rpm/openCryptoki
SHA256
1
0
Fork 0
forked from pool/openCryptoki
Code Pull Requests Activity

- Amended the .spec file accorinding to the recommendation in (bsc#1225876)

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/security/openCryptoki?expand=0&rev=151
This commit is contained in:
Nikolay Gueorguiev 2024-07-18 06:18:42 +00:00 committed by Git OBS Bridge
commit 18d764e160
9 changed files with 3208 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

119
ocki-3.23-remove-make-install-chgrp.patch Normal file
View File

@ -0,0 +1,119 @@
--- Makefile.am 2023-05-15 14:42:55.000000000 +0200
+++ Makefile-3.21.am 2023-05-25 17:13:36.266936832 +0200
@@ -39,14 +39,9 @@
include doc/doc.mk
install-data-hook:
- getent group $(pkcs_group) > /dev/null || $(GROUPADD) -r $(pkcs_group)
- getent passwd $(pkcsslotd_user) >/dev/null || $(USERADD) -r -g $(pkcs_group) -d /run/opencryptoki -s /sbin/nologin -c "Opencryptoki pkcsslotd user" $(pkcsslotd_user)
$(MKDIR_P) $(DESTDIR)/run/opencryptoki/
- $(CHOWN) $(pkcsslotd_user):$(pkcs_group) $(DESTDIR)/run/opencryptoki/
- $(CHGRP) $(pkcs_group) $(DESTDIR)/run/opencryptoki/
$(CHMOD) 0710 $(DESTDIR)/run/opencryptoki/
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki
$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki
if ENABLE_LIBRARY
$(MKDIR_P) $(DESTDIR)$(libdir)/opencryptoki/stdll
@@ -66,19 +61,15 @@
endif
if ENABLE_PKCSHSM_MK_CHANGE
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/HSM_MK_CHANGE
endif
if ENABLE_CCATOK
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
ln -fs libpkcs11_cca.so PKCS11_CCA.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok/TOK_OBJ
$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ccatok
$(MKDIR_P) $(DESTDIR)$(lockdir)/ccatok
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/ccatok
$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ccatok
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/cca_stdll/ccatok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ccatok.conf || true
@@ -87,12 +78,9 @@
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
ln -fs libpkcs11_ep11.so PKCS11_EP11.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok/TOK_OBJ
$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/ep11tok
$(MKDIR_P) $(DESTDIR)$(lockdir)/ep11tok
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/ep11tok
$(CHMOD) 0770 $(DESTDIR)$(lockdir)/ep11tok
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
test -f $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || $(INSTALL) -m 644 $(srcdir)/usr/lib/ep11_stdll/ep11tok.conf $(DESTDIR)$(sysconfdir)/opencryptoki/ep11tok.conf || true
@@ -100,30 +88,24 @@
endif
if ENABLE_P11SAK
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -g $(pkcs_group) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || $(INSTALL) -m 0640 $(srcdir)/usr/sbin/p11sak/p11sak_defined_attrs.conf $(DESTDIR)$(sysconfdir)/opencryptoki/p11sak_defined_attrs.conf || true
endif
if ENABLE_ICATOK
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
ln -fs libpkcs11_ica.so PKCS11_ICA.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite/TOK_OBJ
$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/lite
$(MKDIR_P) $(DESTDIR)$(lockdir)/lite
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/lite
$(CHMOD) 0770 $(DESTDIR)$(lockdir)/lite
endif
if ENABLE_SWTOK
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
ln -fs libpkcs11_sw.so PKCS11_SW.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok/TOK_OBJ
$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/swtok
$(MKDIR_P) $(DESTDIR)$(lockdir)/swtok
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/swtok
$(CHMOD) 0770 $(DESTDIR)$(lockdir)/swtok
endif
if ENABLE_TPMTOK
@@ -131,10 +113,8 @@
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
ln -fs libpkcs11_tpm.so PKCS11_TPM.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/tpm
$(MKDIR_P) $(DESTDIR)$(lockdir)/tpm
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/tpm
$(CHMOD) 0770 $(DESTDIR)$(lockdir)/tpm
endif
if ENABLE_ICSFTOK
@@ -142,16 +122,14 @@
cd $(DESTDIR)$(libdir)/opencryptoki/stdll && \
ln -fs libpkcs11_icsf.so PKCS11_ICSF.so
$(MKDIR_P) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
$(CHMOD) 0770 $(DESTDIR)$(localstatedir)/lib/opencryptoki/icsf
$(MKDIR_P) $(DESTDIR)$(lockdir)/icsf
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir)/icsf
$(CHMOD) 0770 $(DESTDIR)$(lockdir)/icsf
endif
if ENABLE_DAEMON
test -f $(DESTDIR)$(sysconfdir)/opencryptoki || $(MKDIR_P) $(DESTDIR)$(sysconfdir)/opencryptoki || true
test -f $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || $(INSTALL) -m 644 $(srcdir)/usr/sbin/pkcsslotd/opencryptoki.conf $(DESTDIR)$(sysconfdir)/opencryptoki/opencryptoki.conf || true
- test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -g $(pkcs_group) -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
+ test -f $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || $(INSTALL) -m 640 -o root -T $(srcdir)/doc/strength-example.conf $(DESTDIR)$(sysconfdir)/opencryptoki/strength.conf || true
endif
$(MKDIR_P) $(DESTDIR)/etc/ld.so.conf.d
echo "$(libdir)/opencryptoki" >\
@@ -162,7 +140,6 @@
@echo "Remember you must run ldconfig before using the above settings"
@echo "--------------------------------------------------------------"
$(MKDIR_P) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
- $(CHGRP) $(pkcs_group) $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)
$(CHMOD) 0770 $(DESTDIR)$(lockdir) $(DESTDIR)$(logdir)

