commit: e2c4faef071d1e2210ea330d5f14f1fe80403527 Author: Amy Liffey <amynka <AT> gentoo <DOT> org> AuthorDate: Thu Aug 15 19:14:35 2019 +0000 Commit: Amy Liffey <amynka <AT> gentoo <DOT> org> CommitDate: Thu Aug 15 19:19:35 2019 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2c4faef
app-crypt/eid-mw: version bump 4.4.19 Closes: https://bugs.gentoo.org/690038 Submitted-by: Vincent Hardy <vincent.hardy.be <AT> gmail.com> Package-Manager: Portage-2.3.69, Repoman-2.3.16 Signed-off-by: Amy Liffey <amynka <AT> gentoo.org> app-crypt/eid-mw/Manifest | 1 + app-crypt/eid-mw/eid-mw-4.4.19.ebuild | 103 ++++++++ app-crypt/eid-mw/files/eid-sign-test-4.4.19.patch | 272 ++++++++++++++++++++++ 3 files changed, 376 insertions(+) diff --git a/app-crypt/eid-mw/Manifest b/app-crypt/eid-mw/Manifest index debf3f3f29b..644dc3133d4 100644 --- a/app-crypt/eid-mw/Manifest +++ b/app-crypt/eid-mw/Manifest @@ -1,2 +1,3 @@ DIST eid-mw-4.4.1.tar.gz 7708697 BLAKE2B 7bdbaa37af1cdd5a8abd1519939f663c7c871cea49850932d97c391465de362885b061c024285ab2690473a4bb1ba57a70fdc12a720246b2a610ac9525f6395e SHA512 9de54858ac052eeff101070dd11c5cf60ab1d29b8dc8d946680745acf9aa6ba1044ca5451eca6066b5b467fbc32a2a23bbe7e8551ca7559e6003a4097a304cfc DIST eid-mw-4.4.11.tar.gz 7975630 BLAKE2B e7b052736cba98c53e97e9de15ea8e54f508c28471a7a936c5d28539648f5d3454983d9c9a21cf5959a070849865de5ca58d5d29ad64eb08209afd40959c56ae SHA512 35273492abc0efa7146848c82770bcd5e4ce1b7c9971ce45686b4d3244332456011db6df05154ad6a204854fd13ac3dce8f7b8cd6112a2e60a7b8434f3c4a196 +DIST eid-mw-4.4.19.tar.gz 7941144 BLAKE2B c02f975081eacf7803839461ae91e3c6a24c3e2fc60064a981cc71f629925679b0df997e8acbe2da2f1e58dcc665b8633e3c9bf28b07be90ac8cdd0448e80848 SHA512 21530111461302123be662dd60f3fbd56ffd8a0537cac88c99d5a6bcd9163a27bc34e05beaf7502dd5ada247ca324d21590a866907b5a7a02ce3d8d78fcac634 diff --git a/app-crypt/eid-mw/eid-mw-4.4.19.ebuild b/app-crypt/eid-mw/eid-mw-4.4.19.ebuild new file mode 100644 index 00000000000..98c8bfee6ce --- /dev/null +++ b/app-crypt/eid-mw/eid-mw-4.4.19.ebuild @@ -0,0 +1,103 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit autotools desktop gnome2-utils xdg-utils + +DESCRIPTION="Electronic Identity Card middleware supplied by the Belgian Federal Government" +HOMEPAGE="https://eid.belgium.be"; +SRC_URI="https://codeload.github.com/fedict/${PN}/tar.gz/v${PV} -> ${P}.tar.gz" + +LICENSE="LGPL-3" +SLOT="0" +KEYWORDS="~amd64 ~arm ~x86" +IUSE="+dialogs +gtk +p11v220 p11-kit" + +RDEPEND=">=sys-apps/pcsc-lite-1.2.9 + gtk? ( + x11-libs/gdk-pixbuf[jpeg] + x11-libs/gtk+:* + dev-libs/libxml2 + net-misc/curl[ssl] + net-libs/libproxy + !app-misc/eid-viewer-bin + ) + p11-kit? ( app-crypt/p11-kit )" + +DEPEND="${RDEPEND} + virtual/pkgconfig" + +REQUIRED_USE="dialogs? ( gtk )" + +src_prepare() { + default + + sed -i -e 's:/beid/rsaref220:/rsaref220:' configure.ac || die + sed -i -e 's:/beid::' cardcomm/pkcs11/src/libbeidpkcs11.pc.in || die + + # Buggy internal versioning when autoreconf a tarball release. + # Weird numbering is required otherwise we get a seg fault in + # about-eid-mw program. + echo "${PV}-v${PV}" > .version + sed -i \ + -e '/^GITDESC/ d' \ + -e '/^VERCLEAN/ d' \ + scripts/build-aux/genver.sh + + # legacy xpi module : we don't want it anymore + sed -i -e '/SUBDIRS/ s:plugins_tools/xpi ::' Makefile.am || die + sed -i -e '/plugins_tools\/xpi/ d' configure.ac || die + + # hardcoded lsb_info + sed -i \ + -e "s:get_lsb_info('i'):strdup(_(\"Gentoo\")):" \ + -e "s:get_lsb_info('r'):strdup(_(\"n/a\")):" \ + -e "s:get_lsb_info('c'):strdup(_(\"n/a\")):" \ + plugins_tools/aboutmw/gtk/about-main.c || die + + # Fix libdir for pkcs11_manifestdir + sed -i \ + -e "/pkcs11_manifestdir/ s:prefix)/lib:libdir):" \ + cardcomm/pkcs11/src/Makefile.am || die + + # See bug #691308 + eapply "${FILESDIR}/eid-sign-test-${PV}.patch" + + eautoreconf +} + +src_configure() { + econf \ + $(use_enable dialogs) \ + $(use_enable p11v220) \ + $(use_enable p11-kit p11kit) \ + $(use_with gtk gtkvers 'detect') \ + --with-gnu-ld \ + --disable-static +} + +src_install() { + default + rm -r "${ED}"/usr/$(get_libdir)/*.la || die + if use gtk; then + domenu plugins_tools/eid-viewer/eid-viewer.desktop + doicon plugins_tools/eid-viewer/gtk/eid-viewer.png + fi +} + +pkg_postinst(){ + if use gtk; then + gnome2_schemas_update + xdg_desktop_database_update + xdg_icon_cache_update + fi +} + +pkg_postrm(){ + if use gtk; then + gnome2_schemas_update + xdg_desktop_database_update + xdg_icon_cache_update + fi +} diff --git a/app-crypt/eid-mw/files/eid-sign-test-4.4.19.patch b/app-crypt/eid-mw/files/eid-sign-test-4.4.19.patch new file mode 100644 index 00000000000..cf59f99a8ea --- /dev/null +++ b/app-crypt/eid-mw/files/eid-sign-test-4.4.19.patch @@ -0,0 +1,272 @@ +--- eid-mw-4.4.19/tests/unit/sign.c 2019-07-11 16:08:46.000000000 +0200 ++++ eid-mw-git/tests/unit/sign.c 2019-08-04 17:40:08.683942928 +0200 +@@ -19,10 +19,13 @@ + **************************************************************************** */ + #ifdef WIN32 + #include <win32.h> ++#pragma pack(push, cryptoki, 1) ++#include "pkcs11.h" ++#pragma pack(pop, cryptoki) + #else + #include <unix.h> +-#endif + #include <pkcs11.h> ++#endif + #include <stdio.h> + #include <string.h> + #include <stdlib.h> +@@ -33,66 +36,88 @@ + #include <config.h> + #endif + ++#include <stdbool.h> ++ + #if HAVE_OPENSSL +-#include <openssl/rsa.h> ++#include <openssl/opensslv.h> ++#include <openssl/evp.h> + #include <openssl/engine.h> + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) +-static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) { +- if(!r || !n || !e) { +- return 0; +- } +- r->n = n; +- r->e = e; +- r->d = d; +- return 1; +-} +-#endif +- +-CK_BYTE digest_sha256[] = { +- 0x2c, 0x26, 0xb4, 0x6b, +- 0x68, 0xff, 0xc6, 0x8f, +- 0xf9, 0x9b, 0x45, 0x3c, +- 0x1d, 0x30, 0x41, 0x34, +- 0x13, 0x42, 0x2d, 0x70, +- 0x64, 0x83, 0xbf, 0xa0, +- 0xf9, 0x8a, 0x5e, 0x88, +- 0x62, 0x66, 0xe7, 0xae +-}; +- +-int verify_sig(unsigned char* sig, CK_ULONG siglen, CK_BYTE_PTR modulus, CK_ULONG modlen, CK_BYTE_PTR exponent, CK_ULONG explen) { +- RSA* rsa = RSA_new(); +- unsigned char* s = malloc(siglen); +- int ret; +- +- RSA_set0_key(rsa, BN_bin2bn(modulus, (int) modlen, NULL), BN_bin2bn(exponent, (int) explen, NULL), NULL); +- +- int v = RSA_verify(NID_sha256, digest_sha256, sizeof(digest_sha256), sig, siglen, rsa); +- +- printf("Signature verification returned: %d\n", v); +- if(!v) { +- unsigned long e = ERR_get_error(); +- printf("error %ld: %s\n", e, ERR_error_string(e, NULL)); +- ret = TEST_RV_FAIL; +- } else { +- ret = TEST_RV_OK; ++// These were copied from eid-test-ca:derencode.c ++int verify_sig(const unsigned char *sig_in, CK_ULONG siglen, const unsigned char *certificate, size_t certlen, bool is_rsa) { ++#if OPENSSL_VERSION_NUMBER > 0x10100000L ++ X509 *cert = NULL; ++ EVP_PKEY *pkey = NULL; ++ EVP_MD_CTX *mdctx; ++ EVP_PKEY_CTX *pctx; ++ const EVP_MD *md = EVP_get_digestbyname("sha256"); ++ unsigned char *sig = (unsigned char*)sig_in; ++ ++ if(d2i_X509(&cert, &certificate, certlen) == NULL) { ++ fprintf(stderr, "E: could not parse X509 certificate\n"); ++ return TEST_RV_FAIL; ++ } ++ pkey = X509_get0_pubkey(cert); ++ if(pkey == NULL) { ++ fprintf(stderr, "E: could not find public key in certificate\n"); ++ return TEST_RV_FAIL; ++ } ++ mdctx = EVP_MD_CTX_new(); ++ if(EVP_DigestVerifyInit(mdctx, &pctx, md, NULL, pkey) != 1) { ++ fprintf(stderr, "E: initialization for signature validation failed!\n"); ++ return TEST_RV_FAIL; ++ } ++ if(EVP_DigestVerifyUpdate(mdctx, (const unsigned char*)"foo", 3) != 1) { ++ fprintf(stderr, "E: hashing for signature failed!\n"); ++ return TEST_RV_FAIL; + } + +- free(s); +- RSA_free(rsa); +- +- return ret; ++ ECDSA_SIG* ec_sig; ++ if(!is_rsa) { ++ BIGNUM *r; ++ BIGNUM *s; ++ ec_sig = ECDSA_SIG_new(); ++ if((r = BN_bin2bn(sig, siglen / 2, NULL)) == NULL) { ++ fprintf(stderr, "E: could not convert R part of ECDSA signature!\n"); ++ return TEST_RV_FAIL; ++ } ++ if((s = BN_bin2bn(sig + (siglen / 2), siglen / 2, NULL)) == NULL) { ++ fprintf(stderr, "E: could not convert S part of ECDSA signature!\n"); ++ return TEST_RV_FAIL; ++ } ++ if(ECDSA_SIG_set0(ec_sig, r, s) == 0) { ++ fprintf(stderr, "E: could not set ECDSA_SIG structure!\n"); ++ return TEST_RV_FAIL; ++ } ++ siglen = i2d_ECDSA_SIG(ec_sig, NULL); ++ unsigned char *dersig = sig = malloc(siglen); ++ siglen = i2d_ECDSA_SIG(ec_sig, &dersig); ++ } ++ if(EVP_DigestVerifyFinal(mdctx, sig, siglen) != 1) { ++ fprintf(stderr, "E: signature fails validation!\n"); ++ return TEST_RV_FAIL; ++ } ++ if(!is_rsa) { ++ free(sig); ++ } ++ printf("signature verified\n"); ++ return TEST_RV_OK; ++#else ++ printf("OpenSSL too old for verification\n"); ++#endif + } +- + #endif + +-int test_key(char* label, CK_SESSION_HANDLE session, CK_SLOT_ID slot EIDT_UNUSED) { ++int test_key(char* label, CK_SESSION_HANDLE session, CK_SLOT_ID slot) { + CK_ATTRIBUTE attr[2]; + CK_MECHANISM mech; ++ CK_MECHANISM_TYPE_PTR mechlist; + CK_BYTE data[] = { 'f', 'o', 'o' }; + CK_BYTE_PTR sig, mod, exp; + CK_ULONG sig_len, type, count; +- CK_OBJECT_HANDLE privatekey, publickey; ++ CK_OBJECT_HANDLE privatekey, publickey, certificate; ++ bool is_rsa = false; ++ int i; + + attr[0].type = CKA_CLASS; + attr[0].pValue = &type; +@@ -113,7 +138,22 @@ + return TEST_RV_SKIP; + } + +- mech.mechanism = CKM_SHA256_RSA_PKCS; ++ check_rv(C_GetMechanismList(slot, NULL_PTR, &count)); ++ mechlist = malloc(sizeof(CK_MECHANISM_TYPE) * count); ++#undef CHECK_RV_DEALLOCATE ++#define CHECK_RV_DEALLOCATE free(mechlist) ++ ++ check_rv(C_GetMechanismList(slot, mechlist, &count)); ++ ++ for(i=0; i<count; i++) { ++ if(mechlist[i] == CKM_SHA256_RSA_PKCS) { ++ mech.mechanism = mechlist[i]; ++ i=count; ++ is_rsa = true; ++ break; ++ } ++ } ++ + check_rv(C_SignInit(session, &mech, privatekey)); + + check_rv(C_Sign(session, data, sizeof(data), NULL, &sig_len)); +@@ -124,42 +164,68 @@ + + hex_dump((char*)sig, sig_len); + +- type = CKO_PUBLIC_KEY; +- check_rv(C_FindObjectsInit(session, attr, 2)); +- check_rv(C_FindObjects(session, &publickey, 1, &count)); +- verbose_assert(count == 1); +- check_rv(C_FindObjectsFinal(session)); ++ if(is_rsa) { ++ type = CKO_PUBLIC_KEY; ++ check_rv(C_FindObjectsInit(session, attr, 2)); ++ check_rv(C_FindObjects(session, &publickey, 1, &count)); ++ verbose_assert(count == 1); ++ check_rv(C_FindObjectsFinal(session)); + +- attr[0].type = CKA_MODULUS; +- attr[0].pValue = NULL_PTR; +- attr[0].ulValueLen = 0; ++ attr[0].type = CKA_MODULUS; ++ attr[0].pValue = NULL_PTR; ++ attr[0].ulValueLen = 0; + +- attr[1].type = CKA_PUBLIC_EXPONENT; +- attr[1].pValue = NULL_PTR; +- attr[1].ulValueLen = 0; ++ attr[1].type = CKA_PUBLIC_EXPONENT; ++ attr[1].pValue = NULL_PTR; ++ attr[1].ulValueLen = 0; + +- check_rv(C_GetAttributeValue(session, publickey, attr, 2)); ++ check_rv(C_GetAttributeValue(session, publickey, attr, 2)); + +- verbose_assert(attr[0].ulValueLen == sig_len); ++ verbose_assert(attr[0].ulValueLen == sig_len); + +- mod = malloc(attr[0].ulValueLen); +- mod[0] = 0xde; mod[1] = 0xad; mod[2] = 0xbe; mod[3] = 0xef; +- exp = malloc(attr[1].ulValueLen); +- exp[0] = 0xde; exp[1] = 0xad; exp[2] = 0xbe; exp[3] = 0xef; ++ mod = malloc(attr[0].ulValueLen); ++ mod[0] = 0xde; mod[1] = 0xad; mod[2] = 0xbe; mod[3] = 0xef; ++ exp = malloc(attr[1].ulValueLen); ++ exp[0] = 0xde; exp[1] = 0xad; exp[2] = 0xbe; exp[3] = 0xef; + +- attr[0].pValue = mod; +- attr[1].pValue = exp; ++ attr[0].pValue = mod; ++ attr[1].pValue = exp; + +- check_rv(C_GetAttributeValue(session, publickey, attr, 2)); ++ check_rv(C_GetAttributeValue(session, publickey, attr, 2)); + +- printf("Received key modulus with length %lu:\n", attr[0].ulValueLen); +- hex_dump((char*)mod, attr[0].ulValueLen); ++ printf("Received key modulus with length %lu:\n", attr[0].ulValueLen); ++ hex_dump((char*)mod, attr[0].ulValueLen); + +- printf("Received public exponent of key with length %lu:\n", attr[1].ulValueLen); +- hex_dump((char*)exp, attr[1].ulValueLen); ++ printf("Received public exponent of key with length %lu:\n", attr[1].ulValueLen); ++ hex_dump((char*)exp, attr[1].ulValueLen); ++ } + +-#if HAVE_OPENSSL +- return verify_sig(sig, sig_len, mod, attr[0].ulValueLen, exp, attr[1].ulValueLen); ++#if HAVE_OPENSSL && OPENSSL_VERSION_NUMBER > 0x10100000L ++ unsigned char cert[4096]; ++ attr[0].type = CKA_CLASS; ++ attr[0].pValue = &type; ++ type = CKO_CERTIFICATE; ++ attr[0].ulValueLen = sizeof(CK_ULONG); ++ ++ attr[1].type = CKA_LABEL; ++ attr[1].pValue = label; ++ attr[1].ulValueLen = strlen(label); ++ ++ check_rv(C_FindObjectsInit(session, attr, 2)); ++ check_rv(C_FindObjects(session, &certificate, 1, &count)); ++ verbose_assert(count == 1); ++ check_rv(C_FindObjectsFinal(session)); ++ ++ attr[0].type = CKA_VALUE; ++ attr[0].pValue = cert; ++ attr[0].ulValueLen = sizeof(cert); ++ ++ check_rv(C_GetAttributeValue(session, certificate, attr, 1)); ++ ++ printf("Received certificate with length %lu:\n", attr[0].ulValueLen); ++ hex_dump((char*)cert, attr[0].ulValueLen); ++ ++ return verify_sig(sig, sig_len, cert, attr[0].ulValueLen, is_rsa); + #else + return TEST_RV_OK; + #endif
