rpms / opendnssec

Clone
Source Code
GIT

Blame opendnssec-1.4.7-extract.patch

el5 el6 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 main rawhide
  1.   3b082a60fff86e51115be4c4bd72f7ded8cec7c3
  2.   opendnssec-1.4.7-extract.patch
Blob History Raw
af2cb8c 
diff -Naur opendnssec-1.4.7-orig/conf/conf.rnc opendnssec-1.4.7/conf/conf.rnc
af2cb8c 
--- opendnssec-1.4.7-orig/conf/conf.rnc	2014-12-04 10:17:40.000000000 -0500
af2cb8c 
+++ opendnssec-1.4.7/conf/conf.rnc	2014-12-08 22:49:16.100212010 -0500
af2cb8c 
@@ -50,7 +50,10 @@
af2cb8c 
 			element RequireBackup { empty }?,
af2cb8c
af2cb8c 
 			# Do not maintain public keys in the repository (optional)
af2cb8c 
-			element SkipPublicKey { empty }?
af2cb8c 
+			element SkipPublicKey { empty }?,
af2cb8c 
+
af2cb8c 
+			# Generate extractable keys (CKA_EXTRACTABLE = TRUE) (optional)
af2cb8c 
+			element AllowExtraction { empty }?
af2cb8c 
 		}*
af2cb8c 
 	},
af2cb8c
af2cb8c 
diff -Naur opendnssec-1.4.7-orig/conf/conf.rng opendnssec-1.4.7/conf/conf.rng
af2cb8c 
--- opendnssec-1.4.7-orig/conf/conf.rng	2014-12-04 10:18:39.000000000 -0500
af2cb8c 
+++ opendnssec-1.4.7/conf/conf.rng	2014-12-08 22:49:16.105212137 -0500
af2cb8c 
@@ -71,6 +71,12 @@
af2cb8c 
                 <empty/>
af2cb8c 
               </element>
af2cb8c 
             </optional>
af2cb8c 
+            <optional>
af2cb8c 
+
af2cb8c 
+              <element name="AllowExtraction">
af2cb8c 
+                <empty/>
af2cb8c 
+              </element>
af2cb8c 
+            </optional>
af2cb8c 
           </element>
af2cb8c 
         </zeroOrMore>
af2cb8c 
       </element>
af2cb8c 
diff -Naur opendnssec-1.4.7-orig/conf/conf.xml.in opendnssec-1.4.7/conf/conf.xml.in
af2cb8c 
--- opendnssec-1.4.7-orig/conf/conf.xml.in	2014-12-04 10:17:40.000000000 -0500
af2cb8c 
+++ opendnssec-1.4.7/conf/conf.xml.in	2014-12-08 22:49:16.101212036 -0500
af2cb8c 
@@ -9,6 +9,9 @@
af2cb8c 
 			<TokenLabel>OpenDNSSEC</TokenLabel>
af2cb8c 
 			<PIN>1234</PIN>
af2cb8c 
 			<SkipPublicKey/>
af2cb8c 
+
af2cb8c 
+			<AllowExtraction/>
af2cb8c 
+			-->
af2cb8c 
 		</Repository>
af2cb8c
af2cb8c
af2cb8c 
diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c opendnssec-1.4.7/libhsm/src/lib/libhsm.c
af2cb8c 
--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.c	2014-12-04 10:17:40.000000000 -0500
af2cb8c 
+++ opendnssec-1.4.7/libhsm/src/lib/libhsm.c	2014-12-08 22:49:16.102212061 -0500
af2cb8c 
@@ -504,6 +504,7 @@
af2cb8c 
 hsm_config_default(hsm_config_t *config)
af2cb8c 
 {
af2cb8c 
     config->use_pubkey = 1;
af2cb8c 
+    config->allow_extract = 0;
af2cb8c 
 }
af2cb8c
af2cb8c 
 /* creates a session_t structure, and automatically adds and initializes
af2cb8c 
@@ -2054,6 +2055,8 @@
af2cb8c 
                     module_pin = (char *) xmlNodeGetContent(curNode);
af2cb8c 
                 if (xmlStrEqual(curNode->name, (const xmlChar *)"SkipPublicKey"))
af2cb8c 
                     module_config.use_pubkey = 0;
af2cb8c 
+                if (xmlStrEqual(curNode->name, (const xmlChar *)"AllowExtraction"))
af2cb8c 
+                    module_config.allow_extract = 1;
af2cb8c 
                 curNode = curNode->next;
af2cb8c 
             }
af2cb8c
af2cb8c 
@@ -2341,10 +2344,12 @@
af2cb8c 
     CK_BBOOL ctrue = CK_TRUE;
af2cb8c 
     CK_BBOOL cfalse = CK_FALSE;
af2cb8c 
     CK_BBOOL ctoken = CK_TRUE;
af2cb8c 
+    CK_BBOOL cextractable = CK_FALSE;
af2cb8c
af2cb8c 
     if (!ctx) ctx = _hsm_ctx;
af2cb8c 
     session = hsm_find_repository_session(ctx, repository);
af2cb8c 
     if (!session) return NULL;
af2cb8c 
+    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
af2cb8c
af2cb8c 
     /* check whether this key doesn't happen to exist already */
af2cb8c 
     do {
af2cb8c 
@@ -2380,7 +2385,7 @@
af2cb8c 
         { CKA_SENSITIVE,   &ctrue,   sizeof (ctrue) },
