Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild

[skip changelog]

.gitignore

@@ -1 +1,37 @@
 /AusweisApp2-*.tar.gz
+/AusweisApp2-pubring.gpg
+/AusweisApp-2.0.1.tar.gz
+/AusweisApp-pubring.gpg
+/AusweisApp-2.0.2.tar.gz
+/AusweisApp-2.0.2.tar.gz.asc
+/AusweisApp-2.0.2.tar.gz.sha256
+/AusweisApp-2.0.3.tar.gz
+/AusweisApp-2.0.3.tar.gz.asc
+/AusweisApp-2.0.3.tar.gz.sha256
+/AusweisApp-2.1.0.tar.gz
+/AusweisApp-2.1.0.tar.gz.asc
+/AusweisApp-2.1.0.tar.gz.sha256
+/AusweisApp-2.1.1.tar.gz
+/AusweisApp-2.1.1.tar.gz.asc
+/AusweisApp-2.1.1.tar.gz.sha256
+/AusweisApp-2.2.0.tar.gz
+/AusweisApp-2.2.0.tar.gz.asc
+/AusweisApp-2.2.0.tar.gz.sha256
+/AusweisApp-2.2.1.tar.gz
+/AusweisApp-2.2.1.tar.gz.asc
+/AusweisApp-2.2.1.tar.gz.sha256
+/AusweisApp-2.2.2.tar.gz
+/AusweisApp-2.2.2.tar.gz.asc
+/AusweisApp-2.2.2.tar.gz.sha256
+/AusweisApp-2.3.0.tar.gz
+/AusweisApp-2.3.0.tar.gz.asc
+/AusweisApp-2.3.0.tar.gz.sha256
+/AusweisApp-2.3.1.tar.gz
+/AusweisApp-2.3.1.tar.gz.asc
+/AusweisApp-2.3.1.tar.gz.sha256
+/AusweisApp-2.3.2.tar.gz
+/AusweisApp-2.3.2.tar.gz.asc
+/AusweisApp-2.3.2.tar.gz.sha256
+/AusweisApp-2.4.0.tar.gz
+/AusweisApp-2.4.0.tar.gz.asc
+/AusweisApp-2.4.0.tar.gz.sha256

