File 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff of Package p11-kit.3050

From a7f02ca0a88019da353381a25d2e7c42150abb39 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: Fri, 6 Dec 2013 10:00:32 +0100
Subject: [PATCH] trust: allow to also add openssl style hashes to
 pem-directory

For backward compatibility with older openssl and other libs like
gnutls /etc/ssl/certs needs to be created as pem-directory rather
than openssl-directory on openSUSE. Therefore also allow to install
openssl style hashes there to avoid having to call c_rehash with a
script.
---
 trust/extract-openssl.c | 76 ++++++++++++++++++++++++++-----------------------
 trust/extract-pem.c     | 26 +++++++++++++----
 trust/extract.c         |  1 +
 trust/extract.h         |  5 ++++
 trust/tests/Makefile.am |  1 +
 5 files changed, 69 insertions(+), 40 deletions(-)

diff --git a/trust/extract-openssl.c b/trust/extract-openssl.c
index 912c90d..16e12fd 100644
--- a/trust/extract-openssl.c
+++ b/trust/extract-openssl.c
@@ -587,6 +587,46 @@ symlink_for_subject_old_hash (p11_enumerate *ex)
 
 #endif /* OS_UNIX */
 
+
+/*
+ * The OpenSSL style c_rehash stuff
+ *
+ * Different versions of openssl build these hashes differently
+ * so output both of them. Shouldn't cause confusion, because
+ * multiple certificates can hash to the same link anyway,
+ * and this is the reason for the trailing number after the dot.
+ *
+ * The trailing number is incremented p11_save_symlink_in() if it
+ * conflicts with something we've already written out.
+ *
+ * On Windows no symlinks.
+ */
+bool
+p11_openssl_symlink (p11_enumerate *ex,
+                     p11_save_dir *dir,
+                     const char *filename)
+{
+	bool ret = true;
+#ifdef OS_UNIX
+	char *linkname;
+
+	linkname = symlink_for_subject_hash (ex);
+	if (linkname) {
+		ret = p11_save_symlink_in (dir, linkname, ".0", filename);
+		free (linkname);
+	}
+
+	if (ret) {
+		linkname = symlink_for_subject_old_hash (ex);
+		if (linkname) {
+			ret = p11_save_symlink_in (dir, linkname, ".0", filename);
+			free (linkname);
+		}
+	}
+#endif /* OS_UNIX */
+	return ret;
+}
+
 bool
 p11_extract_openssl_directory (p11_enumerate *ex,
                                const char *destination)
@@ -601,10 +641,6 @@ p11_extract_openssl_directory (p11_enumerate *ex,
 	char *name;
 	CK_RV rv;
 
-#ifdef OS_UNIX
-	char *linkname;
-#endif
-
 	dir = p11_save_open_directory (destination, ex->flags);
 	if (dir == NULL)
 		return false;
@@ -638,37 +674,7 @@ p11_extract_openssl_directory (p11_enumerate *ex,
 					filename = p11_path_base (path);
 			}
 
-			/*
-			 * The OpenSSL style c_rehash stuff
-			 *
-			 * Different versions of openssl build these hashes differently
-			 * so output both of them. Shouldn't cause confusion, because
-			 * multiple certificates can hash to the same link anyway,
-			 * and this is the reason for the trailing number after the dot.
-			 *
-			 * The trailing number is incremented p11_save_symlink_in() if it
-			 * conflicts with something we've already written out.
-			 *
-			 * On Windows no symlinks.
-			 */
-
-#ifdef OS_UNIX
-			if (ret) {
-				linkname = symlink_for_subject_hash (ex);
-				if (linkname) {
-					ret = p11_save_symlink_in (dir, linkname, ".0", filename);
-					free (linkname);
-				}
-			}
-
-			if (ret) {
-				linkname = symlink_for_subject_old_hash (ex);
-				if (linkname) {
-					ret = p11_save_symlink_in (dir, linkname, ".0", filename);
-					free (linkname);
-				}
-			}
-#endif /* OS_UNIX */
+			ret = p11_openssl_symlink(ex, dir, filename);
 
 			free (filename);
 			free (path);
diff --git a/trust/extract-pem.c b/trust/extract-pem.c
index 1e1c857..04dc600 100644
--- a/trust/extract-pem.c
+++ b/trust/extract-pem.c
@@ -42,6 +42,7 @@
 #include "message.h"
 #include "pem.h"
 #include "save.h"
+#include "path.h"
 
