From 9845627a43908ad545ccbc33ab4716b9e6dfa56c Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Thu, 14 Dec 2023 14:01:09 +0100 Subject: [PATCH 1/9] sdk: add libp11 to SDK this is the pkcs11 engine for OpenSSL Signed-off-by: Mathieu Tortuyaux --- .../workflows/portage-stable-packages-list | 1 + .../hard-host-depends-0.0.1.ebuild | 1 + .../portage-stable/dev-libs/libp11/Manifest | 1 + .../files/libp11-0.4.12-openssl-3.1.patch | 50 ++++++++++++++++++ .../dev-libs/libp11/libp11-0.4.12-r1.ebuild | 31 +++++++++++ .../dev-libs/libp11/libp11-0.4.12-r4.ebuild | 51 +++++++++++++++++++ .../dev-libs/libp11/metadata.xml | 17 +++++++ 7 files changed, 152 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/libp11/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/libp11/files/libp11-0.4.12-openssl-3.1.patch create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r1.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r4.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/libp11/metadata.xml diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list index 3419f1dfa73..1a3ae1f53e0 100644 --- a/.github/workflows/portage-stable-packages-list +++ b/.github/workflows/portage-stable-packages-list @@ -197,6 +197,7 @@ dev-libs/libnl dev-libs/libpcre dev-libs/libpcre2 dev-libs/libpipeline +dev-libs/libp11 dev-libs/libsodium dev-libs/libtasn1 dev-libs/libunistring diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild index 26bfbd84904..8bcf8ae27e5 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild @@ -95,6 +95,7 @@ RDEPEND="${RDEPEND} # TODO: sys-apps/mosys RDEPEND="${RDEPEND} sys-fs/squashfs-tools + dev-libs/libp11 " # Host dependencies that are needed for delta_generator. diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/Manifest b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/Manifest new file mode 100644 index 00000000000..fcc7ee29886 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/Manifest @@ -0,0 +1 @@ +DIST libp11-0.4.12.tar.gz 516414 BLAKE2B a816749984753a1916dd58860c51b49d316946b59eb3bc839f6a21dcff14de48d7a4937f55fc7ad96a26b914591854d5cf11a1fbac2d5f2f5e04c833973c0e42 SHA512 674cfca2c9eaf162262204c94f9d59d3095dabbc348c1842e758b897e1a5bd4ba08b2d589ec3b2a2d1343a8760eab253e7008dc09ef5b499e2f16385efe5c8cc diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/files/libp11-0.4.12-openssl-3.1.patch b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/files/libp11-0.4.12-openssl-3.1.patch new file mode 100644 index 00000000000..f7f148e07e1 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/files/libp11-0.4.12-openssl-3.1.patch 
@@ -0,0 +1,50 @@ +https://github.com/OpenSC/libp11/pull/503 +https://bugs.gentoo.org/910203 + +From 580c12b78b63d88010a6178d7c4c58186938c479 Mon Sep 17 00:00:00 2001 +From: Dominique Leuenberger +Date: Tue, 6 Jun 2023 14:27:46 +0200 +Subject: [PATCH] Detect openSSL 3.1; compatible to openSSL 3.0 + +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index d6b0ee91..b96979d9 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -33,7 +33,7 @@ AC_C_BIGENDIAN + # issues with applications linking to new openssl, old libp11, and vice versa + case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \ + $PKG_CONFIG --modversion openssl`" in +- 3.0.*) # Predicted engines directory prefix for OpenSSL 3.x ++ 3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x + LIBP11_LT_OLDEST="3" + debian_ssl_prefix="openssl-3.0.0";; + 1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x +From 0697773b403efb8e7fa9f0c0fddcb499fb9b6337 Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Thu, 13 Jul 2023 13:52:54 -0400 +Subject: [PATCH] configure: treat all openssl-3.x releases the same + +OpenSSL's soversion will not change for any 3.x minor release. + +https://www.openssl.org/policies/general/versioning-policy.html +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index b96979d9..c344e84a 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -33,7 +33,7 @@ AC_C_BIGENDIAN + # issues with applications linking to new openssl, old libp11, and vice versa + case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \ + $PKG_CONFIG --modversion openssl`" in +- 3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x ++ 3.*) # Predicted engines directory prefix for OpenSSL 3.x + LIBP11_LT_OLDEST="3" + debian_ssl_prefix="openssl-3.0.0";; + 1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x 
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r1.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r1.ebuild
new file mode 100644
index 00000000000..928c1c97516
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r1.ebuild
@@ -0,0 +1,31 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Abstraction layer to simplify PKCS#11 API"
+HOMEPAGE="https://github.com/opensc/libp11/wiki"
+SRC_URI="https://github.com/OpenSC/${PN}/releases/download/${P}/${P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="doc static-libs"
+
+RDEPEND="dev-libs/openssl:=[bindist(+)]"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig
+ doc? ( app-doc/doxygen )"
+
+src_configure() {
+ econf \
+ --enable-shared \
+ $(use_enable static-libs static) \
+ $(use_enable doc api-doc)
+}
+
+src_install() {
+ default
+
+ find "${ED}" -name '*.la' -delete || die
+}
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r4.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r4.ebuild
new file mode 100644
index 00000000000..6e77eed1ad5
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r4.ebuild
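Review bot: libp11-0.4.12-r1.ebuild is imported without applying `files/libp11-0.4.12-openssl-3.1.patch`, which this same commit adds, and it has no `inherit autotools`, so the configure.ac fix for OpenSSL 3.x detection cannot take effect in this revision. r1 carries the stable `amd64` keyword while the -r4 ebuild added in the next hunk is `~amd64`, so on a stable-keyworded SDK the package manager presumably selects the unpatched r1 unless r4 is accepted explicitly; the r4 hunk is too garbled in this rendering to confirm which patches it applies. Since the commit message says libp11 is wanted as the OpenSSL PKCS#11 engine, consider importing only the revision the SDK is meant to build, or verifying that the selected revision is the one that builds correctly against the SDK's OpenSSL.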
@@ -0,0 +1,51 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit autotools + +DESCRIPTION="Abstraction layer to simplify PKCS#11 API" +HOMEPAGE="https://github.com/opensc/libp11/wiki" +SRC_URI="https://github.com/OpenSC/${PN}/releases/download/${P}/${P}.tar.gz" + +LICENSE="LGPL-2.1" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="doc static-libs test" +RESTRICT="!test? ( test )" + +RDEPEND=" + + + + + + Library implementing a small layer on top of PKCS#11 API to make + using PKCS#11 implementations easier. + + + Generate and install API documentation for the package. + + + cpe:/a:opensc-project:libp11 + opensc/libp11 + opensc + + From 86f4e68f539a78ad0734345515d8b0bf40b3e977 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Thu, 14 Dec 2023 14:10:22 +0100 Subject: [PATCH 2/9] sdk: add opensc dependency it's used to interact with the HSM device. 
Signed-off-by: Mathieu Tortuyaux --- .../workflows/portage-stable-packages-list | 6 + .../hard-host-depends-0.0.1.ebuild | 1 + .../acct-group/openct/metadata.xml | 5 + .../acct-group/openct/openct-0-r2.ebuild | 8 + .../acct-group/pcscd/metadata.xml | 5 + .../acct-group/pcscd/pcscd-0-r2.ebuild | 8 + .../acct-group/usb/metadata.xml | 5 + .../acct-group/usb/usb-0-r2.ebuild | 8 + .../acct-user/pcscd/metadata.xml | 5 + .../acct-user/pcscd/pcscd-0-r2.ebuild | 13 ++ .../portage-stable/dev-libs/opensc/Manifest | 1 + .../files/opensc-0.23.0-CVE-2023-2977.patch | 49 ++++ .../files/opensc-0.23.0-backport-pr2656.patch | 215 ++++++++++++++++++ .../files/opensc-0.23.0-backport-pr2765.patch | 39 ++++ .../dev-libs/opensc/files/opensc.module | 8 + .../dev-libs/opensc/metadata.xml | 30 +++ .../dev-libs/opensc/opensc-0.23.0-r2.ebuild | 81 +++++++ .../dev-libs/opensc/opensc-0.23.0-r3.ebuild | 82 +++++++ .../dev-libs/opensc/opensc-9999.ebuild | 81 +++++++ .../sys-apps/pcsc-lite/Manifest | 2 + .../pcsc-lite/files/99-pcscd-hotplug-r1.rules | 6 + .../files/pcsc-lite-1.8.11-polkit-pcscd.patch | 20 ++ .../files/pcsc-lite-1.9.8-systemd-user.patch | 18 ++ .../sys-apps/pcsc-lite/files/pcscd-init.7 | 22 ++ .../sys-apps/pcsc-lite/files/pcscd-udev | 14 ++ .../sys-apps/pcsc-lite/files/pcscd.conf | 1 + .../sys-apps/pcsc-lite/metadata.xml | 18 ++ .../sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild | 109 +++++++++ .../sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild | 109 +++++++++ 29 files changed, 969 insertions(+) create mode 100644 sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml create mode 100644 sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml create mode 100644 sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml create mode 100644 
sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml create mode 100644 sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc.module create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/opensc/metadata.xml create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r2.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-9999.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/Manifest create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/99-pcscd-hotplug-r1.rules create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.8.11-polkit-pcscd.patch create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.9.8-systemd-user.patch create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-init.7 create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-udev create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd.conf create mode 100644 
sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/metadata.xml create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild create mode 100644 sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list index 1a3ae1f53e0..cc0de16c01d 100644 --- a/.github/workflows/portage-stable-packages-list +++ b/.github/workflows/portage-stable-packages-list @@ -17,7 +17,9 @@ acct-group/messagebus acct-group/netperf acct-group/nobody acct-group/ntp +acct-group/openct acct-group/pcap +acct-group/pcscd acct-group/polkitd acct-group/portage acct-group/render @@ -34,6 +36,7 @@ acct-group/systemd-timesync acct-group/tape acct-group/tss acct-group/tty +acct-group/usb acct-group/users acct-group/utmp acct-group/uucp @@ -47,6 +50,7 @@ acct-user/netperf acct-user/nobody acct-user/ntp acct-user/pcap +acct-user/pcscd acct-user/polkitd acct-user/portage acct-user/root @@ -214,6 +218,7 @@ dev-libs/nettle dev-libs/npth dev-libs/nspr dev-libs/oniguruma +dev-libs/opensc dev-libs/popt dev-libs/protobuf dev-libs/userspace-rcu @@ -469,6 +474,7 @@ sys-apps/miscfiles sys-apps/net-tools sys-apps/nvme-cli sys-apps/pciutils +sys-apps/pcsc-lite sys-apps/portage sys-apps/pv sys-apps/sandbox diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild index 8bcf8ae27e5..ee0837d2ddb 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild 
@@ -96,6 +96,7 @@ RDEPEND="${RDEPEND} RDEPEND="${RDEPEND} sys-fs/squashfs-tools dev-libs/libp11 + dev-libs/opensc " # Host dependencies that are needed for delta_generator. diff --git a/sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml new file mode 100644 index 00000000000..115e9d64a66 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml @@ -0,0 +1,5 @@ + + + + + diff --git a/sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild new file mode 100644 index 00000000000..e373f6d1526 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild @@ -0,0 +1,8 @@ +# Copyright 2020-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit acct-group + +ACCT_GROUP_ID=46 diff --git a/sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml new file mode 100644 index 00000000000..115e9d64a66 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml @@ -0,0 +1,5 @@ + + + + + diff --git a/sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild new file mode 100644 index 00000000000..29a733881a7 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild @@ -0,0 +1,8 @@ +# Copyright 2020-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +inherit acct-group + +ACCT_GROUP_ID=47 
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml
new file mode 100644
index 00000000000..115e9d64a66
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml
@@ -0,0 +1,5 @@
+
+
+
+
+
diff --git a/sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild
new file mode 100644
index 00000000000..8f739063b3e
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild
@@ -0,0 +1,8 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-group
+
+ACCT_GROUP_ID=85
diff --git a/sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml
new file mode 100644
index 00000000000..115e9d64a66
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml
@@ -0,0 +1,5 @@
+
+
+
+
+
diff --git a/sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild
new file mode 100644
index 00000000000..e2ef2fb4579
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild
@@ -0,0 +1,13 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-user
+
+DESCRIPTION="A user for pcsc-lite"
+ACCT_USER_ID=47
+ACCT_USER_GROUPS=( pcscd openct usb )
+ACCT_USER_GROUPS=( pcscd openct )
+
+acct-user_add_deps
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest
new file mode 100644
index 00000000000..5d4728329fb
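Review bot: In acct-user/pcscd/pcscd-0-r2.ebuild `ACCT_USER_GROUPS` is assigned twice in a row, `ACCT_USER_GROUPS=( pcscd openct usb )` immediately followed by `ACCT_USER_GROUPS=( pcscd openct )`; the second bash assignment replaces the first, so the pcscd user is never added to the `usb` group even though this commit imports acct-group/usb for exactly that purpose. The hunk header's 13-line count matches the lines shown, so this does not look like a rendering artefact. Decide which membership is intended: if pcscd needs `usb` group access to reach readers, delete the second line; if it does not (the least-privilege option, assuming device access is handled by the pcsc-lite udev rules listed in the diffstat), delete the first line and acct-group/usb can be dropped from the import.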
--- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest @@ -0,0 +1 @@ +DIST opensc-0.23.0.tar.gz 2366469 BLAKE2B c0f74379a70347a58be27684ae2cf833e6f35328b566af2c6daa8276174864406fa176acf7ba84931970fe07e3dd8d6eccf7884f079cb0110c4d6ff9a76792dc SHA512 cd102cd64e719c59153960a4921b7525055045f16e6f6ffa8c9def6ce999a9c5098267b41f8753b41107f626bea20c34561002f5d38eddb4ce6b371913a17a1b diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch new file mode 100644 index 00000000000..ad3bc1fadc9 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch 
@@ -0,0 +1,49 @@ +From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001 +From: fullwaywang +Date: Mon, 29 May 2023 10:38:48 +0800 +Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer + overrun bug. Fixes #2785 + +--- + src/pkcs15init/pkcs15-cardos.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c +index 9715cf390f..f41f73c349 100644 +--- a/src/pkcs15init/pkcs15-cardos.c ++++ b/src/pkcs15init/pkcs15-cardos.c +@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + sc_apdu_t apdu; + u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; + int r; +- const u8 *p = rbuf, *q; ++ const u8 *p = rbuf, *q, *pp; + size_t len, tlen = 0, ilen = 0; + + sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88); +@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + return 0; + + while (len != 0) { +- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); +- if (p == NULL) ++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); ++ if (pp == NULL) + return 0; + if (card->type == SC_CARD_TYPE_CARDOS_M4_3) { + /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */ + /* and Package Number 0x07 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x07) +@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) { + /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */ + /* and Package Number 0x02 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x02) 
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch new file mode 100644 index 00000000000..f9ce72d3177 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch 
@@ -0,0 +1,215 @@ +https://bugs.gentoo.org/909781 +https://github.com/OpenSC/libp11/issues/478 +https://github.com/OpenSC/OpenSC/pull/2656 + +From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 1 Dec 2022 20:08:53 +0100 +Subject: [PATCH 1/4] pkcs11-tool: Fix private key import + +--- + src/tools/pkcs11-tool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c +index aae205fe2c..cfee8526d5 100644 +--- a/src/tools/pkcs11-tool.c ++++ b/src/tools/pkcs11-tool.c +@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) + RSA_get0_factors(r, &r_p, &r_q); + RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp); + #else +- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 || ++ if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 || +- EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) { + util_fatal("OpenSSL error during RSA private key parsing"); ++ EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) { + } + #endif + RSA_GET_BN(rsa, private_exponent, r_d); + +From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 1 Dec 2022 20:11:41 +0100 +Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors + +--- + src/tools/pkcs11-tool.c | 15 ++++++--------- + 1 file changed, 6 insertions(+), 9 deletions(-) + +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c +index cfee8526d5..f2e6b1dd91 100644 +--- a/src/tools/pkcs11-tool.c ++++ b/src/tools/pkcs11-tool.c +@@ -3641,10 +3641,8 
@@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) + const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp; + r = EVP_PKEY_get1_RSA(pkey); + if (!r) { +- if (private) +- util_fatal("OpenSSL error during RSA private key parsing"); +- else +- util_fatal("OpenSSL error during RSA public key parsing"); ++ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public", ++ ERR_error_string(ERR_peek_last_error(), NULL)); + } + + RSA_get0_key(r, &r_n, &r_e, NULL); +@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) + BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL; + if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) { +- if (private) +- util_fatal("OpenSSL error during RSA private key parsing"); +- else +- util_fatal("OpenSSL error during RSA public key parsing"); ++ util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public", ++ ERR_error_string(ERR_peek_last_error(), NULL)); + } + #endif + RSA_GET_BN(rsa, modulus, r_n); +@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa) + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 || + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 || +- util_fatal("OpenSSL error during RSA private key parsing"); + EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) { ++ util_fatal("OpenSSL error during RSA private key parsing: %s", ++ ERR_error_string(ERR_peek_last_error(), NULL)); + } + #endif + RSA_GET_BN(rsa, private_exponent, r_d); + +From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 1 Dec 2022 20:38:31 +0100 +Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import + +--- + tests/Makefile.am | 10 ++++--- + 
tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++ + 2 files changed, 54 insertions(+), 4 deletions(-) + create mode 100755 tests/test-pkcs11-tool-import.sh + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index d378e2ee00..9d8a24c321 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \ + test-pkcs11-tool-test-threads.sh \ + test-pkcs11-tool-sign-verify.sh \ + test-pkcs11-tool-allowed-mechanisms.sh \ +- test-pkcs11-tool-sym-crypt-test.sh\ +- test-pkcs11-tool-unwrap-wrap-test.sh ++ test-pkcs11-tool-sym-crypt-test.sh \ ++ test-pkcs11-tool-unwrap-wrap-test.sh \ ++ test-pkcs11-tool-import.sh + + .NOTPARALLEL: + TESTS = \ +@@ -25,8 +26,9 @@ TESTS = \ + test-pkcs11-tool-test.sh \ + test-pkcs11-tool-test-threads.sh \ + test-pkcs11-tool-allowed-mechanisms.sh \ +- test-pkcs11-tool-sym-crypt-test.sh\ +- test-pkcs11-tool-unwrap-wrap-test.sh ++ test-pkcs11-tool-sym-crypt-test.sh \ ++ test-pkcs11-tool-unwrap-wrap-test.sh \ ++ test-pkcs11-tool-import.sh + XFAIL_TESTS = \ + test-pkcs11-tool-test-threads.sh \ + test-pkcs11-tool-test.sh +diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh +new file mode 100755 +index 0000000000..76ff8e51be +--- /dev/null ++++ b/tests/test-pkcs11-tool-import.sh +@@ -0,0 +1,48 @@ ++#!/bin/bash ++SOURCE_PATH=${SOURCE_PATH:-..} ++ ++source $SOURCE_PATH/tests/common.sh ++ ++echo "=======================================================" ++echo "Setup SoftHSM" ++echo "=======================================================" ++if [[ ! -f $P11LIB ]]; then ++ echo "WARNING: The SoftHSM is not installed. 
Can not run this test" ++ exit 77; ++fi ++card_setup ++ ++ID="0100" ++OPTS="" ++for KEYTYPE in "RSA" "EC"; do ++ echo "=======================================================" ++ echo "Generate and import $KEYTYPE keys" ++ echo "=======================================================" ++ if [ "$KEYTYPE" == "RSA" ]; then ++ ID="0100" ++ elif [ "$KEYTYPE" == "EC" ]; then ++ ID="0200" ++ OPTS="-pkeyopt ec_paramgen_curve:P-521" ++ fi ++ openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS ++ assert $? "Failed to generate private $KEYTYPE key" ++ $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \ ++ --label "$KEYTYPE" -p "$PIN" --module "$P11LIB" ++ assert $? "Failed to write private $KEYTYPE key" ++ ++ openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER ++ assert $? "Failed to convert private $KEYTYPE key to public" ++ $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \ ++ -p $PIN --module $P11LIB ++ assert $? 
"Failed to write public $KEYTYPE key" ++ # certificate import already tested in all other tests ++ ++ rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der" ++done ++ ++echo "=======================================================" ++echo "Cleanup" ++echo "=======================================================" ++card_cleanup ++ ++exit $ERRORS + +From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 2 Dec 2022 18:07:43 +0100 +Subject: [PATCH 4/4] Simplify the new test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com> +--- + tests/test-pkcs11-tool-import.sh | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh +index 76ff8e51be..c90b3b4926 100755 +--- a/tests/test-pkcs11-tool-import.sh ++++ b/tests/test-pkcs11-tool-import.sh +@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then + fi + card_setup + +-ID="0100" +-OPTS="" + for KEYTYPE in "RSA" "EC"; do + echo "=======================================================" + echo "Generate and import $KEYTYPE keys" + echo "=======================================================" +- if [ "$KEYTYPE" == "RSA" ]; then +- ID="0100" +- elif [ "$KEYTYPE" == "EC" ]; then ++ ID="0100" ++ OPTS="" ++ if [ "$KEYTYPE" == "EC" ]; then + ID="0200" + OPTS="-pkeyopt ec_paramgen_curve:P-521" + fi diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch new file mode 100644 index 00000000000..72572c598ac --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch 
@@ -0,0 +1,39 @@ +https://bugs.gentoo.org/909781 +https://github.com/OpenSC/OpenSC/pull/2765 + +From 36178c8188521f2627d2eea428a7e53d149eed58 Mon Sep 17 00:00:00 2001 +From: Peter Popovec +Date: Fri, 28 Apr 2023 10:50:25 +0200 +Subject: [PATCH] Fix pkcs11-tool unwrap / incorrect CKA_ID + +"object_id[]" and "id_len" must be allocated so that it is not deallocated +or overwritten (on the stack) at the time of the C_UnwrapKey() call. + + modified: src/tools/pkcs11-tool.c +--- + src/tools/pkcs11-tool.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c +index 890ca27060..f3a01ab4cf 100644 +--- a/src/tools/pkcs11-tool.c ++++ b/src/tools/pkcs11-tool.c +@@ -3347,6 +3347,8 @@ unwrap_key(CK_SESSION_HANDLE session) + {CKA_CLASS, &secret_key_class, sizeof(secret_key_class)}, + {CKA_TOKEN, &_true, sizeof(_true)}, + }; ++ CK_BYTE object_id[100]; ++ size_t id_len; + CK_OBJECT_HANDLE hSecretKey; + int n_attr = 2; + CK_RV rv; +@@ -3450,9 +3452,6 @@ unwrap_key(CK_SESSION_HANDLE session) + } + + if (opt_application_id != NULL) { +- CK_BYTE object_id[100]; +- size_t id_len; +- + id_len = sizeof(object_id); + if (!sc_hex_to_bin(opt_application_id, object_id, &id_len)) { + FILL_ATTR(keyTemplate[n_attr], CKA_ID, object_id, id_len); diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc.module b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc.module new file mode 100644 index 00000000000..3246ab4da0a --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc.module 
@@ -0,0 +1,8 @@ +# This file describes how to load the opensc module +# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html + +# This is a relative path, which means it will be loaded from +# the p11-kit default path which is usually $(libdir)/pkcs11. +# Doing it this way allows for packagers to package opensc for +# 32-bit and 64-bit and make them parallel installable +module: onepin-opensc-pkcs11.so diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/metadata.xml b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/metadata.xml new file mode 100644 index 00000000000..67d2c026ef0 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/metadata.xml @@ -0,0 +1,30 @@ + + + + + soap@gentoo.org + David Seifert + + + OpenSC is a library for accessing SmartCard devices. It is also + the core library of the OpenSC project. + + Basic functionality (e.g. SELECT FILE, READ BINARY) should work on + any ISO 7816-4 compatible SmartCard. Encryption and decryption + using private keys on the SmartCard is possible with PKCS #15 + compatible cards, such as the FINEID (Finnish Electronic IDentity) + card. + + + Use CT-API for accessing Smartcard hardware + Enable notifications + Use dev-libs/openct (and CT-API) for accessing Smartcard hardware + Use dev-libs/openpace for EAC version 2 support + Use sys-apps/pcsc-lite (and PC/SC API) for accessing Smartcard hardware + Enable secure messaging + + + OpenSC/OpenSC + opensc + + diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r2.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r2.ebuild new file mode 100644 index 00000000000..f372e3e254a --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r2.ebuild 
@@ -0,0 +1,81 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools bash-completion-r1
+
+DESCRIPTION="Libraries and applications to access smartcards"
+HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
+
+if [[ ${PV} == *9999 ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
+else
+ SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
+ KEYWORDS="amd64 ~arm ~arm64 ~hppa ~loong ~ppc ppc64 ~riscv ~s390 ~sparc x86"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
+RESTRICT="!test? ( test )"
+
+RDEPEND="zlib? ( sys-libs/zlib )
+ readline? ( sys-libs/readline:0= )
+ ssl? ( dev-libs/openssl:0= )
+ openct? ( >=dev-libs/openct-0.5.0 )
+ pace? ( dev-libs/openpace:= )
+ pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
+ notify? ( dev-libs/glib:2 )"
+DEPEND="${RDEPEND}
+ app-text/docbook-xsl-stylesheets
+ dev-libs/libxslt
+ test? ( dev-util/cmocka )"
+BDEPEND="virtual/pkgconfig"
+
+REQUIRED_USE="
+ pcsc-lite? ( !openct !ctapi )
+ openct? ( !pcsc-lite !ctapi )
+ ctapi?
( !pcsc-lite !openct )
+ || ( pcsc-lite openct ctapi )"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-CVE-2023-2977.patch
+ "${FILESDIR}"/${P}-backport-pr2656.patch
+)
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # don't want to run upstream's clang-tidy checks
+ export ac_cv_path_CLANGTIDY=""
+
+ econf \
+ --with-completiondir="$(get_bashcompdir)" \
+ --disable-strict \
+ --enable-man \
+ $(use_enable ctapi) \
+ $(use_enable doc) \
+ $(use_enable notify) \
+ $(use_enable openct) \
+ $(use_enable pace openpace) \
+ $(use_enable pcsc-lite pcsc) \
+ $(use_enable readline) \
+ $(use_enable secure-messaging sm) \
+ $(use_enable ssl openssl) \
+ $(use_enable test cmocka) \
+ $(use_enable zlib)
+}
+
+src_install() {
+ default
+
+ insinto /etc/pkcs11/modules/
+ doins "${FILESDIR}"/opensc.module
+
+ find "${ED}" -name '*.la' -delete || die
+}
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild
new file mode 100644
index 00000000000..dce614bde32
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild
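Review bot: opensc-0.23.0-r2 carries stable `amd64` in KEYWORDS but its PATCHES array stops at `"${FILESDIR}"/${P}-backport-pr2656.patch`, whereas the r3 ebuild added right after it (`~amd64`) also applies `"${FILESDIR}"/${P}-backport-pr2765.patch`, which judging by the patch text earlier in this series is the pkcs11-tool unwrap / CKA_ID fix. If the SDK resolves to the stable revision, that fix is absent from the pkcs11-tool it ships; it is worth confirming which revision the SDK actually selects, or dropping r2 if r3 is the intended one. Since both files are mirrored from Gentoo, a local change here would presumably need to be carried over on the next sync.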
@@ -0,0 +1,82 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools bash-completion-r1
+
+DESCRIPTION="Libraries and applications to access smartcards"
+HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
+
+if [[ ${PV} == *9999 ]]; then
+ inherit git-r3
+ EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
+else
+ SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
+RESTRICT="!test? ( test )"
+
+RDEPEND="zlib? ( sys-libs/zlib )
+ readline? ( sys-libs/readline:0= )
+ ssl? ( dev-libs/openssl:0= )
+ openct? ( >=dev-libs/openct-0.5.0 )
+ pace? ( dev-libs/openpace:= )
+ pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
+ notify? ( dev-libs/glib:2 )"
+DEPEND="${RDEPEND}
+ app-text/docbook-xsl-stylesheets
+ dev-libs/libxslt
+ test? ( dev-util/cmocka )"
+BDEPEND="virtual/pkgconfig"
+
+REQUIRED_USE="
+ pcsc-lite? ( !openct !ctapi )
+ openct? ( !pcsc-lite !ctapi )
+ ctapi?
( !pcsc-lite !openct )
+ || ( pcsc-lite openct ctapi )"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-CVE-2023-2977.patch
+ "${FILESDIR}"/${P}-backport-pr2656.patch
+ "${FILESDIR}"/${P}-backport-pr2765.patch
+)
+
+src_prepare() {
+ default
+ eautoreconf
+}
+
+src_configure() {
+ # don't want to run upstream's clang-tidy checks
+ export ac_cv_path_CLANGTIDY=""
+
+ econf \
+ --with-completiondir="$(get_bashcompdir)" \
+ --disable-strict \
+ --enable-man \
+ $(use_enable ctapi) \
+ $(use_enable doc) \
+ $(use_enable notify) \
+ $(use_enable openct) \
+ $(use_enable pace openpace) \
+ $(use_enable pcsc-lite pcsc) \
+ $(use_enable readline) \
+ $(use_enable secure-messaging sm) \
+ $(use_enable ssl openssl) \
+ $(use_enable test cmocka) \
+ $(use_enable zlib)
+}
+
+src_install() {
+ default
+
+ insinto /etc/pkcs11/modules/
+ doins "${FILESDIR}"/opensc.module
+
+ find "${ED}" -name '*.la' -delete || die
+}
diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-9999.ebuild
new file mode 100644
index 00000000000..a470c4913c3
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-9999.ebuild
@@ -0,0 +1,81 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit bash-completion-r1 libtool
+
+DESCRIPTION="Libraries and applications to access smartcards"
+HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
+
+if [[ ${PV} == *9999 ]]; then
+ inherit autotools git-r3
+ EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
+else
+ SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
+ KEYWORDS="~amd64 ~ppc64 ~x86"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
+RESTRICT="!test? ( test )"
+
+RDEPEND="zlib? ( sys-libs/zlib )
+ readline? ( sys-libs/readline:0= )
+ ssl? ( dev-libs/openssl:0= )
+ openct? ( >=dev-libs/openct-0.5.0 )
+ pace? ( dev-libs/openpace:= )
+ pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
+ notify? ( dev-libs/glib:2 )"
+DEPEND="${RDEPEND}
+ app-text/docbook-xsl-stylesheets
+ dev-libs/libxslt
+ test? ( dev-util/cmocka )"
+BDEPEND="virtual/pkgconfig"
+
+REQUIRED_USE="
+ pcsc-lite? ( !openct !ctapi )
+ openct? ( !pcsc-lite !ctapi )
+ ctapi? ( !pcsc-lite !openct )
+ || ( pcsc-lite openct ctapi )"
+
+src_prepare() {
+ default
+
+ if [[ ${PV} == *9999 ]]; then
+ eautoreconf
+ else
+ elibtoolize
+ fi
+}
+
+src_configure() {
+ # don't want to run upstream's clang-tidy checks
+ export ac_cv_path_CLANGTIDY=""
+
+ econf \
+ --with-completiondir="$(get_bashcompdir)" \
+ --disable-strict \
+ --enable-man \
+ $(use_enable ctapi) \
+ $(use_enable doc) \
+ $(use_enable notify) \
+ $(use_enable openct) \
+ $(use_enable pace openpace) \
+ $(use_enable pcsc-lite pcsc) \
+ $(use_enable readline) \
+ $(use_enable secure-messaging sm) \
+ $(use_enable ssl openssl) \
+ $(use_enable test cmocka) \
+ $(use_enable zlib)
+}
+
+src_install() {
+ default
+
+ insinto /etc/pkcs11/modules/
+ doins "${FILESDIR}"/opensc.module
+
+ find "${ED}" -name '*.la' -delete || die
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/Manifest b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/Manifest new file mode 100644 index 00000000000..59e3eaefc64 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/Manifest @@ -0,0 +1,2 @@ +DIST pcsc-lite-2.0.0.tar.bz2 799011 BLAKE2B d93fffebbe3daf389fcd8195c9fb3d76db64dbb98ac9c7ecd08338331389298e710ca71187cb73165868b0b5e66cb9735b60e22d508db1c1a81e04555103948a SHA512 4b34628d3269ae1859f19d2ab7eb74a76a55f3d76fbc9e4e420a081a065b1d0d7b98680552c7208f3265c684bed844afc6be1c2e5f103ad916ce7f38b52ee68c +DIST pcsc-lite-2.0.1.tar.bz2 815103 BLAKE2B a9eea4a4da1a78fc22797b17c128889b2f7caf8c4aa02dd77f4ac79e4ec458fb0162578b5422552545cd39303750d5396f3687f8cfee7603fad8d60cb54ee1e8 SHA512 af007f00f43e8d897710580f6f27814c9e7d3ca489ff01edf2e3b979e46267915aa04d9c15f225a420fa681de936e42a1d4779d962717cf9a9f4a3d1ca31502b diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/99-pcscd-hotplug-r1.rules b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/99-pcscd-hotplug-r1.rules new file mode 100644 index 00000000000..fc612d5e25f --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/99-pcscd-hotplug-r1.rules @@ -0,0 +1,6 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +# We add this here so that it runs after ccid's and ifd-gempc's rules; +# if we just added a pcscd-owned device, we hotplug the pcscd service. +ACTION=="add", ENV{PCSCD}=="1", GROUP="pcscd", TAG+="systemd", ENV{SYSTEMD_WANTS}+="pcscd.service", RUN+="pcscd.sh" diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.8.11-polkit-pcscd.patch b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.8.11-polkit-pcscd.patch new file mode 100644 index 00000000000..e7a7b515820 --- /dev/null 
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.8.11-polkit-pcscd.patch @@ -0,0 +1,20 @@ +Index: pcsc-lite-1.8.11/doc/org.debian.pcsc-lite.policy +=================================================================== +--- pcsc-lite-1.8.11.orig/doc/org.debian.pcsc-lite.policy ++++ pcsc-lite-1.8.11/doc/org.debian.pcsc-lite.policy +@@ -15,6 +15,7 @@ + auth_admin + yes + ++ unix-user:pcscd + + + +@@ -25,6 +26,7 @@ + auth_admin + yes + ++ unix-user:pcscd + + + diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.9.8-systemd-user.patch b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.9.8-systemd-user.patch new file mode 100644 index 00000000000..4d64c5c032f --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.9.8-systemd-user.patch @@ -0,0 +1,18 @@ +Don't run the daemon as root +https://bugs.gentoo.org/545390 + +--- a/etc/pcscd.service.in ++++ b/etc/pcscd.service.in +@@ -4,9 +4,12 @@ + Documentation=man:pcscd(8) + + [Service] ++PIDFile=/run/pcscd/pcscd.pid + ExecStart=@sbindir_exp@/pcscd --foreground --auto-exit $PCSCD_ARGS + ExecReload=@sbindir_exp@/pcscd --hotplug + EnvironmentFile=-@sysconfdir@/default/pcscd ++User=pcscd ++Group=pcscd + + [Install] + Also=pcscd.socket diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-init.7 b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-init.7 new file mode 100644 index 00000000000..daf880f0e75 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-init.7 
@@ -0,0 +1,22 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+name="PC/SC Daemon"
+
+pidfile=/run/pcscd/pcscd.pid
+
+command=/usr/sbin/pcscd
+command_args="${EXTRA_OPTS}"
+
+start_stop_daemon_args="--user pcscd:pcscd"
+
+depend() {
+ need localmount
+ after udev openct dbus
+ use logger
+}
+
+start_pre() {
+ checkpath -q -d -m 0755 -o pcscd:pcscd /run/pcscd
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-udev b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-udev
new file mode 100644
index 00000000000..e6d6c734888
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-udev
@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# pcscd.sh: udev external RUN script
+#
+# based on netifrc net.sh helper
+# Copyright 2007 Roy Marples
+# Distributed under the terms of the GNU General Public License v2
+
+# make sure openrc is managing services
+if [ ! -d /run/openrc ]; then
+ exit 0
+fi
+
+IN_HOTPLUG=1 /etc/init.d/pcscd --quiet start
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd.conf b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd.conf
new file mode 100644
index 00000000000..168c860e88c
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd.conf
@@ -0,0 +1 @@
+d /run/pcscd 0755 pcscd pcscd -
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/metadata.xml
new file mode 100644
index 00000000000..90fbe94fb35
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/metadata.xml
@@ -0,0 +1,18 @@ + + + + + base-system@gentoo.org + Gentoo Base System + + + limit RAM and CPU ressources by disabling features + Use dev-libs/libusb detection to hotplug new smartcard readers. This flag should only be enabled if you're running a non-Linux kernel or you don't want to use udev. + Use virtual/libudev rules to handle devices' permissions and hotplug support. Unless you know what you're doing do not disable this flag on Linux kernels. This is provided as an option for completeness. + Uses sys-auth/polkit to restrict access to smartcard readers or smartcards to given users. + + + https://salsa.debian.org/rousseau/PCSC/blob/master/ChangeLog + LudovicRousseau/PCSC + + diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild new file mode 100644 index 00000000000..2b817740a74 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild 
@@ -0,0 +1,109 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit python-single-r1 systemd tmpfiles udev multilib-minimal
+
+DESCRIPTION="PC/SC Architecture smartcard middleware library"
+HOMEPAGE="https://pcsclite.apdu.fr https://github.com/LudovicRousseau/PCSC"
+SRC_URI="https://pcsclite.apdu.fr/files/${P}.tar.bz2"
+
+# GPL-2 is there for the init script; everything else comes from
+# upstream.
+LICENSE="BSD ISC MIT GPL-3+ GPL-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos"
+# This is called libusb so that it doesn't fool people in thinking that
+# it is _required_ for USB support. Otherwise they'll disable udev and
+# that's going to be worse.
+IUSE="doc embedded libusb policykit selinux systemd +udev"
+REQUIRED_USE="^^ ( udev libusb ) ${PYTHON_REQUIRED_USE}"
+
+# No dependencies need the MULTILIB_DEPS because the libraries are actually
+# standalone, the deps are only needed for the daemon itself.
+DEPEND="
+ libusb? ( virtual/libusb:1 )
+ udev? ( virtual/libudev:= )
+ policykit? ( >=sys-auth/polkit-0.111 )
+ acct-group/openct
+ acct-group/pcscd
+ acct-user/pcscd
+ ${PYTHON_DEPS}"
+RDEPEND="${DEPEND}
+ selinux?
( sec-policy/selinux-pcscd )"
+BDEPEND="
+ sys-devel/flex
+ virtual/pkgconfig"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.8.11-polkit-pcscd.patch
+ "${FILESDIR}"/${PN}-1.9.8-systemd-user.patch
+)
+
+multilib_src_configure() {
+ ECONF_SOURCE="${S}" econf \
+ --disable-maintainer-mode \
+ --disable-strict \
+ --enable-usbdropdir="${EPREFIX}"/usr/$(get_libdir)/readers/usb \
+ --enable-ipcdir=/run/pcscd \
+ --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
+ $(multilib_native_use_enable doc documentation) \
+ $(multilib_native_use_enable embedded) \
+ $(multilib_native_use_enable systemd libsystemd) \
+ $(multilib_native_use_enable udev libudev) \
+ $(multilib_native_use_enable libusb) \
+ $(multilib_native_use_enable policykit polkit)
+}
+
+multilib_src_install_all() {
+ einstalldocs
+ dodoc HELP SECURITY
+
+ newinitd "${FILESDIR}"/pcscd-init.7 pcscd
+ dotmpfiles "${FILESDIR}"/pcscd.conf
+
+ if use udev; then
+ exeinto "$(get_udevdir)"
+ newexe "${FILESDIR}"/pcscd-udev pcscd.sh
+
+ insinto "$(get_udevdir)"/rules.d
+ newins "${FILESDIR}"/99-pcscd-hotplug-r1.rules 99-pcscd-hotplug.rules
+ fi
+
+ python_fix_shebang "${ED}"/usr/bin/pcsc-spy
+
+ find "${ED}" -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+ elog "Starting from version 1.6.5, pcsc-lite will start as user nobody in"
+ elog "the pcscd group, to avoid running as root."
+ elog
+ elog "This also means you need the newest drivers available so that the"
+ elog "devices get the proper owner."
+ elog
+ elog "Furthermore, a conf.d file is no longer installed by default, as"
+ elog "the default configuration does not require one. If you need to"
+ elog "pass further options to pcscd, create a file and set the"
+ elog "EXTRA_OPTS variable."
+ elog
+
+ if use udev; then
+ elog "Hotplug support is provided by udev rules."
+ elog "When using OpenRC you additionally need to tell it to hotplug"
+ elog "pcscd by setting this variable in /etc/rc.conf:"
+ elog
+ elog " rc_hotplug=\"pcscd\""
+ fi
+
+ tmpfiles_process pcscd.conf
+
+ use udev && udev_reload
+}
+
+pkg_postrm() {
+ use udev && udev_reload
+}
diff --git a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild
new file mode 100644
index 00000000000..3a0cf3c74ca
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild
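Review bot: The `pkg_postinst` message in this file section tells administrators that pcsc-lite "will start as user nobody in the pcscd group", but the systemd-user patch added in this series sets `User=pcscd` / `Group=pcscd` and the OpenRC script passes `--user pcscd:pcscd`, so the text names the wrong account for device ownership. Suggest `elog "Starting from version 1.6.5, pcsc-lite will start as user pcscd in"` with the following `elog "the pcscd group, to avoid running as root."` line unchanged. The identical text appears in pcsc-lite-2.0.1.ebuild, the next file section. As these ebuilds are mirrored from Gentoo, the wording fix is presumably best carried upstream rather than diverging locally.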
@@ -0,0 +1,109 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit python-single-r1 systemd tmpfiles udev multilib-minimal
+
+DESCRIPTION="PC/SC Architecture smartcard middleware library"
+HOMEPAGE="https://pcsclite.apdu.fr https://github.com/LudovicRousseau/PCSC"
+SRC_URI="https://pcsclite.apdu.fr/files/${P}.tar.bz2"
+
+# GPL-2 is there for the init script; everything else comes from
+# upstream.
+LICENSE="BSD ISC MIT GPL-3+ GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos"
+# This is called libusb so that it doesn't fool people in thinking that
+# it is _required_ for USB support. Otherwise they'll disable udev and
+# that's going to be worse.
+IUSE="doc embedded libusb policykit selinux systemd +udev"
+REQUIRED_USE="^^ ( udev libusb ) ${PYTHON_REQUIRED_USE}"
+
+# No dependencies need the MULTILIB_DEPS because the libraries are actually
+# standalone, the deps are only needed for the daemon itself.
+DEPEND="
+ libusb? ( virtual/libusb:1 )
+ udev? ( virtual/libudev:= )
+ policykit? ( >=sys-auth/polkit-0.111 )
+ acct-group/openct
+ acct-group/pcscd
+ acct-user/pcscd
+ ${PYTHON_DEPS}"
+RDEPEND="${DEPEND}
+ selinux?
( sec-policy/selinux-pcscd )"
+BDEPEND="
+ sys-devel/flex
+ virtual/pkgconfig"
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.8.11-polkit-pcscd.patch
+ "${FILESDIR}"/${PN}-1.9.8-systemd-user.patch
+)
+
+multilib_src_configure() {
+ ECONF_SOURCE="${S}" econf \
+ --disable-maintainer-mode \
+ --disable-strict \
+ --enable-usbdropdir="${EPREFIX}"/usr/$(get_libdir)/readers/usb \
+ --enable-ipcdir=/run/pcscd \
+ --with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
+ $(multilib_native_use_enable doc documentation) \
+ $(multilib_native_use_enable embedded) \
+ $(multilib_native_use_enable systemd libsystemd) \
+ $(multilib_native_use_enable udev libudev) \
+ $(multilib_native_use_enable libusb) \
+ $(multilib_native_use_enable policykit polkit)
+}
+
+multilib_src_install_all() {
+ einstalldocs
+ dodoc HELP SECURITY
+
+ newinitd "${FILESDIR}"/pcscd-init.7 pcscd
+ dotmpfiles "${FILESDIR}"/pcscd.conf
+
+ if use udev; then
+ exeinto "$(get_udevdir)"
+ newexe "${FILESDIR}"/pcscd-udev pcscd.sh
+
+ insinto "$(get_udevdir)"/rules.d
+ newins "${FILESDIR}"/99-pcscd-hotplug-r1.rules 99-pcscd-hotplug.rules
+ fi
+
+ python_fix_shebang "${ED}"/usr/bin/pcsc-spy
+
+ find "${ED}" -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+ elog "Starting from version 1.6.5, pcsc-lite will start as user nobody in"
+ elog "the pcscd group, to avoid running as root."
+ elog
+ elog "This also means you need the newest drivers available so that the"
+ elog "devices get the proper owner."
+ elog
+ elog "Furthermore, a conf.d file is no longer installed by default, as"
+ elog "the default configuration does not require one. If you need to"
+ elog "pass further options to pcscd, create a file and set the"
+ elog "EXTRA_OPTS variable."
+ elog
+
+ if use udev; then
+ elog "Hotplug support is provided by udev rules."
+ elog "When using OpenRC you additionally need to tell it to hotplug"
+ elog "pcscd by setting this variable in /etc/rc.conf:"
+ elog
+ elog " rc_hotplug=\"pcscd\""
+ fi
+
+ tmpfiles_process pcscd.conf
+
+ use udev && udev_reload
+}
+
+pkg_postrm() {
+ use udev && udev_reload
+}
From 31b722d0ba1a7915b335c59840ca18d8a40b86c0 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Thu, 14 Dec 2023 14:45:21 +0100
Subject: [PATCH 3/9] sdk: add app-crypt/ccid required for pcsc-lite daemon to work
Signed-off-by: Mathieu Tortuyaux
---
 .../workflows/portage-stable-packages-list | 1 +
 .../hard-host-depends-0.0.1.ebuild | 2 +
 .../portage-stable/app-crypt/ccid/Manifest | 1 +
 .../app-crypt/ccid/ccid-1.5.1.ebuild | 45 +++++++++++++++++++
 .../app-crypt/ccid/metadata.xml | 11 +++++
 5 files changed, 60 insertions(+)
 create mode 100644 sdk_container/src/third_party/portage-stable/app-crypt/ccid/Manifest
 create mode 100644 sdk_container/src/third_party/portage-stable/app-crypt/ccid/ccid-1.5.1.ebuild
 create mode 100644 sdk_container/src/third_party/portage-stable/app-crypt/ccid/metadata.xml
diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index cc0de16c01d..db884601917 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -106,6 +106,7 @@ app-containers/runc
 app-crypt/adcli
 app-crypt/argon2
 app-crypt/efitools
+app-crypt/ccid
 app-crypt/libb2
 app-crypt/libmd
 app-crypt/mhash
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
index ee0837d2ddb..e41c79f34e1 100644
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
@@ -93,10 +93,12 @@ RDEPEND="${RDEPEND}
 # Host dependencies that are needed to create and sign images
 # TODO: sys-apps/mosys
+# app-crypt/ccid is required for pcsc-lite daemon to work.
 RDEPEND="${RDEPEND}
 sys-fs/squashfs-tools
 dev-libs/libp11
 dev-libs/opensc
+ app-crypt/ccid
 "
 # Host dependencies that are needed for delta_generator.
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/ccid/Manifest b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/Manifest
new file mode 100644
index 00000000000..2d167910e1f
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/Manifest
@@ -0,0 +1 @@
+DIST ccid-1.5.1.tar.bz2 702586 BLAKE2B 7b9e3c6daf03c186f34ac9b13bd960293a6481f9237ee52937ece1040bd3a79b7dab318e1244205a7feae992261ab5e82292d80ae023a4f621e0e7af7cdb9df5 SHA512 492bde96f5752e2a5316693c44e35e2d041785a00d15e094905c0aafad392f5329009d12801899367276328a582936ee53a1c5239c1813c4536001cb8a608f2e
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/ccid/ccid-1.5.1.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/ccid-1.5.1.ebuild
new file mode 100644
index 00000000000..d2baa038901
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/ccid-1.5.1.ebuild
@@ -0,0 +1,45 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit udev
+
+DESCRIPTION="CCID free software driver"
+HOMEPAGE="https://ccid.apdu.fr https://github.com/LudovicRousseau/CCID"
+SRC_URI="https://ccid.apdu.fr/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~ia64 ppc ppc64 ~riscv ~sparc x86"
+IUSE="twinserial +usb"
+
+RDEPEND="
+ >=sys-apps/pcsc-lite-1.8.3
+ twinserial? ( dev-lang/perl )
+ usb? ( virtual/libusb:1 )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+src_configure() {
+ econf \
+ LEX=: \
+ $(use_enable twinserial) \
+ $(use_enable usb libusb)
+}
+
+src_install() {
+ default
+ udev_newrules src/92_pcscd_ccid.rules 92-pcsc-ccid.rules
+}
+
+pkg_postinst() {
+ udev_reload
+ einfo "Check https://github.com/LudovicRousseau/CCID/blob/master/INSTALL"
+ einfo "for more info about how to configure and use ccid"
+}
+
+pkg_postrm() {
+ udev_reload
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/ccid/metadata.xml b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/metadata.xml
new file mode 100644
index 00000000000..cb05a176c9b
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/metadata.xml
@@ -0,0 +1,11 @@
+ + + + + + Enable twinserial reader + + + LudovicRousseau/CCID + +
From dd10c493bb5e31dcddd382c08dcea88987d8bfd5 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Mon, 18 Sep 2023 20:16:07 +0200
Subject: [PATCH 4/9] core_sign_update: use pkcs11 openssl engine
Signed-off-by: Mathieu Tortuyaux
---
 core_sign_update | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core_sign_update b/core_sign_update
index e897d108f61..065b64ad0a7 100755
--- a/core_sign_update
+++ b/core_sign_update
@@ -136,7 +136,7 @@ i=1 signature_sizes="" for key in "${private_keys[@]}"; do if [[ "${key}" == pkcs11* ]]; then - openssl rsautl -engine pkcs11 -pkcs -sign -inkey ${key} -keyform engine -in update.pkcs11-padhash -out update.sig.${i} + OPENSSL_CONF=/etc/ssl/pkcs11.cnf openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "${key}" -in update.pkcs11-padhash -out "update.sig.${i}" elif [[ "${key}" == fero* ]]; then fero-client \ --address $FLAGS_signing_server_address \ From 0ba64271c4667ea5727ae8aa8d00b187f89daf57 Mon Sep 17 00:00:00 2001 From: Mathieu Tortuyaux Date: Fri, 15 Dec 2023 10:09:44 +0100 Subject: [PATCH 5/9] sdk: add generate_payload Signed-off-by: Mathieu Tortuyaux --- generate_payload | 423 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 423 insertions(+) create mode 100755 generate_payload diff --git a/generate_payload b/generate_payload new file mode 100755 index 00000000000..789a11fccce --- /dev/null +++ b/generate_payload 
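Review bot: `-inkey "${key}"` passes the PKCS#11 URI verbatim on the command line, so if it carries a `pin-value` query (the form the PRIVATE_KEYS example in generate_payload suggests) the token PIN is typically readable by other local users through the process table for the duration of the signing call; a `pin-source` reference to a root-readable file, or letting the engine prompt for the PIN, keeps it out of argv. The previous `rsautl` invocation selected PKCS#1 v1.5 explicitly with `-pkcs`, whereas `pkeyutl` now relies on its RSA default; adding `-pkeyopt rsa_padding_mode:pkcs1` keeps the signature format explicit against a future change of default. `OPENSSL_CONF=/etc/ssl/pkcs11.cnf` is hard-coded while the neighbouring fero branch takes its settings from `FLAGS_` variables, so a flag-driven override would fit the script's style. The loop body continues outside the hunk.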
@@ -0,0 +1,423 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ $# -ne 2 ]; then
+ echo "usage: ${0} DATA_DIR KEYS_DIR"
+ exit 1
+fi
+
+if [ -z "${PRIVATE_KEYS}" ]; then
+ echo "PRIVATE_KEYS must be set using the URI form (https://www.rfc-editor.org/rfc/rfc7512#section-2.3)"
+ echo "or using an absolute or relative path."
+ echo "e.g export PRIVATE_KEYS=pkcs11:id=%1?pin-value=12345"
+ echo "NOTE: If multiple keys are available, use '+' as a separator"
+ exit 1
+fi
+
+# Image signing key:
+# $ gpg2 --list-keys --list-options show-unusable-subkeys \
+# --keyid-format SHORT F88CFEDEFF29A5B4D9523864E25D9AED0593B34A
+# pub rsa4096/0593B34A 2018-02-26 [SC]
+# F88CFEDEFF29A5B4D9523864E25D9AED0593B34A
+# uid [ultimate] Flatcar Buildbot (Official Builds)
+# sub rsa4096/064D542D 2018-02-26 [S] [revoked: 2018-03-14]
+# sub rsa4096/D0FC498C 2018-03-14 [S] [revoked: 2018-09-26]
+# sub rsa4096/896E394F 2018-09-26 [S] [expires: 2019-09-26]
+# sub rsa4096/AF9CF1AF 2019-09-30 [S] [expires: 2020-09-29]
+# sub rsa4096/FCBEAB91 2020-08-28 [S] [expires: 2021-08-28]
+# sub rsa4096/250D4A42 2021-08-10 [S] [expires: 2022-08-10]
+GPG_LONG_ID="E25D9AED0593B34A"
+GPG_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFqUFawBEACdnSVBBSx3negnGv7Ppf2D6fbIQAHSzUQ+BA5zEG02BS6EKbJh
+t5TzEKCRw6hpPC4vAHbiO8B36Y884sSU5Wc4WMiuJ0Z4XZiZ/DAOl5TFfWwhwU0l
+SEe/3BWKRtldEs2hM/NLT7A2pLh6gx5NVJNv7PMTDXVuS8AGqIj6eT41r6cPWE67
+pQhC1u91saqIOLB1PnWxw/a7go9x8sJBmEVz0/DRS3dw8qlTx/aKSooyaGzZsfAY
+L1+a/xst8LG4xfyHBSAuHSqi76LXCdBogU2vgz2V46z29hYRDfQQQGb4hE7UCrLp
+EBOVzdQv/vAA9B4FTB+f5a7Vi4pQnM4DBqKaf8XP4wgQWBW439yqna7rKFAW+JIr
+/w8YbczTTlJ2FT8v8z5tbMOZ5a6nXAn45YXh5d80CzqEVnaG8Bbavw3WR3jD81BO
+0WK+K2FcEXzOtWkkwmcj9PrOKVnBmBv5I+0xtpo9Do0vyONyXPDNH/I4b3xilupN
+bWV1SXUu8jpCf/PaNrj7oKHB9Nciv+4lqu/L5YmbaSLBxAvHSsxRpKV53dFtU+sR
+kQM5I774B+GnFvhd6k2uMerWFaA1aq7gv0oOm/H5ZkndR5+eS0SAx49OrMbxKkk0
+OKzVVxFDJ4pJWyix3dL7CwmewzuI0ZFHCANBKbiILEzDugAD3mEUZxa8lQARAQAB
+tD9GbGF0Y2FyIEJ1aWxkYm90IChPZmZpY2lhbCBCdWlsZHMpIDxidWlsZGJvdEBm
+bGF0Y2FyLWxpbnV4Lm9yZz6JAk4EEwEIADgWIQT4jP7e/ymltNlSOGTiXZrtBZOz +SgUCWpQVrAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDiXZrtBZOzSi5G +EACHLSjK24szSj4O8/N9B6TOLnNPJ17At/two/iHfTxrT8lcLM/JQd97wPqH+mVK +hrZ8tCwTZemVeFNXPVy98VYBTjAXscnVh/22DIEYs1wbjD6w8TwgUvzUzpaQJUVu +YlLG3vGAMGaK5FK41BFtsIkar6zaIVy5BPhrA6ASsL9wg9bwSrXT5eKksbaqAZEG +sMiYZxYWzxQHlPu19afxmzBJdVY9YUHEqBYboslGMlLcgErzF7CaiLjDEPkt5Cic +9J3HjIJwlKmVBT6DBdt/tuuzHQntYfPRfOaLVtF/QxRxKNyBtxYndG6k9Vq/cuIN +i5fHpyZ66+9cwswrLISQpAVWa0AW/TENuduj8IU24zCGL7RZVf0jnmALrqkmBTfY +KwtTdpaFle0dC7QP+B27vT/GhBao9KVazfLoAT82bt3hXqjDciAKAstEbqxs75f2 +JhIl0HvqyJ47zY/5zphxZlZ+TfqLvJPoEujEUeuEgKm8xmSgtR/49Ysal6ELxbEg +hc6qLINFeSjyRL20aQkeXtQjmZJGuXbUsLBSbVgUOEU+4vvID7EiYyV7X36OmS5N +4SV0MD0bNF578rL4UwhH1WSDSAgkmrfAhgFNof+MlI4qbn39tPiAT9J9dpENay0r ++yd59VhILA3eafkC6m0rtpejx81sDNoSp3UkUS1Qq167ZLkCDQRalBYrARAAsHEO +v6b39tgGxFeheiTnq5j6N+/OjjJyG21x2Y/nSU5lgqPD8DtgKyFlKvP7Xu+BcaZ7 +hWjL0scvq0LOyagWdzWx5nNTSLuf8e+ShlcIs3u8kFX8QMddyD5l76S7nTl9kE1S +i2WkO6B4JgzRQCAQyr2B/knfE2wrxPsJsnB1qzRIAXHKvs8ev8bR+FfFSENxI5Jg +DoU3KbcyJ5lMKdVhIhSyGSPi1/emEpbEIv1XYV9l8g4b6Ht5fVsgeYUZbOF/z5Gc ++Kwf3ikGr3KCM/fl06xS/jpqM08Z/Uyei/L8b7tv9Wjop5SXN0yPAr0KIGQdnq5z +GMPf9rkG0Xg47JSQcvDJb0o/Ybi3ND3Mj/Ci8q5UtBgs9PWVBS4JyihKYx2Lb+Wj ++LERdEuv2qRPXO045VgOT5g0Ntlc8EvmX3ulofbM2f1DnPnq3OxuYRIscR/Nv4gi +coNLexv/+mmhdxVJKCSTVPp4SoK4MdBOT0B6pzZjcQBI1ldePQmRZMQgonekUaje +wWy1hp9o+7qJ8yFkkaLTplbZjQtcwfI7cGqpogQmsIzuxCKxb1ze/jed/ApEj8RD +6+RO/qa3R4EGKlSW7FZH20oEDLyFyeOAmSbZ8cqPny6m8egP5naXwWka4aYelObn +5VY6OdX2CJQUuIq8lXue8wOAPpkPB61JnVjQqaUAEQEAAYkCNgQoAQgAIBYhBPiM +/t7/KaW02VI4ZOJdmu0Fk7NKBQJaqVa3Ah0CAAoJEOJdmu0Fk7NK8WMP/R+T//rW +QeuXMlV+l8bHKcbBGWBvvMV5XcsJKDxtzrclPJLqfuBXSDTwqlirXXqlEeI613kE +UWG0b0Ny0K87g9CnkbsJiizGtyQJp2HuMnjRivTd/1V30ACCaK01nbu1/sdOk6Y4 +Cimv+mGEgzjcXVXs72p+qqhDEaMgf1GYjDrzVHUnKUNIU8QOG2HRVhpP27bOg9Ao +a9Exdo04w3dXxso3KGeVkEE8dN0rKmHQ67jcCqKogzNlsIujbJkgRbwk/e3BgDWX +ifQSMW4SAAl/PVP7z3h6QoLcYSddOMMYwqP5Oqe4obBaKgVrn705s/Z0pW5nEzFg 
+38hEoJe+CCXjPl0zjHKQGzhwR/MLWvMf6jO06uvASiJuU/hefVCCek9b5SLn+IPU +J+uLh57F1I7O4ohPWY9+sbrpibx2pcSmcefVMwX/iSt6RNlBITYVQLGN8+/0gcRz +3jGf7m+M8Y7KYrmFxtwPsFejygDr6VVvoUarPPnJSzP+UdPqzUCcxdnV7Ub4QMRl +wUyvnwgnpn0xOsZ/Pdh5gOC06Yrkjbr12DWIpUxy/9z/QR2TeImi02trRKpCh9xw +0bKlsWBt1oUnNnQjnMUB9tmWsF1I6DrO/FUcB+5d7iy+MnPB1LIKS8JokODWIrOq +dg763UZfGbp4EbLlO1vcwIdKC6AGoS6hoyPUiQRyBBgBCAAmFiEE+Iz+3v8ppbTZ +Ujhk4l2a7QWTs0oFAlqUFisCGwIFCQHhM4ACQAkQ4l2a7QWTs0rBdCAEGQEIAB0W +IQQeEA3Xpnem+aUyyfm1HeN3Bk1ULQUCWpQWKwAKCRC1HeN3Bk1ULe4hD/0XLBuo +inLaN2wVQpbjeIEG9Shbaax+BmsuufjiVgNxKEkBg4q6/miCpdpjYmcvv7nNG5uK +zuQ/fnLzgldiVS0G+0BVBelF1FlT85xaI/enIrsvTauGEsfie7/ljrkV//0MFqdB +ZnM680JDVbvl8f2RDBACmz3PoJr8kg3PZwvb028effeTqhZ8zA5ZW5rum0Cn6dOb +v3OrCyQw/aoUvjH65j3T+fr17Em5dYaxNShFxoMBKxSsr+V4opwGEzBRxuoLrzAl +/LcazNAL/CLj+7JBxFj4FL5fB7VQcBEBDFBwg0ropojUeqT8Y2oyygnwLHc4otwV +TNxezToTFucnIq87IAqpTdEe3dHXx1CRJAyIeXxh6j+rYpidiL4CegIczva/xE+P +CqKV1qsGPysD301pXEYy4W1nLuST1tu/xbZCIJdqUwOxsVN5D9UVsFEr4Szfq0QC +14UQzMeXJSdXE2Z1TAnl7381AUC8LoRp55BH5Jih/zrUT1+HrzwdWBZdBJc04f5I +RiZqhZ8Goso5Ki6yFGCEXuitQUyWS0OWkZTX4m2rNIiPMw8PVweQ+yeqwaAapfm7 +JX4l3Wa9fRpwK8LLV5/iaXti7IEla51lCCHRn+yM+0XcYI//53qQXVobcaC8Z9uy +LfJCjCtETknO2/uGL+kNyoZ4ykMfIhqOaxZWnqfzD/4kHM+EB4Yuti1kxFmSdnjp +MLEOXNFRoJcvPL7kw6ZMQaWZ96UOdlcL2GiHWAyYThsSjWez+kZ60GuDL+JwfQaR +InavuacP3Dw2eg8/W5XAT/G2EEmA4wuDMXZ07aPa3nJPdlCMcwxQLyHb6ZgModxZ +IHXaX/JEylapdh0j4sQf5P8OvK2Qq212OVuIaZPnjloQDeJqJTzP9iGDaJ3Ne6gM +n6nZ3ZIK1qtJc9WxRtjIOLS2ZdMSB5JWb1gE4nEkvDChbWKfeMpv5ox8G6HJe9Xk +sygGj876vmyAHDwl8zsYMvWeFZONxsahKpDFjXKMcnIpV8ZPfaCT4r4G6x4Qil8u +A1iwCKXo4d+uq3qrRKyhGOE+B+H/5QCGmmfAXhBVsR2aUldK0kx/IVi7HJD1aBRF +k+cpC0+vMw4O4f4qXzm2z5qWHftcB/EBhN+h4+IIDSE+wEtz9OdEpXXbPZ1sd7eS +8K4OjjliG2meTQE/wvn1BNtJVJ2rGQX6moCGx/1FYdLXLROv6hOnBslMVHFRbe+9 +OmTFXEDlb6Nh/08PwYdyqk4qXddebALpC0TmyEty8QnjEmL1IhDtMTDVlj/33imb +L0waKqGJ5U3s2fA8VaDZQWL6U/c71xtuVFt6trS4rnsoBzlILPfC1n2wpPvKPEHL +avOKXgf6jXnmSzi5GbnBgbkCDQRaqVbRARAA0R+Z6SrbAI5b8m/j+Q3yc2tc5wDB 
+i7Hly0SW95ydLkKGaGvHhpLrBM5WwKdtQzF45A9tlyu6iGys5HWPRW3BqMpZrcv8 ++2QHyoI2lYM/b0ioai2gSZB+lao955iJyBQ8c+pLSybxwcdaXTb6iBLGReCYXlrL +QL6H+NYw338x8bhRvaDanPQis81GzxtSZgRjtZbAGSvOgq25A3oCTF45O8cfBz+I +FxNaziS7x6lXuqOatv5n3HzffGOz3q1baKsxMRVGx3PdAI/LvRRd9SeBeTpFZQYY +ujCC5K8ds7yxB39Hel5llKnoXLHNm/wLGukXY+PtJVzhtBDL0X3o6OUfsb9tPzwM +oMyA8gRXf94nw2XRT8MMrjGChB7Clfq9AFP3e44D3MaVWbEGOWNG9rQ5s72dk7dF +K416D5cc+BQ8mvllYzZ8gzOgYKnlfVmhqVDAIkFz601+lLRUdK4pD0t1BCmlINSY +EKQNmp0NCSNVCbWWscKvTjboqb76oH/hjnIDqh3GeGdnIJ8vGwUdNN2NBA0rrK8o ++lD1Kc+e6Whe5xORc5krUZYtDCwW6ylRb118rmrHsojxoTH/kGr2IB0po59LT01l +M6KjLfGWrz76jJZmDLQ2gDBZNjuqDV+raHaKpVgUlbTHvmVvumBCm50Haz5w2vbM +txDxVhxU1FdYY00AEQEAAYkCNgQoAQgAIBYhBPiM/t7/KaW02VI4ZOJdmu0Fk7NK +BQJbq1h6Ah0CAAoJEOJdmu0Fk7NKGuAP/0LeLoKVOI8GRiU25bBek4mElKV5YNwU +8QMf75VPnRxklMFGkrPDuVCHVIsOUGo7jF4EHfH8ACgXNsFx8v9pMgsvk4WvfxbY +hepoNNOF/PLsPc125Z3hNq3uJsAMEpijNt8pNXgMvYj6mUKRGuMcIm1KLlczknwU +vtAIWSV+qqpCUL2miVPzp7Y8lexUeB1dsxAiF4btZIJ2i53S72kPMqwLzHdrPxDt +TiIweNz/T5K+C19MDAZ9AVp5qTcPWhQMDnNz3bY/4B2NcAwPJTCRxt7Ne5Ufxpll +3D92jwKZxREBdBPlRq/Qr4JEm4VXOw4QLFoU/WOyRBd4q4aNeFR00J5unZ2zcQ/E +ZL5OvHmkZ2Xl27Cuky1dAnT6hdadjMgWfQB/giXfP8Tu0Qpi7ISv5fEyUh70RpKr +SPdbUIR92IR8Qu862SSZsn7KoywUb2lFYzj6N9c1XORBexgRQgGAMdcT0REXyyS0 +bl+9aBRntiw00FkEe7V1+EOLTi40bbddLC0Oatxa35lYg38VYmnhHCrkUl3iCLa/ +AlhZmUGXSwmACNRzVRzFPAZMjdql+SEIF0XLYe96sb5twX2aztemy0GMU0ybK3pH +eYrpccUsPRPiHvT4k5TqAA+D1Y1WDjEhidPCbYeyThhAu+lfJiSVn2ex8ESByA/c +/QqOMREjkWlwiQRyBBgBCAAmFiEE+Iz+3v8ppbTZUjhk4l2a7QWTs0oFAlqpVtEC +GwIFCQHhM4ACQAkQ4l2a7QWTs0rBdCAEGQEIAB0WIQSmIfHalsk8Y5UGgy1gNEOh +0PxJjAUCWqlW0QAKCRBgNEOh0PxJjFXaD/0cyALbk6YivbqAMCMXnfBFj5kOoG5T +EGC7quviOVI+U5yNyFzqJtayfaxX3EsF9IjZR4cW58gdcQALS/gGAukexDigoYUz +2h1q2r4zr5pxbj+ez9+fftNDpwp7CmuaB5bzVh1bu8gwVJf4yaSsGubBIgfaysB0 +Mzc4eJqIpDFMRQvSOOv7TgzXqAsXQuphoqkB5RuiKtKeugv4qofH5fuM3C/Y4QZ8 +edQlTA41KOay1a76xAK85a8qMCjVQVCrepo5+LYXwZAryp4WKIbTSbUNRr5GGgSa +UWBe0/Rz5eqOL3r1YV1WzttWgBLzZUZJqvaYoWtfJGwjxDAFebE+meqtLIh/IDEu 
+Tc4D3Vge6kCI1jjNDKMZQYf6j1rybKPVzOgkxjCyRcgUI8Y904l9LZ3/BiRV8dY4 +nBjWmCYVJPlAVzfDxFwF+A2kKInskPriiYJpFX8MVjy/6GfkJTtMZo1bovSDZZ0n +2MbQ+V3mftV8GkL+RPU5xQ79dPx6Ki81Dh31/T0d8FkEpWLbDy3gc1qgvRWcp6bC +uS1Rg0pf7+ftRYDEW7BBOBzmqfNljolHMWPeZT/1sCs7PmDS+kErZARFm0huMljt +8MNx50KljIVGDUbjOmDaOopTqKFhho/UTTe1Kho3iwTIYIgrzfuCT7t2k0Wx+/NI +y6BcGlPHU/R95gl0D/4yrId19rW5h425bWYmKZ6Ilh+H1zipl5OS0iEllmm4sLcp +Mub2+B+YFU3/EvbF0zkCny2HXy2gyZLhbvNm6Zr4FPW/xfaEnB4OXOOnUbA4+RNf +7bTngPXwhaxN+wQti+Uo0LcwKAU5KIBC9KcT46NirakEu5+5XaU2r+lsa7hlJWfb +17e4tmcOB4QfMTsJu+4DcWJqu+cdtm2N4VcorJCvfw/EffnGaGK0mwRvJp7CZiWi +Vc3T70fH+Rbv6NrgJEFV90XuoetQROwqjBEdbL8iNcuvjWO8j8NSlRKrV+UivP+w +yDf0UCQoMTnFshBM0ZnW+8i/jqsg3kKxs7xuxCZVMfwxzkNb6h/YlbqjRR/hFZ56 +Chf1guaCfYJn0vCtdTLWimasemZfcKX7oE9EIbrs8FZcd89FkU0wgrJRscoUAiVP +mbkklT9AvTy7Gp4CCMS8Z22r3Q0d3GgIvFNhakLyDzBKPBf+vJyQEx9SdFIM/Kjv +4grCEjQNrWXXsh8ecurhciHPuiykffmMYyWUzdcc0pQyyyhoYiGbmflGIKx/6M9D +OOW2Q4k7ogubPRLZ/nabZnxJdIbi8WVXgSI2JCuO3+i9dpW+Q9s8F5mPht1QmQnI +ZrA5R/pLRP2oE9x9LDvUPLkQdLIB9RRyTw6D5A1UOI4TuLPOhFpcXqNODjJcO7kC +DQRbq1i2ARAApdwHI9mdWuHcct2tCY4uRFR9m0CliX2vJ3ZOHBmo1wS3HBv0BkAv +zmQwOE5xMDk6i9aN/w6fYii0s1Pfj2cwLz8Iw93icnInk7WGU2KoryWM9+KNGIA+ +XOtyobwTh4BHY5ggeYDkdOs7Nrlj1FTlj428NaevU75Cm9xQm6aAZnZZtjSDBTWw +BuSXfFa70kiZzpwKMP/jB8ylWdA74VzkCFfYcdwJHzzrcDS64VRqNhWM/vRFJmLP +wN4MHkAE5RDb4cjGAwkwmZQuDzuk2O9oOukxKd7v/ZUmql4k0qDxi3M9dC3SJJ+O +fVPRlyZ74UVlspgjr5zxSBCerj/aDbVSWWr6JjgeRTQdg6WKhO0+mfmttiANxv/a +fBMDaxys9ee5sJL+WHP62fucD8ukmMEVM0P971U/JBfV8r8VRpy+OENgt6ynJ9dV +4YCdOT2xo42YwkBCYcVOF6iY2YqFd3oDSZARqEk4vr+A2/eNDU37+OBWr8E1pfO7 +H6FW4/tVRxYjywat6743e0VTjNbwPGmOFBGc0VuwCJzRsY5dwIi9hlXDGwfNpgzd +tB+ON4BEY4f8ooSYCfHa9G2HeXj/+txxN6Km8Oh8OnQpyfJ6POQQVXX+bUG1W8EC +jNBdoi6m00ZqNVtDsNbdKdWTYYhKtgPUOreGmF75k+LLjiqO4jIE1E0AEQEAAYkE +cgQYAQgAJhYhBPiM/t7/KaW02VI4ZOJdmu0Fk7NKBQJbq1i2AhsCBQkB4TOAAkAJ +EOJdmu0Fk7NKwXQgBBkBCAAdFiEEYozCEpOAZdq047lJqKvwBYluOU8FAlurWLYA +CgkQqKvwBYluOU9wWBAApKMHrxbOqWa0gij3ODcvzpky76y1YWG45iroC55B56X0 
+XslUpHJno7vTLobV5aJDeXlgaYD2ptn53wW31fTZL/1P0lkyIu30OwYwLvOxaFjT +rsVPCwTz80h6TzsaShFiKirZJhPg5UzC0xfmM4aaQGsoC/Z5pOTyfrYrXgbQPNUJ +f8zagYqpo0WZoG2R2cNwH5VzlJAv/JBB0SdMVgBS7bUXP1eudqn1gmZxw6GUEGU5 +5tj4X72ceYHiA+MMlKWsvpwJD9iRsl3yuzcBi8yOA0/jSrXu+5BLGaAAXMyMKETg ++e1ierxZ64yoV+AU6xcKykVzThxG5SoH6NiXsCs0XBOpWxQjfJ4MAeWLfTRMf805 +2OSzRsIf1/p2byyTbuApshp//O9c+jbPgEvG7G4VeQdBROY2/46+XR7Q0BrDMom9 +Bmk93SSbG9oubYKKALrjJaPIzTieLM3t2zLKZ/RJ6JARYDd6+BMdVNs9QS6Hkwq1 +4lIDxz9jqenAXSpnK8fKg2xxzz/UFhoThlY/wlrWP+Sa4FQl1lorcz6Xid+yNoxF +CZw+iWx7FMng0QDM9rtyhAbFkm7JFnDuojVFeNTdTUy+siAZB0cFdP84BkcYugvx +WGM8uYydVOrPlI/nzGomgljIqgzvJm+Crun8eYggmItY53U6xDJmQT7Xrtk7YCa+ +0Q/+PRuDorQauvB53mfynLywqxn3h/NyegDrlyq+5Nqsjm3nq0umUSG4/kXMwALy +0h6boyGWR/rkHnLOE1gLQ6fSlpcN8YHtsW6+czpkVH1b+wws/RPg49muTADHeYeM +n5eC0aVrUq7D7IVH+UGILDWJuzq2b+jO/IpXd9kIPlwY/2PFIjwfoSd7W+pjgVXh +6Z+xtWE5mVXnSfxPIXxv/cNd9LtYyT9R6RN7Xu+3hJz/BRp6MUANbdErYD36zERz +GKUO2eJVbOJReevXb24SZzIJkpBF2qwI5dEl8yk12YpGCu75XtFRux3cVhDpdQsx ++/RZGV7Id1X55s4/LiqF5PSEFTB4kZpiY+meq3sKOPT+Ra9BLeur8yo7ftMK13WB +BL2e/mzwfw+s2x1sjWRCuc5KbnK2yTY9ske2hdtAPmVJTDXBO3JWfZj5xKuuc3mp +q7OEd9+gKTiW4PyZfxQIzwXi9BJ6R3+ax7WYR0bi7Gll0910RNFV3MOiLhupIS0Y +BuipB6OgQNFUSjB6vammTd3R+98jIrtWyRDHPmdtgRcK86EbRpj6MHd7rATkdG+S +D0+DXGwfuWIeq2OA+P6lHWEmjlepFSEBS72P5jmpbRtNd+aHN23VesPI/WBQkfBU +4Tu51CGRd4KZk5ugFZ5YqjaM3m70od1zrsdq+BCNsfzuJqW5Ag0EXZHfzAEQALaX +xQvhNPHFx5PiroyTkEX95SsFuoMVnkXHfjEsBKStVJ6ZEF6t1PV/q+Kj+rQB25up +11tfQdElG8Elw46tsvlfWt4uVsdcttUWNHSsygwfmZbQxBVt+nlWXMaC3/124KP4 +ewOn6YAw9biL+cioV0L0fSw1bnUv9LtUZS0h+KuyQ1KFFv015z9uC2LLT/v0XP6S +8AW9LNrKNI7q6XOW5JpJWSOLGpc6eS5F2T/eplpjxUr1Ua6PSH+g0LJSppbCqIf7 +lNaRCVSSTD2gxCRw1MwWPKqYnseXoilcQe+Zv/wW9k0wyj9ekfkca6mCqBGhe88D +SqBZVaOfCRNNW1AdsTtIJcW9U1e0WFQIVMCADdLyze7ktTHIc8+/vsVM20/8eMEG +MSspehWgJOEgNDhPTAHyolfa6z/U/lOvtTMkhO5L6XrIwSDaKvYHqVuRiOoPXYey +Qfe+PAGszbM9+JH2j3JywKb7RuK5MUL5PBfUGgHseikK2697ix7z2theIjiAO0sm +/JkLC2Q3zKxQL3szkO70xWB5L2yajifNtvncqqPUvq6aFkxcJ1H4DXoDpdytKBt8 
+KtcjJcwPBrw7zMQ+bFXRdTDbtDGZxc0AhhfvboC0NtxzpTi0E2z4gY3YGjseJs6h +BW4d875PKG8oBsMMNIqjIuldB0vTQQmh45D/DDG9ABEBAAGJBHIEGAEIACYWIQT4 +jP7e/ymltNlSOGTiXZrtBZOzSgUCXZHfzAIbAgUJAeEzgAJACRDiXZrtBZOzSsF0 +IAQZAQgAHRYhBMj+hTEBIuYmdT2wzzvCD/ivnPGvBQJdkd/MAAoJEDvCD/ivnPGv +9UcP/2s31nMRdyXYAL14xiU5L4lQP2Rsr2BvcsdeCn/ZjK4e5tv52sOAYKkk7yhH +2Egxss+liM70Tg3XWnTfmrxgM1uY64Pvx5G9qlLoDzXElEAHWlIkyV5bj/SUHS3c +B2nuZjZEpDgXGYWQaHV5We0QepvV3e3sv9saOcQN5ihlGnr+MlEOxNQbAnOMamWj +S2ztMakfo/kEH2OuZcikgmT5d2RjQooamgKQXKyVOzOlxYV0L5sGZLSK0DFV3KTI +Qs/ccfr8MLv902If/mLF62lz5ba24p2wUtM+vrp9EaXWExTYR9WTcYBPM8tG7txF +q8mopL7siu/fU/XPUitWjSi6ZDX6RFljESjdR3xs7CwI/DErEak2T8Y3/inAHnGM +HB5amPkqv2LyeEEQ7ZhIjmA4mWgbTsPiQet+qY+GqSKlSIGoJv4KZKBmBKFW6PK6 +xZpWioGj+BLqtduHc0yPf0fW6FDaI57IHMZD8kVXw9dZpn14wExfeYsoptHXRecH +1ouSWd4/IK6PJRWzoAiOu481IREkDml3Rlhqj6UUr5+eseQ6SFWdFo3KlfC+7O5K +VsAmEx99bj/9w0NLr2lHw2uEAPTdpDVUWh0hURxCu4uyEVsCdUmNklVAz9t/zqKV +a8A/MMYxaytsw5e+QftTKPlTBsCJkJo1qypcQDe78OdUIecYABUQAJIDOIV19WSK +ruQW2ICZdMI/6BbGzrKMvxbJnzdC7PMnJbXDEqzsGMMYziK3Qhf/zi4SpUEP/RRe +qJJjzzguFYEtP21/ugXFX0/4uWBkGGkPcSmqtanixg1LefJIlw6g1ZWeteU7x68d +dNyyEC+BP7HaVHX1mCfhkPiPH3zvTa07boOJhsaYWOGyc16RtVlJSJXxgTEY2SJD +JwtnSf5ujVOfIsOGQVshB95BZdGCYIru+n7YSD0ghcm6az0Dnwr6sscQLYOpwb/O +mTp8P7lG9aEqbzSPDtVhWrrbIp+jibgTzGu+jqMFFpBSTcD6F3ClAOkmFpj6UHLn +LnFWBs7rbznZVB1D1EM83ETnE9gc4C3n2OL08kAKHQ1RWDQcG3rU7evgxf0kBFdA +tgn4tIU2qlyR9MG2hy7wsXA9oR9/CndX+NJrkYSQxiRT9OWi85WBIV6LqkdypE3O +fbofQWtv8IuFfAv/a8Ah/38hXn2N1KcVm4IbrNeKjrlmVIhVSkHjVQcX5iw/tPuX +rTqi0XMNnnf0GneaTTVSI1wTa66Ha9SY+MsWKEK7aBI6S+ecpSG7oRhsV7yvzXPQ +ul9QP/O4K8SmteNujH88+sfj62+0qJeHnxAgMo62VXR9L7a0zSPIQJXpNun6BJn6 +HKbWRxot9GQuVdS+tRnE8fZulLeBvixyuQINBF9I4E0BEADd8vDObd3EctBbBMFc +8BPjuEgnfC4c+EltYEm69EZvhVh3jtWtSBrTS9AaT+7+Dt2LphDal0Z1u753R6vL +PVIVt01983cWOP8+tEG8Kj7ghfMV3hBJmYyK8Zumh37L7C9ye/JHUDyePmaDJuCb +DSwKR6H7UXlAjnmP4gmSLnmAZXBEQX1E3AgZy9qMehRc/F4ZZQlU3bSreyNJCm1F +3/FNhQRmsUDv4fHcYnWSwbl8OGqmRfCAj+bzWt998zjapvcwEe/OZfqXgdJ9ZWJc 
+g8nirp0iwP5bKtC6UTZk5mU6+BukZ4oKhtwlX3/OuHDfshy4+QiSUL3aZhOAVGlx +n0ZU2ERYFqef2x4+THRj9+Y4pSLNbapSHQgSj7kPupS7txtQnJzm+GxkmbbiwgtZ +91Dtv6k5hycPiiCV+UfwvnKEA7lGHHkGCdLS/zWBDb8Iq6RwSOrfFlHG8ihR94zK +rUEYUzrZQa9aCP1aWdrdcr/RejDgNREq+eR3x0OvPqKQRse/NtstvQDzALbztYgR +7ObQMNrK7F+ba1uF9m3fZFi7l79xFT8kvFOzyBmCdVyxqRrbEmC0svG4x3SUMBEn +dvNTjnQMId1WYvEkLldp3Waj0Zca2Yf86oWROLW39xVphTH8MouE97fvCNIKzKD9 +L7xF5TJrw02JHW5lR+4rGI8HMwARAQABiQRyBBgBCAAmFiEE+Iz+3v8ppbTZUjhk +4l2a7QWTs0oFAl9I4E0CGwIFCQHhM4ACQAkQ4l2a7QWTs0rBdCAEGQEIAB0WIQR4 +KzvJ8Qz2OKXc9RBbKRDL/L6rkQUCX0jgTQAKCRBbKRDL/L6rkVMzEACYgX7Yk6hh +Qp9BW27lwN0dJJ8+8l73SNFoco5nIcLnXZHiLFXygxXe6WJbEV2QXjp9gvFhtvYt +ijx1RObW8qSnUzSPzYOIo/iYzpe1GgoHmKabF9vD8J3NbLTpt+px2ssIsn/s25fb +gALBuXbtEx9viPIgpQz3s6LafGO4oPUQr0Q2rTyFdK3ib3X44A36KCh790+Rsqhz +jgUWAm6LyXgW/QpjFel8QmnVgVmFJWEMttgDWvUtWlgMO+BgS958dDk1L/s9bQc+ +xqsIav2kvdt9c8/3+xOhC/bp5aa0NYGcdYSsOAMVofbG34dntV3/HKUnvCRnZd9T +2n+s7P1kDnnJTOiVsw9ThF/dvU7zUj4SYvqtYUrwWfd+4xzzXIWISiauZBtx8HOH +/Wi2li1gLkY1caYRzuJJphFY2bgSeZJQw9sjStVh49yOT9DdT4rNZoTS1HXjLSws +YdLCYM7I8p3d6qMucqZhJ/usDH5pCSW/j92hHyl3P9M7fCUN2dVIg0OseVY9d8XF +UnGdwFpbIaXmBbb3blo47CE68U1MUTSegitkJLQPM0YWmK+5+NI+Yh9HynepbAaq +IVOzjoIMS2wshy4Yxg2zMTj4bWgJ2PhFGtqA4Ia7KP33Qj/iVl6JKEq6axhI7nZu +8ofvuE7W5JudWR8KKraR9ULU7AEtiU9mask7D/9Y6PgP5rMp6+2uYYxBsc1is9dW +XqdAVHEUSLroBRaqq3ywi/WsBOZR47J/k1xHeCPiGUot0tlHSKy84danVxFnSZm1 +8QtD6UEDgq0tWNrOSPG6tu+2I/Ma8FGrs6gWZxyVKu3G1HgnZ8gg0NzA5vATa5Kv +stN3wCtzAU2NqrvP2T4mWeakXmDe61O696h101WfOazGC5NDjWDdTHQLdYdxPzr7 +yDinIBNPwBX9NEmjxS1x/QtMfMzE4hp8AZwEjgnYDWxiG4yFPdfEVlKgy3TxC68l +VoGyrl3gbTSdXqj+gPHjeVpZviB11WZcEuMdjhKwILS5l4u/gZR1Akw5wPPc4g1O +71M+qy8wivBs107Yzvin3BqnVjO+ZZ0Wm0HOg/bLYo+7zbWdq/C2PTJdCbKRWa0I +hpZca59g7ANOc8ycEg7NVFsLwLeWwBwGRMkqQ8ciS6EOXY6VdkGbtZCC8r1SXdgh +rkvnyXftWOnv/RmQzOchr1wwo2+D9VEu6EhCYBlRTKXZp9FZIF/y4n8eJt4YxaPN +EoJhXjTMWaFJ4/BHSwgyQDa/LfTik5xZnk3zJb1XW8qQzCYvMkwjxil72kl60l9f +C38qY4FLQmyjl5vQ3lgACKffbJJ9ujNgMkbNZgOX3dEGr6p0CzMFxLOavvG4a9nu 
+ImM5rbOC6ZJdwLUTArkCDQRhEoRvARAArCO3OaYvwccaRumfHLqVyhEKNpeRG31Q +MrR2QF/gncdpPama8f4sVqY7EJYgT4/zgoTP3mTSNNETj1KzcA+ZhJhzv548JWwt +jokyFp5POXEq0PbTZ1Zg4/2Gn9QVxWa+dIstK6r2H+jz0oazB5sahf+BlAVH6+1n +9YFq3utQ/xvkZk+R3qxNdAIDcLKFVUM6Z56fJSnl6Sx2PmJAM2MqZ2oJtfFpa9T/ +xv3Nsb0h4b/WvkM8vVpHqnSYdALlQMlho+lM/c/HiFyr4M8tGm3+SMW2TSP4zEe9 +SEOcfvLHRTpWDebaoMJ9sUU4aLNWswpnQ+YsEcmFvUTtcH6DpHOX3MDL+ol+Uy6I +pc/ASp+7/pRgO0lqm27lzzNoBp0qdA2J2fgnET+z3HDx3MyliQsaCDf2e25pikLe +JbtAh362peGWz5GkzqEi0kkbRRftjWLRNSosFEBQPx72jcdh312O3zcBk2q/oiAv +tbzCUTWohVeL4lXxVMEeey/BLH+/KCyBR9TD/lPi1Hddd6Orrj5kjjWnUeqXPnSO +RfPwI/zdQM1hECHP1gHp+lLNR0d64vZDN+A3L8YbD6N4qic6fJUXe/VFU7zHOTkb +QitV6QkhifsJnYrOQbJ4pVVKgU6zvOy4vsSTLUqShvKkzHGbbtyR1zsLGS6nwrHD +NeWZfEBgKVsAEQEAAYkEcgQYAQgAJhYhBPiM/t7/KaW02VI4ZOJdmu0Fk7NKBQJh +EoRvAhsCBQkB4TOAAkAJEOJdmu0Fk7NKwXQgBBkBCAAdFiEEhYpWD5fJrrIuwccy +lh3d1SUNSkIFAmEShG8ACgkQlh3d1SUNSkKoURAAn96VKV6sP9fkMzmf1mdQIfx9 +L++Yy+ZkGi3ZEGnnsPureu9EhaVmIuhhlCJHhgK3T4xqx8Pmn+xKLrnq2/V/xXqt +HwLsgv+aex+9PnIXITDmXbsoFblt4FDz+mNhiBqXueKc95J5jsdib38nH+qA7v7b +I5D5VrDYtgEc13KGOtRMeVF/iul/hMF8JJZUL/oQaTtUtk+5w5cmCyGucPj2Ivyd +el9SLHCZqSc4BHYrHZAUy2IWB9u1y15j82HezcJcxpg355PaG5EnYaDY1wo+ZqMx +ZvmZB2mUcDh9IKLTngbex0MmCoEr1qBcFrOvp5iZkGl0xmySGlWfAKKDLLL/hfEU +ahjiFyA4DEooCGR2sPWUgNrEnVANJEBfq1azbouroRfdiSYBv/lqJGJwahPo4NCu ++kbyERBqYWvAKegjuGy0+rvTicFfaDx824Kt10aDxt56Hqd6/AvQeC+XFSfijpUr +voPO8pPlwyUEzkxD9h0WbKWTDe3tdP9dILr3jTcBLvJLsUPQ5mrsU7ccB5OtpdOt +NhIWzjr9jqBvRYm5xoOFh0ox5R0909IIRhwNbQqLDIi/xknK4LBwH1VDnWzc6LtZ +LHjG0+9mQ5rqXnDotxbsYgJzqab4/lMsiwD7RynzGY4r6bBinOGU6FEST6I2f/TU +TyRYTcyieT0mwBVJaJBK4Q/9EkVthCy8DLt6D3ZGTRED1Kw8j8+4X2ColntFjHzf +x1pk8GOAcdOlEQFAzmaexQPfSKZtSXl5BxXkCjFJsXt37BQSgVuYcP5wZgyItlCk +anDKWUN69AYFJEsaGPwENaYvnqsnisWqdYLoxkC1GsTaaVSsDi+eDPyGqmCmUnBh +FDzA673kf/mUj+FHRsioncJFwln23Ml4UgGGorpz1DeSHqD0Qp4xwYMNTf8sBHmq +BtJdFr4en0ajT9QlxADm4uReJMZeQ2LNtDj52UGWO1tcqSQFLhNmPzpMxJ1tjRcl +McNTzxH9afCj6kd+1Lo3kvnqylUk9S3Hrguj9kp6cMYliVEMmmRs6pQdpcUnCtjx 
+SJi/nIzHqZihlAzBn50X+Euare91mKbrmgFc/mvBfbIwILD7ZB+AKAZDLhLSmjlO +4FSPe6TINjbpNC4aj/sEvShdL2UABOWKP9qG/XIxQCWY9zrvq/AjSlwjrT9ybon9 +Up4P4Y0iST50ruicfF5C63NjZAg0cHtk8wf8uwoqedH0yiHJpWaSDKIH146r8USn +yr23wLqJv4jzqZyw5/qSpp6pYQ5LMenZLL5AcXwMFHo9w3csh/LCjHxESdS7Jlh6 +SXrvlKGv1V62GtLZE2SqveYjZN1Av8Pa4S1OYfqN262rDUi0vIYvvVYTeuAW8W74 +1b25Ag0EYvTakgEQAJW0+3yvZLYH3v7iT/1FMX0zxDaWKZOBC0H3JsMxKtrM7WA5 +0cnyMRqUoqBdH3ktgUBphFvyY4dmAHuwAjRwe160s77fXR2Y3XcWC5NRkeNUgIp9 +ghcN5dakkOuogxUCueQKDnB0zeSltvNkVcnRKWYbRhsy7NoEu4r7iQ2KtLCWhlRF +A84kgmYfRRRCH5ngL/eKbE9cp/v1y5N4xYosJqx6RhajfsWHstH4g38CflSB/dHh +9tDPvQ/QygCuS7ENS59JDmy2pTuL5bfdTGj8mYhV3O+bVgwMXDz5bDGAqnNIzgMp +WmAxiRUnYVBWFgoHfdiZFQ3YjgTCC86CG/8keszlyqsOQhpe3qOL4Syq3mtsEkKv +EJ8/jglN5tlGro79/tm6HGNBomGB8lqo80DDycW4LMGCenS/24we8KGOX946rwPF +j7y5FHFHouyCREqIEX+WUU2RHioMLENxbdF6QYo3yz9b3U+UMyflhgOP5KAlJI4U +enP1r6eagEyYO4I12sjlJYcINeP2k5NXwZCT8LIGblRXnWXDJF5coFd+pAl0c2o9 +lEh8WZv/wvQ44dfz0dyY3aZgYm0lro5xjtnNW/V/sJLcLSC8TIj7smHRJC07pxVK ++2u1x7sl2VzpNuGNnsqmNHj9oyQyBkwj8/Ne7PmFYkovV715PjAADtBG+OflABEB +AAGJBHIEGAEIACYWIQT4jP7e/ymltNlSOGTiXZrtBZOzSgUCYvTakgIbAgUJAeEz +gAJACRDiXZrtBZOzSsF0IAQZAQgAHRYhBI1tp4U8/hse00btDe299BEmfslUBQJi +9NqSAAoJEO299BEmfslUF4IP/0mOsYR+W+BNBB1tUjYGHyA2NOblXu6zmVNCCDFc +kayM+8NH6AbYpLO3TiM55JmeukRCM3se2Zvf/wr2Ks5ywDAXvdYxw38ueUJmnKSx +yz/2yk4CJiYC6mnjvU4Gs7o+4yQQ4wPVSD6IVt1kVccuZEO0c9qTIbOhhIxHjXv6 +1pKY/kLElBHntLPoFZxwDSmtCTpnde8gmOUlg/tI2Ku8w+Sv/c0cGVWwJA/WmRMV +tEvkBhtwgq/OrUkiU59PdUXD7Uuy7Btgh2LuOYaSQR5a4H4/Q6OZzEGrzqWoC946 +x55LtMolg/fhvMTo8siStREfd98KrBEDrryq3Zmv1j88sBoqUjyIF3a779Ktw8vs +Vu9nz+x8Woy+OewBhYtoCbx7FlCtsbSjQkkgZ4t0X4pLH+G1uL28xsoXD8B1Grgc +HXaBvS2pCpSAb7Zx6wSVkQKTm0/GEZSv43C427bywWeHLynoOUYSsY1BLDPwGbOU +bDGB2tzuXysebAaWrmbYfC34ITBEzod/L5Pwh+AvJrOYjvOL81zMKk6Ldt57AjCB +FZOrhqo4UMeFJeEbIywmGRlHg3EYqlrj8uuOu0PIFfDEHzFzdSyPIjNQGbFGmTuk +ksynNf5VbV3j7pEi04qJrA0KwQQY3WDUypu0AllP7WldbxoJYye1KAQOnH/sXfN3 +vGseJ6kP/A1FDR5A/snA51kUalfZ6MbNxSC4RLRhKM0L8ICYl50X3DyJBS5ScakR 
+JTkiaPv6l5RlpUs+R8L0FZ20gNSZIn70D3jFzh29lEGnbf+P2UKQvmr9TUBcZBNA +Nfj2EXdmZAzQu8QEPk7/8PONeszftNYxSjk7UtO+Z9QQzTnipksIQDvIGBuX27a0 +i4a0NgHko0HsxtsfAruAWEXVlWyNtMcNvdozbHkPqr4kvw76we3MIPTSBuZ8DUuf +upatEcblh2VyRIWbzFmvuq7GnAmfynyU9NU+2kjmW6peYX5/c72LKWghsnPCx8xF +k15blEo/kSMKN5vr+ZyiFas7IDJd2xmx1pd2xYvoNBl72ClflvsdMEnqx6Tpdh9B +uvyCrat1qt4F8aKqao8sXbopH7QvDBpqGqgMGLkoPheOXypBvnvoYKL7tOoF4XJL +AFM9PKGECoegwC0Mla15amgkfViUWdCsDy8UsSlPfBdvHdJrhChuPDwZV9GztZjj +NdYVRi1OaxZP24IN7o40VFxvMh12E3HaideLi5MzZxxkXhr8m485b2hgvkuNUjoD +nvFn8rZe8axx9FFhpg7/JvCAik3IxRbusM3WDqmFuBGK33phfD5wAKIWrBwT3iMU +4GnMNmKOMrYCE/edg4eOPFj+wjWw8ZGD8XrnHVI0k8fGOoLvAm/xuQINBGQHFqQB +EACucSUehSi8KixdOc9pYVWBCoqu5V2NlrjbpVVpmPB118fLPaZV4MSB/AnHssWw +XDeO9zWyyLYstN78D/dWcX8Al74JFtBAM0lfgnqE5na8JZYrEivdsjQUO3Cf250G +yXJwpK+CXpAtH6qVrO595exknHKKTv2dfV51UxDXXzYhLznnYHZoTnzpMKUSwqwP +ywdwDVkalpXfFxP43w+gSuX7uOAI/hhX/iRE0drVDy85422FZnncNdigO6JjARn7 +CAoYDcb4K1+zn9WcwzWqV4+yhYDt+yf+o+TLhyF9BarG8cQ1tE4RfaDMZuXp0iKL +itX01mFb0sQ2ZF0YBhQdGaBj/AcfE4e7Sacz9gC93Xd3FaVt0zgsTxMt3Z0dMzAw +9lf7i/aPFFJQLoAZtuYU4hb3S4CG0+l3WPTdW5U276bV5WrTyvibfpNs8mctH4lB +I4jhSkqoPwZ+8gts3XT336P3F2Z/i3cbLmfjbSeAUYRV5BdkozbuWfO6JrZq/BId +KEUMlVi99CJD1fREyMXnr3aROdw7jKhtW5x59Act/ZXB9jixJ5EdxMe5aLeYKNSm +L8I4TXG4DEvbPu/HCHNMlDRoga1CCmVaUEhuJwQaH4PhhlX9M69Bmz42NS8A0Fol +JkiCsCQTQjyzvgXb1Pa0WKUVjPkQIGEUAaQdAGcns9svJQARAQABiQRyBBgBCAAm +FiEE+Iz+3v8ppbTZUjhk4l2a7QWTs0oFAmQHFqQCGwIFCQPCZwACQAkQ4l2a7QWT +s0rBdCAEGQEIAB0WIQTpQm2LZ+Nd9Ha9BIGF98iGiDficQUCZAcWpAAKCRCF98iG +iDficV5MEAClR4UiibpFIYRsbdtPQC/RUIRPbx8naJ8o9h3RqnQKQPgIPkJUS8d9 +vVHQlQ8rhzrzWctOMWHgDRDEojLjXwyYSHRBawJN39D/Fs+D6Nrg9gFkdBmrU2My ++Xia2Wgb+R2qUTnl8sP+d8k8zUC8UoZIX2ksK5yzw3Zwozg6X5Bd70zIru1RJtQd +9ZFDb/PVobWGbqS+saGEDi0Wa7YrmRRA+kQtvMIywX5LFJ5/bSqH3BsJduwmCnJH +84WcxYW6Ntbta7MsnmrDEwfKwmu6d0XgL0mUaOGlt7UoECckZLU/VWh+V9hhSjPi +Dp1IX3ucfmWfsEokN1ePMnl1LWbew7yF5WsNl0/BLVczx99uoYZ6FeW3cy+8PT3q +5Tuc7kjV9oQddJcS+slmlpyuXGH+vXa8WvSDWxPHat1tPhh2QEMGbVFeCw9XhwLu 
+98YC+Hc2BImD9FfL46GMXPmiBJ5S9qqJjb2lGB+Y4lnbus8DavpudumgO2b3p4CH
+eWQYCZY993gcZIiI1/9YMXtXABZ034XoennSq1gzoAxmWGoEk9E/ZNcDLhigW2UN
+D8w/mfBKD729NhGSBlL8LmAxwHe61fnL2Z+yTjVvWfsgMXSsn1U0QYkjgE6rzqDY
+1w29Iduo1QLvcXQj+fVvu0O5zYPeRYV+RHG+l65KmB8Tjomq6FW2tsInD/92KSGF
+0TIk0rOjJA8Zy7Eers21QsTScUrfI3hntzcPpMZzWRBWuyXqf/4350lRTki3hMSx
+YB/eJlwehTmUAkC9E3oUE36PJqpp2mzC2cP68CIOdUtkdOVqzkfeZ54LlaJxgo5y
+BuC9AqUH5OfVNjZps3yygYv2ahIPBMR8JNduUiTAuvXbIENVy58q6/rZjHcKRp8b
+MUX6uWJrIXO5aSAIEljx9DbQoxSbmNJPiriuSKHbhrNPpI4xRlO9gTbaEC0ELKGC
+qw0lA1it1XvbZtP4CHcfJ0hyGvy9yvDH2poMgjkhu7OZdN1qBsBRHIIED/Ijy+tz
+nq7rQvmaDqZavlQbYREHdrjB/sS10Sblfu9h+vIwSx05UwSNGWNiDrvkQDPbVnTh
+R32zsNAlq+f0CEmsgbYPrE/lFwfFS49F2Kmma92qcDiK76Audz/dqz6xPvYQCqra
+a6Sa/uYr9aiaLsZTJ7nQ904KUE+Zwk7gcO32Bl7UO3NvkWlvSqOWGS/75WUgbrD6
+RARo6Xv6c8/OxgizzkboGBrdqqpmbG9PGi+gMrxShYtmZYcpD+dB91oKMC5q2lu6
+IGrEVlky2zd7KvrIE3YMETdYL0Eec/H0Jwuxnp9sr7GkBSUns0IczEK/En/NLcBm
+TkvXzMghTKTbYL9TjbK/CLzOR+5XXCHxXgDGLg==
+=VZfW
+-----END PGP PUBLIC KEY BLOCK-----
+"
+
+DATA_DIR="$1"
+PUBLIC_KEYS_DIR="$2"
+
+GNUPGHOME="${PWD}/gnupg"
+mkdir -p "${GNUPGHOME}"
+chmod 700 "${GNUPGHOME}"
+trap 'rm -rf ${GNUPGHOME}' EXIT
+
+# Setup GnuPG for verifying the image signature
+gpg --batch --quiet --import <<< "${GPG_KEY}"
+
+echo "Verifying files"
+# Check that we have a signature for the files we work on
+test -f "${DATA_DIR}/flatcar_production_update.bin.bz2.sig"
+test -f "${DATA_DIR}/flatcar_production_image.vmlinuz.sig"
+for FILE_PATH in "${DATA_DIR}"/*.sig; do
+ gpg --verify "${FILE_PATH}"
+done
+
+echo "Generating extension payloads"
+shopt -s nullglob
+for EXTENSION_PATH in "${DATA_DIR}/flatcar-"*.raw "${DATA_DIR}/oem-"*.raw; do
+ # Check that we have a signature for the files we work on
+ test -f "${EXTENSION_PATH}".sig
+ OUTPUT_PATH="${EXTENSION_PATH/.raw/.gz}"
+ if [ ! -f "${OUTPUT_PATH}" ]; then
+ echo "Generating ${OUTPUT_PATH}"
+ ./core_sign_update \
+ --image "${EXTENSION_PATH}" \
+ --output "${OUTPUT_PATH}" \
+ --private_keys "${PRIVATE_KEYS}" \
+ --public_keys "${PUBLIC_KEYS_DIR}/flatcar.pub.pem" \
+ --keys_separator "+"
+ else
+ echo "ERROR: Found update payload already: ${OUTPUT_PATH}."
+ exit 1
+ fi
+done
+shopt -u nullglob
+
+echo "Extracting flatcar_production_update.bin.bz2"
+bunzip2 -f -k "${DATA_DIR}/flatcar_production_update.bin.bz2"
+
+echo "Generating generic update payload"
+OUTPUT_PATH="${DATA_DIR}/flatcar_production_update.gz"
+if [ ! -f "${OUTPUT_PATH}" ]; then
+ echo "Update payload not found. Building..."
+ ./core_sign_update \
+ --image "${DATA_DIR}/flatcar_production_update.bin" \
+ --kernel "${DATA_DIR}/flatcar_production_image.vmlinuz" \
+ --output "${OUTPUT_PATH}" \
+ --private_keys "${PRIVATE_KEYS}" \
+ --public_keys "${PUBLIC_KEYS_DIR}/flatcar.pub.pem" \
+ --keys_separator "+"
+else
+ echo "ERROR: Found update payload already: ${OUTPUT_PATH}."
+ exit 1
+fi
+
+echo "Payload generated: ${OUTPUT_PATH}"
From f37db1f3b10f85adfa6d71ef40b61685e25f431b Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Fri, 15 Dec 2023 10:10:28 +0100
Subject: [PATCH 6/9] core_sign_update: use version 2 if only 1 key is provided
Signed-off-by: Mathieu Tortuyaux
---
 core_sign_update | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/core_sign_update b/core_sign_update
index 065b64ad0a7..cce8aad5033 100755
--- a/core_sign_update
+++ b/core_sign_update
@@ -163,8 +163,13 @@ delta_generator --signature_file ${files} --in_file update --out_file update.sig
 i=1
 for key in "${public_keys[@]}"; do
+ version="${i}"
+ if [ ${#public_keys[@]} == 1 ]; then
+ version=2
+ fi
+
 delta_generator \
- --public_key_version "${i}" \
+ --public_key_version "${version}" \
 --public_key "${key}" \
 --in_file update.signed
From b112006fa7b8a0778fd76c2738c300c8191d21f6 Mon Sep 17 00:00:00 2001
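Review bot: `GNUPGHOME="${PWD}/gnupg"` is a plain shell assignment that is never exported, so unless the caller's environment already exports GNUPGHOME, the later `gpg --batch --quiet --import` and `gpg --verify` calls operate on the user's default keyring rather than the fresh directory the script creates and removes; `--verify` would then accept a signature made by any key already in that keyring, not only the Flatcar buildbot key carried in GPG_KEY. Change it to `export GNUPGHOME="${PWD}/gnupg"`, and consider using the otherwise unused `GPG_LONG_ID` to pin the signer (for example by checking the `VALIDSIG` status line emitted with `--status-fd`) rather than relying on keyring contents. The cleanup `trap 'rm -rf ${GNUPGHOME}' EXIT` leaves the expansion unquoted, so a working directory containing whitespace would be split into several rm arguments; `trap 'rm -rf "${GNUPGHOME}"' EXIT` avoids that.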
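Review bot: The new `if [ ${#public_keys[@]} == 1 ]` relies on bash's non-POSIX `==` inside `[` and leaves the count unquoted; `if [ "${#public_keys[@]}" -eq 1 ]; then` is the portable numeric form. The condition does not depend on the loop variable, so it could be evaluated once before `for key in "${public_keys[@]}"; do` instead of on every iteration. Why a lone key should be reported as version 2 is not visible here; a comment such as `# A single public key is presumably the v2 official key, so report it as version 2 rather than index 1 -- confirm against delta_generator` would spare the next reader a trip to the callers. The `for` loop body continues past the hunk.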
From: Mathieu Tortuyaux Date: Fri, 15 Dec 2023 10:12:44 +0100 Subject: [PATCH 7/9] sdk: add download_payloads directly from the flatcar-build-scripts (no modification) Signed-off-by: Mathieu Tortuyaux --- data/download_payloads | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100755 data/download_payloads diff --git a/data/download_payloads b/data/download_payloads new file mode 100755 index 00000000000..f9bcae0f5df --- /dev/null +++ b/data/download_payloads 
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+ echo "Usage: $0 RELEASE_DESCRIPTORS..."
+ echo "Example: $0 alpha:1786.0.0 beta:1781.2.0"
+ echo "Downloads the release update payloads to ARCH-usr/VERSION/ folders."
+ echo "Expected to be run in .../sdk/src/scripts/data/"
+ echo "(usually before entering the chroot and running ./generate_payload data/ARCH-usr/VERSION/ keys/)."
+ exit 1
+fi
+
+if [ "$(basename "${PWD}")" != "data" ] || [ "$(basename "$(readlink -f ..)")" != "scripts" ]; then
+ echo "Expected to be run in .../sdk/src/scripts/data/" >&2
+ exit 1
+fi
+
+# Same as in copy-to-origin.sh and set-symlink.sh
+for TUPLE_COL in "$@"; do
+ IFS=":" read -r -a TUPLE <<< "${TUPLE_COL}"
+ CHANNEL="${TUPLE[0]}"
+ VERSION="${TUPLE[1]}"
+ for ARCH in amd64 arm64; do
+ echo "Downloading ${CHANNEL} ${VERSION} ${ARCH}"
+ rm -rf "${ARCH}-usr/${VERSION}"
+ mkdir -p "${ARCH}-usr/${VERSION}" && cd "${ARCH}-usr/${VERSION}"
+ BASEURL="https://bincache.flatcar-linux.net/images/${ARCH}/${VERSION}/"
+ # Note: Don't replace this with 'mapfile -t array < <(curl)' or 'read -r -a array <<< "$(curl)"' because that has no error checking
+ EXTRA_PAYLOADS=($(curl -H 'Accept: application/json' -fsSL "${BASEURL}" | jq -r ".[].name" | { grep -P '^(oem|flatcar)-.*raw(.sig)?$' || true ; }))
+ wget "${BASEURL}"{flatcar_production_update.bin.bz2,flatcar_production_update.bin.bz2.sig,flatcar_production_image.vmlinuz,flatcar_production_image.vmlinuz.sig}
+ for EXTRA_PAYLOAD in "${EXTRA_PAYLOADS[@]}"; do
+ wget "${BASEURL}${EXTRA_PAYLOAD}"
+ done
+ cd ../..
+ done
+done
+echo "Success"
From ab72a2c2fe0508bd05232716ac9fbdafc163ebb0 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Fri, 15 Dec 2023 11:08:08 +0100
Subject: [PATCH 8/9] generate_payload: handle the downloading of releases
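Review bot: `VERSION="${TUPLE[1]}"` is taken straight from the command line and then used unvalidated in `rm -rf "${ARCH}-usr/${VERSION}"`, in the download URL and in the relative `cd ../..`, so a descriptor whose version part contains path separators would delete and fetch outside the intended per-release directory; `set -u` only catches the case where the version is missing entirely. A check after the read, such as `[[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "bad version: ${VERSION}" >&2; exit 1; }`, matching the `1786.0.0` form the usage text gives, would close that. The unquoted `EXTRA_PAYLOADS=($(...))` also leaves the server-supplied names subject to pathname expansion, since `set -f` is not enabled. As the commit states this file is an unmodified copy of flatcar-build-scripts, these fixes probably belong upstream first.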
Signed-off-by: Mathieu Tortuyaux
---
 generate_payload | 116 +++++++++++++++++++++++++---------------------
 1 file changed, 63 insertions(+), 53 deletions(-)
diff --git a/generate_payload b/generate_payload
index 789a11fccce..39bfddc44a3 100755
--- a/generate_payload
+++ b/generate_payload
@@ -2,11 +2,14 @@
 set -e
-if [ $# -ne 2 ]; then
- echo "usage: ${0} DATA_DIR KEYS_DIR"
+if [ $# -lt 1 ]; then
+ echo "usage: $0 alpha:1786.0.0 beta:1781.2.0"
 exit 1
 fi
+# DOWNLOAD can be set to 1 to download release artifacts automatically.
+DOWNLOAD="${DOWNLOAD:-0}"
+
 if [ -z "${PRIVATE_KEYS}" ]; then
 echo "PRIVATE_KEYS must be set using the URI form (https://www.rfc-editor.org/rfc/rfc7512#section-2.3)"
 echo "or using an absolute or relative path."
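Review bot: The usage text now lists only release descriptors, but the `DOWNLOAD` switch introduced just below it is not mentioned, and judging from the second hunk of this commit the descriptors are only consumed when `DOWNLOAD` is non-zero, so with the default `0` a user who passes them and sees no download gets no hint why. Add a line such as `echo "Set DOWNLOAD=1 to fetch the listed releases into ./data before signing"` to the usage block. `DOWNLOAD="${DOWNLOAD:-0}"` accepts any string and the later test is `!= 0`, so a typo such as `DOWNLOAD=o` silently enables downloading; comparing against `1` would be stricter.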
@@ -361,63 +364,70 @@ TkvXzMghTKTbYL9TjbK/CLzOR+5XXCHxXgDGLg==
 -----END PGP PUBLIC KEY BLOCK-----
 "
-DATA_DIR="$1"
-PUBLIC_KEYS_DIR="$2"
-
 GNUPGHOME="${PWD}/gnupg"
 mkdir -p "${GNUPGHOME}"
 chmod 700 "${GNUPGHOME}"
 trap 'rm -rf ${GNUPGHOME}' EXIT
+if [ "${DOWNLOAD}" != 0 ]; then
+ echo "Downloading files"
+ pushd ./data
+ ./download_payloads "$@"
+ popd
+fi
+
 # Setup GnuPG for verifying the image signature
 gpg --batch --quiet --import <<< "${GPG_KEY}"
-echo "Verifying files"
-# Check that we have a signature for the files we work on
-test -f "${DATA_DIR}/flatcar_production_update.bin.bz2.sig"
-test -f "${DATA_DIR}/flatcar_production_image.vmlinuz.sig"
-for FILE_PATH in "${DATA_DIR}"/*.sig; do
- gpg --verify "${FILE_PATH}"
-done
-
-echo "Generating extension payloads"
-shopt -s nullglob
-for EXTENSION_PATH in "${DATA_DIR}/flatcar-"*.raw "${DATA_DIR}/oem-"*.raw; do
- # Check that we have a signature for the files we work on
- test -f "${EXTENSION_PATH}".sig
- OUTPUT_PATH="${EXTENSION_PATH/.raw/.gz}"
- if [ ! -f "${OUTPUT_PATH}" ]; then
- echo "Generating ${OUTPUT_PATH}"
- ./core_sign_update \
- --image "${EXTENSION_PATH}" \
- --output "${OUTPUT_PATH}" \
- --private_keys "${PRIVATE_KEYS}" \
- --public_keys "${PUBLIC_KEYS_DIR}/flatcar.pub.pem" \
- --keys_separator "+"
- else
- echo "ERROR: Found update payload already: ${OUTPUT_PATH}."
- exit 1
- fi
+for d in ./data/*/*; do
+ DATA_DIR="${d}"
+ echo "Verifying files for ${DATA_DIR}"
+ # Check that we have a signature for the files we work on
+ test -f "${DATA_DIR}/flatcar_production_update.bin.bz2.sig"
+ test -f "${DATA_DIR}/flatcar_production_image.vmlinuz.sig"
+ for FILE_PATH in "${DATA_DIR}"/*.sig; do
+ gpg --verify "${FILE_PATH}"
+ done
+
+ echo "Generating extension payloads for ${DATA_DIR}"
+ shopt -s nullglob
+ for EXTENSION_PATH in "${DATA_DIR}/flatcar-"*.raw "${DATA_DIR}/oem-"*.raw; do
+ # Check that we have a signature for the files we work on
+ test -f "${EXTENSION_PATH}".sig
+ OUTPUT_PATH="${EXTENSION_PATH/.raw/.gz}"
+ if [ ! -f "${OUTPUT_PATH}" ]; then
+ echo "Generating ${OUTPUT_PATH}"
+ ./core_sign_update \
+ --image "${EXTENSION_PATH}" \
+ --output "${OUTPUT_PATH}" \
+ --private_keys "${PRIVATE_KEYS}" \
+ --public_keys "/mnt/host/source/src/scripts/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-au-key/files/official-v2.pub.pem" \
+ --keys_separator "+"
+ else
+ echo "ERROR: Found update payload already: ${OUTPUT_PATH}."
+ exit 1
+ fi
+ done
+ shopt -u nullglob
+
+ echo "Extracting flatcar_production_update.bin.bz2 for ${DATA_DIR}"
+ bunzip2 -f -k "${DATA_DIR}/flatcar_production_update.bin.bz2"
+
+ echo "Generating generic update payload for ${DATA_DIR}"
+ OUTPUT_PATH="${DATA_DIR}/flatcar_production_update.gz"
+ if [ ! -f "${OUTPUT_PATH}" ]; then
+ echo "Update payload not found. Building..."
+ ./core_sign_update \
+ --image "${DATA_DIR}/flatcar_production_update.bin" \
+ --kernel "${DATA_DIR}/flatcar_production_image.vmlinuz" \
+ --output "${OUTPUT_PATH}" \
+ --private_keys "${PRIVATE_KEYS}" \
+ --public_keys "/mnt/host/source/src/scripts/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-au-key/files/official-v2.pub.pem" \
+ --keys_separator "+"
+ else
+ echo "ERROR: Found update payload already: ${OUTPUT_PATH}."
+ exit 1
+ fi
+
+ echo "Payload generated: ${OUTPUT_PATH}"
 done
-shopt -u nullglob
-
-echo "Extracting flatcar_production_update.bin.bz2"
-bunzip2 -f -k "${DATA_DIR}/flatcar_production_update.bin.bz2"
-
-echo "Generating generic update payload"
-OUTPUT_PATH="${DATA_DIR}/flatcar_production_update.gz"
-if [ ! -f "${OUTPUT_PATH}" ]; then
- echo "Update payload not found. Building..."
- ./core_sign_update \
- --image "${DATA_DIR}/flatcar_production_update.bin" \
- --kernel "${DATA_DIR}/flatcar_production_image.vmlinuz" \
- --output "${OUTPUT_PATH}" \
- --private_keys "${PRIVATE_KEYS}" \
- --public_keys "${PUBLIC_KEYS_DIR}/flatcar.pub.pem" \
- --keys_separator "+"
-else
- echo "ERROR: Found update payload already: ${OUTPUT_PATH}."
- exit 1
-fi
-
-echo "Payload generated: ${OUTPUT_PATH}"
From 05d4afbcc3300f0da887ada67ce53c66477ccbc9 Mon Sep 17 00:00:00 2001
From: Mathieu Tortuyaux
Date: Thu, 18 Jan 2024 15:51:38 +0100
Subject: [PATCH 9/9] sys-apps/baselayout: pull pkcs11 SSL configuration
Signed-off-by: Mathieu Tortuyaux
---
 ...ayout-3.6.8-r14.ebuild => baselayout-3.6.8-r15.ebuild} | 0
 .../sys-apps/baselayout/baselayout-9999.ebuild | 8 +++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
 rename sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/{baselayout-3.6.8-r14.ebuild => baselayout-3.6.8-r15.ebuild} (100%)
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r14.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r15.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r14.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r15.ebuild
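Review bot: `for d in ./data/*/*; do` signs every directory present under ./data rather than only the releases named on the command line, so a directory left over from an earlier run that already holds flatcar_production_update.gz hits `echo "ERROR: Found update payload already: ${OUTPUT_PATH}."` and aborts the whole run before the newly requested releases are processed; without nullglob an empty ./data also yields a literal `./data/*/*` that fails at the first `test -f` with an unhelpful message. Deriving the directories from the descriptors keeps the run scoped to what was asked for, e.g. `for TUPLE_COL in "$@"; do VERSION="${TUPLE_COL#*:}"; for d in ./data/*-usr/"${VERSION}"; do` with a matching extra `done`, and an explicit `test -d "${d}"` gives a clear error when a requested release is missing. The path `/mnt/host/source/src/scripts/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-au-key/files/official-v2.pub.pem` is now hard-coded twice where the previous argument allowed substituting a development key; define it once next to DOWNLOAD, e.g. `PUBLIC_KEY="${PUBLIC_KEY:-/mnt/host/source/src/scripts/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-au-key/files/official-v2.pub.pem}"`, and pass `"${PUBLIC_KEY}"` to both `--public_keys` options.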
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
index 70df4767180..cb046dca95e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
@@ -9,7 +9,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
- CROS_WORKON_COMMIT="a482cb4b69ffa5cf92d9cd719409e7abd7f382a3" # flatcar-master
+ CROS_WORKON_COMMIT="937a45faef0f7fa88d3d2c3f7ba60a7f3e2e82f7" # flatcar-master
 KEYWORDS="amd64 arm arm64 x86"
 fi
@@ -183,6 +183,12 @@ src_install() {
 if use arm64; then
 sed -i -e '/pam_sss.so/d' "${D}"/usr/lib/pam.d/* || die
 fi
+
+ if use cros_host; then
+ # inject custom SSL configuration required for signing payloads from the SDK container using OpenSSL.
+ insinto "/etc/ssl/"
+ doins "${S}/baselayout/pkcs11.cnf"
+ fi
 }
 pkg_postinst() {
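Review bot: The comment on the new `if use cros_host; then` block says pkcs11.cnf is "required for signing payloads from the SDK container using OpenSSL", but neither the hunk nor the commit message records how OpenSSL is made to read `/etc/ssl/pkcs11.cnf`, which is not the default configuration file name; presumably the signing scripts set `OPENSSL_CONF` or the file is included from openssl.cnf, and whichever it is belongs in the comment, e.g. `# SDK-only OpenSSL config for PKCS#11 signing; only read when OPENSSL_CONF points at it` adjusted to the actual mechanism. `doins "${S}/baselayout/pkcs11.cnf"` also relies on that file existing in the checked-out baselayout sources, which for the 9999 live ebuild depends on the branch being built, so a short note on where the file comes from would help. src_install() begins outside the hunk.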