0001-Use-legacy-OpenSSL-API.patch

@@ -0,0 +1,471 @@
+From f5d48a49ea7055b7d4edf5f1398557b475419fb9 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 30 Oct 2025 13:51:15 +0100
+Subject: [PATCH] Use legacy OpenSSL API
+
+---
+ src/card/base/asn1/EcdsaPublicKey.cpp        |  39 -----
+ src/card/base/asn1/EcdsaPublicKey.h          |   6 +-
+ src/card/base/pace/ec/EcUtil.cpp             | 145 -------------------
+ src/card/base/pace/ec/EcUtil.h               |  12 --
+ src/card/base/pace/ec/EcdhGenericMapping.cpp |   5 -
+ src/card/base/pace/ec/EcdhGenericMapping.h   |   4 -
+ src/card/simulator/SimulatorCard.cpp         |  37 -----
+ src/card/simulator/SimulatorCard.h           |   4 -
+ src/card/simulator/SimulatorFileSystem.cpp   |   9 --
+ src/card/simulator/SimulatorFileSystem.h     |   4 -
+ 10 files changed, 1 insertion(+), 264 deletions(-)
+
+diff --git a/src/card/base/asn1/EcdsaPublicKey.cpp b/src/card/base/asn1/EcdsaPublicKey.cpp
+index 7f54045..dc7e26b 100644
+--- a/src/card/base/asn1/EcdsaPublicKey.cpp
++++ b/src/card/base/asn1/EcdsaPublicKey.cpp
+@@ -182,7 +182,6 @@ QByteArray EcdsaPublicKey::getUncompressedPublicPoint() const
+ }
+ 
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ QSharedPointer<EC_GROUP> EcdsaPublicKey::createGroup(const CurveData& pData) const
+ {
+ 	QSharedPointer<EC_GROUP> group = EcUtil::create(EC_GROUP_new_curve_GFp(pData.p.data(), pData.a.data(), pData.b.data(), nullptr));
+@@ -209,8 +208,6 @@ QSharedPointer<EC_GROUP> EcdsaPublicKey::createGroup(const CurveData& pData) con
+ }
+ 
+ 
+-#endif
+-
+ QSharedPointer<EVP_PKEY> EcdsaPublicKey::createKey(const QByteArray& pPublicPoint) const
+ {
+ 	return createKey(reinterpret_cast<const uchar*>(pPublicPoint.constData()), static_cast<int>(pPublicPoint.size()));
+@@ -239,7 +236,6 @@ QSharedPointer<EVP_PKEY> EcdsaPublicKey::createKey(const uchar* pPublicPoint, in
+ 		return nullptr;
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 	const auto& group = createGroup(curveData);
+ 	if (group.isNull())
+ 	{
+@@ -275,39 +271,4 @@ QSharedPointer<EVP_PKEY> EcdsaPublicKey::createKey(const uchar* pPublicPoint, in
+ 
+ 	return key;
+ 
+-#else
+-	const auto& params = EcUtil::create([&curveData, pPublicPoint, pPublicPointLength, this](OSSL_PARAM_BLD* pBuilder){
+-				return OSSL_PARAM_BLD_push_BN(pBuilder, "p", curveData.p.data())
+-					   && OSSL_PARAM_BLD_push_BN(pBuilder, "a", curveData.a.data())
+-					   && OSSL_PARAM_BLD_push_BN(pBuilder, "b", curveData.b.data())
+-					   && OSSL_PARAM_BLD_push_BN(pBuilder, "order", curveData.order.data())
+-					   && OSSL_PARAM_BLD_push_BN(pBuilder, "cofactor", curveData.cofactor.data())
+-					   && OSSL_PARAM_BLD_push_octet_string(pBuilder, "pub", pPublicPoint, static_cast<size_t>(pPublicPointLength))
+-					   && OSSL_PARAM_BLD_push_octet_string(pBuilder, "generator", mBasePoint->data, static_cast<size_t>(mBasePoint->length))
+-					   && OSSL_PARAM_BLD_push_utf8_string(pBuilder, "field-type", "prime-field", 12);
+-			});
+-
+-	if (params == nullptr)
+-	{
+-		qCCritical(card) << "Cannot set parameter";
+-		return nullptr;
+-	}
+-
+-	auto ctx = EcUtil::create(EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr));
+-	if (!EVP_PKEY_fromdata_init(ctx.data()))
+-	{
+-		qCCritical(card) << "Cannot init pkey";
+-		return nullptr;
+-	}
+-
+-	EVP_PKEY* key = nullptr;
+-	if (!EVP_PKEY_fromdata(ctx.data(), &key, EVP_PKEY_PUBLIC_KEY, params.data()))
+-	{
+-		qCCritical(card) << "Cannot fetch data for pkey";
+-		return nullptr;
+-	}
+-
+-	return EcUtil::create(key);
+-
+-#endif
+ }
+diff --git a/src/card/base/asn1/EcdsaPublicKey.h b/src/card/base/asn1/EcdsaPublicKey.h
+index 860bc74..c85e48b 100644
+--- a/src/card/base/asn1/EcdsaPublicKey.h
++++ b/src/card/base/asn1/EcdsaPublicKey.h
+@@ -13,9 +13,7 @@
+ #include <openssl/asn1t.h>
+ #include <openssl/evp.h>
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+-	#include <openssl/ec.h>
+-#endif
++#include <openssl/ec.h>
+ 
+ 
+ namespace governikus
+@@ -105,9 +103,7 @@ using EcdsaPublicKey = struct ecdsapublickey_st
+ 
+ 		[[nodiscard]] CurveData createCurveData() const;
+ 		[[nodiscard]] QSharedPointer<EVP_PKEY> createKey(const uchar* pPublicPoint, int pPublicPointLength) const;
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 		[[nodiscard]] QSharedPointer<EC_GROUP> createGroup(const CurveData& pData) const;
+-#endif
+ 
+ 	public:
+ 		static int decodeCallback(int pOperation, ASN1_VALUE** pVal, const ASN1_ITEM* pIt, void* pExarg);
+diff --git a/src/card/base/pace/ec/EcUtil.cpp b/src/card/base/pace/ec/EcUtil.cpp
+index 069ad81..546438f 100644
+--- a/src/card/base/pace/ec/EcUtil.cpp
++++ b/src/card/base/pace/ec/EcUtil.cpp
+@@ -103,148 +103,6 @@ QSharedPointer<EC_POINT> EcUtil::oct2point(const QSharedPointer<const EC_GROUP>&
+ }
+ 
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-QByteArray EcUtil::getEncodedPublicKey(const QSharedPointer<EVP_PKEY>& pKey, bool pCompressed)
+-{
+-	if (pKey.isNull())
+-	{
+-		qCCritical(card) << "Cannot use undefined key";
+-		return nullptr;
+-	}
+-
+-	uchar* key = nullptr;
+-	const size_t length = EVP_PKEY_get1_encoded_public_key(pKey.data(), &key);
+-	const auto guard = qScopeGuard([key] {
+-				OPENSSL_free(key);
+-			});
+-
+-	if (length == 0)
+-	{
+-		return QByteArray();
+-	}
+-
+-	const QByteArray uncompressed(reinterpret_cast<char*>(key), static_cast<int>(length));
+-	return pCompressed ? EcUtil::compressPoint(uncompressed) : uncompressed;
+-}
+-
+-
+-QSharedPointer<BIGNUM> EcUtil::getPrivateKey(const QSharedPointer<const EVP_PKEY>& pKey)
+-{
+-	BIGNUM* privKey = nullptr;
+-	EVP_PKEY_get_bn_param(pKey.data(), "priv", &privKey);
+-	return EcUtil::create(privKey);
+-}
+-
+-
+-QSharedPointer<OSSL_PARAM> EcUtil::create(const std::function<bool(OSSL_PARAM_BLD* pBuilder)>& pFunc)
+-{
+-	OSSL_PARAM_BLD* bld = OSSL_PARAM_BLD_new();
+-	const auto guard = qScopeGuard([bld] {
+-				OSSL_PARAM_BLD_free(bld);
+-			});
+-
+-	if (bld == nullptr)
+-	{
+-		qCCritical(card) << "Cannot create parameter builder";
+-		return nullptr;
+-	}
+-
+-	if (!pFunc(bld))
+-	{
+-		qCCritical(card) << "Cannot initialize parameter builder";
+-		return nullptr;
+-	}
+-
+-	if (OSSL_PARAM* params = OSSL_PARAM_BLD_to_param(bld); params != nullptr)
+-	{
+-		static auto deleter = [](OSSL_PARAM* pParam)
+-				{
+-					OSSL_PARAM_free(pParam);
+-				};
+-
+-		return QSharedPointer<OSSL_PARAM>(params, deleter);
+-	}
+-
+-	qCCritical(card) << "Cannot create parameter";
+-	return nullptr;
+-}
+-
+-
+-QSharedPointer<EVP_PKEY> EcUtil::generateKey(const QSharedPointer<const EC_GROUP>& pCurve)
+-{
+-	if (pCurve.isNull())
+-	{
+-		qCCritical(card) << "Curve is undefined";
+-		return nullptr;
+-	}
+-
+-	auto generator = EcUtil::point2oct(pCurve, EC_GROUP_get0_generator(pCurve.data()));
+-
+-	auto order = EcUtil::create(BN_new());
+-	if (!EC_GROUP_get_order(pCurve.data(), order.data(), nullptr))
+-	{
+-		qCCritical(card) << "Cannot fetch order";
+-		return nullptr;
+-	}
+-
+-	auto cofactor = EcUtil::create(BN_new());
+-	if (!EC_GROUP_get_cofactor(pCurve.data(), cofactor.data(), nullptr))
+-	{
+-		qCCritical(card) << "Cannot fetch cofactor";
+-		return nullptr;
+-	}
+-
+-	auto p = EcUtil::create(BN_new());
+-	auto a = EcUtil::create(BN_new());
+-	auto b = EcUtil::create(BN_new());
+-	if (!EC_GROUP_get_curve(pCurve.data(), p.data(), a.data(), b.data(), nullptr))
+-	{
+-		qCCritical(card) << "Cannot fetch a, b or p";
+-		return nullptr;
+-	}
+-
+-	const auto& params = EcUtil::create([&p, &a, &b, &order, &cofactor, &generator](OSSL_PARAM_BLD* pBuilder){
+-				return OSSL_PARAM_BLD_push_BN(pBuilder, "p", p.data())
+-					   && OSSL_PARAM_BLD_push_BN(pBuilder, "a", a.data())
+-					   && OSSL_PARAM_BLD_push_BN(pBuilder, "b", b.data())
+-					   && OSSL_PARAM_BLD_push_BN(pBuilder, "order", order.data())
+-					   && OSSL_PARAM_BLD_push_BN(pBuilder, "cofactor", cofactor.data())
+-					   && OSSL_PARAM_BLD_push_octet_string(pBuilder, "generator", generator.data(), static_cast<size_t>(generator.size()))
+-					   && OSSL_PARAM_BLD_push_utf8_string(pBuilder, "field-type", "prime-field", 12);
+-			});
+-
+-	if (params == nullptr)
+-	{
+-		qCCritical(card) << "Cannot set parameter";
+-		return nullptr;
+-	}
+-
+-	auto ctx = EcUtil::create(EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr));
+-	if (!ctx)
+-	{
+-		qCCritical(card) << "Cannot create EVP_PKEY_CTX";
+-		return nullptr;
+-	}
+-	EVP_PKEY_keygen_init(ctx.data());
