ZhuningOS/p11-kit
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Initialize for p11-kit

Browse source
This commit is contained in:
zyppe 2024-02-28 21:54:07 +08:00
commit dfe752b6be
20 changed files with 2154 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored Normal file
View file

@ -0,0 +1 @@
p11-kit-0.23.22.tar.xz

1
.p11-kit.metadata Normal file
View file

@ -0,0 +1 @@
c92e10ce38901277a72a6e7c42a47f37a602593d4f8db42eb49a2b74d9277347 p11-kit-0.23.22.tar.xz

325
0001-Add-IBM-specific-mechanism-and-attributes.patch Normal file
View file

@ -0,0 +1,325 @@
From ad66cbc52bf83ba58c43ef13169f577f7f8b172d Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 7 Apr 2022 16:22:43 +0200
Subject: [PATCH 01/11] Add IBM specific mechanism and attributes
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
common/attrs.c | 17 +++++++++
common/constants.c | 38 +++++++++++++++++++
common/pkcs11x.h | 51 +++++++++++++++++++++++++
p11-kit/rpc-message.c | 86 ++++++++++++++++++++++++++++++++++++++++++-
p11-kit/rpc-message.h | 12 ++++++
5 files changed, 203 insertions(+), 1 deletion(-)
diff --git a/common/attrs.c b/common/attrs.c
index ad233f4..9ce7c66 100644
--- a/common/attrs.c
+++ b/common/attrs.c
@@ -709,6 +709,23 @@ attribute_is_sensitive (const CK_ATTRIBUTE *attr,
X (CKA_TRUST_STEP_UP_APPROVED)
X (CKA_CERT_SHA1_HASH)
X (CKA_CERT_MD5_HASH)
+ X (CKA_IBM_OPAQUE)
+ X (CKA_IBM_RESTRICTABLE)
+ X (CKA_IBM_NEVER_MODIFIABLE)
+ X (CKA_IBM_RETAINKEY)
+ X (CKA_IBM_ATTRBOUND)
+ X (CKA_IBM_KEYTYPE)
+ X (CKA_IBM_CV)
+ X (CKA_IBM_MACKEY)
+ X (CKA_IBM_USE_AS_DATA)
+ X (CKA_IBM_STRUCT_PARAMS)
+ X (CKA_IBM_STD_COMPLIANCE1)
+ X (CKA_IBM_PROTKEY_EXTRACTABLE)
+ X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE)
+ X (CKA_IBM_OPAQUE_PKEY)
+ X (CKA_IBM_DILITHIUM_KEYFORM)
+ X (CKA_IBM_DILITHIUM_RHO)
+ X (CKA_IBM_DILITHIUM_T1)
case CKA_VALUE:
return (klass != CKO_CERTIFICATE &&
klass != CKO_X_CERTIFICATE_EXTENSION);
diff --git a/common/constants.c b/common/constants.c
index 2b785b8..672ed29 100644
--- a/common/constants.c
+++ b/common/constants.c
@@ -141,6 +141,28 @@ const p11_constant p11_constant_types[] = {
CT (CKA_WRAP_TEMPLATE, "wrap-template")
CT (CKA_UNWRAP_TEMPLATE, "unwrap-template")
CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms")
+ CT (CKA_IBM_OPAQUE, "ibm-opaque")
+ CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable")
+ CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable")
+ CT (CKA_IBM_RETAINKEY, "ibm-retainkey")
+ CT (CKA_IBM_ATTRBOUND, "ibm-attrbound")
+ CT (CKA_IBM_KEYTYPE, "ibm-keytype")
+ CT (CKA_IBM_CV, "ibm-cv")
+ CT (CKA_IBM_MACKEY, "ibm-mackey")
+ CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data")
+ CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params")
+ CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1")
+ CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable")
+ CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable")
+ CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform")
+ CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho")
+ CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed")
+ CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr")
+ CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1")
+ CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2")
+ CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0")
+ CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1")
+ CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey")
CT (CKA_NSS_URL, "nss-url")
CT (CKA_NSS_EMAIL, "nss-email")
CT (CKA_NSS_SMIME_INFO, "nss-smime-constant")
@@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] = {
CT (CKK_AES, "aes")
CT (CKK_BLOWFISH, "blowfish")
CT (CKK_TWOFISH, "twofish")
+ CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium")
CT (CKK_NSS_PKCS8, "nss-pkcs8")
{ CKA_INVALID },
};
@@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanisms[] = {
CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen")
CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen")
CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen")
+ CT (CKM_IBM_SHA3_224, "ibm-sha3-224")
+ CT (CKM_IBM_SHA3_256, "ibm-sha3-256")
+ CT (CKM_IBM_SHA3_384, "ibm-sha3-384")
+ CT (CKM_IBM_SHA3_512, "ibm-sha3-512")
+ CT (CKM_IBM_CMAC, "ibm-cmac")
+ CT (CKM_IBM_EC_X25519, "ibm-ec-x25519")
+ CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512")
+ CT (CKM_IBM_EC_X448, "ibm-ec-x448")
+ CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3")
+ CT (CKM_IBM_DILITHIUM, "ibm-dilithium")
+ CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac")
+ CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac")
+ CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac")
+ CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac")
+ CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap")
{ CKA_INVALID },
};
diff --git a/common/pkcs11x.h b/common/pkcs11x.h
index 3b12db6..4183b3d 100644
--- a/common/pkcs11x.h
+++ b/common/pkcs11x.h
@@ -181,6 +181,57 @@ typedef CK_ULONG CK_TRUST;
#endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */
+/* Define this if you want the IBM specific symbols */
+#define CRYPTOKI_IBM_VENDOR_DEFINED 1
+#ifdef CRYPTOKI_IBM_VENDOR_DEFINED
+
+#define CKK_IBM_PQC_DILITHIUM CKK_VENDOR_DEFINED + 0x10023
+
+#define CKA_IBM_OPAQUE (CKA_VENDOR_DEFINED + 1)
+#define CKA_IBM_RESTRICTABLE (CKA_VENDOR_DEFINED + 0x10001)
+#define CKA_IBM_NEVER_MODIFIABLE (CKA_VENDOR_DEFINED + 0x10002)
+#define CKA_IBM_RETAINKEY (CKA_VENDOR_DEFINED + 0x10003)
+#define CKA_IBM_ATTRBOUND (CKA_VENDOR_DEFINED + 0x10004)
+#define CKA_IBM_KEYTYPE (CKA_VENDOR_DEFINED + 0x10005)
+#define CKA_IBM_CV (CKA_VENDOR_DEFINED + 0x10006)
+#define CKA_IBM_MACKEY (CKA_VENDOR_DEFINED + 0x10007)
+#define CKA_IBM_USE_AS_DATA (CKA_VENDOR_DEFINED + 0x10008)
+#define CKA_IBM_STRUCT_PARAMS (CKA_VENDOR_DEFINED + 0x10009)
+#define CKA_IBM_STD_COMPLIANCE1 (CKA_VENDOR_DEFINED + 0x1000a)
+#define CKA_IBM_PROTKEY_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000c)
+#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000d)
+#define CKA_IBM_DILITHIUM_KEYFORM (CKA_VENDOR_DEFINED + 0xd0001)
+#define CKA_IBM_DILITHIUM_RHO (CKA_VENDOR_DEFINED + 0xd0002)
+#define CKA_IBM_DILITHIUM_SEED (CKA_VENDOR_DEFINED + 0xd0003)
+#define CKA_IBM_DILITHIUM_TR (CKA_VENDOR_DEFINED + 0xd0004)
+#define CKA_IBM_DILITHIUM_S1 (CKA_VENDOR_DEFINED + 0xd0005)
+#define CKA_IBM_DILITHIUM_S2 (CKA_VENDOR_DEFINED + 0xd0006)
+#define CKA_IBM_DILITHIUM_T0 (CKA_VENDOR_DEFINED + 0xd0007)
+#define CKA_IBM_DILITHIUM_T1 (CKA_VENDOR_DEFINED + 0xd0008)
+#define CKA_IBM_OPAQUE_PKEY (CKA_VENDOR_DEFINED + 0xd0100)
+
+#define CKM_IBM_SHA3_224 (CKM_VENDOR_DEFINED + 0x10001)
+#define CKM_IBM_SHA3_256 (CKM_VENDOR_DEFINED + 0x10002)
+#define CKM_IBM_SHA3_384 (CKM_VENDOR_DEFINED + 0x10003)
+#define CKM_IBM_SHA3_512 (CKM_VENDOR_DEFINED + 0x10004)
+#define CKM_IBM_CMAC (CKM_VENDOR_DEFINED + 0x10007)
+#define CKM_IBM_EC_X25519 (CKM_VENDOR_DEFINED + 0x1001b)
+#define CKM_IBM_ED25519_SHA512 (CKM_VENDOR_DEFINED + 0x1001c)
+#define CKM_IBM_EC_X448 (CKM_VENDOR_DEFINED + 0x1001e)
+#define CKM_IBM_ED448_SHA3 (CKM_VENDOR_DEFINED + 0x1001f)
+#define CKM_IBM_DILITHIUM (CKM_VENDOR_DEFINED + 0x10023)
+#define CKM_IBM_SHA3_224_HMAC (CKM_VENDOR_DEFINED + 0x10025)
+#define CKM_IBM_SHA3_256_HMAC (CKM_VENDOR_DEFINED + 0x10026)
+#define CKM_IBM_SHA3_384_HMAC (CKM_VENDOR_DEFINED + 0x10027)
+#define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028)
+#define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004)
+
+typedef struct CK_IBM_ATTRIBUTEBOUND_WRAP {
+ CK_OBJECT_HANDLE hSignVerifyKey;
+} CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS;
+
+#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */
+
#if defined(__cplusplus)
}
#endif
diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
index 8dfa30b..0923224 100644
--- a/p11-kit/rpc-message.c
+++ b/p11-kit/rpc-message.c
@@ -800,6 +800,13 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
case CKA_RESET_ON_INIT:
case CKA_HAS_RESET:
case CKA_COLOR:
+ case CKA_IBM_RESTRICTABLE:
+ case CKA_IBM_NEVER_MODIFIABLE:
+ case CKA_IBM_RETAINKEY:
+ case CKA_IBM_ATTRBOUND:
+ case CKA_IBM_USE_AS_DATA:
+ case CKA_IBM_PROTKEY_EXTRACTABLE:
+ case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE:
return P11_RPC_VALUE_BYTE;
case CKA_CLASS:
case CKA_CERTIFICATE_TYPE:
@@ -821,6 +828,9 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
case CKA_CHAR_COLUMNS:
case CKA_BITS_PER_PIXEL:
case CKA_MECHANISM_TYPE:
+ case CKA_IBM_DILITHIUM_KEYFORM:
+ case CKA_IBM_STD_COMPLIANCE1:
+ case CKA_IBM_KEYTYPE:
return P11_RPC_VALUE_ULONG;
case CKA_WRAP_TEMPLATE:
case CKA_UNWRAP_TEMPLATE:
@@ -869,6 +879,18 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
case CKA_REQUIRED_CMS_ATTRIBUTES:
case CKA_DEFAULT_CMS_ATTRIBUTES:
case CKA_SUPPORTED_CMS_ATTRIBUTES:
+ case CKA_IBM_OPAQUE:
+ case CKA_IBM_CV:
+ case CKA_IBM_MACKEY:
+ case CKA_IBM_STRUCT_PARAMS:
+ case CKA_IBM_OPAQUE_PKEY:
+ case CKA_IBM_DILITHIUM_RHO:
+ case CKA_IBM_DILITHIUM_SEED:
+ case CKA_IBM_DILITHIUM_TR:
+ case CKA_IBM_DILITHIUM_S1:
+ case CKA_IBM_DILITHIUM_S2:
+ case CKA_IBM_DILITHIUM_T0:
+ case CKA_IBM_DILITHIUM_T1:
return P11_RPC_VALUE_BYTE_ARRAY;
}
}
@@ -1406,9 +1428,59 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value (p11_buffer *buffer,
return true;
}
+void
+p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
+
+ /* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */
+ if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&params, value, value_length);
+
+ /* Check if params.hSignVerifyKey can be converted to uint64_t. */
+ if (params.hSignVerifyKey > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey);
+}
+
+bool
+p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+
+ if (value) {
+ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params;
+
+ params.hSignVerifyKey = val;
+
+ memcpy (value, &params, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS);
+
+ return true;
+}
+
static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
- { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }
+ { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value },
+ { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }
};
static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = {
@@ -1533,6 +1605,18 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech)
case CKM_RIPEMD160:
case CKM_RIPEMD160_HMAC:
case CKM_KEY_WRAP_LYNKS:
+ case CKM_IBM_SHA3_224:
+ case CKM_IBM_SHA3_256:
+ case CKM_IBM_SHA3_384:
+ case CKM_IBM_SHA3_512:
+ case CKM_IBM_CMAC:
+ case CKM_IBM_DILITHIUM:
+ case CKM_IBM_SHA3_224_HMAC:
+ case CKM_IBM_SHA3_256_HMAC:
+ case CKM_IBM_SHA3_384_HMAC:
+ case CKM_IBM_SHA3_512_HMAC:
+ case CKM_IBM_ED25519_SHA512:
+ case CKM_IBM_ED448_SHA3:
return true;
default:
return false;
diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
index 62e7b18..eec2927 100644
--- a/p11-kit/rpc-message.h
+++ b/p11-kit/rpc-message.h
@@ -42,6 +42,7 @@
#include "buffer.h"
#include "pkcs11.h"
+#include "pkcs11x.h"
/* The calls, must be in sync with array below */
enum {
@@ -479,4 +480,15 @@ bool p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value
void *value,
CK_ULONG *value_length);
+void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
#endif /* _RPC_MESSAGE_H */
--
2.38.1

