Accepting request 920615 from security

OBS-URL: https://build.opensuse.org/request/show/920615
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/parsec?expand=0&rev=6

_service

@@ -1,6 +1,6 @@
 <services>
   <service name="cargo_vendor" mode="disabled">
     <param name="compression">xz</param>
-    <param name="srcdir">parsec-0.7.2</param>
+    <param name="srcdir">parsec-0.8.0</param>
   </service>
 </services>

parsec-0.7.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:baa114fe0cadffccca3e8a29702c8482691e5ad44e823e317e04d33e7ef41c47
-size 837424

parsec-0.8.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ee23842c8f2975136a9e41caf075a659b5a81f1e8a95d388d84abc885d046b72
+size 867922

parsec-fix-old-rust.patch

@@ -1,53 +0,0 @@
-From f9688c44319c1733586d6fbc3b3c24a403deaed8 Mon Sep 17 00:00:00 2001
-From: Hugues de Valon <hugues.devalon@arm.com>
-Date: Fri, 30 Apr 2021 10:48:37 +0100
-Subject: [PATCH] Make it compile for Rust 1.43.1
-
-The From trait was not implemented for that version of Rust. Uses the
-to_vec method which achieves the same thing.
-
-Signed-off-by: Hugues de Valon <hugues.devalon@arm.com>
----
- src/providers/pkcs11/key_management.rs | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/providers/pkcs11/key_management.rs b/src/providers/pkcs11/key_management.rs
-index 6bc5e06..73ce607 100644
---- a/src/providers/pkcs11/key_management.rs
-+++ b/src/providers/pkcs11/key_management.rs
-@@ -27,7 +27,7 @@ impl Provider {
-         key_id: u32,
-         key_type: KeyPairType,
-     ) -> Result<ObjectHandle> {
--        let mut template = vec![Attribute::Id(key_id.to_be_bytes().into())];
-+        let mut template = vec![Attribute::Id(key_id.to_be_bytes().to_vec())];
- 
-         match key_type {
-             KeyPairType::PublicKey => template.push(Attribute::Class(ObjectClass::PUBLIC_KEY)),
-@@ -103,7 +103,7 @@ impl Provider {
-         let key_id = self.create_key_id();
- 
-         let mut pub_template = vec![
--            Attribute::Id(key_id.to_be_bytes().into()),
-+            Attribute::Id(key_id.to_be_bytes().to_vec()),
-             Attribute::Token(true.into()),
-             Attribute::AllowedMechanisms(vec![Mechanism::try_from(
-                 key_attributes.policy.permitted_algorithms,
-@@ -122,7 +122,7 @@ impl Provider {
-         let mech = match key_attributes.key_type {
-             Type::RsaKeyPair => {
-                 pub_template.push(Attribute::Private(false.into()));
--                pub_template.push(Attribute::PublicExponent(utils::PUBLIC_EXPONENT.into()));
-+                pub_template.push(Attribute::PublicExponent(utils::PUBLIC_EXPONENT.to_vec()));
-                 pub_template.push(Attribute::ModulusBits(
-                     key_attributes.bits.try_into().map_err(to_response_status)?,
-                 ));
-@@ -225,7 +225,7 @@ impl Provider {
-         template.push(Attribute::PublicExponent(exponent_object.into()));
-         template.push(Attribute::Verify(true.into()));
-         template.push(Attribute::Encrypt(true.into()));
--        template.push(Attribute::Id(key_id.to_be_bytes().into()));
-+        template.push(Attribute::Id(key_id.to_be_bytes().to_vec()));
-         template.push(Attribute::Private(false.into()));
-         template.push(Attribute::AllowedMechanisms(vec![MechanismType::RSA_PKCS]));
- 

