diff --git a/.gitignore b/.gitignore index 6be2f76..40511aa 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,30 @@ /AusweisApp-2.0.3.tar.gz /AusweisApp-2.0.3.tar.gz.asc /AusweisApp-2.0.3.tar.gz.sha256 +/AusweisApp-2.1.0.tar.gz +/AusweisApp-2.1.0.tar.gz.asc +/AusweisApp-2.1.0.tar.gz.sha256 +/AusweisApp-2.1.1.tar.gz +/AusweisApp-2.1.1.tar.gz.asc +/AusweisApp-2.1.1.tar.gz.sha256 +/AusweisApp-2.2.0.tar.gz +/AusweisApp-2.2.0.tar.gz.asc +/AusweisApp-2.2.0.tar.gz.sha256 +/AusweisApp-2.2.1.tar.gz +/AusweisApp-2.2.1.tar.gz.asc +/AusweisApp-2.2.1.tar.gz.sha256 +/AusweisApp-2.2.2.tar.gz +/AusweisApp-2.2.2.tar.gz.asc +/AusweisApp-2.2.2.tar.gz.sha256 +/AusweisApp-2.3.0.tar.gz +/AusweisApp-2.3.0.tar.gz.asc +/AusweisApp-2.3.0.tar.gz.sha256 +/AusweisApp-2.3.1.tar.gz +/AusweisApp-2.3.1.tar.gz.asc +/AusweisApp-2.3.1.tar.gz.sha256 +/AusweisApp-2.3.2.tar.gz +/AusweisApp-2.3.2.tar.gz.asc +/AusweisApp-2.3.2.tar.gz.sha256 +/AusweisApp-2.4.0.tar.gz +/AusweisApp-2.4.0.tar.gz.asc +/AusweisApp-2.4.0.tar.gz.sha256 diff --git a/0001-Use-legacy-OpenSSL-API.patch b/0001-Use-legacy-OpenSSL-API.patch new file mode 100644 index 0000000..c05c9b5 --- /dev/null +++ b/0001-Use-legacy-OpenSSL-API.patch @@ -0,0 +1,471 @@ +From f5d48a49ea7055b7d4edf5f1398557b475419fb9 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 30 Oct 2025 13:51:15 +0100 +Subject: [PATCH] Use legacy OpenSSL API + +--- + src/card/base/asn1/EcdsaPublicKey.cpp | 39 ----- + src/card/base/asn1/EcdsaPublicKey.h | 6 +- + src/card/base/pace/ec/EcUtil.cpp | 145 ------------------- + src/card/base/pace/ec/EcUtil.h | 12 -- + src/card/base/pace/ec/EcdhGenericMapping.cpp | 5 - + src/card/base/pace/ec/EcdhGenericMapping.h | 4 - + src/card/simulator/SimulatorCard.cpp | 37 ----- + src/card/simulator/SimulatorCard.h | 4 - + src/card/simulator/SimulatorFileSystem.cpp | 9 -- + src/card/simulator/SimulatorFileSystem.h | 4 - + 10 files changed, 1 insertion(+), 264 deletions(-) + +diff --git a/src/card/base/asn1/EcdsaPublicKey.cpp b/src/card/base/asn1/EcdsaPublicKey.cpp +index 7f54045..dc7e26b 100644 +--- a/src/card/base/asn1/EcdsaPublicKey.cpp ++++ b/src/card/base/asn1/EcdsaPublicKey.cpp +@@ -182,7 +182,6 @@ QByteArray EcdsaPublicKey::getUncompressedPublicPoint() const + } + + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + QSharedPointer EcdsaPublicKey::createGroup(const CurveData& pData) const + { + QSharedPointer group = EcUtil::create(EC_GROUP_new_curve_GFp(pData.p.data(), pData.a.data(), pData.b.data(), nullptr)); +@@ -209,8 +208,6 @@ QSharedPointer EcdsaPublicKey::createGroup(const CurveData& pData) con + } + + +-#endif +- + QSharedPointer EcdsaPublicKey::createKey(const QByteArray& pPublicPoint) const + { + return createKey(reinterpret_cast(pPublicPoint.constData()), static_cast(pPublicPoint.size())); +@@ -239,7 +236,6 @@ QSharedPointer EcdsaPublicKey::createKey(const uchar* pPublicPoint, in + return nullptr; + } + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + const auto& group = createGroup(curveData); + if (group.isNull()) + { +@@ -275,39 +271,4 @@ QSharedPointer EcdsaPublicKey::createKey(const uchar* pPublicPoint, in + + return key; + +-#else +- const auto& params = EcUtil::create([&curveData, pPublicPoint, pPublicPointLength, this](OSSL_PARAM_BLD* pBuilder){ +- return OSSL_PARAM_BLD_push_BN(pBuilder, "p", curveData.p.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "a", curveData.a.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "b", curveData.b.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "order", curveData.order.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "cofactor", curveData.cofactor.data()) +- && OSSL_PARAM_BLD_push_octet_string(pBuilder, "pub", pPublicPoint, static_cast(pPublicPointLength)) +- && OSSL_PARAM_BLD_push_octet_string(pBuilder, "generator", mBasePoint->data, static_cast(mBasePoint->length)) +- && OSSL_PARAM_BLD_push_utf8_string(pBuilder, "field-type", "prime-field", 12); +- }); +- +- if (params == nullptr) +- { +- qCCritical(card) << "Cannot set parameter"; +- return nullptr; +- } +- +- auto ctx = EcUtil::create(EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr)); +- if (!EVP_PKEY_fromdata_init(ctx.data())) +- { +- qCCritical(card) << "Cannot init pkey"; +- return nullptr; +- } +- +- EVP_PKEY* key = nullptr; +- if (!EVP_PKEY_fromdata(ctx.data(), &key, EVP_PKEY_PUBLIC_KEY, params.data())) +- { +- qCCritical(card) << "Cannot fetch data for pkey"; +- return nullptr; +- } +- +- return EcUtil::create(key); +- +-#endif + } +diff --git a/src/card/base/asn1/EcdsaPublicKey.h b/src/card/base/asn1/EcdsaPublicKey.h +index 860bc74..c85e48b 100644 +--- a/src/card/base/asn1/EcdsaPublicKey.h ++++ b/src/card/base/asn1/EcdsaPublicKey.h +@@ -13,9 +13,7 @@ + #include + #include + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L +- #include +-#endif ++#include + + + namespace governikus +@@ -105,9 +103,7 @@ using EcdsaPublicKey = struct ecdsapublickey_st + + [[nodiscard]] CurveData createCurveData() const; + [[nodiscard]] QSharedPointer createKey(const uchar* pPublicPoint, int pPublicPointLength) const; +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + [[nodiscard]] QSharedPointer createGroup(const CurveData& pData) const; +-#endif + + public: + static int decodeCallback(int pOperation, ASN1_VALUE** pVal, const ASN1_ITEM* pIt, void* pExarg); +diff --git a/src/card/base/pace/ec/EcUtil.cpp b/src/card/base/pace/ec/EcUtil.cpp +index 069ad81..546438f 100644 +--- a/src/card/base/pace/ec/EcUtil.cpp ++++ b/src/card/base/pace/ec/EcUtil.cpp +@@ -103,148 +103,6 @@ QSharedPointer EcUtil::oct2point(const QSharedPointer& + } + + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +-QByteArray EcUtil::getEncodedPublicKey(const QSharedPointer& pKey, bool pCompressed) +-{ +- if (pKey.isNull()) +- { +- qCCritical(card) << "Cannot use undefined key"; +- return nullptr; +- } +- +- uchar* key = nullptr; +- const size_t length = EVP_PKEY_get1_encoded_public_key(pKey.data(), &key); +- const auto guard = qScopeGuard([key] { +- OPENSSL_free(key); +- }); +- +- if (length == 0) +- { +- return QByteArray(); +- } +- +- const QByteArray uncompressed(reinterpret_cast(key), static_cast(length)); +- return pCompressed ? EcUtil::compressPoint(uncompressed) : uncompressed; +-} +- +- +-QSharedPointer EcUtil::getPrivateKey(const QSharedPointer& pKey) +-{ +- BIGNUM* privKey = nullptr; +- EVP_PKEY_get_bn_param(pKey.data(), "priv", &privKey); +- return EcUtil::create(privKey); +-} +- +- +-QSharedPointer EcUtil::create(const std::function& pFunc) +-{ +- OSSL_PARAM_BLD* bld = OSSL_PARAM_BLD_new(); +- const auto guard = qScopeGuard([bld] { +- OSSL_PARAM_BLD_free(bld); +- }); +- +- if (bld == nullptr) +- { +- qCCritical(card) << "Cannot create parameter builder"; +- return nullptr; +- } +- +- if (!pFunc(bld)) +- { +- qCCritical(card) << "Cannot initialize parameter builder"; +- return nullptr; +- } +- +- if (OSSL_PARAM* params = OSSL_PARAM_BLD_to_param(bld); params != nullptr) +- { +- static auto deleter = [](OSSL_PARAM* pParam) +- { +- OSSL_PARAM_free(pParam); +- }; +- +- return QSharedPointer(params, deleter); +- } +- +- qCCritical(card) << "Cannot create parameter"; +- return nullptr; +-} +- +- +-QSharedPointer EcUtil::generateKey(const QSharedPointer& pCurve) +-{ +- if (pCurve.isNull()) +- { +- qCCritical(card) << "Curve is undefined"; +- return nullptr; +- } +- +- auto generator = EcUtil::point2oct(pCurve, EC_GROUP_get0_generator(pCurve.data())); +- +- auto order = EcUtil::create(BN_new()); +- if (!EC_GROUP_get_order(pCurve.data(), order.data(), nullptr)) +- { +- qCCritical(card) << "Cannot fetch order"; +- return nullptr; +- } +- +- auto cofactor = EcUtil::create(BN_new()); +- if (!EC_GROUP_get_cofactor(pCurve.data(), cofactor.data(), nullptr)) +- { +- qCCritical(card) << "Cannot fetch cofactor"; +- return nullptr; +- } +- +- auto p = EcUtil::create(BN_new()); +- auto a = EcUtil::create(BN_new()); +- auto b = EcUtil::create(BN_new()); +- if (!EC_GROUP_get_curve(pCurve.data(), p.data(), a.data(), b.data(), nullptr)) +- { +- qCCritical(card) << "Cannot fetch a, b or p"; +- return nullptr; +- } +- +- const auto& params = EcUtil::create([&p, &a, &b, &order, &cofactor, &generator](OSSL_PARAM_BLD* pBuilder){ +- return OSSL_PARAM_BLD_push_BN(pBuilder, "p", p.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "a", a.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "b", b.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "order", order.data()) +- && OSSL_PARAM_BLD_push_BN(pBuilder, "cofactor", cofactor.data()) +- && OSSL_PARAM_BLD_push_octet_string(pBuilder, "generator", generator.data(), static_cast(generator.size())) +- && OSSL_PARAM_BLD_push_utf8_string(pBuilder, "field-type", "prime-field", 12); +- }); +- +- if (params == nullptr) +- { +- qCCritical(card) << "Cannot set parameter"; +- return nullptr; +- } +- +- auto ctx = EcUtil::create(EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr)); +- if (!ctx) +- { +- qCCritical(card) << "Cannot create EVP_PKEY_CTX"; +- return nullptr; +- } +- EVP_PKEY_keygen_init(ctx.data()); +- +- if (!EVP_PKEY_CTX_set_params(ctx.data(), params.data())) +- { +- qCCritical(card) << "Cannot set params to EVP_PKEY_CTX"; +- return nullptr; +- } +- +- EVP_PKEY* key = nullptr; +- if (!EVP_PKEY_generate(ctx.data(), &key)) +- { +- qCCritical(card) << "Cannot create EVP_PKEY"; +- return nullptr; +- } +- +- return