+AUX opensc-0.23.0-backport-pr2656.patch 8562 BLAKE2B ebcfa06920d83fbc72dc2d5af76f2982956d192e4573b13e001f2b6ffd05c3b5768bc7e64626b75649ba0ecb121c1d5085564f6b71f7cf1e320a854db59c058c SHA512 e188a368eb50536e59e5eab5740b5df1254789f6200eb8ccb31139291012bb3cdf281f9d4dd1a0d2b5ff13d974534a84e054506a763f8bd74bb1ca25a1f38d12

+EBUILD opensc-0.23.0-r2.ebuild 1925 BLAKE2B 26530b6d503dea329abd7f0e5941f48740ab473e4f09fbb0e836d581806cb19d1c706fb7ff5ca4df88730c4dbc15085807f3cd488b032439dff1ca760d8974c2 SHA512 6e6597638236987720030d6d7eab2b2dbb3301c334edd92de514f76f0aa00638453700b5e5ecade126c94c357d85b8860a8dcd703c1571f3206ae192211687d2

+https://bugs.gentoo.org/909781

+https://github.com/OpenSC/libp11/issues/478

+https://github.com/OpenSC/OpenSC/pull/2656

+

+From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001

+From: Jakub Jelen <jjelen@redhat.com>

+Date: Thu, 1 Dec 2022 20:08:53 +0100

+Subject: [PATCH 1/4] pkcs11-tool: Fix private key import

+

+---

+ src/tools/pkcs11-tool.c | 4 ++--

+ 1 file changed, 2 insertions(+), 2 deletions(-)

+

+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c

+index aae205fe2c..cfee8526d5 100644

+--- a/src/tools/pkcs11-tool.c

++++ b/src/tools/pkcs11-tool.c

+@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)

+ RSA_get0_factors(r, &r_p, &r_q);

+ RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);

+ #else

+- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||

++ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||

+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||

+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||

+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||

+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||

+- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {

+ util_fatal("OpenSSL error during RSA private key parsing");

++ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {

+ }

+ #endif

+ RSA_GET_BN(rsa, private_exponent, r_d);

+

+From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001

+From: Jakub Jelen <jjelen@redhat.com>

+Date: Thu, 1 Dec 2022 20:11:41 +0100

+Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors

+

+---

+ src/tools/pkcs11-tool.c | 15 ++++++---------

+ 1 file changed, 6 insertions(+), 9 deletions(-)

+

+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c

+index cfee8526d5..f2e6b1dd91 100644

+--- a/src/tools/pkcs11-tool.c

++++ b/src/tools/pkcs11-tool.c

+@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)

+ const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp;

+ r = EVP_PKEY_get1_RSA(pkey);

+ if (!r) {

+- if (private)

+- util_fatal("OpenSSL error during RSA private key parsing");

+- else

+- util_fatal("OpenSSL error during RSA public key parsing");

++ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",

++ ERR_error_string(ERR_peek_last_error(), NULL));

+ }

+

+ RSA_get0_key(r, &r_n, &r_e, NULL);

+@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)

+ BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL;

+ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 ||

+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) {

+- if (private)

+- util_fatal("OpenSSL error during RSA private key parsing");

+- else

+- util_fatal("OpenSSL error during RSA public key parsing");

++ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",

++ ERR_error_string(ERR_peek_last_error(), NULL));

+ }

+ #endif

+ RSA_GET_BN(rsa, modulus, r_n);

+@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)

+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||

+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||

+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||

+- util_fatal("OpenSSL error during RSA private key parsing");

+ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {

++ util_fatal("OpenSSL error during RSA private key parsing: %s",

++ ERR_error_string(ERR_peek_last_error(), NULL));

+ }

+ #endif

+ RSA_GET_BN(rsa, private_exponent, r_d);

+

+From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001

+From: Jakub Jelen <jjelen@redhat.com>

+Date: Thu, 1 Dec 2022 20:38:31 +0100

+Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import

+

+---

+ tests/Makefile.am | 10 ++++---

+ tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++

+ 2 files changed, 54 insertions(+), 4 deletions(-)

+ create mode 100755 tests/test-pkcs11-tool-import.sh

+

+diff --git a/tests/Makefile.am b/tests/Makefile.am

+index d378e2ee00..9d8a24c321 100644

+--- a/tests/Makefile.am

++++ b/tests/Makefile.am

+@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \

+ test-pkcs11-tool-test-threads.sh \

+ test-pkcs11-tool-sign-verify.sh \

+ test-pkcs11-tool-allowed-mechanisms.sh \

+- test-pkcs11-tool-sym-crypt-test.sh\

+- test-pkcs11-tool-unwrap-wrap-test.sh

++ test-pkcs11-tool-sym-crypt-test.sh \

++ test-pkcs11-tool-unwrap-wrap-test.sh \

++ test-pkcs11-tool-import.sh

+

+ .NOTPARALLEL:

+ TESTS = \

+@@ -25,8 +26,9 @@ TESTS = \

+ test-pkcs11-tool-test.sh \

+ test-pkcs11-tool-test-threads.sh \

+ test-pkcs11-tool-allowed-mechanisms.sh \

+- test-pkcs11-tool-sym-crypt-test.sh\

+- test-pkcs11-tool-unwrap-wrap-test.sh

++ test-pkcs11-tool-sym-crypt-test.sh \

++ test-pkcs11-tool-unwrap-wrap-test.sh \

++ test-pkcs11-tool-import.sh

+ XFAIL_TESTS = \

+ test-pkcs11-tool-test-threads.sh \

+ test-pkcs11-tool-test.sh

+diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh

+new file mode 100755

+index 0000000000..76ff8e51be

+--- /dev/null

++++ b/tests/test-pkcs11-tool-import.sh

+@@ -0,0 +1,48 @@

++#!/bin/bash

++SOURCE_PATH=${SOURCE_PATH:-..}

++

++source $SOURCE_PATH/tests/common.sh

++

++echo "======================================================="

