commit p11-kit for openSUSE:Factory
From a7f02ca0a88019da353381a25d2e7c42150abb39 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel <ludwig.nussel@suse.de> Date: Fri, 6 Dec 2013 10:00:32 +0100 Subject: [PATCH] trust: allow to also add openssl style hashes to
Hello community, here is the log from the commit of package p11-kit for openSUSE:Factory checked in at 2013-12-22 19:37:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/p11-kit (Old) and /work/SRC/openSUSE:Factory/.p11-kit.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "p11-kit" Changes: -------- --- /work/SRC/openSUSE:Factory/p11-kit/p11-kit.changes 2013-09-11 13:02:18.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.p11-kit.new/p11-kit.changes 2013-12-22 19:37:30.000000000 +0100 @@ -1,0 +2,6 @@ +Fri Dec 6 09:31:32 UTC 2013 - lnussel@suse.de + +- trust: allow to also add openssl style hashes to pem-directory + 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff + +------------------------------------------------------------------- New: ---- 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ p11-kit.spec ++++++ --- /var/tmp/diff_new_pack.y6LVb3/_old 2013-12-22 19:37:30.000000000 +0100 +++ /var/tmp/diff_new_pack.y6LVb3/_new 2013-12-22 19:37:30.000000000 +0100 @@ -30,6 +30,12 @@ Url: http://p11-glue.freedesktop.org/p11-kit.html Source0: http://p11-glue.freedesktop.org/releases/%{name}-%{version}.tar.gz Source99: baselibs.conf +# patch proposed upstream. If it gets rejected, need to implement +# this in ca-certificates. +Patch0: 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool BuildRequires: pkg-config BuildRequires: pkgconfig(libffi) >= 3.0.0 BuildRequires: pkgconfig(libtasn1) >= 2.3 
@@ -85,8 +91,11 @@ %prep %setup -q +%patch0 -p1 %build +# just because of patch0 +autoreconf -f -i %configure %--with-trust-paths=%{trustdir_cfg}:%{trustdir_static} make %{?_smp_mflags} -C trust asn make %{?_smp_mflags} ++++++ 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff ++++++ pem-directory For backward compatibility with older openssl and other libs like gnutls /etc/ssl/certs needs to be created as pem-directory rather than openssl-directory on openSUSE. Therefore also allow to install openssl style hashes there to avoid having to call c_rehash with a script. --- trust/extract-openssl.c | 76 ++++++++++++++++++++++++++----------------------- trust/extract-pem.c | 26 +++++++++++++---- trust/extract.c | 1 + trust/extract.h | 5 ++++ trust/tests/Makefile.am | 1 + 5 files changed, 69 insertions(+), 40 deletions(-) diff --git a/trust/extract-openssl.c b/trust/extract-openssl.c index 912c90d..16e12fd 100644 --- a/trust/extract-openssl.c +++ b/trust/extract-openssl.c 
@@ -587,6 +587,46 @@ symlink_for_subject_old_hash (p11_enumerate *ex) #endif /* OS_UNIX */ + +/* + * The OpenSSL style c_rehash stuff + * + * Different versions of openssl build these hashes differently + * so output both of them. Shouldn't cause confusion, because + * multiple certificates can hash to the same link anyway, + * and this is the reason for the trailing number after the dot. + * + * The trailing number is incremented p11_save_symlink_in() if it + * conflicts with something we've already written out. + * + * On Windows no symlinks. + */ +bool +p11_openssl_symlink (p11_enumerate *ex, + p11_save_dir *dir, + const char *filename) +{ + bool ret = true; +#ifdef OS_UNIX + char *linkname; + + linkname = symlink_for_subject_hash (ex); + if (linkname) { + ret = p11_save_symlink_in (dir, linkname, ".0", filename); + free (linkname); + } + + if (ret) { + linkname = symlink_for_subject_old_hash (ex); + if (linkname) { + ret = p11_save_symlink_in (dir, linkname, ".0", filename); + free (linkname); + } + } +#endif /* OS_UNIX */ + return ret; +} + bool p11_extract_openssl_directory (p11_enumerate *ex, const char *destination) @@ -601,10 +641,6 @@ p11_extract_openssl_directory (p11_enumerate *ex, char *name; CK_RV rv; -#ifdef OS_UNIX - char *linkname; -#endif - dir = p11_save_open_directory (destination, ex->flags); if (dir == NULL) return false; 
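Review bot: `p11_openssl_symlink` is now a cross-file entry point, but it passes `dir` and `filename` straight to `p11_save_symlink_in` without checking either, and the new caller in trust/extract-pem.c hands it the unchecked result of `p11_path_base (path)`. Adding `return_val_if_fail (dir != NULL, false);` and `return_val_if_fail (filename != NULL, false);` at the top would match the precondition style the extract code already uses. The header comment should also say that a NULL from `symlink_for_subject_hash` or `symlink_for_subject_old_hash` leaves `ret` true, so a missing hash link is silent; consumers that look certificates up by hash would presumably not find that certificate. The comment carried over from the old location reads "incremented p11_save_symlink_in()", which needs a "by".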
@@ -638,37 +674,7 @@ p11_extract_openssl_directory (p11_enumerate *ex, filename = p11_path_base (path); } - /* - * The OpenSSL style c_rehash stuff - * - * Different versions of openssl build these hashes differently - * so output both of them. Shouldn't cause confusion, because - * multiple certificates can hash to the same link anyway, - * and this is the reason for the trailing number after the dot. - * - * The trailing number is incremented p11_save_symlink_in() if it - * conflicts with something we've already written out. - * - * On Windows no symlinks. - */ - -#ifdef OS_UNIX - if (ret) { - linkname = symlink_for_subject_hash (ex); - if (linkname) { - ret = p11_save_symlink_in (dir, linkname, ".0", filename); - free (linkname); - } - } - - if (ret) { - linkname = symlink_for_subject_old_hash (ex); - if (linkname) { - ret = p11_save_symlink_in (dir, linkname, ".0", filename); - free (linkname); - } - } -#endif /* OS_UNIX */ + ret = p11_openssl_symlink(ex, dir, filename); free (filename); free (path); diff --git a/trust/extract-pem.c b/trust/extract-pem.c index 1e1c857..04dc600 100644 --- a/trust/extract-pem.c +++ b/trust/extract-pem.c @@ -42,6 +42,7 @@ #include "message.h" #include "pem.h" #include "save.h" +#include "path.h" #include <stdlib.h> @@ -107,6 +108,8 @@ p11_extract_pem_directory (p11_enumerate *ex, p11_buffer buf; bool ret = true; char *filename; + char *path; + char *name; CK_RV rv; dir = p11_save_open_directory (destination, ex->flags); 
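Review bot: The replacement call `ret = p11_openssl_symlink(ex, dir, filename);` drops the `if (ret)` guard that the removed block had around the first symlink, so an earlier failure in this loop iteration is overwritten by the symlink result, and `filename` may be used when the preceding save step did not produce one. The lines that set `ret` and `filename` sit above this hunk, so this is inferred from the removed `if (ret) {` rather than seen directly. Keeping the guard, `if (ret)` followed by `ret = p11_openssl_symlink (ex, dir, filename);`, preserves the old behaviour, and the space before the parenthesis matches the call style of the surrounding code. A masked write failure here would leave an incomplete certificate directory that the tool reports as successfully extracted.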
@@ -121,14 +124,27 @@ p11_extract_pem_directory (p11_enumerate *ex, if (!p11_pem_write (ex->cert_der, ex->cert_len, "CERTIFICATE", &buf)) return_val_if_reached (false); - filename = p11_enumerate_filename (ex); - return_val_if_fail (filename != NULL, false); + name = p11_enumerate_filename (ex); + return_val_if_fail (name != NULL, false); - file = p11_save_open_file_in (dir, filename, ".pem"); - free (filename); + path = NULL; - ret = p11_save_write_and_finish (file, buf.data, buf.len); + file = p11_save_open_file_in (dir, name, ".pem"); + ret = p11_save_write (file, buf.data, buf.len); + + if (!p11_save_finish_file (file, &path, ret)) + ret = false; + + /* XXX: getenv is a hack here, any better idea? */ + if (ret && getenv("P11_KIT_PEMDIR_HASH")) { + filename = p11_path_base (path); + ret = p11_openssl_symlink(ex, dir, filename); + free (filename); + } + + free (path); + free (name); if (!ret) break; } diff --git a/trust/extract.c b/trust/extract.c index 1a38f11..1a23967 100644 --- a/trust/extract.c +++ b/trust/extract.c @@ -46,6 +46,7 @@ #include "pkcs11x.h" #include "save.h" #include "tool.h" +#include "digest.h" #include <assert.h> #include <ctype.h> diff --git a/trust/extract.h b/trust/extract.h index ca14238..d2e58c3 100644 --- a/trust/extract.h +++ b/trust/extract.h @@ -39,6 +39,7 @@ #include "enumerate.h" #include "pkcs11.h" +#include "save.h" enum { /* These overlap with the flags in save.h, so start higher */ @@ -75,4 +76,8 @@ int p11_trust_extract (int argc, int p11_trust_extract_compat (int argc, char *argv[]); +/* from extract-openssl.c but also used in extract-pem.c */ +bool p11_openssl_symlink (p11_enumerate *ex, + p11_save_dir *dir, + const char *filename); #endif /* P11_EXTRACT_H_ */ diff --git a/trust/tests/Makefile.am b/trust/tests/Makefile.am index e53a6ae..6d81363 100644 --- a/trust/tests/Makefile.am +++ b/trust/tests/Makefile.am 
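Review bot: Hash-link creation in the PEM directory is switched on by `getenv("P11_KIT_PEMDIR_HASH")`, so the layout of the generated trust directory depends on whatever environment the caller inherited, and any value, including an empty one, enables it. The in-code XXX already calls this a hack; an explicit bit in the flags enum of trust/extract.h, tested through `ex->flags` (which this function already passes to `p11_save_open_directory`), would make the behaviour visible to the caller and testable. If the variable stays, glibc's `secure_getenv` is the safer read wherever the tool could run with elevated privileges, and the variable should be documented next to the pem-directory format. Separately, `filename = p11_path_base (path);` is not checked before it is handed to `p11_openssl_symlink`; a `filename != NULL` test that sets `ret = false` otherwise would keep the `free (path)` and `free (name)` cleanup below on the failure path.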
@@ -105,6 +105,7 @@ test_bundle_SOURCES = \ test-bundle.c \ $(TRUST)/enumerate.c \ $(TRUST)/extract-pem.c \ + $(TRUST)/extract-openssl.c \ $(TRUST)/save.c \ $(NULL) -- 1.8.1.4 -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org