+-
+-	if (!EVP_PKEY_CTX_set_params(ctx.data(), params.data()))
+-	{
+-		qCCritical(card) << "Cannot set params to EVP_PKEY_CTX";
+-		return nullptr;
+-	}
+-
+-	EVP_PKEY* key = nullptr;
+-	if (!EVP_PKEY_generate(ctx.data(), &key))
+-	{
+-		qCCritical(card) << "Cannot create EVP_PKEY";
+-		return nullptr;
+-	}
+-
+-	return EcUtil::create(key);
+-}
+-
+-
+-#else
+ QByteArray EcUtil::getEncodedPublicKey(const QSharedPointer<EC_KEY>& pKey, bool pCompressed)
+ {
+ 	if (pKey.isNull())
+@@ -293,6 +151,3 @@ QSharedPointer<EC_KEY> EcUtil::generateKey(const QSharedPointer<const EC_GROUP>&
+ 
+ 	return key;
+ }
+-
+-
+-#endif
+diff --git a/src/card/base/pace/ec/EcUtil.h b/src/card/base/pace/ec/EcUtil.h
+index 63eb16c..914c268 100644
+--- a/src/card/base/pace/ec/EcUtil.h
++++ b/src/card/base/pace/ec/EcUtil.h
+@@ -26,24 +26,15 @@ class EcUtil
+ 		static QSharedPointer<EC_POINT> oct2point(const QSharedPointer<const EC_GROUP>& pCurve, const QByteArray& pCompressedData);
+ 
+ 		static QSharedPointer<EC_GROUP> create(EC_GROUP* pEcGroup);
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ 		static QSharedPointer<EC_KEY> create(EC_KEY* pEcKey);
+-#endif
+ 		static QSharedPointer<EC_POINT> create(EC_POINT* pEcPoint);
+ 		static QSharedPointer<BIGNUM> create(BIGNUM* pBigNum);
+ 		static QSharedPointer<EVP_PKEY> create(EVP_PKEY* pEcGroup);
+ 		static QSharedPointer<EVP_PKEY_CTX> create(EVP_PKEY_CTX* pEcGroup);
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-		static QByteArray getEncodedPublicKey(const QSharedPointer<EVP_PKEY>& pKey, bool pCompressed = false);
+-		static QSharedPointer<BIGNUM> getPrivateKey(const QSharedPointer<const EVP_PKEY>& pKey);
+-		static QSharedPointer<OSSL_PARAM> create(const std::function<bool(OSSL_PARAM_BLD* pBuilder)>& pFunc);
+-		static QSharedPointer<EVP_PKEY> generateKey(const QSharedPointer<const EC_GROUP>& pCurve);
+-#else
+ 		static QByteArray getEncodedPublicKey(const QSharedPointer<EC_KEY>& pKey, bool pCompressed = false);
+ 		static QSharedPointer<BIGNUM> getPrivateKey(const QSharedPointer<const EC_KEY>& pKey);
+ 		static QSharedPointer<EC_KEY> generateKey(const QSharedPointer<const EC_GROUP>& pCurve);
+-#endif
+ 
+ 		static QSharedPointer<EC_GROUP> createCurve(int pNid);
+ };
+@@ -60,7 +51,6 @@ inline QSharedPointer<EC_GROUP> EcUtil::create(EC_GROUP* pEcGroup)
+ }
+ 
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ inline QSharedPointer<EC_KEY> EcUtil::create(EC_KEY* pEcKey)
+ {
+ 	static auto deleter = [](EC_KEY* ecKey)
+@@ -72,8 +62,6 @@ inline QSharedPointer<EC_KEY> EcUtil::create(EC_KEY* pEcKey)
+ }
+ 
+ 
+-#endif
+-
+ inline QSharedPointer<EC_POINT> EcUtil::create(EC_POINT* pEcPoint)
+ {
+ 	static auto deleter = [](EC_POINT* ecPoint)
+diff --git a/src/card/base/pace/ec/EcdhGenericMapping.cpp b/src/card/base/pace/ec/EcdhGenericMapping.cpp
+index 04cee51..571c7a0 100644
+--- a/src/card/base/pace/ec/EcdhGenericMapping.cpp
++++ b/src/card/base/pace/ec/EcdhGenericMapping.cpp
+@@ -49,12 +49,7 @@ bool EcdhGenericMapping::generateEphemeralDomainParameters(const QByteArray& pRe
+ 		return false;
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	const QSharedPointer<const EC_POINT> localPubKeyPtr = EcUtil::oct2point(mCurve, EcUtil::getEncodedPublicKey(mLocalKey));
+-	const EC_POINT* localPubKey = localPubKeyPtr.data();
+-#else
+ 	const EC_POINT* localPubKey = EC_KEY_get0_public_key(mLocalKey.data());
+-#endif
+ 	if (!EC_POINT_cmp(mCurve.data(), localPubKey, remotePubKey.data(), nullptr))
+ 	{
+ 		qCCritical(card) << "The exchanged public keys are equal.";
+diff --git a/src/card/base/pace/ec/EcdhGenericMapping.h b/src/card/base/pace/ec/EcdhGenericMapping.h
+index e9c9768..188befb 100644
+--- a/src/card/base/pace/ec/EcdhGenericMapping.h
++++ b/src/card/base/pace/ec/EcdhGenericMapping.h
+@@ -22,11 +22,7 @@ class EcdhGenericMapping
+ 
+ 	private:
+ 		const QSharedPointer<EC_GROUP> mCurve;
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-		QSharedPointer<EVP_PKEY> mLocalKey;
+-#else
+ 		QSharedPointer<EC_KEY> mLocalKey;
+-#endif
+ 
+ 		QSharedPointer<EC_POINT> createNewGenerator(const QSharedPointer<const EC_POINT>& pRemotePubKey, const QSharedPointer<const BIGNUM>& pS);
+ 
+diff --git a/src/card/simulator/SimulatorCard.cpp b/src/card/simulator/SimulatorCard.cpp
+index 3c4e218..a39fb54 100644
+--- a/src/card/simulator/SimulatorCard.cpp
++++ b/src/card/simulator/SimulatorCard.cpp
+@@ -661,42 +661,6 @@ QByteArray SimulatorCard::ecMultiplication(const QByteArray& pPoint) const
+ 		return QByteArray();
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	const auto& terminalKey = EcUtil::create(EVP_PKEY_new());
+-	if (terminalKey.isNull() || EVP_PKEY_copy_parameters(terminalKey.data(), mCardKey.data()) == 0)
+-	{
+-		qCCritical(card_simulator) << "Initialization of the terminal key failed";
+-		return QByteArray();
+-	}
+-	if (!EVP_PKEY_set1_encoded_public_key(
+-			terminalKey.data(),
+-			reinterpret_cast<const unsigned char*>(pPoint.data()),
+-			static_cast<size_t>(pPoint.length())))
+-	{
+-		qCCritical(card_simulator) << "Interpreting the terminal key failed";
+-		return QByteArray();
+-	}
+-
+-	const auto& ctx = EcUtil::create(EVP_PKEY_CTX_new_from_pkey(nullptr, mCardKey.data(), nullptr));
+-	size_t resultLen = 0;
+-	if (EVP_PKEY_derive_init(ctx.data()) <= 0
+-			|| EVP_PKEY_derive_set_peer(ctx.data(), terminalKey.data()) <= 0
+-			|| EVP_PKEY_derive(ctx.data(), nullptr, &resultLen) <= 0)
+-	{
+-		qCCritical(card_simulator) << "Initialization or calculation of the result failed";
+-		return QByteArray();
+-	}
+-
+-	QByteArray result(static_cast<qsizetype>(resultLen), '\0');
+-	if (EVP_PKEY_derive(ctx.data(), reinterpret_cast<uchar*>(result.data()), &resultLen) <= 0)
+-	{
+-		qCCritical(card_simulator) << "Calculation of the result failed";
+-		return QByteArray();
+-	}
+-
+-	return result;
+-
+-#else
+ 	const auto& curve = EcUtil::create(EC_GROUP_dup(EC_KEY_get0_group(mCardKey.data())));
+ 	auto point = EcUtil::oct2point(curve, pPoint);
+ 	if (!point)
+@@ -715,7 +679,6 @@ QByteArray SimulatorCard::ecMultiplication(const QByteArray& pPoint) const
+ 
+ 	return EcUtil::point2oct(curve, result.data(), true);
+ 
+-#endif
+ }
+ 
+ 
+diff --git a/src/card/simulator/SimulatorCard.h b/src/card/simulator/SimulatorCard.h
+index fc9db00..7a881cb 100644
+--- a/src/card/simulator/SimulatorCard.h
++++ b/src/card/simulator/SimulatorCard.h
+@@ -39,11 +39,7 @@ class SimulatorCard
+ 		int mPaceKeyId;
+ 		QByteArray mPaceNonce;
+ 		QByteArray mPaceTerminalKey;
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-		QSharedPointer<EVP_PKEY> mCardKey;
+-#else
+ 		QSharedPointer<EC_KEY> mCardKey;
+-#endif
+ 		QSharedPointer<const CVCertificate> mTaCertificate;
+ 		QByteArray mTaSigningData;
+ 		QByteArray mTaAuxData;
+diff --git a/src/card/simulator/SimulatorFileSystem.cpp b/src/card/simulator/SimulatorFileSystem.cpp
+index 5c01caa..4cbe60c 100644
+--- a/src/card/simulator/SimulatorFileSystem.cpp
++++ b/src/card/simulator/SimulatorFileSystem.cpp
+@@ -347,11 +347,7 @@ QByteArray SimulatorFileSystem::getPassword(PacePasswordId pPasswordId) const
+ }
+ 
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-QSharedPointer<EVP_PKEY> SimulatorFileSystem::getKey(int pKeyId) const
+-#else
+ QSharedPointer<EC_KEY> SimulatorFileSystem::getKey(int pKeyId) const
+-#endif
+ {
+ 	if (!mKeys.contains(pKeyId))
+ 	{
+@@ -367,13 +363,8 @@ QSharedPointer<EC_KEY> SimulatorFileSystem::getKey(int pKeyId) const
+ 		return nullptr;
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-	return privateKey;
+-
+-#else
+ 	return EcUtil::create(EVP_PKEY_get1_EC_KEY(privateKey.data()));
+ 
+-#endif
+ }
+ 
+ 
+diff --git a/src/card/simulator/SimulatorFileSystem.h b/src/card/simulator/SimulatorFileSystem.h
+index 7d8458f..57065db 100644
+--- a/src/card/simulator/SimulatorFileSystem.h
++++ b/src/card/simulator/SimulatorFileSystem.h
+@@ -43,11 +43,7 @@ class SimulatorFileSystem
+ 
+ 		[[nodiscard]] QByteArray getEfCardAccess() const;
+ 		[[nodiscard]] QByteArray getPassword(PacePasswordId pPasswordId) const;
+-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+-		[[nodiscard]] QSharedPointer<EVP_PKEY> getKey(int pKeyId) const;
+-#else
+ 		[[nodiscard]] QSharedPointer<EC_KEY> getKey(int pKeyId) const;
+-#endif
+ 		[[nodiscard]] QSharedPointer<const CVCertificate> getTrustPoint() const;
+ 		void setTrustPoint(const QSharedPointer<const CVCertificate>& pTrustPoint);
+ 
+-- 
+2.51.0
+

