Accepting request 156290 from home:gary_lin:branches:Base:System

Update pesign-bnc805166-fix-signature-list.patch to skip the unneeded private key request. (bnc#805166c#17) OBS-URL: https://build.opensuse.org/request/show/156290 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=12
2013-02-25 10:09:38 +00:00 · 2013-02-25 10:09:38 +00:00 · ed0b396886
commit ed0b396886
parent 0b5d673ec8
3 changed files with 175 additions and 128 deletions
--- a/pesign-bnc805166-fix-signature-list.patch
+++ b/pesign-bnc805166-fix-signature-list.patch
@ -1,44 +1,58 @@
-commit 63c6ad572b3c1a7041dc581072421c2c94ff5d35
+From 4956251d79904be08c4012fa06c14434f8e706ed Mon Sep 17 00:00:00 2001
-Author: Gary Ching-Pang Lin <chingpang@gmail.com>
+From: Gary Ching-Pang Lin <chingpang@gmail.com>
-Date:   Fri Feb 22 15:13:08 2013 +0800
+Date: Fri, 22 Feb 2013 15:13:08 +0800
 Subject: [PATCH 1/2] Backport patches to fix signature list
-    Backport patches to fix signature list
+Get cms_context out of wincert functions.
-    
+ee357451be9968cedda57ce13b103eb82c590e67
    Get cms_context out of wincert functions.
    ee357451be9968cedda57ce13b103eb82c590e67
    Rework siglist to be somewhat more useful.
    a5ec0d2cd06dec0961fc3fed680e7e385dc5bec8
    Don't allow our signature list iterator to walk off the end of the file.
    18980866e7952100d98510297c0e1cc25fca8fc8
    Include old signatures in new space calculations.
    77d334d77435d64e88fcc772b5b58440b394584a
    Make implanting extracted certificates work again.
    5ceddd2f80dfea70d211236190943746c2d2f77b
    Add error handling macros to make code simpler.
    0bafa814b49a9556550cfbc373e0ea5b9edb929e
    Add is_issuer_of(cert, cert) helper function.
    7750aaeceb2655807788f8e45417e84cb5404a8e
    Add "find_named_certificate()" helper function.
    c89c8dbf7929f8f8f36bc1c4045fcc17d5ce7e5c
    Make generate_certificate_list include the issuing certificate.
    8c3d82ceb5029bedfee1577682fec5ff3669ff3c
    Fix a casting problem on 32-bit.
    9eb2814858270af2d7ecfbfa5ca131e7be2f9f53
-Index: pesign-0.99/libdpe/pe_addcert.c
+Rework siglist to be somewhat more useful.
-===================================================================
+a5ec0d2cd06dec0961fc3fed680e7e385dc5bec8
--- pesign-0.99.orig/libdpe/pe_addcert.c
+
-+++ pesign-0.99/libdpe/pe_addcert.c
+Don't allow our signature list iterator to walk off the end of the file.
 18980866e7952100d98510297c0e1cc25fca8fc8
 Include old signatures in new space calculations.
 77d334d77435d64e88fcc772b5b58440b394584a
 Make implanting extracted certificates work again.
 5ceddd2f80dfea70d211236190943746c2d2f77b
 Add error handling macros to make code simpler.
 0bafa814b49a9556550cfbc373e0ea5b9edb929e
 Add is_issuer_of(cert, cert) helper function.
 7750aaeceb2655807788f8e45417e84cb5404a8e
 Add "find_named_certificate()" helper function.
 c89c8dbf7929f8f8f36bc1c4045fcc17d5ce7e5c
 Make generate_certificate_list include the issuing certificate.
 8c3d82ceb5029bedfee1577682fec5ff3669ff3c
 Fix a casting problem on 32-bit.
