rpm/p11-kit
SHA256
1
0
Fork 0
forked from pool/p11-kit
Code Pull Requests Activity

- Added a backport of an upstream commit in p11-kit-d938f4a8a3a2.patch

Browse Source 
to avoid passing an incompatible pointer type to a function which is
  an error by default in GCC 14.

If the request is OK, please forward it to Factory soon so that we can
switch the default compiler.  Thanks!

OBS-URL: https://build.opensuse.org/package/show/Base:System/p11-kit?expand=0&rev=62
This commit is contained in:
Angel Yankov 2024-07-30 06:48:40 +00:00 committed by Git OBS Bridge
commit 663f7ed042
9 changed files with 1088 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

9
baselibs.conf Normal file
View File

@ -0,0 +1,9 @@
libp11-kit0
p11-kit
+/usr/lib(64)?/pkcs11/*.so
requires "p11-kit = <version>"
p11-kit-nss-trust
+/usr/lib(64)?/*.so
requires "p11-kit = <version>"
conflicts "mozilla-nss-certs-<targettype>"
provides "libnssckbi.so"

BIN
p11-kit-0.25.3.tar.xz (Stored with Git LFS) Normal file
View File

Binary file not shown.

BIN
p11-kit-0.25.3.tar.xz.sig Normal file
View File

Binary file not shown.

106
p11-kit-d938f4a8a3a2.patch Normal file
View File

@ -0,0 +1,106 @@
From d938f4a8a3a2f371e0a3bc1404a384b4b1f61020 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Sat, 2 Dec 2023 09:24:01 +0900
Subject: [PATCH] import-object: Avoid integer truncation on 32-bit platforms
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The build fails when compiling for 32-bit platforms with
-Werror=incompatible-pointer-types:
CFLAGS="-m32 -march=i686 -Werror=incompatible-pointer-types -Werror=implicit -Werror=int-conversion" setarch i686 -- meson setup _build
setarch i686 -- meson compile -C _build -v
...
../p11-kit/import-object.c: In function add_attrs_pubkey_rsa:
../p11-kit/import-object.c:223:62: error: passing argument 3 of p11_asn1_read from incompatible pointer type [-Werror=incompatible-pointer-types]
223 | attr_modulus.pValue = p11_asn1_read (asn, "modulus", &attr_modulus.ulValueLen);
| ^~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int *
Reported by Sam James in:
https://github.com/p11-glue/p11-kit/issues/608
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
p11-kit/import-object.c | 30 +++++++++++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
diff --git a/p11-kit/import-object.c b/p11-kit/import-object.c
index feee0765..fb47b964 100644
--- a/p11-kit/import-object.c
+++ b/p11-kit/import-object.c
@@ -55,6 +55,7 @@
#endif
#include <assert.h>
+#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
@@ -201,6 +202,7 @@ add_attrs_pubkey_rsa (CK_ATTRIBUTE *attrs,
CK_ATTRIBUTE attr_encrypt = { CKA_ENCRYPT, &tval, sizeof (tval) };
CK_ATTRIBUTE attr_modulus = { CKA_MODULUS, };
CK_ATTRIBUTE attr_exponent = { CKA_PUBLIC_EXPONENT, };
+ size_t len = 0;
pubkey = p11_asn1_read (info, "subjectPublicKey", &pubkey_len);
if (pubkey == NULL) {
@@ -220,17 +222,31 @@ add_attrs_pubkey_rsa (CK_ATTRIBUTE *attrs,
goto cleanup;
}
- attr_modulus.pValue = p11_asn1_read (asn, "modulus", &attr_modulus.ulValueLen);
+ attr_modulus.pValue = p11_asn1_read (asn, "modulus", &len);
if (attr_modulus.pValue == NULL) {
p11_message (_("failed to obtain modulus"));
goto cleanup;
}
+#if ULONG_MAX < SIZE_MAX
+ if (len > ULONG_MAX) {
+ p11_message (_("failed to obtain modulus"));
+ goto cleanup;
+ }
+#endif
+ attr_modulus.ulValueLen = len;
- attr_exponent.pValue = p11_asn1_read (asn, "publicExponent", &attr_exponent.ulValueLen);
+ attr_exponent.pValue = p11_asn1_read (asn, "publicExponent", &len);
if (attr_exponent.pValue == NULL) {
p11_message (_("failed to obtain exponent"));
goto cleanup;
}
+#if ULONG_MAX < SIZE_MAX
+ if (len > ULONG_MAX) {
+ p11_message (_("failed to obtain exponent"));
+ goto cleanup;
+ }
+#endif
+ attr_exponent.ulValueLen = len;
result = p11_attrs_build (attrs, &attr_key_type, &attr_encrypt, &attr_modulus, &attr_exponent, NULL);
if (result == NULL) {
@@ -260,12 +276,20 @@ add_attrs_pubkey_ec (CK_ATTRIBUTE *attrs,
CK_ATTRIBUTE attr_key_type = { CKA_KEY_TYPE, &key_type, sizeof (key_type) };
CK_ATTRIBUTE attr_ec_params = { CKA_EC_PARAMS, };
CK_ATTRIBUTE attr_ec_point = { CKA_EC_POINT, };
+ size_t len = 0;
- attr_ec_params.pValue = p11_asn1_read (info, "algorithm.parameters", &attr_ec_params.ulValueLen);
+ attr_ec_params.pValue = p11_asn1_read (info, "algorithm.parameters", &len);
if (attr_ec_params.pValue == NULL) {
p11_message (_("failed to obtain EC parameters"));
goto cleanup;
}
+#if ULONG_MAX < SIZE_MAX
+ if (len > ULONG_MAX) {
+ p11_message (_("failed to obtain EC parameters"));
+ goto cleanup;
+ }
+#endif
+ attr_ec_params.ulValueLen = len;
/* subjectPublicKey is read as BIT STRING value which contains
* EC point data. We need to DER encode this data as OCTET STRING.