++echo "Setup SoftHSM"

++echo "======================================================="

++if [[ ! -f $P11LIB ]]; then

++ echo "WARNING: The SoftHSM is not installed. Can not run this test"

++ exit 77;

++fi

++card_setup

++

++ID="0100"

++OPTS=""

++for KEYTYPE in "RSA" "EC"; do

++ echo "======================================================="

++ echo "Generate and import $KEYTYPE keys"

++ echo "======================================================="

++ if [ "$KEYTYPE" == "RSA" ]; then

++ ID="0100"

++ elif [ "$KEYTYPE" == "EC" ]; then

++ ID="0200"

++ OPTS="-pkeyopt ec_paramgen_curve:P-521"

++ fi

++ openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS

++ assert $? "Failed to generate private $KEYTYPE key"

++ $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \

++ --label "$KEYTYPE" -p "$PIN" --module "$P11LIB"

++ assert $? "Failed to write private $KEYTYPE key"

++

++ openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER

++ assert $? "Failed to convert private $KEYTYPE key to public"

++ $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \

++ -p $PIN --module $P11LIB

++ assert $? "Failed to write public $KEYTYPE key"

++ # certificate import already tested in all other tests

++

++ rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der"

++done

++

++echo "======================================================="

++echo "Cleanup"

++echo "======================================================="

++card_cleanup

++

++exit $ERRORS

+

+From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001

+From: Jakub Jelen <jakuje@gmail.com>

+Date: Fri, 2 Dec 2022 18:07:43 +0100

+Subject: [PATCH 4/4] Simplify the new test

+MIME-Version: 1.0

+Content-Type: text/plain; charset=UTF-8

+Content-Transfer-Encoding: 8bit

+

+Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com>

+---

+ tests/test-pkcs11-tool-import.sh | 8 +++-----

+ 1 file changed, 3 insertions(+), 5 deletions(-)

+

+diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh

+index 76ff8e51be..c90b3b4926 100755

+--- a/tests/test-pkcs11-tool-import.sh

++++ b/tests/test-pkcs11-tool-import.sh

+@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then

+ fi

+ card_setup

+

+-ID="0100"

+-OPTS=""

+ for KEYTYPE in "RSA" "EC"; do

+ echo "======================================================="

+ echo "Generate and import $KEYTYPE keys"

+ echo "======================================================="

+- if [ "$KEYTYPE" == "RSA" ]; then

+- ID="0100"

+- elif [ "$KEYTYPE" == "EC" ]; then

++ ID="0100"

++ OPTS=""

++ if [ "$KEYTYPE" == "EC" ]; then

+ ID="0200"

+ OPTS="-pkeyopt ec_paramgen_curve:P-521"

+ fi

+# Copyright 1999-2023 Gentoo Authors

+# Distributed under the terms of the GNU General Public License v2

+

+EAPI=8

+

+inherit autotools bash-completion-r1

+

+DESCRIPTION="Libraries and applications to access smartcards"

+HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"

+

+if [[ ${PV} == *9999 ]]; then

+ inherit git-r3

+ EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"

+else

+ SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"

+ KEYWORDS="~amd64 ~ppc64 ~riscv ~sparc ~x86"

+fi

+

+LICENSE="LGPL-2.1"

+SLOT="0"

+IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"

+RESTRICT="!test? ( test )"

+

+RDEPEND="zlib? ( sys-libs/zlib )

+ readline? ( sys-libs/readline:0= )

+ ssl? ( dev-libs/openssl:0= )

+ openct? ( >=dev-libs/openct-0.5.0 )

+ pace? ( dev-libs/openpace:= )

+ pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )

+ notify? ( dev-libs/glib:2 )"

+DEPEND="${RDEPEND}

+ app-text/docbook-xsl-stylesheets

+ dev-libs/libxslt

+ test? ( dev-util/cmocka )"

+BDEPEND="virtual/pkgconfig"

+

+REQUIRED_USE="

+ pcsc-lite? ( !openct !ctapi )

+ openct? ( !pcsc-lite !ctapi )

+ ctapi? ( !pcsc-lite !openct )

+ || ( pcsc-lite openct ctapi )"

+

+PATCHES=(

+ "${FILESDIR}"/${P}-CVE-2023-2977.patch

+ "${FILESDIR}"/${P}-backport-pr2656.patch

+)

+

+src_prepare() {

+ default

+ eautoreconf

+}

+

+src_configure() {

+ # don't want to run upstream's clang-tidy checks

+ export ac_cv_path_CLANGTIDY=""

+

+ econf \

+ --with-completiondir="$(get_bashcompdir)" \

+ --disable-strict \

+ --enable-man \

+ $(use_enable ctapi) \

+ $(use_enable doc) \

+ $(use_enable notify) \

+ $(use_enable openct) \

+ $(use_enable pace openpace) \

+ $(use_enable pcsc-lite pcsc) \

+ $(use_enable readline) \

+ $(use_enable secure-messaging sm) \

+ $(use_enable ssl openssl) \

+ $(use_enable test cmocka) \

+ $(use_enable zlib)

+}

+

+src_install() {

+ default

+

+ insinto /etc/pkcs11/modules/

+ doins "${FILESDIR}"/opensc.module

+

+ find "${ED}" -name '*.la' -delete || die

+}