 #include <stdlib.h>
 
@@ -107,6 +108,8 @@ p11_extract_pem_directory (p11_enumerate *ex,
 	p11_buffer buf;
 	bool ret = true;
 	char *filename;
+	char *path;
+	char *name;
 	CK_RV rv;
 
 	dir = p11_save_open_directory (destination, ex->flags);
@@ -121,14 +124,27 @@ p11_extract_pem_directory (p11_enumerate *ex,
 		if (!p11_pem_write (ex->cert_der, ex->cert_len, "CERTIFICATE", &buf))
 			return_val_if_reached (false);
 
-		filename = p11_enumerate_filename (ex);
-		return_val_if_fail (filename != NULL, false);
+		name = p11_enumerate_filename (ex);
+		return_val_if_fail (name != NULL, false);
 
-		file = p11_save_open_file_in (dir, filename, ".pem");
-		free (filename);
+		path = NULL;
 
-		ret = p11_save_write_and_finish (file, buf.data, buf.len);
+		file = p11_save_open_file_in (dir, name, ".pem");
 
+		ret = p11_save_write (file, buf.data, buf.len);
+
+		if (!p11_save_finish_file (file, &path, ret))
+			ret = false;
+
+		/* XXX: getenv is a hack here, any better idea? */
+		if (ret && getenv("P11_KIT_PEMDIR_HASH")) {
+			filename = p11_path_base (path);
+			ret = p11_openssl_symlink(ex, dir, filename);
+			free (filename);
+		}
+
+		free (path);
+		free (name);
 		if (!ret)
 			break;
 	}
diff --git a/trust/extract.c b/trust/extract.c
index 1a38f11..1a23967 100644
--- a/trust/extract.c
+++ b/trust/extract.c
@@ -46,6 +46,7 @@
 #include "pkcs11x.h"
 #include "save.h"
 #include "tool.h"
+#include "digest.h"
 
 #include <assert.h>
 #include <ctype.h>
diff --git a/trust/extract.h b/trust/extract.h
index ca14238..d2e58c3 100644
--- a/trust/extract.h
+++ b/trust/extract.h
@@ -39,6 +39,7 @@
 
 #include "enumerate.h"
 #include "pkcs11.h"
+#include "save.h"
 
 enum {
 	/* These overlap with the flags in save.h, so start higher */
@@ -75,4 +76,8 @@ int             p11_trust_extract              (int argc,
 int             p11_trust_extract_compat       (int argc,
                                                 char *argv[]);
 
+/* from extract-openssl.c but also used in extract-pem.c */
+bool            p11_openssl_symlink            (p11_enumerate *ex,
+                                                p11_save_dir *dir,
+                                                const char *filename);
 #endif /* P11_EXTRACT_H_ */
diff --git a/trust/tests/Makefile.am b/trust/tests/Makefile.am
index e53a6ae..6d81363 100644
--- a/trust/tests/Makefile.am
+++ b/trust/tests/Makefile.am
@@ -105,6 +105,7 @@ test_bundle_SOURCES = \
 	test-bundle.c \
 	$(TRUST)/enumerate.c \
 	$(TRUST)/extract-pem.c \
+	$(TRUST)/extract-openssl.c \
 	$(TRUST)/save.c \
 	$(NULL)
 
-- 
1.8.1.4
openSUSE Build Service is sponsored by