AusweisApp2-1.20.1-doxygen_exclude_build_dir.patch

@@ -1,42 +0,0 @@
-From 7da59790e72ed2073a58f612772aa3fd18022f87 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
-Date: Fri, 21 Aug 2020 12:42:43 +0200
-Subject: [PATCH] Doxyfile: Exclude binary, CMake, libs, and test directories.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-These directories do not contain any useful source files
-for the documentation of the internal API of AusweisApp2,
-and thus should not be included in its API documentation
-generated by Doxygen.
-
-Additionally this comes in handy for distributing the API
-documentation architecture independent, when the name of
-the binary directory contains the name of the system's
-architecture the build is targeted to.
-
-Also explicitly set the 'FULL_PATH_NAMES' parameter to 'YES',
-as this is needed for properly stripping and/or excluding
-the paths during generation of the documentation files.
-
-Signed-off-by: Björn Esser <besser82@fedoraproject.org>
----
- Doxyfile.in | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/Doxyfile.in b/Doxyfile.in
-index 7c4633f..2242bff 100644
---- a/Doxyfile.in
-+++ b/Doxyfile.in
-@@ -11,7 +11,10 @@ OPTIMIZE_OUTPUT_C      = YES
- QT_AUTOBRIEF           = YES
- BUILTIN_STL_SUPPORT    = YES
- GENERATE_TREEVIEW      = YES
-+FULL_PATH_NAMES        = YES
- STRIP_FROM_PATH        = @PROJECT_SOURCE_DIR@
-+EXCLUDE_PATTERNS       = @PROJECT_BINARY_DIR@/* \
-+                         */CMake* */libs/* */test/*
- 
- SEARCHENGINE           = YES
- COLS_IN_ALPHA_INDEX    = 10

AusweisApp2-1.20.1-use_Qt_TranslationsPath.patch

@@ -1,21 +0,0 @@
-Index: AusweisApp2-1.20.1/src/global/FileDestination.h
-===================================================================
---- AusweisApp2-1.20.1.orig/src/global/FileDestination.h
-+++ AusweisApp2-1.20.1/src/global/FileDestination.h
-@@ -8,6 +8,7 @@
- 
- #include <QCoreApplication>
- #include <QDebug>
-+#include <QLibraryInfo>
- #include <QStandardPaths>
- #include <QStringBuilder>
- 
-@@ -41,6 +42,8 @@ class FileDestination
- 			QStandardPaths::StandardLocation pStandard = QStandardPaths::AppDataLocation)
- 		{
- 			#if (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)) || (defined(Q_OS_BSD4) && !defined(Q_OS_MACOS) && !defined(Q_OS_IOS))
-+			if (pFilename.compare(QStringLiteral("translations")) == 0)
-+				return QLibraryInfo::location(QLibraryInfo::TranslationsPath);
- 			const auto match = QStandardPaths::locate(pStandard, pFilename, pOption);
- 			if (!match.isNull())
- 			{

AusweisApp2-1.24.1-use_Qt_TranslationsPath.patch

@@ -0,0 +1,41 @@
+From 056e560ed6432e99a297d1c1d2c89c89621bd825 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 6 Mar 2025 01:00:00 +0100
+Subject: [PATCH] AusweisApp2-1.24.1-use_Qt_TranslationsPath.patch
+
+---
+ src/global/FileDestination.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/global/FileDestination.h b/src/global/FileDestination.h
+index 2fd5826..781e9b9 100644
+--- a/src/global/FileDestination.h
++++ b/src/global/FileDestination.h
+@@ -7,8 +7,10 @@
+ #include <QCoreApplication>
+ #include <QDebug>
+ #include <QFile>
++#include <QLibraryInfo>
+ #include <QStandardPaths>
+ #include <QStringBuilder>
++#include <QtGlobal>
+ 
+ 
+ namespace governikus
+@@ -51,6 +53,13 @@ class FileDestination
+ 			QStandardPaths::StandardLocation pStandard = QStandardPaths::AppDataLocation)
+ 		{
+ #if (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)) || (defined(Q_OS_BSD4) && !defined(Q_OS_MACOS) && !defined(Q_OS_IOS))
++#if (QT_VERSION < QT_VERSION_CHECK(6, 0, 0))
++			if (pFilename.compare(QStringLiteral("translations")) == 0)
++			{
++				return QLibraryInfo::location(QLibraryInfo::TranslationsPath);
++			}
++#endif
++
+ 			if (const auto& match = QStandardPaths::locate(pStandard, pFilename, pOption); !match.isNull())
+ 			{
+ 				return match;
+-- 
+2.48.1
+