 9eb2814858270af2d7ecfbfa5ca131e7be2f9f53
 ---
 libdpe/pe_addcert.c    |    2 +-
 libdpe/pe_updatefile.c |   13 ++++++-
 src/actions.c          |   12 +------
 src/actions.h          |    2 +-
 src/cms_common.c       |   93 ++++++++++++++++++++++++++++++++++++++++++++++++
 src/cms_common.h       |   32 ++++++++++++++++-
 src/daemon.c           |    6 ++--
 src/pesign.c           |   35 +++++++++++++++---
 src/peverify.c         |    7 ++--
 src/siglist.c          |   46 +++++++++++++++++++-----
 src/siglist.h          |    3 +-
 src/signed_data.c      |   53 +++++++++++++++++++++------
 src/wincert.c          |   65 +++++++++++++++++++++++----------
 src/wincert.h          |    8 +++--
 14 files changed, 312 insertions(+), 65 deletions(-)
 diff --git a/libdpe/pe_addcert.c b/libdpe/pe_addcert.c
 index e391242..b6ba969 100644
 --- a/libdpe/pe_addcert.c
 +++ b/libdpe/pe_addcert.c
@@ -59,7 +59,7 @@ pe_alloccert(Pe *pe, size_t size)
 	memset(addr, '\0', size);
@ -48,10 +62,10 @@ Index: pesign-0.99/libdpe/pe_addcert.c
 #if 0
 	pe_set_image_size(pe);
-Index: pesign-0.99/libdpe/pe_updatefile.c
+diff --git a/libdpe/pe_updatefile.c b/libdpe/pe_updatefile.c
-===================================================================
+index 7a29757..a8fe769 100644
--- pesign-0.99.orig/libdpe/pe_updatefile.c
+--- a/libdpe/pe_updatefile.c
-+++ pesign-0.99/libdpe/pe_updatefile.c
+++ b/libdpe/pe_updatefile.c
@@ -24,6 +24,7 @@
 #include <sys/mman.h>
@ -60,7 +74,7 @@ Index: pesign-0.99/libdpe/pe_updatefile.c
 __get_last_section(Pe *pe)
 {
 	Pe_Scn *scn = NULL;
-@@ -79,6 +80,7 @@ compare_sections (const void *a, const v
+@@ -79,6 +80,7 @@ compare_sections (const void *a, const void *b)
 }
 static void
@ -86,10 +100,10 @@ Index: pesign-0.99/libdpe/pe_updatefile.c
 	return 0;
 }
-Index: pesign-0.99/src/actions.c
+diff --git a/src/actions.c b/src/actions.c
-===================================================================
+index 9e4ac59..5c5dd89 100644
--- pesign-0.99.orig/src/actions.c
+--- a/src/actions.c
-+++ pesign-0.99/src/actions.c
+++ b/src/actions.c
@@ -268,7 +268,7 @@ failure:
 	return ret;
 }
@ -108,7 +122,7 @@ Index: pesign-0.99/src/actions.c
 	ssize_t available = available_cert_space(ctx->outpe);
 	if (available < ctx->cms_ctx->newsig.len) {
-@@ -406,14 +404,6 @@ check_signature_space(pesign_context *ct
+@@ -406,14 +404,6 @@ check_signature_space(pesign_context *ctx)
 	}
 }
@ -123,11 +137,11 @@ Index: pesign-0.99/src/actions.c
 void
 allocate_signature_space(Pe *pe, ssize_t sigspace)
 {
-Index: pesign-0.99/src/actions.h
+diff --git a/src/actions.h b/src/actions.h
-===================================================================
+index 400876f..4ecaad8 100644
--- pesign-0.99.orig/src/actions.h
+--- a/src/actions.h
-+++ pesign-0.99/src/actions.h
+++ b/src/actions.h
-@@ -28,12 +28,12 @@ extern int list_signatures(pesign_contex
+@@ -28,12 +28,12 @@ extern int list_signatures(pesign_context *ctx);
 extern void check_signature_space(pesign_context *ctx);
 extern void allocate_signature_space(Pe *pe, ssize_t sigspace);
 extern off_t export_signature(cms_context *cms, int fd, int ascii_armor);
@ -141,11 +155,11 @@ Index: pesign-0.99/src/actions.h
 extern void insert_signature(cms_context *cms, int signum);
 #endif /* PESIGN_CRYPTO_H */
-Index: pesign-0.99/src/cms_common.c
+diff --git a/src/cms_common.c b/src/cms_common.c
-===================================================================
+index 9ab2021..3b2e71a 100644
--- pesign-0.99.orig/src/cms_common.c
+--- a/src/cms_common.c
-+++ pesign-0.99/src/cms_common.c
+++ b/src/cms_common.c
-@@ -304,6 +304,17 @@ is_valid_cert(CERTCertificate *cert, voi
