Accepting request 156290 from home:gary_lin:branches:Base:System

Update pesign-bnc805166-fix-signature-list.patch to skip the unneeded private key request. (bnc#805166c#17) OBS-URL: https://build.opensuse.org/request/show/156290 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign?expand=0&rev=12
2013-02-25 10:09:38 +00:00 · 2013-02-25 10:09:38 +00:00 · ed0b396886
commit ed0b396886
parent 0b5d673ec8
3 changed files with 175 additions and 128 deletions
--- a/pesign-bnc805166-fix-signature-list.patch
+++ b/pesign-bnc805166-fix-signature-list.patch
@ -1,8 +1,7 @@
-commit 63c6ad572b3c1a7041dc581072421c2c94ff5d35
-Author: Gary Ching-Pang Lin <chingpang@gmail.com>
-Date:   Fri Feb 22 15:13:08 2013 +0800
-
-    Backport patches to fix signature list
+From 4956251d79904be08c4012fa06c14434f8e706ed Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <chingpang@gmail.com>
+Date: Fri, 22 Feb 2013 15:13:08 +0800
+Subject: [PATCH 1/2] Backport patches to fix signature list

 Get cms_context out of wincert functions.
 ee357451be9968cedda57ce13b103eb82c590e67
@ -32,13 +31,28 @@ Date:   Fri Feb 22 15:13:08 2013 +0800
 8c3d82ceb5029bedfee1577682fec5ff3669ff3c

 Fix a casting problem on 32-bit.
-    
 9eb2814858270af2d7ecfbfa5ca131e7be2f9f53
+---
+ libdpe/pe_addcert.c    |    2 +-
+ libdpe/pe_updatefile.c |   13 ++++++-
+ src/actions.c          |   12 +------
+ src/actions.h          |    2 +-
+ src/cms_common.c       |   93 ++++++++++++++++++++++++++++++++++++++++++++++++
+ src/cms_common.h       |   32 ++++++++++++++++-
+ src/daemon.c           |    6 ++--
+ src/pesign.c           |   35 +++++++++++++++---
+ src/peverify.c         |    7 ++--
+ src/siglist.c          |   46 +++++++++++++++++++-----
+ src/siglist.h          |    3 +-
+ src/signed_data.c      |   53 +++++++++++++++++++++------
+ src/wincert.c          |   65 +++++++++++++++++++++++----------
+ src/wincert.h          |    8 +++--
+ 14 files changed, 312 insertions(+), 65 deletions(-)

-Index: pesign-0.99/libdpe/pe_addcert.c
-===================================================================
--- pesign-0.99.orig/libdpe/pe_addcert.c
-+++ pesign-0.99/libdpe/pe_addcert.c
+diff --git a/libdpe/pe_addcert.c b/libdpe/pe_addcert.c
+index e391242..b6ba969 100644
+--- a/libdpe/pe_addcert.c
+++ b/libdpe/pe_addcert.c
@@ -59,7 +59,7 @@ pe_alloccert(Pe *pe, size_t size)
 	memset(addr, '\0', size);
 
@ -48,10 +62,10 @@ Index: pesign-0.99/libdpe/pe_addcert.c
 
 #if 0
 	pe_set_image_size(pe);
-Index: pesign-0.99/libdpe/pe_updatefile.c
-===================================================================
--- pesign-0.99.orig/libdpe/pe_updatefile.c
-+++ pesign-0.99/libdpe/pe_updatefile.c
+diff --git a/libdpe/pe_updatefile.c b/libdpe/pe_updatefile.c
+index 7a29757..a8fe769 100644
+--- a/libdpe/pe_updatefile.c
+++ b/libdpe/pe_updatefile.c
@@ -24,6 +24,7 @@
 #include <sys/mman.h>
 