136
0002-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch Normal file
View file

@ -0,0 +1,136 @@
From d23b8a60a1944a9e25d5e47ead16185a39111b51 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 7 Apr 2022 17:10:53 +0200
Subject: [PATCH 02/11] Add support for serializing CK_ECDH1_DERIVE_PARAMS mech
param
Used by CKM_ECDH1_DERIVE, CKM_IBM_EC_X25519 and CKM_IBM_EC_X448.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
p11-kit/rpc-message.c | 79 ++++++++++++++++++++++++++++++++++++++++++-
p11-kit/rpc-message.h | 11 ++++++
2 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
index 0923224..d842df0 100644
--- a/p11-kit/rpc-message.c
+++ b/p11-kit/rpc-message.c
@@ -1428,6 +1428,80 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value (p11_buffer *buffer,
return true;
}
+void
+p11_rpc_buffer_add_ecdh1_derive_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_ECDH1_DERIVE_PARAMS params;
+
+ /* Check if value can be converted to CK_ECDH1_DERIVE_PARAMS. */
+ if (value_length != sizeof (CK_ECDH1_DERIVE_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&params, value, value_length);
+
+ /* Check if params.kdf can be converted to uint64_t. */
+ if (params.kdf > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_uint64 (buffer, params.kdf);
+
+ /* parmas.shared_data can only be an array of CK_BYTE or
+ * NULL */
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.shared_data,
+ params.shared_data_len);
+
+ /* parmas.public_data can only be an array of CK_BYTE or
+ * NULL */
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.public_data,
+ params.public_data_len);
+}
+
+bool
+p11_rpc_buffer_get_ecdh1_derive_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+ const unsigned char *data1, *data2;
+ size_t len1, len2;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1))
+ return false;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2))
+ return false;
+
+
+ if (value) {
+ CK_ECDH1_DERIVE_PARAMS params;
+
+ params.kdf = val;
+ params.shared_data = (void *) data1;
+ params.shared_data_len = len1;
+ params.public_data = (void *) data2;
+ params.public_data_len = len2;
+
+ memcpy (value, &params, sizeof (CK_ECDH1_DERIVE_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_ECDH1_DERIVE_PARAMS);
+
+ return true;
+}
+
void
p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
const void *value,
@@ -1480,7 +1554,10 @@ p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
{ CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value },
- { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }
+ { CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
+ { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value },
+ { CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
+ { CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
};
static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = {
diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
index eec2927..66f512d 100644
--- a/p11-kit/rpc-message.h
+++ b/p11-kit/rpc-message.h
@@ -480,6 +480,17 @@ bool p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value
void *value,
CK_ULONG *value_length);
+void p11_rpc_buffer_add_ecdh1_derive_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_ecdh1_derive_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value
(p11_buffer *buffer,
const void *value,
--
2.38.1

26
0003-client-Allow-zero-part-length-at-C_SignUpdate.patch Normal file
View file

@ -0,0 +1,26 @@
From e23948fa491680822177d4428e39866c866fbc64 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 8 Apr 2022 08:47:31 +0200
Subject: [PATCH 03/11] client: Allow zero part length at C_SignUpdate
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
p11-kit/rpc-client.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
index a72c1d1..550ebd2 100644
--- a/p11-kit/rpc-client.c
+++ b/p11-kit/rpc-client.c
@@ -1489,8 +1489,6 @@ rpc_C_SignUpdate (CK_X_FUNCTION_LIST *self,
CK_BYTE_PTR part,
CK_ULONG part_len)
{
- return_val_if_fail (part_len, CKR_ARGUMENTS_BAD);
-
BEGIN_CALL_OR (C_SignUpdate, self, CKR_SESSION_HANDLE_INVALID);
IN_ULONG (session);
IN_BYTE_ARRAY (part, part_len);
--
2.38.1

25
0004-Fix-support-of-CKA_DERIVE_TEMPLATE.patch Normal file
View file

@ -0,0 +1,25 @@
From c12d7c858728ebeb2db6e450f21895c419f0fe04 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 8 Apr 2022 09:35:54 +0200
Subject: [PATCH 04/11] Fix support of CKA_DERIVE_TEMPLATE
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
p11-kit/rpc-message.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
index d842df0..cedda03 100644
--- a/p11-kit/rpc-message.c
+++ b/p11-kit/rpc-message.c
@@ -834,6 +834,7 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type)
return P11_RPC_VALUE_ULONG;
case CKA_WRAP_TEMPLATE:
case CKA_UNWRAP_TEMPLATE:
+ case CKA_DERIVE_TEMPLATE:
return P11_RPC_VALUE_ATTRIBUTE_ARRAY;
case CKA_ALLOWED_MECHANISMS:
return P11_RPC_VALUE_MECHANISM_TYPE_ARRAY;
--
2.38.1

77
0005-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch Normal file
View file

@ -0,0 +1,77 @@
From 153d9df0592c78481c4203e138aef109b06ec1b9 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 8 Apr 2022 10:39:38 +0200
Subject: [PATCH 05/11] Add other SHA variants, also for RSA and EC signatures
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
p11-kit/rpc-message.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
index cedda03..40a4d9f 100644
--- a/p11-kit/rpc-message.c
+++ b/p11-kit/rpc-message.c
@@ -1554,6 +1554,11 @@ p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA224_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA256_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA384_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
+ { CKM_SHA512_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
{ CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value },
{ CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
{ CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value },
@@ -1603,6 +1608,7 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech)
case CKM_MD2_RSA_PKCS:
case CKM_MD5_RSA_PKCS:
case CKM_SHA1_RSA_PKCS:
+ case CKM_SHA224_RSA_PKCS:
case CKM_SHA256_RSA_PKCS:
case CKM_SHA384_RSA_PKCS:
case CKM_SHA512_RSA_PKCS:
@@ -1617,6 +1623,10 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech)
case CKM_EC_KEY_PAIR_GEN:
case CKM_ECDSA:
case CKM_ECDSA_SHA1:
+ case CKM_ECDSA_SHA224:
+ case CKM_ECDSA_SHA256:
+ case CKM_ECDSA_SHA384:
+ case CKM_ECDSA_SHA512:
case CKM_DH_PKCS_KEY_PAIR_GEN:
case CKM_DH_PKCS_PARAMETER_GEN:
case CKM_X9_42_DH_KEY_PAIR_GEN:
@@ -1671,12 +1681,28 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech)
case CKM_MD5_HMAC:
case CKM_SHA_1:
case CKM_SHA_1_HMAC:
+ case CKM_SHA1_KEY_DERIVATION:
+ case CKM_SHA224:
+ case CKM_SHA224_HMAC:
+ case CKM_SHA224_KEY_DERIVATION:
case CKM_SHA256:
case CKM_SHA256_HMAC:
+ case CKM_SHA256_KEY_DERIVATION:
case CKM_SHA384:
case CKM_SHA384_HMAC:
+ case CKM_SHA384_KEY_DERIVATION:
case CKM_SHA512:
case CKM_SHA512_HMAC:
+ case CKM_SHA512_KEY_DERIVATION:
+ case CKM_SHA512_T:
+ case CKM_SHA512_T_HMAC:
+ case CKM_SHA512_T_KEY_DERIVATION:
+ case CKM_SHA512_224:
+ case CKM_SHA512_224_HMAC:
+ case CKM_SHA512_224_KEY_DERIVATION:
+ case CKM_SHA512_256:
+ case CKM_SHA512_256_HMAC:
+ case CKM_SHA512_256_KEY_DERIVATION:
case CKM_FASTHASH:
case CKM_RIPEMD128:
case CKM_RIPEMD128_HMAC:
--
2.38.1

