commit: 08f134943e605456a2506fbfe688cea0340059e9 Author: Matoro Mahri <matoro <AT> users <DOT> noreply <DOT> github <DOT> com> AuthorDate: Mon Jul 17 22:06:02 2023 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Mon Jul 17 22:14:32 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=08f13494
dev-libs/opensc: backport PR to fix dev-libs/libp11 tests See: https://github.com/OpenSC/libp11/issues/478 See: https://github.com/OpenSC/OpenSC/pull/2656 Bug: https://bugs.gentoo.org/909781 Signed-off-by: Matoro Mahri <matoro <AT> users.noreply.github.com> Signed-off-by: Sam James <sam <AT> gentoo.org> .../files/opensc-0.23.0-backport-pr2656.patch | 215 +++++++++++++++++++++ dev-libs/opensc/opensc-0.23.0-r2.ebuild | 81 ++++++++ 2 files changed, 296 insertions(+) diff --git a/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch b/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch new file mode 100644 index 000000000000..f9ce72d31776 --- /dev/null +++ b/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch @@ -0,0 +1,215 @@ +https://bugs.gentoo.org/909781 +https://github.com/OpenSC/libp11/issues/478 +https://github.com/OpenSC/OpenSC/pull/2656 + +From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001 +From: Jakub Jelen <jje...@redhat.com> +Date: Thu, 1 Dec 2022 20:08:53 +0100 +Subject: [PATCH 1/4] pkcs11-tool: Fix private key import + +--- + src/tools/pkcs11-tool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c +index aae205fe2c..cfee8526d5 100644 +--- a/src/tools/pkcs11-tool.c ++++ b/src/tools/pkcs11-tool.c +@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) + RSA_get0_factors(r, &r_p, &r_q); + RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp); + #else +- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 || ++ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 || +- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) { + util_fatal("OpenSSL error during RSA private key parsing"); ++ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) { + } + #endif + RSA_GET_BN(rsa, private_exponent, r_d); + +From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen <jje...@redhat.com> +Date: Thu, 1 Dec 2022 20:11:41 +0100 +Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors + +--- + src/tools/pkcs11-tool.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c +index cfee8526d5..f2e6b1dd91 100644 +--- a/src/tools/pkcs11-tool.c ++++ b/src/tools/pkcs11-tool.c +@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) + const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp; + r = EVP_PKEY_get1_RSA(pkey); + if (!r) { +- if (private) +- util_fatal("OpenSSL error during RSA private key parsing"); +- else +- util_fatal("OpenSSL error during RSA public key parsing"); ++ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public", ++ ERR_error_string(ERR_peek_last_error(), NULL)); + } + + RSA_get0_key(r, &r_n, &r_e, NULL); +@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) + BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL; + if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) { +- if (private) +- util_fatal("OpenSSL error during RSA private key parsing"); +- else +- util_fatal("OpenSSL error during RSA public key parsing"); ++ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public", ++ ERR_error_string(ERR_peek_last_error(), NULL)); + } + #endif + RSA_GET_BN(rsa, modulus, r_n); +@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 || +- util_fatal("OpenSSL error during RSA private key parsing"); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) { ++ util_fatal("OpenSSL error during RSA private key parsing: %s", ++ ERR_error_string(ERR_peek_last_error(), NULL)); + } + #endif + RSA_GET_BN(rsa, private_exponent, r_d); + +From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen <jje...@redhat.com> +Date: Thu, 1 Dec 2022 20:38:31 +0100 +Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import + +--- + tests/Makefile.am | 10 ++++--- + tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++ + 2 files changed, 54 insertions(+), 4 deletions(-) + create mode 100755 tests/test-pkcs11-tool-import.sh + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index d378e2ee00..9d8a24c321 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \ + test-pkcs11-tool-test-threads.sh \ + test-pkcs11-tool-sign-verify.sh \ + test-pkcs11-tool-allowed-mechanisms.sh \ +- test-pkcs11-tool-sym-crypt-test.sh\ +- test-pkcs11-tool-unwrap-wrap-test.sh ++ test-pkcs11-tool-sym-crypt-test.sh \ ++ test-pkcs11-tool-unwrap-wrap-test.sh \ ++ test-pkcs11-tool-import.sh + + .NOTPARALLEL: + TESTS = \ +@@ -25,8 +26,9 @@ TESTS = \ + test-pkcs11-tool-test.sh \ + test-pkcs11-tool-test-threads.sh \ + test-pkcs11-tool-allowed-mechanisms.sh \ +- test-pkcs11-tool-sym-crypt-test.sh\ +- test-pkcs11-tool-unwrap-wrap-test.sh ++ test-pkcs11-tool-sym-crypt-test.sh \ ++ test-pkcs11-tool-unwrap-wrap-test.sh \ ++ test-pkcs11-tool-import.sh + XFAIL_TESTS = \ + test-pkcs11-tool-test-threads.sh \ + test-pkcs11-tool-test.sh +diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh +new file mode 100755 +index 0000000000..76ff8e51be +--- /dev/null ++++ b/tests/test-pkcs11-tool-import.sh +@@ -0,0 +1,48 @@ ++#!