@ -60,7 +74,7 @@ Index: pesign-0.99/libdpe/pe_updatefile.c
 __get_last_section(Pe *pe)
 {
 	Pe_Scn *scn = NULL;
-@@ -79,6 +80,7 @@ compare_sections (const void *a, const v
+@@ -79,6 +80,7 @@ compare_sections (const void *a, const void *b)
 }
 
 static void
@ -86,10 +100,10 @@ Index: pesign-0.99/libdpe/pe_updatefile.c
 
 	return 0;
 }
-Index: pesign-0.99/src/actions.c
-===================================================================
--- pesign-0.99.orig/src/actions.c
-+++ pesign-0.99/src/actions.c
+diff --git a/src/actions.c b/src/actions.c
+index 9e4ac59..5c5dd89 100644
+--- a/src/actions.c
+++ b/src/actions.c
@@ -268,7 +268,7 @@ failure:
 	return ret;
 }
@ -108,7 +122,7 @@ Index: pesign-0.99/src/actions.c
 	ssize_t available = available_cert_space(ctx->outpe);
 
 	if (available < ctx->cms_ctx->newsig.len) {
-@@ -406,14 +404,6 @@ check_signature_space(pesign_context *ct
+@@ -406,14 +404,6 @@ check_signature_space(pesign_context *ctx)
 	}
 }
 
@ -123,11 +137,11 @@ Index: pesign-0.99/src/actions.c
 void
 allocate_signature_space(Pe *pe, ssize_t sigspace)
 {
-Index: pesign-0.99/src/actions.h
-===================================================================
--- pesign-0.99.orig/src/actions.h
-+++ pesign-0.99/src/actions.h
-@@ -28,12 +28,12 @@ extern int list_signatures(pesign_contex
+diff --git a/src/actions.h b/src/actions.h
+index 400876f..4ecaad8 100644
+--- a/src/actions.h
+++ b/src/actions.h
+@@ -28,12 +28,12 @@ extern int list_signatures(pesign_context *ctx);
 extern void check_signature_space(pesign_context *ctx);
 extern void allocate_signature_space(Pe *pe, ssize_t sigspace);
 extern off_t export_signature(cms_context *cms, int fd, int ascii_armor);
@ -141,11 +155,11 @@ Index: pesign-0.99/src/actions.h
 extern void insert_signature(cms_context *cms, int signum);
 
 #endif /* PESIGN_CRYPTO_H */
-Index: pesign-0.99/src/cms_common.c
-===================================================================
--- pesign-0.99.orig/src/cms_common.c
-+++ pesign-0.99/src/cms_common.c
-@@ -304,6 +304,17 @@ is_valid_cert(CERTCertificate *cert, voi
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 9ab2021..3b2e71a 100644
+--- a/src/cms_common.c
+++ b/src/cms_common.c
+@@ -304,6 +304,17 @@ is_valid_cert(CERTCertificate *cert, void *data)
 	return SECFailure;
 }
 
@ -163,15 +177,10 @@ Index: pesign-0.99/src/cms_common.c
 /* This is the dumbest function ever, but we need it anyway, because nss
  * is garbage. */
 static void
-@@ -443,6 +454,88 @@ err_slots:
+@@ -448,6 +459,88 @@ err_slots:
+ 	return 0;
+ }
 
- 	PK11_DestroySlotListElement(slots, &psle);
- 	PK11_FreeSlotList(slots);
-+	CERT_DestroyCertList(certlist);
-+
-+	return 0;
-+}
-+
 +int
 +find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
 +{
@ -249,13 +258,18 @@ Index: pesign-0.99/src/cms_common.c
 +
 +	PK11_DestroySlotListElement(slots, &psle);
 +	PK11_FreeSlotList(slots);
- 	CERT_DestroyCertList(certlist);
- 
- 	return 0;
-Index: pesign-0.99/src/cms_common.h
-===================================================================
--- pesign-0.99.orig/src/cms_common.h
-+++ pesign-0.99/src/cms_common.h
+	CERT_DestroyCertList(certlist);
+
+	return 0;
+}
+
+ static SEC_ASN1Template EmptySequenceTemplate[] = {
+ 	{
+ 	.kind = SEC_ASN1_SEQUENCE,
+diff --git a/src/cms_common.h b/src/cms_common.h
+index a3848cd..2b2d619 100644
+--- a/src/cms_common.h
+++ b/src/cms_common.h
@@ -19,9 +19,35 @@
 #ifndef CMS_COMMON_H
 #define CMS_COMMON_H 1
@ -293,7 +307,7 @@ Index: pesign-0.99/src/cms_common.h
 
