| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
This allows extraction of a directory of standard PEM files
with the OpenSSL hash symlinks; this is a format used by
some popular platforms (Debian's /etc/ssl/certs is in this
form, and OpenSUSE provides it for compatibility).
Initially by: Ludwig Nussel <ludwig.nussel@suse.de>
Signed-off-by: Stef Walter <stefw@redhat.com>
* Added header, fixed compiler warnings
|
|
|
|
| |
This was a later change to the PKCS#11 specification drafts
|
|
|
|
| |
Signed-off-by: Michael Cronenworth <mike@cchtml.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKCS#11 spec states that the CKA_ID should match the
SubjectKeyIdentifier if such an extension is present.
We delay the filling of CKA_ID until the builder phase of populating
attributes which allows us to have more control over how this works.
Note that we don't make CKA_ID reflect SubjectKeyIdentifier *attached*
extensions. The CKA_ID isn't supposed to change after object creation.
Making it dependent on attached extensions would be making promises
we cannot keep, since attached extensions can be added/removed at any
time.
This also means the CKA_ID of attached extensions and certificates
won't necessarily match up, but that was never promised, and not how
attached extensions should be matched to their certificate anyway.
Based on a patch and research done by David Woodhouse.
https://bugs.freedesktop.org/show_bug.cgi?id=84761
|
|
|
|
|
|
|
| |
These PEM blocks contribute a CKA_PUBLIC_KEY_INFO to the object
being read/written.
https://bugs.freedesktop.org/show_bug.cgi?id=83799
|
|
|
|
| |
Add a number of missing LIBTASN1_CFLAGS where it's required
|
| |
|
|
|
|
|
|
|
| |
Add missing header for strdup(3).
When EPROTO is not available, fallback to EIO.
https://bugs.freedesktop.org/show_bug.cgi?id=84665
|
|
|
|
| |
Signed-off-by: Michael Cronenworth <mike@cchtml.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead of trying to perform actions in pthread_atfork() which
are not async-signal-safe, just increment a counter so we can
later tell if the process has forked.
Note this does not make it safe to mix threads and forking without
immediately execing. This is a far broader problem that p11-kit,
however we now do the right thing when fork+exec is used from a
thread.
https://bugs.freedesktop.org/show_bug.cgi?id=84567
|
|
|
|
|
| |
This allows security frameworks like SELinux or AppArmor to target
it specifically.
|
|
|
|
|
|
| |
External binaries are searched for in $(libdir)/p11-kit. The
P11_KIT_PRIVATEDIR can be used to override that, for example during
'make check'
|
|
|
|
|
| |
In anything security sensitive, use secure_getenv() implementation
for retrieving environment variables.
|
| |
|
|
|
|
|
|
| |
This option was not completed in time, and as implemented suffers
from limitations that the module is not really completely isolated
as it still runs under the same user id as the calling process.
|
|
|
|
|
|
| |
Needed to fix MinGW builds.
Signed-off-by: Michael Cronenworth <mike@cchtml.com>
|
| |
|
|
|
|
|
|
|
| |
The term 'stapled extensions' is confusing because it overloads
terminology used with OSCP stapling.
Suggested by Daniel Kahn Gillmor.
|
|
|
|
|
|
|
| |
Move our internal stuff to pkcs11i.h, and install the pkcs11x.h
header containing extensions.
https://bugs.freedesktop.org/show_bug.cgi?id=83495
|
|
|
|
|
|
|
|
|
| |
CKA_PUBLIC_KEY_INFO is defined in the PKCS#11 2.40 draft, so use that
rather than defining our own.
* Fixed up by Nikos Mavrogiannopoulos <nmav@redhat.com>
https://bugs.freedesktop.org/show_bug.cgi?id=83495
|
|
|
|
|
|
| |
This allows us to have old/new names for a given constant.
https://bugs.freedesktop.org/show_bug.cgi?id=83495
|
|
|
|
| |
Signed-off-by: Michael Cronenworth <mike@cchtml.com>
|
|
|
|
| |
Signed-off-by: Michael Cronenworth <mike@cchtml.com>
|
|
|
|
|
|
|
| |
Check for pthread_create() in pthread library instaed of
pthread_mutexattr_init(). This fixes a linking error on FreeBSD.
https://bugs.freedesktop.org/show_bug.cgi?id=75674
|
|
|
|
| |
Pushed the wrong version
|
|
|
|
|
|
|
| |
The p11-kit-proxy.so module would not respect the critical = no setting
in module configuration, and fail if any module failed to initialize.
https://bugs.freedesktop.org/show_bug.cgi?id=83651
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When building without debug build fails with:
CCLD p11-kit/p11-kit
./.libs/libp11-kit.so: undefined reference to `P11_RPC_CHECK_CALLS'
cc: error: linker command failed with exit code 1 (use -v to see
invocation)
gmake[2]: *** [p11-kit/p11-kit] Error 1
This happens because P11_RPC_CHECK_CALLS is not defined when
debugging is enabled, so provide a noop macro for that case.
|
|
|
|
|
| |
Since the public-key-info is an important part of the way we
represent trust, show it in 'trust list' if --details is present.
|
| |
|
|
|
|
|
|
| |
Previously we would output a line like this:
p11-kit: 'node != NULL' not true at lookup_extension
|
|
|
|
| |
Still use recursive for documentation and translation.
|
|
|
|
|
|
| |
The last commit caused dirfd() to become undefined.
https://bugs.freedesktop.org/show_bug.cgi?id=82617
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Older pthreads implementations like glibc NPTL prior to version 2.12, and
uClibc linuxthreads (both), need _XOPEN_SOURCE to expose
pthread_mutexattr_settype() and THREAD_MUTEX_DEFAULT. The value 600 (SuSv3,
POSIX.1-2001) is equivalent to _POSIX_C_SOURCE 200112L.
Fixes the following build error:
CC compat.lo
compat.c: In function 'p11_mutex_init':
compat.c:164:2: warning: implicit declaration of function 'pthread_mutexattr_settype' [-Wimplicit-function-declaration]
compat.c:164:2: warning: nested extern declaration of 'pthread_mutexattr_settype' [-Wnested-externs]
compat.c:164:36: error: 'PTHREAD_MUTEX_DEFAULT' undeclared (first use in this function)
https://bugs.freedesktop.org/show_bug.cgi?id=82617
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=82328
|
|
|
|
| |
https://bugs.freedesktop.org/show_bug.cgi?id=82328
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Quieten down the clang scanner by telling it to expect
that our test assertions fail
|
| |
|
| |
|
| |
|
| |
|
| |
|