AusweisApp2.spec

@@ -2,62 +2,91 @@
 # %%define with lazy expansion is used here intentionally, because
 # this needs to be expanded inside of a higher level macro that
 # gets expanded itself.
-%define __spec_install_post                    \
-%{?__debug_package:%{__debug_install_post}}    \
-%{__arch_install_post}                         \
-%{__os_install_post}                           \
-fipshmac %{buildroot}%{_bindir}/%{name}        \\\
-  %{buildroot}%{_libexecdir}/%{name}           \\\
-  %{buildroot}%{_datadir}/%{name}/config.json  \\\
-  %{buildroot}%{_datadir}/%{name}/openssl.cnf  \
+%define __spec_install_post                      \
+%{?__debug_package:%{__debug_install_post}}      \
+%{__arch_install_post}                           \
+%{__os_install_post}                             \
+fipshmac %{buildroot}%{_bindir}/%{newname}          \\\
+  %{buildroot}%{_libexecdir}/%{newname}             \\\
+  %{buildroot}%{_datadir}/%{newname}/openssl.cnf    \
+c="%{buildroot}%{_datadir}/%{newname}/config.json"  \
+if [[ -f ${c} ]]; then                           \
+  fipshmac ${c}                                  \
+fi                                               \
 %{nil}
 
 # Always do out-of-source builds with CMake.
 %{?__cmake_in_source_build:%undefine __cmake_in_source_build}
 
-# Build and package Doxygen documentation?
-%bcond_without    doxy
+# Do not build non-lto objects to reduce build time significantly.
+%global build_cflags   %(echo '%{build_cflags}'   | sed -e 's!-ffat-lto-objects!-fno-fat-lto-objects!g')
+%global build_cxxflags %(echo '%{build_cxxflags}' | sed -e 's!-ffat-lto-objects!-fno-fat-lto-objects!g')
+%global build_fflags   %(echo '%{build_fflags}' | sed -e 's!-ffat-lto-objects!-fno-fat-lto-objects!g')
+%global build_fcflags  %(echo '%{build_fflags}' | sed -e 's!-ffat-lto-objects!-fno-fat-lto-objects!g')
+
+%if 0%{?fedora} || 0%{?rhel} >= 9
+%global qt6_build 1
+%else
+%global qt6_build 0
+%endif
 
 # Package summary.  Gets overwritten by subpackages otherwise.
 %global pkg_sum   Online identification with German ID card (Personalausweis)
 
+# Upstream renamed to AusweisApp with 2.0 release
+%global newname   AusweisApp
 
 Name:             AusweisApp2
-Version:          1.20.2
-Release:          10%{?dist}
+Version:          2.4.0
+Release:          %autorelease
 Summary:          %{pkg_sum}
 
-# Init forge packaging helpers.
-%global forgeurl  https://github.com/Governikus/%{name}
-%global tag       %{version}
-%forgemeta
-
-License:          EUPL 1.2
+License:          EUPL-1.2
 URL:              https://www.ausweisapp.bund.de/en
-Source0000:       %{forgesource}
-Source0001:       https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/2020-03/EUPL-1.2%%20EN.txt#/EUPL-12_EN.txt
-Source0002:       gen_openssl_cnf.py
 
-# Upstreamed.
-Patch00001:       %{forgeurl}/pull/28.patch#/%{name}-1.20.1-doxygen_exclude_build_dir.patch
+# Url to releases on github.
+%global rel_url   https://github.com/Governikus/%{name}/releases/download/%{version}
+
+# Generate gpg-keyring:
+# gpg2 --keyserver keyserver.ubuntu.com --recv-keys 699BF3055B0A49224EFDE7C72D7479A531451088
+# gpg2 --export --export-options export-minimal 699BF3055B0A49224EFDE7C72D7479A531451088 > %%{name}-pubring.gpg
+
+Source0000:       %{rel_url}/%{newname}-%{version}.tar.gz
+Source0001:       %{rel_url}/%{newname}-%{version}.tar.gz.asc
+Source0002:       %{name}-pubring.gpg
+Source0003:       %{rel_url}/%{newname}-%{version}.tar.gz.sha256
+Source0004:       https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/2020-03/EUPL-1.2%%20EN.txt#/EUPL-12_EN.txt
+Source1000:       gen_openssl_cnf.py
 
 # Downstream.
-Patch01000:       %{name}-1.20.1-use_Qt_TranslationsPath.patch
+Patch01000:       %{name}-1.24.1-use_Qt_TranslationsPath.patch
+# Needed because Fedora's openssl does not support elliptic curves using custom parameters.
+# Request to enable them was denied: https://bugzilla.redhat.com/show_bug.cgi?id=2259403
+# It is currently not clear if the legacy API works by accident or by design. It does work as of March 2025.
+Patch01001:       0001-Use-legacy-OpenSSL-API.patch
 
 BuildRequires:    cmake
 BuildRequires:    crypto-policies
 BuildRequires:    desktop-file-utils
-BuildRequires:    fipscheck
 BuildRequires:    gcc-c++
-BuildRequires:    help2man
+BuildRequires:    gnupg2
 BuildRequires:    http-parser-devel
-BuildRequires:    java-openjdk-headless
 BuildRequires:    libappstream-glib
 BuildRequires:    libudev-devel
+BuildRequires:    libxkbcommon-devel
 BuildRequires:    ninja-build
 BuildRequires:    openssl-devel
 BuildRequires:    pcsc-lite-devel
 BuildRequires:    python3-devel
+%if 0%{?qt6_build}
+BuildRequires:    qt6-qtbase-devel
+BuildRequires:    qt6-qtbase-private-devel
+BuildRequires:    qt6-qtscxml-devel
+BuildRequires:    qt6-qtshadertools-devel
+BuildRequires:    qt6-qtsvg-devel
+BuildRequires:    qt6-qttools-devel
+BuildRequires:    qt6-qtwebsockets-devel
+%else
 BuildRequires:    qt5-linguist
 BuildRequires:    qt5-qtbase-devel
 BuildRequires:    qt5-qtconnectivity-devel
@@ -65,30 +94,44 @@ BuildRequires:    qt5-qtdeclarative-devel
 BuildRequires:    qt5-qtquickcontrols2-devel
 BuildRequires:    qt5-qtsvg-devel
 BuildRequires:    qt5-qtwebsockets-devel
+%endif
+BuildRequires:    %{_bindir}/sha256sum
+BuildRequires:    %{_bindir}/fipshmac
 
 # Lowercase package name.
 %global lc_name   %{lua:print(string.lower(rpm.expand("%{name}")))}
 
 # Make sure this package automatically replaces the security hazard
 # built in some COPR.
-Obsoletes:        %{name}            < 1.20.1
-Obsoletes:        %{lc_name}         < 1.20.1
+Obsoletes:        %{name}                < 1.20.1
+Obsoletes:        %{lc_name}             < 1.20.1
 
 # Provide the lowercase name for convenience as well.
-Provides:         %{lc_name}         = %{version}-%{release}
-Provides:         %{lc_name}%{?_isa} = %{version}-%{release}
+Provides:         %{lc_name}             = %{version}-%{release}
+Provides:         %{lc_name}%{?_isa}     = %{version}-%{release}
 
 # Do not raise conflicts about shared license files.
-Requires:         %{name}-data       = %{version}-%{release}
-Requires:         (%{name}-doc       = %{version}-%{release} if %{name}-doc)
+Requires:         %{name}-data           = %{version}-%{release}
+Requires:         (%{name}-doc           = %{version}-%{release} if %{name}-doc)
 
