From dfe752b6bed264026279a9bf103382e1d0ad8f85 Mon Sep 17 00:00:00 2001 From: zyppe <210hcl@gmail.com> Date: Wed, 28 Feb 2024 21:54:07 +0800 Subject: [PATCH] Initialize for p11-kit --- .gitignore | 1 + .p11-kit.metadata | 1 + ...BM-specific-mechanism-and-attributes.patch | 325 ++++++++++++ ...serializing-CK_ECDH1_DERIVE_PARAMS-m.patch | 136 +++++ ...low-zero-part-length-at-C_SignUpdate.patch | 26 + 0004-Fix-support-of-CKA_DERIVE_TEMPLATE.patch | 25 + ...riants-also-for-RSA-and-EC-signature.patch | 77 +++ ...-missing-AES-and-DES-DES3-mechanisms.patch | 156 ++++++ ...-for-MAC-and-HMAC-general-mechanisms.patch | 128 +++++ 0008-Add-support-for-CKM_DH_PKCS_DERIVE.patch | 95 ++++ ...-special-cases-for-buffer-and-length.patch | 73 +++ 0010-Add-support-for-CKM_AES_CTR.patch | 116 +++++ 0011-Add-support-for-CKM_AES_GCM.patch | 124 +++++ ...-Support-CRYPTOKI_GNU-for-IBM-vendor.patch | 45 ++ baselibs.conf | 9 + p11-kit-0.23.22.tar.xz.sig | Bin 0 -> 580 bytes ...nable-testing-with-p11-kit-pkcs11x.h.patch | 63 +++ p11-kit.changes | 486 ++++++++++++++++++ p11-kit.keyring | 63 +++ p11-kit.spec | 205 ++++++++ 20 files changed, 2154 insertions(+) create mode 100644 .gitignore create mode 100644 .p11-kit.metadata create mode 100644 0001-Add-IBM-specific-mechanism-and-attributes.patch create mode 100644 0002-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch create mode 100644 0003-client-Allow-zero-part-length-at-C_SignUpdate.patch create mode 100644 0004-Fix-support-of-CKA_DERIVE_TEMPLATE.patch create mode 100644 0005-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch create mode 100644 0006-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch create mode 100644 0007-Add-support-for-MAC-and-HMAC-general-mechanisms.patch create mode 100644 0008-Add-support-for-CKM_DH_PKCS_DERIVE.patch create mode 100644 0009-rpc-Handle-special-cases-for-buffer-and-length.patch create mode 100644 0010-Add-support-for-CKM_AES_CTR.patch create mode 100644 0011-Add-support-for-CKM_AES_GCM.patch create mode 100644 0012-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch create mode 100644 baselibs.conf create mode 100644 p11-kit-0.23.22.tar.xz.sig create mode 100644 p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch create mode 100644 p11-kit.changes create mode 100644 p11-kit.keyring create mode 100644 p11-kit.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9cbeb26 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +p11-kit-0.23.22.tar.xz diff --git a/.p11-kit.metadata b/.p11-kit.metadata new file mode 100644 index 0000000..22ff718 --- /dev/null +++ b/.p11-kit.metadata @@ -0,0 +1 @@ +c92e10ce38901277a72a6e7c42a47f37a602593d4f8db42eb49a2b74d9277347 p11-kit-0.23.22.tar.xz diff --git a/0001-Add-IBM-specific-mechanism-and-attributes.patch b/0001-Add-IBM-specific-mechanism-and-attributes.patch new file mode 100644 index 0000000..040dac8 --- /dev/null +++ b/0001-Add-IBM-specific-mechanism-and-attributes.patch @@ -0,0 +1,325 @@ +From ad66cbc52bf83ba58c43ef13169f577f7f8b172d Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Thu, 7 Apr 2022 16:22:43 +0200 +Subject: [PATCH 01/11] Add IBM specific mechanism and attributes + +Signed-off-by: Ingo Franzki +--- + common/attrs.c | 17 +++++++++ + common/constants.c | 38 +++++++++++++++++++ + common/pkcs11x.h | 51 +++++++++++++++++++++++++ + p11-kit/rpc-message.c | 86 ++++++++++++++++++++++++++++++++++++++++++- + p11-kit/rpc-message.h | 12 ++++++ + 5 files changed, 203 insertions(+), 1 deletion(-) + +diff --git a/common/attrs.c b/common/attrs.c +index ad233f4..9ce7c66 100644 +--- a/common/attrs.c ++++ b/common/attrs.c +@@ -709,6 +709,23 @@ attribute_is_sensitive (const CK_ATTRIBUTE *attr, + X (CKA_TRUST_STEP_UP_APPROVED) + X (CKA_CERT_SHA1_HASH) + X (CKA_CERT_MD5_HASH) ++ X (CKA_IBM_OPAQUE) ++ X (CKA_IBM_RESTRICTABLE) ++ X (CKA_IBM_NEVER_MODIFIABLE) ++ X (CKA_IBM_RETAINKEY) ++ X (CKA_IBM_ATTRBOUND) ++ X (CKA_IBM_KEYTYPE) ++ X (CKA_IBM_CV) ++ X (CKA_IBM_MACKEY) ++ X (CKA_IBM_USE_AS_DATA) ++ X (CKA_IBM_STRUCT_PARAMS) ++ X (CKA_IBM_STD_COMPLIANCE1) ++ X (CKA_IBM_PROTKEY_EXTRACTABLE) ++ X (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE) ++ X (CKA_IBM_OPAQUE_PKEY) ++ X (CKA_IBM_DILITHIUM_KEYFORM) ++ X (CKA_IBM_DILITHIUM_RHO) ++ X (CKA_IBM_DILITHIUM_T1) + case CKA_VALUE: + return (klass != CKO_CERTIFICATE && + klass != CKO_X_CERTIFICATE_EXTENSION); +diff --git a/common/constants.c b/common/constants.c +index 2b785b8..672ed29 100644 +--- a/common/constants.c ++++ b/common/constants.c +@@ -141,6 +141,28 @@ const p11_constant p11_constant_types[] = { + CT (CKA_WRAP_TEMPLATE, "wrap-template") + CT (CKA_UNWRAP_TEMPLATE, "unwrap-template") + CT (CKA_ALLOWED_MECHANISMS, "allowed-mechanisms") ++ CT (CKA_IBM_OPAQUE, "ibm-opaque") ++ CT (CKA_IBM_RESTRICTABLE, "ibm-restrictable") ++ CT (CKA_IBM_NEVER_MODIFIABLE, "ibm-never-modifiable") ++ CT (CKA_IBM_RETAINKEY, "ibm-retainkey") ++ CT (CKA_IBM_ATTRBOUND, "ibm-attrbound") ++ CT (CKA_IBM_KEYTYPE, "ibm-keytype") ++ CT (CKA_IBM_CV, "ibm-cv") ++ CT (CKA_IBM_MACKEY, "ibm-mackey") ++ CT (CKA_IBM_USE_AS_DATA, "ibm-use-as-data") ++ CT (CKA_IBM_STRUCT_PARAMS, "ibm-struct-params") ++ CT (CKA_IBM_STD_COMPLIANCE1, "ibm-std_compliance1") ++ CT (CKA_IBM_PROTKEY_EXTRACTABLE, "ibm-protkey-extractable") ++ CT (CKA_IBM_PROTKEY_NEVER_EXTRACTABLE, "ibm-protkey-never-extractable") ++ CT (CKA_IBM_DILITHIUM_KEYFORM, "ibm-dilithium-keyform") ++ CT (CKA_IBM_DILITHIUM_RHO, "ibm-dilithium-rho") ++ CT (CKA_IBM_DILITHIUM_SEED, "ibm-dilithium-seed") ++ CT (CKA_IBM_DILITHIUM_TR, "ibm-dilithium-tr") ++ CT (CKA_IBM_DILITHIUM_S1, "ibm-dilithium-s1") ++ CT (CKA_IBM_DILITHIUM_S2, "ibm-dilithium-s2") ++ CT (CKA_IBM_DILITHIUM_T0, "ibm-dilithium-t0") ++ CT (CKA_IBM_DILITHIUM_T1, "ibm-dilithium-t1") ++ CT (CKA_IBM_OPAQUE_PKEY, "ibm-opaque-pkey") + CT (CKA_NSS_URL, "nss-url") + CT (CKA_NSS_EMAIL, "nss-email") + CT (CKA_NSS_SMIME_INFO, "nss-smime-constant") +@@ -247,6 +269,7 @@ const p11_constant p11_constant_keys[] = { + CT (CKK_AES, "aes") + CT (CKK_BLOWFISH, "blowfish") + CT (CKK_TWOFISH, "twofish") ++ CT (CKK_IBM_PQC_DILITHIUM, "ibm-dilithium") + CT (CKK_NSS_PKCS8, "nss-pkcs8") + { CKA_INVALID }, + }; +@@ -595,6 +618,21 @@ const p11_constant p11_constant_mechanisms[] = { + CT (CKM_DSA_PARAMETER_GEN, "dsa-parameter-gen") + CT (CKM_DH_PKCS_PARAMETER_GEN, "dh-pkcs-parameter-gen") + CT (CKM_X9_42_DH_PARAMETER_GEN, "x9-42-dh-parameter-gen") ++ CT (CKM_IBM_SHA3_224, "ibm-sha3-224") ++ CT (CKM_IBM_SHA3_256, "ibm-sha3-256") ++ CT (CKM_IBM_SHA3_384, "ibm-sha3-384") ++ CT (CKM_IBM_SHA3_512, "ibm-sha3-512") ++ CT (CKM_IBM_CMAC, "ibm-cmac") ++ CT (CKM_IBM_EC_X25519, "ibm-ec-x25519") ++ CT (CKM_IBM_ED25519_SHA512, "ibm-ed25519-sha512") ++ CT (CKM_IBM_EC_X448, "ibm-ec-x448") ++ CT (CKM_IBM_ED448_SHA3, "ibm-ed448-sha3") ++ CT (CKM_IBM_DILITHIUM, "ibm-dilithium") ++ CT (CKM_IBM_SHA3_224_HMAC, "ibm-sha3-224-hmac") ++ CT (CKM_IBM_SHA3_256_HMAC, "ibm-sha3-256-hmac") ++ CT (CKM_IBM_SHA3_384_HMAC, "ibm-sha3-384-hmac") ++ CT (CKM_IBM_SHA3_512_HMAC, "ibm-sha3-512-hmac") ++ CT (CKM_IBM_ATTRIBUTEBOUND_WRAP, "ibm-attributebound-wrap") + { CKA_INVALID }, + }; + +diff --git a/common/pkcs11x.h b/common/pkcs11x.h +index 3b12db6..4183b3d 100644 +--- a/common/pkcs11x.h ++++ b/common/pkcs11x.h +@@ -181,6 +181,57 @@ typedef CK_ULONG CK_TRUST; + + #endif /* CRYPTOKI_RU_TEAM_TC26_VENDOR_DEFINED */ + ++/* Define this if you want the IBM specific symbols */ ++#define CRYPTOKI_IBM_VENDOR_DEFINED 1 ++#ifdef CRYPTOKI_IBM_VENDOR_DEFINED ++ ++#define CKK_IBM_PQC_DILITHIUM CKK_VENDOR_DEFINED + 0x10023 ++ ++#define CKA_IBM_OPAQUE (CKA_VENDOR_DEFINED + 1) ++#define CKA_IBM_RESTRICTABLE (CKA_VENDOR_DEFINED + 0x10001) ++#define CKA_IBM_NEVER_MODIFIABLE (CKA_VENDOR_DEFINED + 0x10002) ++#define CKA_IBM_RETAINKEY (CKA_VENDOR_DEFINED + 0x10003) ++#define CKA_IBM_ATTRBOUND (CKA_VENDOR_DEFINED + 0x10004) ++#define CKA_IBM_KEYTYPE (CKA_VENDOR_DEFINED + 0x10005) ++#define CKA_IBM_CV (CKA_VENDOR_DEFINED + 0x10006) ++#define CKA_IBM_MACKEY (CKA_VENDOR_DEFINED + 0x10007) ++#define CKA_IBM_USE_AS_DATA (CKA_VENDOR_DEFINED + 0x10008) ++#define CKA_IBM_STRUCT_PARAMS (CKA_VENDOR_DEFINED + 0x10009) ++#define CKA_IBM_STD_COMPLIANCE1 (CKA_VENDOR_DEFINED + 0x1000a) ++#define CKA_IBM_PROTKEY_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000c) ++#define CKA_IBM_PROTKEY_NEVER_EXTRACTABLE (CKA_VENDOR_DEFINED + 0x1000d) ++#define CKA_IBM_DILITHIUM_KEYFORM (CKA_VENDOR_DEFINED + 0xd0001) ++#define CKA_IBM_DILITHIUM_RHO (CKA_VENDOR_DEFINED + 0xd0002) ++#define CKA_IBM_DILITHIUM_SEED (CKA_VENDOR_DEFINED + 0xd0003) ++#define CKA_IBM_DILITHIUM_TR (CKA_VENDOR_DEFINED + 0xd0004) ++#define CKA_IBM_DILITHIUM_S1 (CKA_VENDOR_DEFINED + 0xd0005) ++#define CKA_IBM_DILITHIUM_S2 (CKA_VENDOR_DEFINED + 0xd0006) ++#define CKA_IBM_DILITHIUM_T0 (CKA_VENDOR_DEFINED + 0xd0007) ++#define CKA_IBM_DILITHIUM_T1 (CKA_VENDOR_DEFINED + 0xd0008) ++#define CKA_IBM_OPAQUE_PKEY (CKA_VENDOR_DEFINED + 0xd0100) ++ ++#define CKM_IBM_SHA3_224 (CKM_VENDOR_DEFINED + 0x10001) ++#define CKM_IBM_SHA3_256 (CKM_VENDOR_DEFINED + 0x10002) ++#define CKM_IBM_SHA3_384 (CKM_VENDOR_DEFINED + 0x10003) ++#define CKM_IBM_SHA3_512 (CKM_VENDOR_DEFINED + 0x10004) ++#define CKM_IBM_CMAC (CKM_VENDOR_DEFINED + 0x10007) ++#define CKM_IBM_EC_X25519 (CKM_VENDOR_DEFINED + 0x1001b) ++#define CKM_IBM_ED25519_SHA512 (CKM_VENDOR_DEFINED + 0x1001c) ++#define CKM_IBM_EC_X448 (CKM_VENDOR_DEFINED + 0x1001e) ++#define CKM_IBM_ED448_SHA3 (CKM_VENDOR_DEFINED + 0x1001f) ++#define CKM_IBM_DILITHIUM (CKM_VENDOR_DEFINED + 0x10023) ++#define CKM_IBM_SHA3_224_HMAC (CKM_VENDOR_DEFINED + 0x10025) ++#define CKM_IBM_SHA3_256_HMAC (CKM_VENDOR_DEFINED + 0x10026) ++#define CKM_IBM_SHA3_384_HMAC (CKM_VENDOR_DEFINED + 