summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatoro Mahri <matoro@users.noreply.github.com>2023-07-17 18:06:02 -0400
committerSam James <sam@gentoo.org>2023-07-17 23:14:32 +0100
commit08f134943e605456a2506fbfe688cea0340059e9 (patch)
treed8f0578bda0110ba8e98bd22609a14bf0e736ba1 /dev-libs/opensc
parentsys-apps/less: update live for tests (diff)
downloadgentoo-08f134943e605456a2506fbfe688cea0340059e9.tar.gz
gentoo-08f134943e605456a2506fbfe688cea0340059e9.tar.bz2
gentoo-08f134943e605456a2506fbfe688cea0340059e9.zip
dev-libs/opensc: backport PR to fix dev-libs/libp11 tests
See: https://github.com/OpenSC/libp11/issues/478 See: https://github.com/OpenSC/OpenSC/pull/2656 Bug: https://bugs.gentoo.org/909781 Signed-off-by: Matoro Mahri <matoro@users.noreply.github.com> Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'dev-libs/opensc')
-rw-r--r--dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch215
-rw-r--r--dev-libs/opensc/opensc-0.23.0-r2.ebuild81
2 files changed, 296 insertions, 0 deletions
diff --git a/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch b/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch
new file mode 100644
index 000000000000..f9ce72d31776
--- /dev/null
+++ b/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch
@@ -0,0 +1,215 @@
+https://bugs.gentoo.org/909781
+https://github.com/OpenSC/libp11/issues/478
+https://github.com/OpenSC/OpenSC/pull/2656
+
+From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 1 Dec 2022 20:08:53 +0100
+Subject: [PATCH 1/4] pkcs11-tool: Fix private key import
+
+---
+ src/tools/pkcs11-tool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index aae205fe2c..cfee8526d5 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ RSA_get0_factors(r, &r_p, &r_q);
+ RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
+ #else
+- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||
++ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||
+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
+- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
+ util_fatal("OpenSSL error during RSA private key parsing");
++ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
+ }
+ #endif
+ RSA_GET_BN(rsa, private_exponent, r_d);
+
+From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 1 Dec 2022 20:11:41 +0100
+Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors
+
+---
+ src/tools/pkcs11-tool.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index cfee8526d5..f2e6b1dd91 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp;
+ r = EVP_PKEY_get1_RSA(pkey);
+ if (!r) {
+- if (private)
+- util_fatal("OpenSSL error during RSA private key parsing");
+- else
+- util_fatal("OpenSSL error during RSA public key parsing");
++ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
++ ERR_error_string(ERR_peek_last_error(), NULL));
+ }
+
+ RSA_get0_key(r, &r_n, &r_e, NULL);
+@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL;
+ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 ||
+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) {
+- if (private)
+- util_fatal("OpenSSL error during RSA private key parsing");
+- else
+- util_fatal("OpenSSL error during RSA public key parsing");
++ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
++ ERR_error_string(ERR_peek_last_error(), NULL));
+ }
+ #endif
+ RSA_GET_BN(rsa, modulus, r_n);
+@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
+- util_fatal("OpenSSL error during RSA private key parsing");
+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
++ util_fatal("OpenSSL error during RSA private key parsing: %s",
++ ERR_error_string(ERR_peek_last_error(), NULL));
+ }
+ #endif
+ RSA_GET_BN(rsa, private_exponent, r_d);
+
+From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 1 Dec 2022 20:38:31 +0100
+Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import
+
+---
+ tests/Makefile.am | 10 ++++---
+ tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+), 4 deletions(-)
+ create mode 100755 tests/test-pkcs11-tool-import.sh
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index d378e2ee00..9d8a24c321 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \
+ test-pkcs11-tool-test-threads.sh \
+ test-pkcs11-tool-sign-verify.sh \
+ test-pkcs11-tool-allowed-mechanisms.sh \
+- test-pkcs11-tool-sym-crypt-test.sh\
+- test-pkcs11-tool-unwrap-wrap-test.sh
++ test-pkcs11-tool-sym-crypt-test.sh \
++ test-pkcs11-tool-unwrap-wrap-test.sh \
++ test-pkcs11-tool-import.sh
+
+ .NOTPARALLEL:
+ TESTS = \
+@@ -25,8 +26,9 @@ TESTS = \
+ test-pkcs11-tool-test.sh \
+ test-pkcs11-tool-test-threads.sh \
+ test-pkcs11-tool-allowed-mechanisms.sh \
+- test-pkcs11-tool-sym-crypt-test.sh\
+- test-pkcs11-tool-unwrap-wrap-test.sh
++ test-pkcs11-tool-sym-crypt-test.sh \
++ test-pkcs11-tool-unwrap-wrap-test.sh \
++ test-pkcs11-tool-import.sh
+ XFAIL_TESTS = \