+@@ -304,6 +304,17 @@ is_valid_cert(CERTCertificate *cert, void *data)
 	return SECFailure;
 }
@ -163,15 +177,10 @@ Index: pesign-0.99/src/cms_common.c
 /* This is the dumbest function ever, but we need it anyway, because nss
  * is garbage. */
 static void
-@@ -443,6 +454,88 @@ err_slots:
+@@ -448,6 +459,88 @@ err_slots:
 	return 0;
 }
 	PK11_DestroySlotListElement(slots, &psle);
 	PK11_FreeSlotList(slots);
 +	CERT_DestroyCertList(certlist);
 +
 +	return 0;
 +}
 +
 +int
 +find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
 +{
@ -249,13 +258,18 @@ Index: pesign-0.99/src/cms_common.c
 +
 +	PK11_DestroySlotListElement(slots, &psle);
 +	PK11_FreeSlotList(slots);
- 	CERT_DestroyCertList(certlist);
+	CERT_DestroyCertList(certlist);
- 
+
- 	return 0;
+	return 0;
-Index: pesign-0.99/src/cms_common.h
+}
-===================================================================
+
--- pesign-0.99.orig/src/cms_common.h
+ static SEC_ASN1Template EmptySequenceTemplate[] = {
-+++ pesign-0.99/src/cms_common.h
+ 	{
 	.kind = SEC_ASN1_SEQUENCE,
 diff --git a/src/cms_common.h b/src/cms_common.h
 index a3848cd..2b2d619 100644
 --- a/src/cms_common.h
 +++ b/src/cms_common.h
@@ -19,9 +19,35 @@
 #ifndef CMS_COMMON_H
 #define CMS_COMMON_H 1
@ -293,7 +307,7 @@ Index: pesign-0.99/src/cms_common.h
 struct digest {
 	PK11Context *pk11ctx;
-@@ -109,6 +135,10 @@ extern int generate_digest(cms_context *
+@@ -109,6 +135,10 @@ extern int generate_digest(cms_context *cms, Pe *pe);
 extern int generate_signature(cms_context *ctx);
 extern int unlock_nss_token(cms_context *ctx);
 extern int find_certificate(cms_context *ctx);
@ -304,11 +318,11 @@ Index: pesign-0.99/src/cms_common.h
 extern SECOidTag digest_get_digest_oid(cms_context *cms);
 extern SECOidTag digest_get_encryption_oid(cms_context *cms);
-Index: pesign-0.99/src/daemon.c
+diff --git a/src/daemon.c b/src/daemon.c
-===================================================================
+index 4a9af87..92ae856 100644
--- pesign-0.99.orig/src/daemon.c
+--- a/src/daemon.c
-+++ pesign-0.99/src/daemon.c
+++ b/src/daemon.c
-@@ -288,7 +288,8 @@ set_up_inpe(context *ctx, int fd, Pe **p
+@@ -288,7 +288,8 @@ set_up_inpe(context *ctx, int fd, Pe **pe)
 		return -1;
 	}
@ -328,10 +342,10 @@ Index: pesign-0.99/src/daemon.c
 		pe_end(outpe);
 	} else {
 		if (ftruncate(outfd, 0) != 0) {
-Index: pesign-0.99/src/pesign.c
+diff --git a/src/pesign.c b/src/pesign.c
-===================================================================
+index bfda33b..fcb2dca 100644
--- pesign-0.99.orig/src/pesign.c
+--- a/src/pesign.c
-+++ pesign-0.99/src/pesign.c
+++ b/src/pesign.c
@@ -104,7 +104,8 @@ open_input(pesign_context *ctx)
 		exit(1);
 	}
@ -414,10 +428,10 @@ Index: pesign-0.99/src/pesign.c
 			close_output(ctxp);
 			break;
 		case DAEMONIZE:
-Index: pesign-0.99/src/peverify.c
+diff --git a/src/peverify.c b/src/peverify.c
-===================================================================
+index 08aad27..e010d87 100644
--- pesign-0.99.orig/src/peverify.c
+--- a/src/peverify.c
-+++ pesign-0.99/src/peverify.c
+++ b/src/peverify.c
@@ -55,9 +55,12 @@ open_input(peverify_context *ctx)
 		exit(1);
 	}
@ -433,10 +447,10 @@ Index: pesign-0.99/src/peverify.c
 		exit(1);
 	}
 }
-Index: pesign-0.99/src/siglist.c
+diff --git a/src/siglist.c b/src/siglist.c
-===================================================================
+index 1a933e7..ca097e6 100644
--- pesign-0.99.orig/src/siglist.c
+--- a/src/siglist.c
-+++ pesign-0.99/src/siglist.c
+++ b/src/siglist.c
@@ -17,11 +17,15 @@
  * Author(s): Peter Jones <pjones@redhat.com>
  */
@ -454,7 +468,7 @@ Index: pesign-0.99/src/siglist.c
 struct efi_signature_data {
