diff --git a/.gitignore b/.gitignore
index b4dc8e7..fa9b918 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,16 @@
 /AusweisApp2-*.tar.gz
 /AusweisApp2-pubring.gpg
+/AusweisApp-2.0.1.tar.gz
+/AusweisApp-pubring.gpg
+/AusweisApp-2.0.2.tar.gz
+/AusweisApp-2.0.2.tar.gz.asc
+/AusweisApp-2.0.2.tar.gz.sha256
+/AusweisApp-2.0.3.tar.gz
+/AusweisApp-2.0.3.tar.gz.asc
+/AusweisApp-2.0.3.tar.gz.sha256
+/AusweisApp-2.1.0.tar.gz
+/AusweisApp-2.1.0.tar.gz.asc
+/AusweisApp-2.1.0.tar.gz.sha256
+/AusweisApp-2.1.1.tar.gz
+/AusweisApp-2.1.1.tar.gz.asc
+/AusweisApp-2.1.1.tar.gz.sha256
diff --git a/AusweisApp2-1.26.7.tar.gz.asc b/AusweisApp2-1.26.7.tar.gz.asc
deleted file mode 100644
index aa85480..0000000
--- a/AusweisApp2-1.26.7.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEaZvzBVsKSSJO/efHLXR5pTFFEIgFAmTDxJ8ACgkQLXR5pTFF
-EIh9Dw//ZMA+HUaRMp9wUCbPxm9XfT2WmVSAdlQPFUcNlue9LTVRGQKzqm0aYHE1
-qDjBdg2u5icS+pcZiX8zgnSijsxUIOVlqEeOq3Ww+X4P5LGI9HugVYCUIGAKrSEr
-vGNSnsGs7v7akKVjZea45G6hdGOSm1UrPMp36rSCXmEMzuhDVCg76Ue0rHy2uN9D
-2rud1CuLSDEKQs3MqkU1E5lRVX2uuKPz8xgVZTxYixJGlfCa7lPlO1dhEJzAqEtN
-r1CMDinjYzjTu3K9ecj5w0HuB/w6VNtAchZ6nT4oUNDUp4AzWYcJEhVVN9iqVRdF
-FGijIvMdoe1Zb15b6/lLdzqU1jazJN24swvRzcLFPFsfV7trrIThzv+Mf+LfKEwb
-qGUp6cm27y0KxXCuszRhwkAvBgPsOyPzlvcWMTUgoa5bLzOdCwB60iQ0ADCaz306
-GWLZER98OyLeHLP7E/nSv13GlMckqZkOwcR0Fv6yzY0KIZ86loHMeAbxmIcucnOV
-bY8Wffe4wfQQhGY/fsgP5v3swwlv1vBtYfLF4CbcFBiW0WJbD3mkt3hJ24E+nrUl
-6vhuoj1RJVkEhhF8gnleSxiH1EfsQcKOWKOO3UDFwUQxwtJJ6f8lQXUP+vB3NP/9
-q24xmU1XW4F+F72o2GD262aJn+HpbgWQzUEbMLQx5eAwrs+Dq08=
-=Nkl8
------END PGP SIGNATURE-----
diff --git a/AusweisApp2-1.26.7.tar.gz.sha256 b/AusweisApp2-1.26.7.tar.gz.sha256
deleted file mode 100644
index 56fa5a3..0000000
--- a/AusweisApp2-1.26.7.tar.gz.sha256
+++ /dev/null
@@ -1 +0,0 @@
-8062fe04332e9a7bee4c75fe3ef3efda6748c1a19a6fda8770f7914939c7bd28 AusweisApp2-1.26.7.tar.gz
diff --git a/AusweisApp2-2.0.1-use-legacy-openssl-api.patch b/AusweisApp2-2.0.1-use-legacy-openssl-api.patch
new file mode 100644
index 0000000..8f2dcee
--- /dev/null
+++ b/AusweisApp2-2.0.1-use-legacy-openssl-api.patch
@@ -0,0 +1,362 @@ +diff -up AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.cpp.legacyapi AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.cpp +--- AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.cpp.legacyapi 2023-11-08 16:55:33.000000000 +0100 ++++ AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.cpp 2024-01-05 22:06:07.585023942 +0100 +@@ -182,7 +182,6 @@ QByteArray EcdsaPublicKey::getUncompress + } + + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + QSharedPointer EcdsaPublicKey::createGroup(const CurveData& pData) const + { + QSharedPointer group = EcUtil::create(EC_GROUP_new_curve_GFp(pData.p.data(), pData.a.data(), pData.b.data(), nullptr)); +@@ -209,8 +208,6 @@ QSharedPointer EcdsaPublicKey: + } + + +-#endif +- + QSharedPointer EcdsaPublicKey::createKey(const QByteArray& pPublicPoint) const + { + return createKey(reinterpret_cast(pPublicPoint.constData()), static_cast(pPublicPoint.size())); +@@ -239,7 +236,6 @@ QSharedPointer EcdsaPublicKey: + return nullptr; + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + const auto& group = createGroup(curveData); + if (group.isNull()) + { +@@ -275,39 +271,4 @@ QSharedPointer EcdsaPublicKey: + + return key; + +-#else +- const auto& params = EcUtil::create([&curveData, pPublicPoint, pPublicPointLength, this](OSSL_PARAM_BLD* pBuilder){ +- return OSSL_PARAM_BLD_push_BN(pBuilder, "p", curveData.p.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "a", curveData.a.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "b", curveData.b.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "order", curveData.order.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "cofactor", curveData.cofactor.data()) +- && OSSL_PARAM_BLD_push_octet_string(pBuilder, "pub", pPublicPoint, static_cast(pPublicPointLength)) +- && OSSL_PARAM_BLD_push_octet_string(pBuilder, "generator", mBasePoint->data, static_cast(mBasePoint->length)) +- && OSSL_PARAM_BLD_push_utf8_string(pBuilder, "field-type", "prime-field", 12); +- }); +- +- if (params == nullptr) +- { +- 
qCCritical(card) << "Cannot set parameter"; +- return nullptr; +- } +- +- auto ctx = EcUtil::create(EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr)); +- if (!EVP_PKEY_fromdata_init(ctx.data())) +- { +- qCCritical(card) << "Cannot init pkey"; +- return nullptr; +- } +- +- EVP_PKEY* key = nullptr; +- if (!EVP_PKEY_fromdata(ctx.data(), &key, EVP_PKEY_PUBLIC_KEY, params.data())) +- { +- qCCritical(card) << "Cannot fetch data for pkey"; +- return nullptr; +- } +- +- return EcUtil::create(key); +- +-#endif + } +diff -up AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.h.legacyapi AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.h +--- AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.h.legacyapi 2023-11-08 16:55:33.000000000 +0100 ++++ AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.h 2024-01-05 21:26:24.850152676 +0100 +@@ -13,9 +13,7 @@ + #include + #include + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L +- #include +-#endif ++#include + + + namespace governikus +@@ -105,9 +103,7 @@ using EcdsaPublicKey = struct ecdsapubli + + [[nodiscard]] CurveData createCurveData() const; + [[nodiscard]] QSharedPointer createKey(const uchar* pPublicPoint, int pPublicPointLength) const; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + [[nodiscard]] QSharedPointer createGroup(const CurveData& pData) const; +-#endif + + public: + static int decodeCallback(int pOperation, ASN1_VALUE** pVal, const ASN1_ITEM* pIt, void* pExarg); +diff -up AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.cpp.legacyapi AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.cpp +--- AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.cpp.legacyapi 2023-11-08 16:55:33.000000000 +0100 ++++ AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.cpp 2024-01-05 21:51:28.494919678 +0100 +@@ -37,13 +37,8 @@ QByteArray EcdhGenericMapping::generateT + + mTerminalKey = EcUtil::generateKey(mCurve); + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- return 
EcUtil::getEncodedPublicKey(mTerminalKey); +- +-#else + return EcUtil::point2oct(mCurve, EC_KEY_get0_public_key(mTerminalKey.data())); + +-#endif + } + + +@@ -56,12 +51,7 @@ bool EcdhGenericMapping::generateEphemer + return false; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- const QSharedPointer terminalPubKeyPtr = EcUtil::oct2point(mCurve, EcUtil::getEncodedPublicKey(mTerminalKey)); +- const EC_POINT* terminalPubKey = terminalPubKeyPtr.data(); +-#else + const EC_POINT* terminalPubKey = EC_KEY_get0_public_key(mTerminalKey.data()); +-#endif + if (!EC_POINT_cmp(mCurve.data(), terminalPubKey, cardPubKey.data(), nullptr)) + { + qCCritical(card) << "The exchanged public keys are equal."; +@@ -81,12 +71,7 @@ bool EcdhGenericMapping::generateEphemer + + QSharedPointer EcdhGenericMapping::createNewGenerator(const QSharedPointer& pCardPubKey, const QSharedPointer& pS) + { +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- const auto& privKeyPtr = EcUtil::getPrivateKey(mTerminalKey); +- const BIGNUM* privKey = privKeyPtr.data(); +-#else + const BIGNUM* privKey = EC_KEY_get0_private_key(mTerminalKey.data()); +-#endif + + if (!privKey) + { +diff -up AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.h.legacyapi AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.h +--- AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.h.legacyapi 2023-11-08 16:55:33.000000000 +0100 ++++ AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.h 2024-01-05 21:52:19.801808499 +0100 +@@ -22,11 +22,7 @@ class EcdhGenericMapping + + private: + const QSharedPointer mCurve; +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- QSharedPointer mTerminalKey; +-#else + QSharedPointer mTerminalKey; +-#endif + + QSharedPointer createNewGenerator(const QSharedPointer& pCardPubKey, const QSharedPointer& pS); + +diff -up AusweisApp-2.0.1/src/card/base/pace/ec/EcdhKeyAgreement.cpp.legacyapi AusweisApp-2.0.1/src/card/base/pace/ec/EcdhKeyAgreement.cpp +--- 
AusweisApp-2.0.1/src/card/base/pace/ec/EcdhKeyAgreement.cpp.legacyapi 2023-11-08 16:55:33.000000000 +0100 ++++ AusweisApp-2.0.1/src/card/base/pace/ec/EcdhKeyAgreement.cpp 2024-01-05 21:37:17.920243239 +0100 +@@ -105,15 +105,8 @@ KeyAgreement::CardResult EcdhKeyAgreemen + return {CardReturnCode::PROTOCOL_ERROR}; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- const QByteArray terminalEphemeralPublicKeyBytes = EcUtil::getEncodedPublicKey(terminalEphemeralKey); +- +- const auto& privKeyPtr = EcUtil::getPrivateKey(terminalEphemeralKey); +- const BIGNUM* terminalEphemeralPrivateKey = privKeyPtr.data(); +-#else + const QByteArray terminalEphemeralPublicKeyBytes = EcUtil::point2oct(curve, EC_KEY_get0_public_key(terminalEphemeralKey.data())); + const BIGNUM* const terminalEphemeralPrivateKey = EC_KEY_get0_private_key(terminalEphemeralKey.data()); +-#endif + + // Make a copy of the terminal public key for later mutual authentication. + mTerminalPublicKey = EcUtil::oct2point(curve, terminalEphemeralPublicKeyBytes); +diff -up AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.cpp.legacyapi AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.cpp +--- AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.cpp.legacyapi 2023-11-08 16:55:33.000000000 +0100 ++++ AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.cpp 2024-01-05 20:33:28.156797843 +0100 +@@ -88,137 +88,6 @@ QSharedPointer EcUtil::oct2poi + } + + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +-QByteArray EcUtil::getEncodedPublicKey(const QSharedPointer& pKey) +-{ +- if (pKey.isNull()) +- { +- qCCritical(card) << "Cannot use undefined key"; +- return nullptr; +- } +- +- uchar* key = nullptr; +- const size_t length = EVP_PKEY_get1_encoded_public_key(pKey.data(), &key); +- const auto guard = qScopeGuard([key] { +- OPENSSL_free(key); +- }); +- +- return length > 0 ? 
QByteArray(reinterpret_cast(key), static_cast(length)) : QByteArray(); +-} +- +- +-QSharedPointer EcUtil::getPrivateKey(const QSharedPointer& pKey) +-{ +- BIGNUM* privKey = nullptr; +- EVP_PKEY_get_bn_param(pKey.data(), "priv", &privKey); +- return EcUtil::create(privKey); +-} +- +- +-QSharedPointer EcUtil::create(const std::function& pFunc) +-{ +- OSSL_PARAM_BLD* bld = OSSL_PARAM_BLD_new(); +- const auto guard = qScopeGuard([bld] { +- OSSL_PARAM_BLD_free(bld); +- }); +- +- if (bld == nullptr) +- { +- qCCritical(card) << "Cannot create parameter builder"; +- return nullptr; +- } +- +- if (OSSL_PARAM* params = nullptr; +- pFunc(bld) && (params = OSSL_PARAM_BLD_to_param(bld)) != nullptr) +- { +- static auto deleter = [](OSSL_PARAM* pParam) +- { +- OSSL_PARAM_free(pParam); +- }; +- +- return QSharedPointer(params, deleter); +- } +- +- qCCritical(card) << "Cannot create parameter"; +- return nullptr; +-} +- +- +-QSharedPointer EcUtil::generateKey(const QSharedPointer& pCurve) +-{ +- if (pCurve.isNull()) +- { +- qCCritical(card) << "Curve is undefined"; +- return nullptr; +- } +- +- auto generator = EcUtil::point2oct(pCurve, EC_GROUP_get0_generator(pCurve.data())); +- +- auto order = EcUtil::create(BN_new()); +- if (!EC_GROUP_get_order(pCurve.data(), order.data(), nullptr)) +- { +- qCCritical(card) << "Cannot fetch order"; +- return nullptr; +- } +- +- auto cofactor = EcUtil::create(BN_new()); +- if (!EC_GROUP_get_cofactor(pCurve.data(), cofactor.data(), nullptr)) +- { +- qCCritical(card) << "Cannot fetch cofactor"; +- return nullptr; +- } +- +- auto p = EcUtil::create(BN_new()); +- auto a = EcUtil::create(BN_new()); +- auto b = EcUtil::create(BN_new()); +- if (!EC_GROUP_get_curve(pCurve.data(), p.data(), a.data(), b.data(), nullptr)) +- { +- qCCritical(card) << "Cannot fetch a, b or p"; +- return nullptr; +- } +- +- const auto& params = EcUtil::create([&p, &a, &b, &order, &cofactor, &generator](OSSL_PARAM_BLD* pBuilder){ +- return OSSL_PARAM_BLD_push_BN(pBuilder, "p", 
p.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "a", a.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "b", b.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "order", order.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "cofactor", cofactor.data()) +- && OSSL_PARAM_BLD_push_octet_string(pBuilder, "generator", generator.data(), static_cast(generator.size())) +- && OSSL_PARAM_BLD_push_utf8_string(pBuilder, "field-type", "prime-field", 12); +- }); +- +- if (params == nullptr) +- { +- qCCritical(card) << "Cannot set parameter"; +- return nullptr; +- } +- +- auto ctx = EcUtil::create(EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr)); +- if (!ctx) +- { +- qCCritical(card) << "Cannot create EVP_PKEY_CTX"; +- return nullptr; +- } +- EVP_PKEY_keygen_init(ctx.data()); +- +- if (!EVP_PKEY_CTX_set_params(ctx.data(), params.data())) +- { +- qCCritical(card) << "Cannot set params to EVP_PKEY_CTX"; +- return nullptr; +- } +- +- EVP_PKEY* key = nullptr; +- if (!EVP_PKEY_generate(ctx.data(), &key)) +- { +- qCCritical(card) << "Cannot create EVP_PKEY"; +- return nullptr; +- } +- +- return EcUtil::create(key); +-} +- +- +-#else + QSharedPointer EcUtil::generateKey(const QSharedPointer& pCurve) + { + if (pCurve.isNull()) +@@ -242,6 +111,3 @@ QSharedPointer EcUtil::generateK + + return key; + } +- +- +-#endif +diff -up AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.h.legacyapi AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.h +--- AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.h.legacyapi 2023-11-08 16:55:33.000000000 +0100 ++++ AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.h 2024-01-05 22:15:17.157430740 +0100 +@@ -30,9 +30,7 @@ class EcUtil + + static QSharedPointer create(EC_GROUP* pEcGroup); + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + static QSharedPointer create(EC_KEY* pEcKey); +-#endif + + static QSharedPointer create(EC_POINT* pEcPoint); + +@@ -42,14 +40,7 @@ class EcUtil + + static QSharedPointer create(EVP_PKEY_CTX* pEcGroup); + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- 
static QByteArray getEncodedPublicKey(const QSharedPointer& pKey); +- static QSharedPointer getPrivateKey(const QSharedPointer& pKey); +- static QSharedPointer create(const std::function& pFunc); +- static QSharedPointer generateKey(const QSharedPointer& pCurve); +-#else + static QSharedPointer generateKey(const QSharedPointer& pCurve); +-#endif + + static QSharedPointer createCurve(int pNid); + }; +@@ -66,7 +57,6 @@ inline QSharedPointer EcUtil:: + } + + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + inline QSharedPointer EcUtil::create(EC_KEY* pEcKey) + { + static auto deleter = [](EC_KEY* ecKey) +@@ -78,8 +68,6 @@ inline QSharedPointer EcUtil::cr + } + + +-#endif +- + inline QSharedPointer EcUtil::create(EC_POINT* pEcPoint) + { + static auto deleter = [](EC_POINT* ecPoint) diff --git a/AusweisApp2.spec b/AusweisApp2.spec index 601ae1b..ec79e9d 100644 --- a/AusweisApp2.spec +++ b/AusweisApp2.spec @@ -6,10 +6,10 @@ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ -fipshmac %{buildroot}%{_bindir}/%{name} \\\ - %{buildroot}%{_libexecdir}/%{name} \\\ - %{buildroot}%{_datadir}/%{name}/openssl.cnf \ -c="%{buildroot}%{_datadir}/%{name}/config.json" \ +fipshmac %{buildroot}%{_bindir}/%{newname} \\\ + %{buildroot}%{_libexecdir}/%{newname} \\\ + %{buildroot}%{_datadir}/%{newname}/openssl.cnf \ +c="%{buildroot}%{_datadir}/%{newname}/config.json" \ if [[ -f ${c} ]]; then \ fipshmac ${c} \ fi \ @@ -37,10 +37,12 @@ fi \ # Package summary. Gets overwritten by subpackages otherwise. %global pkg_sum Online identification with German ID card (Personalausweis) +# Upstream renamed to AusweisApp with 2.0 release +%global newname AusweisApp Name: AusweisApp2 -Version: 1.26.7 -Release: 3%{?dist} +Version: 2.1.1 +Release: %autorelease Summary: %{pkg_sum} License: EUPL 1.2 
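Review bot: In the EcdhGenericMapping.cpp part of the added patch, the retained legacy branch hands `mTerminalKey.data()` straight to `EC_KEY_get0_public_key()` right after `EcUtil::generateKey(mCurve)`, while the removed OpenSSL 3 helper `getEncodedPublicKey()` was the only visible place that rejected a null key. `generateKey()` has a visible failure path for a null curve and presumably returns a null pointer there, so a guard such as `if (mTerminalKey.isNull()) { return QByteArray(); }` before the `point2oct` call would keep that failure explicit. The same unchecked pattern appears in EcdhKeyAgreement.cpp with `terminalEphemeralKey`, although a check may sit outside the hunk context. The `EC_KEY_*` accessors are also deprecated since OpenSSL 3.0, so the patch header should say that deprecation warnings are expected with this build.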
@@ -53,15 +55,19 @@ URL: https://www.ausweisapp.bund.de/en # gpg2 --keyserver keyserver.ubuntu.com --recv-keys 699BF3055B0A49224EFDE7C72D7479A531451088 # gpg2 --export --export-options export-minimal 699BF3055B0A49224EFDE7C72D7479A531451088 > %%{name}-pubring.gpg -Source0000: %{rel_url}/%{name}-%{version}.tar.gz -Source0001: %{rel_url}/%{name}-%{version}.tar.gz.asc +Source0000: %{rel_url}/%{newname}-%{version}.tar.gz +Source0001: %{rel_url}/%{newname}-%{version}.tar.gz.asc Source0002: %{name}-pubring.gpg -Source0003: %{rel_url}/%{name}-%{version}.tar.gz.sha256 +Source0003: %{rel_url}/%{newname}-%{version}.tar.gz.sha256 Source0004: https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/2020-03/EUPL-1.2%%20EN.txt#/EUPL-12_EN.txt Source1000: gen_openssl_cnf.py # Downstream. Patch01000: %{name}-1.24.1-use_Qt_TranslationsPath.patch +# Needed because Fedora's openssl does not support elliptic curves using custom parameters. +# Request to enable them was denied: https://bugzilla.redhat.com/show_bug.cgi?id=2259403 +# It is currently not clear if the legacy API works by accident or by design. It does work as of January 2024. +Patch01001: %{name}-2.0.1-use-legacy-openssl-api.patch BuildRequires: cmake BuildRequires: crypto-policies @@ -124,6 +130,12 @@ Requires: openssl-libs%{?_isa} >= 3.0.8-2 # Needed for running fipscheck on application startup. # Requires: fipscheck +%if 0%{?qt6_build} +# Needed for GUI elements to be rendered +Requires: qt6-qtimageformats%{?_isa} +Requires: qt6-qtsvg%{?_isa} +%endif + %description The AusweisApp2 is a software to identify yourself online with your ID card (Personalausweis) or your electronic @@ -180,7 +192,7 @@ pushd %{_sourcedir} sha256sum -c %{SOURCE3} popd -%autosetup -p 1 +%autosetup -p 1 -n %{newname}-%{version} install -pm 0644 %{SOURCE4} LICENSE.en.txt # Generate application specific OpenSSL configuration. 
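Review bot: The comment added above `Patch01001` says it is unclear whether the legacy API works by accident or by design, but nothing visible in the spec would notice if a later openssl update closed that path; the package would presumably still build and fail only at run time. The comment should record what depends on the patch and how it was verified, for example `# Affects the EC code under src/card/base (PACE key agreement); re-test card access after each openssl rebase.` Since the linked bug shows the request for custom-parameter curves was denied, it would also help to note that the workaround needs a fresh review whenever that distribution policy or the upstream code changes.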
@@ -192,13 +204,13 @@ install -pm 0644 %{SOURCE4} LICENSE.en.txt cat << EOF > fedora_%{name}_wrapper.sh #!/bin/sh # /usr/bin/fipscheck \\ -# %{_bindir}/%{name} \\ -# %{_libexecdir}/%{name} \\ -# %{_datadir}/%{name}/config.json \\ -# %{_datadir}/%{name}/openssl.cnf \\ +# %{_bindir}/%{newname} \\ +# %{_libexecdir}/%{newname} \\ +# %{_datadir}/%{newname}/config.json \\ +# %{_datadir}/%{newname}/openssl.cnf \\ # || exit \$?; -OPENSSL_CONF=%{_datadir}/%{name}/openssl.cnf \\ -%{_libexecdir}/%{name} "\$@"; +OPENSSL_CONF=%{_datadir}/%{newname}/openssl.cnf \\ +%{_libexecdir}/%{newname} "\$@"; EOF @@ -220,13 +232,13 @@ EOF %if (0%{?fedora} || 0%{?rhel} > 8) # Documentation. -%cmake_build --target inst inte notes sdk +%cmake_build --target installation_integration notes sdk %if %{with doxy} %cmake_build --target doxy %endif %else # Documentation. -%ninja_build -C %{_vpath_builddir} inst inte notes sdk +%ninja_build -C %{_vpath_builddir} installation_integration notes sdk %if %{with doxy} %ninja_build -C %{_vpath_builddir} doxy %endif 
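Review bot: The wrapper written by this heredoc starts the relocated binary as a child of `/bin/sh` (`%{_libexecdir}/%{newname} "\$@";`), so a shell process stays alive for the whole session and signals sent to the wrapper's PID do not reach the application directly. Replacing the last two lines with `export OPENSSL_CONF=%{_datadir}/%{newname}/openssl.cnf` followed by `exec %{_libexecdir}/%{newname} "\$@"` keeps the environment setting and hands the process over. The commented-out fipscheck block is carried along unchanged by the rename, so the `.hmac` files are still not checked at launch; a one-line comment in the heredoc saying so would prevent the block from being read as active.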
@@ -239,29 +251,28 @@ EOF # Relocate the application binary so we can call it through # a shell wrapper and move installed files to proper locations. mkdir -p %{buildroot}{%{_libexecdir},%{_qt5_translationdir}} -mv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_libexecdir}/%{name} +mv %{buildroot}%{_bindir}/%{newname} %{buildroot}%{_libexecdir}/%{newname} # Install the shell wrapper and custom OpenSSL configuration. -install -pm 0755 fedora_%{name}_wrapper.sh %{buildroot}%{_bindir}/%{name} +install -pm 0755 fedora_%{name}_wrapper.sh %{buildroot}%{_bindir}/%{newname} install -pm 0644 fedora_%{name}_openssl.cnf \ - %{buildroot}%{_datadir}/%{name}/openssl.cnf + %{buildroot}%{_datadir}/%{newname}/openssl.cnf # Move translation in proper location. %if !(0%{?qt6_build}) -mv %{buildroot}%{_datadir}/%{name}/translations/* \ +mv %{buildroot}%{_datadir}/%{newname}/translations/* \ %{buildroot}%{_qt5_translationdir} -rm -fr %{buildroot}%{_datadir}/%{name}/translations +rm -fr %{buildroot}%{_datadir}/%{newname}/translations %endif # Excessive docs. -mkdir -p %{buildroot}%{_pkgdocdir}/{installation,integration,notes,sdk} +mkdir -p %{buildroot}%{_pkgdocdir}/{installation_integration,notes,sdk} install -pm 0644 README.rst %{buildroot}%{_pkgdocdir} %if %{with doxy} mkdir -p %{buildroot}%{_pkgdocdir}/doxy cp -a %{_vpath_builddir}/doc/html/* %{buildroot}%{_pkgdocdir}/doxy %endif -cp -a %{_vpath_builddir}/docs/inst/html/* %{buildroot}%{_pkgdocdir}/installation -cp -a %{_vpath_builddir}/docs/inte/html/* %{buildroot}%{_pkgdocdir}/integration +cp -a %{_vpath_builddir}/docs/installation_integration/html/* %{buildroot}%{_pkgdocdir}/installation_integration cp -a %{_vpath_builddir}/docs/notes/html/* %{buildroot}%{_pkgdocdir}/notes cp -a %{_vpath_builddir}/docs/sdk/html/* %{buildroot}%{_pkgdocdir}/sdk find %{buildroot}%{_pkgdocdir} -type d -print0 | xargs -0 chmod -c 0755 
@@ -291,12 +302,12 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop %license AUTHORS %license LICENSE.en.txt %license LICENSE.txt -%{_bindir}/.%{name}.hmac -%{_bindir}/%{name} +%{_bindir}/.%{newname}.hmac +%{_bindir}/%{newname} %{_datadir}/applications/com.governikus.%{lc_name}.desktop -%{_libexecdir}/.%{name}.hmac -%{_libexecdir}/%{name} -%{_mandir}/man1/%{name}.1* +%{_libexecdir}/.%{newname}.hmac +%{_libexecdir}/%{newname} +%{_mandir}/man1/%{newname}.1* %{_metainfodir}/com.governikus.%{lc_name}.metainfo.xml @@ -305,7 +316,7 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop %else %files data -f %{lc_name}.icons -f %{lc_name}.lang %endif -%{_datadir}/%{name} +%{_datadir}/%{newname} %files doc 
@@ -314,171 +325,4 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop %changelog -* Fri Oct 13 2023 Jan Grulich - 1.26.7-3 -- Rebuild (qt6) - -* Thu Oct 05 2023 Jan Grulich - 1.26.7-2 -- Rebuild (qt6) - -* Fri Jul 28 2023 Björn Esser - 1.26.7-1 -- New upstream release - Fixes rhbz#2227358 - -* Fri Jul 28 2023 Björn Esser - 1.26.6-1 -- New upstream release - Fixes rhbz#2227095 - -* Wed Jul 26 2023 Björn Esser - 1.26.5-1 -- New upstream release - Fixes rhbz#2226708 - -* Wed Jul 19 2023 Fedora Release Engineering - 1.26.4-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Fri Jul 14 2023 Björn Esser - 1.26.4-4 -- Rebuild(Qt_6.5) - Fixes rhbz#2222625 - -* Sun Jun 04 2023 Björn Esser - 1.26.4-3 -- Rebuild(Qt_6.5) - -* Sun May 07 2023 Björn Esser - 1.26.4-2 -- Rebuild(Qt_6.5) - -* Mon May 01 2023 Björn Esser - 1.26.4-1 -- New upstream release - -* Thu Mar 23 2023 Björn Esser - 1.26.3-1 -- New upstream release -- Enable use of Brainpool ECC - -* Sat Jan 28 2023 Björn Esser - 1.26.2-2 -- Drop Qt6 version lock, as this is already ensured by symbol versioning - -* Sun Jan 22 2023 Björn Esser - 1.26.2-1 -- New upstream release - -* Wed Jan 18 2023 Fedora Release Engineering - 1.24.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Sun Nov 27 2022 Björn Esser - 1.24.4-2 -- Rebuild(qt6) - -* Sun Nov 06 2022 Björn Esser - 1.24.4-1 -- New upstream release - -* Fri Sep 02 2022 Björn Esser - 1.24.1-1 -- New upstream release - -* Wed Jul 20 2022 Fedora Release Engineering - 1.22.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Wed Jan 26 2022 Björn Esser - 1.22.3-1 -- New upstream release -- Explicitly BR '/usr/bin/fipshmac' instead of fipscheck package - -* Wed Jan 19 2022 Fedora Release Engineering - 1.22.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Tue Sep 14 2021 Sahana Prasad - 1.22.2-4 -- Rebuilt with OpenSSL 3.0.0 - -* Tue Aug 31 2021 Björn 
Esser - 1.22.2-3 -- Drop forge-macros and perform tarbal verification during %%prep - -* Tue Aug 31 2021 Björn Esser - 1.22.2-2 -- Add a patch to disable use of Brainpool Elliptic Curves - -* Sun Aug 22 2021 Björn Esser - 1.22.2-1 -- New upstream release -- Disable enforcing of FIPS mode for OpenSSL - -* Wed Jul 21 2021 Fedora Release Engineering - 1.20.2-12 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Mon Jan 25 2021 Fedora Release Engineering - 1.20.2-11 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Sun Nov 15 08:50:35 CET 2020 Björn Esser - 1.20.2-10 -- Add runtime dependency on qt5-qtquickcontrols2 - -* Sat Oct 3 12:51:03 CEST 2020 Björn Esser - 1.20.2-9 -- Disable fipscheck in shell wrapper as it does not work in Fedora 33+ - -* Sat Sep 26 2020 Björn Esser - 1.20.2-8 -- Make shell wrapper exit with the exit code of fipscheck on failure - -* Sat Sep 26 2020 Björn Esser - 1.20.2-7 -- Calculate fipshmac for config files and shell wrapper -- Run fipscheck in shell wrapper before application starts - -* Fri Sep 25 2020 Björn Esser - 1.20.2-6 -- Use a python script to generate a tailored OpenSSL configuration - -* Thu Sep 24 2020 Björn Esser - 1.20.2-5 -- Some small spec file optimizations - -* Thu Sep 24 2020 Björn Esser - 1.20.2-4 -- Use a more elaborate application specific OpenSSL configuration - This also re-enables SHA384 hashes in ciphers - -* Wed Sep 23 2020 Björn Esser - 1.20.2-3 -- Do not enable SHA384 ciphers in custom OpenSSL configuration - -* Wed Sep 23 2020 Björn Esser - 1.20.2-2 -- Use application specific OpenSSL config through a shell wrapper - -* Mon Sep 07 2020 Björn Esser - 1.20.2-1 -- New upstream release - -* Mon Aug 24 2020 Björn Esser - 1.20.1-3 -- Add a patch to load translations from Qt5 TranslationsPath -- Move translation files to proper location -- Drop invokation of ctest, as we cannot run the testsuite - from a release build -- Replace patch adding English license with the 
actual license file - -* Fri Aug 21 2020 Björn Esser - 1.20.1-2 -- Add a patch to exclude the build directory in the Doxyfile -- Merge doc-api package with the doc package, since the Doxygen - API documentation can be shipped noarch'ed as well now - -* Wed Aug 19 2020 Björn Esser - 1.20.1-1 -- Initial import (#1851205) - -* Fri Jul 17 2020 Björn Esser - 1.20.1-0.11 -- Use %%cmake_{build,install} macros on newer distributions - -* Sat Jul 04 2020 Björn Esser - 1.20.1-0.10 -- Add license text in English language - -* Fri Jun 26 2020 Björn Esser - 1.20.1-0.9 -- Also obsolete package with %%{name} previous to this package version - -* Fri Jun 26 2020 Björn Esser - 1.20.1-0.8 -- Ensure archful packages always require equal architecture - -* Fri Jun 26 2020 Björn Esser - 1.20.1-0.7 -- Make sure permissions of the documentation files are correct -- Remove hidden files in documentation -- Drop 'LICENSE.officially.txt', as it only applies to binary copies, - which are distributed on behalf of the federal government of Germany - -* Thu Jun 25 2020 Björn Esser - 1.20.1-0.6 -- Use '--help-all' option when generating man-page -- Split build of Doxygen API docs from building user docs - -* Thu Jun 25 2020 Björn Esser - 1.20.1-0.5 -- Add generated man-page - -* Thu Jun 25 2020 Björn Esser - 1.20.1-0.4 -- Use a macro for lowercase package name - -* Thu Jun 25 2020 Björn Esser - 1.20.1-0.3 -- Use ninja-build instead of GNU Make to speed up the build a bit - -* Thu Jun 25 2020 Björn Esser - 1.20.1-0.2 -- Adaptions for building on EPEL - -* Wed Jun 24 2020 Björn Esser - 1.20.1-0.1 -- Initial spec file for review +%autochangelog diff --git a/changelog b/changelog new file mode 100644 index 0000000..630945e --- /dev/null +++ b/changelog 
@@ -0,0 +1,172 @@
+* Thu Dec 28 2023 Julian Sikorski - 2.0.1-1
+- Update to 2.0.1
+- Fix up config.json.in section names
+
+* Fri Oct 13 2023 Jan Grulich - 1.26.7-3
+- Rebuild (qt6)
+
+* Thu Oct 05 2023 Jan Grulich - 1.26.7-2
+- Rebuild (qt6)
+
+* Fri Jul 28 2023 Björn Esser - 1.26.7-1
+- New upstream release
+ Fixes rhbz#2227358
+
+* Fri Jul 28 2023 Björn Esser - 1.26.6-1
+- New upstream release
+ Fixes rhbz#2227095
+
+* Wed Jul 26 2023 Björn Esser - 1.26.5-1
+- New upstream release
+ Fixes rhbz#2226708
+
+* Wed Jul 19 2023 Fedora Release Engineering - 1.26.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jul 14 2023 Björn Esser - 1.26.4-4
+- Rebuild(Qt_6.5)
+ Fixes rhbz#2222625
+
+* Sun Jun 04 2023 Björn Esser - 1.26.4-3
+- Rebuild(Qt_6.5)
+
+* Sun May 07 2023 Björn Esser - 1.26.4-2
+- Rebuild(Qt_6.5)
+
+* Mon May 01 2023 Björn Esser - 1.26.4-1
+- New upstream release
+
+* Thu Mar 23 2023 Björn Esser - 1.26.3-1
+- New upstream release
+- Enable use of Brainpool ECC
+
+* Sat Jan 28 2023 Björn Esser - 1.26.2-2
+- Drop Qt6 version lock, as this is already ensured by symbol versioning
+
+* Sun Jan 22 2023 Björn Esser - 1.26.2-1
+- New upstream release
+
+* Wed Jan 18 2023 Fedora Release Engineering - 1.24.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sun Nov 27 2022 Björn Esser - 1.24.4-2
+- Rebuild(qt6)
+
+* Sun Nov 06 2022 Björn Esser - 1.24.4-1
+- New upstream release
+
+* Fri Sep 02 2022 Björn Esser - 1.24.1-1
+- New upstream release
+
+* Wed Jul 20 2022 Fedora Release Engineering - 1.22.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jan 26 2022 Björn Esser - 1.22.3-1
+- New upstream release
+- Explicitly BR '/usr/bin/fipshmac' instead of fipscheck package
+
+* Wed Jan 19 2022 Fedora Release Engineering - 1.22.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Sep 14 2021 Sahana Prasad - 1.22.2-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Tue Aug 31 2021 Björn Esser - 1.22.2-3
+- Drop forge-macros and perform tarbal verification during %%prep
+
+* Tue Aug 31 2021 Björn Esser - 1.22.2-2
+- Add a patch to disable use of Brainpool Elliptic Curves
+
+* Sun Aug 22 2021 Björn Esser - 1.22.2-1
+- New upstream release
+- Disable enforcing of FIPS mode for OpenSSL
+
+* Wed Jul 21 2021 Fedora Release Engineering - 1.20.2-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Jan 25 2021 Fedora Release Engineering - 1.20.2-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sun Nov 15 08:50:35 CET 2020 Björn Esser - 1.20.2-10
+- Add runtime dependency on qt5-qtquickcontrols2
+
+* Sat Oct 3 12:51:03 CEST 2020 Björn Esser - 1.20.2-9
+- Disable fipscheck in shell wrapper as it does not work in Fedora 33+
+
+* Sat Sep 26 2020 Björn Esser - 1.20.2-8
+- Make shell wrapper exit with the exit code of fipscheck on failure
+
+* Sat Sep 26 2020 Björn Esser - 1.20.2-7
+- Calculate fipshmac for config files and shell wrapper
+- Run fipscheck in shell wrapper before application starts
+
+* Fri Sep 25 2020 Björn Esser - 1.20.2-6
+- Use a python script to generate a tailored OpenSSL configuration
+
+* Thu Sep 24 2020 Björn Esser - 1.20.2-5
+- Some small spec file optimizations
+
+* Thu Sep 24 2020 Björn Esser - 1.20.2-4
+- Use a more elaborate application specific OpenSSL configuration
+ This also re-enables SHA384 hashes in ciphers
+
+* Wed Sep 23 2020 Björn Esser - 1.20.2-3
+- Do not enable SHA384 ciphers in custom OpenSSL configuration
+
+* Wed Sep 23 2020 Björn Esser - 1.20.2-2
+- Use application specific OpenSSL config through a shell wrapper
+
+* Mon Sep 07 2020 Björn Esser - 1.20.2-1
+- New upstream release
+
+* Mon Aug 24 2020 Björn Esser - 1.20.1-3
+- Add a patch to load translations from Qt5 TranslationsPath
+- Move translation files to proper location
+- Drop invokation of ctest, as we cannot run the testsuite
+ from a release build
+- Replace patch adding English license with the actual license file
+
+* Fri Aug 21 2020 Björn Esser - 1.20.1-2
+- Add a patch to exclude the build directory in the Doxyfile
+- Merge doc-api package with the doc package, since the Doxygen
+ API documentation can be shipped noarch'ed as well now
+
+* Wed Aug 19 2020 Björn Esser - 1.20.1-1
+- Initial import (#1851205)
+
+* Fri Jul 17 2020 Björn Esser - 1.20.1-0.11
+- Use %%cmake_{build,install} macros on newer distributions
+
+* Sat Jul 04 2020 Björn Esser - 1.20.1-0.10
+- Add license text in English language
+
+* Fri Jun 26 2020 Björn Esser - 1.20.1-0.9
+- Also obsolete package with %%{name} previous to this package version
+
+* Fri Jun 26 2020 Björn Esser - 1.20.1-0.8
+- Ensure archful packages always require equal architecture
+
+* Fri Jun 26 2020 Björn Esser - 1.20.1-0.7
+- Make sure permissions of the documentation files are correct
+- Remove hidden files in documentation
+- Drop 'LICENSE.officially.txt', as it only applies to binary copies,
+ which are distributed on behalf of the federal government of Germany
+
+* Thu Jun 25 2020 Björn Esser - 1.20.1-0.6
+- Use '--help-all' option when generating man-page
+- Split build of Doxygen API docs from building user docs
+
+* Thu Jun 25 2020 Björn Esser - 1.20.1-0.5
+- Add generated man-page
+
+* Thu Jun 25 2020 Björn Esser - 1.20.1-0.4
+- Use a macro for lowercase package name
+
+* Thu Jun 25 2020 Björn Esser - 1.20.1-0.3
+- Use ninja-build instead of GNU Make to speed up the build a bit
+
+* Thu Jun 25 2020 Björn Esser - 1.20.1-0.2
+- Adaptions for building on EPEL
+
+* Wed Jun 24 2020 Björn Esser - 1.20.1-0.1
+- Initial spec file for review
diff --git a/gen_openssl_cnf.py b/gen_openssl_cnf.py
index 531c0d4..25e7e5c 100644
--- a/gen_openssl_cnf.py
+++ b/gen_openssl_cnf.py
@@ -49,8 +49,9 @@ class _Const(object): return [ 'tlsSettings', 'tlsSettingsPsk', - 'tlsSettingsRemoteReader', - 'tlsSettingsRemoteReaderPairing', + 'tlsSettingsRemoteIfd', + 'tlsSettingsRemoteIfdPairing', + 'tlsSettingsLocalIfd', ] @constant @@ -75,10 +76,14 @@ class _Const(object): @constant def KEYSIZE_SECTIONS(): return [ - 'minStaticKeySizes', - 'minEphemeralKeySizes', + 'minKeySizes', + 'sizesIfd', ] + @constant + def KEYSIZE_MIN_SECTION(): + return 'min' + @constant def TLS_VERSIONS(): return { @@ -100,9 +105,15 @@ def get_min_ssl_sec_level(json_data): if option in json_data[section]: if min_keysize > json_data[section][option]: min_keysize = json_data[section][option] + elif option in json_data[section][CONST.KEYSIZE_MIN_SECTION]: + if min_keysize > json_data[section][CONST.KEYSIZE_MIN_SECTION][option]: + min_keysize = json_data[section][CONST.KEYSIZE_MIN_SECTION][option] if CONST.KEYSIZE_EC_OPTION in json_data[section]: if min_ecsize > json_data[section][CONST.KEYSIZE_EC_OPTION]: min_ecsize = json_data[section][CONST.KEYSIZE_EC_OPTION] + elif CONST.KEYSIZE_EC_OPTION in json_data[section][CONST.KEYSIZE_MIN_SECTION]: + if min_ecsize > json_data[section][CONST.KEYSIZE_MIN_SECTION][CONST.KEYSIZE_EC_OPTION]: + min_ecsize = json_data[section][CONST.KEYSIZE_MIN_SECTION][CONST.KEYSIZE_EC_OPTION] if min_keysize >= 1000 and min_ecsize >= 160: sec_level = 1 diff --git a/sources b/sources index dbcbd1d..07f74ad 100644 --- a/sources +++ b/sources 
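Review bot: The two new `elif` branches in `get_min_ssl_sec_level` index `json_data[section][CONST.KEYSIZE_MIN_SECTION]` unconditionally, so a section from `KEYSIZE_SECTIONS` that has neither the option at its top level nor a `min` sub-object stops the build with a bare `KeyError` that does not name the section. Because the minimum found here decides the OpenSSL security level written into the generated configuration, the lookup should be explicit: fetch the sub-object once per section with `sub = json_data[section].get(CONST.KEYSIZE_MIN_SECTION, {})` and test `elif option in sub:`, or raise an error naming the section if a missing `min` is meant to be fatal. That also removes the triple indexing repeated four times in the added lines. The function starts and ends outside the hunk, so the initial values of `min_keysize` and `min_ecsize` are not visible here.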
@@ -1,2 +1,4 @@
-SHA512 (AusweisApp2-1.26.7.tar.gz) = 4a94042efc5f95e2df6518fcaf863ed6deebb160d35a5cdd7155a3b6aa6128b213408ce42310d942ee4e83e03cb2c3d898738846bb37995aa1ff03f660ac54b0
+SHA512 (AusweisApp-2.1.1.tar.gz) = f2cc9de898c3b2e61eb9ac208a21d60708aceeeb79d73f0382bc4b68e4011178217594bd99ac24b07d0d3fbd80b46e5c3ddc6c76bb764e24dc473197f4e1d4c9
+SHA512 (AusweisApp-2.1.1.tar.gz.asc) = 560a7e53f1d991e03d584caf29e158d72b1ca654682a14b2507347deb761b9c333db54550124b380fd2d84a861ea120ef6548075ca76e4b9bf462d9d22ebc725
+SHA512 (AusweisApp-2.1.1.tar.gz.sha256) = 49296a1d54b014f74fbda708d3a428178223f476ceb352a781c6942e88a1a853d30bccaa3fafc325944becd4fe61b3036a4e3985d5b185aaf8579ea12c60a40f
 SHA512 (AusweisApp2-pubring.gpg) = 3aae27b673f4eb2f7d3bda6c839b3d11829a730bde546e92abb889abb1c2453e786dc906154074485406692f5b9abbb3e1fb293e6b397696b6371016723621cd