156
0006-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch Normal file
View file

@ -0,0 +1,156 @@
From 1e86da126a191ec5b010ef86c6cfa15721a9bd0d Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 8 Apr 2022 12:36:51 +0200
Subject: [PATCH 06/11] Add support for missing AES and DES/DES3 mechanisms
They take a 16 byte (AES) or 8 byte (DES/DES3) IV as mechanism parameter.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
p11-kit/rpc-message.c | 95 +++++++++++++++++++++++++++++++++++++++++++
p11-kit/rpc-message.h | 18 ++++++++
2 files changed, 113 insertions(+)
diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
index 40a4d9f..a574911 100644
--- a/p11-kit/rpc-message.c
+++ b/p11-kit/rpc-message.c
@@ -1552,6 +1552,86 @@ p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer,
return true;
}
+void
+p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ /* Check if value can be converted to an AES IV. */
+ if (value_length != 16) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)value,
+ value_length);
+}
+
+bool
+p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ const unsigned char *data;
+ size_t len;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
+ return false;
+
+ if (len != 16)
+ return false;
+
+ if (value)
+ memcpy (value, data, len);
+
+ if (value_length)
+ *value_length = len;
+
+ return true;
+}
+
+void
+p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ /* Check if value can be converted to an DES IV. */
+ if (value_length != 8) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)value,
+ value_length);
+}
+
+bool
+p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ const unsigned char *data;
+ size_t len;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
+ return false;
+
+ if (len != 8)
+ return false;
+
+ if (value)
+ memcpy (value, data, len);
+
+ if (value_length)
+ *value_length = len;
+
+ return true;
+}
+
static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
{ CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
@@ -1564,6 +1644,21 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value },
{ CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
{ CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value },
+ { CKM_AES_CBC, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CBC_PAD, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_OFB, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CFB1, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CFB8, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES3_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
};
static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = {
diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
index 66f512d..8c8119d 100644
--- a/p11-kit/rpc-message.h
+++ b/p11-kit/rpc-message.h
@@ -502,4 +502,22 @@ bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value
void *value,
CK_ULONG *value_length);
+void p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
+void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
#endif /* _RPC_MESSAGE_H */
--
2.38.1

128
0007-Add-support-for-MAC-and-HMAC-general-mechanisms.patch Normal file
View file

@ -0,0 +1,128 @@
From 1f46d537a1924f3d7af833d8b079b45d79d02ac0 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 8 Apr 2022 13:02:41 +0200
Subject: [PATCH 07/11] Add support for MAC and HMAC general mechanisms
The take a mechanism parameter of type CK_MAC_GENERAL_PARAMS which
is a CK_ULONG.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
p11-kit/rpc-message.c | 59 +++++++++++++++++++++++++++++++++++++++++++
p11-kit/rpc-message.h | 11 ++++++++
2 files changed, 70 insertions(+)
diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
index a574911..5159d98 100644
--- a/p11-kit/rpc-message.c
+++ b/p11-kit/rpc-message.c
@@ -1632,6 +1632,52 @@ p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer,
return true;
}
+void
+p11_rpc_buffer_add_mac_general_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_ULONG val;
+ uint64_t params;
+
+ /*
+ * Check if value can be converted to an CK_MAC_GENERAL_PARAMS which
+ * is a CK_ULONG.
+ */
+ if (value_length != sizeof (CK_ULONG)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&val, value, value_length);
+ params = val;
+
+ p11_rpc_buffer_add_uint64 (buffer, params);
+}
+
+bool
+p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+ CK_ULONG params;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+
+ params = val;
+
+ if (value)
+ memcpy (value, &params, sizeof (params));
+
+ if (value_length)
+ *value_length = sizeof (params);
+
+ return true;
+}
+
static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
{ CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
@@ -1659,6 +1705,17 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
{ CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
{ CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
+ { CKM_SHA_1_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA384_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA512_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA512_224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_SHA512_256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_AES_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
};
static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = {
@@ -1735,6 +1792,7 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech)
case CKM_AES_KEY_GEN:
case CKM_AES_ECB:
case CKM_AES_MAC:
+ case CKM_AES_CMAC:
case CKM_DES_KEY_GEN:
case CKM_DES2_KEY_GEN:
case CKM_DES3_KEY_GEN:
@@ -1760,6 +1818,7 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech)
case CKM_RC2_MAC:
case CKM_DES_MAC:
case CKM_DES3_MAC:
+ case CKM_DES3_CMAC:
case CKM_CDMF_MAC:
case CKM_CAST_MAC:
case CKM_CAST3_MAC:
diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
index 8c8119d..5ae09e5 100644
--- a/p11-kit/rpc-message.h
+++ b/p11-kit/rpc-message.h
@@ -520,4 +520,15 @@ bool p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer,
void *value,
CK_ULONG *value_length);
+void p11_rpc_buffer_add_mac_general_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_mac_general_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
#endif /* _RPC_MESSAGE_H */
--
2.38.1

95
0008-Add-support-for-CKM_DH_PKCS_DERIVE.patch Normal file
View file

@ -0,0 +1,95 @@
From 25c7661eb8ae1f60aa0d1d995ac4addc456d33b9 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 8 Apr 2022 13:38:44 +0200
Subject: [PATCH 08/11] Add support for CKM_DH_PKCS_DERIVE
It takes the the public value of the other party as mechanism parameter.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
p11-kit/rpc-message.c | 41 +++++++++++++++++++++++++++++++++++++++++
p11-kit/rpc-message.h | 11 +++++++++++
2 files changed, 52 insertions(+)
diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
index 5159d98..c3f1dbb 100644
--- a/p11-kit/rpc-message.c
+++ b/p11-kit/rpc-message.c
@@ -1678,6 +1678,46 @@ p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer,
return true;
}
+void
+p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ /* Mechanism parameter is public value of the other party */
+ if (value_length == 0) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)value,
+ value_length);
+}
+
+bool
+p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ const unsigned char *data;
+ size_t len;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
+ return false;
+
+ if (len == 0)
+ return false;
+
+ if (value)
+ memcpy (value, data, len);
+
+ if (value_length)
+ *value_length = len;
+
+ return true;
+}
+
static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
{ CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value },
@@ -1716,6 +1756,7 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
{ CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
{ CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value },
+ { CKM_DH_PKCS_DERIVE, p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value, p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value },
};
static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = {
diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
index 5ae09e5..6c8eaf3 100644
--- a/p11-kit/rpc-message.h
+++ b/p11-kit/rpc-message.h
@@ -531,4 +531,15 @@ bool p11_rpc_buffer_get_mac_general_mechanism_value
void *value,
CK_ULONG *value_length);
+void p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value
+ (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value
+ (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
#endif /* _RPC_MESSAGE_H */
--
2.38.1

73
0009-rpc-Handle-special-cases-for-buffer-and-length.patch Normal file
View file

@ -0,0 +1,73 @@
From e192374d08d5fbbfabad3fbe8913e775fbb8629e Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Fri, 8 Apr 2022 14:39:35 +0200
Subject: [PATCH 09/11] rpc: Handle special cases for buffer and length
When the buffer is not NULL, but the length is zero then treat this as an
empty message. Serialize this in a special way so that the server can
restore the same situation.
Example: Terminate an operation via C_XxxFinal, but there is no more
data for the final part. A call to C_XxxFinal with buffer=NULL and length=0
would be treated as a size query, and would not terminate the operation.
So the way to terminate the operation without more data is to specify
buffer!=NULL but length=0.
When sending a byte array, and the buffer is NULL, and the length is
zero, don't treat this is invalid, but as empty message.
Example: C_XxxUpdate with an empty message.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
p11-kit/rpc-client.c | 2 +-
p11-kit/rpc-message.c | 2 +-
p11-kit/rpc-server.c | 6 ++++++
3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c
index 550ebd2..a6816ea 100644
--- a/p11-kit/rpc-client.c
+++ b/p11-kit/rpc-client.c
@@ -570,7 +570,7 @@ proto_read_sesssion_info (p11_rpc_message *msg,
#define IN_BYTE_BUFFER(arr, len) \
if (len == NULL) \
{ _ret = CKR_ARGUMENTS_BAD; goto _cleanup; } \
- if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? *len : 0)) \
+ if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? (*len > 0 ? *len : (uint32_t)-1) : 0)) \
{ _ret = CKR_HOST_MEMORY; goto _cleanup; }
#define IN_BYTE_ARRAY(arr, len) \
diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
index c3f1dbb..960b218 100644
--- a/p11-kit/rpc-message.c
+++ b/p11-kit/rpc-message.c
@@ -372,7 +372,7 @@ p11_rpc_message_write_byte_array (p11_rpc_message *msg,
assert (!msg->signature || p11_rpc_message_verify_part (msg, "ay"));
/* No array, no data, just length */
- if (!arr) {
+ if (!arr && num != 0) {
p11_rpc_buffer_add_byte (msg->output, 0);
p11_rpc_buffer_add_uint32 (msg->output, num);
} else {
diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c
index dfdb76d..fb71ed9 100644
--- a/p11-kit/rpc-server.c
+++ b/p11-kit/rpc-server.c
@@ -84,6 +84,12 @@ proto_read_byte_buffer (p11_rpc_message *msg,
*n_buffer = length;
*buffer = NULL;
+ /* length = -1 indicates length = 0, but buffer not NULL */
+ if (length == (uint32_t)-1) {
+ *n_buffer = 0;
+ length = 1; /*allocate 1 dummy byte */
+ }
+
/* If set to zero, then they just want the length */
if (length == 0)
return CKR_OK;
--
2.38.1