EcUtil::create(key); +-} +- +- +-#else + QByteArray EcUtil::getEncodedPublicKey(const QSharedPointer& pKey, bool pCompressed) + { + if (pKey.isNull()) +@@ -293,6 +151,3 @@ QSharedPointer EcUtil::generateKey(const QSharedPointer& + + return key; + } +- +- +-#endif +diff --git a/src/card/base/pace/ec/EcUtil.h b/src/card/base/pace/ec/EcUtil.h +index 63eb16c..914c268 100644 +--- a/src/card/base/pace/ec/EcUtil.h ++++ b/src/card/base/pace/ec/EcUtil.h +@@ -26,24 +26,15 @@ class EcUtil + static QSharedPointer oct2point(const QSharedPointer& pCurve, const QByteArray& pCompressedData); + + static QSharedPointer create(EC_GROUP* pEcGroup); +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + static QSharedPointer create(EC_KEY* pEcKey); +-#endif + static QSharedPointer create(EC_POINT* pEcPoint); + static QSharedPointer create(BIGNUM* pBigNum); + static QSharedPointer create(EVP_PKEY* pEcGroup); + static QSharedPointer create(EVP_PKEY_CTX* pEcGroup); + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- static QByteArray getEncodedPublicKey(const QSharedPointer& pKey, bool pCompressed = false); +- static QSharedPointer getPrivateKey(const QSharedPointer& pKey); +- static QSharedPointer create(const std::function& pFunc); +- static QSharedPointer generateKey(const QSharedPointer& pCurve); +-#else + static QByteArray getEncodedPublicKey(const QSharedPointer& pKey, bool pCompressed = false); + static QSharedPointer getPrivateKey(const QSharedPointer& pKey); + static QSharedPointer generateKey(const QSharedPointer& pCurve); +-#endif + + static QSharedPointer createCurve(int pNid); + }; +@@ -60,7 +51,6 @@ inline QSharedPointer EcUtil::create(EC_GROUP* pEcGroup) + } + + +-#if OPENSSL_VERSION_NUMBER < 0x30000000L + inline QSharedPointer EcUtil::create(EC_KEY* pEcKey) + { + static auto deleter = [](EC_KEY* ecKey) +@@ -72,8 +62,6 @@ inline QSharedPointer EcUtil::create(EC_KEY* pEcKey) + } + + +-#endif +- + inline QSharedPointer EcUtil::create(EC_POINT* pEcPoint) + { + static auto deleter = [](EC_POINT* ecPoint) +diff --git a/src/card/base/pace/ec/EcdhGenericMapping.cpp b/src/card/base/pace/ec/EcdhGenericMapping.cpp +index 04cee51..571c7a0 100644 +--- a/src/card/base/pace/ec/EcdhGenericMapping.cpp ++++ b/src/card/base/pace/ec/EcdhGenericMapping.cpp +@@ -49,12 +49,7 @@ bool EcdhGenericMapping::generateEphemeralDomainParameters(const QByteArray& pRe + return false; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- const QSharedPointer localPubKeyPtr = EcUtil::oct2point(mCurve, EcUtil::getEncodedPublicKey(mLocalKey)); +- const EC_POINT* localPubKey = localPubKeyPtr.data(); +-#else + const EC_POINT* localPubKey = EC_KEY_get0_public_key(mLocalKey.data()); +-#endif + if (!EC_POINT_cmp(mCurve.data(), localPubKey, remotePubKey.data(), nullptr)) + { + qCCritical(card) << "The exchanged public keys are equal."; +diff --git a/src/card/base/pace/ec/EcdhGenericMapping.h b/src/card/base/pace/ec/EcdhGenericMapping.h +index e9c9768..188befb 100644 +--- a/src/card/base/pace/ec/EcdhGenericMapping.h ++++ b/src/card/base/pace/ec/EcdhGenericMapping.h +@@ -22,11 +22,7 @@ class EcdhGenericMapping + + private: + const QSharedPointer mCurve; +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- QSharedPointer mLocalKey; +-#else + QSharedPointer mLocalKey; +-#endif + + QSharedPointer createNewGenerator(const QSharedPointer& pRemotePubKey, const QSharedPointer& pS); + +diff --git a/src/card/simulator/SimulatorCard.cpp b/src/card/simulator/SimulatorCard.cpp +index 3c4e218..a39fb54 100644 +--- a/src/card/simulator/SimulatorCard.cpp ++++ b/src/card/simulator/SimulatorCard.cpp +@@ -661,42 +661,6 @@ QByteArray SimulatorCard::ecMultiplication(const QByteArray& pPoint) const + return QByteArray(); + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- const auto& terminalKey = EcUtil::create(EVP_PKEY_new()); +- if (terminalKey.isNull() || EVP_PKEY_copy_parameters(terminalKey.data(), mCardKey.data()) == 0) +- { +- qCCritical(card_simulator) << "Initialization of the terminal key failed"; +- return QByteArray(); +- } +- if (!EVP_PKEY_set1_encoded_public_key( +- terminalKey.data(), +- reinterpret_cast(pPoint.data()), +- static_cast(pPoint.length()))) +- { +- qCCritical(card_simulator) << "Interpreting the terminal key failed"; +- return QByteArray(); +- } +- +- const auto& ctx = EcUtil::create(EVP_PKEY_CTX_new_from_pkey(nullptr, mCardKey.data(), nullptr)); +- size_t resultLen = 0; +- if (EVP_PKEY_derive_init(ctx.data()) <= 0 +- || EVP_PKEY_derive_set_peer(ctx.data(), terminalKey.data()) <= 0 +- || EVP_PKEY_derive(ctx.data(), nullptr, &resultLen) <= 0) +- { +- qCCritical(card_simulator) << "Initialization or calculation of the