0x10027) ++#define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028) ++#define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004) ++ ++typedef struct CK_IBM_ATTRIBUTEBOUND_WRAP { ++ CK_OBJECT_HANDLE hSignVerifyKey; ++} CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS; ++ ++#endif /* CRYPTOKI_IBM_VENDOR_DEFINED */ ++ + #if defined(__cplusplus) + } + #endif +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 8dfa30b..0923224 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -800,6 +800,13 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type) + case CKA_RESET_ON_INIT: + case CKA_HAS_RESET: + case CKA_COLOR: ++ case CKA_IBM_RESTRICTABLE: ++ case CKA_IBM_NEVER_MODIFIABLE: ++ case CKA_IBM_RETAINKEY: ++ case CKA_IBM_ATTRBOUND: ++ case CKA_IBM_USE_AS_DATA: ++ case CKA_IBM_PROTKEY_EXTRACTABLE: ++ case CKA_IBM_PROTKEY_NEVER_EXTRACTABLE: + return P11_RPC_VALUE_BYTE; + case CKA_CLASS: + case CKA_CERTIFICATE_TYPE: +@@ -821,6 +828,9 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type) + case CKA_CHAR_COLUMNS: + case CKA_BITS_PER_PIXEL: + case CKA_MECHANISM_TYPE: ++ case CKA_IBM_DILITHIUM_KEYFORM: ++ case CKA_IBM_STD_COMPLIANCE1: ++ case CKA_IBM_KEYTYPE: + return P11_RPC_VALUE_ULONG; + case CKA_WRAP_TEMPLATE: + case CKA_UNWRAP_TEMPLATE: +@@ -869,6 +879,18 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type) + case CKA_REQUIRED_CMS_ATTRIBUTES: + case CKA_DEFAULT_CMS_ATTRIBUTES: + case CKA_SUPPORTED_CMS_ATTRIBUTES: ++ case CKA_IBM_OPAQUE: ++ case CKA_IBM_CV: ++ case CKA_IBM_MACKEY: ++ case CKA_IBM_STRUCT_PARAMS: ++ case CKA_IBM_OPAQUE_PKEY: ++ case CKA_IBM_DILITHIUM_RHO: ++ case CKA_IBM_DILITHIUM_SEED: ++ case CKA_IBM_DILITHIUM_TR: ++ case CKA_IBM_DILITHIUM_S1: ++ case CKA_IBM_DILITHIUM_S2: ++ case CKA_IBM_DILITHIUM_T0: ++ case CKA_IBM_DILITHIUM_T1: + return P11_RPC_VALUE_BYTE_ARRAY; + } + } +@@ -1406,9 +1428,59 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params; ++ ++ /* Check if value can be converted to CKM_IBM_ATTRIBUTEBOUND_WRAP. */ ++ if (value_length != sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.hSignVerifyKey can be converted to uint64_t. */ ++ if (params.hSignVerifyKey > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_uint64 (buffer, params.hSignVerifyKey); ++} ++ ++bool ++p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ ++ if (value) { ++ CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS params; ++ ++ params.hSignVerifyKey = val; ++ ++ memcpy (value, ¶ms, sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS); ++ ++ return true; ++} ++ + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, +- { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value } ++ { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }, ++ { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value } + }; + + static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { +@@ -1533,6 +1605,18 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech) + case CKM_RIPEMD160: + case CKM_RIPEMD160_HMAC: + case CKM_KEY_WRAP_LYNKS: ++ case CKM_IBM_SHA3_224: ++ case CKM_IBM_SHA3_256: ++ case CKM_IBM_SHA3_384: ++ case CKM_IBM_SHA3_512: ++ case CKM_IBM_CMAC: ++ case CKM_IBM_DILITHIUM: ++ case CKM_IBM_SHA3_224_HMAC: ++ case CKM_IBM_SHA3_256_HMAC: ++ case CKM_IBM_SHA3_384_HMAC: ++ case CKM_IBM_SHA3_512_HMAC: ++ case CKM_IBM_ED25519_SHA512: ++ case CKM_IBM_ED448_SHA3: + return true; + default: + return false; +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index 62e7b18..eec2927 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -42,6 +42,7 @@ + + #include "buffer.h" + #include "pkcs11.h" ++#include "pkcs11x.h" + + /* The calls, must be in sync with array below */ + enum { +@@ -479,4 +480,15 @@ bool p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + #endif /* _RPC_MESSAGE_H */ +-- +2.38.1 + diff --git a/0002-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch b/0002-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch new file mode 100644 index 0000000..5a9c45c --- /dev/null +++ b/0002-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch @@ -0,0 +1,136 @@ +From d23b8a60a1944a9e25d5e47ead16185a39111b51 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Thu, 7 Apr 2022 17:10:53 +0200 +Subject: [PATCH 02/11] Add support for serializing CK_ECDH1_DERIVE_PARAMS mech + param + +Used by CKM_ECDH1_DERIVE, CKM_IBM_EC_X25519 and CKM_IBM_EC_X448. + +Signed-off-by: Ingo Franzki +--- + p11-kit/rpc-message.c | 79 ++++++++++++++++++++++++++++++++++++++++++- + p11-kit/rpc-message.h | 11 ++++++ + 2 files changed, 89 insertions(+), 1 deletion(-) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 0923224..d842df0 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1428,6 +1428,80 @@ p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_ecdh1_derive_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_ECDH1_DERIVE_PARAMS params; ++ ++ /* Check if value can be converted to CK_ECDH1_DERIVE_PARAMS. */ ++ if (value_length != sizeof (CK_ECDH1_DERIVE_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.kdf can be converted to uint64_t. */ ++ if (params.kdf > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_uint64 (buffer, params.kdf); ++ ++ /* parmas.shared_data can only be an array of CK_BYTE or ++ * NULL */ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.shared_data, ++ params.shared_data_len); ++ ++ /* parmas.public_data can only be an array of CK_BYTE or ++ * NULL */ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.public_data, ++ params.public_data_len); ++} ++ ++bool ++p11_rpc_buffer_get_ecdh1_derive_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ const unsigned char *data1, *data2; ++ size_t len1, len2; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1)) ++ return false; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2)) ++ return false; ++ ++ ++ if (value) { ++ CK_ECDH1_DERIVE_PARAMS params; ++ ++ params.kdf = val; ++ params.shared_data = (void *) data1; ++ params.shared_data_len = len1; ++ params.public_data = (void *) data2; ++ params.public_data_len = len2; ++ ++ memcpy (value, ¶ms, sizeof (CK_ECDH1_DERIVE_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_ECDH1_DERIVE_PARAMS); ++ ++ return true; ++} ++ + void + p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, + const void *value, +@@ -1480,7 +1554,10 @@ p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }, +- { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value } ++ { CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, ++ { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }, ++ { CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, ++ { CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, + }; + + static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index eec2927..66f512d 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -480,6 +480,17 @@ bool p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_ecdh1_derive_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_ecdh1_derive_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + void p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value + (p11_buffer *buffer, + const void *value, +-- +2.38.1 + diff --git a/0003-client-Allow-zero-part-length-at-C_SignUpdate.patch b/0003-client-Allow-zero-part-length-at-C_SignUpdate.patch new file mode 100644 index 0000000..8b51723 --- /dev/null +++ b/0003-client-Allow-zero-part-length-at-C_SignUpdate.patch @@ -0,0 +1,26 @@ +From e23948fa491680822177d4428e39866c866fbc64 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 08:47:31 +0200 +Subject: [PATCH 03/11] client: Allow zero part length at C_SignUpdate + +Signed-off-by: Ingo Franzki +--- + p11-kit/rpc-client.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c +index a72c1d1..550ebd2 100644 +--- a/p11-kit/rpc-client.c ++++ b/p11-kit/rpc-client.c +@@ -1489,8 +1489,6 @@ rpc_C_SignUpdate (CK_X_FUNCTION_LIST *self, + CK_BYTE_PTR part, + CK_ULONG part_len) + { +- return_val_if_fail (part_len, CKR_ARGUMENTS_BAD); +- + BEGIN_CALL_OR (C_SignUpdate, self, CKR_SESSION_HANDLE_INVALID); + IN_ULONG (session); + IN_BYTE_ARRAY (part, part_len); +-- +2.38.1 + diff --git a/0004-Fix-support-of-CKA_DERIVE_TEMPLATE.patch b/0004-Fix-support-of-CKA_DERIVE_TEMPLATE.patch new file mode 100644 index 0000000..8310f53 --- /dev/null +++ b/0004-Fix-support-of-CKA_DERIVE_TEMPLATE.patch @@ -0,0 +1,25 @@ +From c12d7c858728ebeb2db6e450f21895c419f0fe04 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 09:35:54 +0200 +Subject: [PATCH 04/11] Fix support of CKA_DERIVE_TEMPLATE + +Signed-off-by: Ingo Franzki +--- + p11-kit/rpc-message.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index d842df0..cedda03 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -834,6 +834,7 @@ map_attribute_to_value_type (CK_ATTRIBUTE_TYPE type) + return P11_RPC_VALUE_ULONG; + case CKA_WRAP_TEMPLATE: + case CKA_UNWRAP_TEMPLATE: ++ case CKA_DERIVE_TEMPLATE: + return P11_RPC_VALUE_ATTRIBUTE_ARRAY; + case CKA_ALLOWED_MECHANISMS: + return P11_RPC_VALUE_MECHANISM_TYPE_ARRAY; +-- +2.38.1 + diff --git a/0005-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch b/0005-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch new file mode 100644 index 0000000..a8b1d6f --- /dev/null +++ b/0005-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch @@ -0,0 +1,77 @@ +From 153d9df0592c78481c4203e138aef109b06ec1b9 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 10:39:38 +0200 +Subject: [PATCH 05/11] Add other SHA variants, also for RSA and EC signatures + +Signed-off-by: Ingo Franzki +--- + p11-kit/rpc-message.