+%if !0%{?qt6_build}
 # RHBZ#1885310
 # Needed for the GUI to show up on startup.
 Requires:         qt5-qtquickcontrols2%{?_isa}
+%endif
+
+# Brainpool ECC
+Requires:         openssl-libs%{?_isa}  >= 3.0.8-2
 
 # Needed for running fipscheck on application startup.
 # Requires:         fipscheck
 
+%if 0%{?qt6_build}
+# Needed for GUI elements to be rendered
+Requires:         qt6-qtimageformats%{?_isa}
+Requires:         qt6-qtsvg%{?_isa}
+%endif
+
 %description
 The AusweisApp2 is a software to identify yourself online
 with your ID card (Personalausweis) or your electronic
@@ -103,7 +146,7 @@ online ID.
 Summary:          Architecture-independent files used by %{name}
 BuildArch:        noarch
 
-Requires:         %{name}            = %{version}-%{release}
+Requires:         %{name}                = %{version}-%{release}
 Requires:         hicolor-icon-theme
 
 %description data
@@ -115,46 +158,46 @@ used by %{name}.
 Summary:          User and API documentation for %{name}
 BuildArch:        noarch
 
-%if %{with doxy}
-BuildRequires:    doxygen
-BuildRequires:    graphviz
-%endif
 BuildRequires:    hardlink
 BuildRequires:    python3-sphinx
 BuildRequires:    python3-sphinx_rtd_theme
 
 # Do not raise conflicts about shared license files.
-Requires:         (%{name}           = %{version}-%{release} if %{name})
-
-# The doc-api package is faded, since we can ship the
-# Doxygen documentation noarch'ed as well now.
-Obsoletes:        %{name}-doc-api    < 1.20.1-2
-Provides:         %{name}-doc-api    = %{version}-%{release}
+Requires:         (%{name}               = %{version}-%{release} if %{name})
 
 %description doc
 This package contains the user and API documentation for %{name}.
 
 
 %prep
-%forgeautosetup -p 1
-install -pm 0644 %{SOURCE1} LICENSE.en.txt
+# Verify tarball integrity.
+%{gpgverify}                \
+  --keyring='%{SOURCE2}'    \
+  --signature='%{SOURCE1}'  \
+  --data='%{SOURCE0}'
+pushd %{_sourcedir}
+sha256sum -c %{SOURCE3}
+popd
+
+%autosetup -p 1 -n %{newname}-%{version}
+install -pm 0644 %{SOURCE4} LICENSE.en.txt
 
 # Generate application specific OpenSSL configuration.
 # See the comments in the resulting file for further information.
-%{__python3} %{SOURCE2} resources/config.json.in \
+%{__python3} %{SOURCE1000} resources/config.json.in \
   > fedora_%{name}_openssl.cnf
 
 # Create the shell wrapper.
 cat << EOF > fedora_%{name}_wrapper.sh
 #!/bin/sh
 # /usr/bin/fipscheck                               \\
-#     %{_bindir}/%{name}                         \\
-#     %{_libexecdir}/%{name}                     \\
-#     %{_datadir}/%{name}/config.json           \\
-#     %{_datadir}/%{name}/openssl.cnf           \\
+#     %{_bindir}/%{newname}                         \\
+#     %{_libexecdir}/%{newname}                     \\
+#     %{_datadir}/%{newname}/config.json           \\
+#     %{_datadir}/%{newname}/openssl.cnf           \\
 # || exit \$?;
-OPENSSL_CONF=%{_datadir}/%{name}/openssl.cnf  \\
-%{_libexecdir}/%{name} "\$@";
+OPENSSL_CONF=%{_datadir}/%{newname}/openssl.cnf  \\
+%{_libexecdir}/%{newname} "\$@";
 EOF
 
 
@@ -170,21 +213,16 @@ EOF
   -DINTEGRATED_SDK:BOOL=OFF                \
   -DPYTHON_EXECUTABLE:STRING=%{__python3}  \
   -DSELFPACKER:BOOL=OFF                    \
+  -DUSE_SMARTEID:BOOL=ON                   \
   -G Ninja
 %cmake_build
 
 %if (0%{?fedora} || 0%{?rhel} > 8)
 # Documentation.
-%cmake_build --target inst inte notes sdk
-%if %{with doxy}
-%cmake_build --target doxy
-%endif
+%cmake_build --target installation_integration_de installation_integration_en notes sdk
 %else
 # Documentation.
-%ninja_build -C %{_vpath_builddir} inst inte notes sdk
-%if %{with doxy}
-%ninja_build -C %{_vpath_builddir} doxy
-%endif
+%ninja_build -C %{_vpath_builddir} installation_integration_de installation_integration_en notes sdk
 %endif
 
 
@@ -194,35 +232,25 @@ EOF
 # Relocate the application binary so we can call it through
 # a shell wrapper and move installed files to proper locations.
 mkdir -p %{buildroot}{%{_libexecdir},%{_qt5_translationdir}}
-mv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_libexecdir}/%{name}
-mv %{buildroot}%{_datadir}/%{name}/translations/* \
-  %{buildroot}%{_qt5_translationdir}
-rm -fr %{buildroot}%{_datadir}/%{name}/translations
+mv %{buildroot}%{_bindir}/%{newname} %{buildroot}%{_libexecdir}/%{newname}
 
 # Install the shell wrapper and custom OpenSSL configuration.
-install -pm 0755 fedora_%{name}_wrapper.sh %{buildroot}%{_bindir}/%{name}
+install -pm 0755 fedora_%{name}_wrapper.sh %{buildroot}%{_bindir}/%{newname}
 install -pm 0644 fedora_%{name}_openssl.cnf   \
-  %{buildroot}%{_datadir}/%{name}/openssl.cnf
+  %{buildroot}%{_datadir}/%{newname}/openssl.cnf
 
-# Generate man-page.
-mkdir -p %{buildroot}%{_mandir}/man1
-help2man                                              \
-  --no-discard-stderr --no-info                       \
-  --manual="%{name}" --name="%{pkg_sum}" --section=1  \
-  --help-option="--platform offscreen --help-all"     \
-  --version-option="--platform offscreen --version"   \
-  --output=%{buildroot}%{_mandir}/man1/%{name}.1      \
-  %{buildroot}%{_libexecdir}/%{name}
+# Move translation in proper location.
+%if !(0%{?qt6_build})
+mv %{buildroot}%{_datadir}/%{newname}/translations/* \
+  %{buildroot}%{_qt5_translationdir}
+rm -fr %{buildroot}%{_datadir}/%{newname}/translations
+%endif
 
 # Excessive docs.
-mkdir -p %{buildroot}%{_pkgdocdir}/{installation,integration,notes,sdk}
+mkdir -p %{buildroot}%{_pkgdocdir}/{installation_integration_{de,en},notes,sdk}
 install -pm 0644 README.rst %{buildroot}%{_pkgdocdir}
-%if %{with doxy}
-mkdir -p %{buildroot}%{_pkgdocdir}/doxy
-cp -a %{_vpath_builddir}/doc/html/* %{buildroot}%{_pkgdocdir}/doxy
-%endif
-cp -a %{_vpath_builddir}/docs/inst/html/* %{buildroot}%{_pkgdocdir}/installation
-cp -a %{_vpath_builddir}/docs/inte/html/* %{buildroot}%{_pkgdocdir}/integration
+cp -a %{_vpath_builddir}/docs/installation_integration_de/html/* %{buildroot}%{_pkgdocdir}/installation_integration_de
+cp -a %{_vpath_builddir}/docs/installation_integration_en/html/* %{buildroot}%{_pkgdocdir}/installation_integration_en
 cp -a %{_vpath_builddir}/docs/notes/html/* %{buildroot}%{_pkgdocdir}/notes
 cp -a %{_vpath_builddir}/docs/sdk/html/* %{buildroot}%{_pkgdocdir}/sdk
 find %{buildroot}%{_pkgdocdir} -type d -print0 | xargs -0 chmod -c 0755
@@ -235,10 +263,13 @@ find %{buildroot}%{_datadir}/icons/hicolor -type f -print | \
 sed -e 's!^%{buildroot}!!g' > %{lc_name}.icons
 