 struct digest {
 	PK11Context *pk11ctx;
-@@ -109,6 +135,10 @@ extern int generate_digest(cms_context *
+@@ -109,6 +135,10 @@ extern int generate_digest(cms_context *cms, Pe *pe);
 extern int generate_signature(cms_context *ctx);
 extern int unlock_nss_token(cms_context *ctx);
 extern int find_certificate(cms_context *ctx);
@ -304,11 +318,11 @@ Index: pesign-0.99/src/cms_common.h
 
 extern SECOidTag digest_get_digest_oid(cms_context *cms);
 extern SECOidTag digest_get_encryption_oid(cms_context *cms);
-Index: pesign-0.99/src/daemon.c
-===================================================================
--- pesign-0.99.orig/src/daemon.c
-+++ pesign-0.99/src/daemon.c
-@@ -288,7 +288,8 @@ set_up_inpe(context *ctx, int fd, Pe **p
+diff --git a/src/daemon.c b/src/daemon.c
+index 4a9af87..92ae856 100644
+--- a/src/daemon.c
+++ b/src/daemon.c
+@@ -288,7 +288,8 @@ set_up_inpe(context *ctx, int fd, Pe **pe)
 		return -1;
 	}
 
@ -328,10 +342,10 @@ Index: pesign-0.99/src/daemon.c
 		pe_end(outpe);
 	} else {
 		if (ftruncate(outfd, 0) != 0) {
-Index: pesign-0.99/src/pesign.c
-===================================================================
--- pesign-0.99.orig/src/pesign.c
-+++ pesign-0.99/src/pesign.c
+diff --git a/src/pesign.c b/src/pesign.c
+index bfda33b..fcb2dca 100644
+--- a/src/pesign.c
+++ b/src/pesign.c
@@ -104,7 +104,8 @@ open_input(pesign_context *ctx)
 		exit(1);
 	}
@ -414,10 +428,10 @@ Index: pesign-0.99/src/pesign.c
 			close_output(ctxp);
 			break;
 		case DAEMONIZE:
-Index: pesign-0.99/src/peverify.c
-===================================================================
--- pesign-0.99.orig/src/peverify.c
-+++ pesign-0.99/src/peverify.c
+diff --git a/src/peverify.c b/src/peverify.c
+index 08aad27..e010d87 100644
+--- a/src/peverify.c
+++ b/src/peverify.c
@@ -55,9 +55,12 @@ open_input(peverify_context *ctx)
 		exit(1);
 	}
@ -433,10 +447,10 @@ Index: pesign-0.99/src/peverify.c
 		exit(1);
 	}
 }
-Index: pesign-0.99/src/siglist.c
-===================================================================
--- pesign-0.99.orig/src/siglist.c
-+++ pesign-0.99/src/siglist.c
+diff --git a/src/siglist.c b/src/siglist.c
+index 1a933e7..ca097e6 100644
+--- a/src/siglist.c
+++ b/src/siglist.c
@@ -17,11 +17,15 @@
  * Author(s): Peter Jones <pjones@redhat.com>
  */
@ -454,7 +468,7 @@ Index: pesign-0.99/src/siglist.c
 
 struct efi_signature_data {
 	efi_guid_t		SignatureOwner;
-@@ -135,7 +139,10 @@ signature_list_add_sig(signature_list *s
+@@ -135,7 +139,10 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner,
 	if (memcmp(&sl->SignatureType, &x509_guid, sizeof (efi_guid_t)) == 0) {
 		if (sigsize > sl->SignatureSize)
 			resize_entries(sl, sigsize);
@ -466,7 +480,7 @@ Index: pesign-0.99/src/siglist.c
 		return -1;
 	}
 
-@@ -162,11 +169,31 @@ signature_list_add_sig(signature_list *s
+@@ -162,11 +169,31 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner,
 	return 0;
 }
 