116
0010-Add-support-for-CKM_AES_CTR.patch Normal file
View file

@ -0,0 +1,116 @@
From 556335018ed45b5df28801d5aa44e9821040a519 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 11 Apr 2022 11:24:42 +0200
Subject: [PATCH 10/11] Add support for CKM_AES_CTR
It takes a CK_AES_CTR_PARAMS structure as mechanism parameter.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
p11-kit/rpc-message.c | 62 +++++++++++++++++++++++++++++++++++++++++++
p11-kit/rpc-message.h | 9 +++++++
2 files changed, 71 insertions(+)
diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
index 960b218..7c92fb5 100644
--- a/p11-kit/rpc-message.c
+++ b/p11-kit/rpc-message.c
@@ -1592,6 +1592,67 @@ p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer,
return true;
}
+void
+p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_AES_CTR_PARAMS params;
+
+ /* Check if value can be converted to CK_AES_CTR_PARAMS. */
+ if (value_length != sizeof (CK_AES_CTR_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&params, value, value_length);
+
+ /* Check if params.counter_bits can be converted to uint64_t. */
+ if (params.counter_bits > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_uint64 (buffer, params.counter_bits);
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.cb,
+ sizeof(params.cb));
+}
+
+bool
+p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val;
+ const unsigned char *data;
+ size_t len;
+
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val))
+ return false;
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len))
+ return false;
+
+ if (value) {
+ CK_AES_CTR_PARAMS params;
+
+ params.ulCounterBits = val;
+
+ if (len != sizeof (params.cb))
+ return false;
+
+ memcpy (params.cb, data, sizeof (params.cb));
+ memcpy (value, &params, sizeof (CK_AES_CTR_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_AES_CTR_PARAMS);
+
+ return true;
+}
+
void
p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
const void *value,
@@ -1738,6 +1799,7 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
{ CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
{ CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
+ { CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value },
{ CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
{ CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
{ CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
index 6c8eaf3..6998443 100644
--- a/p11-kit/rpc-message.h
+++ b/p11-kit/rpc-message.h
@@ -511,6 +511,15 @@ bool p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer,
void *value,
CK_ULONG *value_length);
+void p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
const void *value,
CK_ULONG value_length);
--
2.38.1

124
0011-Add-support-for-CKM_AES_GCM.patch Normal file
View file

@ -0,0 +1,124 @@
From 733905eacbaf29aa807a416bbb3535f75b53a314 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 11 Apr 2022 11:43:12 +0200
Subject: [PATCH 11/11] Add support for CKM_AES_GCM
It takes a CK_GCM_PARAMS structure as mechanism parameter.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
p11-kit/rpc-message.c | 70 +++++++++++++++++++++++++++++++++++++++++++
p11-kit/rpc-message.h | 9 ++++++
2 files changed, 79 insertions(+)
diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c
index 7c92fb5..a4974b5 100644
--- a/p11-kit/rpc-message.c
+++ b/p11-kit/rpc-message.c
@@ -1653,6 +1653,75 @@ p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer,
return true;
}
+void
+p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length)
+{
+ CK_GCM_PARAMS params;
+
+ /* Check if value can be converted to CK_GCM_PARAMS. */
+ if (value_length != sizeof (CK_GCM_PARAMS)) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ memcpy (&params, value, value_length);
+
+ /* Check if params.ulTagBits/ulIvBits can be converted to uint64_t. */
+ if (params.ulTagBits > UINT64_MAX || params.ulIvBits > UINT64_MAX) {
+ p11_buffer_fail (buffer);
+ return;
+ }
+
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.pIv,
+ params.ulIvLen);
+ p11_rpc_buffer_add_uint64 (buffer, params.ulIvBits);
+ p11_rpc_buffer_add_byte_array (buffer,
+ (unsigned char *)params.pAAD,
+ params.ulAADLen);
+ p11_rpc_buffer_add_uint64 (buffer, params.ulTagBits);
+}
+
+bool
+p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length)
+{
+ uint64_t val1, val2;
+ const unsigned char *data1, *data2;
+ size_t len1, len2;
+
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1))
+ return false;
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val1))
+ return false;
+ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2))
+ return false;
+ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val2))
+ return false;
+
+ if (value) {
+ CK_GCM_PARAMS params;
+
+ params.pIv = (void *) data1;
+ params.ulIvLen = len1;
+ params.ulIvBits = val1;
+ params.pAAD = (void *) data2;
+ params.ulAADLen = len2;
+ params.ulTagBits = val2;
+
+ memcpy (value, &params, sizeof (CK_GCM_PARAMS));
+ }
+
+ if (value_length)
+ *value_length = sizeof (CK_GCM_PARAMS);
+
+ return true;
+}
+
void
p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
const void *value,
@@ -1800,6 +1869,7 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = {
{ CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
{ CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value },
{ CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value },
+ { CKM_AES_GCM, p11_rpc_buffer_add_aes_gcm_mechanism_value, p11_rpc_buffer_get_aes_gcm_mechanism_value },
{ CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
{ CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
{ CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value },
diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h
index 6998443..69c274c 100644
--- a/p11-kit/rpc-message.h
+++ b/p11-kit/rpc-message.h
@@ -520,6 +520,15 @@ bool p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer,
void *value,
CK_ULONG *value_length);
+void p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer,
+ const void *value,
+ CK_ULONG value_length);
+
+bool p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer,
+ size_t *offset,
+ void *value,
+ CK_ULONG *value_length);
+
void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer,
const void *value,
CK_ULONG value_length);
--
2.38.1

45
0012-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch Normal file
View file

@ -0,0 +1,45 @@
From bd1574181b9a736ab6445d581388fc1162f3474a Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Sun, 19 Jun 2022 16:29:41 +0900
Subject: [PATCH] common/pkcs11x.h: Support CRYPTOKI_GNU for IBM vendor
mechanisms
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
common/pkcs11x.h | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/common/pkcs11x.h b/common/pkcs11x.h
index 4183b3d..da29224 100644
--- a/common/pkcs11x.h
+++ b/common/pkcs11x.h
@@ -226,9 +226,23 @@ typedef CK_ULONG CK_TRUST;
#define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028)
#define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004)
-typedef struct CK_IBM_ATTRIBUTEBOUND_WRAP {
- CK_OBJECT_HANDLE hSignVerifyKey;
-} CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS;
+/*
+ * If the caller is using the PKCS#11 GNU calling convention, then we cater
+ * to that here.
+ */
+#ifdef CRYPTOKI_GNU
+#define hSignVerifyKey h_sign_verify_key
+#endif
+
+struct ck_ibm_attributebound_wrap {
+ CK_OBJECT_HANDLE hSignVerifyKey;
+};
+
+typedef struct ck_ibm_attributebound_wrap CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS;
+
+#ifdef CRYPTOKI_GNU
+#undef hSignVerifyKey
+#endif
#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */
--
2.38.1

9
baselibs.conf Normal file
View file

@ -0,0 +1,9 @@
libp11-kit0
p11-kit
+/usr/lib(64)?/pkcs11/*.so
requires "p11-kit = <version>"
p11-kit-nss-trust
+/usr/lib(64)?/*.so
requires "p11-kit = <version>"
conflicts "mozilla-nss-certs-<targettype>"
provides "libnssckbi.so"

BIN
p11-kit-0.23.22.tar.xz.sig Normal file
View file

Binary file not shown.

63
p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch Normal file
View file

@ -0,0 +1,63 @@
From d1782b694f75f4a7c1449b2d006df7aeaffbb576 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 27 Jul 2022 15:18:05 +0900
Subject: pkcs11-gnu: Enable testing with <p11-kit/pkcs11x.h>
This ensures that programs using <p11-kit/pkcs11x.h> can be compiled
with CRYPTOKI_GNU. The previous coverage was partial as pkcs11-gnu.c
didn't include "pkcs11x.h" and Meson didn't supply -DCRYPTOKI_GNU=1.
Signed-off-by: Daiki Ueno <ueno@gnu.org>
diff --git a/p11-kit/meson.build b/p11-kit/meson.build
index 386f612..7912684 100644
--- a/p11-kit/meson.build
+++ b/p11-kit/meson.build
@@ -217,6 +217,9 @@ gnu_h = gnu_h_gen.process(pkcs11_gnu_headers)
static_library('p11-kit-pkcs11-gnu',
gnu_h,
'pkcs11-gnu.c',
+ c_args: [
+ '-DCRYPTOKI_GNU=1', '-DP11_KIT_FUTURE_UNSTABLE_API=1',
+ ],
include_directories: [configinc, commoninc])
# Tests ----------------------------------------------------------------
diff --git a/p11-kit/p11-kit.h b/p11-kit/p11-kit.h
index cc89595..aa8323e 100644
--- a/p11-kit/p11-kit.h
+++ b/p11-kit/p11-kit.h
@@ -43,12 +43,17 @@
*/
#ifdef CRYPTOKI_GNU
typedef ck_rv_t CK_RV;
+typedef ck_object_handle_t CK_OBJECT_HANDLE;
+typedef unsigned long int CK_ULONG;
typedef struct ck_function_list* CK_FUNCTION_LIST_PTR;
typedef struct ck_function_list CK_FUNCTION_LIST;
#endif
#include "p11-kit/deprecated.h"
+/* For size_t. */
+#include <stddef.h>
+
#ifdef __cplusplus
extern "C" {
#endif
diff --git a/p11-kit/pkcs11-gnu.c b/p11-kit/pkcs11-gnu.c
index 86d9374..c75f4b0 100644
--- a/p11-kit/pkcs11-gnu.c
+++ b/p11-kit/pkcs11-gnu.c
@@ -1,3 +1,8 @@
+#include "config.h"
+
+#include "p11-kit.h"
+#include "pkcs11x.h"
+
#include "pkcs11-gnu-iter.h"
#include "pkcs11-gnu-pin.h"
#include "pkcs11-gnu-uri.h"
--
2.42.0