735
p11-kit.changes Normal file
View File

@ -0,0 +1,735 @@
-------------------------------------------------------------------
Fri Jul 26 15:15:20 UTC 2024 - Martin Jambor <mjambor@suse.com>
- Added a backport of an upstream commit in p11-kit-d938f4a8a3a2.patch
to avoid passing an incompatible pointer type to a function which is
an error by default in GCC 14.
-------------------------------------------------------------------
Fri Nov 17 10:11:56 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 0.25.3:
* rpc: fix serialization of NULL mechanism pointer [#601]
* fix meson build failure in macOS (appleframeworks not found) [#603]
-------------------------------------------------------------------
Thu Nov 2 08:58:08 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 0.25.2:
* fix error code checking of readpassphrase for --login option [#595]
* build fixes [#594]
* test fixes [#596]
-------------------------------------------------------------------
Fri Oct 27 12:05:22 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 0.25.1:
* fix probing of C_GetInterface [#535]
* p11-kit: add command to list tokens [#581]
* p11-kit: add command to list mechanisms supported by a token [#576]
* p11-kit: add command to generate private-public keypair on a token
[#551, #582]
* p11-kit: add commands to import/export certificates and public
keys into/from a token [#543, #549, #568, #588]
* p11-kit: add commands to list and delete objects of a token
[#533, #544, #571]
* p11-kit: add --login option to login into a token with object
and profile management commands [#587]
* p11-kit: adjust behavior of PKCS#11 profile management commands
[#558, #560, #583, #591]
* p11-kit: print PKCS#11 URIs in list-modules [#532]
* bug and build fixes [#528 #529, #534, #537, #540, #541, #545,
#547, #550, #557, #572, #575, #579, #585, #586, #590]
* test fixes [#553, #580]
* Remove patch fixed upstream:
- d1d4b0ac316a27c739ff91e6c4153f1154e96e5a.patch
-------------------------------------------------------------------
Wed Sep 20 21:26:03 UTC 2023 - Bjørn Lie <bjorn.lie@gmail.com>
- Add d1d4b0ac316a27c739ff91e6c4153f1154e96e5a.patch: Fix probing
of C_GetInterface.
-------------------------------------------------------------------
Wed Sep 20 08:49:47 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
- Update to 0.25.0:
* add PKCS#11 3.0 support
* add support for profile objects
* add ability to adjust module and config paths at run-time via
system environmental exports
* make terminal output nicer
* p11-kit: add command to print merged configuration
* p11-kit: add commands to list, add and delete profiles of a token
* trust: add command to check format of .p11-kit files
* virtual: fix libffi type signatures for PKCS#11 3.0 functions
* server: fix umask setting when --group is specified
* server: check SHELL only when neither --sh nor --csh is specified
* rpc: use space string in C_InitToken
* rpc: fix two off-by-one errors identified by asan
* modules: make logging message more translatable
* pkcs11.h: support CRYPTOKI_GNU for IBM vendor mechanisms
* pkcs11.h: add IBM specific mechanism and attributes
* pkcs11.h: add ChaCha20/Salsa20 and Poly1305 mechanisms
* pkcs11.h: add AES-GCM mechanism parameters for message-based encryption
* po: update translations from Transifex
- Update upstream p11-kit.keyring file
- Add missing lang files
- Switch to using Meson as the build system
-------------------------------------------------------------------
Mon Aug 8 16:03:57 UTC 2022 - Dirk Müller <dmueller@suse.com>
- skip testsuite on qemu arches, it fails
-------------------------------------------------------------------
Wed Mar 9 16:19:28 UTC 2022 - Ludwig Nussel <lnussel@suse.de>
- make sure p11-kit components have matching versions (boo#1196812)
-------------------------------------------------------------------
Tue Jan 25 10:42:15 UTC 2022 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 0.24.1:
* rpc: Support protocol version negotiation.
* proxy: Support copying attribute array recursively.
* Link libp11-kit so that it cannot unload.
* Translation improvements.
* Build fixes.
-------------------------------------------------------------------
Fri Dec 17 13:47:17 UTC 2021 - Bjørn Lie <bjorn.lie@gmail.com>
- Update to version 0.24.0:
* Use inclusive language on certificate distrust. Note: This
changes the directory and attribute names to distrust certain
CAs to "blocklist".
* Fix issues spotted by coverity and ASan.
* Integrate gettext with tools more tightly.
* rpc: Forbid use of array of attributes.
* Build fixes.
- Change dirs from blacklist to blocklist ref upstream changes.
-------------------------------------------------------------------
Mon Dec 13 11:11:31 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
- Enable systemd support