af2cb8c 
         { CKA_TOKEN,       &ctrue,   sizeof (ctrue)  },
af2cb8c 
         { CKA_PRIVATE,     &ctrue,   sizeof (ctrue)  },
af2cb8c 
-        { CKA_EXTRACTABLE, &cfalse,  sizeof (cfalse) }
af2cb8c 
+        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
af2cb8c 
     };
af2cb8c
af2cb8c 
     rv = ((CK_FUNCTION_LIST_PTR)session->module->sym)->C_GenerateKeyPair(session->session,
af2cb8c 
@@ -2420,6 +2425,7 @@
af2cb8c 
     CK_OBJECT_HANDLE domainPar, publicKey, privateKey;
af2cb8c 
     CK_BBOOL ctrue = CK_TRUE;
af2cb8c 
     CK_BBOOL cfalse = CK_FALSE;
af2cb8c 
+    CK_BBOOL cextractable = CK_FALSE;
af2cb8c
af2cb8c 
     /* ids we create are 16 bytes of data */
af2cb8c 
     unsigned char id[16];
af2cb8c 
@@ -2466,12 +2472,13 @@
af2cb8c 
         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
af2cb8c 
         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
af2cb8c 
         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
af2cb8c 
-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
af2cb8c 
+        { CKA_EXTRACTABLE, &cextractable,  sizeof (cextractable) }
af2cb8c 
     };
af2cb8c
af2cb8c 
     if (!ctx) ctx = _hsm_ctx;
af2cb8c 
     session = hsm_find_repository_session(ctx, repository);
af2cb8c 
     if (!session) return NULL;
af2cb8c 
+    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
af2cb8c
af2cb8c 
     /* check whether this key doesn't happen to exist already */
af2cb8c
af2cb8c 
@@ -2533,6 +2540,7 @@
af2cb8c 
     CK_OBJECT_HANDLE publicKey, privateKey;
af2cb8c 
     CK_BBOOL ctrue = CK_TRUE;
af2cb8c 
     CK_BBOOL cfalse = CK_FALSE;
af2cb8c 
+    CK_BBOOL cextractable = CK_FALSE;
af2cb8c
af2cb8c 
     /* ids we create are 16 bytes of data */
af2cb8c 
     unsigned char id[16];
af2cb8c 
@@ -2569,12 +2577,13 @@
af2cb8c 
         { CKA_SENSITIVE,           &ctrue,   sizeof(ctrue)   },
af2cb8c 
         { CKA_TOKEN,               &ctrue,   sizeof(ctrue)   },
af2cb8c 
         { CKA_PRIVATE,             &ctrue,   sizeof(ctrue)   },
af2cb8c 
-        { CKA_EXTRACTABLE,         &cfalse,  sizeof(cfalse)  }
af2cb8c 
+        { CKA_EXTRACTABLE,         &cextractable,  sizeof (cextractable) }
af2cb8c 
     };
af2cb8c
af2cb8c 
     if (!ctx) ctx = _hsm_ctx;
af2cb8c 
     session = hsm_find_repository_session(ctx, repository);
af2cb8c 
     if (!session) return NULL;
af2cb8c 
+    cextractable = session->module->config->allow_extract ? CK_TRUE : CK_FALSE;
af2cb8c
af2cb8c 
     /* check whether this key doesn't happen to exist already */
af2cb8c
af2cb8c 
diff -Naur opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h opendnssec-1.4.7/libhsm/src/lib/libhsm.h
af2cb8c 
--- opendnssec-1.4.7-orig/libhsm/src/lib/libhsm.h	2014-12-04 10:17:40.000000000 -0500
af2cb8c 
+++ opendnssec-1.4.7/libhsm/src/lib/libhsm.h	2014-12-08 22:49:16.102212061 -0500
af2cb8c 
@@ -75,6 +75,7 @@
af2cb8c 
 /*! HSM configuration */
af2cb8c 
 typedef struct {
af2cb8c 
     unsigned int use_pubkey;     /*!< Maintain public keys in HSM */
af2cb8c 
+    unsigned int allow_extract;  /*!< Generate CKA_EXTRACTABLE private keys */
af2cb8c 
 } hsm_config_t;
af2cb8c
af2cb8c 
 /*! Data type to describe an HSM */
af2cb8c 
diff -Naur opendnssec-1.4.7-orig/NEWS opendnssec-1.4.7/NEWS
af2cb8c 
--- opendnssec-1.4.7-orig/NEWS	2014-12-04 10:17:40.000000000 -0500
af2cb8c 
+++ opendnssec-1.4.7/NEWS	2014-12-08 22:50:00.560342544 -0500
af2cb8c 
@@ -1,3 +1,9 @@
af2cb8c 
+
af2cb8c 
+Fedora patch:
af2cb8c 
+* Enforcer: New repository option <AllowExtraction/> allows to generate keys
af2cb8c 
+  with CKA_EXTRACTABLE attribute set to TRUE so keys can be wrapped
af2cb8c 
+  and extracted from HSM.
af2cb8c 
+
af2cb8c 
 OpenDNSSEC 1.4.7 - 2014-12-04
af2cb8c
af2cb8c 
 Bugfixes:
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.