486
p11-kit.changes Normal file
View file

@ -0,0 +1,486 @@
* Tue Oct 24 2023 pmonreal@suse.com
- Ensure that programs using <p11-kit/pkcs11x.h> can be compiled
with CRYPTOKI_GNU. Fixes GnuTLS builds. [jsc#PED-6705]
* Add p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch
* Wed Jan 25 2023 lnussel@suse.com
- Backport IBM specific mechanism and attributes (Jira#PED-584)
0001-Add-IBM-specific-mechanism-and-attributes.patch
0002-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch
0003-client-Allow-zero-part-length-at-C_SignUpdate.patch
0004-Fix-support-of-CKA_DERIVE_TEMPLATE.patch
0005-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch
0006-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch
0007-Add-support-for-MAC-and-HMAC-general-mechanisms.patch
0008-Add-support-for-CKM_DH_PKCS_DERIVE.patch
0009-rpc-Handle-special-cases-for-buffer-and-length.patch
0010-Add-support-for-CKM_AES_CTR.patch
0011-Add-support-for-CKM_AES_GCM.patch
0012-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch
* Wed Aug 11 2021 scabrero@suse.de
- Update to version 0.23.22 (bsc#1180064, bsc#1180065, bsc#1180066):
* Fix memory-safety issues that affect the RPC protocol
(CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363), discovered
and fixed by David Cook
* anchor: Prefer persistent format when storing anchor [PR#329]
* common: Fix infloop in p11_path_build [PR#326, PR#327]
* proxy: C_CloseAllSessions: Make sure that calloc args are non-zero [PR#325]
* common: Check for a NULL locale before freeing it [PR#321]
* Build and test fixes [PR#313, PR#315, PR#317, PR#318, PR#319, PR#323,
PR#330, PR#333, PR#334, PR#335, PR#338, PR#339]
- Changes for version 0.23.21
* proxy: Do not assign duplicate slot IDs [PR#282]
* common: Get program name based on executable path if possible [PR#307]
* anchor: Exit with non-zero code, if any error occurs [PR#304]
* Build and test fixes [PR#283, PR#290, PR#291, PR#292, PR#296, PR#299,
PR#305, PR#306, PR#309, PR#311]
- Changes for version 0.23.20:
* Revert "Fix RPC when length-s are 0" changes [PR#276]
- Changes for version 0.23.19:
* common: add Russian PKCS#11 extensions to pkcs11x.h header [PR#255]
* Add simple bash completion for provided commands [PR#258]
* Unbreak list matching in enable-in and disable-in [PR#262]
* Fix RPC when length-s are 0 [PR#259]
* rpc: Add vsock transport support [PR#270]
* trust: Support CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER [PR#265]
* Build fixes [PR#271, PR#272, PR#273, ...]
- Changes for version 0.23.18:
* rpc: Allow empty CK_DATE value [PR#253]
* build: Meson fixes [PR#245]
* build: Adjust feature parity between meson and autotools [PR#247]
- Changes for version 0.23.17:
* common: Fix uClibc-ng compilation [PR#237]
* trust: do not allow daylight to invalidate date validation [PR#236]
* build: Port to meson build system [PR#231, PR#234]
* rpc: On UNIX wait on condition variable instead of FD if header is for a different thread [PR#232]
* doc: Add 'server' command in help [PR#229]
* Build and test fixes [PR#230]
- Changes for version 0.23.16:
* proxy: Support C_WaitForSlotEvent() if CKF_DONT_BLOCK is specified [PR#225]
* conf: Ignore user configuration if the program is running as root [PR#226]
* proxy: Refresh slot list on every C_GetSlotList call [PR#224]
* modules: Fix index used in call to p11_dict_remove() [PR#219]
* Fix Win32 p11_dl_error crash [PR#218]
* modules: check gl.modules before iterates on it when freeing [PR#217]
* trust: Ignore unreadable content in anchors [PR#215]
* extract-jks: Prefer _p11_extract_jks_timestamp to SOURCE_DATE_EPOCH [PR#213]
- Changes for version 0.23.15:
* trust: Improve error handling if backed trust file is corrupted [PR#206]
* url: Prefer upper-case letters in hex characters when encoding [PR#193]
* trust/extract-jks.c: also honor SOURCE_DATE_EPOCH time [PR#202]
* virtual: Prefer fixed closures to libffi closures [PR#196]
* Fix issues spotted by coverity and cppcheck [PR#194, PR#204]
* Build and test fixes [PR#164, PR#191, PR#199, PR#201]
- Changes for version 0.23.14:
* proxy: Avoid invalid memory access when unloading proxy module [PR#180]
* Update pkcs11 header to allow SoftHSMv2 to compile [PR#181]
* build: Restore libpthread dependency [PR#183]
* Build fixes [PR#188]
- Changes for version 0.23.13:
* server: Enable socket activation through systemd [PR#173]
* rpc-server: p11_kit_remote_serve_tokens: Allow exporting all modules
[PR#174]
* proxy: Fail early if there is no slot mapping [PR#175]
* Remove hard dependency on libpthread [PR#177]
* Build fixes [PR#170, PR#176]
- Changes for version 0.23.12
* Fix compile error when PKCS#11 GNU calling convention is enabled [PR#160]
* Fix getauxval() and secure_getenv() emulation on macOS and FreeBSD [PR#167]
* Build and test fixes on macOS [PR#162, PR#168]
- Changes for version 0.23.11
* trust: Add extractor for edk2/cacerts.bin [PR#139]
* modules: Add option to control module visibility from proxy [PR#140]
* trust: Prevent trust module being loaded by proxy module [PR#142]
* library: Use dedicated locale object for printing error [PR#148]
* Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly [PR#134]
* Improve const correctness for P11KitUri [PR#152]
* PKCS#11 URI scheme comparison is now case insensitive [PR#156]
* Build and test fixes [PR#151, PR#149, PR#141, PR#138, PR#135]
- Changes for version 0.23.10
* filter: Respect "write-protected" vendor-specific attribute in
PKCS#11 URI [PR#129]
* server: Improve shell integration and documentation [PR#107, PR#108]
* proxy: Reuse existing slot ID mapping in after fork() [PR#120]
* trust: Forcibly mark "Default Trust" read-only [PR#123]
* New function p11_kit_override_system_files() which can be used for
testing [PR#110]
* trust: Filter out duplicate extensions [PR#69]
* Update translations [PR#128]
* Bug fixes [PR#125, PR#126]
- Changes for version 0.23.9
* Fix p11-kit server regressions [PR#103, PR#104]
* trust: Respect anyExtendedKeyUsage in CA certificates [PR#99]
* Build fixes related to reallocarray [PR#96, PR#98, PR#100]
- Changes for version 0.23.8
* Improve vendor query attributes handling in PKCS#11 URI [PR#92]
* Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91]
* New envvar P11_KIT_NO_USER_CONFIG to stop looking at user
configurations [PR#87]
* Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86]
- Changes for version 0.23.7
* Fix memory issues with "p11-kit server" [PR#78]
* Build fixes [PR#77 ...]
- Changes for version 0.23.6
* Port "p11-kit server" to Windows and portability fixes of the RPC
protocol [PR#67, PR#72, PR#74]
* Recover the old behavior of "trust anchor --remove" [PR#70, PR#71]
* Build fixes [PR#63 ...]
- Changes for version 0.23.5
* Fix license notice of common/unix-peer.c [PR#58]
* Remove systemd unit files for now [PR#60]
* Build fixes for FreeBSD [PR#56]
- Changes for version 0.23.4
* Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31,
PR#37, PR#52]
* The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY
attribute, used by Firefox [#99453, PR#46]
* Add 'trust dump' command to dump all PKCS#11 objects in the
persistence format [PR#44]
* New experimental 'p11-kit server' command that allows PKCS#11
forwarding through a Unix domain socket. A client-side module
p11-kit-client.so is also provided [PR#15]
* Add systemd unit files for exporting the proxy module through a
Unix domain socket [PR#35]
* New P11KitIter API to iterate over slots, tokens, and modules in
addition to objects [PR#28]
* libffi dependency is now optional [PR#9]
* Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45]
- Changes for version 0.23.3
* Install private executables in libexecdir [fdo#98817]
* Fix link error of proxy module on macOS [fdo#98022]
* Use new PKCS#11 URI specification for URIs [fdo#97245]
* Support x-init-reserved argument of C_Initialize() in remote modules
[fdo#80519]
* Incorporate changes from PKCS#11 2.40 specification
* Bump libtool library version
* Documentation fixes
* Build fixes [fdo#87192 ...]
- Move RPM macros to %%_rpmmacrodir.
- New server subpackage
- Change keyring to new maintainer Daiki Ueno
- Avoid bareword to fix build failure
- Remove obsolete patches:
* p11-kit-biarch.patch
* 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch
* 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch
* Mon Dec 23 2019 lnussel@suse.de
- Also build documentation (boo#1013125)
* Fri Nov 15 2019 lnussel@suse.de
- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox
detects built in certificates (boo#1154871,
0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch,
0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch)
* Tue Mar 20 2018 kukuk@suse.de
- Use %%license instead of %%doc [bsc#1082318]
* Tue Nov 22 2016 sbrabec@suse.com
- 32-bit compatibility fixes:
* Add PKCS11 module to p11-kit-32bit (bsc#996047#c39)
* Add p11-kit-nss-trust-32bit NSS module
* Fix potential bi-arch issue with private binaries
(fdo#98817, p11-kit-biarch.patch)
* Mon Feb 8 2016 mpluskal@suse.com
- Update to 0.23.2
* Fix forking issues with libffi
* Fix various crashes in corner cases
* Updated translations
* Build fixes
- Make building more verbose
- Enable tests
- Small spec file cleanup with spec-cleaner
* Sun Mar 8 2015 p.drouand@gmail.com
- Update to version 0.23.1 (stable)
* Use new PKCS#11 URI draft fields for URIs [fdo#86474 fdo#87582]
* Add pem-directory-hash extract format
* Build fixes
- Remove 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff;
fixed on upstream release
- Remove autoconf, automake and libtool require; unneeded dependencies
- Add gtk-doc require; needed to build html documentation
- Remove redundant %%clean section
* Mon Oct 13 2014 lnussel@suse.de
- remove patches:
* trust-Print-label-of-certificate-when-complaining-.patch
* trust-Dont-use-invalid-public-keys-for-looking-up-.patch
- new version 0.20.7 (stable)
* New public pkcs11x.h header containing extensions [fdo#83495]
* Export necessary defines to lookup attached extensions [fdo#83495]
* Build fixes
- new version 0.20.6 (stable)
* Make the p11-kit-proxy.so module respect critical = no [fdo#83651]
* Build fix for FreeBSD [fdo#75674]
- new version 0.20.5 (stable)
* Don't use invalid keys for looking up stapled extensions [fdo#82328]
* Better error messages when invalid certificate extensions
* Fix parsing of some odd OpenSSL TRUSTED CERTIFICATE files
* Fix some leaks, and memory issues
* Silence some clang scanner warnings
- new version 0.20.4 (stable)
* Don't complain about C_Finalize after a fork
* Fix typo
* Fri Aug 29 2014 lnussel@suse.de
- new version 0.20.3
* Fix problems reinitializing managed modules after fork
* Fix bad bookeeping when fail initializing one of the modules
* Fix case where module would be unloaded while in use [#74919]