 	efi_guid_t		SignatureOwner;
-@@ -135,7 +139,10 @@ signature_list_add_sig(signature_list *s
+@@ -135,7 +139,10 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner,
 	if (memcmp(&sl->SignatureType, &x509_guid, sizeof (efi_guid_t)) == 0) {
 		if (sigsize > sl->SignatureSize)
 			resize_entries(sl, sigsize);
@ -466,7 +480,7 @@ Index: pesign-0.99/src/siglist.c
 		return -1;
 	}
-@@ -162,11 +169,31 @@ signature_list_add_sig(signature_list *s
+@@ -162,11 +169,31 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner,
 	return 0;
 }
@ -475,7 +489,9 @@ Index: pesign-0.99/src/siglist.c
 +#if 0
 +int
 +signature_list_parse(signature_list *sl, uint8_t *data, size_t len)
-+{
+ {
 -	if (sl->realized)
 -		return sl->realized;
 +	if (!sl)
 +		return -1;
 +
@ -492,9 +508,7 @@ Index: pesign-0.99/src/siglist.c
 +
 +int
 +signature_list_realize(signature_list *sl, void **out, size_t *outsize)
- {
+{
 -	if (sl->realized)
 -		return sl->realized;
 +	if (sl->realized) {
 +		free(sl->realized);
 +		sl->realized = NULL;
@ -502,7 +516,7 @@ Index: pesign-0.99/src/siglist.c
 	struct efi_signature_list *esl = NULL;
 	uint32_t size = sizeof (*esl) +
-@@ -174,7 +201,7 @@ signature_list_realize(signature_list *s
+@@ -174,7 +201,7 @@ signature_list_realize(signature_list *sl)
 	void *ret = calloc(1, size);
 	if (!ret)
@ -511,7 +525,7 @@ Index: pesign-0.99/src/siglist.c
 	esl = ret;
 	memcpy(esl, sl, sizeof (*esl));
-@@ -186,7 +213,10 @@ signature_list_realize(signature_list *s
+@@ -186,7 +213,10 @@ signature_list_realize(signature_list *sl)
 	}
 	sl->realized = ret;
@ -523,11 +537,11 @@ Index: pesign-0.99/src/siglist.c
 }
 void
-Index: pesign-0.99/src/siglist.h
+diff --git a/src/siglist.h b/src/siglist.h
-===================================================================
+index 2961a39..a576ffd 100644
--- pesign-0.99.orig/src/siglist.h
+--- a/src/siglist.h
-+++ pesign-0.99/src/siglist.h
+++ b/src/siglist.h
-@@ -24,7 +24,8 @@ typedef struct signature_list signature_
+@@ -24,7 +24,8 @@ typedef struct signature_list signature_list;
 extern signature_list *signature_list_new(efi_guid_t SignatureType);
 extern int signature_list_add_sig(signature_list *sl, efi_guid_t owner,
 			uint8_t *sig, uint32_t sigsize);
@ -537,11 +551,11 @@ Index: pesign-0.99/src/siglist.h
 extern void signature_list_free(signature_list *sl);
 #endif /* SIGLIST_H */
-Index: pesign-0.99/src/signed_data.c
+diff --git a/src/signed_data.c b/src/signed_data.c
-===================================================================
+index e676cb3..83957d6 100644
--- pesign-0.99.orig/src/signed_data.c
+--- a/src/signed_data.c
-+++ pesign-0.99/src/signed_data.c
+++ b/src/signed_data.c
-@@ -76,20 +76,53 @@ static int
+@@ -76,20 +76,51 @@ static int
 generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
 {
 	SECItem **certificates = NULL;
@ -561,7 +575,7 @@ Index: pesign-0.99/src/signed_data.c
 +	if (!certificates) {
 +		save_port_err(PORT_ArenaRelease(cms->arena, mark));
 +		cmsreterr(-1, cms, "could not allocate certificate list");
- 	}
+	}
 +	int i = 0;
 +
 +	certificates[i] = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem));
@ -571,7 +585,6 @@ Index: pesign-0.99/src/signed_data.c
 +	}
 +	SECITEM_CopyItem(cms->arena, certificates[i++], &cms->cert->derCert);
 +
 +#if 0
 +	if (!is_issuer_of(cms->cert, cms->cert)) {
 +		CERTCertificate *signer = NULL;
 +		int rc = find_named_certificate(cms, cms->cert->issuerName,
@ -599,17 +612,16 @@ Index: pesign-0.99/src/signed_data.c
 +			}
 +			CERT_DestroyCertificate(signer);
 +		}
-+	}
+ 	}
 +#endif
 -	SECITEM_CopyItem(cms->arena, certificates[0], &cms->cert->derCert);
 	*certificate_list_p = certificates;