 # Find translation files.
+%if !(0%{?qt6_build})
 %find_lang %{lc_name} --with-qt
+%endif
 
 
 %check
+%ctest
 appstream-util validate-relax --nonet %{buildroot}%{_metainfodir}/*.metainfo.xml
 desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop
 
@@ -249,17 +280,21 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop
 %license AUTHORS
 %license LICENSE.en.txt
 %license LICENSE.txt
-%{_bindir}/.%{name}.hmac
-%{_bindir}/%{name}
+%{_bindir}/.%{newname}.hmac
+%{_bindir}/%{newname}
 %{_datadir}/applications/com.governikus.%{lc_name}.desktop
-%{_libexecdir}/.%{name}.hmac
-%{_libexecdir}/%{name}
-%{_mandir}/man1/%{name}.1*
+%{_libexecdir}/.%{newname}.hmac
+%{_libexecdir}/%{newname}
+%{_mandir}/man1/%{newname}.1*
 %{_metainfodir}/com.governikus.%{lc_name}.metainfo.xml
 
 
+%if 0%{?qt6_build}
+%files data -f %{lc_name}.icons
+%else
 %files data -f %{lc_name}.icons -f %{lc_name}.lang
-%{_datadir}/%{name}
+%endif
+%{_datadir}/%{newname}
 
 
 %files doc
@@ -268,86 +303,4 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop
 
 
 %changelog
-* Sun Nov 15 08:50:35 CET 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-10
-- Add runtime dependency on qt5-qtquickcontrols2
-
-* Sat Oct  3 12:51:03 CEST 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-9
-- Disable fipscheck in shell wrapper as it does not work in Fedora 33+
-
-* Sat Sep 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-8
-- Make shell wrapper exit with the exit code of fipscheck on failure
-
-* Sat Sep 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-7
-- Calculate fipshmac for config files and shell wrapper
-- Run fipscheck in shell wrapper before application starts
-
-* Fri Sep 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-6
-- Use a python script to generate a tailored OpenSSL configuration
-
-* Thu Sep 24 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-5
-- Some small spec file optimizations
-
-* Thu Sep 24 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-4
-- Use a more elaborate application specific OpenSSL configuration
-  This also re-enables SHA384 hashes in ciphers
-
-* Wed Sep 23 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-3
-- Do not enable SHA384 ciphers in custom OpenSSL configuration
-
-* Wed Sep 23 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-2
-- Use application specific OpenSSL config through a shell wrapper
-
-* Mon Sep 07 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-1
-- New upstream release
-
-* Mon Aug 24 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-3
-- Add a patch to load translations from Qt5 TranslationsPath
-- Move translation files to proper location
-- Drop invokation of ctest, as we cannot run the testsuite
-  from a release build
-- Replace patch adding English license with the actual license file
-
-* Fri Aug 21 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-2
-- Add a patch to exclude the build directory in the Doxyfile
-- Merge doc-api package with the doc package, since the Doxygen
-  API documentation can be shipped noarch'ed as well now
-
-* Wed Aug 19 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-1
-- Initial import (#1851205)
-
-* Fri Jul 17 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.11
-- Use %%cmake_{build,install} macros on newer distributions
-
-* Sat Jul 04 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.10
-- Add license text in English language
-
-* Fri Jun 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.9
-- Also obsolete package with %%{name} previous to this package version
-
-* Fri Jun 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.8
-- Ensure archful packages always require equal architecture
-
-* Fri Jun 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.7
-- Make sure permissions of the documentation files are correct
-- Remove hidden files in documentation
-- Drop 'LICENSE.officially.txt', as it only applies to binary copies,
-  which are distributed on behalf of the federal government of Germany
-
-* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.6
-- Use '--help-all' option when generating man-page
-- Split build of Doxygen API docs from building user docs
-
-* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.5
-- Add generated man-page
-
-* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.4
-- Use a macro for lowercase package name
-
-* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.3
-- Use ninja-build instead of GNU Make to speed up the build a bit
-
-* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.2
-- Adaptions for building on EPEL
-
-* Wed Jun 24 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.1
-- Initial spec file for review
+%autochangelog