-------------------------------------------------------------------
Sun Jan 17 23:39:49 UTC 2021 - Dirk Müller <dmueller@suse.com>
- update to 0.23.22 (bsc#1180064, bsc#1180065, bsc#1180066, jsc#SLE-18495):
* Fix memory-safety issues that affect the RPC protocol
(CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363), discovered
and fixed by David Cook
* anchor: Prefer persistent format when storing anchor [PR#329]
* common: Fix infloop in p11_path_build [PR#326, PR#327]
* proxy: C_CloseAllSessions: Make sure that calloc args are non-zero [PR#325]
* common: Check for a NULL locale before freeing it [PR#321]
* proxy: Do not assign duplicate slot IDs [PR#282]
* common: Get program name based on executable path if possible [PR#307]
* anchor: Exit with non-zero code, if any error occurs [PR#304]
* Build and test fixes
-------------------------------------------------------------------
Mon Oct 5 13:19:09 UTC 2020 - Ludwig Nussel <lnussel@suse.de>
- avoid bareword to fix build failure
-------------------------------------------------------------------
Wed Apr 15 07:01:38 UTC 2020 - Martin Pluskal <mpluskal@suse.com>
- Update to version 0.23.20:
* Revert "Fix RPC when length-s are 0" changes [PR#276]
- Changes for version 0.23.19:
* common: add Russian PKCS#11 extensions to pkcs11x.h header [PR#255]
* Add simple bash completion for provided commands [PR#258]
* Unbreak list matching in enable-in and disable-in [PR#262]
* Fix RPC when length-s are 0 [PR#259]
* rpc: Add vsock transport support [PR#270]
* trust: Support CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER [PR#265]
* Build fixes [PR#271, PR#272, PR#273, ...]
- Changes for version 0.23.18:
* rpc: Allow empty CK_DATE value [PR#253]
* build: Meson fixes [PR#245]
* build: Adjust feature parity between meson and autotools [PR#247]
- Changes for version 0.23.17:
* common: Fix uClibc-ng compilation [PR#237]
* trust: do not allow daylight to invalidate date validation [PR#236]
* build: Port to meson build system [PR#231, PR#234]
* rpc: On UNIX wait on condition variable instead of FD if header is for a different thread [PR#232]
* doc: Add 'server' command in help [PR#229]
* Build and test fixes [PR#230]
- Changes for version 0.23.16:
* proxy: Support C_WaitForSlotEvent() if CKF_DONT_BLOCK is specified [PR#225]
* conf: Ignore user configuration if the program is running as root [PR#226]
* proxy: Refresh slot list on every C_GetSlotList call [PR#224]
* modules: Fix index used in call to p11_dict_remove() [PR#219]
* Fix Win32 p11_dl_error crash [PR#218]
* modules: check gl.modules before iterates on it when freeing [PR#217]
* trust: Ignore unreadable content in anchors [PR#215]
* extract-jks: Prefer _p11_extract_jks_timestamp to SOURCE_DATE_EPOCH [PR#213]
- Changes for version 0.23.15:
* trust: Improve error handling if backed trust file is corrupted [PR#206]
* url: Prefer upper-case letters in hex characters when encoding [PR#193]
* trust/extract-jks.c: also honor SOURCE_DATE_EPOCH time [PR#202]
* virtual: Prefer fixed closures to libffi closures [PR#196]
* Fix issues spotted by coverity and cppcheck [PR#194, PR#204]
* Build and test fixes [PR#164, PR#191, PR#199, PR#201]
- Changes for version 0.23.14:
* proxy: Avoid invalid memory access when unloading proxy module [PR#180]
* Update pkcs11 header to allow SoftHSMv2 to compile [PR#181]
* build: Restore libpthread dependency [PR#183]
* Build fixes [PR#188]
- Changes for version 0.23.13:
* server: Enable socket activation through systemd [PR#173]
* rpc-server: p11_kit_remote_serve_tokens: Allow exporting all modules [PR#174]
* proxy: Fail early if there is no slot mapping [PR#175]
* Remove hard dependency on libpthread [PR#177]
* Build fixes [PR#170, PR#176]
- Remove obsolete patches:
* 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch
* 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch
-------------------------------------------------------------------
Mon Dec 23 11:00:15 UTC 2019 - Ludwig Nussel <lnussel@suse.de>
- Also build documentation (boo#1013125)
-------------------------------------------------------------------
Fri Nov 15 11:02:43 UTC 2019 - Ludwig Nussel <lnussel@suse.de>
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox
detects built in certificates (boo#1154871,
0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch,
0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch)
-------------------------------------------------------------------
Fri May 10 09:28:21 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
- Move RPM macros to %_rpmmacrodir.
-------------------------------------------------------------------
Fri Jun 15 04:09:24 UTC 2018 - fezhang@suse.com
- New version 0.23.12
* Fix compile error when PKCS#11 GNU calling convention enabled
- Changelog from version 0.23.11
* trust: Add extractor for edk2/cacerts.bin