 	return 0;
 }
-Index: pesign-0.99/src/wincert.c
+diff --git a/src/wincert.c b/src/wincert.c
-===================================================================
+index 4b5ba45..4197a87 100644
--- pesign-0.99.orig/src/wincert.c
+--- a/src/wincert.c
-+++ pesign-0.99/src/wincert.c
+++ b/src/wincert.c
@@ -25,13 +25,13 @@ struct cert_list_entry {
 };
@ -628,7 +640,7 @@ Index: pesign-0.99/src/wincert.c
 	}
 	uint8_t *data = malloc(cl_size);
-@@ -41,15 +41,15 @@ generate_cert_list(cms_context *cms, voi
+@@ -41,15 +41,15 @@ generate_cert_list(cms_context *cms, void **cert_list,
 	*cert_list = (void *)data;
 	*cert_list_size = cl_size;
@ -649,7 +661,7 @@ Index: pesign-0.99/src/wincert.c
 	}
 	return 0;
-@@ -62,12 +62,13 @@ implant_cert_list(Pe *pe, void *cert_lis
+@@ -62,12 +62,13 @@ implant_cert_list(Pe *pe, void *cert_list, size_t cert_list_size)
 }
 int
@ -734,7 +746,7 @@ Index: pesign-0.99/src/wincert.c
 {
 	cert_iter iter;
 	int rc = cert_iter_init(&iter, pe);
-@@ -238,8 +267,8 @@ parse_signatures(cms_context *cms, Pe *p
+@@ -238,8 +267,8 @@ parse_signatures(cms_context *cms, Pe *pe)
 	}
 	if (nsigs == 0) {
@ -745,7 +757,7 @@ Index: pesign-0.99/src/wincert.c
 		return 0;
 	}
-@@ -271,8 +300,8 @@ parse_signatures(cms_context *cms, Pe *p
+@@ -271,8 +300,8 @@ parse_signatures(cms_context *cms, Pe *pe)
 		i++;
 	}
@ -756,10 +768,10 @@ Index: pesign-0.99/src/wincert.c
 	return 0;
 err:
-Index: pesign-0.99/src/wincert.h
+diff --git a/src/wincert.h b/src/wincert.h
-===================================================================
+index 4309915..ed7e15c 100644
--- pesign-0.99.orig/src/wincert.h
+--- a/src/wincert.h
-+++ pesign-0.99/src/wincert.h
+++ b/src/wincert.h
@@ -32,8 +32,6 @@ typedef struct win_certificate {
 	uint16_t cert_type;
 } win_certificate;
@ -769,7 +781,7 @@ Index: pesign-0.99/src/wincert.h
 typedef struct cert_iter {
 	Pe *pe;
 	off_t n;
-@@ -45,6 +43,10 @@ extern int cert_iter_init(cert_iter *ite
+@@ -45,6 +43,10 @@ extern int cert_iter_init(cert_iter *iter, Pe *pe);
 extern int next_cert(cert_iter *iter, void **cert, ssize_t *cert_size);
 extern ssize_t available_cert_space(Pe *pe);
 extern ssize_t calculate_signature_space(cms_context *cms, Pe *pe);
@ -781,3 +793,33 @@ Index: pesign-0.99/src/wincert.h
 +
 #endif /* PESIGN_WINCERT_H */
 -- 
 1.7.10.4
 From 8d86f6db19be98538fd5397a9de5f7d06733746e Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <chingpang@gmail.com>
 Date: Mon, 25 Feb 2013 10:43:09 +0800
 Subject: [PATCH 2/2] Don't request the private key in
 find_named_certificate() when importing a raw signature
 ---
 src/cms_common.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/cms_common.c b/src/cms_common.c
 index 3b2e71a..642cc86 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -498,7 +498,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
 	}
 	SECStatus status;
 -	if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
 +	if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
 		status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
 		if (status != SECSuccess) {
 			PK11_DestroySlotListElement(slots, &psle);
 -- 
 1.7.10.4
--- a/pesign.changes
+++ b/pesign.changes
@ -1,3 +1,9 @@
 -------------------------------------------------------------------
 Mon Feb 25 07:35:59 UTC 2013 - glin@suse.com
 - Update pesign-bnc805166-fix-signature-list.patch to skip the
  unneeded private key request. (bnc#805166c#17)
 -------------------------------------------------------------------
 Sat Feb 23 04:47:48 UTC 2013 - jlee@suse.com
--- a/pesign.spec
+++ b/pesign.spec
@ -16,7 +16,6 @@
 #
 Name:           pesign
 Version:        0.99
 Release:        0