result failed"; +- return QByteArray(); +- } +- +- QByteArray result(static_cast(resultLen), '\0'); +- if (EVP_PKEY_derive(ctx.data(), reinterpret_cast(result.data()), &resultLen) <= 0) +- { +- qCCritical(card_simulator) << "Calculation of the result failed"; +- return QByteArray(); +- } +- +- return result; +- +-#else + const auto& curve = EcUtil::create(EC_GROUP_dup(EC_KEY_get0_group(mCardKey.data()))); + auto point = EcUtil::oct2point(curve, pPoint); + if (!point) +@@ -715,7 +679,6 @@ QByteArray SimulatorCard::ecMultiplication(const QByteArray& pPoint) const + + return EcUtil::point2oct(curve, result.data(), true); + +-#endif + } + + +diff --git a/src/card/simulator/SimulatorCard.h b/src/card/simulator/SimulatorCard.h +index fc9db00..7a881cb 100644 +--- a/src/card/simulator/SimulatorCard.h ++++ b/src/card/simulator/SimulatorCard.h +@@ -39,11 +39,7 @@ class SimulatorCard + int mPaceKeyId; + QByteArray mPaceNonce; + QByteArray mPaceTerminalKey; +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- QSharedPointer mCardKey; +-#else + QSharedPointer mCardKey; +-#endif + QSharedPointer mTaCertificate; + QByteArray mTaSigningData; + QByteArray mTaAuxData; +diff --git a/src/card/simulator/SimulatorFileSystem.cpp b/src/card/simulator/SimulatorFileSystem.cpp +index 5c01caa..4cbe60c 100644 +--- a/src/card/simulator/SimulatorFileSystem.cpp ++++ b/src/card/simulator/SimulatorFileSystem.cpp +@@ -347,11 +347,7 @@ QByteArray SimulatorFileSystem::getPassword(PacePasswordId pPasswordId) const + } + + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +-QSharedPointer SimulatorFileSystem::getKey(int pKeyId) const +-#else + QSharedPointer SimulatorFileSystem::getKey(int pKeyId) const +-#endif + { + if (!mKeys.contains(pKeyId)) + { +@@ -367,13 +363,8 @@ QSharedPointer SimulatorFileSystem::getKey(int pKeyId) const + return nullptr; + } + +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- return privateKey; +- +-#else + return EcUtil::create(EVP_PKEY_get1_EC_KEY(privateKey.data())); + +-#endif + } + + +diff --git a/src/card/simulator/SimulatorFileSystem.h b/src/card/simulator/SimulatorFileSystem.h +index 7d8458f..57065db 100644 +--- a/src/card/simulator/SimulatorFileSystem.h ++++ b/src/card/simulator/SimulatorFileSystem.h +@@ -43,11 +43,7 @@ class SimulatorFileSystem + + [[nodiscard]] QByteArray getEfCardAccess() const; + [[nodiscard]] QByteArray getPassword(PacePasswordId pPasswordId) const; +-#if OPENSSL_VERSION_NUMBER >= 0x30000000L +- [[nodiscard]] QSharedPointer getKey(int pKeyId) const; +-#else + [[nodiscard]] QSharedPointer getKey(int pKeyId) const; +-#endif + [[nodiscard]] QSharedPointer getTrustPoint() const; + void setTrustPoint(const QSharedPointer& pTrustPoint); + +-- +2.51.0 + diff --git a/AusweisApp2-1.24.1-use_Qt_TranslationsPath.patch b/AusweisApp2-1.24.1-use_Qt_TranslationsPath.patch index 2cc4234..e4fcd01 100644 --- a/AusweisApp2-1.24.1-use_Qt_TranslationsPath.patch +++ b/AusweisApp2-1.24.1-use_Qt_TranslationsPath.patch @@ -1,8 +1,17 @@ -Index: AusweisApp2-1.24.1/src/global/FileDestination.h -=================================================================== ---- AusweisApp2-1.24.1.orig/src/global/FileDestination.h -+++ AusweisApp2-1.24.1/src/global/FileDestination.h -@@ -9,8 +9,10 @@ +From 056e560ed6432e99a297d1c1d2c89c89621bd825 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 6 Mar 2025 01:00:00 +0100 +Subject: [PATCH] AusweisApp2-1.24.1-use_Qt_TranslationsPath.patch + +--- + src/global/FileDestination.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/global/FileDestination.h b/src/global/FileDestination.h +index 2fd5826..781e9b9 100644 +--- a/src/global/FileDestination.h ++++ b/src/global/FileDestination.h +@@ -7,8 +7,10 @@ #include #include #include @@ -11,9 +20,9 @@ Index: AusweisApp2-1.24.1/src/global/FileDestination.h #include +#include + namespace governikus - { -@@ -52,6 +54,13 @@ class FileDestination +@@ -51,6 +53,13 @@ class FileDestination QStandardPaths::StandardLocation pStandard = QStandardPaths::AppDataLocation) { #if (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)) || (defined(Q_OS_BSD4) && !defined(Q_OS_MACOS) && !defined(Q_OS_IOS)) @@ -27,3 +36,6 @@ Index: AusweisApp2-1.24.1/src/global/FileDestination.h if (const auto& match = QStandardPaths::locate(pStandard, pFilename, pOption); !match.isNull()) { return match; +-- +2.48.1 + diff --git a/AusweisApp2-2.0.1-use-legacy-openssl-api.patch b/AusweisApp2-2.0.1-use-legacy-openssl-api.patch deleted file mode 100644 index 8f2dcee..0000000 --- a/AusweisApp2-2.0.1-use-legacy-openssl-api.patch +++ /dev/null @@ -1,362 +0,0 @@ -diff -up AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.cpp.legacyapi AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.cpp ---- AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.cpp.legacyapi 2023-11-08 16:55:33.000000000 +0100 -+++ AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.cpp 2024-01-05 22:06:07.585023942 +0100 -@@ -182,7 +182,6 @@ QByteArray EcdsaPublicKey::getUncompress - } - - --#if OPENSSL_VERSION_NUMBER < 0x30000000L - QSharedPointer EcdsaPublicKey::createGroup(const CurveData& pData) const - { - QSharedPointer group = EcUtil::create(EC_GROUP_new_curve_GFp(pData.p.data(), pData.a.data(), pData.b.data(), nullptr)); -@@ -209,8 +208,6 @@ QSharedPointer EcdsaPublicKey: - } - - --#endif -- - QSharedPointer EcdsaPublicKey::createKey(const QByteArray& pPublicPoint) const - { - return createKey(reinterpret_cast(pPublicPoint.constData()), static_cast(pPublicPoint.size())); -@@ -239,7 +236,6 @@ QSharedPointer EcdsaPublicKey: - return nullptr; - } - --#if OPENSSL_VERSION_NUMBER < 0x30000000L - const auto& group = createGroup(curveData); - if (group.isNull()) - { -@@ -275,39 +271,4 @@ QSharedPointer EcdsaPublicKey: - - return key; - --#else -- const auto& params = EcUtil::create([&curveData, pPublicPoint, pPublicPointLength, this](OSSL_PARAM_BLD* pBuilder){ -- return OSSL_PARAM_BLD_push_BN(pBuilder, "p", curveData.p.data()) -- && OSSL_PARAM_BLD_push_BN(pBuilder, "a", curveData.a.data()) -- && OSSL_PARAM_BLD_push_BN(pBuilder, "b", curveData.b.data()) -- && OSSL_PARAM_BLD_push_BN(pBuilder, "order", curveData.order.data()) -- && OSSL_PARAM_BLD_push_BN(pBuilder, "cofactor", curveData.cofactor.data()) -- && OSSL_PARAM_BLD_push_octet_string(pBuilder, "pub", pPublicPoint, static_cast(pPublicPointLength)) -- && OSSL_PARAM_BLD_push_octet_string(pBuilder, "generator", mBasePoint->data, static_cast(mBasePoint->length)) -- && OSSL_PARAM_BLD_push_utf8_string(pBuilder, "field-type", "prime-field", 12); -- }); -- -- if (params == nullptr) -- { -- qCCritical(card) << "Cannot set parameter"; -- return nullptr; -- } -- -- auto ctx = EcUtil::create(EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr)); -- if (!EVP_PKEY_fromdata_init(ctx.data())) -- { -- qCCritical(card) << "Cannot init pkey"; -- return nullptr; -- } -- -- EVP_PKEY* key = nullptr; -- if (!EVP_PKEY_fromdata(ctx.data(), &key, EVP_PKEY_PUBLIC_KEY, params.data())) -- { -- qCCritical(card) << "Cannot fetch data for pkey"; -- return nullptr; -- } -- -- return EcUtil::create(key); -- --#endif - } -diff -up AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.h.legacyapi AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.h ---- AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.h.legacyapi 2023-11-08 16:55:33.000000000 +0100 -+++ AusweisApp-2.0.1/src/card/base/asn1/EcdsaPublicKey.h 2024-01-05 21:26:24.850152676 +0100 -@@ -13,9 +13,7 @@ - #include - #include - --#if OPENSSL_VERSION_NUMBER < 0x30000000L -- #include --#endif -+#include - - - namespace governikus -@@ -105,9 +103,7 @@ using EcdsaPublicKey = struct ecdsapubli - - [[nodiscard]] CurveData createCurveData() const; - [[nodiscard]] QSharedPointer createKey(const uchar* pPublicPoint, int pPublicPointLength) const; --#if OPENSSL_VERSION_NUMBER < 0x30000000L - [[nodiscard]] QSharedPointer createGroup(const CurveData& pData) const; --#endif - - public: - static int decodeCallback(int pOperation, ASN1_VALUE** pVal, const ASN1_ITEM* pIt, void* pExarg); -diff -up AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.cpp.legacyapi AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.cpp ---- AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.cpp.legacyapi 2023-11-08 16:55:33.000000000 +0100 -+++ AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.cpp 2024-01-05 21:51:28.494919678 +0100 -@@ -37,13 +37,8 @@ QByteArray EcdhGenericMapping::generateT - - mTerminalKey = EcUtil::generateKey(mCurve); - --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -- return EcUtil::getEncodedPublicKey(mTerminalKey); -- --#else - return EcUtil::point2oct(mCurve, EC_KEY_get0_public_key(mTerminalKey.data())); - --#endif - } - - -@@ -56,12 +51,7 @@ bool EcdhGenericMapping::generateEphemer - return false; - } - --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -- const QSharedPointer terminalPubKeyPtr = EcUtil::oct2point(mCurve, EcUtil::getEncodedPublicKey(mTerminalKey)); -- const EC_POINT* terminalPubKey = terminalPubKeyPtr.data(); --#else - const EC_POINT* terminalPubKey = EC_KEY_get0_public_key(mTerminalKey.data()); --#endif - if (!EC_POINT_cmp(mCurve.data(), terminalPubKey, cardPubKey.data(), nullptr)) - { - qCCritical(card) << "The exchanged public keys are equal."; -@@ -81,12 +71,7 @@ bool EcdhGenericMapping::generateEphemer - - QSharedPointer