* modules: Add option to control module visibility from proxy
* trust: Prevent trust module being loaded by proxy module
* library: Use dedicated locale object for printing error
* Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly
* Improve const correctness for P11KitUri
* PKCS#11 URI scheme comparison is now case insensitive
- Drop p11-kit-biarch.patch: Obsolete since 0.23.10
-------------------------------------------------------------------
Tue Mar 27 08:33:43 UTC 2018 - lnussel@suse.de
- New version 0.23.10
* New p11-kit server command
* The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY attribute
* New trust dump command
* New envvar P11_KIT_NO_USER_CONFIG to stop looking at user configurations
* trust: Respect anyExtendedKeyUsage in CA certificates
* Support x-init-reserved argument of C_Initialize() in remote modules
* install private executables in libexecdir, obsoletes p11-kit-biarch.patch
- new server subpackage
- change keyring to new maintainer Daiki Ueno
- Changes for version 0.23.9
* Fix p11-kit server regressions [PR#103, PR#104]
* trust: Respect anyExtendedKeyUsage in CA certificates [PR#99]
* Build fixes related to reallocarray [PR#96, PR#98, PR#100]
- Changes for version 0.23.8
* Improve vendor query attributes handling in PKCS#11 URI [PR#92]
* Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91]
* New envvar P11_KIT_NO_USER_CONFIG to stop looking at user
configurations [PR#87]
* Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86]
- Changes for version 0.23.7
* Fix memory issues with "p11-kit server" [PR#78]
* Build fixes [PR#77 ...]
- Changes for version 0.23.6
* Port "p11-kit server" to Windows and portability fixes of the RPC
protocol [PR#67, PR#72, PR#74]
* Recover the old behavior of "trust anchor --remove" [PR#70, PR#71]
* Build fixes [PR#63 ...]
- Changes for version 0.23.5
* Fix license notice of common/unix-peer.c [PR#58]
* Remove systemd unit files for now [PR#60]
* Build fixes for FreeBSD [PR#56]
- Changes for version 0.23.4
* Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31,
PR#37, PR#52]
* The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY
attribute, used by Firefox [#99453, PR#46]
* Add 'trust dump' command to dump all PKCS#11 objects in the
persistence format [PR#44]
* New experimental 'p11-kit server' command that allows PKCS#11
forwarding through a Unix domain socket. A client-side module
p11-kit-client.so is also provided [PR#15]
* Add systemd unit files for exporting the proxy module through a
Unix domain socket [PR#35]
* New P11KitIter API to iterate over slots, tokens, and modules in
addition to objects [PR#28]
* libffi dependency is now optional [PR#9]
* Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45]
- Changes for version 0.23.3
* Install private executables in libexecdir [fdo#98817]
* Fix link error of proxy module on macOS [fdo#98022]
* Use new PKCS#11 URI specification for URIs [fdo#97245]
* Support x-init-reserved argument of C_Initialize() in remote modules
[fdo#80519]
* Incorporate changes from PKCS#11 2.40 specification
* Bump libtool library version
* Documentation fixes
* Build fixes [fdo#87192 ...]
-------------------------------------------------------------------
Tue Mar 20 13:26:02 CET 2018 - kukuk@suse.de
- Use %license instead of %doc [bsc#1082318]
-------------------------------------------------------------------
Tue Nov 22 14:57:50 CET 2016 - sbrabec@suse.com
- 32-bit compatibility fixes:
* Add PKCS11 module to p11-kit-32bit (bsc#996047#c39)
* Add p11-kit-nss-trust-32bit NSS module
* Fix potential bi-arch issue with private binaries
(fdo#98817, p11-kit-biarch.patch)
-------------------------------------------------------------------
Mon Feb 8 21:25:45 UTC 2016 - mpluskal@suse.com
- Update to 0.23.2
* Fix forking issues with libffi
* Fix various crashes in corner cases
* Updated translations
* Build fixes
- Make building more verbose
- Enable tests
- Small spec file cleanup with spec-cleaner
-------------------------------------------------------------------
Sun Mar 8 18:56:55 UTC 2015 - p.drouand@gmail.com
- Update to version 0.23.1 (stable)
* Use new PKCS#11 URI draft fields for URIs [fdo#86474 fdo#87582]
* Add pem-directory-hash extract format
* Build fixes
- Remove 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff;
fixed on upstream release
- Remove autoconf, automake and libtool require; unneeded dependencies
- Add gtk-doc require; needed to build html documentation
- Remove redundant %clean section
-------------------------------------------------------------------
Mon Oct 13 16:09:09 UTC 2014 - lnussel@suse.de
- remove patches:
* trust-Print-label-of-certificate-when-complaining-.patch
* trust-Dont-use-invalid-public-keys-for-looking-up-.patch
- new version 0.20.7 (stable)
* New public pkcs11x.h header containing extensions [fdo#83495]