changelog

@@ -0,0 +1,175 @@
+* Thu Dec 28 2023 Julian Sikorski <belegdol@fedoraproject.org> - 2.0.1-1
+- Update to 2.0.1
+- Fix up config.json.in section names
+
+* Wed Nov 29 2023 Jan Grulich <jgrulich@redhat.com> - 1.26.7-4
+- Rebuild (qt6)
+
+* Fri Oct 13 2023 Jan Grulich <jgrulich@redhat.com> - 1.26.7-3
+- Rebuild (qt6)
+
+* Thu Oct 05 2023 Jan Grulich <jgrulich@redhat.com> - 1.26.7-2
+- Rebuild (qt6)
+
+* Fri Jul 28 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.7-1
+- New upstream release
+  Fixes rhbz#2227358
+
+* Fri Jul 28 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.6-1
+- New upstream release
+  Fixes rhbz#2227095
+
+* Wed Jul 26 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.5-1
+- New upstream release
+  Fixes rhbz#2226708
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.26.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri Jul 14 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.4-4
+- Rebuild(Qt_6.5)
+  Fixes rhbz#2222625
+
+* Sun Jun 04 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.4-3
+- Rebuild(Qt_6.5)
+
+* Sun May 07 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.4-2
+- Rebuild(Qt_6.5)
+
+* Mon May 01 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.4-1
+- New upstream release
+
+* Thu Mar 23 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.3-1
+- New upstream release
+- Enable use of Brainpool ECC
+
+* Sat Jan 28 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.2-2
+- Drop Qt6 version lock, as this is already ensured by symbol versioning
+
+* Sun Jan 22 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.2-1
+- New upstream release
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.24.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sun Nov 27 2022 Björn Esser <besser82@fedoraproject.org> - 1.24.4-2
+- Rebuild(qt6)
+
+* Sun Nov 06 2022 Björn Esser <besser82@fedoraproject.org> - 1.24.4-1
+- New upstream release
+
+* Fri Sep 02 2022 Björn Esser <besser82@fedoraproject.org> - 1.24.1-1
+- New upstream release
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jan 26 2022 Björn Esser <besser82@fedoraproject.org> - 1.22.3-1
+- New upstream release
+- Explicitly BR '/usr/bin/fipshmac' instead of fipscheck package
+
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.22.2-4
+- Rebuilt with OpenSSL 3.0.0
+
+* Tue Aug 31 2021 Björn Esser <besser82@fedoraproject.org> - 1.22.2-3
+- Drop forge-macros and perform tarbal verification during %%prep
+
+* Tue Aug 31 2021 Björn Esser <besser82@fedoraproject.org> - 1.22.2-2
+- Add a patch to disable use of Brainpool Elliptic Curves
+
+* Sun Aug 22 2021 Björn Esser <besser82@fedoraproject.org> - 1.22.2-1
+- New upstream release
+- Disable enforcing of FIPS mode for OpenSSL
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.2-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.2-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sun Nov 15 08:50:35 CET 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-10
+- Add runtime dependency on qt5-qtquickcontrols2
+
+* Sat Oct  3 12:51:03 CEST 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-9
+- Disable fipscheck in shell wrapper as it does not work in Fedora 33+
+
+* Sat Sep 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-8
+- Make shell wrapper exit with the exit code of fipscheck on failure
+
+* Sat Sep 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-7
+- Calculate fipshmac for config files and shell wrapper
+- Run fipscheck in shell wrapper before application starts
+
+* Fri Sep 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-6
+- Use a python script to generate a tailored OpenSSL configuration
+
+* Thu Sep 24 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-5
+- Some small spec file optimizations
+
+* Thu Sep 24 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-4
+- Use a more elaborate application specific OpenSSL configuration
+  This also re-enables SHA384 hashes in ciphers
+
+* Wed Sep 23 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-3
+- Do not enable SHA384 ciphers in custom OpenSSL configuration
+
+* Wed Sep 23 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-2
+- Use application specific OpenSSL config through a shell wrapper
+
+* Mon Sep 07 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-1
+- New upstream release
+
+* Mon Aug 24 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-3
+- Add a patch to load translations from Qt5 TranslationsPath
+- Move translation files to proper location
+- Drop invokation of ctest, as we cannot run the testsuite
+  from a release build
+- Replace patch adding English license with the actual license file
+
+* Fri Aug 21 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-2
+- Add a patch to exclude the build directory in the Doxyfile
+- Merge doc-api package with the doc package, since the Doxygen
+  API documentation can be shipped noarch'ed as well now
+
+* Wed Aug 19 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-1
+- Initial import (#1851205)
+
+* Fri Jul 17 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.11
+- Use %%cmake_{build,install} macros on newer distributions
+
+* Sat Jul 04 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.10
+- Add license text in English language
+
+* Fri Jun 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.9
+- Also obsolete package with %%{name} previous to this package version
+
+* Fri Jun 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.8
+- Ensure archful packages always require equal architecture
+
+* Fri Jun 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.7
+- Make sure permissions of the documentation files are correct
+- Remove hidden files in documentation
+- Drop 'LICENSE.officially.txt', as it only applies to binary copies,
+  which are distributed on behalf of the federal government of Germany
+
+* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.6
+- Use '--help-all' option when generating man-page
+- Split build of Doxygen API docs from building user docs
+
+* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.5
+- Add generated man-page
+
+* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.4
+- Use a macro for lowercase package name
+
+* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.3
+- Use ninja-build instead of GNU Make to speed up the build a bit
+
+* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.2
+- Adaptions for building on EPEL
+
+* Wed Jun 24 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.1
+- Initial spec file for review

gen_openssl_cnf.py

@@ -49,8 +49,9 @@ class _Const(object):
         return [
                    'tlsSettings',
                    'tlsSettingsPsk',
-                   'tlsSettingsRemoteReader',
-                   'tlsSettingsRemoteReaderPairing',
+                   'tlsSettingsRemoteIfd',
+                   'tlsSettingsRemoteIfdPairing',
+                   'tlsSettingsLocalIfd',
                ]
 
     @constant
@@ -75,10 +76,14 @@ class _Const(object):
     @constant
     def KEYSIZE_SECTIONS():
         return [
-                   'minStaticKeySizes',
-                   'minEphemeralKeySizes',
+                   'minKeySizes',
+                   'sizesIfd',
                ]
 
+    @constant
+    def KEYSIZE_MIN_SECTION():
+        return 'min'
+
     @constant
     def TLS_VERSIONS():
         return {
@@ -100,9 +105,15 @@ def get_min_ssl_sec_level(json_data):
                 if option in json_data[section]:
                     if min_keysize > json_data[section][option]:
                         min_keysize = json_data[section][option]
+                elif option in json_data[section][CONST.KEYSIZE_MIN_SECTION]:
+                    if min_keysize > json_data[section][CONST.KEYSIZE_MIN_SECTION][option]:
+                        min_keysize = json_data[section][CONST.KEYSIZE_MIN_SECTION][option]
             if CONST.KEYSIZE_EC_OPTION in json_data[section]:
                     if min_ecsize > json_data[section][CONST.KEYSIZE_EC_OPTION]:
                         min_ecsize = json_data[section][CONST.KEYSIZE_EC_OPTION]
+            elif CONST.KEYSIZE_EC_OPTION in json_data[section][CONST.KEYSIZE_MIN_SECTION]:
+                    if min_ecsize > json_data[section][CONST.KEYSIZE_MIN_SECTION][CONST.KEYSIZE_EC_OPTION]:
+                        min_ecsize = json_data[section][CONST.KEYSIZE_MIN_SECTION][CONST.KEYSIZE_EC_OPTION]
 
     if min_keysize >=  1000 and min_ecsize >= 160:
         sec_level = 1
@@ -168,7 +179,7 @@ def print_config_file(conf_dict, sec_level):
                   '# application chooses the algorithm used for a connection from a preset',
                   '# list, that is ordered in descending preference.  This configuration',
                   '# also limits the minimum and maximum cryptographic protocol versions',
-                  '# to a range needed by AusweisApp2.  Additionally FIPS mode is enforced.',
+                  '# to a range needed by AusweisApp2.',
                   '# The settings used to generate this file have been taken from the',
                   '# \'config.json\' file, which can be found in the same directory as this',
                   '# configuration file.',
@@ -183,7 +194,7 @@ def print_config_file(conf_dict, sec_level):
                   'system_default = AusweisApp2_ciphers',
                   '',
                   '[AusweisApp2_evp]',
-                  'fips_mode = yes',
+                  'fips_mode = no',
                   '',
                   '[AusweisApp2_ciphers]',
               )

sources

@@ -1 +1,4 @@
-SHA512 (AusweisApp2-1.20.2.tar.gz) = 4a968d3d9043f9eba5927f049155e203448a27034f0c051c10fbaa262bb7b4257c5a6de4763c1fa470a1c46d51bf67636f14c136c7e7c8038eab7e929dcb38c2
+SHA512 (AusweisApp-2.4.0.tar.gz) = 6e0d89b30176f7722bebab01322363ee38ff43573167061d4a97d840b669f3e579ad9fb62345b97b75490690fd5e03f25994eaa1a77334171fcdd28d39ec3e4a
+SHA512 (AusweisApp-2.4.0.tar.gz.asc) = ac8ffdb68d5847978bf639a8f32462053bddcace5d9c3d6cb16e788bb2dbe98ae3b7cafe089246fa786fa4b3e048b81b608cbe77e948a843b2dcd774796d2a56
+SHA512 (AusweisApp-2.4.0.tar.gz.sha256) = 257634437251fc22b3d85386a282ee4ce68d2f0db1112a912a54db9a6741ecb79b4180c490486d9ff8519246e62165b5953ed5739e9de0e180bb46decfeff16a
+SHA512 (AusweisApp2-pubring.gpg) = 3aae27b673f4eb2f7d3bda6c839b3d11829a730bde546e92abb889abb1c2453e786dc906154074485406692f5b9abbb3e1fb293e6b397696b6371016723621cd