Robert Milasan [Thu, 30 Jul 2015 09:27:13 +0000 (11:27 +0200)]
Fix trust command segfaults in expand_homedir() when no matching password record was found
Hello, it looks like under some conditions, command trust segfaults in
expand_homedir() because no matching password record was found:
Signed-off-by: Robert Milasan <rmilasan@suse.com>
Signed-off-by: Stef Walter <stefw@redhat.com>
* Updated path so message is printed and errno is not overwritten
In proxy module don't call C_Finalize on a forked process.
This corrects a deadlock on the forked process. The deadlock
happened because the proxy called C_Finalize prior to a C_Initialize
which is wrong according to PKCS #11 (2.40). This patch eliminates
the C_Finalize call in that case.
This resolves #90289
https://bugs.freedesktop.org/show_bug.cgi?id=90289
Generate URIs compliant to the PKCS#11 URI draft in LC
We continue to accept both the older style 'object-type' field
in addition to the new 'type' field. However we start generating
URIs in the new form.
In other words we have backwards compatibility, but not forwards
compatibility. Given the fact that PKCS#11 URIs are now standardizing,
this is an acceptable compromise.
Adam Williamson [Wed, 14 Jan 2015 04:52:20 +0000 (20:52 -0800)]
trust: Add pem-directory-hash extract format
This allows extraction of a directory of standard PEM files
with the OpenSSL hash symlinks; this is a format used by
some popular platforms (Debian's /etc/ssl/certs is in this
form, and OpenSUSE provides it for compatibility).
Initially by: Ludwig Nussel <ludwig.nussel@suse.de>
Signed-off-by: Stef Walter <stefw@redhat.com>
* Added header, fixed compiler warnings
Stef Walter [Thu, 9 Oct 2014 06:15:29 +0000 (08:15 +0200)]
trust: Certificate CKA_ID is SubjectKeyIdentifier if possible
The PKCS#11 spec states that the CKA_ID should match the
SubjectKeyIdentifier if such an extension is present.
We delay the filling of CKA_ID until the builder phase of populating
attributes which allows us to have more control over how this works.
Note that we don't make CKA_ID reflect SubjectKeyIdentifier *attached*
extensions. The CKA_ID isn't supposed to change after object creation.
Making it dependent on attached extensions would be making promises
we cannot keep, since attached extensions can be added/removed at any
time.
This also means the CKA_ID of attached extensions and certificates
won't necessarily match up, but that was never promised, and not how
attached extensions should be matched to their certificate anyway.
Based on a patch and research done by David Woodhouse.
Stef Walter [Fri, 3 Oct 2014 07:42:27 +0000 (09:42 +0200)]
p11-kit: Use pthread_atfork() in a safe manner
Instead of trying to perform actions in pthread_atfork() which
are not async-signal-safe, just increment a counter so we can
later tell if the process has forked.
Note this does not make it safe to mix threads and forking without
immediately execing. This is a far broader problem than p11-kit,
however we now do the right thing when fork+exec is used from a
thread.
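
The counter approach described in the commit message above, as an added example in C (not p11-kit's own code): the child-side pthread_atfork() handler only increments a counter, and initialization and teardown compare against it to tell whether the state was inherited across a fork. The names fork_count, module_state and the module_* functions are hypothetical.

```c
#include <pthread.h>
#include <stdbool.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bumped in the child after each fork(). A plain store is
 * async-signal-safe; taking locks or freeing memory here is not. */
static volatile unsigned int fork_count = 0;
static bool handler_registered = false;

static void note_fork_in_child(void) { fork_count++; }

/* Hypothetical module state, stamped with the fork count at init time. */
struct module_state { bool initialized; unsigned int init_fork_count; };

void module_initialize(struct module_state *m)
{
    if (!handler_registered) {   /* demo assumes single-threaded setup */
        pthread_atfork(NULL, NULL, note_fork_in_child);
        handler_registered = true;
    }
    m->initialized = true;
    m->init_fork_count = fork_count;
}

/* True only in the process that performed the initialization. */
bool module_is_current(const struct module_state *m)
{
    return m->initialized && m->init_fork_count == fork_count;
}

/* Returns 1 if teardown ran, 0 if it was skipped for inherited state. */
int module_finalize(struct module_state *m)
{
    int did_teardown = module_is_current(m) ? 1 : 0;
    m->initialized = false;      /* either way, drop our view of the state */
    return did_teardown;
}

/* Initialize, fork, and report what module_finalize() did in the child. */
int finalize_result_in_child(void)
{
    struct module_state m;
    int status = 0;
    module_initialize(&m);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(module_finalize(&m));
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```
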
Stef Walter [Wed, 1 Oct 2014 15:14:50 +0000 (17:14 +0200)]
p11-kit: Remove the 'isolated' option for now
This option was not completed in time, and as implemented suffers
from limitations that the module is not really completely isolated
as it still runs under the same user id as the calling process.
Baruch Siach [Mon, 5 May 2014 06:32:23 +0000 (09:32 +0300)]
Fix build against older pthreads implementations
Older pthreads implementations like glibc NPTL prior to version 2.12, and
uClibc linuxthreads (both), need _XOPEN_SOURCE to expose
pthread_mutexattr_settype() and PTHREAD_MUTEX_DEFAULT. The value 600 (SUSv3,
POSIX.1-2001) is equivalent to _POSIX_C_SOURCE 200112L.
Fixes the following build error:
CC compat.lo
compat.c: In function 'p11_mutex_init':
compat.c:164:2: warning: implicit declaration of function 'pthread_mutexattr_settype' [-Wimplicit-function-declaration]
compat.c:164:2: warning: nested extern declaration of 'pthread_mutexattr_settype' [-Wnested-externs]
compat.c:164:36: error: 'PTHREAD_MUTEX_DEFAULT' undeclared (first use in this function)
Stef Walter [Fri, 8 Aug 2014 07:24:47 +0000 (09:24 +0200)]
trust: Parse TRUSTED CERTIFICATE openssl format even without CertAux
openssl sometimes outputs TRUSTED CERTIFICATE PEM files without the
additional CertAux (ie: trust fields) information. It simply leaves
that block out. This happens with a command like:
Stef Walter [Fri, 8 Aug 2014 07:11:52 +0000 (09:11 +0200)]
common: Allow specifying which tests to run on command line
This modifies our common unit test code so we can specify full
test paths on the command line, and restrict the run tests to
the ones specified. Order is not respected at this time.
Stef Walter [Thu, 7 Aug 2014 05:47:00 +0000 (07:47 +0200)]
p11-kit: Don't complain about C_Finalize called in wrong process
When C_Finalize is called in the wrong process, it's often because
of a caller unaware of forking. This is a painful area of PKCS#11,
but at least for C_Finalize, let's not complain loudly about it.
* This enables passing around bytes which represent PKCS#11 RPC calls.
* Caller is responsible for connecting/disconnecting and so on.
* Client side caller gets a mixin from p11_rpc_client_init() to call
into, which generates callbacks with byte arrays to be transported.
* Server side calls p11_rpc_server_handle() with a CK_FUNCTION_LIST_PTR
on which relevant methods get called.
* Doesn't yet implement the actual daemon or clients etc...