BIN
openCryptoki-3.23.0.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

1320
openCryptoki-TFAQ.html Normal file
View File

File diff suppressed because it is too large Load Diff

1
openCryptoki-rpmlintrc Normal file
View File

@ -0,0 +1 @@
addFilter("openCryptoki.* tmpfile-not-in-filelist /var/lock/opencryptoki")

1243
openCryptoki.changes Normal file
View File

File diff suppressed because it is too large Load Diff

150
openCryptoki.pkcsslotd Normal file
View File

@ -0,0 +1,150 @@
#! /bin/sh
# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
#
# Author: Jiri Smid <feedback@suse.de>
#
# /etc/init.d/pkcsslotd
#
# and symbolic its link
#
# /usr/sbin/rcpkcsslotd
#
### BEGIN INIT INFO
# Provides: pkcsslotd
# Required-Start: $remote_fs
# Required-Stop: $null
# Should-Start: z90crypt
# Should-Stop: z90crypt
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Description: Start the pkcsslotd daemon
# Short-Description: Start the pkcsslotd daemon
### END INIT INFO
. /etc/rc.status
PKCSSLOTD_PID_FILE=/var/lib/opencryptoki/.slotpid
# Check for missing binaries (stale symlinks should not happen)
PKCSSLOTD_BIN=/usr/sbin/pkcsslotd
test -x $PKCSSLOTD_BIN || exit 5
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v ditto but be verbose in local rc status
# rc_status -v -r ditto and clear the local rc status
# rc_failed set local and overall rc status to failed
# rc_reset clear local rc status (overall remains)
# rc_exit exit appropriate to overall rc status
# Check for machine architecture
PKCS_ARCH=$(/bin/uname -m)
# First reset status of this service
rc_reset
case "$1" in
start)
case "$PKCS_ARCH" in
s390|s390x)
PKCS_MODULE="z90crypt"
;;
*)
PKCS_MODULE="leedslite"
;;
esac
lsmod | grep $PKCS_MODULE > /dev/null 2>&1 \
|| echo "$PKCS_MODULE module is not installed - PKCS#11 will not be hardware accelerated"
echo -n "Starting pkcsslotd daemon:"
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
if [ ! -f $PKCSSLOTD_PID_FILE ]; then
# $PKCSSLOTD_PID_FILE does not exist
startproc -f $PKCSSLOTD_BIN
elif ! ps -h --pid `cat $PKCSSLOTD_PID_FILE` | grep "$PKCSSLOTD_BIN" 2>&1 >/dev/null; then
# $PKCSSLOTD_PID_FILE exists but named pid not
rm -f $PKCSSLOTD_PID_FILE
startproc -f $PKCSSLOTD_BIN
else
# just to have "failed" message
startproc $PKCSSLOTD_BIN
fi
# Remember status and be verbose
rc_status -v
;;
stop)
echo -n "Shutting down pkcsslotd daemon:"
## Stop daemon with killproc(8) and if this fails
## set echo the echo return value.
killproc -p $PKCSSLOTD_PID_FILE -TERM $PKCSSLOTD_BIN
# Remember status and be verbose
rc_status -v
;;
try-restart)
## Stop the service and if this succeeds (i.e. the
## service was running before), start it again.
$0 status >/dev/null && $0 restart
# Remember status and be quiet
rc_status
;;
restart)
## Stop the service and regardless of whether it was
## running or not, start it again.
$0 stop
$0 start
# Remember status and be quiet
rc_status
;;
force-reload)
## Signal the daemon to reload its config. Most daemons
## do this on signal 1 (SIGHUP).
## If it does not support it, restart.
echo -n "Reload service pkcsslotd"
## if it supports it:
killproc -p $PKCSSLOTD_PID_FILE -HUP $PKCSSLOTD_BIN
#touch $PKCSSLOTD_PID_FILE
rc_status -v
;;
reload)
## Like force-reload, but if daemon does not support
## signalling, do nothing (!)
# If it supports signalling:
echo -n "Reload service pkcsslotd"
killproc -p $PKCSSLOTD_PID_FILE -HUP $PKCSSLOTD_BIN
#touch $PKCSSLOTD_PID_FILE
rc_status -v
# If it does not support reload:
#exit 3
;;
status)
echo -n "Checking for service pkcsslotd: "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0.
# Status has a slightly different for the status command:
# 0 - service running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running
# NOTE: checkproc returns LSB compliant status values.
checkproc $PKCSSLOTD_BIN
rc_status -v
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}"
exit 1
;;
esac
rc_exit