* Export necessary defines to lookup attached extensions [fdo#83495]
* Build fixes
- new version 0.20.6 (stable)
* Make the p11-kit-proxy.so module respect critical = no [fdo#83651]
* Build fix for FreeBSD [fdo#75674]
- new version 0.20.5 (stable)
* Don't use invalid keys for looking up stapled extensions [fdo#82328]
* Better error messages when invalid certificate extensions
* Fix parsing of some odd OpenSSL TRUSTED CERTIFICATE files
* Fix some leaks, and memory issues
* Silence some clang scanner warnings
- new version 0.20.4 (stable)
* Don't complain about C_Finalize after a fork
* Fix typo
-------------------------------------------------------------------
Fri Aug 29 06:47:50 UTC 2014 - lnussel@suse.de
- new version 0.20.3
* Fix problems reinitializing managed modules after fork
* Fix bad bookeeping when fail initializing one of the modules
* Fix case where module would be unloaded while in use [#74919]
* Remove assertions when module used before initialized [#74919]
* Fix handling of mmap failure and mapping empty files [#74773]
* Stable p11_kit_be_quiet() and p11_kit_be_loud() functions
* Require automake 1.12 or later
* Build fixes for Windows [#76594 #74149]
- apply patches to avoid errors from certificates with invalid public key
(fdo#82328, bnc#890908,
trust-Dont-use-invalid-public-keys-for-looking-up-.patch,
trust-Print-label-of-certificate-when-complaining-.patch)
-------------------------------------------------------------------
Mon May 19 07:04:38 UTC 2014 - lnussel@suse.de
- New version 0.20.2
* Fix bug where blacklist didn't affect extracted ca-anchors if the anchor
and blacklist were not in the same trust path (regression) [fdo#73558]
* Check for race in BasicConstraints stapled extension [fdo#69314]
* Build fixes and cleanup
-------------------------------------------------------------------
Tue Feb 11 12:53:06 UTC 2014 - meissner@suse.com
- added .sig file. trying to locate source of the keyring.
-------------------------------------------------------------------
Fri Dec 6 09:31:32 UTC 2013 - lnussel@suse.de
- trust: allow to also add openssl style hashes to pem-directory
0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
-------------------------------------------------------------------
Tue Sep 10 09:02:33 UTC 2013 - lnussel@suse.de
- upgrade to 0.20.1 which is 0.19 declared stable
* Extract compat trust data after we've changes
* Skip compat extraction if running as non-root
* Better failure messages when removing anchors
-------------------------------------------------------------------
Fri Aug 30 12:33:32 UTC 2013 - lnussel@suse.de
- new version 0.19.4
* 'trust anchor' now adds/removes certificate anchors
* 'trust list' lists trust policy stuff
* 'p11-kit extract' is now 'trust extract'
* 'p11-kit extract-trust' is now 'trust extract-compat'
* Workarounds for working on broken zfsonlinux.org [#68525]
* Add --with-module-config parameter to the configure script [#68122]
* Add support for removing stored PKCS#11 objects in trust module
-------------------------------------------------------------------
Thu Jul 25 09:06:51 UTC 2013 - lnussel@suse.de
- new version 0.19.3
* Fix up problems with automake testing
* Fix a bunch of memory leaks in newly refactored code
* Don't use _GNU_SOURCE and the unportability it brings
* Add basic 'trust anchor' command to store a new anchor
* Support for writing out trust token objects
* Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec
* Add option to use freebl for hashing
* Implement reloading of token data
* Fix warnings and possible minor bugs higlighted by code scanners
* Don't load configs in home directories when running setuid or setgid
* Support treating ~/.config as $XDG_CONFIG_HOME
* Use $XDG_DATA_HOME/pkcs11 as default user config directory
* Use $TMPDIR instead of $TEMP while testing
* Open files and fds with O_CLOEXEC
* Abort initialization if a critical module fails to load
* Don't use thread-unsafe functions: strerror, getpwuid
* Fix p11_kit_space_strlen() result when empty string
* Refactoring of where various components live
-------------------------------------------------------------------
Fri Jul 5 08:09:46 UTC 2013 - lnussel@suse.de
- fix 32bit provides of libnssckbi.so
- repace p11-kit-extract-trust with update-ca-certificates
-------------------------------------------------------------------
Fri Jun 28 09:30:03 UTC 2013 - lnussel@suse.de
- provide libnssckbi.so to replace mozilla-nss-certs
-------------------------------------------------------------------
Mon Jun 24 13:08:21 UTC 2013 - lnussel@suse.de
- add p11-kit-nss-trust subpackage that serves as drop-in
replacement for mozilla-nss-certs
-------------------------------------------------------------------
Wed Jun 19 09:24:45 UTC 2013 - lnussel@suse.de
- use /etc/pki/trust and /usr/share/pki/trust as system CA
