From b4279d5328b8746d7c87e24e196f31f99df06392 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 18 Jan 2023 16:20:28 +0100
Subject: [PATCH 1/3] pobject: logout when a new encrypted private key is
 loaded

This forces CKFW to call pem_mdSession_Login() each time we load a new
encrypted private key into nss-pem.  Otherwise it would be called only
for the first encrypted private key and an attempt to use the other keys
would fail later on with: `The key does not support the requested
operation.`

Bug: https://bugzilla.redhat.com/2121064

Upstream-commit: 25312ae55da718690fb68a13cfc709efcab17162
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 src/pobject.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/pobject.c b/src/pobject.c
index a86640e..bd9d330 100644
--- a/src/pobject.c
+++ b/src/pobject.c
@@ -1267,6 +1267,7 @@ pem_CreateObject
             /* FIXME: dirty hack relying on NSS internals */
             CK_SESSION_HANDLE hSession =
                 NSSCKFWInstance_FindSessionHandle(fwInstance, fwSession);
+            NSSCKFWC_Logout(fwInstance, hSession);
             NSSCKFWInstance_DestroySessionHandle(fwInstance, hSession);
         } else {
             *pError = CKR_KEY_UNEXTRACTABLE;
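Review bot: the CK_RV returned by the added NSSCKFWC_Logout(fwInstance, hSession) call is discarded, so a failed logout goes unnoticed and the later "The key does not support the requested operation." failure described in the commit message can still occur with no hint of the cause. Please check the result, or state in a comment which return codes are expected and safe to ignore here. The call also sits under the existing "FIXME: dirty hack relying on NSS internals" comment and adds one more dependency on those internals, so that comment should be extended to say why a logout is forced at this point. Within this patch no header declaring NSSCKFWC_Logout is included; the declaration only arrives in 3/3.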
-- 
2.39.2


From d85beb202c9fd6d976f8dced54b32b994a0f8181 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 18 Jan 2023 16:28:30 +0100
Subject: [PATCH 2/3] psession: find the key to decrypt in reverse order

If we attempt to decrypt a key that is already decrypted, curl fails
with a misleading error: `Unable to load client key: Incorrect
password`.

In practice, we usually want to decrypt the key that was loaded the last
time.  Reversing the order of search through the global array makes
nss-pem work in a scenario where 2 distinct encrypted private keys are
used.

Bug: https://bugzilla.redhat.com/2121064

Upstream-commit: b29f61b52ef622c071b0451255a84b081511bc7b
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 src/psession.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/psession.c b/src/psession.c
index 13a5e5d..1aebd81 100644
--- a/src/psession.c
+++ b/src/psession.c
@@ -256,7 +256,7 @@ pem_mdSession_Login
     token_needsLogin[slotID - 1] = PR_FALSE;
 
     /* Find the right key object */
-    list_for_each_entry(curObj, &pem_objs, gl_list) {
+    list_for_each_entry_reverse(curObj, &pem_objs, gl_list) {
         if ((slotID == curObj->slotID) && (curObj->type == pemBareKey)) {
             io = curObj;
             break;
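Review bot: the loop still stops at the first object matching slotID and pemBareKey; switching to list_for_each_entry_reverse only changes which match wins, on the assumption that the most recently loaded key is the one that needs decrypting. The commit message itself says "usually", so the misleading "Incorrect password" error can still appear whenever the newest bare key on the slot is already decrypted. If the object records whether it has been decrypted, test that in the if condition instead of relying on list order; at minimum, update the "Find the right key object" comment to document the newest-first assumption.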
-- 
2.39.2


From f1087f6ab4e6514c0dbc8cfa320ca207bfa78f7b Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 16 Feb 2023 15:55:15 +0100
Subject: [PATCH 3/3] pobject: include <nssckfwc.h> to avoid implicit function
 declaration
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

```
src/pobject.c: In function ‘pem_CreateObject’:
src/pobject.c:1249:13: warning: implicit declaration of function ‘NSSCKFWC_Logout’ [-Wimplicit-function-declaration]
 1249 |             NSSCKFWC_Logout(fwInstance, hSession);
      |             ^~~~~~~~~~~~~~~
```

This is a follow-up commit to nss-pem-1.0.8-5-g25312ae which introduced
the warning.

Closes: https://github.com/kdudka/nss-pem/pull/15

Upstream-commit: 9e160fce7a3aa0e6167400b0dc5cbb7f400585c1
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 src/pobject.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/pobject.c b/src/pobject.c
index bd9d330..1d918dd 100644
--- a/src/pobject.c
+++ b/src/pobject.c
@@ -46,6 +46,7 @@
 
 #include <blapi.h>
 #include <certt.h>
+#include <nssckfwc.h>
 #include <pk11pub.h>
 #include <secasn1.h>
 
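Review bot: this include fixes a warning that 1/3 introduces, which means that with only 1/3 and 2/3 applied, src/pobject.c calls NSSCKFWC_Logout through an implicit declaration. Toolchains that treat -Wimplicit-function-declaration as an error will fail to build at that point, which breaks bisecting through the series. Consider applying the "#include <nssckfwc.h>" line before or together with the hunk in 1/3.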
-- 
2.39.2