From aaca60231084a6c090fe2005e82a1824a5c8cdaf Mon Sep 17 00:00:00 2001
From: QwQ
Date: Mon, 14 Nov 2022 07:19:39 +0000
Subject: [PATCH] v0.22.0-2
---
opensc-0.19.0-pinpad.patch | 13 ++
opensc-0.22.0-detect-empty.patch | 62 +++++++
opensc-0.22.0-file-cache.patch | 23 +++
opensc-0.22.0-init-var.patch | 27 +++
opensc-0.22.0-realloc-pointer.patch | 30 +++
opensc-0.22.0-support-itacns-2048.patch | 227 +++++++++++++++++++++++
opensc-32b-arch.patch | 33 ++++
opensc-gcc11.patch | 17 ++
opensc.module | 9 +
opensc.spec | 232 ++++++++++++++++--------
10 files changed, 598 insertions(+), 75 deletions(-)
create mode 100644 opensc-0.19.0-pinpad.patch
create mode 100644 opensc-0.22.0-detect-empty.patch
create mode 100644 opensc-0.22.0-file-cache.patch
create mode 100644 opensc-0.22.0-init-var.patch
create mode 100644 opensc-0.22.0-realloc-pointer.patch
create mode 100644 opensc-0.22.0-support-itacns-2048.patch
create mode 100644 opensc-32b-arch.patch
create mode 100644 opensc-gcc11.patch
create mode 100644 opensc.module
diff --git a/opensc-0.19.0-pinpad.patch b/opensc-0.19.0-pinpad.patch
new file mode 100644
index 0000000..f531b8b
--- /dev/null
+++ b/opensc-0.19.0-pinpad.patch
@@ -0,0 +1,13 @@
+diff -up opensc-0.19.0/etc/opensc.conf.pinpad opensc-0.19.0/etc/opensc.conf
+--- opensc-0.19.0/etc/opensc.conf.pinpad 2018-10-22 14:31:12.082963540 +0200
++++ opensc-0.19.0/etc/opensc.conf 2018-10-22 14:33:59.939410701 +0200
+@@ -4,4 +4,9 @@ app default {
+ framework pkcs15 {
+ # use_file_caching = true;
+ }
++ reader_driver pcsc {
++ # The pinpad is disabled by default,
++ # because of many broken readers out there
++ enable_pinpad = false;
++ }
+ }
diff --git a/opensc-0.22.0-detect-empty.patch b/opensc-0.22.0-detect-empty.patch
new file mode 100644
index 0000000..671aba2
--- /dev/null
+++ b/opensc-0.22.0-detect-empty.patch
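Review bot: The comment added above `enable_pinpad = false;` gives the reason (broken readers) but not the consequence: with the reader's pinpad disabled, the PIN is entered on the host and passes through host software instead of staying on the reader. Administrators who deploy a known-good pinpad reader need to know that this default trades that protection for compatibility. I would extend the comment, e.g. `# With the pinpad disabled the PIN is typed on the host; set enable_pinpad = true for readers known to work`.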
@@ -0,0 +1,62 @@ +From fe198e8b3837aa4c960e75d0e2a41020ad4dc9f9 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 24 Sep 2021 13:33:26 +0200 +Subject: [PATCH 1/9] pkcs11: Unbreak detection of unenrolled cards + +This was broken since 58b03b68, which tried to sanitize some states, +but caused C_GetTokenInfo returning CKR_TOKEN_NOT_RECOGNIZED instead +of empty token information. + +Note, that this has effect only if the configuration options +enable_default_driver and pkcs11_enable_InitToken are turned on. +Otherwise it still returns CKR_TOKEN_NOT_RECOGNIZED. +--- + src/pkcs11/framework-pkcs15.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/src/pkcs11/framework-pkcs15.c b/src/pkcs11/framework-pkcs15.c +index 74fe7b3c49..4205e41739 100644 +--- a/src/pkcs11/framework-pkcs15.c ++++ b/src/pkcs11/framework-pkcs15.c +@@ -544,9 +544,7 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) + { + struct sc_pkcs11_slot *slot; + struct pkcs15_fw_data *fw_data = NULL; +- struct sc_pkcs15_card *p15card = NULL; + struct sc_pkcs15_object *auth; +- struct sc_pkcs15_auth_info *pin_info; + CK_RV rv; + + sc_log(context, "C_GetTokenInfo(%lx)", slotID); +@@ -578,12 +576,6 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) + rv = sc_to_cryptoki_error(SC_ERROR_INTERNAL, "C_GetTokenInfo"); + goto out; + } +- p15card = fw_data->p15_card; +- if (!p15card) { +- rv = sc_to_cryptoki_error(SC_ERROR_INVALID_CARD, "C_GetTokenInfo"); +- goto out; +- } +- + /* User PIN flags are cleared before re-calculation */ + slot->token_info.flags &= ~(CKF_USER_PIN_COUNT_LOW|CKF_USER_PIN_FINAL_TRY|CKF_USER_PIN_LOCKED); + auth = slot_data_auth(slot->fw_data); +@@ -591,8 +583,17 @@ CK_RV C_GetTokenInfo(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) + "C_GetTokenInfo() auth. 
object %p, token-info flags 0x%lX", auth, + slot->token_info.flags); + if (auth) { ++ struct sc_pkcs15_card *p15card = NULL; ++ struct sc_pkcs15_auth_info *pin_info = NULL; ++ + pin_info = (struct sc_pkcs15_auth_info*) auth->data; + ++ p15card = fw_data->p15_card; ++ if (!p15card) { ++ rv = sc_to_cryptoki_error(SC_ERROR_INVALID_CARD, "C_GetTokenInfo"); ++ goto out; ++ } ++ + sc_pkcs15_get_pin_info(p15card, auth); + + if (pin_info->tries_left >= 0) { + diff --git a/opensc-0.22.0-file-cache.patch b/opensc-0.22.0-file-cache.patch new file mode 100644 index 0000000..3702537 --- /dev/null +++ b/opensc-0.22.0-file-cache.patch @@ -0,0 +1,23 @@ +diff -up opensc-0.22.0/etc/opensc.conf.file-cache opensc-0.22.0/etc/opensc.conf +--- opensc-0.22.0/etc/opensc.conf.file-cache 2021-10-08 13:14:44.091772071 +0200 ++++ opensc-0.22.0/etc/opensc.conf 2021-10-08 13:19:27.339051951 +0200 +@@ -2,7 +2,7 @@ app default { + # debug = 3; + # debug_file = opensc-debug.txt; + framework pkcs15 { +- # use_file_caching = true; ++ use_file_caching = true; + } + reader_driver pcsc { + # The pinpad is disabled by default, +@@ -10,3 +10,10 @@ app default { + enable_pinpad = false; + } + } ++# the pkcs15-init is used for card initialization when the file caching ++# brings more trouble than use so disable that: ++app pkcs15-init { ++ framework pkcs15 { ++ use_file_caching = false; ++ } ++} diff --git a/opensc-0.22.0-init-var.patch b/opensc-0.22.0-init-var.patch new file mode 100644 index 0000000..d86a076 --- /dev/null +++ b/opensc-0.22.0-init-var.patch 
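Review bot: Inside the `if (auth)` block of C_GetTokenInfo, `pin_info` is taken from `auth->data` and `pin_info->tries_left` is read right after `sc_pkcs15_get_pin_info(p15card, auth);`, with neither the pointer nor the call's result checked. A failed refresh would leave the PIN-count flags computed from stale or missing data. I would add a guard such as `if (!pin_info) { rv = sc_to_cryptoki_error(SC_ERROR_INVALID_CARD, "C_GetTokenInfo"); goto out; }` and only trust `tries_left` when the refresh succeeded. Whether `auth->data` can be NULL here depends on code outside the hunk, so please confirm; the function body starts and ends outside the visible lines.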
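Review bot: `use_file_caching = true;` is now the default for `app default`, and the only exemption is the new `app pkcs15-init` block, so any other tool that changes card contents would still run with caching enabled and could leave stale cached files behind. The added comment says caching "brings more trouble than use" during initialization but not where the cache is stored or how to clear it; that belongs in the comment. It is also worth asking whether other card-writing tools need the same `use_file_caching = false;` override. Which tools write to the card is not visible in this hunk, so treat that last part as a question.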
@@ -0,0 +1,27 @@
+From bd8269ed0afd24da2fc0c5350640f66f0641d4d4 Mon Sep 17 00:00:00 2001
+From: Veronika Hanulikova
+Date: Mon, 21 Feb 2022 14:02:32 +0100
+Subject: [PATCH] base64: Initialize variables
+
+---
+ src/libopensc/base64.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/base64.c b/src/libopensc/base64.c
+index 4fe79897..1aa1c941 100644
+--- a/src/libopensc/base64.c
++++ b/src/libopensc/base64.c
+@@ -150,8 +150,8 @@ int sc_base64_encode(const u8 *in, size_t len, u8 *out, size_t outlen, size_t li
+
+ int sc_base64_decode(const char *in, u8 *out, size_t outlen)
+ {
+- int len = 0, r, skip;
+- unsigned int i;
++ int len = 0, r = 0, skip = 0;
++ unsigned int i = 0;
+
+ while ((r = from_base64(in, &i, &skip)) > 0) {
+ int finished = 0, s = 16;
+--
+2.27.0
+
diff --git a/opensc-0.22.0-realloc-pointer.patch b/opensc-0.22.0-realloc-pointer.patch
new file mode 100644
index 0000000..0f0eeb4
--- /dev/null
+++ b/opensc-0.22.0-realloc-pointer.patch
@@ -0,0 +1,30 @@
+From b3537ced353579b59e2421645707e9aeda64ff29 Mon Sep 17 00:00:00 2001
+From: Veronika Hanulikova
+Date: Wed, 16 Feb 2022 11:59:27 +0100
+Subject: [PATCH] Fix usage of pointer after realloc
+
+---
+ src/sm/sm-iso.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/sm/sm-iso.c b/src/sm/sm-iso.c
+index 5baded77c6..2c3f6bcabd 100644
+--- a/src/sm/sm-iso.c
++++ b/src/sm/sm-iso.c
+@@ -181,13 +181,14 @@ static int format_le(size_t le, struct sc_asn1_entry *le_entry,
+
+ static int prefix_buf(u8 prefix, u8 *buf, size_t buflen, u8 **cat)
+ {
+- u8 *p;
++ u8 *p = NULL;
++ int ptr_same = *cat == buf;
+
+ p = realloc(*cat, buflen + 1);
+ if (!p)
+ return SC_ERROR_OUT_OF_MEMORY;
+
+- if (*cat == buf) {
++ if (ptr_same) {
+ memmove(p + 1, p, buflen);
+ } else {
+ /* Flawfinder: ignore */
diff --git a/opensc-0.22.0-support-itacns-2048.patch b/opensc-0.22.0-support-itacns-2048.patch
new file mode 100644
index 0000000..b420c87
--- /dev/null
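Review bot: `int ptr_same = *cat == buf;` in prefix_buf is the whole fix, yet it carries no explanation, so a later cleanup could fold the comparison back below the `realloc` call. I would add a comment on that line such as `/* compare before realloc(): the old value of *cat must not be used once the block may have been freed or moved */`. Separately, `buflen + 1` is passed to `realloc` with no overflow check; the callers are outside the hunk, so whether `buflen` can reach `SIZE_MAX` is unknown, but `if (buflen == SIZE_MAX) return SC_ERROR_INVALID_ARGUMENTS;` is a cheap guard. The function body continues past the end of the hunk.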
+++ b/opensc-0.22.0-support-itacns-2048.patch 
@@ -0,0 +1,227 @@ +From 24d6c30dcfec00c425360414b2b75336a42982e8 Mon Sep 17 00:00:00 2001 +From: 0xdebe +Date: Thu, 29 Jul 2021 17:13:01 +0200 +Subject: [PATCH 1/3] fix Key Lenght for ST2021 + +--- + src/libopensc/card-itacns.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/card-itacns.c b/src/libopensc/card-itacns.c +index bf085cafbc..52e144f194 100644 +--- a/src/libopensc/card-itacns.c ++++ b/src/libopensc/card-itacns.c +@@ -105,7 +105,7 @@ static int itacns_match_cns_card(sc_card_t *card, unsigned int i) + DRVDATA(card)->cns_version = atr[i]; + } + /* Warn if the version is not 1.0. */ +- if(atr[i] != 0x10) { ++ if(atr[i] != 0x10 && atr[i] != 0x11) { + char version[8]; + snprintf(version, sizeof(version), "%d.%d", (atr[i] >> 4) & 0x0f, atr[i] & 0x0f); + sc_log(card->ctx, "CNS card version %s; no official specifications " +@@ -219,8 +219,13 @@ static int itacns_init(sc_card_t *card) + | SC_ALGORITHM_RSA_RAW + | SC_ALGORITHM_RSA_HASHES + ; ++ + _sc_card_add_rsa_alg(card, 1024, flags, 0); + ++ if (DRVDATA(card)->cns_version == 0x11) { ++ card->caps |= SC_CARD_CAP_APDU_EXT; ++ _sc_card_add_rsa_alg(card, 2048, flags, 0); ++ } + return SC_SUCCESS; + } + + +From 9a38cd36c2823efb2b7615902e7cbef0534da1aa Mon Sep 17 00:00:00 2001 +From: 0xdebe +Date: Thu, 29 Jul 2021 17:13:16 +0200 +Subject: [PATCH 2/3] fix Modulus Lenght for ST2021 + +--- + src/libopensc/pkcs15-itacns.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-itacns.c b/src/libopensc/pkcs15-itacns.c +index 9c9b40a591..875b12276d 100644 +--- a/src/libopensc/pkcs15-itacns.c ++++ b/src/libopensc/pkcs15-itacns.c +@@ -283,7 +283,16 @@ static int itacns_add_pubkey(sc_pkcs15_card_t *p15card, + * This is hard-coded, unless unforeseen versions of the CNS + * turn up sometime. 
+ */ +- info.modulus_length = 1024; ++ ++ /* This is the unforseen version :D */ ++ if (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) { ++ info.modulus_length = 2048; ++ } ++ else { ++ info.modulus_length = 1024; ++ } ++ ++ + + *modulus_len_out = info.modulus_length; + r = sc_pkcs15emu_add_rsa_pubkey(p15card, &obj, &info); +@@ -590,6 +599,10 @@ static int itacns_add_keyset(sc_pkcs15_card_t *p15card, + + /* This is hard-coded, for the time being. */ + int modulus_length = 1024; ++ /* it's a ST2021? */ ++ if (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) { ++ modulus_length = 2048; ++ } + + /* Public key; not really needed */ + /* FIXME: set usage according to the certificate. */ + +From 03707e182235ce9f83d3847e33f4fb4e38eebe42 Mon Sep 17 00:00:00 2001 +From: 0xdebe +Date: Sat, 31 Jul 2021 16:25:58 +0200 +Subject: [PATCH 3/3] fix modulus len + +--- + src/libopensc/card-itacns.c | 2 +- + src/libopensc/pkcs15-itacns.c | 43 ++++++++++++----------------------- + 2 files changed, 15 insertions(+), 30 deletions(-) + +diff --git a/src/libopensc/card-itacns.c b/src/libopensc/card-itacns.c +index 52e144f194..b26f9d3317 100644 +--- a/src/libopensc/card-itacns.c ++++ b/src/libopensc/card-itacns.c +@@ -104,7 +104,7 @@ static int itacns_match_cns_card(sc_card_t *card, unsigned int i) + if(card->driver) { + DRVDATA(card)->cns_version = atr[i]; + } +- /* Warn if the version is not 1.0. */ ++ /* Warn if version is not 1.X. 
*/ + if(atr[i] != 0x10 && atr[i] != 0x11) { + char version[8]; + snprintf(version, sizeof(version), "%d.%d", (atr[i] >> 4) & 0x0f, atr[i] & 0x0f); +diff --git a/src/libopensc/pkcs15-itacns.c b/src/libopensc/pkcs15-itacns.c +index 875b12276d..afdf459c4e 100644 +--- a/src/libopensc/pkcs15-itacns.c ++++ b/src/libopensc/pkcs15-itacns.c +@@ -189,7 +189,7 @@ static int loadFile(const sc_pkcs15_card_t *p15card, const sc_path_t *path, + static int itacns_add_cert(sc_pkcs15_card_t *p15card, + int type, int authority, const sc_path_t *path, + const sc_pkcs15_id_t *id, const char *label, int obj_flags, +- int *ext_info_ok, int *key_usage, int *x_key_usage) ++ int *ext_info_ok, int *key_usage, int *x_key_usage, int *modulus_len) + { + int r; + /* const char *label = "Certificate"; */ +@@ -237,6 +237,11 @@ static int itacns_add_cert(sc_pkcs15_card_t *p15card, + const u8 *throwaway = cert->data.value; + x509 = d2i_X509(NULL, &throwaway, cert->data.len); + } ++ ++ if (cert->key && cert->key->algorithm == SC_ALGORITHM_RSA) { ++ *modulus_len = cert->key->u.rsa.modulus.len * 8; ++ } ++ + sc_pkcs15_free_certificate(cert); + if (!x509) return SC_SUCCESS; + X509_check_purpose(x509, -1, 0); +@@ -260,7 +265,7 @@ static int itacns_add_cert(sc_pkcs15_card_t *p15card, + + static int itacns_add_pubkey(sc_pkcs15_card_t *p15card, + const sc_path_t *path, const sc_pkcs15_id_t *id, const char *label, +- int usage, int ref, int obj_flags, int *modulus_len_out) ++ int usage, int ref, int obj_flags, int modulus_len) + { + int r; + sc_pkcs15_pubkey_info_t info; +@@ -279,22 +284,8 @@ static int itacns_add_pubkey(sc_pkcs15_card_t *p15card, + strlcpy(obj.label, label, sizeof(obj.label)); + obj.flags = obj_flags; + +- /* +- * This is hard-coded, unless unforeseen versions of the CNS +- * turn up sometime. 
+- */ +- +- /* This is the unforseen version :D */ +- if (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) { +- info.modulus_length = 2048; +- } +- else { +- info.modulus_length = 1024; +- } ++ info.modulus_length = modulus_len; + +- +- +- *modulus_len_out = info.modulus_length; + r = sc_pkcs15emu_add_rsa_pubkey(p15card, &obj, &info); + LOG_TEST_RET(p15card->card->ctx, r, + "Could not add pub key"); +@@ -589,7 +580,7 @@ static int itacns_add_keyset(sc_pkcs15_card_t *p15card, + const char *label, int sec_env, sc_pkcs15_id_t *cert_id, + const char *pubkey_path, const char *prkey_path, + unsigned int pubkey_usage_flags, unsigned int prkey_usage_flags, +- u8 pin_ref) ++ u8 pin_ref, int modulus_len) + { + int r; + sc_path_t path; +@@ -597,19 +588,13 @@ static int itacns_add_keyset(sc_pkcs15_card_t *p15card, + char pinlabel[16]; + int fake_puk_authid, pin_flags; + +- /* This is hard-coded, for the time being. */ +- int modulus_length = 1024; +- /* it's a ST2021? */ +- if (((itacns_drv_data_t *) p15card->card->drv_data)->cns_version == 0x11) { +- modulus_length = 2048; +- } + + /* Public key; not really needed */ + /* FIXME: set usage according to the certificate. 
*/ + if (pubkey_path) { + sc_format_path(pubkey_path, &path); + r = itacns_add_pubkey(p15card, &path, cert_id, label, +- pubkey_usage_flags, sec_env, 0, &modulus_length); ++ pubkey_usage_flags, sec_env, 0, modulus_len); + LOG_TEST_RET(p15card->card->ctx, r, + "Could not add public key"); + } +@@ -623,7 +608,7 @@ static int itacns_add_keyset(sc_pkcs15_card_t *p15card, + private_path = &path; + } + r = itacns_add_prkey(p15card, cert_id, label, SC_PKCS15_TYPE_PRKEY_RSA, +- modulus_length, ++ modulus_len, + prkey_usage_flags, + private_path, sec_env, cert_id, SC_PKCS15_CO_FLAG_PRIVATE); + LOG_TEST_RET(p15card->card->ctx, r, +@@ -674,7 +659,7 @@ static int itacns_check_and_add_keyset(sc_pkcs15_card_t *p15card, + sc_path_t path; + sc_pkcs15_id_t cert_id; + int ext_info_ok; +- int ku = 0, xku = 0; ++ int ku = 0, xku = 0, modulus_len = 0; + int pubkey_usage_flags = 0, prkey_usage_flags = 0; + + cert_id.len = 1; +@@ -720,7 +705,7 @@ static int itacns_check_and_add_keyset(sc_pkcs15_card_t *p15card, + } + + r = itacns_add_cert(p15card, SC_PKCS15_TYPE_CERT_X509, 0, +- &path, &cert_id, label, 0, &ext_info_ok, &ku, &xku); ++ &path, &cert_id, label, 0, &ext_info_ok, &ku, &xku, &modulus_len); + if (r == SC_ERROR_INVALID_ASN1_OBJECT) + return 0; + LOG_TEST_RET(p15card->card->ctx, r, +@@ -765,7 +750,7 @@ static int itacns_check_and_add_keyset(sc_pkcs15_card_t *p15card, + + r = itacns_add_keyset(p15card, label, sec_env, &cert_id, + pubkey_path, prkey_path, pubkey_usage_flags, prkey_usage_flags, +- pin_ref); ++ pin_ref, modulus_len); + LOG_TEST_RET(p15card->card->ctx, r, + "Could not add keys for this certificate"); + diff --git a/opensc-32b-arch.patch b/opensc-32b-arch.patch new file mode 100644 index 0000000..70213b1 --- /dev/null +++ b/opensc-32b-arch.patch 
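Review bot: After the third patch in this series, `modulus_len` in itacns_check_and_add_keyset starts at 0 and is only set in itacns_add_cert when `cert->key` is present and RSA, so the former 1024-bit default is gone and a 0 can reach itacns_add_keyset and `info.modulus_length`. The value is also now taken directly from the certificate read off the card (`cert->key->u.rsa.modulus.len * 8`, a length narrowed to `int`) with no comparison against the key sizes registered in itacns_init. At minimum I would restore the fallback before the itacns_add_keyset call, `if (modulus_len <= 0) modulus_len = 1024;`, and consider rejecting sizes the driver did not register rather than passing them through. The enclosing functions extend beyond the hunks shown, so please check whether an earlier return already covers the non-RSA case.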
@@ -0,0 +1,33 @@
+commit 6bc05d7037041e543d627248ca9df90723426ce1
+Author: Jakub Jelen
+Date: Tue Aug 10 16:30:40 2021 +0200
+
+ p11test: Fix invalid format string on 32b architectures
+
+diff --git a/src/tests/p11test/p11test.c b/src/tests/p11test/p11test.c
+index dbac167d..49de6a93 100644
+--- a/src/tests/p11test/p11test.c
++++ b/src/tests/p11test/p11test.c
+@@ -139,7 +139,7 @@ int main(int argc, char** argv) {
+ return -1;
+ }
+
+- debug_print("Card info:\n\tPIN %s\n\tPIN LENGTH %lu\n\t",
++ debug_print("Card info:\n\tPIN %s\n\tPIN LENGTH %zu\n\t",
+ token.pin, token.pin_length);
+
+ return cmocka_run_group_tests(readonly_tests_without_initialization,
+diff --git a/src/tests/p11test/p11test_case_pss_oaep.c b/src/tests/p11test/p11test_case_pss_oaep.c
+index 1d876a5b..5a6ae9d0 100644
+--- a/src/tests/p11test/p11test_case_pss_oaep.c
++++ b/src/tests/p11test/p11test_case_pss_oaep.c
+@@ -402,7 +402,7 @@ int oaep_encrypt_decrypt_test(test_cert_t *o, token_info_t *info, test_mech_t *m
+ if (message_length < 0) {
+ mech->usage_flags &= ~CKF_DECRYPT;
+ debug_print(" [SKIP %s ] Too small modulus (%ld bits)"
+- " or too large hash %s (%lu B) for OAEP", o->id_str,
++ " or too large hash %s (%zu B) for OAEP", o->id_str,
+ o->bits, get_mechanism_name(mech->hash),
+ get_hash_length(mech->hash));
+ return 0;
+
diff --git a/opensc-gcc11.patch b/opensc-gcc11.patch
new file mode 100644
index 0000000..0f41d60
--- /dev/null
+++ b/opensc-gcc11.patch
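Review bot: The `debug_print` call touched in `main` of p11test.c still writes the token PIN in clear (`PIN %s` with `token.pin`), so the PIN ends up wherever debug output is captured, for example build or CI logs now that the spec runs `make check`. Since the format string is being corrected anyway, I would drop the PIN and keep only its length: `debug_print("Card info:\n\tPIN LENGTH %zu\n\t", token.pin_length);`. How `debug_print` is gated is not visible in this hunk. In p11test_case_pss_oaep.c the `%ld` used for `o->bits` is left as is; if that field is unsigned, the specifier deserves the same check.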
@@ -0,0 +1,17 @@
+diff --git a/src/tools/opensc-explorer.c b/src/tools/opensc-explorer.c
+index 41e620a..57f8a79 100644
+--- a/src/tools/opensc-explorer.c
++++ b/src/tools/opensc-explorer.c
+@@ -1839,6 +1839,12 @@ static int do_apdu(int argc, char **argv)
+ if (argc < 1)
+ return usage(do_apdu);
+
++ /* gcc-11 complains about BUF potentially being used without being
++ initialized. I can't convince myself that the calls to
++ parse_string_or_hexdata will fully initialize it, so we just
++ initialize it here. */
++ memset (buf, 0, sizeof (buf));
++
+ /* loop over the args and parse them, making sure the result fits into buf[] */
+ for (i = 0, len = 0; i < (unsigned) argc && len < sizeof(buf); i++) {
+ size_t len0 = sizeof(buf) - len;
diff --git a/opensc.module b/opensc.module
new file mode 100644
index 0000000..c6699af
--- /dev/null
+++ b/opensc.module
@@ -0,0 +1,9 @@
+# This file describes how to load the opensc module
+# See: https://p11-glue.github.io/p11-glue/p11-kit/manual/pkcs11-conf.html
+# or man pkcs11.conf
+
+# This is a relative path, which means it will be loaded from
+# the p11-kit default path which is usually $(libdir)/pkcs11.
+# Doing it this way allows for packagers to package opensc for
+# 32-bit and 64-bit and make them parallel installable
+module: opensc-pkcs11.so
diff --git a/opensc.spec b/opensc.spec
index b15fcbb..7976b1f 100644
--- a/opensc.spec
+++ b/opensc.spec
@@ -1,139 +1,221 @@ -%define opensc_module "OpenSC PKCS #11 Module" -%define nssdb %{_sysconfdir}/pki/nssdb +Name: opensc +Version: 0.22.0 +Release: 2 +Summary: Smart card library and applications +License: LGPLv2+ +URL: https://github.com/OpenSC/OpenSC/wiki +Source0: https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz +Source1: opensc.module +Patch1: opensc-0.19.0-pinpad.patch +# https://github.com/OpenSC/OpenSC/pull/2241/ +Patch5: %{name}-gcc11.patch +Patch6: %{name}-32b-arch.patch +# File caching by default (#2000626) +Patch8: %{name}-%{version}-file-cache.patch +# https://github.com/OpenSC/OpenSC/pull/2414 (#2007029) +Patch9: %{name}-%{version}-detect-empty.patch +# https://github.com/OpenSC/OpenSC/pull/2512 (#2046792) +Patch10: %{name}-%{version}-realloc-pointer.patch +Patch11: %{name}-%{version}-init-var.patch +# https://github.com/OpenSC/OpenSC/pull/2371 (#2080783) +Patch12: %{name}-%{version}-support-itacns-2048.patch -Name: opensc -Version: 0.22.0 -Release: 1 -License: LGPLv2.1+ -Summary: Smart card library and applications -URL: https://github.com/OpenSC/OpenSC/wiki -Source0: https://github.com/OpenSC/OpenSC/releases/download/%{version}/%{name}-%{version}.tar.gz - - -BuildRequires: openssl-devel pcsc-lite-devel bash-completion docbook-style-xsl readline-devel -BuildRequires: desktop-file-utils /usr/bin/xsltproc autoconf automake libtool gcc -Requires: pcsc-lite -Obsoletes: coolkey <= 1.1.0-36 -Obsoletes: mozilla-opensc-signer < 0.12.0 -Obsoletes: opensc-devel < 0.12.0 +BuildRequires: make +BuildRequires: pcsc-lite-devel +BuildRequires: readline-devel +BuildRequires: openssl-devel +BuildRequires: /usr/bin/xsltproc +BuildRequires: docbook-style-xsl +BuildRequires: autoconf automake libtool gcc +BuildRequires: bash-completion +BuildRequires: zlib-devel +# For tests +BuildRequires: libcmocka-devel +%if ! 
0%{?rhel} +BuildRequires: softhsm +%endif +BuildRequires: openssl +Requires: pcsc-lite-libs%{?_isa} +Requires: pcsc-lite +Obsoletes: mozilla-opensc-signer < 0.12.0 +Obsoletes: opensc-devel < 0.12.0 +Obsoletes: coolkey <= 1.1.0-36 +# The simclist is bundled in upstream +Provides: bundled(simclist) = 1.5 %description -OpenSC provides a set of libraries and utilities to work with smart cards. -Its main focus is on cards that support cryptographic operations, and -facilitate their use in security applications such as authentication, -mail encryption and digital signatures. OpenSC implements the standard -APIs to smart cards, e.g. PKCS#11 API, Windows’ Smart Card Minidriver -and macOS Tokend. - -%package_help +OpenSC provides a set of libraries and utilities to work with smart cards. Its +main focus is on cards that support cryptographic operations, and facilitate +their use in security applications such as authentication, mail encryption and +digital signatures. OpenSC implements the PKCS#11 API so applications +supporting this API (such as Mozilla Firefox and Thunderbird) can use it. On +the card OpenSC implements the PKCS#15 standard and aims to be compatible with +every software/card that does so, too. %prep -%autosetup -n %{name}-%{version} -p1 +%setup -q +%patch1 -p1 -b .pinpad +%patch5 -p1 -b .gcc11 +%patch6 -p1 -b .32b +%patch8 -p1 -b .file-cache +%patch9 -p1 -b .detect-empty +%patch10 -p1 -b .realloc-pointer +%patch11 -p1 -b .init-var +%patch12 -p1 -b .support-itacns-2048 + +# The test-pkcs11-tool-allowed-mechanisms already works in Fedora +sed -i -e '/XFAIL_TESTS/,$ { + s/XFAIL_TESTS.*/XFAIL_TESTS=test-pkcs11-tool-test-threads.sh/ + q +}' tests/Makefile.am -sed -i -e 's|/usr/local/towitoko/lib/|/usr/lib/ctapi/|' etc/opensc.conf.example.in cp -p src/pkcs15init/README ./README.pkcs15init cp -p src/scconf/README.scconf . 
+# No {_libdir} here to avoid multilib conflicts; it's just an example +sed -i -e 's|/usr/local/towitoko/lib/|/usr/lib/ctapi/|' etc/opensc.conf.example.in %build autoreconf -fvi +%ifarch %{ix86} sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in +%endif sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths +%set_build_flags +CFLAGS="$CFLAGS -Wstrict-aliasing=2 -Wno-deprecated-declarations" %configure --disable-static \ + --disable-autostart-items \ + --disable-notify \ --disable-assert \ - --disable-tests \ - --enable-sm \ --enable-pcsc \ + --enable-cmocka \ + --enable-sm \ --with-pcsc-provider=libpcsclite.so.1 %make_build +%check +make check + %install -make install DESTDIR=$RPM_BUILD_ROOT +%make_install +install -Dpm 644 %{SOURCE1} $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/opensc.module + +%ifarch %{ix86} +# To avoid multilib issues, move these files on 32b intel architectures rm -f $RPM_BUILD_ROOT%{_sysconfdir}/opensc.conf install -Dpm 644 etc/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf +rm -f $RPM_BUILD_ROOT%{_mandir}/man5/opensc.conf.5 +install -Dpm 644 doc/files/opensc.conf.5 $RPM_BUILD_ROOT%{_mandir}/man5/opensc-%{_arch}.conf.5 +# use NEWS file timestamp as reference for configuration file touch -r NEWS $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf +touch -r NEWS $RPM_BUILD_ROOT%{_mandir}/man5/opensc-%{_arch}.conf.5 +%else +# For backward compatibility, symlink the old location to the new files +ln -s %{_sysconfdir}/opensc.conf $RPM_BUILD_ROOT%{_sysconfdir}/opensc-%{_arch}.conf +%endif + find $RPM_BUILD_ROOT%{_libdir} -type f -name "*.la" | xargs rm -rm -rf %{buildroot}%{_mandir}/man1/npa-tool.1* -rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so -rm -rf %{buildroot}%{_bindir}/npa-tool -rm -f $RPM_BUILD_ROOT%{_libdir}/libopensc.so + rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/opensc -rm -rf %{buildroot}%{_bindir}/pkcs11-register -rm -rf %{buildroot}%{_mandir}/man1/pkcs11-register.1* -rm -rf 
%{buildroot}%{_sysconfdir}/xdg/autostart/pkcs11-register.desktop -desktop-file-validate %{buildroot}/%{_datadir}/applications/org.opensc.notify.desktop +# Upstream considers libopensc API internal and no longer ships +# public headers and pkgconfig files. +# Remove the symlink as nothing is supposed to link against libopensc. +rm -f $RPM_BUILD_ROOT%{_libdir}/libopensc.so +# remove the .pc file so we do not confuse users #1673139 +rm -f $RPM_BUILD_ROOT%{_libdir}/pkgconfig/*.pc +rm -f $RPM_BUILD_ROOT%{_libdir}/libsmm-local.so +%if 0%{?rhel} && 0%{?rhel} < 7 +rm -rf %{buildroot}%{_datadir}/bash-completion/ +%endif -%check -make check +# the npa-tool builds to nothing since we do not have OpenPACE library +rm -rf %{buildroot}%{_bindir}/npa-tool +rm -rf %{buildroot}%{_mandir}/man1/npa-tool.1* -%post -/sbin/ldconfig +# the pkcs11-register is not applicable to Fedora/RHEL where we use p11-kit +rm -rf %{buildroot}%{_bindir}/pkcs11-register +rm -rf %{buildroot}%{_mandir}/man1/pkcs11-register.1* -%postun -/sbin/ldconfig +# Remove the notification files +rm %{buildroot}%{_bindir}/opensc-notify +rm %{buildroot}%{_datadir}/applications/org.opensc.notify.desktop +rm %{buildroot}%{_mandir}/man1/opensc-notify.1* -%files help -%{_mandir}/man1/cardos-tool.1* -%{_mandir}/man1/cryptoflex-tool.1* -%{_mandir}/man1/dnie-tool.1* -%{_mandir}/man1/egk-tool.1* -%{_mandir}/man1/eidenv.1* -%{_mandir}/man1/gids-tool.1* -%{_mandir}/man1/goid-tool.1* -%{_mandir}/man1/iasecc-tool.1* -%{_mandir}/man1/netkey-tool.1* -%{_mandir}/man1/openpgp-tool.1* -%{_mandir}/man1/opensc-explorer.* -%{_mandir}/man1/opensc-tool.1* -%{_mandir}/man1/opensc-asn1.1* -%{_mandir}/man1/opensc-notify.1* -%{_mandir}/man1/piv-tool.1* -%{_mandir}/man1/pkcs11-tool.1* -%{_mandir}/man1/pkcs15-crypt.1* -%{_mandir}/man1/pkcs15-init.1* -%{_mandir}/man1/pkcs15-tool.1* -%{_mandir}/man1/sc-hsm-tool.1* -%{_mandir}/man1/westcos-tool.1* -%{_mandir}/man5/*.5* %files %doc COPYING NEWS README* + +%if ! 
0%{?rhel} || 0%{?rhel} >= 7 %{_datadir}/bash-completion/* +%endif + +%ifarch %{ix86} +%{_mandir}/man5/opensc-%{_arch}.conf.5* +%else +%config(noreplace) %{_sysconfdir}/opensc.conf +%{_mandir}/man5/opensc.conf.5* +%endif + %config(noreplace) %{_sysconfdir}/opensc-%{_arch}.conf +# Co-owned with p11-kit so it is not hard dependency +%dir %{_datadir}/p11-kit +%dir %{_datadir}/p11-kit/modules +%{_datadir}/p11-kit/modules/opensc.module %{_bindir}/cardos-tool %{_bindir}/cryptoflex-tool -%{_bindir}/dnie-tool -%{_bindir}/egk-tool %{_bindir}/eidenv %{_bindir}/iasecc-tool %{_bindir}/gids-tool -%{_bindir}/goid-tool %{_bindir}/netkey-tool %{_bindir}/openpgp-tool %{_bindir}/opensc-explorer %{_bindir}/opensc-tool %{_bindir}/opensc-asn1 -%{_bindir}/opensc-notify %{_bindir}/piv-tool %{_bindir}/pkcs11-tool %{_bindir}/pkcs15-crypt %{_bindir}/pkcs15-init %{_bindir}/pkcs15-tool %{_bindir}/sc-hsm-tool +%{_bindir}/dnie-tool %{_bindir}/westcos-tool +%{_bindir}/egk-tool +%{_bindir}/goid-tool %{_libdir}/lib*.so.* %{_libdir}/opensc-pkcs11.so -%{_libdir}/onepin-opensc-pkcs11.so %{_libdir}/pkcs11-spy.so -%{_libdir}/pkgconfig/*.pc +%{_libdir}/onepin-opensc-pkcs11.so +%%dir %{_libdir}/pkcs11 %{_libdir}/pkcs11/opensc-pkcs11.so %{_libdir}/pkcs11/onepin-opensc-pkcs11.so %{_libdir}/pkcs11/pkcs11-spy.so -%dir %{_libdir}/pkcs11 -%{_datadir}/applications/org.opensc.notify.desktop %{_datadir}/opensc/ +%{_mandir}/man1/cardos-tool.1* +%{_mandir}/man1/cryptoflex-tool.1* +%{_mandir}/man1/eidenv.1* +%{_mandir}/man1/gids-tool.1* +%{_mandir}/man1/goid-tool.1* +%{_mandir}/man1/iasecc-tool.1* +%{_mandir}/man1/netkey-tool.1* +%{_mandir}/man1/openpgp-tool.1* +%{_mandir}/man1/opensc-explorer.* +%{_mandir}/man1/opensc-tool.1* +%{_mandir}/man1/opensc-asn1.1* +%{_mandir}/man1/piv-tool.1* +%{_mandir}/man1/pkcs11-tool.1* +%{_mandir}/man1/pkcs15-crypt.1* +%{_mandir}/man1/pkcs15-init.1* +%{_mandir}/man1/pkcs15-tool.1* +%{_mandir}/man1/sc-hsm-tool.1* +%{_mandir}/man1/westcos-tool.1* +%{_mandir}/man1/dnie-tool.1* 
+%{_mandir}/man1/egk-tool.1* +%{_mandir}/man5/pkcs15-profile.5* %changelog +* Mon Nov 14 2022 hkgy - 0.22.0-2 +- Upgrade to v0.22.0-2 + * Thu Aug 19 2021 zoulin - 0.22.0-1 - Update version to 0.22.0 -- Gitee
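Review bot: The new `%changelog` entry says only `- Upgrade to v0.22.0-2`, although this release adds eight patches, among them a fix for use of a pointer after `realloc` (Patch10) and initialization of variables in base64 decoding (Patch11), and it changes shipped defaults (file caching on, pinpad off). Anyone tracking security-relevant changes through the package changelog cannot see any of that. I would list them, e.g. `- Fix usage of pointer after realloc in sm-iso.c` and `- Enable file caching by default, disable pinpad by default`. Also, `%prep` unpacks `Source0` with no signature or checksum verification step; if the build system does not pin source hashes elsewhere, that is worth adding.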