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index cedda03..40a4d9f 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1554,6 +1554,11 @@ p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, + + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA224_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA256_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA384_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, ++ { CKM_SHA512_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_RSA_PKCS_OAEP, p11_rpc_buffer_add_rsa_pkcs_oaep_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_oaep_mechanism_value }, + { CKM_ECDH1_DERIVE, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, + { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }, +@@ -1603,6 +1608,7 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech) + case CKM_MD2_RSA_PKCS: + case CKM_MD5_RSA_PKCS: + case CKM_SHA1_RSA_PKCS: ++ case CKM_SHA224_RSA_PKCS: + case CKM_SHA256_RSA_PKCS: + case CKM_SHA384_RSA_PKCS: + case CKM_SHA512_RSA_PKCS: +@@ -1617,6 +1623,10 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech) + case CKM_EC_KEY_PAIR_GEN: + case CKM_ECDSA: + case CKM_ECDSA_SHA1: ++ case CKM_ECDSA_SHA224: ++ case CKM_ECDSA_SHA256: ++ case CKM_ECDSA_SHA384: ++ case CKM_ECDSA_SHA512: + case CKM_DH_PKCS_KEY_PAIR_GEN: + case CKM_DH_PKCS_PARAMETER_GEN: + case CKM_X9_42_DH_KEY_PAIR_GEN: +@@ -1671,12 +1681,28 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech) + case CKM_MD5_HMAC: + case CKM_SHA_1: + case CKM_SHA_1_HMAC: ++ case CKM_SHA1_KEY_DERIVATION: ++ case CKM_SHA224: ++ case CKM_SHA224_HMAC: ++ case CKM_SHA224_KEY_DERIVATION: + case CKM_SHA256: + case CKM_SHA256_HMAC: ++ case CKM_SHA256_KEY_DERIVATION: + case CKM_SHA384: + case CKM_SHA384_HMAC: ++ case CKM_SHA384_KEY_DERIVATION: + case CKM_SHA512: + case CKM_SHA512_HMAC: ++ case CKM_SHA512_KEY_DERIVATION: ++ case CKM_SHA512_T: ++ case CKM_SHA512_T_HMAC: ++ case CKM_SHA512_T_KEY_DERIVATION: ++ case CKM_SHA512_224: ++ case CKM_SHA512_224_HMAC: ++ case CKM_SHA512_224_KEY_DERIVATION: ++ case CKM_SHA512_256: ++ case CKM_SHA512_256_HMAC: ++ case CKM_SHA512_256_KEY_DERIVATION: + case CKM_FASTHASH: + case CKM_RIPEMD128: + case CKM_RIPEMD128_HMAC: +-- +2.38.1 + diff --git a/0006-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch b/0006-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch new file mode 100644 index 0000000..32e453d --- /dev/null +++ b/0006-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch @@ -0,0 +1,156 @@ +From 1e86da126a191ec5b010ef86c6cfa15721a9bd0d Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 12:36:51 +0200 +Subject: [PATCH 06/11] Add support for missing AES and DES/DES3 mechanisms + +They take a 16 byte (AES) or 8 byte (DES/DES3) IV as mechanism parameter. + +Signed-off-by: Ingo Franzki +--- + p11-kit/rpc-message.c | 95 +++++++++++++++++++++++++++++++++++++++++++ + p11-kit/rpc-message.h | 18 ++++++++ + 2 files changed, 113 insertions(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 40a4d9f..a574911 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1552,6 +1552,86 @@ p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ /* Check if value can be converted to an AES IV. */ ++ if (value_length != 16) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)value, ++ value_length); ++} ++ ++bool ++p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (len != 16) ++ return false; ++ ++ if (value) ++ memcpy (value, data, len); ++ ++ if (value_length) ++ *value_length = len; ++ ++ return true; ++} ++ ++void ++p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ /* Check if value can be converted to an DES IV. */ ++ if (value_length != 8) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)value, ++ value_length); ++} ++ ++bool ++p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (len != 8) ++ return false; ++ ++ if (value) ++ memcpy (value, data, len); ++ ++ if (value_length) ++ *value_length = len; ++ ++ return true; ++} ++ + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, +@@ -1564,6 +1644,21 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_IBM_ATTRIBUTEBOUND_WRAP, p11_rpc_buffer_add_ibm_attrbound_wrap_mechanism_value, p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value }, + { CKM_IBM_EC_X25519, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, + { CKM_IBM_EC_X448, p11_rpc_buffer_add_ecdh1_derive_mechanism_value, p11_rpc_buffer_get_ecdh1_derive_mechanism_value }, ++ { CKM_AES_CBC, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CBC_PAD, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_OFB, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB1, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB8, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES3_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + }; + + static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index 66f512d..8c8119d 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -502,4 +502,22 @@ bool p11_rpc_buffer_get_ibm_attrbound_wrap_mechanism_value + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_aes_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ ++void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + #endif /* _RPC_MESSAGE_H */ +-- +2.38.1 + diff --git a/0007-Add-support-for-MAC-and-HMAC-general-mechanisms.patch b/0007-Add-support-for-MAC-and-HMAC-general-mechanisms.patch new file mode 100644 index 0000000..f0d6d65 --- /dev/null +++ b/0007-Add-support-for-MAC-and-HMAC-general-mechanisms.patch @@ -0,0 +1,128 @@ +From 1f46d537a1924f3d7af833d8b079b45d79d02ac0 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 13:02:41 +0200 +Subject: [PATCH 07/11] Add support for MAC and HMAC general mechanisms + +The take a mechanism parameter of type CK_MAC_GENERAL_PARAMS which +is a CK_ULONG. + +Signed-off-by: Ingo Franzki +--- + p11-kit/rpc-message.c | 59 +++++++++++++++++++++++++++++++++++++++++++ + p11-kit/rpc-message.h | 11 ++++++++ + 2 files changed, 70 insertions(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index a574911..5159d98 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1632,6 +1632,52 @@ p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_mac_general_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_ULONG val; ++ uint64_t params; ++ ++ /* ++ * Check if value can be converted to an CK_MAC_GENERAL_PARAMS which ++ * is a CK_ULONG. ++ */ ++ if (value_length != sizeof (CK_ULONG)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (&val, value, value_length); ++ params = val; ++ ++ p11_rpc_buffer_add_uint64 (buffer, params); ++} ++ ++bool ++p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ CK_ULONG params; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ ++ params = val; ++ ++ if (value) ++ memcpy (value, ¶ms, sizeof (params)); ++ ++ if (value_length) ++ *value_length = sizeof (params); ++ ++ return true; ++} ++ + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, +@@ -1659,6 +1705,17 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_DES_CFB8, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES_CFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES_OFB64, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, ++ { CKM_SHA_1_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA384_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA512_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA512_224_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_SHA512_256_HMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_AES_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + }; + + static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { +@@ -1735,6 +1792,7 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech) + case CKM_AES_KEY_GEN: + case CKM_AES_ECB: + case CKM_AES_MAC: ++ case CKM_AES_CMAC: + case CKM_DES_KEY_GEN: + case CKM_DES2_KEY_GEN: + case CKM_DES3_KEY_GEN: +@@ -1760,6 +1818,7 @@ mechanism_has_no_parameters (CK_MECHANISM_TYPE mech) + case CKM_RC2_MAC: + case CKM_DES_MAC: + case CKM_DES3_MAC: ++ case CKM_DES3_CMAC: + case CKM_CDMF_MAC: + case CKM_CAST_MAC: + case CKM_CAST3_MAC: +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index 8c8119d..5ae09e5 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -520,4 +520,15 @@ bool p11_rpc_buffer_get_des_iv_mechanism_value (p11_buffer *buffer, + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_mac_general_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_mac_general_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + #endif /* _RPC_MESSAGE_H */ +-- +2.38.1 + diff --git a/0008-Add-support-for-CKM_DH_PKCS_DERIVE.patch b/0008-Add-support-for-CKM_DH_PKCS_DERIVE.patch new file mode 100644 index 0000000..1123c35 --- /dev/null +++ b/0008-Add-support-for-CKM_DH_PKCS_DERIVE.patch @@ -0,0 +1,95 @@ +From 25c7661eb8ae1f60aa0d1d995ac4addc456d33b9 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 13:38:44 +0200 +Subject: [PATCH 08/11] Add support for CKM_DH_PKCS_DERIVE + +It takes the the public value of the other party as mechanism parameter. + +Signed-off-by: Ingo Franzki +--- + p11-kit/rpc-message.c | 41 +++++++++++++++++++++++++++++++++++++++++ + p11-kit/rpc-message.h | 11 +++++++++++ + 2 files changed, 52 insertions(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 5159d98..c3f1dbb 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1678,6 +1678,46 @@ p11_rpc_buffer_get_mac_general_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ /* Mechanism parameter is public value of the other party */ ++ if (value_length == 0) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)value, ++ value_length); ++} ++ ++bool ++p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (len == 0) ++ return false; ++ ++ if (value) ++ memcpy (value, data, len); ++ ++ if (value_length) ++ *value_length = len; ++ ++ return true; ++} ++ + static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, + { CKM_SHA1_RSA_PKCS_PSS, p11_rpc_buffer_add_rsa_pkcs_pss_mechanism_value, p11_rpc_buffer_get_rsa_pkcs_pss_mechanism_value }, +@@ -1716,6 +1756,7 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_AES_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_DES3_MAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, + { CKM_DES3_CMAC_GENERAL, p11_rpc_buffer_add_mac_general_mechanism_value, p11_rpc_buffer_get_mac_general_mechanism_value }, ++ { CKM_DH_PKCS_DERIVE, p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value, p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value }, + }; + + static p11_rpc_mechanism_serializer p11_rpc_byte_array_mechanism_serializer = { +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index 5ae09e5..6c8eaf3 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -531,4 +531,15 @@ bool p11_rpc_buffer_get_mac_general_mechanism_value + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_dh_pkcs_derive_mechanism_value ++ (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_dh_pkcs_derive_mechanism_value ++ (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + #endif /* _RPC_MESSAGE_H */ +-- +2.38.1 + diff --git a/0009-rpc-Handle-special-cases-for-buffer-and-length.patch b/0009-rpc-Handle-special-cases-for-buffer-and-length.patch new file mode 100644 index 0000000..5b797cf --- /dev/null +++ b/0009-rpc-Handle-special-cases-for-buffer-and-length.patch @@ -0,0 +1,73 @@ +From e192374d08d5fbbfabad3fbe8913e775fbb8629e Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Fri, 8 Apr 2022 14:39:35 +0200 +Subject: [PATCH 09/11] rpc: Handle special cases for buffer and length + +When the buffer is not NULL, but the length is zero then treat this as an +empty message. Serialize this in a special way so that the server can +restore the same situation. + +Example: Terminate an operation via C_XxxFinal, but there is no more +data for the final part. A call to C_XxxFinal with buffer=NULL and length=0 +would be treated as a size query, and would not terminate the operation. +So the way to terminate the operation without more data is to specify +buffer!=NULL but length=0. + +When sending a byte array, and the buffer is NULL, and the length is +zero, don't treat this is invalid, but as empty message. + +Example: C_XxxUpdate with an empty message. + +Signed-off-by: Ingo Franzki +--- + p11-kit/rpc-client.c | 2 +- + p11-kit/rpc-message.c | 2 +- + p11-kit/rpc-server.c | 6 ++++++ + 3 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/p11-kit/rpc-client.c b/p11-kit/rpc-client.c +index 550ebd2..a6816ea 100644 +--- a/p11-kit/rpc-client.c ++++ b/p11-kit/rpc-client.c +@@ -570,7 +570,7 @@ proto_read_sesssion_info (p11_rpc_message *msg, + #define IN_BYTE_BUFFER(arr, len) \ + if (len == NULL) \ + { _ret = CKR_ARGUMENTS_BAD; goto _cleanup; } \ +- if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? *len : 0)) \ ++ if (!p11_rpc_message_write_byte_buffer (&_msg, arr ? (*len > 0 ? *len : (uint32_t)-1) : 0)) \ + { _ret = CKR_HOST_MEMORY; goto _cleanup; } + + #define IN_BYTE_ARRAY(arr, len) \ +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index c3f1dbb..960b218 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -372,7 +372,7 @@ p11_rpc_message_write_byte_array (p11_rpc_message *msg, + assert (!msg->signature || p11_rpc_message_verify_part (msg, "ay")); + + /* No array, no data, just length */ +- if (!arr) { ++ if (!arr && num != 0) { + p11_rpc_buffer_add_byte (msg->output, 0); + p11_rpc_buffer_add_uint32 (msg->output, num); + } else { +diff --git a/p11-kit/rpc-server.c b/p11-kit/rpc-server.c +index dfdb76d..fb71ed9 100644 +--- a/p11-kit/rpc-server.c ++++ b/p11-kit/rpc-server.c +@@ -84,6 +84,12 @@ proto_read_byte_buffer (p11_rpc_message *msg, + *n_buffer = length; + *buffer = NULL; + ++ /* length = -1 indicates length = 0, but buffer not NULL */ ++ if (length == (uint32_t)-1) { ++ *n_buffer = 0; ++ length = 1; /*allocate 1 dummy byte */ ++ } ++ + /* If set to zero, then they just want the length */ + if (length == 0) + return CKR_OK; +-- +2.38.1 + diff --git a/0010-Add-support-for-CKM_AES_CTR.patch b/0010-Add-support-for-CKM_AES_CTR.patch new file mode 100644 index 0000000..8580c88 --- /dev/null +++ b/0010-Add-support-for-CKM_AES_CTR.patch @@ -0,0 +1,116 @@ +From 556335018ed45b5df28801d5aa44e9821040a519 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 11 Apr 2022 11:24:42 +0200 +Subject: [PATCH 10/11] Add support for CKM_AES_CTR + +It takes a CK_AES_CTR_PARAMS structure as mechanism parameter. + +Signed-off-by: Ingo Franzki +--- + p11-kit/rpc-message.c | 62 +++++++++++++++++++++++++++++++++++++++++++ + p11-kit/rpc-message.h | 9 +++++++ + 2 files changed, 71 insertions(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 960b218..7c92fb5 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1592,6 +1592,67 @@ p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_AES_CTR_PARAMS params; ++ ++ /* Check if value can be converted to CK_AES_CTR_PARAMS. */ ++ if (value_length != sizeof (CK_AES_CTR_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.counter_bits can be converted to uint64_t. */ ++ if (params.counter_bits > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_uint64 (buffer, params.counter_bits); ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.cb, ++ sizeof(params.cb)); ++} ++ ++bool ++p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val; ++ const unsigned char *data; ++ size_t len; ++ ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val)) ++ return false; ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data, &len)) ++ return false; ++ ++ if (value) { ++ CK_AES_CTR_PARAMS params; ++ ++ params.ulCounterBits = val; ++ ++ if (len != sizeof (params.cb)) ++ return false; ++ ++ memcpy (params.cb, data, sizeof (params.cb)); ++ memcpy (value, ¶ms, sizeof (CK_AES_CTR_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_AES_CTR_PARAMS); ++ ++ return true; ++} ++ + void + p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, + const void *value, +@@ -1738,6 +1799,7 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_AES_CFB64, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, ++ { CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value }, + { CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index 6c8eaf3..6998443 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -511,6 +511,15 @@ bool p11_rpc_buffer_get_aes_iv_mechanism_value (p11_buffer *buffer, + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_aes_ctr_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length); +-- +2.38.1 + diff --git a/0011-Add-support-for-CKM_AES_GCM.patch b/0011-Add-support-for-CKM_AES_GCM.patch new file mode 100644 index 0000000..497a68a --- /dev/null +++ b/0011-Add-support-for-CKM_AES_GCM.patch @@ -0,0 +1,124 @@ +From 733905eacbaf29aa807a416bbb3535f75b53a314 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Mon, 11 Apr 2022 11:43:12 +0200 +Subject: [PATCH 11/11] Add support for CKM_AES_GCM + +It takes a CK_GCM_PARAMS structure as mechanism parameter. + +Signed-off-by: Ingo Franzki +--- + p11-kit/rpc-message.c | 70 +++++++++++++++++++++++++++++++++++++++++++ + p11-kit/rpc-message.h | 9 ++++++ + 2 files changed, 79 insertions(+) + +diff --git a/p11-kit/rpc-message.c b/p11-kit/rpc-message.c +index 7c92fb5..a4974b5 100644 +--- a/p11-kit/rpc-message.c ++++ b/p11-kit/rpc-message.c +@@ -1653,6 +1653,75 @@ p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, + return true; + } + ++void ++p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length) ++{ ++ CK_GCM_PARAMS params; ++ ++ /* Check if value can be converted to CK_GCM_PARAMS. */ ++ if (value_length != sizeof (CK_GCM_PARAMS)) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ memcpy (¶ms, value, value_length); ++ ++ /* Check if params.ulTagBits/ulIvBits can be converted to uint64_t. */ ++ if (params.ulTagBits > UINT64_MAX || params.ulIvBits > UINT64_MAX) { ++ p11_buffer_fail (buffer); ++ return; ++ } ++ ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.pIv, ++ params.ulIvLen); ++ p11_rpc_buffer_add_uint64 (buffer, params.ulIvBits); ++ p11_rpc_buffer_add_byte_array (buffer, ++ (unsigned char *)params.pAAD, ++ params.ulAADLen); ++ p11_rpc_buffer_add_uint64 (buffer, params.ulTagBits); ++} ++ ++bool ++p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length) ++{ ++ uint64_t val1, val2; ++ const unsigned char *data1, *data2; ++ size_t len1, len2; ++ ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data1, &len1)) ++ return false; ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val1)) ++ return false; ++ if (!p11_rpc_buffer_get_byte_array (buffer, offset, &data2, &len2)) ++ return false; ++ if (!p11_rpc_buffer_get_uint64 (buffer, offset, &val2)) ++ return false; ++ ++ if (value) { ++ CK_GCM_PARAMS params; ++ ++ params.pIv = (void *) data1; ++ params.ulIvLen = len1; ++ params.ulIvBits = val1; ++ params.pAAD = (void *) data2; ++ params.ulAADLen = len2; ++ params.ulTagBits = val2; ++ ++ memcpy (value, ¶ms, sizeof (CK_GCM_PARAMS)); ++ } ++ ++ if (value_length) ++ *value_length = sizeof (CK_GCM_PARAMS); ++ ++ return true; ++} ++ + void + p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, + const void *value, +@@ -1800,6 +1869,7 @@ static p11_rpc_mechanism_serializer p11_rpc_mechanism_serializers[] = { + { CKM_AES_CFB128, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CTS, p11_rpc_buffer_add_aes_iv_mechanism_value, p11_rpc_buffer_get_aes_iv_mechanism_value }, + { CKM_AES_CTR, p11_rpc_buffer_add_aes_ctr_mechanism_value, p11_rpc_buffer_get_aes_ctr_mechanism_value }, ++ { CKM_AES_GCM, p11_rpc_buffer_add_aes_gcm_mechanism_value, p11_rpc_buffer_get_aes_gcm_mechanism_value }, + { CKM_DES_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES_CBC_PAD, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, + { CKM_DES3_CBC, p11_rpc_buffer_add_des_iv_mechanism_value, p11_rpc_buffer_get_des_iv_mechanism_value }, +diff --git a/p11-kit/rpc-message.h b/p11-kit/rpc-message.h +index 6998443..69c274c 100644 +--- a/p11-kit/rpc-message.h ++++ b/p11-kit/rpc-message.h +@@ -520,6 +520,15 @@ bool p11_rpc_buffer_get_aes_ctr_mechanism_value (p11_buffer *buffer, + void *value, + CK_ULONG *value_length); + ++void p11_rpc_buffer_add_aes_gcm_mechanism_value (p11_buffer *buffer, ++ const void *value, ++ CK_ULONG value_length); ++ ++bool p11_rpc_buffer_get_aes_gcm_mechanism_value (p11_buffer *buffer, ++ size_t *offset, ++ void *value, ++ CK_ULONG *value_length); ++ + void p11_rpc_buffer_add_des_iv_mechanism_value (p11_buffer *buffer, + const void *value, + CK_ULONG value_length); +-- +2.38.1 + diff --git a/0012-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch b/0012-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch new file mode 100644 index 0000000..6add161 --- /dev/null +++ b/0012-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch @@ -0,0 +1,45 @@ +From bd1574181b9a736ab6445d581388fc1162f3474a Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Sun, 19 Jun 2022 16:29:41 +0900 +Subject: [PATCH] common/pkcs11x.h: Support CRYPTOKI_GNU for IBM vendor + mechanisms + +Signed-off-by: Daiki Ueno +--- + common/pkcs11x.h | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/common/pkcs11x.h b/common/pkcs11x.h +index 4183b3d..da29224 100644 +--- a/common/pkcs11x.h ++++ b/common/pkcs11x.h +@@ -226,9 +226,23 @@ typedef CK_ULONG CK_TRUST; + #define CKM_IBM_SHA3_512_HMAC (CKM_VENDOR_DEFINED + 0x10028) + #define CKM_IBM_ATTRIBUTEBOUND_WRAP (CKM_VENDOR_DEFINED + 0x20004) + +-typedef struct CK_IBM_ATTRIBUTEBOUND_WRAP { +- CK_OBJECT_HANDLE hSignVerifyKey; +-} CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS; ++/* ++ * If the caller is using the PKCS#11 GNU calling convention, then we cater ++ * to that here. ++ */ ++#ifdef CRYPTOKI_GNU ++#define hSignVerifyKey h_sign_verify_key ++#endif ++ ++struct ck_ibm_attributebound_wrap { ++ CK_OBJECT_HANDLE hSignVerifyKey; ++}; ++ ++typedef struct ck_ibm_attributebound_wrap CK_IBM_ATTRIBUTEBOUND_WRAP_PARAMS; ++ ++#ifdef CRYPTOKI_GNU ++#undef hSignVerifyKey ++#endif + + #endif /* CRYPTOKI_IBM_VENDOR_DEFINED */ + +-- +2.38.1 + diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..f3b7c2c --- /dev/null +++ b/baselibs.conf @@ -0,0 +1,9 @@ +libp11-kit0 +p11-kit + +/usr/lib(64)?/pkcs11/*.so + requires "p11-kit = " +p11-kit-nss-trust + +/usr/lib(64)?/*.so + requires "p11-kit = " + conflicts "mozilla-nss-certs-" + provides "libnssckbi.so" diff --git a/p11-kit-0.23.22.tar.xz.sig b/p11-kit-0.23.22.tar.xz.sig new file mode 100644 index 0000000000000000000000000000000000000000..6ef001e021400211896d7cde2ea969d72b40170c GIT binary patch literal 580 zcmV-K0=xZ*0zm`-0SEvq79j*iA|=DLZ#0LW$VqJ01%!^*=9qB>0$%}}C%`sX#k z@+EO&X5M!|dst(0s5|j5m1?1%0~dJ`75%cn3J#s=x=}o1hsqG&!AGl(hlLx07ZB6p zX^{axJG#awb}+EUx;PXz?{6idTYHZLv}TmG@> z(W`r-gPNK=pF4l})bSf{<_QJQ+Q7p*#q+fCSP@s5EeuqXn|x)J5PcnZ^V8NQCUC}z zckYB6Rl!(biwMPzMwFZ~^=L&`-(f7ZxY_<trH*LCoj-nr+1ROgzJI_YQg+o#?FtlO@J#aWiAT9>PZ29zN7%qwJ8eV+g%FOc0@ zT9W8O6&5X5wDgoxl*+tugScihD|p#TPFd)hKrqgA=O0ZE(`hlkT_mj7a!0wWfMdI literal 0 HcmV?d00001 diff --git a/p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch b/p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch new file mode 100644 index 0000000..4672eb0 --- /dev/null +++ b/p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch @@ -0,0 +1,63 @@ +From d1782b694f75f4a7c1449b2d006df7aeaffbb576 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 27 Jul 2022 15:18:05 +0900 +Subject: pkcs11-gnu: Enable testing with + +This ensures that programs using can be compiled +with CRYPTOKI_GNU. The previous coverage was partial as pkcs11-gnu.c +didn't include "pkcs11x.h" and Meson didn't supply -DCRYPTOKI_GNU=1. + +Signed-off-by: Daiki Ueno + +diff --git a/p11-kit/meson.build b/p11-kit/meson.build +index 386f612..7912684 100644 +--- a/p11-kit/meson.build ++++ b/p11-kit/meson.build +@@ -217,6 +217,9 @@ gnu_h = gnu_h_gen.process(pkcs11_gnu_headers) + static_library('p11-kit-pkcs11-gnu', + gnu_h, + 'pkcs11-gnu.c', ++ c_args: [ ++ '-DCRYPTOKI_GNU=1', '-DP11_KIT_FUTURE_UNSTABLE_API=1', ++ ], + include_directories: [configinc, commoninc]) + + # Tests ---------------------------------------------------------------- +diff --git a/p11-kit/p11-kit.h b/p11-kit/p11-kit.h +index cc89595..aa8323e 100644 +--- a/p11-kit/p11-kit.h ++++ b/p11-kit/p11-kit.h +@@ -43,12 +43,17 @@ + */ + #ifdef CRYPTOKI_GNU + typedef ck_rv_t CK_RV; ++typedef ck_object_handle_t CK_OBJECT_HANDLE; ++typedef unsigned long int CK_ULONG; + typedef struct ck_function_list* CK_FUNCTION_LIST_PTR; + typedef struct ck_function_list CK_FUNCTION_LIST; + #endif + + #include "p11-kit/deprecated.h" + ++/* For size_t. */ ++#include ++ + #ifdef __cplusplus + extern "C" { + #endif +diff --git a/p11-kit/pkcs11-gnu.c b/p11-kit/pkcs11-gnu.c +index 86d9374..c75f4b0 100644 +--- a/p11-kit/pkcs11-gnu.c ++++ b/p11-kit/pkcs11-gnu.c +@@ -1,3 +1,8 @@ ++#include "config.h" ++ ++#include "p11-kit.h" ++#include "pkcs11x.h" ++ + #include "pkcs11-gnu-iter.h" + #include "pkcs11-gnu-pin.h" + #include "pkcs11-gnu-uri.h" +-- +2.42.0 + diff --git a/p11-kit.changes b/p11-kit.changes new file mode 100644 index 0000000..1ca3397 --- /dev/null +++ b/p11-kit.changes @@ -0,0 +1,486 @@ +* Tue Oct 24 2023 pmonreal@suse.com +- Ensure that programs using can be compiled + with CRYPTOKI_GNU. Fixes GnuTLS builds. [jsc#PED-6705] + * Add p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch +* Wed Jan 25 2023 lnussel@suse.com +- Backport IBM specific mechanism and attributes (Jira#PED-584) + 0001-Add-IBM-specific-mechanism-and-attributes.patch + 0002-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch + 0003-client-Allow-zero-part-length-at-C_SignUpdate.patch + 0004-Fix-support-of-CKA_DERIVE_TEMPLATE.patch + 0005-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch + 0006-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch + 0007-Add-support-for-MAC-and-HMAC-general-mechanisms.patch + 0008-Add-support-for-CKM_DH_PKCS_DERIVE.patch + 0009-rpc-Handle-special-cases-for-buffer-and-length.patch + 0010-Add-support-for-CKM_AES_CTR.patch + 0011-Add-support-for-CKM_AES_GCM.patch + 0012-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch +* Wed Aug 11 2021 scabrero@suse.de +- Update to version 0.23.22 (bsc#1180064, bsc#1180065, bsc#1180066): + * Fix memory-safety issues that affect the RPC protocol + (CVE-2020-29361, CVE-2020-29362, and CVE-2020-29363), discovered + and fixed by David Cook + * anchor: Prefer persistent format when storing anchor [PR#329] + * common: Fix infloop in p11_path_build [PR#326, PR#327] + * proxy: C_CloseAllSessions: Make sure that calloc args are non-zero [PR#325] + * common: Check for a NULL locale before freeing it [PR#321] + * Build and test fixes [PR#313, PR#315, PR#317, PR#318, PR#319, PR#323, + PR#330, PR#333, PR#334, PR#335, PR#338, PR#339] +- Changes for version 0.23.21 + * proxy: Do not assign duplicate slot IDs [PR#282] + * common: Get program name based on executable path if possible [PR#307] + * anchor: Exit with non-zero code, if any error occurs [PR#304] + * Build and test fixes [PR#283, PR#290, PR#291, PR#292, PR#296, PR#299, + PR#305, PR#306, PR#309, PR#311] +- Changes for version 0.23.20: + * Revert "Fix RPC when length-s are 0" changes [PR#276] +- Changes for version 0.23.19: + * common: add Russian PKCS#11 extensions to pkcs11x.h header [PR#255] + * Add simple bash completion for provided commands [PR#258] + * Unbreak list matching in enable-in and disable-in [PR#262] + * Fix RPC when length-s are 0 [PR#259] + * rpc: Add vsock transport support [PR#270] + * trust: Support CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER [PR#265] + * Build fixes [PR#271, PR#272, PR#273, ...] +- Changes for version 0.23.18: + * rpc: Allow empty CK_DATE value [PR#253] + * build: Meson fixes [PR#245] + * build: Adjust feature parity between meson and autotools [PR#247] +- Changes for version 0.23.17: + * common: Fix uClibc-ng compilation [PR#237] + * trust: do not allow daylight to invalidate date validation [PR#236] + * build: Port to meson build system [PR#231, PR#234] + * rpc: On UNIX wait on condition variable instead of FD if header is for a different thread [PR#232] + * doc: Add 'server' command in help [PR#229] + * Build and test fixes [PR#230] +- Changes for version 0.23.16: + * proxy: Support C_WaitForSlotEvent() if CKF_DONT_BLOCK is specified [PR#225] + * conf: Ignore user configuration if the program is running as root [PR#226] + * proxy: Refresh slot list on every C_GetSlotList call [PR#224] + * modules: Fix index used in call to p11_dict_remove() [PR#219] + * Fix Win32 p11_dl_error crash [PR#218] + * modules: check gl.modules before iterates on it when freeing [PR#217] + * trust: Ignore unreadable content in anchors [PR#215] + * extract-jks: Prefer _p11_extract_jks_timestamp to SOURCE_DATE_EPOCH [PR#213] +- Changes for version 0.23.15: + * trust: Improve error handling if backed trust file is corrupted [PR#206] + * url: Prefer upper-case letters in hex characters when encoding [PR#193] + * trust/extract-jks.c: also honor SOURCE_DATE_EPOCH time [PR#202] + * virtual: Prefer fixed closures to libffi closures [PR#196] + * Fix issues spotted by coverity and cppcheck [PR#194, PR#204] + * Build and test fixes [PR#164, PR#191, PR#199, PR#201] +- Changes for version 0.23.14: + * proxy: Avoid invalid memory access when unloading proxy module [PR#180] + * Update pkcs11 header to allow SoftHSMv2 to compile [PR#181] + * build: Restore libpthread dependency [PR#183] + * Build fixes [PR#188] +- Changes for version 0.23.13: + * server: Enable socket activation through systemd [PR#173] + * rpc-server: p11_kit_remote_serve_tokens: Allow exporting all modules + [PR#174] + * proxy: Fail early if there is no slot mapping [PR#175] + * Remove hard dependency on libpthread [PR#177] + * Build fixes [PR#170, PR#176] +- Changes for version 0.23.12 + * Fix compile error when PKCS#11 GNU calling convention is enabled [PR#160] + * Fix getauxval() and secure_getenv() emulation on macOS and FreeBSD [PR#167] + * Build and test fixes on macOS [PR#162, PR#168] +- Changes for version 0.23.11 + * trust: Add extractor for edk2/cacerts.bin [PR#139] + * modules: Add option to control module visibility from proxy [PR#140] + * trust: Prevent trust module being loaded by proxy module [PR#142] + * library: Use dedicated locale object for printing error [PR#148] + * Treat CKR_CRYPTOKI_ALREADY_INITIALIZED correctly [PR#134] + * Improve const correctness for P11KitUri [PR#152] + * PKCS#11 URI scheme comparison is now case insensitive [PR#156] + * Build and test fixes [PR#151, PR#149, PR#141, PR#138, PR#135] +- Changes for version 0.23.10 + * filter: Respect "write-protected" vendor-specific attribute in + PKCS#11 URI [PR#129] + * server: Improve shell integration and documentation [PR#107, PR#108] + * proxy: Reuse existing slot ID mapping in after fork() [PR#120] + * trust: Forcibly mark "Default Trust" read-only [PR#123] + * New function p11_kit_override_system_files() which can be used for + testing [PR#110] + * trust: Filter out duplicate extensions [PR#69] + * Update translations [PR#128] + * Bug fixes [PR#125, PR#126] +- Changes for version 0.23.9 + * Fix p11-kit server regressions [PR#103, PR#104] + * trust: Respect anyExtendedKeyUsage in CA certificates [PR#99] + * Build fixes related to reallocarray [PR#96, PR#98, PR#100] +- Changes for version 0.23.8 + * Improve vendor query attributes handling in PKCS#11 URI [PR#92] + * Add OTP and GOST mechanisms to pkcs11.h [PR#90, PR#91] + * New envvar P11_KIT_NO_USER_CONFIG to stop looking at user + configurations [PR#87] + * Build fixes for Solaris and 32-bit big-endian platforms [PR#81, PR#86] +- Changes for version 0.23.7 + * Fix memory issues with "p11-kit server" [PR#78] + * Build fixes [PR#77 ...] +- Changes for version 0.23.6 + * Port "p11-kit server" to Windows and portability fixes of the RPC + protocol [PR#67, PR#72, PR#74] + * Recover the old behavior of "trust anchor --remove" [PR#70, PR#71] + * Build fixes [PR#63 ...] +- Changes for version 0.23.5 + * Fix license notice of common/unix-peer.c [PR#58] + * Remove systemd unit files for now [PR#60] + * Build fixes for FreeBSD [PR#56] +- Changes for version 0.23.4 + * Recognize query attributes defined in PKCS#11 URI (RFC7512) [PR#31, + PR#37, PR#52] + * The trust policy module now recognizes CKA_NSS_MOZILLA_CA_POLICY + attribute, used by Firefox [#99453, PR#46] + * Add 'trust dump' command to dump all PKCS#11 objects in the + persistence format [PR#44] + * New experimental 'p11-kit server' command that allows PKCS#11 + forwarding through a Unix domain socket. A client-side module + p11-kit-client.so is also provided [PR#15] + * Add systemd unit files for exporting the proxy module through a + Unix domain socket [PR#35] + * New P11KitIter API to iterate over slots, tokens, and modules in + addition to objects [PR#28] + * libffi dependency is now optional [PR#9] + * Build fixes for FreeBSD, macOS, and Windows [PR#32, PR#39, PR#45] +- Changes for version 0.23.3 + * Install private executables in libexecdir [fdo#98817] + * Fix link error of proxy module on macOS [fdo#98022] + * Use new PKCS#11 URI specification for URIs [fdo#97245] + * Support x-init-reserved argument of C_Initialize() in remote modules + [fdo#80519] + * Incorporate changes from PKCS#11 2.40 specification + * Bump libtool library version + * Documentation fixes + * Build fixes [fdo#87192 ...] +- Move RPM macros to %%_rpmmacrodir. +- New server subpackage +- Change keyring to new maintainer Daiki Ueno +- Avoid bareword to fix build failure +- Remove obsolete patches: + * p11-kit-biarch.patch + * 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch + * 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch +* Mon Dec 23 2019 lnussel@suse.de +- Also build documentation (boo#1013125) +* Fri Nov 15 2019 lnussel@suse.de +- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox + detects built in certificates (boo#1154871, + 0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch, + 0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch) +* Tue Mar 20 2018 kukuk@suse.de +- Use %%license instead of %%doc [bsc#1082318] +* Tue Nov 22 2016 sbrabec@suse.com +- 32-bit compatibility fixes: + * Add PKCS11 module to p11-kit-32bit (bsc#996047#c39) + * Add p11-kit-nss-trust-32bit NSS module + * Fix potential bi-arch issue with private binaries + (fdo#98817, p11-kit-biarch.patch) +* Mon Feb 8 2016 mpluskal@suse.com +- Update to 0.23.2 + * Fix forking issues with libffi + * Fix various crashes in corner cases + * Updated translations + * Build fixes +- Make building more verbose +- Enable tests +- Small spec file cleanup with spec-cleaner +* Sun Mar 8 2015 p.drouand@gmail.com +- Update to version 0.23.1 (stable) + * Use new PKCS#11 URI draft fields for URIs [fdo#86474 fdo#87582] + * Add pem-directory-hash extract format + * Build fixes +- Remove 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff; + fixed on upstream release +- Remove autoconf, automake and libtool require; unneeded dependencies +- Add gtk-doc require; needed to build html documentation +- Remove redundant %%clean section +* Mon Oct 13 2014 lnussel@suse.de +- remove patches: + * trust-Print-label-of-certificate-when-complaining-.patch + * trust-Dont-use-invalid-public-keys-for-looking-up-.patch +- new version 0.20.7 (stable) + * New public pkcs11x.h header containing extensions [fdo#83495] + * Export necessary defines to lookup attached extensions [fdo#83495] + * Build fixes +- new version 0.20.6 (stable) + * Make the p11-kit-proxy.so module respect critical = no [fdo#83651] + * Build fix for FreeBSD [fdo#75674] +- new version 0.20.5 (stable) + * Don't use invalid keys for looking up stapled extensions [fdo#82328] + * Better error messages when invalid certificate extensions + * Fix parsing of some odd OpenSSL TRUSTED CERTIFICATE files + * Fix some leaks, and memory issues + * Silence some clang scanner warnings +- new version 0.20.4 (stable) + * Don't complain about C_Finalize after a fork + * Fix typo +* Fri Aug 29 2014 lnussel@suse.de +- new version 0.20.3 + * Fix problems reinitializing managed modules after fork + * Fix bad bookeeping when fail initializing one of the modules + * Fix case where module would be unloaded while in use [#74919] + * Remove assertions when module used before initialized [#74919] + * Fix handling of mmap failure and mapping empty files [#74773] + * Stable p11_kit_be_quiet() and p11_kit_be_loud() functions + * Require automake 1.12 or later + * Build fixes for Windows [#76594 #74149] +- apply patches to avoid errors from certificates with invalid public key + (fdo#82328, bnc#890908, + trust-Dont-use-invalid-public-keys-for-looking-up-.patch, + trust-Print-label-of-certificate-when-complaining-.patch) +* Mon May 19 2014 lnussel@suse.de +- New version 0.20.2 + * Fix bug where blacklist didn't affect extracted ca-anchors if the anchor + and blacklist were not in the same trust path (regression) [fdo#73558] + * Check for race in BasicConstraints stapled extension [fdo#69314] + * Build fixes and cleanup +* Tue Feb 11 2014 meissner@suse.com +- added .sig file. trying to locate source of the keyring. +* Fri Dec 6 2013 lnussel@suse.de +- trust: allow to also add openssl style hashes to pem-directory + 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff +* Tue Sep 10 2013 lnussel@suse.de +- upgrade to 0.20.1 which is 0.19 declared stable + * Extract compat trust data after we've changes + * Skip compat extraction if running as non-root + * Better failure messages when removing anchors +* Fri Aug 30 2013 lnussel@suse.de +- new version 0.19.4 + * 'trust anchor' now adds/removes certificate anchors + * 'trust list' lists trust policy stuff + * 'p11-kit extract' is now 'trust extract' + * 'p11-kit extract-trust' is now 'trust extract-compat' + * Workarounds for working on broken zfsonlinux.org [#68525] + * Add --with-module-config parameter to the configure script [#68122] + * Add support for removing stored PKCS#11 objects in trust module +* Thu Jul 25 2013 lnussel@suse.de +- new version 0.19.3 + * Fix up problems with automake testing + * Fix a bunch of memory leaks in newly refactored code + * Don't use _GNU_SOURCE and the unportability it brings + * Add basic 'trust anchor' command to store a new anchor + * Support for writing out trust token objects + * Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec + * Add option to use freebl for hashing + * Implement reloading of token data + * Fix warnings and possible minor bugs higlighted by code scanners + * Don't load configs in home directories when running setuid or setgid + * Support treating ~/.config as $XDG_CONFIG_HOME + * Use $XDG_DATA_HOME/pkcs11 as default user config directory + * Use $TMPDIR instead of $TEMP while testing + * Open files and fds with O_CLOEXEC + * Abort initialization if a critical module fails to load + * Don't use thread-unsafe functions: strerror, getpwuid + * Fix p11_kit_space_strlen() result when empty string + * Refactoring of where various components live +* Fri Jul 5 2013 lnussel@suse.de +- fix 32bit provides of libnssckbi.so +- repace p11-kit-extract-trust with update-ca-certificates +* Fri Jun 28 2013 lnussel@suse.de +- provide libnssckbi.so to replace mozilla-nss-certs +* Mon Jun 24 2013 lnussel@suse.de +- add p11-kit-nss-trust subpackage that serves as drop-in + replacement for mozilla-nss-certs +* Wed Jun 19 2013 lnussel@suse.de +- use /etc/pki/trust and /usr/share/pki/trust as system CA + certificate store +* Mon May 27 2013 dimstar@opensuse.org +- Update to version 0.19.1: + + Refactor API to be able to handle managed modules. + + Deprecate much of old p11-kit API. + + Implement concept of managed modules. + + Make C_CloseAllSessions function work for multiple callers. + + New dependency on libffi. + + Fix possible threading problems reported by hellgrind. + + Add log-calls option. + + Mark p11_kit_message() as a stable function. + + Use our own unit testing framework. +- Add pkgconfig(libffi) BuildRequires: new dependency. +* Tue May 14 2013 dimstar@opensuse.org +- Update to version 0.18.2: + + Build fixes (fdo#64378) +* Mon May 13 2013 dimstar@opensuse.org +- Also provide p11-kit-32bit (in fact, the pkcs#11 modules) + (bnc#819246). +* Mon Apr 15 2013 dimstar@opensuse.org +- Update to version 0.18.1: + + Put the external tools in $libdir/p11-kit. + + Documentation build fixes. +* Thu Apr 4 2013 dimstar@opensuse.org +- Update to version 0.18.0: + + Fix use of trust module with gcr and empathy (fdo#62896). + + Further tweaks to trust module date parsing. + + Fix unaligned memory reads (fdo#62819). + + Win32 fixes (fdo#63062, fdo#63046). + + Debug and logging tweaks (fdo#62874). + + Other build fixes. +* Thu Mar 28 2013 zaitor@opensuse.org +- Update to version 0.17.5: + + Don't try to guess at overflowing time values on 32-bit + systems (fdo#62825). + + Test fixes (fdo#927394). +* Thu Mar 21 2013 dimstar@opensuse.org +- Update to version 0.17.4: + + Check for duplicate certificates in a token, warn and discard + (fdo#62548). + + Implement a proper index so we have decent load performance. +* Wed Mar 20 2013 dimstar@opensuse.org +- Update to version 0.17.3: + + Use descriptive labels for the trust module tokens (fdo#62534). + + Remove the temporary built in distrust objects. + + Make extracted output directories and files read-only + (fdo#61898). + + Don't export unneccessary ABI. + + Build fixes (fdo#62479). +* Tue Mar 19 2013 dimstar@opensuse.org +- Update to version 0.17.2: + + Fix build on 32-bit linux. + + Fix several crashers. +- Changes from version 0.17.1: + + Support a p11-kit specific PKCS#11 attribute persistance format + (fdo#62156). + + Use the SHA1 hash of SPKI as the CKA_ID in the trust module by + default (fdo#62329). + + Refactor a trust builder which builds objects out of parsed + data (fdo#62329). + + Combine trust policy when extracting certificates (fdo#61497). + + The extract --comment option adds comments to PEM bundles + (fdo#62029). + + A new 'priority' config option for ordering modules + (fdo#61978). + + Make each configured path its own trust module token + (fdo#61499). + + Use --with-trust-paths to configure trust module (fdo#62327). + + Fix bug decoding some PEM files. + + Better debug output for trust module lookups. + + Work around bug in NSS when doing serial number lookups. + + Work around broken strndup() function in firefox. + + Fix the nickname for the distrusted attribute. + + Build fixes. +- Add ca-certificates BuildRequires: needed to find the location of + the root certificates. +* Thu Mar 14 2013 dimstar@opensuse.org +- Update to version 0.16.4: + + Display per command help again (fdo#62153). + + Don't always print tools debug output (fdo#62152). +- Changes from version 0.16.3: + + When iterating don't skip tokens without the + CKF_TOKEN_INITIALIZED flag. + + Hardcode some distrust records for NSS temporarily. + + Parse global options better in the p11-kit command. + + Better debugging. +- Changes from version 0.16.2: + + Fix regression in 'p11-kit extract --purpose' option + (fdo#62009) + + Documentation updates + + Build fixes (fdo#62001). +- Changes from version 0.16.1: + + Don't break when cA field of BasicConstraints is missing + (fdo#61975). + + Documentation fixes and updates. + + p11-kit extract-trust is a placeholder script now. +* Tue Mar 5 2013 dimstar@opensuse.org +- Update to version 0.16.0: + + Update the pkcs11.h header for new mechanisms + + Fix build and tests on mingw64 (ie: win32) + + Relicense LGPL code to BSD license + + Documentation tweaks + + Bugs fixed: fdo#61739, fdo#60894, fdo#61740, fdo#60792 + + Updated translations. +- Changes from version 0.15.2: + + Better define the libtasn1 dependency. + + Crasher and bug fixes. + + Build fixes. + + Updated translations. +- Changes from version 0.15.1: + + Fix some memory leaks. + + Add a location for packages to drop module configs. + + Documentation updates and fixes. + + Add command line tool manual page. + + Remove unused err() function and friends. + + Move more code into common/ directory and refactor. + + Add a system trust policy module. + + Refactor how the p11-kit command line tool works. + + Add p11-kit extract and extract-trust commands. + + Don't complain if we cannot access ~/.pkcs11/pkcs11.conf. + + Refuse to load the p11-kit-proxy.so as a registered module. + + Don't fail initialization if last initialized module fails. +* Fri Sep 7 2012 dimstar@opensuse.org +- Update to version 0.14: + + Change default for user-config to merge + + Always URI-encode the 'id' attribute in PKCS#11 URIs + + Expect a .module extension on module configs + + Windows compatibility fixes + + Testing fixes + + Build fixes +* Mon Jul 23 2012 zaitor@opensuse.org +- Update to version 0.13: + + Don't allow reading of PIN files larger than 4096 bytes + + If a module is not marked as critical then ignore init failure + + Use preconditions to check for input problems and out of memory + + Add enable-in and disable-in options to module config + + Fix the flags in pin.h + + Use gcc extensions to check varargs during compile + + Fix crasher when a duplicate module is present + + Fix broken hashmap behavior + + Testing fixes + + Win32 build fixes + + 'p11-kit -h' now works + + Documentation fixes +* Fri Mar 9 2012 dimstar@opensuse.org +- Update to version 0.12: + + Build fix. +* Fri Feb 10 2012 vuntz@opensuse.org +- Update to version 0.11: + + Remove automatic reinitialization of PKCS#11 after fork +* Wed Jan 4 2012 vuntz@opensuse.org +- Update to version 0.10: + + Build fixes, for windows, gcc 4.6.1. +* Tue Nov 15 2011 dimstar@opensuse.org +- Update to version 0.9: + + p11-kit can't be used as a static library. + + Fix problems crashing when freeing TLS on windows. + + Add debug output to windows init and uninit of library. + +.Build fixes, especially for windows +* Thu Oct 27 2011 dimstar@opensuse.org +- Update to version 0.8: + + Rename non-static functions to have a _p11_xxx prefix + + No concurrent calling of C_Initialize and C_Finalize + + Print more information in 'p11-kit -l' + + Initial port to win32 + + Build and testing fixes. +* Tue Sep 27 2011 vuntz@opensuse.org +- Update to version 0.7: + + Expand p11-kit config variables correctly in various build + scenarios + + Add test tool to print out error messages + + Build fix on FreeBSD +* Thu Sep 15 2011 vuntz@opensuse.org +- Update to version 0.6: + + Add concept of a default module directory from which modules + with relative paths are loaded. + + Renamed pkg-config variables to make it clearer what's what. +* Fri Sep 2 2011 vuntz@opensuse.org +- Update to version 0.5: + + Fix crasher in p11_kit_registered_modules() + + Add 'critical' setting for modules, which defaults to 'no' + + Fix initialization issues in the proxy module +* Fri Aug 19 2011 dimstar@opensuse.org +- Update to version 0.4: + + Fix endless loop if module forks during initialization + + Update PKCS#11 URI code for new draft of spec + + Don't fail when duplicate modules are configured + + Better debug output + + Add example configuration documentation + + Support whitespace in PKCS#11 URIs +- Move the p11-kit.conf.example to the doc folder. +* Sat Jul 30 2011 vuntz@opensuse.org +- Update to version 0.3: + + Rewrite hash table, and simplify licensing. + + Correct paths for p11-kit config files. + + Many build fixes and tweaks. +- Remove Apache-2 part from License tag, as the code was rewritten. +* Mon Jul 25 2011 vuntz@opensuse.org +- Initial package (version 0.2). diff --git a/p11-kit.keyring b/p11-kit.keyring new file mode 100644 index 0000000..7851c65 --- /dev/null +++ b/p11-kit.keyring @@ -0,0 +1,63 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBEpn7i4BEACh0wFe2B53UlIxWOQ3wrK3TIyHpmz9zyMCkdIP7x1b74Z/SxZA +7N8uOk5BQh3GLBnYThJl3MSWOAgpbouyI5Eh9f+yZ27AoBkQcd8JeHckbLvXCxG8 +GPOn1cqSBUsus+6tuG86LI3rudJSKsFZ2uH0amRfJSBBnybrosy5dTn55GIJ3Bbq +WdaTP7uNFWRMzi6DA49m880hJ2qunkuAOX/q8kvKpfRuJCdme9kXZc1l88FqGUEl +dCVYpG+SjdCFP9CmZJRYhF6UuRHSZXyJTw1WMmop7gYj2F3QTsodnf1e9eDju/yW +pzmPB4WACtrrO7wzPlufselFNIrHwx6tykvzflaYTg2brn9opmZTAM7eYXhBk8AE +vOXCg1q4UXiSGtFpowBUVtoOGQHlSC218OnQyaMEsC7Cagb1EQqZNbXnvcMVzMIc +XcKHFSAQrk5+IfNTQOok8FIWXWm8TYVDqVIpWEKDgHj0PwcPWtpkhjlgIP01a5uv +rvv0w1Tq2NcjLppyYynoEvEbGWojku4lyCUWdWAL9n5h3IClyBCqdH8OMtdL3Wib +GIlkbOcWXfsR+FURCv5eswMRAlZKuzLf6YyDzpZVWyOoe+Qc+S4Dl8J+WeY7PquN +JwGdtLklSi0436VYKup4kgoT3iAHYVOBt0K03nDtgnsm2UxiER+e190YVwARAQAB +tBlEYWlraSBVZW5vIDx1ZW5vQGdudS5vcmc+iQI+BBMBAgAoAhsDBgsJCAcDAgYV +CAIJCgsEFgIDAQIeAQIXgAUCUlDGpgUJEU7Z8QAKCRDWBYSO1+aYcb7lD/9nmcZ/ +s2x1iEoYtnl0BwhdMH5rc9le9OgNWVSTJEYs/LDfIuwo0qSSi/qrJyXV8MaazM4v +4G+XwGWJxMnRKW2WG7mMRyF5UVSgindZ0CE19vchGMAc9u6xXfm74kd0q/wkfpF9 +OhlNrBw5BdFfP66WOoK0vkX40HaTiJKO4ty7g0rMGJh2ENji5ilzc3uccZr8tjg9 +ZM+SFZ5KE1wbPLNjVOLJo7BYW5pUmlIMsY5h+5B5etFKiJnqBok/NdMr3Wxszfmg +0ea7F6Nd5+vWD3ZcmAM+fa/N/zRKozlK7I0dFnYjGfQWn8Y5e3jALbY18DmY/Sr/ +4D2m6c5g/x0ynLxaNiDcAJtyjI3j0mBvAa6WGiqifYgWesgpcalFnTk5DtNFZtop +0CjKSo6+XTndd2DXtYifFN13t9Q8017lrplMJYDz5UkETnRHun1eJzmVjCt5GC2E +7s71dcmFc/4CQjYOxFBToMI8BuRS8CUVM6Thm4napRwh2SEVAcS479OtY0kraD7B +fMUVYb4iOgjPPvWswD4kztC4YqFO6Q7bK+QDBEsRBpsAphiELwi253kNSRND64SW +kUIfE5jwy/BJpDWiy56ndkGrhsWA7Uf+LyxveHDXqMT/l/sR1uC7lvZo/CTBUmpY +R3Fh8SGUQEOJmfL5rJqFNCpHW9hOa8bZRXhBcbQeRGFpa2kgVWVubyA8dWVub0B1 +bml4dXNlci5vcmc+iQI9BBMBAgAnAhsDAh4BAheABQsJCAcDBRUKCQgLBRYCAwEA +BQJSUMarBQkRTtnxAAoJENYFhI7X5phxFfcP/3ffau6eG1p7cmy2ZL0ow1jJEPJH +AV6u3PuvyKrynmJszFEZwt59GK9c1fO8b3nwgljIEIoW7/nWYg2kcLjPatpIA87K +sqTYaoVcmPzD3NkBXFJpHrdoL8gnBFuaQbSKfLa11F2fgpSPxNnpmRx8M3G82ZCT +PQtdeQm9T+QtcOpJ0PRDvckVNXxpW7RX/VATF6yL/zcxGZmFcFW+ZCAbyYQn7LSt +sujvVrH8H/VrDTSKBRK15iTTZZgoIsFbhsOBuQ18nahWcdwxl9qVbduY3cjowXTg +lpsLRcGw99mad8oA1jtSJhsP10v+rgvqYXsGS00bNCuC+LpF272neotgdIsNfrIg +RCnD9gLBWCeLJEZGNx3OgJPHnBDzDHsKr8UbSvYKWWTpHZZ0kt8p6YQ/xj+CycPm +h4mCwAoys2r/r2Mqtoc/WX7yg7i9t43/inLwrQZjOY0TK+QT5+l3opHQ54JKOi6n +xGgMPT/HfNvvjkRoC8Bn1vDBFRpXR+YU6cW6M9SxUeNKFNlElgfYuH1R7t/6C1VG +/O4UQuU4+ZgQNWUJHlibZExZ5oGcOkREjDKYZ9CCiQTc8Nl2F20eP/UL688Ns/mj +lbNYoEZmkGbcd64SM66d+D8jU3olG1xG1+1b4ZrV4Bb3yuuO29k9xU7+A7rXM33p +4ktklE69+udhe9LZuQINBEtrT7wBEACjRnNKXpiD/tbVSiF3bicZpf4C1JFIDvvJ +HQZEuK35SqeAe/tUpMAwbBfgW5sExUoB3Cy1lEK2Bi1kO7GU+tkdCHhi6jrcLYiM +g7QXavYZ/ebYHVfhVY2vGhOJVz4qm0/WvQYT3OpJSqrD1jT+AbRpDxFk9h2CBPw1 +roBrh8TqYKyIOBPSswLwP05IKk9h7SwQnl/stXRchLMVaMrKL33V2bpZSI4NtYhJ +QGzX7PHVsv4JYBCXCeFRhAJwLLySfGM3DXdAChsOjtGob/sW84Kv5YM65sHxmhit +4NC5o5IxVQntvYaOsTafF9KOC8egostPsARxUNNihGYvJ5WL8NS2wQVMWsiRMK+/ +QsK6PEMXny4q9+lMPGBZpuGicUX68RIIJynAaHatdorA0hFSDQIVxbhDTQdrBnmt +fSx33Yd9LlaW+oFz3oNtsUP57JQMvn7/RYMSheRqtlhSOOHQV/DdORo2B1uhd2Dl +uZOzsVz88o/2eZ9dhO8ArNhQRpWgcx7dq+kI7FyUH0Idrw29qD3IT/PnEOTF84ro +l0HEagP1ozVB32krJIDRQleTmdTogtT69FYLHnK9fYrk1m3Pcc3TWb/1PCcccN0D +2RJCl2kry5wJdx6g2bi7wg4twpRJshi5jREPJAAGNy5MKA+oon6D6gbwwNP3xuz/ +/9BU0AUDYQARAQABiQIfBBgBAgAJBQJLa0+8AhsMAAoJENYFhI7X5phxMKwQAJ+j +gt6wOMCLx1zsRi3pxGQQq7FmVJNJYZ12JEp2uLC1h9E08V+aQXZe7pbonIlXvzeI +hOl6R1Smz/Kmyoly9C9TIhtMhkZrsxocriaLM7IxIfCuy0inFvv9bEogCCNVxFpj +V1DPscMVURKQgjbNQcKezyKOUq47ICq8eN5wma72mlxRVRxUTHi53Sokfb9YurhV +HrcWx/ESMR7zHSCwjtfQ69c77+aITJwocVaxlUVQYCCavCOB1gYDjnf5F17g+zGG +Cw7dN8vg4B048oyg8RiSnAmN2lt4iffqPAVTU8rixDRGkgpxYiMkGCdaqHwSu+mu +Ca85AM9r9WK6WIuRQEjh2PNsTk+ltamTLfFUC0sOpG+8LetD1hI3BWSpfgT5ncnU +RcnmansiVT0Gy73vPXf+THwnY4vAY5o0X93s2syfDX7ZRrhLg0MBKuz/eIBRLDFa +wkjpe+3mDYMVo1S1Dpg7Yt8IvlDFQlWRlISuoggM486JQNfjdS0ZiEk1mIja4w8R +YDJ2Fk6hcoR754fhZtULgXzE0ERGaTfpFlGu4jaWmyWikdaz+of5AR09mLl6KhCD +uqJ1LfpokgdeUIOwxe/67xT5wyGWK97fjJGj5Zo6VxFFf6bHZ8rVVhXBsR3WNDQP +kf3uHnsk4YEXreTPtPvQ7sp4/wAqX1qv3cV21kX2 +=KGSD +-----END PGP PUBLIC KEY BLOCK----- diff --git a/p11-kit.spec b/p11-kit.spec new file mode 100644 index 0000000..5fcd02d --- /dev/null +++ b/p11-kit.spec @@ -0,0 +1,205 @@ +# +# spec file for package p11-kit +# +# Copyright (c) 2022-2023 ZhuningOS +# + + +%define pkidir_cfg %{_sysconfdir}/pki +%define pkidir_static %{_datadir}/pki +%define trustdir_cfg %{pkidir_cfg}/trust +%define trustdir_static %{pkidir_static}/trust + +Name: p11-kit +Version: 0.23.22 +Release: 150500.8.3.1 +Summary: Library to work with PKCS#11 modules +License: BSD-3-Clause +Group: Development/Libraries/C and C++ +URL: https://p11-glue.freedesktop.org/p11-kit.html +Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz +Source1: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.xz.sig +Source98: p11-kit.keyring +Source99: baselibs.conf +Patch0: 0001-Add-IBM-specific-mechanism-and-attributes.patch +Patch1: 0002-Add-support-for-serializing-CK_ECDH1_DERIVE_PARAMS-m.patch +Patch2: 0003-client-Allow-zero-part-length-at-C_SignUpdate.patch +Patch3: 0004-Fix-support-of-CKA_DERIVE_TEMPLATE.patch +Patch4: 0005-Add-other-SHA-variants-also-for-RSA-and-EC-signature.patch +Patch5: 0006-Add-support-for-missing-AES-and-DES-DES3-mechanisms.patch +Patch6: 0007-Add-support-for-MAC-and-HMAC-general-mechanisms.patch +Patch7: 0008-Add-support-for-CKM_DH_PKCS_DERIVE.patch +Patch8: 0009-rpc-Handle-special-cases-for-buffer-and-length.patch +Patch9: 0010-Add-support-for-CKM_AES_CTR.patch +Patch10: 0011-Add-support-for-CKM_AES_GCM.patch +Patch11: 0012-common-pkcs11x.h-Support-CRYPTOKI_GNU-for-IBM-vendor.patch +# PATCH-FIX-UPSTREAM [jsc#PED-6705] Ensure that programs using +# can be compiled with CRYPTOKI_GNU. +Patch12: p11-kit-pkcs11-gnu-Enable-testing-with-p11-kit-pkcs11x.h.patch +BuildRequires: gtk-doc +BuildRequires: pkgconfig +BuildRequires: pkgconfig(libffi) >= 3.0.0 +BuildRequires: pkgconfig(libtasn1) >= 2.3 + +%description +p11-kit provides a way to load and enumerate PKCS#11 modules, as well +as a standard configuration setup for installing PKCS#11 modules in +such a way that they're discoverable. + +%package -n libp11-kit0 +Summary: Library to work with PKCS#11 modules +Group: System/Libraries + +%description -n libp11-kit0 +p11-kit provides a way to load and enumerate PKCS#11 modules, as well +as a standard configuration setup for installing PKCS#11 modules in +such a way that they're discoverable. + +%package tools +Summary: Library to work with PKCS#11 modules -- Tools +Group: Development/Libraries/C and C++ + +%description tools +p11-kit provides a way to load and enumerate PKCS#11 modules, as well +as a standard configuration setup for installing PKCS#11 modules in +such a way that they're discoverable. + +%package devel +Summary: Library to work with PKCS#11 modules -- Development Files +Group: Development/Libraries/C and C++ +Requires: libp11-kit0 = %{version} + +%description devel +p11-kit provides a way to load and enumerate PKCS#11 modules, as well +as a standard configuration setup for installing PKCS#11 modules in +such a way that they're discoverable. + +%package nss-trust +Summary: Adaptor to make NSS read the p11-kit trust store +Group: Productivity/Networking/Security +Requires: p11-kit = %{version} +Conflicts: mozilla-nss-certs +%if "%{_lib}" == "lib64" +Provides: libnssckbi.so()(64bit) +%else +Provides: libnssckbi.so +%endif + +%description nss-trust +Adaptor library to make NSS read the p11-kit trust store. It has +to be installed intead of mozilla-nss-certs. + +%package server +Summary: Server and client commands for p11-kit +Group: Development/Libraries/C and C++ +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description server +Command line tools that enable to export PKCS#11 modules through a +Unix domain socket. Note that this feature is still experimental. + +%prep +%autosetup -p1 + +%build +%configure \ + --with-trust-paths=%{trustdir_cfg}:%{trustdir_static} \ + --enable-doc +%make_build + +%install +%make_install +# +install -d m 755 %{buildroot}%{trustdir_cfg}/{anchors,blacklist} +install -d m 755 %{buildroot}%{trustdir_static}/{anchors,blacklist} +# Create pkcs11 config directory +test ! -e %{buildroot}%{_sysconfdir}/pkcs11/modules +install -d %{buildroot}%{_sysconfdir}/pkcs11/modules +# Remove sample config away to doc folder. Having the sample there would conflict +# with future versions of the library on file level. As replacement, we package +# the file as documentation file. +rm %{buildroot}%{_sysconfdir}/pkcs11/pkcs11.conf.example +find %{buildroot} -type f -name "*.la" -delete -print +# +install -d -m 755 %{buildroot}%{_rpmmacrodir} +cat <<'FIN' >%{buildroot}%{_rpmmacrodir}/macros.%{name} +# Macros from p11-kit package +%%pkidir_cfg %{pkidir_cfg} +%%pkidir_static %{pkidir_static} +%%trustdir_cfg %{trustdir_cfg} +%%trustdir_static %{trustdir_static} +FIN +# +# nss compat lib +ln -s %{_libdir}/pkcs11/p11-kit-trust.so %{buildroot}%{_libdir}/libnssckbi.so +# +# call update-ca-certificates when trust changes +rm %{buildroot}%{_libexecdir}/%{name}/trust-extract-compat +ln -s ../../sbin/update-ca-certificates %{buildroot}%{_libexecdir}/%{name}/p11-kit-extract-trust +export NO_BRP_STALE_LINK_ERROR=yes # *grr* + +%check +%make_build check + +%post -n libp11-kit0 -p /sbin/ldconfig +%postun -n libp11-kit0 -p /sbin/ldconfig + +%files +%defattr(-,root,root) +%dir %{_libdir}/pkcs11 +%dir %{_datadir}/%{name} +%dir %{_datadir}/%{name}/modules +%dir %{pkidir_cfg} +%dir %{trustdir_cfg} +%dir %{trustdir_cfg}/anchors +%dir %{trustdir_cfg}/blacklist +%dir %{pkidir_static} +%dir %{trustdir_static} +%dir %{trustdir_static}/anchors +%dir %{trustdir_static}/blacklist +%{_datadir}/%{name}/modules/p11-kit-trust.module +%{_libdir}/pkcs11/p11-kit-trust.so +%dir %{_libexecdir}/%{name} +%{_libexecdir}/%{name}/p11-kit-remote +%{_libexecdir}/%{name}/p11-kit-extract-trust + +%files -n libp11-kit0 +%defattr(-,root,root) +%license COPYING +# Package the example conf file as documentation. Like this we're sure that we will +# not introduce conflicts with this version of the library and future ones. +%doc p11-kit/pkcs11.conf.example +%doc AUTHORS ChangeLog NEWS README +%dir %{_sysconfdir}/pkcs11 +%dir %{_sysconfdir}/pkcs11/modules/ +%{_libdir}/libp11-kit.so.* +%{_libdir}/p11-kit-proxy.so + +%files tools +%defattr(-,root,root) +%{_bindir}/p11-kit +%{_bindir}/trust +%{_mandir}/man1/trust.1%{?ext_man} +%{_mandir}/man5/pkcs11.conf.5%{?ext_man} +%{_mandir}/man8/p11-kit.8%{?ext_man} + +%files devel +%defattr(-,root,root) +%{_rpmmacrodir}/macros.%{name} +%{_includedir}/p11-kit-1/ +%{_libdir}/libp11-kit.so +%{_libdir}/pkgconfig/p11-kit-1.pc +%doc %dir %{_datadir}/gtk-doc +%doc %dir %{_datadir}/gtk-doc/html +%doc %{_datadir}/gtk-doc/html/p11-kit/ + +%files nss-trust +%defattr(-,root,root) +%{_libdir}/libnssckbi.so + +%files server +%defattr(-,root,root) +%{_libdir}/pkcs11/p11-kit-client.so +%{_libexecdir}/p11-kit/p11-kit-server + +%changelog