348
openCryptoki.spec Normal file
View File

@ -0,0 +1,348 @@
#
# spec file for package openCryptoki
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define openCryptoki_32bit_arch %{ix86} s390 ppc %{arm}
# support in the workings for: ppc64
# no support in sight for: ia64
%define openCryptoki_64bit_arch s390x ppc64 ppc64le x86_64 aarch64
# autobuild:/work/cd/lib/misc/group
# openCryptoki pkcs11:x:64:
%define pkcs11_group_id 64
%define pkcs_group pkcs11
%define oc_cvs_tag opencryptoki
Name: openCryptoki
Version: 3.23.0
Release: 0
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
License: CPL-1.0
Group: Productivity/Security
URL: https://github.com/opencryptoki/opencryptoki
Source: https://github.com/opencryptoki/%{oc_cvs_tag}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: openCryptoki.pkcsslotd
Source2: openCryptoki-TFAQ.html
Source3: openCryptoki-rpmlintrc
# Patch 0 is needed because group pkcs11 doesn't exist in the build environment
# and because we don't want(?) various file and directory permissions to be 0700.
Patch000: ocki-3.23-remove-make-install-chgrp.patch
#
#
BuildRequires: bison
BuildRequires: dos2unix
BuildRequires: flex
BuildRequires: gcc-c++
BuildRequires: libcap-devel
BuildRequires: libitm1
BuildRequires: libtool
BuildRequires: libudev-devel
BuildRequires: openldap2-devel
BuildRequires: openssl-devel >= 1.0
BuildRequires: pkgconfig
BuildRequires: trousers-devel
BuildRequires: pkgconfig(systemd)
###
Requires(pre): %{_sbindir}/groupadd
Requires(pre): %{_sbindir}/useradd
Requires(pre): %{_sbindir}/usermod
Requires(pre): %{_sbindir}/getent
###
Provides: user(pkcs11)
Provides: group(pkcs11)
# IBM maintains openCryptoki on these architectures:
ExclusiveArch: %{openCryptoki_32bit_arch} %{openCryptoki_64bit_arch}
%{?systemd_requires}
%ifarch s390 s390x
BuildRequires: libica-devel
BuildRequires: libica-tools
%endif
%description
The PKCS#11 version 2.11 API implemented for the IBM cryptographic
cards. This package includes support for the IBM 4758 cryptographic
coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
Cryptographic Accelerator (FC 4960 on pSeries).
%package devel
Summary: Development files for openCryptoki, a PKCS#11 implementation for IBM hardware
Group: Development/Languages/C and C++
Requires: glibc-devel
Requires: libopenssl-devel
Requires: openldap2-devel
Requires: trousers-devel
%ifarch s390 s390x
Requires: libica-devel
%endif
%description devel
The PKCS#11 version 2.01 API implemented for the IBM cryptographic
cards. This package includes support for the IBM 4758 cryptographic
co-processor (with the PKCS#11 firmware loaded) and the IBM eServer
Cryptographic Accelerator (FC 4960 on pSeries).
%ifarch %{openCryptoki_32bit_arch}
%package 32bit
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
# this is needed to make sure the pkcs11 group exists before
# installation:
Group: Productivity/Security
Requires: openCryptoki
ExclusiveArch: %{openCryptoki_32bit_arch}
%description 32bit
This is a re-packaged binary rpm. For the package source, please look
for the source of the package without the "32bit" ending
The PKCS#11 version 2.11 API implemented for the IBM cryptographic
cards. This package includes support for the IBM 4758 cryptographic
coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
Cryptographic Accelerator (FC 4960 on pSeries).
%endif
%ifarch %{openCryptoki_64bit_arch}
%package 64bit
Summary: An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