certificate store
-------------------------------------------------------------------
Mon May 27 14:40:57 UTC 2013 - dimstar@opensuse.org
- Update to version 0.19.1:
+ Refactor API to be able to handle managed modules.
+ Deprecate much of old p11-kit API.
+ Implement concept of managed modules.
+ Make C_CloseAllSessions function work for multiple callers.
+ New dependency on libffi.
+ Fix possible threading problems reported by hellgrind.
+ Add log-calls option.
+ Mark p11_kit_message() as a stable function.
+ Use our own unit testing framework.
- Add pkgconfig(libffi) BuildRequires: new dependency.
-------------------------------------------------------------------
Tue May 14 18:27:52 UTC 2013 - dimstar@opensuse.org
- Update to version 0.18.2:
+ Build fixes (fdo#64378)
-------------------------------------------------------------------
Mon May 13 21:13:20 UTC 2013 - dimstar@opensuse.org
- Also provide p11-kit-32bit (in fact, the pkcs#11 modules)
(bnc#819246).
-------------------------------------------------------------------
Mon Apr 15 18:46:10 UTC 2013 - dimstar@opensuse.org
- Update to version 0.18.1:
+ Put the external tools in $libdir/p11-kit.
+ Documentation build fixes.
-------------------------------------------------------------------
Thu Apr 4 13:34:40 UTC 2013 - dimstar@opensuse.org
- Update to version 0.18.0:
+ Fix use of trust module with gcr and empathy (fdo#62896).
+ Further tweaks to trust module date parsing.
+ Fix unaligned memory reads (fdo#62819).
+ Win32 fixes (fdo#63062, fdo#63046).
+ Debug and logging tweaks (fdo#62874).
+ Other build fixes.
-------------------------------------------------------------------
Thu Mar 28 21:42:55 UTC 2013 - zaitor@opensuse.org
- Update to version 0.17.5:
+ Don't try to guess at overflowing time values on 32-bit
systems (fdo#62825).
+ Test fixes (fdo#927394).
-------------------------------------------------------------------
Thu Mar 21 08:10:37 UTC 2013 - dimstar@opensuse.org
- Update to version 0.17.4:
+ Check for duplicate certificates in a token, warn and discard
(fdo#62548).
+ Implement a proper index so we have decent load performance.
-------------------------------------------------------------------
Wed Mar 20 19:09:13 UTC 2013 - dimstar@opensuse.org
- Update to version 0.17.3:
+ Use descriptive labels for the trust module tokens (fdo#62534).
+ Remove the temporary built in distrust objects.
+ Make extracted output directories and files read-only
(fdo#61898).
+ Don't export unneccessary ABI.
+ Build fixes (fdo#62479).
-------------------------------------------------------------------
Tue Mar 19 20:39:24 UTC 2013 - dimstar@opensuse.org
- Update to version 0.17.2:
+ Fix build on 32-bit linux.
+ Fix several crashers.
- Changes from version 0.17.1:
+ Support a p11-kit specific PKCS#11 attribute persistance format
(fdo#62156).
+ Use the SHA1 hash of SPKI as the CKA_ID in the trust module by
default (fdo#62329).
+ Refactor a trust builder which builds objects out of parsed
data (fdo#62329).
+ Combine trust policy when extracting certificates (fdo#61497).
+ The extract --comment option adds comments to PEM bundles
(fdo#62029).
+ A new 'priority' config option for ordering modules
(fdo#61978).
+ Make each configured path its own trust module token
(fdo#61499).
+ Use --with-trust-paths to configure trust module (fdo#62327).
+ Fix bug decoding some PEM files.
+ Better debug output for trust module lookups.
+ Work around bug in NSS when doing serial number lookups.
+ Work around broken strndup() function in firefox.
+ Fix the nickname for the distrusted attribute.
+ Build fixes.
- Add ca-certificates BuildRequires: needed to find the location of
the root certificates.
-------------------------------------------------------------------
Thu Mar 14 12:26:18 UTC 2013 - dimstar@opensuse.org
- Update to version 0.16.4:
+ Display per command help again (fdo#62153).
+ Don't always print tools debug output (fdo#62152).
- Changes from version 0.16.3:
+ When iterating don't skip tokens without the
CKF_TOKEN_INITIALIZED flag.
+ Hardcode some distrust records for NSS temporarily.
+ Parse global options better in the p11-kit command.
+ Better debugging.
- Changes from version 0.16.2:
+ Fix regression in 'p11-kit extract --purpose' option
(fdo#62009)
+ Documentation updates
+ Build fixes (fdo#62001).
- Changes from version 0.16.1:
+ Don't break when cA field of BasicConstraints is missing
(fdo#61975).
+ Documentation fixes and updates.
+ p11-kit extract-trust is a placeholder script now.
-------------------------------------------------------------------
Tue Mar 5 13:36:20 UTC 2013 - dimstar@opensuse.org
- Update to version 0.16.0:
+ Update the pkcs11.h header for new mechanisms
+ Fix build and tests on mingw64 (ie: win32)
+ Relicense LGPL code to BSD license
+ Documentation tweaks