EcdhGenericMapping::createNewGenerator(const QSharedPointer& pCardPubKey, const QSharedPointer& pS) - { --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -- const auto& privKeyPtr = EcUtil::getPrivateKey(mTerminalKey); -- const BIGNUM* privKey = privKeyPtr.data(); --#else - const BIGNUM* privKey = EC_KEY_get0_private_key(mTerminalKey.data()); --#endif - - if (!privKey) - { -diff -up AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.h.legacyapi AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.h ---- AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.h.legacyapi 2023-11-08 16:55:33.000000000 +0100 -+++ AusweisApp-2.0.1/src/card/base/pace/ec/EcdhGenericMapping.h 2024-01-05 21:52:19.801808499 +0100 -@@ -22,11 +22,7 @@ class EcdhGenericMapping - - private: - const QSharedPointer mCurve; --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -- QSharedPointer mTerminalKey; --#else - QSharedPointer mTerminalKey; --#endif - - QSharedPointer createNewGenerator(const QSharedPointer& pCardPubKey, const QSharedPointer& pS); - -diff -up AusweisApp-2.0.1/src/card/base/pace/ec/EcdhKeyAgreement.cpp.legacyapi AusweisApp-2.0.1/src/card/base/pace/ec/EcdhKeyAgreement.cpp ---- AusweisApp-2.0.1/src/card/base/pace/ec/EcdhKeyAgreement.cpp.legacyapi 2023-11-08 16:55:33.000000000 +0100 -+++ AusweisApp-2.0.1/src/card/base/pace/ec/EcdhKeyAgreement.cpp 2024-01-05 21:37:17.920243239 +0100 -@@ -105,15 +105,8 @@ KeyAgreement::CardResult EcdhKeyAgreemen - return {CardReturnCode::PROTOCOL_ERROR}; - } - --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -- const QByteArray terminalEphemeralPublicKeyBytes = EcUtil::getEncodedPublicKey(terminalEphemeralKey); -- -- const auto& privKeyPtr = EcUtil::getPrivateKey(terminalEphemeralKey); -- const BIGNUM* terminalEphemeralPrivateKey = privKeyPtr.data(); --#else - const QByteArray terminalEphemeralPublicKeyBytes = EcUtil::point2oct(curve, EC_KEY_get0_public_key(terminalEphemeralKey.data())); - const BIGNUM* const terminalEphemeralPrivateKey = EC_KEY_get0_private_key(terminalEphemeralKey.data()); --#endif - - // Make a copy of the terminal public key for later mutual authentication. - mTerminalPublicKey = EcUtil::oct2point(curve, terminalEphemeralPublicKeyBytes); -diff -up AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.cpp.legacyapi AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.cpp ---- AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.cpp.legacyapi 2023-11-08 16:55:33.000000000 +0100 -+++ AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.cpp 2024-01-05 20:33:28.156797843 +0100 -@@ -88,137 +88,6 @@ QSharedPointer EcUtil::oct2poi - } - - --#if OPENSSL_VERSION_NUMBER >= 0x30000000L --QByteArray EcUtil::getEncodedPublicKey(const QSharedPointer& pKey) --{ -- if (pKey.isNull()) -- { -- qCCritical(card) << "Cannot use undefined key"; -- return nullptr; -- } -- -- uchar* key = nullptr; -- const size_t length = EVP_PKEY_get1_encoded_public_key(pKey.data(), &key); -- const auto guard = qScopeGuard([key] { -- OPENSSL_free(key); -- }); -- -- return length > 0 ? QByteArray(reinterpret_cast(key), static_cast(length)) : QByteArray(); --} -- -- --QSharedPointer EcUtil::getPrivateKey(const QSharedPointer& pKey) --{ -- BIGNUM* privKey = nullptr; -- EVP_PKEY_get_bn_param(pKey.data(), "priv", &privKey); -- return EcUtil::create(privKey); --} -- -- --QSharedPointer EcUtil::create(const std::function& pFunc) --{ -- OSSL_PARAM_BLD* bld = OSSL_PARAM_BLD_new(); -- const auto guard = qScopeGuard([bld] { -- OSSL_PARAM_BLD_free(bld); -- }); -- -- if (bld == nullptr) -- { -- qCCritical(card) << "Cannot create parameter builder"; -- return nullptr; -- } -- -- if (OSSL_PARAM* params = nullptr; -- pFunc(bld) && (params = OSSL_PARAM_BLD_to_param(bld)) != nullptr) -- { -- static auto deleter = [](OSSL_PARAM* pParam) -- { -- OSSL_PARAM_free(pParam); -- }; -- -- return QSharedPointer(params, deleter); -- } -- -- qCCritical(card) << "Cannot create parameter"; -- return nullptr; --} -- -- --QSharedPointer EcUtil::generateKey(const QSharedPointer& pCurve) --{ -- if (pCurve.isNull()) -- { -- qCCritical(card) << "Curve is undefined"; -- return nullptr; -- } -- -- auto generator = EcUtil::point2oct(pCurve, EC_GROUP_get0_generator(pCurve.data())); -- -- auto order = EcUtil::create(BN_new()); -- if (!EC_GROUP_get_order(pCurve.data(), order.data(), nullptr)) -- { -- qCCritical(card) << "Cannot fetch order"; -- return nullptr; -- } -- -- auto cofactor = EcUtil::create(BN_new()); -- if (!EC_GROUP_get_cofactor(pCurve.data(), cofactor.data(), nullptr)) -- { -- qCCritical(card) << "Cannot fetch cofactor"; -- return nullptr; -- } -- -- auto p = EcUtil::create(BN_new()); -- auto a = EcUtil::create(BN_new()); -- auto b = EcUtil::create(BN_new()); -- if (!EC_GROUP_get_curve(pCurve.data(), p.data(), a.data(), b.data(), nullptr)) -- { -- qCCritical(card) << "Cannot fetch a, b or p"; -- return nullptr; -- } -- -- const auto& params = EcUtil::create([&p, &a, &b, &order, &cofactor, &generator](OSSL_PARAM_BLD* pBuilder){ -- return OSSL_PARAM_BLD_push_BN(pBuilder, "p", p.data()) -- && OSSL_PARAM_BLD_push_BN(pBuilder, "a", a.data()) -- && OSSL_PARAM_BLD_push_BN(pBuilder, "b", b.data()) -- && OSSL_PARAM_BLD_push_BN(pBuilder, "order", order.data()) -- && OSSL_PARAM_BLD_push_BN(pBuilder, "cofactor", cofactor.data()) -- && OSSL_PARAM_BLD_push_octet_string(pBuilder, "generator", generator.data(), static_cast(generator.size())) -- && OSSL_PARAM_BLD_push_utf8_string(pBuilder, "field-type", "prime-field", 12); -- }); -- -- if (params == nullptr) -- { -- qCCritical(card) << "Cannot set parameter"; -- return nullptr; -- } -- -- auto ctx = EcUtil::create(EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr)); -- if (!ctx) -- { -- qCCritical(card) << "Cannot create EVP_PKEY_CTX"; -- return nullptr; -- } -- EVP_PKEY_keygen_init(ctx.data()); -- -- if (!EVP_PKEY_CTX_set_params(ctx.data(), params.data())) -- { -- qCCritical(card) << "Cannot set params to EVP_PKEY_CTX"; -- return nullptr; -- } -- -- EVP_PKEY* key = nullptr; -- if (!EVP_PKEY_generate(ctx.data(), &key)) -- { -- qCCritical(card) << "Cannot create EVP_PKEY"; -- return nullptr; -- } -- -- return EcUtil::create(key); --} -- -- --#else - QSharedPointer EcUtil::generateKey(const QSharedPointer& pCurve) - { - if (pCurve.isNull()) -@@ -242,6 +111,3 @@ QSharedPointer EcUtil::generateK - - return key; - } -- -- --#endif -diff -up AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.h.legacyapi AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.h ---- AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.h.legacyapi 2023-11-08 16:55:33.000000000 +0100 -+++ AusweisApp-2.0.1/src/card/base/pace/ec/EcUtil.h 2024-01-05 22:15:17.157430740 +0100 -@@ -30,9 +30,7 @@ class EcUtil - - static QSharedPointer create(EC_GROUP* pEcGroup); - --#if OPENSSL_VERSION_NUMBER < 0x30000000L - static QSharedPointer create(EC_KEY* pEcKey); --#endif - - static QSharedPointer create(EC_POINT* pEcPoint); - -@@ -42,14 +40,7 @@ class EcUtil - - static QSharedPointer create(EVP_PKEY_CTX* pEcGroup); - --#if OPENSSL_VERSION_NUMBER >= 0x30000000L -- static QByteArray getEncodedPublicKey(const QSharedPointer& pKey); -- static QSharedPointer getPrivateKey(const QSharedPointer& pKey); -- static QSharedPointer create(const std::function& pFunc); -- static QSharedPointer generateKey(const QSharedPointer& pCurve); --#else - static QSharedPointer generateKey(const QSharedPointer& pCurve); --#endif - - static QSharedPointer createCurve(int pNid); - }; -@@ -66,7 +57,6 @@ inline QSharedPointer EcUtil:: - } - - --#if OPENSSL_VERSION_NUMBER < 0x30000000L - inline QSharedPointer EcUtil::create(EC_KEY* pEcKey) - { - static auto deleter = [](EC_KEY* ecKey) -@@ -78,8 +68,6 @@ inline QSharedPointer EcUtil::cr - } - - --#endif -- - inline QSharedPointer EcUtil::create(EC_POINT* pEcPoint) - { - static auto deleter = [](EC_POINT* ecPoint) diff --git a/AusweisApp2.spec b/AusweisApp2.spec index 691d9a0..cd964a5 100644 --- a/AusweisApp2.spec +++ b/AusweisApp2.spec @@ -24,10 +24,6 @@ fi \ %global build_fflags %(echo '%{build_fflags}' | sed -e 's!-ffat-lto-objects!-fno-fat-lto-objects!g') %global build_fcflags %(echo '%{build_fflags}' | sed -e 's!-ffat-lto-objects!-fno-fat-lto-objects!g') -# Build and package Doxygen documentation? -%bcond_without doxy - -# Do we build with Qt6? %if 0%{?fedora} || 0%{?rhel} >= 9 %global qt6_build 1 %else @@ -41,11 +37,11 @@ fi \ %global newname AusweisApp Name: AusweisApp2 -Version: 2.0.3 +Version: 2.4.0 Release: %autorelease Summary: %{pkg_sum} -License: EUPL 1.2 +License: EUPL-1.2 URL: https://www.ausweisapp.bund.de/en # Url to releases on github. @@ -64,7 +60,10 @@ Source1000: gen_openssl_cnf.py # Downstream. Patch01000: %{name}-1.24.1-use_Qt_TranslationsPath.patch -Patch01001: %{name}-2.0.1-use-legacy-openssl-api.patch +# Needed because Fedora's openssl does not support elliptic curves using custom parameters. +# Request to enable them was denied: https://bugzilla.redhat.com/show_bug.cgi?id=2259403 +# It is currently not clear if the legacy API works by accident or by design. It does work as of March 2025. +Patch01001: 0001-Use-legacy-OpenSSL-API.patch BuildRequires: cmake BuildRequires: crypto-policies @@ -159,10 +158,6 @@ used by %{name}. Summary: User and API documentation for %{name} BuildArch: noarch -%if %{with doxy} -BuildRequires: doxygen -BuildRequires: