diff --git a/pesign-allow-no-issuer-cert.patch b/pesign-allow-no-issuer-cert.patch new file mode 100644 index 0000000..0f0a0bf --- /dev/null +++ b/pesign-allow-no-issuer-cert.patch @@ -0,0 +1,44 @@ +From be564827927e9845b61807b1355467df9d8115e6 Mon Sep 17 00:00:00 2001 +From: Gary Ching-Pang Lin +Date: Mon, 4 Mar 2013 16:25:08 +0800 +Subject: [PATCH] Include the issuer's certificate only when available + +--- + src/cms_common.c | 2 +- + src/signed_data.c | 7 +------ + 2 files changed, 2 insertions(+), 7 deletions(-) + +diff --git a/src/cms_common.c b/src/cms_common.c +index 7cca21b..755dd31 100644 +--- a/src/cms_common.c ++++ b/src/cms_common.c +@@ -588,7 +588,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert) + if (!strcmp(node->cert->subjectName, name)) + break; + } +- if (!node) { ++ if (CERT_LIST_END(node,certlist)) { + PK11_DestroySlotListElement(slots, &psle); + PK11_FreeSlotList(slots); + CERT_DestroyCertList(certlist); +diff --git a/src/signed_data.c b/src/signed_data.c +index fc1d137..97bf8b5 100644 +--- a/src/signed_data.c ++++ b/src/signed_data.c +@@ -96,12 +96,7 @@ generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p) + CERTCertificate *signer = NULL; + int rc = find_named_certificate(cms, cms->cert->issuerName, + &signer); +- if (rc < 0) { +- PORT_ArenaRelease(cms->arena, mark); +- return -1; +- } +- +- if (signer) { ++ if (rc == 0 && signer) { + if (signer->derCert.len != cms->cert->derCert.len || + memcmp(signer->derCert.data, + cms->cert->derCert.data, +-- +1.7.10.4 + diff --git a/pesign-privkey_unneeded.diff b/pesign-privkey_unneeded.diff index bd2c693..5fed9f0 100644 --- a/pesign-privkey_unneeded.diff +++ b/pesign-privkey_unneeded.diff @@ -1,8 +1,8 @@ --- - src/cms_common.c | 10 +++++++++- + src/cms_common.c | 12 ++++++++++-- src/cms_common.h | 1 + src/pesign.c | 1 + - 3 files changed, 11 insertions(+), 1 deletion(-) + 3 files changed, 12 insertions(+), 2 deletions(-) --- a/src/cms_common.c +++ b/src/cms_common.c @@ -44,6 +44,15 @@ }; if (needs_private_key) { +@@ -562,7 +570,7 @@ find_named_certificate(cms_context *cms, + } + + SECStatus status; +- if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { ++ if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) { + status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata); + if (status != SECSuccess) { + PK11_DestroySlotListElement(slots, &psle); --- a/src/cms_common.h +++ b/src/cms_common.h @@ -63,6 +63,7 @@ typedef int (*cms_common_logger)(struct diff --git a/pesign.changes b/pesign.changes index 9f064e7..497123e 100644 --- a/pesign.changes +++ b/pesign.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Thu Jul 18 06:54:19 UTC 2013 - glin@suse.com + +- Add pesign-allow-no-issuer-cert.patch to avoid crash when the + issuer's certificate is not available + ------------------------------------------------------------------- Tue Jul 9 04:44:44 UTC 2013 - glin@suse.com diff --git a/pesign.spec b/pesign.spec index 83cd1fe..3895568 100644 --- a/pesign.spec +++ b/pesign.spec @@ -32,6 +32,8 @@ Patch2: pesign-fix-build-errors.patch Patch3: pesign-privkey_unneeded.diff # PATCH-FIX-UPSTREAM pesign-clear-padding-bits.patch glin@suse.com -- Clear the allocated space before inserting the certificate list Patch4: pesign-clear-padding-bits.patch +# PATCH-FIX-UPSTREAM pesign-allow-no-issuer-cert.patch glin@suse.com -- Don't crash if the issuer's certificate is not available +Patch5: pesign-allow-no-issuer-cert.patch BuildRequires: mozilla-nss-devel BuildRequires: pkg-config BuildRequires: popt-devel @@ -60,6 +62,7 @@ Authors: %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %build make OPTFLAGS="$RPM_OPT_FLAGS"