+ Bugs fixed: fdo#61739, fdo#60894, fdo#61740, fdo#60792
+ Updated translations.
- Changes from version 0.15.2:
+ Better define the libtasn1 dependency.
+ Crasher and bug fixes.
+ Build fixes.
+ Updated translations.
- Changes from version 0.15.1:
+ Fix some memory leaks.
+ Add a location for packages to drop module configs.
+ Documentation updates and fixes.
+ Add command line tool manual page.
+ Remove unused err() function and friends.
+ Move more code into common/ directory and refactor.
+ Add a system trust policy module.
+ Refactor how the p11-kit command line tool works.
+ Add p11-kit extract and extract-trust commands.
+ Don't complain if we cannot access ~/.pkcs11/pkcs11.conf.
+ Refuse to load the p11-kit-proxy.so as a registered module.
+ Don't fail initialization if last initialized module fails.
-------------------------------------------------------------------
Fri Sep 7 11:04:40 UTC 2012 - dimstar@opensuse.org
- Update to version 0.14:
+ Change default for user-config to merge
+ Always URI-encode the 'id' attribute in PKCS#11 URIs
+ Expect a .module extension on module configs
+ Windows compatibility fixes
+ Testing fixes
+ Build fixes
-------------------------------------------------------------------
Mon Jul 23 06:26:02 UTC 2012 - zaitor@opensuse.org
- Update to version 0.13:
+ Don't allow reading of PIN files larger than 4096 bytes
+ If a module is not marked as critical then ignore init failure
+ Use preconditions to check for input problems and out of memory
+ Add enable-in and disable-in options to module config
+ Fix the flags in pin.h
+ Use gcc extensions to check varargs during compile
+ Fix crasher when a duplicate module is present
+ Fix broken hashmap behavior
+ Testing fixes
+ Win32 build fixes
+ 'p11-kit -h' now works
+ Documentation fixes
-------------------------------------------------------------------
Fri Mar 9 19:37:44 UTC 2012 - dimstar@opensuse.org
- Update to version 0.12:
+ Build fix.
-------------------------------------------------------------------
Fri Feb 10 08:05:27 UTC 2012 - vuntz@opensuse.org
- Update to version 0.11:
+ Remove automatic reinitialization of PKCS#11 after fork
-------------------------------------------------------------------
Wed Jan 4 09:08:59 UTC 2012 - vuntz@opensuse.org
- Update to version 0.10:
+ Build fixes, for windows, gcc 4.6.1.
-------------------------------------------------------------------
Tue Nov 15 10:18:49 UTC 2011 - dimstar@opensuse.org
- Update to version 0.9:
+ p11-kit can't be used as a static library.
+ Fix problems crashing when freeing TLS on windows.
+ Add debug output to windows init and uninit of library.
+.Build fixes, especially for windows
-------------------------------------------------------------------
Thu Oct 27 21:53:33 UTC 2011 - dimstar@opensuse.org
- Update to version 0.8:
+ Rename non-static functions to have a _p11_xxx prefix
+ No concurrent calling of C_Initialize and C_Finalize
+ Print more information in 'p11-kit -l'
+ Initial port to win32
+ Build and testing fixes.
-------------------------------------------------------------------
Tue Sep 27 19:24:59 UTC 2011 - vuntz@opensuse.org
- Update to version 0.7:
+ Expand p11-kit config variables correctly in various build
scenarios
+ Add test tool to print out error messages
+ Build fix on FreeBSD
-------------------------------------------------------------------
Thu Sep 15 05:02:07 UTC 2011 - vuntz@opensuse.org
- Update to version 0.6:
+ Add concept of a default module directory from which modules
with relative paths are loaded.
+ Renamed pkg-config variables to make it clearer what's what.
-------------------------------------------------------------------
Fri Sep 2 08:20:47 UTC 2011 - vuntz@opensuse.org
- Update to version 0.5:
+ Fix crasher in p11_kit_registered_modules()
+ Add 'critical' setting for modules, which defaults to 'no'
+ Fix initialization issues in the proxy module
-------------------------------------------------------------------
Fri Aug 19 19:37:44 CEST 2011 - dimstar@opensuse.org
- Update to version 0.4:
+ Fix endless loop if module forks during initialization
+ Update PKCS#11 URI code for new draft of spec
+ Don't fail when duplicate modules are configured
+ Better debug output
+ Add example configuration documentation
+ Support whitespace in PKCS#11 URIs
- Move the p11-kit.conf.example to the doc folder.
-------------------------------------------------------------------
Sat Jul 30 15:04:36 CEST 2011 - vuntz@opensuse.org
- Update to version 0.3:
+ Rewrite hash table, and simplify licensing.
+ Correct paths for p11-kit config files.
+ Many build fixes and tweaks.
- Remove Apache-2 part from License tag, as the code was rewritten.
-------------------------------------------------------------------
Mon Jul 25 15:35:57 CEST 2011 - vuntz@opensuse.org
- Initial package (version 0.2).