graphviz -%endif BuildRequires: hardlink BuildRequires: python3-sphinx BuildRequires: python3-sphinx_rtd_theme @@ -170,11 +165,6 @@ BuildRequires: python3-sphinx_rtd_theme # Do not raise conflicts about shared license files. Requires: (%{name} = %{version}-%{release} if %{name}) -# The doc-api package is faded, since we can ship the -# Doxygen documentation noarch'ed as well now. -Obsoletes: %{name}-doc-api < 1.20.1-2 -Provides: %{name}-doc-api = %{version}-%{release} - %description doc This package contains the user and API documentation for %{name}. @@ -229,16 +219,10 @@ EOF %if (0%{?fedora} || 0%{?rhel} > 8) # Documentation. -%cmake_build --target installation_integration notes sdk -%if %{with doxy} -%cmake_build --target doxy -%endif +%cmake_build --target installation_integration_de installation_integration_en notes sdk %else # Documentation. -%ninja_build -C %{_vpath_builddir} installation_integration notes sdk -%if %{with doxy} -%ninja_build -C %{_vpath_builddir} doxy -%endif +%ninja_build -C %{_vpath_builddir} installation_integration_de installation_integration_en notes sdk %endif @@ -263,13 +247,10 @@ rm -fr %{buildroot}%{_datadir}/%{newname}/translations %endif # Excessive docs. -mkdir -p %{buildroot}%{_pkgdocdir}/{installation_integration,notes,sdk} +mkdir -p %{buildroot}%{_pkgdocdir}/{installation_integration_{de,en},notes,sdk} install -pm 0644 README.rst %{buildroot}%{_pkgdocdir} -%if %{with doxy} -mkdir -p %{buildroot}%{_pkgdocdir}/doxy -cp -a %{_vpath_builddir}/doc/html/* %{buildroot}%{_pkgdocdir}/doxy -%endif -cp -a %{_vpath_builddir}/docs/installation_integration/html/* %{buildroot}%{_pkgdocdir}/installation_integration +cp -a %{_vpath_builddir}/docs/installation_integration_de/html/* %{buildroot}%{_pkgdocdir}/installation_integration_de +cp -a %{_vpath_builddir}/docs/installation_integration_en/html/* %{buildroot}%{_pkgdocdir}/installation_integration_en cp -a %{_vpath_builddir}/docs/notes/html/* %{buildroot}%{_pkgdocdir}/notes cp -a %{_vpath_builddir}/docs/sdk/html/* %{buildroot}%{_pkgdocdir}/sdk find %{buildroot}%{_pkgdocdir} -type d -print0 | xargs -0 chmod -c 0755 diff --git a/gen_openssl_cnf.py b/gen_openssl_cnf.py index 340e8c4..25e7e5c 100644 --- a/gen_openssl_cnf.py +++ b/gen_openssl_cnf.py @@ -76,10 +76,14 @@ class _Const(object): @constant def KEYSIZE_SECTIONS(): return [ - 'minStaticKeySizes', - 'minEphemeralKeySizes', + 'minKeySizes', + 'sizesIfd', ] + @constant + def KEYSIZE_MIN_SECTION(): + return 'min' + @constant def TLS_VERSIONS(): return { @@ -101,9 +105,15 @@ def get_min_ssl_sec_level(json_data): if option in json_data[section]: if min_keysize > json_data[section][option]: min_keysize = json_data[section][option] + elif option in json_data[section][CONST.KEYSIZE_MIN_SECTION]: + if min_keysize > json_data[section][CONST.KEYSIZE_MIN_SECTION][option]: + min_keysize = json_data[section][CONST.KEYSIZE_MIN_SECTION][option] if CONST.KEYSIZE_EC_OPTION in json_data[section]: if min_ecsize > json_data[section][CONST.KEYSIZE_EC_OPTION]: min_ecsize = json_data[section][CONST.KEYSIZE_EC_OPTION] + elif CONST.KEYSIZE_EC_OPTION in json_data[section][CONST.KEYSIZE_MIN_SECTION]: + if min_ecsize > json_data[section][CONST.KEYSIZE_MIN_SECTION][CONST.KEYSIZE_EC_OPTION]: + min_ecsize = json_data[section][CONST.KEYSIZE_MIN_SECTION][CONST.KEYSIZE_EC_OPTION] if min_keysize >= 1000 and min_ecsize >= 160: sec_level = 1 diff --git a/sources b/sources index 28492ab..7862543 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ -SHA512 (AusweisApp-2.0.3.tar.gz) = 4843c1cc0e510a350ef99e5c3810a1ed526832894d269b3791ff55341ad781186396275168d7c82d1abaf06cfb825ae626dad0a9bde2baec4db4e72103252053 -SHA512 (AusweisApp-2.0.3.tar.gz.asc) = 6efb1afff620f557c8b17e698c273086ea9189fd8689ada6ea2aaa0f3c8a41f4871472e9f35a626e63668e787f056fb15964b0f860808a923413ead3ece76f4c -SHA512 (AusweisApp-2.0.3.tar.gz.sha256) = 5b349772a7bc456ff3912d2f9d885840ddb104bd4d45e77cf4b4e0d63650de3865a0fb6ade88983142f21b28165c366c2ca313e37979082c2d9b12559c20f828 +SHA512 (AusweisApp-2.4.0.tar.gz) = 6e0d89b30176f7722bebab01322363ee38ff43573167061d4a97d840b669f3e579ad9fb62345b97b75490690fd5e03f25994eaa1a77334171fcdd28d39ec3e4a +SHA512 (AusweisApp-2.4.0.tar.gz.asc) = ac8ffdb68d5847978bf639a8f32462053bddcace5d9c3d6cb16e788bb2dbe98ae3b7cafe089246fa786fa4b3e048b81b608cbe77e948a843b2dcd774796d2a56 +SHA512 (AusweisApp-2.4.0.tar.gz.sha256) = 257634437251fc22b3d85386a282ee4ce68d2f0db1112a912a54db9a6741ecb79b4180c490486d9ff8519246e62165b5953ed5739e9de0e180bb46decfeff16a SHA512 (AusweisApp2-pubring.gpg) = 3aae27b673f4eb2f7d3bda6c839b3d11829a730bde546e92abb889abb1c2453e786dc906154074485406692f5b9abbb3e1fb293e6b397696b6371016723621cd