@ -475,7 +489,9 @@ Index: pesign-0.99/src/siglist.c
 +#if 0
 +int
 +signature_list_parse(signature_list *sl, uint8_t *data, size_t len)
-+{
+ {
+-	if (sl->realized)
+-		return sl->realized;
 +	if (!sl)
 +		return -1;
 +
@ -492,9 +508,7 @@ Index: pesign-0.99/src/siglist.c
 +
 +int
 +signature_list_realize(signature_list *sl, void **out, size_t *outsize)
- {
-	if (sl->realized)
-		return sl->realized;
+{
 +	if (sl->realized) {
 +		free(sl->realized);
 +		sl->realized = NULL;
@ -502,7 +516,7 @@ Index: pesign-0.99/src/siglist.c
 
 	struct efi_signature_list *esl = NULL;
 	uint32_t size = sizeof (*esl) +
-@@ -174,7 +201,7 @@ signature_list_realize(signature_list *s
+@@ -174,7 +201,7 @@ signature_list_realize(signature_list *sl)
 
 	void *ret = calloc(1, size);
 	if (!ret)
@ -511,7 +525,7 @@ Index: pesign-0.99/src/siglist.c
 	esl = ret;
 
 	memcpy(esl, sl, sizeof (*esl));
-@@ -186,7 +213,10 @@ signature_list_realize(signature_list *s
+@@ -186,7 +213,10 @@ signature_list_realize(signature_list *sl)
 	}
 
 	sl->realized = ret;
@ -523,11 +537,11 @@ Index: pesign-0.99/src/siglist.c
 }
 
 void
-Index: pesign-0.99/src/siglist.h
-===================================================================
--- pesign-0.99.orig/src/siglist.h
-+++ pesign-0.99/src/siglist.h
-@@ -24,7 +24,8 @@ typedef struct signature_list signature_
+diff --git a/src/siglist.h b/src/siglist.h
+index 2961a39..a576ffd 100644
+--- a/src/siglist.h
+++ b/src/siglist.h
+@@ -24,7 +24,8 @@ typedef struct signature_list signature_list;
 extern signature_list *signature_list_new(efi_guid_t SignatureType);
 extern int signature_list_add_sig(signature_list *sl, efi_guid_t owner,
 			uint8_t *sig, uint32_t sigsize);
@ -537,11 +551,11 @@ Index: pesign-0.99/src/siglist.h
 extern void signature_list_free(signature_list *sl);
 
 #endif /* SIGLIST_H */
-Index: pesign-0.99/src/signed_data.c
-===================================================================
--- pesign-0.99.orig/src/signed_data.c
-+++ pesign-0.99/src/signed_data.c
-@@ -76,20 +76,53 @@ static int
+diff --git a/src/signed_data.c b/src/signed_data.c
+index e676cb3..83957d6 100644
+--- a/src/signed_data.c
+++ b/src/signed_data.c
+@@ -76,20 +76,51 @@ static int
 generate_certificate_list(cms_context *cms, SECItem ***certificate_list_p)
 {
 	SECItem **certificates = NULL;
@ -561,7 +575,7 @@ Index: pesign-0.99/src/signed_data.c
 +	if (!certificates) {
 +		save_port_err(PORT_ArenaRelease(cms->arena, mark));
 +		cmsreterr(-1, cms, "could not allocate certificate list");
- 	}
+	}
 +	int i = 0;
 +
 +	certificates[i] = PORT_ArenaZAlloc(cms->arena, sizeof (SECItem));
@ -571,7 +585,6 @@ Index: pesign-0.99/src/signed_data.c
 +	}
 +	SECITEM_CopyItem(cms->arena, certificates[i++], &cms->cert->derCert);
 +
-+#if 0
 +	if (!is_issuer_of(cms->cert, cms->cert)) {
 +		CERTCertificate *signer = NULL;
 +		int rc = find_named_certificate(cms, cms->cert->issuerName,
@ -599,17 +612,16 @@ Index: pesign-0.99/src/signed_data.c
 +			}
 +			CERT_DestroyCertificate(signer);
 +		}
-+	}
-+#endif
+ 	}
 
 -	SECITEM_CopyItem(cms->arena, certificates[0], &cms->cert->derCert);
 	*certificate_list_p = certificates;
 	return 0;
 }
-Index: pesign-0.99/src/wincert.c
-===================================================================
--- pesign-0.99.orig/src/wincert.c
-+++ pesign-0.99/src/wincert.c
+diff --git a/src/wincert.c b/src/wincert.c
+index 4b5ba45..4197a87 100644
+--- a/src/wincert.c
+++ b/src/wincert.c
@@ -25,13 +25,13 @@ struct cert_list_entry {
 };
 