+ test-pkcs11-tool-test-threads.sh \
+ test-pkcs11-tool-test.sh
+diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
+new file mode 100755
+index 0000000000..76ff8e51be
+--- /dev/null
++++ b/tests/test-pkcs11-tool-import.sh
+@@ -0,0 +1,48 @@
++#!/bin/bash
++SOURCE_PATH=${SOURCE_PATH:-..}
++
++source $SOURCE_PATH/tests/common.sh
++
++echo "======================================================="
++echo "Setup SoftHSM"
++echo "======================================================="
++if [[ ! -f $P11LIB ]]; then
++ echo "WARNING: The SoftHSM is not installed. Can not run this test"
++ exit 77;
++fi
++card_setup
++
++ID="0100"
++OPTS=""
++for KEYTYPE in "RSA" "EC"; do
++ echo "======================================================="
++ echo "Generate and import $KEYTYPE keys"
++ echo "======================================================="
++ if [ "$KEYTYPE" == "RSA" ]; then
++ ID="0100"
++ elif [ "$KEYTYPE" == "EC" ]; then
++ ID="0200"
++ OPTS="-pkeyopt ec_paramgen_curve:P-521"
++ fi
++ openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS
++ assert $? "Failed to generate private $KEYTYPE key"
++ $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \
++ --label "$KEYTYPE" -p "$PIN" --module "$P11LIB"
++ assert $? "Failed to write private $KEYTYPE key"
++
++ openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER
++ assert $? "Failed to convert private $KEYTYPE key to public"
++ $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \
++ -p $PIN --module $P11LIB
++ assert $? "Failed to write public $KEYTYPE key"
++ # certificate import already tested in all other tests
++
++ rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der"
++done
++
++echo "======================================================="
++echo "Cleanup"
++echo "======================================================="
++card_cleanup
++
++exit $ERRORS
+
+From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jakuje@gmail.com>
+Date: Fri, 2 Dec 2022 18:07:43 +0100
+Subject: [PATCH 4/4] Simplify the new test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com>
+---
+ tests/test-pkcs11-tool-import.sh | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
+index 76ff8e51be..c90b3b4926 100755
+--- a/tests/test-pkcs11-tool-import.sh
++++ b/tests/test-pkcs11-tool-import.sh
+@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then
+ fi
+ card_setup
+
+-ID="0100"
+-OPTS=""
+ for KEYTYPE in "RSA" "EC"; do
+ echo "======================================================="
+ echo "Generate and import $KEYTYPE keys"
+ echo "======================================================="
+- if [ "$KEYTYPE" == "RSA" ]; then
+- ID="0100"
+- elif [ "$KEYTYPE" == "EC" ]; then
++ ID="0100"
++ OPTS=""
++ if [ "$KEYTYPE" == "EC" ]; then
+ ID="0200"
+ OPTS="-pkeyopt ec_paramgen_curve:P-521"
+ fi
diff --git a/dev-libs/opensc/opensc-0.23.0-r2.ebuild b/dev-libs/opensc/opensc-0.23.0-r2.ebuild
new file mode 100644
index 000000000000..7cbf82823f1a
--- /dev/null
+++ b/dev-libs/opensc/opensc-0.23.0-r2.ebuild
@@ -0,0 +1,81 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools bash-completion-r1
+
+DESCRIPTION="Libraries and applications to access smartcards"
+HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
+
+if [[ ${PV} == *9999 ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
+else
+ SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
+ KEYWORDS="~amd64 ~ppc64 ~riscv ~sparc ~x86"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
+RESTRICT="!test? ( test )"
+
+RDEPEND="zlib? ( sys-libs/zlib )
+ readline? ( sys-libs/readline:0= )
+ ssl? ( dev-libs/openssl:0= )
+ openct? ( >=dev-libs/openct-0.5.0 )
+ pace? ( dev-libs/openpace:= )
+ pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
+ notify? ( dev-libs/glib:2 )"
+DEPEND="${RDEPEND}
+ app-text/docbook-xsl-stylesheets
+ dev-libs/libxslt
+ test? ( dev-util/cmocka )"
+BDEPEND="virtual/pkgconfig"
+
+REQUIRED_USE="
+ pcsc-lite? ( !openct !ctapi )
+ openct? ( !pcsc-lite !ctapi )
+ ctapi? ( !pcsc-lite !openct )
+ || ( pcsc-lite openct ctapi )"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-CVE-2023-2977.patch
+ "${FILESDIR}"/${P}-0.23.0-backport-pr2656.patch
+)
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # don't want to run upstream's clang-tidy checks
+ export ac_cv_path_CLANGTIDY=""
+
+ econf \
+ --with-completiondir="$(get_bashcompdir)" \
+ --disable-strict \
+ --enable-man \
+ $(use_enable ctapi) \
+ $(use_enable doc) \
+ $(use_enable notify) \
+ $(use_enable openct) \
+ $(use_enable pace openpace) \
+ $(use_enable pcsc-lite pcsc) \
+ $(use_enable readline) \
+ $(use_enable secure-messaging sm) \
+ $(use_enable ssl openssl) \
+ $(use_enable test cmocka) \
+ $(use_enable zlib)
+}
+
+src_install() {
+ default
+
+ insinto /etc/pkcs11/modules/
+ doins "${FILESDIR}"/opensc.module
+
+ find "${ED}" -name '*.la' -delete || die
+}