BIN
p11-kit.keyring Normal file
View File

Binary file not shown.

211
p11-kit.spec Normal file
View File

@ -0,0 +1,211 @@
#
# spec file for package p11-kit
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define pkidir_cfg %{_sysconfdir}/pki
%define pkidir_static %{_datadir}/pki
%define trustdir_cfg %{pkidir_cfg}/trust
%define trustdir_static %{pkidir_static}/trust
Name: p11-kit
Version: 0.25.3
Release: 0
Summary: Library to work with PKCS#11 modules
License: BSD-3-Clause
Group: Development/Libraries/C and C++
URL: https://p11-glue.freedesktop.org/p11-kit.html
Source0: https://github.com/p11-glue/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz
Source1: https://github.com/p11-glue/%{name}/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig
Source98: https://p11-glue.github.io/p11-glue/%{name}/%{name}-release-keyring.gpg#/%{name}.keyring
Source99: baselibs.conf
Patch1: p11-kit-d938f4a8a3a2.patch
BuildRequires: gtk-doc
%if 0%{?suse_version} >= 1600
BuildRequires: libtasn1-tools
%else
BuildRequires: libtasn1
%endif
BuildRequires: meson >= 0.59.0
BuildRequires: pkgconfig
BuildRequires: pkgconfig(libffi) >= 3.0.0
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libtasn1) >= 2.3
BuildRequires: pkgconfig(systemd)
%description
p11-kit provides a way to load and enumerate PKCS#11 modules, as well
as a standard configuration setup for installing PKCS#11 modules in
such a way that they're discoverable.
%package -n libp11-kit0
Summary: Library to work with PKCS#11 modules
Group: System/Libraries
Conflicts: p11-kit < %{version}-%{release}
%description -n libp11-kit0
p11-kit provides a way to load and enumerate PKCS#11 modules, as well
as a standard configuration setup for installing PKCS#11 modules in
such a way that they're discoverable.
%package tools
Summary: Library to work with PKCS#11 modules -- Tools
Group: Development/Libraries/C and C++
Conflicts: p11-kit < %{version}-%{release}
%description tools
p11-kit provides a way to load and enumerate PKCS#11 modules, as well
as a standard configuration setup for installing PKCS#11 modules in
such a way that they're discoverable.
%package devel
Summary: Library to work with PKCS#11 modules -- Development Files
Group: Development/Libraries/C and C++
Requires: libp11-kit0 = %{version}
%description devel
p11-kit provides a way to load and enumerate PKCS#11 modules, as well
as a standard configuration setup for installing PKCS#11 modules in
such a way that they're discoverable.
%package nss-trust
Summary: Adaptor to make NSS read the p11-kit trust store
Group: Productivity/Networking/Security
Requires: p11-kit = %{version}
Conflicts: mozilla-nss-certs
%if "%{_lib}" == "lib64"
Provides: libnssckbi.so()(64bit)
%else
Provides: libnssckbi.so
%endif
%description nss-trust
Adaptor library to make NSS read the p11-kit trust store. It has
to be installed intead of mozilla-nss-certs.
%package server
Summary: Server and client commands for p11-kit
Group: Development/Libraries/C and C++
Requires: %{name}%{?_isa} = %{version}-%{release}
%description server
Command line tools that enable to export PKCS#11 modules through a
Unix domain socket. Note that this feature is still experimental.
%prep
%autosetup -p1
%build
%meson -Dtrust_paths=%{trustdir_cfg}:%{trustdir_static} \
-Dbash_completion=disabled \
-Dgtk_doc=true -Dman=true
%meson_build
%install
%meson_install
#
install -d m 755 %{buildroot}%{trustdir_cfg}/{anchors,blocklist}
install -d m 755 %{buildroot}%{trustdir_static}/{anchors,blocklist}
# Create pkcs11 config directory
test ! -e %{buildroot}%{_sysconfdir}/pkcs11/modules
install -d %{buildroot}%{_sysconfdir}/pkcs11/modules
# Remove sample config away to doc folder. Having the sample there would conflict
# with future versions of the library on file level. As replacement, we package
# the file as documentation file.
install -d m 755 %{buildroot}%{_docdir}/libp11-kit0
mv %{buildroot}%{_sysconfdir}/pkcs11/pkcs11.conf.example %{buildroot}%{_docdir}/libp11-kit0
find %{buildroot} -type f -name "*.la" -delete -print
#
install -d -m 755 %{buildroot}%{_rpmmacrodir}
cat <<'FIN' >%{buildroot}%{_rpmmacrodir}/macros.%{name}
# Macros from p11-kit package
%%pkidir_cfg %{pkidir_cfg}
%%pkidir_static %{pkidir_static}
%%trustdir_cfg %{trustdir_cfg}
%%trustdir_static %{trustdir_static}
FIN
#
# nss compat lib
ln -s %{_libdir}/pkcs11/p11-kit-trust.so %{buildroot}%{_libdir}/libnssckbi.so
#
# call update-ca-certificates when trust changes
rm %{buildroot}%{_libexecdir}/%{name}/trust-extract-compat
ln -s ../../sbin/update-ca-certificates %{buildroot}%{_libexecdir}/%{name}/p11-kit-extract-trust
export NO_BRP_STALE_LINK_ERROR=yes # *grr*
%find_lang %{name}
%if !0%{?qemu_user_space_build}
%check
%meson_test
%endif
%post -n libp11-kit0 -p /sbin/ldconfig
%postun -n libp11-kit0 -p /sbin/ldconfig
%files -f %{name}.lang
%dir %{_libdir}/pkcs11
%dir %{_datadir}/%{name}
%dir %{_datadir}/%{name}/modules
%dir %{pkidir_cfg}
%dir %{trustdir_cfg}
%dir %{trustdir_cfg}/anchors
%dir %{trustdir_cfg}/blocklist
%dir %{pkidir_static}
%dir %{trustdir_static}
%dir %{trustdir_static}/anchors
%dir %{trustdir_static}/blocklist
%{_datadir}/%{name}/modules/p11-kit-trust.module
%{_libdir}/pkcs11/p11-kit-trust.so
%dir %{_libexecdir}/%{name}
%{_libexecdir}/%{name}/p11-kit-remote
%{_libexecdir}/%{name}/p11-kit-extract-trust
%files -n libp11-kit0
%license COPYING
# Package the example conf file as documentation. Like this we're sure that we will
# not introduce conflicts with this version of the library and future ones.
%doc pkcs11.conf.example
%doc AUTHORS ChangeLog NEWS README
%dir %{_sysconfdir}/pkcs11
%dir %{_sysconfdir}/pkcs11/modules/
%{_libdir}/libp11-kit.so.*
%{_libdir}/p11-kit-proxy.so
%files tools
%{_bindir}/p11-kit
%{_bindir}/trust
%{_mandir}/man1/trust.1%{?ext_man}
%{_mandir}/man5/pkcs11.conf.5%{?ext_man}
%{_mandir}/man8/p11-kit.8%{?ext_man}
%files devel
%{_rpmmacrodir}/macros.%{name}
%{_includedir}/p11-kit-1/
%{_libdir}/libp11-kit.so
%{_libdir}/pkgconfig/p11-kit-1.pc
%doc %dir %{_datadir}/gtk-doc
%doc %dir %{_datadir}/gtk-doc/html
%doc %{_datadir}/gtk-doc/html/p11-kit/
%files nss-trust
%{_libdir}/libnssckbi.so
%files server
%{_libdir}/pkcs11/p11-kit-client.so
%{_libexecdir}/p11-kit/p11-kit-server
%{_userunitdir}/p11-kit-server.service
%{_userunitdir}/p11-kit-server.socket
%changelog