File pesign-skip-auth-on-friendly-slot.patch of Package pesign

From 616ec5f25adbde1a4bd78cdcacd6dcd7ecfa5a5c Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 22 Dec 2022 13:49:34 +0800
Subject: [PATCH] cms_common: skip authentication on the 'Friendly' slot

When finding a certificate in a 'Friendly' slot without the need of the
private key, it is not necessary to authenticate the slot.

For example, when the signed attributes and the raw signature are
created in a server and the user has the certificate, signkey.x509, and
tries to import them into myapp.efi:

  $ certutil -N -d nssdb -f passwd
  $ certutil -A -d nssdb -f passwd -n signkey -t CT,CT,CT \
      -i signkey.x509
  $ pesign -n nssdb -c signkey -i myapp.efi -o myapp.efi.signed \
      -d sha256 -I myapp.sattr -R myapp.sig

Since the "signkey" is 'Friendly', i.e. publicly readable, and the
private key is not needed, we can just skip the authentication and find
"signkey" in the slot.

Signed-off-by: Gary Lin <glin@suse.com>
---
 src/cms_common.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/cms_common.c b/src/cms_common.c
index cf572ca..44e5cca 100644
--- a/src/cms_common.c
+++ b/src/cms_common.c
@@ -628,7 +628,8 @@ find_certificate(cms_context *cms, int needs_private_key)
 
 	int errnum;
 	SECStatus status;
-	if (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms)) {
+	if ((needs_private_key || !PK11_IsFriendly(psle->slot)) &&
+	    (PK11_NeedLogin(psle->slot) && !PK11_IsLoggedIn(psle->slot, cms))) {
 		status = PK11_Authenticate(psle->slot, PR_TRUE, cms);
 		if (status != SECSuccess) {
 			save_port_err() {
-- 
2.35.3