* Remove assertions when module used before initialized [#74919]
* Fix handling of mmap failure and mapping empty files [#74773]
* Stable p11_kit_be_quiet() and p11_kit_be_loud() functions
* Require automake 1.12 or later
* Build fixes for Windows [#76594 #74149]
- apply patches to avoid errors from certificates with invalid public key
(fdo#82328, bnc#890908,
trust-Dont-use-invalid-public-keys-for-looking-up-.patch,
trust-Print-label-of-certificate-when-complaining-.patch)
* Mon May 19 2014 lnussel@suse.de
- New version 0.20.2
* Fix bug where blacklist didn't affect extracted ca-anchors if the anchor
and blacklist were not in the same trust path (regression) [fdo#73558]
* Check for race in BasicConstraints stapled extension [fdo#69314]
* Build fixes and cleanup
* Tue Feb 11 2014 meissner@suse.com
- added .sig file. trying to locate source of the keyring.
* Fri Dec 6 2013 lnussel@suse.de
- trust: allow to also add openssl style hashes to pem-directory
0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff
* Tue Sep 10 2013 lnussel@suse.de
- upgrade to 0.20.1 which is 0.19 declared stable
* Extract compat trust data after we've changes
* Skip compat extraction if running as non-root
* Better failure messages when removing anchors
* Fri Aug 30 2013 lnussel@suse.de
- new version 0.19.4
* 'trust anchor' now adds/removes certificate anchors
* 'trust list' lists trust policy stuff
* 'p11-kit extract' is now 'trust extract'
* 'p11-kit extract-trust' is now 'trust extract-compat'
* Workarounds for working on broken zfsonlinux.org [#68525]
* Add --with-module-config parameter to the configure script [#68122]
* Add support for removing stored PKCS#11 objects in trust module
* Thu Jul 25 2013 lnussel@suse.de
- new version 0.19.3
* Fix up problems with automake testing
* Fix a bunch of memory leaks in newly refactored code
* Don't use _GNU_SOURCE and the unportability it brings
* Add basic 'trust anchor' command to store a new anchor
* Support for writing out trust token objects
* Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec
* Add option to use freebl for hashing
* Implement reloading of token data
* Fix warnings and possible minor bugs higlighted by code scanners
* Don't load configs in home directories when running setuid or setgid
* Support treating ~/.config as $XDG_CONFIG_HOME
* Use $XDG_DATA_HOME/pkcs11 as default user config directory
* Use $TMPDIR instead of $TEMP while testing
* Open files and fds with O_CLOEXEC
* Abort initialization if a critical module fails to load
* Don't use thread-unsafe functions: strerror, getpwuid
* Fix p11_kit_space_strlen() result when empty string
* Refactoring of where various components live
* Fri Jul 5 2013 lnussel@suse.de
- fix 32bit provides of libnssckbi.so
- repace p11-kit-extract-trust with update-ca-certificates
* Fri Jun 28 2013 lnussel@suse.de
- provide libnssckbi.so to replace mozilla-nss-certs
* Mon Jun 24 2013 lnussel@suse.de
- add p11-kit-nss-trust subpackage that serves as drop-in
replacement for mozilla-nss-certs
* Wed Jun 19 2013 lnussel@suse.de
- use /etc/pki/trust and /usr/share/pki/trust as system CA
certificate store
* Mon May 27 2013 dimstar@opensuse.org
- Update to version 0.19.1:
+ Refactor API to be able to handle managed modules.
+ Deprecate much of old p11-kit API.
+ Implement concept of managed modules.
+ Make C_CloseAllSessions function work for multiple callers.
+ New dependency on libffi.
+ Fix possible threading problems reported by hellgrind.
+ Add log-calls option.
+ Mark p11_kit_message() as a stable function.
+ Use our own unit testing framework.
- Add pkgconfig(libffi) BuildRequires: new dependency.
* Tue May 14 2013 dimstar@opensuse.org
- Update to version 0.18.2:
+ Build fixes (fdo#64378)
* Mon May 13 2013 dimstar@opensuse.org
- Also provide p11-kit-32bit (in fact, the pkcs#11 modules)
(bnc#819246).
* Mon Apr 15 2013 dimstar@opensuse.org
- Update to version 0.18.1:
+ Put the external tools in $libdir/p11-kit.
+ Documentation build fixes.
* Thu Apr 4 2013 dimstar@opensuse.org
- Update to version 0.18.0:
+ Fix use of trust module with gcr and empathy (fdo#62896).
+ Further tweaks to trust module date parsing.
+ Fix unaligned memory reads (fdo#62819).
+ Win32 fixes (fdo#63062, fdo#63046).
+ Debug and logging tweaks (fdo#62874).
+ Other build fixes.
* Thu Mar 28 2013 zaitor@opensuse.org
- Update to version 0.17.5:
+ Don't try to guess at overflowing time values on 32-bit
systems (fdo#62825).
+ Test fixes (fdo#927394).
* Thu Mar 21 2013 dimstar@opensuse.org
- Update to version 0.17.4:
+ Check for duplicate certificates in a token, warn and discard
(fdo#62548).
+ Implement a proper index so we have decent load performance.
* Wed Mar 20 2013 dimstar@opensuse.org
- Update to version 0.17.3:
+ Use descriptive labels for the trust module tokens (fdo#62534).
+ Remove the temporary built in distrust objects.
+ Make extracted output directories and files read-only
(fdo#61898).
+ Don't export unneccessary ABI.
+ Build fixes (fdo#62479).
* Tue Mar 19 2013 dimstar@opensuse.org
- Update to version 0.17.2:
+ Fix build on 32-bit linux.
+ Fix several crashers.
- Changes from version 0.17.1:
+ Support a p11-kit specific PKCS#11 attribute persistance format
(fdo#62156).
+ Use the SHA1 hash of SPKI as the CKA_ID in the trust module by
default (fdo#62329).
+ Refactor a trust builder which builds objects out of parsed
data (fdo#62329).
+ Combine trust policy when extracting certificates (fdo#61497).
+ The extract --comment option adds comments to PEM bundles
(fdo#62029).
+ A new 'priority' config option for ordering modules
(fdo#61978).
+ Make each configured path its own trust module token
(fdo#61499).
+ Use --with-trust-paths to configure trust module (fdo#62327).
+ Fix bug decoding some PEM files.
+ Better debug output for trust module lookups.
+ Work around bug in NSS when doing serial number lookups.
+ Work around broken strndup() function in firefox.
+ Fix the nickname for the distrusted attribute.
+ Build fixes.
- Add ca-certificates BuildRequires: needed to find the location of
the root certificates.
* Thu Mar 14 2013 dimstar@opensuse.org
- Update to version 0.16.4:
+ Display per command help again (fdo#62153).
+ Don't always print tools debug output (fdo#62152).
- Changes from version 0.16.3:
+ When iterating don't skip tokens without the
CKF_TOKEN_INITIALIZED flag.
+ Hardcode some distrust records for NSS temporarily.
+ Parse global options better in the p11-kit command.
+ Better debugging.
- Changes from version 0.16.2:
+ Fix regression in 'p11-kit extract --purpose' option
(fdo#62009)
+ Documentation updates
+ Build fixes (fdo#62001).
- Changes from version 0.16.1:
+ Don't break when cA field of BasicConstraints is missing
(fdo#61975).
+ Documentation fixes and updates.
+ p11-kit extract-trust is a placeholder script now.
* Tue Mar 5 2013 dimstar@opensuse.org
- Update to version 0.16.0:
+ Update the pkcs11.h header for new mechanisms
+ Fix build and tests on mingw64 (ie: win32)
+ Relicense LGPL code to BSD license
+ Documentation tweaks
+ Bugs fixed: fdo#61739, fdo#60894, fdo#61740, fdo#60792
+ Updated translations.
- Changes from version 0.15.2:
+ Better define the libtasn1 dependency.
+ Crasher and bug fixes.
+ Build fixes.
+ Updated translations.
- Changes from version 0.15.1:
+ Fix some memory leaks.
+ Add a location for packages to drop module configs.
+ Documentation updates and fixes.
+ Add command line tool manual page.
+ Remove unused err() function and friends.
+ Move more code into common/ directory and refactor.
+ Add a system trust policy module.
+ Refactor how the p11-kit command line tool works.
+ Add p11-kit extract and extract-trust commands.
+ Don't complain if we cannot access ~/.pkcs11/pkcs11.conf.
+ Refuse to load the p11-kit-proxy.so as a registered module.
+ Don't fail initialization if last initialized module fails.
* Fri Sep 7 2012 dimstar@opensuse.org
- Update to version 0.14:
+ Change default for user-config to merge
+ Always URI-encode the 'id' attribute in PKCS#11 URIs
+ Expect a .module extension on module configs
+ Windows compatibility fixes
+ Testing fixes
+ Build fixes
* Mon Jul 23 2012 zaitor@opensuse.org
- Update to version 0.13:
+ Don't allow reading of PIN files larger than 4096 bytes
+ If a module is not marked as critical then ignore init failure
+ Use preconditions to check for input problems and out of memory
+ Add enable-in and disable-in options to module config
+ Fix the flags in pin.h
+ Use gcc extensions to check varargs during compile
+ Fix crasher when a duplicate module is present
+ Fix broken hashmap behavior
+ Testing fixes
+ Win32 build fixes
+ 'p11-kit -h' now works
+ Documentation fixes
* Fri Mar 9 2012 dimstar@opensuse.org
- Update to version 0.12:
+ Build fix.
* Fri Feb 10 2012 vuntz@opensuse.org
- Update to version 0.11:
+ Remove automatic reinitialization of PKCS#11 after fork
* Wed Jan 4 2012 vuntz@opensuse.org
- Update to version 0.10:
+ Build fixes, for windows, gcc 4.6.1.
* Tue Nov 15 2011 dimstar@opensuse.org
- Update to version 0.9:
+ p11-kit can't be used as a static library.
+ Fix problems crashing when freeing TLS on windows.
+ Add debug output to windows init and uninit of library.
+.Build fixes, especially for windows
* Thu Oct 27 2011 dimstar@opensuse.org
- Update to version 0.8:
+ Rename non-static functions to have a _p11_xxx prefix
+ No concurrent calling of C_Initialize and C_Finalize
+ Print more information in 'p11-kit -l'
+ Initial port to win32
+ Build and testing fixes.
* Tue Sep 27 2011 vuntz@opensuse.org
- Update to version 0.7:
+ Expand p11-kit config variables correctly in various build
scenarios
+ Add test tool to print out error messages
+ Build fix on FreeBSD
* Thu Sep 15 2011 vuntz@opensuse.org
- Update to version 0.6:
+ Add concept of a default module directory from which modules
with relative paths are loaded.
+ Renamed pkg-config variables to make it clearer what's what.
* Fri Sep 2 2011 vuntz@opensuse.org
- Update to version 0.5:
+ Fix crasher in p11_kit_registered_modules()
+ Add 'critical' setting for modules, which defaults to 'no'
+ Fix initialization issues in the proxy module
* Fri Aug 19 2011 dimstar@opensuse.org
- Update to version 0.4:
+ Fix endless loop if module forks during initialization
+ Update PKCS#11 URI code for new draft of spec
+ Don't fail when duplicate modules are configured
+ Better debug output
+ Add example configuration documentation
+ Support whitespace in PKCS#11 URIs
- Move the p11-kit.conf.example to the doc folder.
* Sat Jul 30 2011 vuntz@opensuse.org
- Update to version 0.3:
+ Rewrite hash table, and simplify licensing.
+ Correct paths for p11-kit config files.
+ Many build fixes and tweaks.
- Remove Apache-2 part from License tag, as the code was rewritten.
* Mon Jul 25 2011 vuntz@opensuse.org
- Initial package (version 0.2).