@ -628,7 +640,7 @@ Index: pesign-0.99/src/wincert.c
 	}
 
 	uint8_t *data = malloc(cl_size);
-@@ -41,15 +41,15 @@ generate_cert_list(cms_context *cms, voi
+@@ -41,15 +41,15 @@ generate_cert_list(cms_context *cms, void **cert_list,
 	*cert_list = (void *)data;
 	*cert_list_size = cl_size;
 
@ -649,7 +661,7 @@ Index: pesign-0.99/src/wincert.c
 	}
 
 	return 0;
-@@ -62,12 +62,13 @@ implant_cert_list(Pe *pe, void *cert_lis
+@@ -62,12 +62,13 @@ implant_cert_list(Pe *pe, void *cert_list, size_t cert_list_size)
 }
 
 int
@ -734,7 +746,7 @@ Index: pesign-0.99/src/wincert.c
 {
 	cert_iter iter;
 	int rc = cert_iter_init(&iter, pe);
-@@ -238,8 +267,8 @@ parse_signatures(cms_context *cms, Pe *p
+@@ -238,8 +267,8 @@ parse_signatures(cms_context *cms, Pe *pe)
 	}
 
 	if (nsigs == 0) {
@ -745,7 +757,7 @@ Index: pesign-0.99/src/wincert.c
 		return 0;
 	}
 
-@@ -271,8 +300,8 @@ parse_signatures(cms_context *cms, Pe *p
+@@ -271,8 +300,8 @@ parse_signatures(cms_context *cms, Pe *pe)
 		i++;
 	}
 
@ -756,10 +768,10 @@ Index: pesign-0.99/src/wincert.c
 
 	return 0;
 err:
-Index: pesign-0.99/src/wincert.h
-===================================================================
--- pesign-0.99.orig/src/wincert.h
-+++ pesign-0.99/src/wincert.h
+diff --git a/src/wincert.h b/src/wincert.h
+index 4309915..ed7e15c 100644
+--- a/src/wincert.h
+++ b/src/wincert.h
@@ -32,8 +32,6 @@ typedef struct win_certificate {
 	uint16_t cert_type;
 } win_certificate;
@ -769,7 +781,7 @@ Index: pesign-0.99/src/wincert.h
 typedef struct cert_iter {
 	Pe *pe;
 	off_t n;
-@@ -45,6 +43,10 @@ extern int cert_iter_init(cert_iter *ite
+@@ -45,6 +43,10 @@ extern int cert_iter_init(cert_iter *iter, Pe *pe);
 extern int next_cert(cert_iter *iter, void **cert, ssize_t *cert_size);
 extern ssize_t available_cert_space(Pe *pe);
 extern ssize_t calculate_signature_space(cms_context *cms, Pe *pe);
@ -781,3 +793,33 @@ Index: pesign-0.99/src/wincert.h
 +
 
 #endif /* PESIGN_WINCERT_H */
+-- 
+1.7.10.4
+
+
+From 8d86f6db19be98538fd5397a9de5f7d06733746e Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin <chingpang@gmail.com>
+Date: Mon, 25 Feb 2013 10:43:09 +0800
+Subject: [PATCH 2/2] Don't request the private key in
+ find_named_certificate() when importing a raw signature
+
+---
+ src/cms_common.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 3b2e71a..642cc86 100644
+--- a/src/cms_common.c
+++ b/src/cms_common.c
+@@ -498,7 +498,7 @@ find_named_certificate(cms_context *cms, char *name, CERTCertificate **cert)
+ 	}
+ 
+ 	SECStatus status;
+-	if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
+	if (!cms->privkey_unneeded && PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, pwdata)) {
+ 		status = PK11_Authenticate(psle->slot, PR_TRUE, pwdata);
+ 		if (status != SECSuccess) {
+ 			PK11_DestroySlotListElement(slots, &psle);
+-- 
+1.7.10.4
+
--- a/pesign.changes
+++ b/pesign.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Feb 25 07:35:59 UTC 2013 - glin@suse.com
+
+- Update pesign-bnc805166-fix-signature-list.patch to skip the
+  unneeded private key request. (bnc#805166c#17)
+
 -------------------------------------------------------------------
 Sat Feb 23 04:47:48 UTC 2013 - jlee@suse.com

--- a/pesign.spec
+++ b/pesign.spec
@ -16,7 +16,6 @@
 #


-
 Name:           pesign
 Version:        0.99
 Release:        0