parsec.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Fri Aug  6 07:01:27 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Update to 0.8.0:
+  * Changelog: https://github.com/parallaxsecond/parsec/compare/0.7.2...0.8.0
+- Drop upstream patch:
+  * parsec-fix-old-rust.patch
+- Disable 'trusted-service-provider' as it currently fails to build
+- Disable 'jwt-svid-authenticator' (SPIFFE-based authenticator)
+  on Leap, as it cannot be compiled with rust 1.43.1
+
 -------------------------------------------------------------------
 Fri Apr 30 11:36:56 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>
 

parsec.spec

@@ -17,13 +17,10 @@
 
 
 %global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
-# Features available:
-# all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider"]
-# all-authenticators = ["direct-authenticator", "unix-peer-credentials-authenticator"]
-%define features "all-authenticators,all-providers"
+
 %{?systemd_ordering}
 Name:           parsec
-Version:        0.7.2
+Version:        0.8.0
 Release:        0
 Summary:        Platform AbstRaction for SECurity
 License:        Apache-2.0
@@ -35,8 +32,7 @@ Source3:        parsec.service
 Source4:        config.toml
 Source5:        parsec.conf
 Source6:        system-user-parsec.conf
-# Fix build with old rust used in Leap 15.3/SLE15-SP3 - https://github.com/parallaxsecond/parsec/issues/409
-Patch1:         parsec-fix-old-rust.patch
+Source10:       https://git.trustedfirmware.org/TS/trusted-services.git/snapshot/trusted-services-c1cf912.tar.gz
 BuildRequires:  cargo
 BuildRequires:  clang-devel
 BuildRequires:  cmake
@@ -65,17 +61,31 @@ This abstraction layer keeps workloads decoupled from physical platform details,
 enabling cloud-native delivery flows within the data center and at the edge.
 
 %prep
-%autosetup -p1 -a1
+%setup -q -a1 -a10
+rmdir trusted-services-vendor
+mv trusted-services-c1cf912 trusted-services-vendor
 rm -rf .cargo && mkdir .cargo
 cp %{SOURCE2} .cargo/config
 # Enable all providers
 sed -i -e 's#default = \["unix-peer-credentials-authenticator"\]##' Cargo.toml
-echo 'default = ["all-authenticators", "all-providers"]' >> Cargo.toml
+# Features available in 0.8.0:
+# all-providers = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider", "trusted-service-provider"]
+# all-authenticators = ["direct-authenticator", "unix-peer-credentials-authenticator", "jwt-svid-authenticator"]
+%if 0%{suse_version} > 1500
+# Tumbleweed
+# Disable "trusted-service-provider" until we have a trusted-services package
+echo 'default = ["tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider", "all-authenticators"]' >> Cargo.toml
+%else
+# Leap/SLE
+# Disable jwt-svid-authenticator (SPIFFE-based authenticator) as it cannot be compiled with rust 1.43.1
+# Disable "trusted-service-provider" until we have a trusted-services package
+echo 'default = ["direct-authenticator", "unix-peer-credentials-authenticator", "tpm-provider", "pkcs11-provider", "mbed-crypto-provider", "cryptoauthlib-provider"]' >> Cargo.toml
+%endif
 
 %build
 export PROTOC=%{_bindir}/protoc
 export PROTOC_INCLUDE=%{_includedir}
-%cargo_build -- --features=%features
+%cargo_build
 %sysusers_generate_pre %{SOURCE6} parsec
 
 %install
@@ -98,7 +108,7 @@ rm -rf %{buildroot}%{_datadir}/cargo/registry
 %check
 export PROTOC=%{_bindir}/protoc
 export PROTOC_INCLUDE=%{_includedir}
-%cargo_test -- --lib --features=%features
+%cargo_test -- --lib
 
 %pre -f parsec.pre
 %service_add_pre parsec.service

trusted-services-c1cf912.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7725f1023f51268d006668947dc888b171c59676834542934391f9a2a1fc19ca
+size 370978

vendor.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:52db05370be4cd68810011da087965bd267731e298df1620667179225eecb505
-size 27078988
+oid sha256:ff2f7282df17acde5a50c99263eabc8c8ab2a97f1c6481ca61293cd58c233896
+size 42409996