63
p11-kit.keyring Normal file
View file

@ -0,0 +1,63 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBEpn7i4BEACh0wFe2B53UlIxWOQ3wrK3TIyHpmz9zyMCkdIP7x1b74Z/SxZA
7N8uOk5BQh3GLBnYThJl3MSWOAgpbouyI5Eh9f+yZ27AoBkQcd8JeHckbLvXCxG8
GPOn1cqSBUsus+6tuG86LI3rudJSKsFZ2uH0amRfJSBBnybrosy5dTn55GIJ3Bbq
WdaTP7uNFWRMzi6DA49m880hJ2qunkuAOX/q8kvKpfRuJCdme9kXZc1l88FqGUEl
dCVYpG+SjdCFP9CmZJRYhF6UuRHSZXyJTw1WMmop7gYj2F3QTsodnf1e9eDju/yW
pzmPB4WACtrrO7wzPlufselFNIrHwx6tykvzflaYTg2brn9opmZTAM7eYXhBk8AE
vOXCg1q4UXiSGtFpowBUVtoOGQHlSC218OnQyaMEsC7Cagb1EQqZNbXnvcMVzMIc
XcKHFSAQrk5+IfNTQOok8FIWXWm8TYVDqVIpWEKDgHj0PwcPWtpkhjlgIP01a5uv
rvv0w1Tq2NcjLppyYynoEvEbGWojku4lyCUWdWAL9n5h3IClyBCqdH8OMtdL3Wib
GIlkbOcWXfsR+FURCv5eswMRAlZKuzLf6YyDzpZVWyOoe+Qc+S4Dl8J+WeY7PquN
JwGdtLklSi0436VYKup4kgoT3iAHYVOBt0K03nDtgnsm2UxiER+e190YVwARAQAB
tBlEYWlraSBVZW5vIDx1ZW5vQGdudS5vcmc+iQI+BBMBAgAoAhsDBgsJCAcDAgYV
CAIJCgsEFgIDAQIeAQIXgAUCUlDGpgUJEU7Z8QAKCRDWBYSO1+aYcb7lD/9nmcZ/
s2x1iEoYtnl0BwhdMH5rc9le9OgNWVSTJEYs/LDfIuwo0qSSi/qrJyXV8MaazM4v
4G+XwGWJxMnRKW2WG7mMRyF5UVSgindZ0CE19vchGMAc9u6xXfm74kd0q/wkfpF9
OhlNrBw5BdFfP66WOoK0vkX40HaTiJKO4ty7g0rMGJh2ENji5ilzc3uccZr8tjg9
ZM+SFZ5KE1wbPLNjVOLJo7BYW5pUmlIMsY5h+5B5etFKiJnqBok/NdMr3Wxszfmg
0ea7F6Nd5+vWD3ZcmAM+fa/N/zRKozlK7I0dFnYjGfQWn8Y5e3jALbY18DmY/Sr/
4D2m6c5g/x0ynLxaNiDcAJtyjI3j0mBvAa6WGiqifYgWesgpcalFnTk5DtNFZtop
0CjKSo6+XTndd2DXtYifFN13t9Q8017lrplMJYDz5UkETnRHun1eJzmVjCt5GC2E
7s71dcmFc/4CQjYOxFBToMI8BuRS8CUVM6Thm4napRwh2SEVAcS479OtY0kraD7B
fMUVYb4iOgjPPvWswD4kztC4YqFO6Q7bK+QDBEsRBpsAphiELwi253kNSRND64SW
kUIfE5jwy/BJpDWiy56ndkGrhsWA7Uf+LyxveHDXqMT/l/sR1uC7lvZo/CTBUmpY
R3Fh8SGUQEOJmfL5rJqFNCpHW9hOa8bZRXhBcbQeRGFpa2kgVWVubyA8dWVub0B1
bml4dXNlci5vcmc+iQI9BBMBAgAnAhsDAh4BAheABQsJCAcDBRUKCQgLBRYCAwEA
BQJSUMarBQkRTtnxAAoJENYFhI7X5phxFfcP/3ffau6eG1p7cmy2ZL0ow1jJEPJH
AV6u3PuvyKrynmJszFEZwt59GK9c1fO8b3nwgljIEIoW7/nWYg2kcLjPatpIA87K
sqTYaoVcmPzD3NkBXFJpHrdoL8gnBFuaQbSKfLa11F2fgpSPxNnpmRx8M3G82ZCT
PQtdeQm9T+QtcOpJ0PRDvckVNXxpW7RX/VATF6yL/zcxGZmFcFW+ZCAbyYQn7LSt
sujvVrH8H/VrDTSKBRK15iTTZZgoIsFbhsOBuQ18nahWcdwxl9qVbduY3cjowXTg
lpsLRcGw99mad8oA1jtSJhsP10v+rgvqYXsGS00bNCuC+LpF272neotgdIsNfrIg
RCnD9gLBWCeLJEZGNx3OgJPHnBDzDHsKr8UbSvYKWWTpHZZ0kt8p6YQ/xj+CycPm
h4mCwAoys2r/r2Mqtoc/WX7yg7i9t43/inLwrQZjOY0TK+QT5+l3opHQ54JKOi6n
xGgMPT/HfNvvjkRoC8Bn1vDBFRpXR+YU6cW6M9SxUeNKFNlElgfYuH1R7t/6C1VG
/O4UQuU4+ZgQNWUJHlibZExZ5oGcOkREjDKYZ9CCiQTc8Nl2F20eP/UL688Ns/mj
lbNYoEZmkGbcd64SM66d+D8jU3olG1xG1+1b4ZrV4Bb3yuuO29k9xU7+A7rXM33p
4ktklE69+udhe9LZuQINBEtrT7wBEACjRnNKXpiD/tbVSiF3bicZpf4C1JFIDvvJ
HQZEuK35SqeAe/tUpMAwbBfgW5sExUoB3Cy1lEK2Bi1kO7GU+tkdCHhi6jrcLYiM
g7QXavYZ/ebYHVfhVY2vGhOJVz4qm0/WvQYT3OpJSqrD1jT+AbRpDxFk9h2CBPw1
roBrh8TqYKyIOBPSswLwP05IKk9h7SwQnl/stXRchLMVaMrKL33V2bpZSI4NtYhJ
QGzX7PHVsv4JYBCXCeFRhAJwLLySfGM3DXdAChsOjtGob/sW84Kv5YM65sHxmhit
4NC5o5IxVQntvYaOsTafF9KOC8egostPsARxUNNihGYvJ5WL8NS2wQVMWsiRMK+/
QsK6PEMXny4q9+lMPGBZpuGicUX68RIIJynAaHatdorA0hFSDQIVxbhDTQdrBnmt
fSx33Yd9LlaW+oFz3oNtsUP57JQMvn7/RYMSheRqtlhSOOHQV/DdORo2B1uhd2Dl
uZOzsVz88o/2eZ9dhO8ArNhQRpWgcx7dq+kI7FyUH0Idrw29qD3IT/PnEOTF84ro
l0HEagP1ozVB32krJIDRQleTmdTogtT69FYLHnK9fYrk1m3Pcc3TWb/1PCcccN0D
2RJCl2kry5wJdx6g2bi7wg4twpRJshi5jREPJAAGNy5MKA+oon6D6gbwwNP3xuz/
/9BU0AUDYQARAQABiQIfBBgBAgAJBQJLa0+8AhsMAAoJENYFhI7X5phxMKwQAJ+j
gt6wOMCLx1zsRi3pxGQQq7FmVJNJYZ12JEp2uLC1h9E08V+aQXZe7pbonIlXvzeI
hOl6R1Smz/Kmyoly9C9TIhtMhkZrsxocriaLM7IxIfCuy0inFvv9bEogCCNVxFpj
V1DPscMVURKQgjbNQcKezyKOUq47ICq8eN5wma72mlxRVRxUTHi53Sokfb9YurhV
HrcWx/ESMR7zHSCwjtfQ69c77+aITJwocVaxlUVQYCCavCOB1gYDjnf5F17g+zGG
Cw7dN8vg4B048oyg8RiSnAmN2lt4iffqPAVTU8rixDRGkgpxYiMkGCdaqHwSu+mu
Ca85AM9r9WK6WIuRQEjh2PNsTk+ltamTLfFUC0sOpG+8LetD1hI3BWSpfgT5ncnU
RcnmansiVT0Gy73vPXf+THwnY4vAY5o0X93s2syfDX7ZRrhLg0MBKuz/eIBRLDFa
wkjpe+3mDYMVo1S1Dpg7Yt8IvlDFQlWRlISuoggM486JQNfjdS0ZiEk1mIja4w8R
YDJ2Fk6hcoR754fhZtULgXzE0ERGaTfpFlGu4jaWmyWikdaz+of5AR09mLl6KhCD
uqJ1LfpokgdeUIOwxe/67xT5wyGWK97fjJGj5Zo6VxFFf6bHZ8rVVhXBsR3WNDQP
kf3uHnsk4YEXreTPtPvQ7sp4/wAqX1qv3cV21kX2
=KGSD
-----END PGP PUBLIC KEY BLOCK-----

