From 0b5d673ec827541d71ce5cb948d9a31da9539d46d503087a369390137cd2435a Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Sun, 24 Feb 2013 11:07:40 +0000 Subject: [PATCH 1/2] Accepting request 156163 from home:joeyli:branches:openSUSE:Factory:bnc805166 Modified pesign-bnc805166-fix-signature-list.patch, block out the source code for find/attach Issuer certificate (bnc#805166 comment#13) OBS-URL: https://build.opensuse.org/request/show/156163 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=11 --- pesign-bnc805166-fix-signature-list.patch | 182 +++++++++++----------- pesign.changes | 7 + pesign.spec | 1 + 3 files changed, 100 insertions(+), 90 deletions(-) diff --git a/pesign-bnc805166-fix-signature-list.patch b/pesign-bnc805166-fix-signature-list.patch index 133f59f..f8704d3 100644 --- a/pesign-bnc805166-fix-signature-list.patch +++ b/pesign-bnc805166-fix-signature-list.patch @@ -35,10 +35,10 @@ Date: Fri Feb 22 15:13:08 2013 +0800 9eb2814858270af2d7ecfbfa5ca131e7be2f9f53 -diff --git a/libdpe/pe_addcert.c b/libdpe/pe_addcert.c -index e391242..b6ba969 100644 ---- a/libdpe/pe_addcert.c -+++ b/libdpe/pe_addcert.c +Index: pesign-0.99/libdpe/pe_addcert.c +=================================================================== +--- pesign-0.99.orig/libdpe/pe_addcert.c ++++ pesign-0.99/libdpe/pe_addcert.c @@ -59,7 +59,7 @@ pe_alloccert(Pe *pe, size_t size) memset(addr, '\0', size); @@ -48,10 +48,10 @@ index e391242..b6ba969 100644 #if 0 pe_set_image_size(pe); -diff --git a/libdpe/pe_updatefile.c b/libdpe/pe_updatefile.c -index 7a29757..a8fe769 100644 ---- a/libdpe/pe_updatefile.c -+++ b/libdpe/pe_updatefile.c +Index: pesign-0.99/libdpe/pe_updatefile.c +=================================================================== +--- pesign-0.99.orig/libdpe/pe_updatefile.c ++++ pesign-0.99/libdpe/pe_updatefile.c @@ -24,6 +24,7 @@ #include 
@@ -60,7 +60,7 @@ index 7a29757..a8fe769 100644 __get_last_section(Pe *pe) { Pe_Scn *scn = NULL; -@@ -79,6 +80,7 @@ compare_sections (const void *a, const void *b) +@@ -79,6 +80,7 @@ compare_sections (const void *a, const v } static void @@ -86,10 +86,10 @@ index 7a29757..a8fe769 100644 return 0; } -diff --git a/src/actions.c b/src/actions.c -index 9e4ac59..5c5dd89 100644 ---- a/src/actions.c -+++ b/src/actions.c +Index: pesign-0.99/src/actions.c +=================================================================== +--- pesign-0.99.orig/src/actions.c ++++ pesign-0.99/src/actions.c @@ -268,7 +268,7 @@ failure: return ret; } @@ -108,7 +108,7 @@ index 9e4ac59..5c5dd89 100644 ssize_t available = available_cert_space(ctx->outpe); if (available < ctx->cms_ctx->newsig.len) { -@@ -406,14 +404,6 @@ check_signature_space(pesign_context *ctx) +@@ -406,14 +404,6 @@ check_signature_space(pesign_context *ct } } @@ -123,11 +123,11 @@ index 9e4ac59..5c5dd89 100644 void allocate_signature_space(Pe *pe, ssize_t sigspace) { -diff --git a/src/actions.h b/src/actions.h -index 400876f..4ecaad8 100644 ---- a/src/actions.h -+++ b/src/actions.h -@@ -28,12 +28,12 @@ extern int list_signatures(pesign_context *ctx); +Index: pesign-0.99/src/actions.h +=================================================================== +--- pesign-0.99.orig/src/actions.h ++++ pesign-0.99/src/actions.h +@@ -28,12 +28,12 @@ extern int list_signatures(pesign_contex extern void check_signature_space(pesign_context *ctx); extern void allocate_signature_space(Pe *pe, ssize_t sigspace); extern off_t export_signature(cms_context *cms, int fd, int ascii_armor); 
@@ -141,11 +141,11 @@ index 400876f..4ecaad8 100644 extern void insert_signature(cms_context *cms, int signum); #endif /* PESIGN_CRYPTO_H */ -diff --git a/src/cms_common.c b/src/cms_common.c -index 9ab2021..3b2e71a 100644 ---- a/src/cms_common.c -+++ b/src/cms_common.c -@@ -304,6 +304,17 @@ is_valid_cert(CERTCertificate *cert, void *data) +Index: pesign-0.99/src/cms_common.c +=================================================================== +--- pesign-0.99.orig/src/cms_common.c ++++ pesign-0.99/src/cms_common.c +@@ -304,6 +304,17 @@ is_valid_cert(CERTCertificate *cert, voi return SECFailure; } @@ -163,10 +163,15 @@ index 9ab2021..3b2e71a 100644 /* This is the dumbest function ever, but we need it anyway, because nss * is garbage. */ static void -@@ -448,6 +459,88 @@ err_slots: - return 0; - } +@@ -443,6 +454,88 @@ err_slots: + PK11_DestroySlotListElement(slots, &psle); + PK11_FreeSlotList(slots); ++ CERT_DestroyCertList(certlist); ++ ++ return 0; ++} ++ +int +find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert) +{ @@ -244,18 +249,13 @@ index 9ab2021..3b2e71a 100644 + + PK11_DestroySlotListElement(slots, &psle); + PK11_FreeSlotList(slots); -+ CERT_DestroyCertList(certlist); -+ -+ return 0; -+} -+ - static SEC_ASN1Template EmptySequenceTemplate[] = { - { - .kind = SEC_ASN1_SEQUENCE, -diff --git a/src/cms_common.h b/src/cms_common.h -index a3848cd..2b2d619 100644 ---- a/src/cms_common.h -+++ b/src/cms_common.h + CERT_DestroyCertList(certlist); + + return 0; +Index: pesign-0.99/src/cms_common.h +=================================================================== +--- pesign-0.99.orig/src/cms_common.h ++++ pesign-0.99/src/cms_common.h @@ -19,9 +19,35 @@ #ifndef CMS_COMMON_H #define CMS_COMMON_H 1 
@@ -293,7 +293,7 @@ index a3848cd..2b2d619 100644 struct digest { PK11Context *pk11ctx; -@@ -109,6 +135,10 @@ extern int generate_digest(cms_context *cms, Pe *pe); +@@ -109,6 +135,10 @@ extern int generate_digest(cms_context * extern int generate_signature(cms_context *ctx); extern int unlock_nss_token(cms_context *ctx); extern int find_certificate(cms_context *ctx); @@ -304,11 +304,11 @@ index a3848cd..2b2d619 100644 extern SECOidTag digest_get_digest_oid(cms_context *cms); extern SECOidTag digest_get_encryption_oid(cms_context *cms); -diff --git a/src/daemon.c b/src/daemon.c -index 4a9af87..92ae856 100644 ---- a/src/daemon.c -+++ b/src/daemon.c -@@ -288,7 +288,8 @@ set_up_inpe(context *ctx, int fd, Pe **pe) +Index: pesign-0.99/src/daemon.c +=================================================================== +--- pesign-0.99.orig/src/daemon.c ++++ pesign-0.99/src/daemon.c +@@ -288,7 +288,8 @@ set_up_inpe(context *ctx, int fd, Pe **p return -1; } @@ -328,10 +328,10 @@ index 4a9af87..92ae856 100644 pe_end(outpe); } else { if (ftruncate(outfd, 0) != 0) { -diff --git a/src/pesign.c b/src/pesign.c -index bfda33b..fcb2dca 100644 ---- a/src/pesign.c -+++ b/src/pesign.c +Index: pesign-0.99/src/pesign.c +=================================================================== +--- pesign-0.99.orig/src/pesign.c ++++ pesign-0.99/src/pesign.c @@ -104,7 +104,8 @@ open_input(pesign_context *ctx) exit(1); } @@ -414,10 +414,10 @@ index bfda33b..fcb2dca 100644 close_output(ctxp); break; case DAEMONIZE: -diff --git a/src/peverify.c b/src/peverify.c -index 08aad27..e010d87 100644 ---- a/src/peverify.c -+++ b/src/peverify.c +Index: pesign-0.99/src/peverify.c +=================================================================== +--- pesign-0.99.orig/src/peverify.c ++++ pesign-0.99/src/peverify.c @@ -55,9 +55,12 @@ open_input(peverify_context *ctx) exit(1); } 
@@ -433,10 +433,10 @@ index 08aad27..e010d87 100644 exit(1); } } -diff --git a/src/siglist.c b/src/siglist.c -index 1a933e7..ca097e6 100644 ---- a/src/siglist.c -+++ b/src/siglist.c +Index: pesign-0.99/src/siglist.c +=================================================================== +--- pesign-0.99.orig/src/siglist.c ++++ pesign-0.99/src/siglist.c @@ -17,11 +17,15 @@ * Author(s): Peter Jones */ @@ -454,7 +454,7 @@ index 1a933e7..ca097e6 100644 struct efi_signature_data { efi_guid_t SignatureOwner; -@@ -135,7 +139,10 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner, +@@ -135,7 +139,10 @@ signature_list_add_sig(signature_list *s if (memcmp(&sl->SignatureType, &x509_guid, sizeof (efi_guid_t)) == 0) { if (sigsize > sl->SignatureSize) resize_entries(sl, sigsize); @@ -466,7 +466,7 @@ index 1a933e7..ca097e6 100644 return -1; } -@@ -162,11 +169,31 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner, +@@ -162,11 +169,31 @@ signature_list_add_sig(signature_list *s return 0; } @@ -475,9 +475,7 @@ index 1a933e7..ca097e6 100644 +#if 0 +int +signature_list_parse(signature_list *sl, uint8_t *data, size_t len) - { -- if (sl->realized) -- return sl->realized; ++{ + if (!sl) + return -1; + @@ -494,7 +492,9 @@ index 1a933e7..ca097e6 100644 + +int +signature_list_realize(signature_list *sl, void **out, size_t *outsize) -+{ + { +- if (sl->realized) +- return sl->realized; + if (sl->realized) { + free(sl->realized); + sl->realized = NULL; @@ -502,7 +502,7 @@ index 1a933e7..ca097e6 100644 struct efi_signature_list *esl = NULL; uint32_t size = sizeof (*esl) + -@@ -174,7 +201,7 @@ signature_list_realize(signature_list *sl) +@@ -174,7 +201,7 @@ signature_list_realize(signature_list *s void *ret = calloc(1, size); if (!ret) @@ -511,7 +511,7 @@ index 1a933e7..ca097e6 100644 esl = ret; memcpy(esl, sl, sizeof (*esl)); -@@ -186,7 +213,10 @@ signature_list_realize(signature_list *sl) +@@ -186,7 +213,10 @@ signature_list_realize(signature_list *s } sl->realized = ret; 
@@ -523,11 +523,11 @@ index 1a933e7..ca097e6 100644 } void -diff --git a/src/siglist.h b/src/siglist.h -index 2961a39..a576ffd 100644 ---- a/src/siglist.h -+++ b/src/siglist.h -@@ -24,7 +24,8 @@ typedef struct signature_list signature_list; +Index: pesign-0.99/src/siglist.h +=================================================================== +--- pesign-0.99.orig/src/siglist.h ++++ pesign-0.99/src/siglist.h +@@ -24,7 +24,8 @@ typedef struct signature_list signature_ extern signature_list *signature_list_new(efi_guid_t SignatureType); extern int signature_list_add_sig(signature_list *sl, efi_guid_t owner, uint8_t *sig, uint32_t sigsize); @@ -537,11 +537,11 @@ index 2961a39..a576ffd 100644 extern void signature_list_free(signature_list *sl); #endif /* SIGLIST_H */ -diff --git a/src/signed_data.c b/src/signed_data.c -index e676cb3..83957d6 100644 ---- a/src/signed_data.c -+++ b/src/signed_data.c -@@ -76,20 +76,51 @@ static int +Index: pesign-0.99/src/signed_data.c +=================================================================== +--- pesign-0.99.orig/src/signed_data.c ++++ pesign-0.99/src/signed_data.c +@@ -76,20 +76,53 @@ static int generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p) { SECItem **certificates = NULL; @@ -561,7 +561,7 @@ index e676cb3..83957d6 100644 + if (!certificates) { + save_port_err(PORT_ArenaRelease(cms->arena, mark)); + cmsreterr(-1, cms, "could not allocate certificate list"); -+ } + } + int i = 0; + + certificates[i] = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem)); @@ -571,6 +571,7 @@ index e676cb3..83957d6 100644 + } + SECITEM_CopyItem(cms->arena, certificates[i++], &cms->cert->derCert); + ++#if 0 + if (!is_issuer_of(cms->cert, cms->cert)) { + CERTCertificate *signer = NULL; + int rc = find_named_certificate(cms, cms->cert->issuerName, 
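Review bot: The `+#if 0` inserted just before `if (!is_issuer_of(cms->cert, cms->cert))` in the signed_data.c hunk, together with the matching `+#endif` in the `@@ -598,16 +599,17 @@` hunk on the next line, disables issuer-certificate attachment with no in-source explanation; the only rationale is the changelog's pointer to bnc#805166 comment#13. With the block disabled, the certificate list handed to the signer holds only the leaf copied by the `SECITEM_CopyItem(cms->arena, certificates[i++], &cms->cert->derCert)` line above the guard, so the chain-building material a verifier gets from the signature changes, and that should be stated where the next maintainer will see it. I would add `/* Issuer-cert attachment disabled, see bnc#805166 comment#13 */` directly above the `#if 0`. The enclosing generate_certificate_list() body spans both hunks, and the is_issuer_of()/find_named_certificate() definitions are outside them.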
@@ -598,16 +599,17 @@ index e676cb3..83957d6 100644 + } + CERT_DestroyCertificate(signer); + } - } ++ } ++#endif - SECITEM_CopyItem(cms->arena, certificates[0], &cms->cert->derCert); *certificate_list_p = certificates; return 0; } -diff --git a/src/wincert.c b/src/wincert.c -index 4b5ba45..4197a87 100644 ---- a/src/wincert.c -+++ b/src/wincert.c +Index: pesign-0.99/src/wincert.c +=================================================================== +--- pesign-0.99.orig/src/wincert.c ++++ pesign-0.99/src/wincert.c @@ -25,13 +25,13 @@ struct cert_list_entry { }; @@ -626,7 +628,7 @@ index 4b5ba45..4197a87 100644 } uint8_t *data = malloc(cl_size); -@@ -41,15 +41,15 @@ generate_cert_list(cms_context *cms, void **cert_list, +@@ -41,15 +41,15 @@ generate_cert_list(cms_context *cms, voi *cert_list = (void *)data; *cert_list_size = cl_size; @@ -647,7 +649,7 @@ index 4b5ba45..4197a87 100644 } return 0; -@@ -62,12 +62,13 @@ implant_cert_list(Pe *pe, void *cert_list, size_t cert_list_size) +@@ -62,12 +62,13 @@ implant_cert_list(Pe *pe, void *cert_lis } int @@ -732,7 +734,7 @@ index 4b5ba45..4197a87 100644 { cert_iter iter; int rc = cert_iter_init(&iter, pe); -@@ -238,8 +267,8 @@ parse_signatures(cms_context *cms, Pe *pe) +@@ -238,8 +267,8 @@ parse_signatures(cms_context *cms, Pe *p } if (nsigs == 0) { @@ -743,7 +745,7 @@ index 4b5ba45..4197a87 100644 return 0; } -@@ -271,8 +300,8 @@ parse_signatures(cms_context *cms, Pe *pe) +@@ -271,8 +300,8 @@ parse_signatures(cms_context *cms, Pe *p i++; } @@ -754,10 +756,10 @@ index 4b5ba45..4197a87 100644 return 0; err: -diff --git a/src/wincert.h b/src/wincert.h -index 4309915..ed7e15c 100644 ---- a/src/wincert.h -+++ b/src/wincert.h +Index: pesign-0.99/src/wincert.h +=================================================================== +--- pesign-0.99.orig/src/wincert.h ++++ pesign-0.99/src/wincert.h @@ -32,8 +32,6 @@ typedef struct win_certificate { uint16_t cert_type; } win_certificate; 
@@ -767,7 +769,7 @@ index 4309915..ed7e15c 100644 typedef struct cert_iter { Pe *pe; off_t n; -@@ -45,6 +43,10 @@ extern int cert_iter_init(cert_iter *iter, Pe *pe); +@@ -45,6 +43,10 @@ extern int cert_iter_init(cert_iter *ite extern int next_cert(cert_iter *iter, void **cert, ssize_t *cert_size); extern ssize_t available_cert_space(Pe *pe); extern ssize_t calculate_signature_space(cms_context *cms, Pe *pe); diff --git a/pesign.changes b/pesign.changes index f94f955..d028f15 100644 --- a/pesign.changes +++ b/pesign.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Sat Feb 23 04:47:48 UTC 2013 - jlee@suse.com + +- Modified pesign-bnc805166-fix-signature-list.patch, block out the + source code for find/attach Issuer certificate + (bnc#805166 comment#13) + ------------------------------------------------------------------- Fri Feb 22 08:44:43 UTC 2013 - glin@suse.com diff --git a/pesign.spec b/pesign.spec index b02c2f6..76fe4b5 100644 --- a/pesign.spec +++ b/pesign.spec @@ -16,6 +16,7 @@ # + Name: pesign Version: 0.99 Release: 0 From ed0b396886e6d7eda11e5652ef769bfeb0921b3745379c2015410cf7959f3fcf Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Mon, 25 Feb 2013 10:09:38 +0000 Subject: [PATCH 2/2] Accepting request 156290 from home:gary_lin:branches:Base:System Update pesign-bnc805166-fix-signature-list.patch to skip the unneeded private key request. (bnc#805166c#17) OBS-URL: https://build.opensuse.org/request/show/156290 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=12 --- pesign-bnc805166-fix-signature-list.patch | 296 ++++++++++++---------- pesign.changes | 6 + pesign.spec | 1 - 3 files changed, 175 insertions(+), 128 deletions(-) diff --git a/pesign-bnc805166-fix-signature-list.patch b/pesign-bnc805166-fix-signature-list.patch index f8704d3..0506bad 100644 --- a/pesign-bnc805166-fix-signature-list.patch +++ b/pesign-bnc805166-fix-signature-list.patch 
@@ -1,44 +1,58 @@ -commit 63c6ad572b3c1a7041dc581072421c2c94ff5d35 -Author: Gary Ching-Pang Lin -Date: Fri Feb 22 15:13:08 2013 +0800 +From 4956251d79904be08c4012fa06c14434f8e706ed Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Fri, 22 Feb 2013 15:13:08 +0800 +Subject: [PATCH 1/2] Backport patches to fix signature list - Backport patches to fix signature list - - Get cms_context out of wincert functions. - ee357451be9968cedda57ce13b103eb82c590e67 - - Rework siglist to be somewhat more useful. - a5ec0d2cd06dec0961fc3fed680e7e385dc5bec8 - - Don't allow our signature list iterator to walk off the end of the file. - 18980866e7952100d98510297c0e1cc25fca8fc8 - - Include old signatures in new space calculations. - 77d334d77435d64e88fcc772b5b58440b394584a - - Make implanting extracted certificates work again. - 5ceddd2f80dfea70d211236190943746c2d2f77b - - Add error handling macros to make code simpler. - 0bafa814b49a9556550cfbc373e0ea5b9edb929e - - Add is_issuer_of(cert, cert) helper function. - 7750aaeceb2655807788f8e45417e84cb5404a8e - - Add "find_named_certificate()" helper function. - c89c8dbf7929f8f8f36bc1c4045fcc17d5ce7e5c - - Make generate_certificate_list include the issuing certificate. - 8c3d82ceb5029bedfee1577682fec5ff3669ff3c - - Fix a casting problem on 32-bit. - - 9eb2814858270af2d7ecfbfa5ca131e7be2f9f53 +Get cms_context out of wincert functions. +ee357451be9968cedda57ce13b103eb82c590e67 -Index: pesign-0.99/libdpe/pe_addcert.c -=================================================================== ---- pesign-0.99.orig/libdpe/pe_addcert.c -+++ pesign-0.99/libdpe/pe_addcert.c +Rework siglist to be somewhat more useful. +a5ec0d2cd06dec0961fc3fed680e7e385dc5bec8 + +Don't allow our signature list iterator to walk off the end of the file. +18980866e7952100d98510297c0e1cc25fca8fc8 + +Include old signatures in new space calculations. +77d334d77435d64e88fcc772b5b58440b394584a + +Make implanting extracted certificates work again. 
+5ceddd2f80dfea70d211236190943746c2d2f77b + +Add error handling macros to make code simpler. +0bafa814b49a9556550cfbc373e0ea5b9edb929e + +Add is_issuer_of(cert, cert) helper function. +7750aaeceb2655807788f8e45417e84cb5404a8e + +Add "find_named_certificate()" helper function. +c89c8dbf7929f8f8f36bc1c4045fcc17d5ce7e5c + +Make generate_certificate_list include the issuing certificate. +8c3d82ceb5029bedfee1577682fec5ff3669ff3c + +Fix a casting problem on 32-bit. +9eb2814858270af2d7ecfbfa5ca131e7be2f9f53 +--- + libdpe/pe_addcert.c | 2 +- + libdpe/pe_updatefile.c | 13 ++++++- + src/actions.c | 12 +------ + src/actions.h | 2 +- + src/cms_common.c | 93 ++++++++++++++++++++++++++++++++++++++++++++++++ + src/cms_common.h | 32 ++++++++++++++++- + src/daemon.c | 6 ++-- + src/pesign.c | 35 +++++++++++++++--- + src/peverify.c | 7 ++-- + src/siglist.c | 46 +++++++++++++++++++----- + src/siglist.h | 3 +- + src/signed_data.c | 53 +++++++++++++++++++++------ + src/wincert.c | 65 +++++++++++++++++++++++---------- + src/wincert.h | 8 +++-- + 14 files changed, 312 insertions(+), 65 deletions(-) + +diff --git a/libdpe/pe_addcert.c b/libdpe/pe_addcert.c +index e391242..b6ba969 100644 +--- a/libdpe/pe_addcert.c ++++ b/libdpe/pe_addcert.c @@ -59,7 +59,7 @@ pe_alloccert(Pe *pe, size_t size) memset(addr, '\0', size); @@ -48,10 +62,10 @@ Index: pesign-0.99/libdpe/pe_addcert.c #if 0 pe_set_image_size(pe); -Index: pesign-0.99/libdpe/pe_updatefile.c -=================================================================== ---- pesign-0.99.orig/libdpe/pe_updatefile.c -+++ pesign-0.99/libdpe/pe_updatefile.c +diff --git a/libdpe/pe_updatefile.c b/libdpe/pe_updatefile.c +index 7a29757..a8fe769 100644 +--- a/libdpe/pe_updatefile.c ++++ b/libdpe/pe_updatefile.c @@ -24,6 +24,7 @@ #include 
@@ -60,7 +74,7 @@ Index: pesign-0.99/libdpe/pe_updatefile.c __get_last_section(Pe *pe) { Pe_Scn *scn = NULL; -@@ -79,6 +80,7 @@ compare_sections (const void *a, const v +@@ -79,6 +80,7 @@ compare_sections (const void *a, const void *b) } static void @@ -86,10 +100,10 @@ Index: pesign-0.99/libdpe/pe_updatefile.c return 0; } -Index: pesign-0.99/src/actions.c -=================================================================== ---- pesign-0.99.orig/src/actions.c -+++ pesign-0.99/src/actions.c +diff --git a/src/actions.c b/src/actions.c +index 9e4ac59..5c5dd89 100644 +--- a/src/actions.c ++++ b/src/actions.c @@ -268,7 +268,7 @@ failure: return ret; } @@ -108,7 +122,7 @@ Index: pesign-0.99/src/actions.c ssize_t available = available_cert_space(ctx->outpe); if (available < ctx->cms_ctx->newsig.len) { -@@ -406,14 +404,6 @@ check_signature_space(pesign_context *ct +@@ -406,14 +404,6 @@ check_signature_space(pesign_context *ctx) } } @@ -123,11 +137,11 @@ Index: pesign-0.99/src/actions.c void allocate_signature_space(Pe *pe, ssize_t sigspace) { -Index: pesign-0.99/src/actions.h -=================================================================== ---- pesign-0.99.orig/src/actions.h -+++ pesign-0.99/src/actions.h -@@ -28,12 +28,12 @@ extern int list_signatures(pesign_contex +diff --git a/src/actions.h b/src/actions.h +index 400876f..4ecaad8 100644 +--- a/src/actions.h ++++ b/src/actions.h +@@ -28,12 +28,12 @@ extern int list_signatures(pesign_context *ctx); extern void check_signature_space(pesign_context *ctx); extern void allocate_signature_space(Pe *pe, ssize_t sigspace); extern off_t export_signature(cms_context *cms, int fd, int ascii_armor); 
@@ -141,11 +155,11 @@ Index: pesign-0.99/src/actions.h extern void insert_signature(cms_context *cms, int signum); #endif /* PESIGN_CRYPTO_H */ -Index: pesign-0.99/src/cms_common.c -=================================================================== ---- pesign-0.99.orig/src/cms_common.c -+++ pesign-0.99/src/cms_common.c -@@ -304,6 +304,17 @@ is_valid_cert(CERTCertificate *cert, voi +diff --git a/src/cms_common.c b/src/cms_common.c +index 9ab2021..3b2e71a 100644 +--- a/src/cms_common.c ++++ b/src/cms_common.c +@@ -304,6 +304,17 @@ is_valid_cert(CERTCertificate *cert, void *data) return SECFailure; } @@ -163,15 +177,10 @@ Index: pesign-0.99/src/cms_common.c /* This is the dumbest function ever, but we need it anyway, because nss * is garbage. */ static void -@@ -443,6 +454,88 @@ err_slots: +@@ -448,6 +459,88 @@ err_slots: + return 0; + } - PK11_DestroySlotListElement(slots, &psle); - PK11_FreeSlotList(slots); -+ CERT_DestroyCertList(certlist); -+ -+ return 0; -+} -+ +int +find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert) +{ @@ -249,13 +258,18 @@ Index: pesign-0.99/src/cms_common.c + + PK11_DestroySlotListElement(slots, &psle); + PK11_FreeSlotList(slots); - CERT_DestroyCertList(certlist); - - return 0; -Index: pesign-0.99/src/cms_common.h -=================================================================== ---- pesign-0.99.orig/src/cms_common.h -+++ pesign-0.99/src/cms_common.h ++ CERT_DestroyCertList(certlist); ++ ++ return 0; ++} ++ + static SEC_ASN1Template EmptySequenceTemplate[] = { + { + .kind = SEC_ASN1_SEQUENCE, +diff --git a/src/cms_common.h b/src/cms_common.h +index a3848cd..2b2d619 100644 +--- a/src/cms_common.h ++++ b/src/cms_common.h @@ -19,9 +19,35 @@ #ifndef CMS_COMMON_H #define CMS_COMMON_H 1 
@@ -293,7 +307,7 @@ Index: pesign-0.99/src/cms_common.h struct digest { PK11Context *pk11ctx; -@@ -109,6 +135,10 @@ extern int generate_digest(cms_context * +@@ -109,6 +135,10 @@ extern int generate_digest(cms_context *cms, Pe *pe); extern int generate_signature(cms_context *ctx); extern int unlock_nss_token(cms_context *ctx); extern int find_certificate(cms_context *ctx); @@ -304,11 +318,11 @@ Index: pesign-0.99/src/cms_common.h extern SECOidTag digest_get_digest_oid(cms_context *cms); extern SECOidTag digest_get_encryption_oid(cms_context *cms); -Index: pesign-0.99/src/daemon.c -=================================================================== ---- pesign-0.99.orig/src/daemon.c -+++ pesign-0.99/src/daemon.c -@@ -288,7 +288,8 @@ set_up_inpe(context *ctx, int fd, Pe **p +diff --git a/src/daemon.c b/src/daemon.c +index 4a9af87..92ae856 100644 +--- a/src/daemon.c ++++ b/src/daemon.c +@@ -288,7 +288,8 @@ set_up_inpe(context *ctx, int fd, Pe **pe) return -1; } @@ -328,10 +342,10 @@ Index: pesign-0.99/src/daemon.c pe_end(outpe); } else { if (ftruncate(outfd, 0) != 0) { -Index: pesign-0.99/src/pesign.c -=================================================================== ---- pesign-0.99.orig/src/pesign.c -+++ pesign-0.99/src/pesign.c +diff --git a/src/pesign.c b/src/pesign.c +index bfda33b..fcb2dca 100644 +--- a/src/pesign.c ++++ b/src/pesign.c @@ -104,7 +104,8 @@ open_input(pesign_context *ctx) exit(1); } @@ -414,10 +428,10 @@ Index: pesign-0.99/src/pesign.c close_output(ctxp); break; case DAEMONIZE: -Index: pesign-0.99/src/peverify.c -=================================================================== ---- pesign-0.99.orig/src/peverify.c -+++ pesign-0.99/src/peverify.c +diff --git a/src/peverify.c b/src/peverify.c +index 08aad27..e010d87 100644 +--- a/src/peverify.c ++++ b/src/peverify.c @@ -55,9 +55,12 @@ open_input(peverify_context *ctx) exit(1); } 
@@ -433,10 +447,10 @@ Index: pesign-0.99/src/peverify.c exit(1); } } -Index: pesign-0.99/src/siglist.c -=================================================================== ---- pesign-0.99.orig/src/siglist.c -+++ pesign-0.99/src/siglist.c +diff --git a/src/siglist.c b/src/siglist.c +index 1a933e7..ca097e6 100644 +--- a/src/siglist.c ++++ b/src/siglist.c @@ -17,11 +17,15 @@ * Author(s): Peter Jones */ @@ -454,7 +468,7 @@ Index: pesign-0.99/src/siglist.c struct efi_signature_data { efi_guid_t SignatureOwner; -@@ -135,7 +139,10 @@ signature_list_add_sig(signature_list *s +@@ -135,7 +139,10 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner, if (memcmp(&sl->SignatureType, &x509_guid, sizeof (efi_guid_t)) == 0) { if (sigsize > sl->SignatureSize) resize_entries(sl, sigsize); @@ -466,7 +480,7 @@ Index: pesign-0.99/src/siglist.c return -1; } -@@ -162,11 +169,31 @@ signature_list_add_sig(signature_list *s +@@ -162,11 +169,31 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner, return 0; } @@ -475,7 +489,9 @@ Index: pesign-0.99/src/siglist.c +#if 0 +int +signature_list_parse(signature_list *sl, uint8_t *data, size_t len) -+{ + { +- if (sl->realized) +- return sl->realized; + if (!sl) + return -1; + @@ -492,9 +508,7 @@ Index: pesign-0.99/src/siglist.c + +int +signature_list_realize(signature_list *sl, void **out, size_t *outsize) - { -- if (sl->realized) -- return sl->realized; ++{ + if (sl->realized) { + free(sl->realized); + sl->realized = NULL; @@ -502,7 +516,7 @@ Index: pesign-0.99/src/siglist.c struct efi_signature_list *esl = NULL; uint32_t size = sizeof (*esl) + -@@ -174,7 +201,7 @@ signature_list_realize(signature_list *s +@@ -174,7 +201,7 @@ signature_list_realize(signature_list *sl) void *ret = calloc(1, size); if (!ret) 
@@ -511,7 +525,7 @@ Index: pesign-0.99/src/siglist.c esl = ret; memcpy(esl, sl, sizeof (*esl)); -@@ -186,7 +213,10 @@ signature_list_realize(signature_list *s +@@ -186,7 +213,10 @@ signature_list_realize(signature_list *sl) } sl->realized = ret; @@ -523,11 +537,11 @@ Index: pesign-0.99/src/siglist.c } void -Index: pesign-0.99/src/siglist.h -=================================================================== ---- pesign-0.99.orig/src/siglist.h -+++ pesign-0.99/src/siglist.h -@@ -24,7 +24,8 @@ typedef struct signature_list signature_ +diff --git a/src/siglist.h b/src/siglist.h +index 2961a39..a576ffd 100644 +--- a/src/siglist.h ++++ b/src/siglist.h +@@ -24,7 +24,8 @@ typedef struct signature_list signature_list; extern signature_list *signature_list_new(efi_guid_t SignatureType); extern int signature_list_add_sig(signature_list *sl, efi_guid_t owner, uint8_t *sig, uint32_t sigsize); @@ -537,11 +551,11 @@ Index: pesign-0.99/src/siglist.h extern void signature_list_free(signature_list *sl); #endif /* SIGLIST_H */ -Index: pesign-0.99/src/signed_data.c -=================================================================== ---- pesign-0.99.orig/src/signed_data.c -+++ pesign-0.99/src/signed_data.c -@@ -76,20 +76,53 @@ static int +diff --git a/src/signed_data.c b/src/signed_data.c +index e676cb3..83957d6 100644 +--- a/src/signed_data.c ++++ b/src/signed_data.c +@@ -76,20 +76,51 @@ static int generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p) { SECItem **certificates = NULL; @@ -561,7 +575,7 @@ Index: pesign-0.99/src/signed_data.c + if (!certificates) { + save_port_err(PORT_ArenaRelease(cms->arena, mark)); + cmsreterr(-1, cms, "could not allocate certificate list"); - } ++ } + int i = 0; + + certificates[i] = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem)); 
@@ -571,7 +585,6 @@ Index: pesign-0.99/src/signed_data.c + } + SECITEM_CopyItem(cms->arena, certificates[i++], &cms->cert->derCert); + -+#if 0 + if (!is_issuer_of(cms->cert, cms->cert)) { + CERTCertificate *signer = NULL; + int rc = find_named_certificate(cms, cms->cert->issuerName, @@ -599,17 +612,16 @@ Index: pesign-0.99/src/signed_data.c + } + CERT_DestroyCertificate(signer); + } -+ } -+#endif + } - SECITEM_CopyItem(cms->arena, certificates[0], &cms->cert->derCert); *certificate_list_p = certificates; return 0; } -Index: pesign-0.99/src/wincert.c -=================================================================== ---- pesign-0.99.orig/src/wincert.c -+++ pesign-0.99/src/wincert.c +diff --git a/src/wincert.c b/src/wincert.c +index 4b5ba45..4197a87 100644 +--- a/src/wincert.c ++++ b/src/wincert.c @@ -25,13 +25,13 @@ struct cert_list_entry { }; @@ -628,7 +640,7 @@ Index: pesign-0.99/src/wincert.c } uint8_t *data = malloc(cl_size); -@@ -41,15 +41,15 @@ generate_cert_list(cms_context *cms, voi +@@ -41,15 +41,15 @@ generate_cert_list(cms_context *cms, void **cert_list, *cert_list = (void *)data; *cert_list_size = cl_size; @@ -649,7 +661,7 @@ Index: pesign-0.99/src/wincert.c } return 0; -@@ -62,12 +62,13 @@ implant_cert_list(Pe *pe, void *cert_lis +@@ -62,12 +62,13 @@ implant_cert_list(Pe *pe, void *cert_list, size_t cert_list_size) } int @@ -734,7 +746,7 @@ Index: pesign-0.99/src/wincert.c { cert_iter iter; int rc = cert_iter_init(&iter, pe); -@@ -238,8 +267,8 @@ parse_signatures(cms_context *cms, Pe *p +@@ -238,8 +267,8 @@ parse_signatures(cms_context *cms, Pe *pe) } if (nsigs == 0) { @@ -745,7 +757,7 @@ Index: pesign-0.99/src/wincert.c return 0; } -@@ -271,8 +300,8 @@ parse_signatures(cms_context *cms, Pe *p +@@ -271,8 +300,8 @@ parse_signatures(cms_context *cms, Pe *pe) i++; } 
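Review bot: Dropping the `+#if 0` in the `@@ -571,7 +585,6 @@` hunk (and the `+#endif` in `@@ -599,17 +612,16 @@`) re-enables the `find_named_certificate(cms, cms->cert->issuerName, ...)` lookup for every non-self-signed signer, so signing now depends on the issuer certificate being present in the NSS database again; the pesign.changes entry in this commit only mentions skipping the private key request, so this behavioural reversal of the previous day's change is undocumented. The handling of the returned `rc` sits in inner lines 585–598, which are not on this page, so I cannot confirm whether a missing issuer aborts signing or silently yields a single-certificate list — the commit message or a comment above the `if (!is_issuer_of(...))` line should say which. Something like `/* Attach the issuer so verifiers can build the chain; see bnc#805166 */` would do. The enclosing generate_certificate_list() body extends across both hunks.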
@@ -756,10 +768,10 @@ Index: pesign-0.99/src/wincert.c return 0; err: -Index: pesign-0.99/src/wincert.h -=================================================================== ---- pesign-0.99.orig/src/wincert.h -+++ pesign-0.99/src/wincert.h +diff --git a/src/wincert.h b/src/wincert.h +index 4309915..ed7e15c 100644 +--- a/src/wincert.h ++++ b/src/wincert.h @@ -32,8 +32,6 @@ typedef struct win_certificate { uint16_t cert_type; } win_certificate; @@ -769,7 +781,7 @@ Index: pesign-0.99/src/wincert.h typedef struct cert_iter { Pe *pe; off_t n; -@@ -45,6 +43,10 @@ extern int cert_iter_init(cert_iter *ite +@@ -45,6 +43,10 @@ extern int cert_iter_init(cert_iter *iter, Pe *pe); extern int next_cert(cert_iter *iter, void **cert, ssize_t *cert_size); extern ssize_t available_cert_space(Pe *pe); extern ssize_t calculate_signature_space(cms_context *cms, Pe *pe); @@ -781,3 +793,33 @@ Index: pesign-0.99/src/wincert.h + #endif /* PESIGN_WINCERT_H */ +-- +1.7.10.4 + + +From 8d86f6db19be98538fd5397a9de5f7d06733746e Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Mon, 25 Feb 2013 10:43:09 +0800 +Subject: [PATCH 2/2] Don't request the private key in + find_named_certificate() when importing a raw signature + +--- + src/cms_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/cms_common.c b/src/cms_common.c +index 3b2e71a..642cc86 100644 +--- a/src/cms_common.c ++++ b/src/cms_common.c +@@ -498,7 +498,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert) + } + + SECStatus status; +- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { ++ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { + status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); + if (status != SECSuccess) { + PK11_DestroySlotListElement(slots, &psle); +-- +1.7.10.4 + diff --git a/pesign.changes b/pesign.changes index d028f15..a273d7b 100644 --- a/pesign.changes +++ b/pesign.changes 
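Review bot: The new condition `if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata))` in the added [PATCH 2/2] skips token authentication in find_named_certificate(), but the function then goes on to search that same slot for the named certificate (its body continues outside the hunk). That is fine where the token exposes certificate objects without a login; if a token only reveals its objects after login, the lookup will presumably now fail with a less specific NSS error than the authentication failure it replaced, which is worth a comment, e.g. `/* raw-signature import needs only the public cert; don't prompt for the token PIN */` above the condition. Neither the declaration of `privkey_unneeded` in cms_context nor the code that sets it on the import path is visible on this page, so I cannot confirm the flag is actually populated when this branch runs.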
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Feb 25 07:35:59 UTC 2013 - glin@suse.com + +- Update pesign-bnc805166-fix-signature-list.patch to skip the + unneeded private key request. (bnc#805166c#17) + ------------------------------------------------------------------- Sat Feb 23 04:47:48 UTC 2013 - jlee@suse.com diff --git a/pesign.spec b/pesign.spec index 76fe4b5..b02c2f6 100644 --- a/pesign.spec +++ b/pesign.spec @@ -16,7 +16,6 @@ # - Name: pesign Version: 0.99 Release: 0