# this is needed to make sure the pkcs11 group exists before
# installation:
Group: Productivity/Security
Requires: openCryptoki
ExclusiveArch: %{openCryptoki_64bit_arch}
%description 64bit
This is a re-packaged binary rpm. For the package source, please look
for the source of the package without the "64bit" ending
The PKCS#11 version 2.11 API implemented for the IBM cryptographic
cards. This package includes support for the IBM 4758 cryptographic
coprocessor (with the PKCS#11 firmware loaded) and the IBM eServer
Cryptographic Accelerator (FC 4960 on pSeries).
%endif
%prep
# setup -q -n %{oc_cvs_tag}-%{version}
%autosetup -p 0 -n %{oc_cvs_tag}-%{version}
cp %{SOURCE2} .
%build
./bootstrap.sh
%configure --with-systemd=%{_unitdir} \
--with-libudev=yes \
--enable-tpmtok \
%ifarch aarch64 # Apparently, gcc for aarch64 doesn't support transactional memory
--enable-locks \
%endif
%ifarch s390 s390x
--enable-pkcsep11_migrate
%else
--disable-ccatok
%endif
make %{?_smp_mflags}
dos2unix doc/README.ep11_stdll
%install
%make_install
install -d %{buildroot}%{_includedir}
install -d %{buildroot}%{_localstatedir}/lib/opencryptoki
install -d %{buildroot}%{_initddir}
install -d %{buildroot}%{_sbindir}
install -d %{buildroot}%{_prefix}/lib/tmpfiles.d
#
mkdir -p %{buildroot}%{_datadir}/opencryptoki
cp %{buildroot}%{_datadir}/doc/opencryptoki/*.conf %{buildroot}%{_datadir}/opencryptoki
#
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcpkcsslotd
rm -rf %{buildroot}/tmp
# Remove all development files
find %{buildroot} -type f -name "*.la" -delete -print
rm -f %{buildroot}%{_libdir}/opencryptoki/methods
%pre
%{service_add_pre pkcsslotd.service}
# autobuild:/work/cd/lib/misc/group
# openCryptoki pkcs11:x:64:
# openCryptoki pkcsslotd:x:64:
%{_sbindir}/getent group %{pkcs_group} 2>/dev/null || %{_sbindir}/groupadd -g %{pkcs11_group_id} -r %{pkcs_group} 2>/dev/null || true
%{_sbindir}/getent passwd pkcsslotd 2>/dev/null || %{_sbindir}/useradd -g %{pkcs11_group_id} -r pkcsslotd -s /sbin/nologin -d /run/opencryptoki 2>/dev/null || true
%{_sbindir}/usermod -a -G %{pkcs_group} root
%preun
%{service_del_preun pkcsslotd.service}
%post
# Symlink from /var/lib/opencryptoki to /etc/pkcs11
if [ ! -L %{_sysconfdir}/pkcs11 ] ; then
if [ -e %{_sysconfdir}/pkcs11/pk_config_data ] ; then
mv %{_sysconfdir}/pkcs11/* %{_localstatedir}/lib/opencryptoki
cd %{_sysconfdir} && rm -rf pkcs11 && \
ln -sf %{_localstatedir}/lib/opencryptoki pkcs11
fi
fi
/sbin/ldconfig
%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf}
%{service_add_post pkcsslotd.service}
%postun
if [ -L %{_sysconfdir}/pkcs11 ] ; then
rm %{_sysconfdir}/pkcs11
fi
%{service_del_postun pkcsslotd.service}
%ifarch %{openCryptoki_32bit_arch}
%postun 32bit
if [ -L %{_sysconfdir}/pkcs11 ] ; then
rm %{_sysconfdir}/pkcs11
fi
%{service_del_postun pkcsslotd.service}
%post 32bit
# Old library name links
cd %{_libdir}/opencryptoki && ln -sf ./libopencryptoki.so PKCS11_API.so
ln -sf %{_sbindir} %{_libdir}/opencryptoki/methods
rm -rf %{_libdir}/pkcs11/stdll
test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11
cd %{_prefix}/lib/pkcs11
ln -sf ../opencryptoki/stdll stdll
cd stdll
[ -f libpkcs11_cca.so ] && ln -sf ./libpkcs11_cca.so PKCS11_CCA.so || true
[ -f libpkcs11_tpm.so ] && ln -sf ./libpkcs11_tpm.so PKCS11_TPM.so || true
[ -f libpkcs11_ica.so ] && ln -sf ./libpkcs11_ica.so PKCS11_ICA.so || true
[ -f libpkcs11_sw.so ] && ln -sf ./libpkcs11_sw.so PKCS11_SW.so || true
/sbin/ldconfig
%endif
%ifarch %{openCryptoki_64bit_arch}