205
p11-kit.spec Normal file
View file

@ -0,0 +1,205 @@
#
# spec file for package p11-kit
#
# Copyright (c) 2022-2023 ZhuningOS
#
%define pkidir_cfg %{_sysconfdir}/pki
%define pkidir_static %{_datadir}/pki
%define trustdir_cfg %{pkidir_cfg}/trust
%define trustdir_static %{pkidir_static}/trust
Name: p11-kit
Version: 0.23.22
Release: 150500.8.3.1
Summary: Library to work with PKCS#11 modules
License: BSD-3-Clause
Group: Development/Libraries/C and C++
URL: https://p11-glue.freedesktop.org/p11-kit.html
Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz
Source1: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig
Source98: p11-kit.keyring
Source99: baselibs.conf
Patch0: 0001-Add-IBM-specific-mechanism-and-attributes.patch
Patch1: 0002-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch
Patch2: 0003-client-Allow-zero-part-length-at-C_SignUpdate.patch
Patch3: 0004-Fix-support-of-CKA_DERIVE_TEMPLATE.patch
Patch4: 0005-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch
Patch5: 0006-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch
Patch6: 0007-Add-support-for-MAC-and-HMAC-general-mechanisms.patch
Patch7: 0008-Add-support-for-CKM_DH_PKCS_DERIVE.patch
Patch8: 0009-rpc-Handle-special-cases-for-buffer-and-length.patch
Patch9: 0010-Add-support-for-CKM_AES_CTR.patch
Patch10: 0011-Add-support-for-CKM_AES_GCM.patch
Patch11: 0012-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch
# PATCH-FIX-UPSTREAM [jsc#PED-6705] Ensure that programs using <p11-kit/pkcs11x.h>
# can be compiled with CRYPTOKI_GNU.
Patch12: p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch
BuildRequires: gtk-doc
BuildRequires: pkgconfig
BuildRequires: pkgconfig(libffi) >= 3.0.0
BuildRequires: pkgconfig(libtasn1) >= 2.3
%description
p11-kit provides a way to load and enumerate PKCS#11 modules, as well
as a standard configuration setup for installing PKCS#11 modules in
such a way that they're discoverable.
%package -n libp11-kit0
Summary: Library to work with PKCS#11 modules
Group: System/Libraries
%description -n libp11-kit0
p11-kit provides a way to load and enumerate PKCS#11 modules, as well
as a standard configuration setup for installing PKCS#11 modules in
such a way that they're discoverable.
%package tools
Summary: Library to work with PKCS#11 modules -- Tools
Group: Development/Libraries/C and C++
%description tools
p11-kit provides a way to load and enumerate PKCS#11 modules, as well
as a standard configuration setup for installing PKCS#11 modules in
such a way that they're discoverable.
%package devel
Summary: Library to work with PKCS#11 modules -- Development Files
Group: Development/Libraries/C and C++
Requires: libp11-kit0 = %{version}
%description devel
p11-kit provides a way to load and enumerate PKCS#11 modules, as well
as a standard configuration setup for installing PKCS#11 modules in
such a way that they're discoverable.
%package nss-trust
Summary: Adaptor to make NSS read the p11-kit trust store
Group: Productivity/Networking/Security
Requires: p11-kit = %{version}
Conflicts: mozilla-nss-certs
%if "%{_lib}" == "lib64"
Provides: libnssckbi.so()(64bit)
%else
Provides: libnssckbi.so
%endif
%description nss-trust
Adaptor library to make NSS read the p11-kit trust store. It has
to be installed intead of mozilla-nss-certs.
%package server
Summary: Server and client commands for p11-kit
Group: Development/Libraries/C and C++
Requires: %{name}%{?_isa} = %{version}-%{release}
%description server
Command line tools that enable to export PKCS#11 modules through a
Unix domain socket. Note that this feature is still experimental.
%prep
%autosetup -p1
%build
%configure \
--with-trust-paths=%{trustdir_cfg}:%{trustdir_static} \
--enable-doc
%make_build
%install
%make_install
#
install -d m 755 %{buildroot}%{trustdir_cfg}/{anchors,blacklist}
install -d m 755 %{buildroot}%{trustdir_static}/{anchors,blacklist}
# Create pkcs11 config directory
test ! -e %{buildroot}%{_sysconfdir}/pkcs11/modules
install -d %{buildroot}%{_sysconfdir}/pkcs11/modules
# Remove sample config away to doc folder. Having the sample there would conflict
# with future versions of the library on file level. As replacement, we package
# the file as documentation file.
rm %{buildroot}%{_sysconfdir}/pkcs11/pkcs11.conf.example
find %{buildroot} -type f -name "*.la" -delete -print
#
install -d -m 755 %{buildroot}%{_rpmmacrodir}
cat <<'FIN' >%{buildroot}%{_rpmmacrodir}/macros.%{name}
# Macros from p11-kit package
%%pkidir_cfg %{pkidir_cfg}
%%pkidir_static %{pkidir_static}
%%trustdir_cfg %{trustdir_cfg}
%%trustdir_static %{trustdir_static}
FIN
#
# nss compat lib
ln -s %{_libdir}/pkcs11/p11-kit-trust.so %{buildroot}%{_libdir}/libnssckbi.so
#
# call update-ca-certificates when trust changes
rm %{buildroot}%{_libexecdir}/%{name}/trust-extract-compat
ln -s ../../sbin/update-ca-certificates %{buildroot}%{_libexecdir}/%{name}/p11-kit-extract-trust
export NO_BRP_STALE_LINK_ERROR=yes # *grr*
%check
%make_build check
%post -n libp11-kit0 -p /sbin/ldconfig
%postun -n libp11-kit0 -p /sbin/ldconfig
%files
%defattr(-,root,root)
%dir %{_libdir}/pkcs11
%dir %{_datadir}/%{name}
%dir %{_datadir}/%{name}/modules
%dir %{pkidir_cfg}
%dir %{trustdir_cfg}
%dir %{trustdir_cfg}/anchors
%dir %{trustdir_cfg}/blacklist
%dir %{pkidir_static}
%dir %{trustdir_static}
%dir %{trustdir_static}/anchors
%dir %{trustdir_static}/blacklist
%{_datadir}/%{name}/modules/p11-kit-trust.module
%{_libdir}/pkcs11/p11-kit-trust.so
%dir %{_libexecdir}/%{name}
%{_libexecdir}/%{name}/p11-kit-remote
%{_libexecdir}/%{name}/p11-kit-extract-trust
%files -n libp11-kit0
%defattr(-,root,root)
%license COPYING
# Package the example conf file as documentation. Like this we're sure that we will
# not introduce conflicts with this version of the library and future ones.
%doc p11-kit/pkcs11.conf.example
%doc AUTHORS ChangeLog NEWS README
%dir %{_sysconfdir}/pkcs11
%dir %{_sysconfdir}/pkcs11/modules/
%{_libdir}/libp11-kit.so.*
%{_libdir}/p11-kit-proxy.so
%files tools
%defattr(-,root,root)
%{_bindir}/p11-kit
%{_bindir}/trust
%{_mandir}/man1/trust.1%{?ext_man}
%{_mandir}/man5/pkcs11.conf.5%{?ext_man}
%{_mandir}/man8/p11-kit.8%{?ext_man}
%files devel
%defattr(-,root,root)
%{_rpmmacrodir}/macros.%{name}
%{_includedir}/p11-kit-1/
%{_libdir}/libp11-kit.so
%{_libdir}/pkgconfig/p11-kit-1.pc
%doc %dir %{_datadir}/gtk-doc
%doc %dir %{_datadir}/gtk-doc/html
%doc %{_datadir}/gtk-doc/html/p11-kit/
%files nss-trust
%defattr(-,root,root)
%{_libdir}/libnssckbi.so
%files server
%defattr(-,root,root)
%{_libdir}/pkcs11/p11-kit-client.so
%{_libexecdir}/p11-kit/p11-kit-server
%changelog