/bin/bash ++SOURCE_PATH=${SOURCE_PATH:-..} ++ ++source $SOURCE_PATH/tests/common.sh ++ ++echo "=======================================================" ++echo "Setup SoftHSM" ++echo "=======================================================" ++if [[ ! -f $P11LIB ]]; then ++ echo "WARNING: The SoftHSM is not installed. Can not run this test" ++ exit 77; ++fi ++card_setup ++ ++ID="0100" ++OPTS="" ++for KEYTYPE in "RSA" "EC"; do ++ echo "=======================================================" ++ echo "Generate and import $KEYTYPE keys" ++ echo "=======================================================" ++ if [ "$KEYTYPE" == "RSA" ]; then ++ ID="0100" ++ elif [ "$KEYTYPE" == "EC" ]; then ++ ID="0200" ++ OPTS="-pkeyopt ec_paramgen_curve:P-521" ++ fi ++ openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS ++ assert $? "Failed to generate private $KEYTYPE key" ++ $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \ ++ --label "$KEYTYPE" -p "$PIN" --module "$P11LIB" ++ assert $? "Failed to write private $KEYTYPE key" ++ ++ openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER ++ assert $? "Failed to convert private $KEYTYPE key to public" ++ $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \ ++ -p $PIN --module $P11LIB ++ assert $? "Failed to write public $KEYTYPE key" ++ # certificate import already tested in all other tests ++ ++ rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der" ++done ++ ++echo "=======================================================" ++echo "Cleanup" ++echo "=======================================================" ++card_cleanup ++ ++exit $ERRORS + +From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001 +From: Jakub Jelen <jak...@gmail.com> +Date: Fri, 2 Dec 2022 18:07:43 +0100 +Subject: [PATCH 4/4] Simplify the new test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-authored-by: Veronika HanulĂková <61348757+xhanu...@users.noreply.github.com> +--- + tests/test-pkcs11-tool-import.sh | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh +index 76ff8e51be..c90b3b4926 100755 +--- a/tests/test-pkcs11-tool-import.sh ++++ b/tests/test-pkcs11-tool-import.sh +@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then + fi + card_setup + +-ID="0100" +-OPTS="" + for KEYTYPE in "RSA" "EC"; do + echo "=======================================================" + echo "Generate and import $KEYTYPE keys" + echo "=======================================================" +- if [ "$KEYTYPE" == "RSA" ]; then +- ID="0100" +- elif [ "$KEYTYPE" == "EC" ]; then ++ ID="0100" ++ OPTS="" ++ if [ "$KEYTYPE" == "EC" ]; then + ID="0200" + OPTS="-pkeyopt ec_paramgen_curve:P-521" + fi diff --git a/dev-libs/opensc/opensc-0.23.0-r2.ebuild b/dev-libs/opensc/opensc-0.23.0-r2.ebuild new file mode 100644 index 000000000000..7cbf82823f1a --- /dev/null +++ b/dev-libs/opensc/opensc-0.23.0-r2.ebuild @@ -0,0 +1,81 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit autotools bash-completion-r1 + +DESCRIPTION="Libraries and applications to access smartcards" +HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"; + +if [[ ${PV} == *9999 ]]; then + inherit git-r3 + EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"; +else + SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"; + KEYWORDS="~amd64 ~ppc64 ~riscv ~sparc ~x86" +fi + +LICENSE="LGPL-2.1" +SLOT="0" +IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib" +RESTRICT="!test? ( test )" + +RDEPEND="zlib? ( sys-libs/zlib ) + readline? ( sys-libs/readline:0= ) + ssl? ( dev-libs/openssl:0= ) + openct? ( >=dev-libs/openct-0.5.0 ) + pace? ( dev-libs/openpace:= ) + pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 ) + notify? ( dev-libs/glib:2 )" +DEPEND="${RDEPEND} + app-text/docbook-xsl-stylesheets + dev-libs/libxslt + test? ( dev-util/cmocka )" +BDEPEND="virtual/pkgconfig" + +REQUIRED_USE=" + pcsc-lite? ( !openct !ctapi ) + openct? ( !pcsc-lite !ctapi ) + ctapi? ( !pcsc-lite !openct ) + || ( pcsc-lite openct ctapi )" + +PATCHES=( + "${FILESDIR}"/${P}-CVE-2023-2977.patch + "${FILESDIR}"/${P}-0.23.0-backport-pr2656.patch +) + +src_prepare() { + default + eautoreconf +} + +src_configure() { + # don't want to run upstream's clang-tidy checks + export ac_cv_path_CLANGTIDY="" + + econf \ + --with-completiondir="$(get_bashcompdir)" \ + --disable-strict \ + --enable-man \ + $(use_enable ctapi) \ + $(use_enable doc) \ + $(use_enable notify) \ + $(use_enable openct) \ + $(use_enable pace openpace) \ + $(use_enable pcsc-lite pcsc) \ + $(use_enable readline) \ + $(use_enable secure-messaging sm) \ + $(use_enable ssl openssl) \ + $(use_enable test cmocka) \ + $(use_enable zlib) +} + +src_install() { + default + + insinto /etc/pkcs11/modules/ + doins "${FILESDIR}"/opensc.module + + find "${ED}" -name '*.la' -delete || die +}