%post 64bit
# Old library name for 64bit libs were under /usr/lib/pkcs11. For migration purposes only.
test -d %{_prefix}/lib/pkcs11 || mkdir -p %{_prefix}/lib/pkcs11
ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_API.so64
/sbin/ldconfig
%endif
%files
%doc openCryptoki-TFAQ.html FAQ
%doc doc/*
%dir %{_datadir}/doc/opencryptoki
%doc %{_datadir}/doc/opencryptoki/policy-example.conf
%doc %{_datadir}/doc/opencryptoki/strength-example.conf
%dir %{_datadir}/opencryptoki
%{_datadir}/opencryptoki/policy-example.conf
%{_datadir}/opencryptoki/strength-example.conf
# configuration directory
%dir %{_sysconfdir}/opencryptoki
%config %{_sysconfdir}/opencryptoki/opencryptoki.conf
%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/strength.conf
%config %attr(640,root,%{pkcs_group}) %{_sysconfdir}/opencryptoki/p11sak_defined_attrs.conf
%ifarch s390 s390x
%config %{_sysconfdir}/opencryptoki/ccatok.conf
%config %{_sysconfdir}/opencryptoki/ep11cpfilter.conf
%config %{_sysconfdir}/opencryptoki/ep11tok.conf
%{_sbindir}/pkcsep11_migrate
%endif
%{_sbindir}/p11sak
%{_unitdir}/pkcsslotd.service
%{_tmpfilesdir}/opencryptoki.conf
%{_sbindir}/rcpkcsslotd
# utilities
%ifarch s390 s390x
%{_sbindir}/pkcsep11_session
%{_sbindir}/pkcscca
%endif
%{_sbindir}/pkcsslotd
%{_sbindir}/pkcsconf
%{_sbindir}/pkcsicsf
%{_sbindir}/pkcsstats
%{_sbindir}/pkcstok_migrate
%dir %{_libdir}/opencryptoki
%dir %{_libdir}/opencryptoki/stdll
# State and lock directories
%dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
%ifarch s390 s390x
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
%endif
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/tpm
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/icsf
%ifarch s390 s390x
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ
%endif
%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/log/opencryptoki/
%{_mandir}/man*/*
%files devel
%dir %{_libdir}/opencryptoki
%dir %{_libdir}/opencryptoki/stdll
%{_includedir}/opencryptoki
%{_libdir}/pkgconfig/opencryptoki.pc
###
%{_sbindir}/pkcshsm_mk_change
%ifarch %{openCryptoki_32bit_arch}
%files 32bit
# these don't conflict because they only exist as 64bit binaries if
# there is no 32bit version of them usable
%{_libdir}/opencryptoki/libopencryptoki.so
%ghost %{_libdir}/opencryptoki/PKCS11_API.so
%{_libdir}/opencryptoki/*.0
%ifarch s390
%{_libdir}/opencryptoki/stdll/libpkcs11_cca.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_CCA.so
%endif
%{_libdir}/opencryptoki/stdll/libpkcs11_tpm.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_TPM.so
%{_libdir}/opencryptoki/stdll/libpkcs11_sw.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_SW.so
%{_libdir}/opencryptoki/stdll/libpkcs11_icsf.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_ICSF.so
%ifarch s390 s390x
%{_libdir}/opencryptoki/stdll/libpkcs11_ica.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_ICA.so
%{_libdir}/opencryptoki/stdll/libpkcs11_ep11.so
%ghost %{_libdir}/opencryptoki/stdll/PKCS11_EP11.so
%endif
%{_libdir}/opencryptoki/stdll/*.0
%dir %{_libdir}/pkcs11
%ghost %{_libdir}/pkcs11/stdll
%ghost %{_libdir}/pkcs11/methods
%{_libdir}/pkcs11/*.so
%{_sysconfdir}/ld.so.conf.d/*
%endif
%ifarch %{openCryptoki_64bit_arch}
%files 64bit
%dir %{_libdir}/opencryptoki
%{_libdir}/opencryptoki/*.so
%{_libdir}/opencryptoki/*.0
%dir %{_libdir}/opencryptoki/stdll
%{_libdir}/opencryptoki/stdll/*.so
%{_libdir}/opencryptoki/stdll/*.0
%{_libdir}/pkcs11
%{_sysconfdir}/ld.so.conf.d/*
%endif
%changelog