Compare commits


3 commits

Author SHA1 Message Date
Björn Esser
3ea24cba59
Prefer install over cp for single files 2020-09-08 18:04:40 +02:00
Björn Esser
5fd135c735
Add pre-built user documentation to the doc package 2020-08-25 11:40:04 +02:00
Björn Esser
5ddec83cbf
Initial import (#1851205) 2020-08-25 09:26:46 +02:00
14 changed files with 338 additions and 1139 deletions

37
.gitignore vendored

@ -1,37 +1,2 @@
/AusweisApp2-*.tar.gz
/AusweisApp2-pubring.gpg
/AusweisApp-2.0.1.tar.gz
/AusweisApp-pubring.gpg
/AusweisApp-2.0.2.tar.gz
/AusweisApp-2.0.2.tar.gz.asc
/AusweisApp-2.0.2.tar.gz.sha256
/AusweisApp-2.0.3.tar.gz
/AusweisApp-2.0.3.tar.gz.asc
/AusweisApp-2.0.3.tar.gz.sha256
/AusweisApp-2.1.0.tar.gz
/AusweisApp-2.1.0.tar.gz.asc
/AusweisApp-2.1.0.tar.gz.sha256
/AusweisApp-2.1.1.tar.gz
/AusweisApp-2.1.1.tar.gz.asc
/AusweisApp-2.1.1.tar.gz.sha256
/AusweisApp-2.2.0.tar.gz
/AusweisApp-2.2.0.tar.gz.asc
/AusweisApp-2.2.0.tar.gz.sha256
/AusweisApp-2.2.1.tar.gz
/AusweisApp-2.2.1.tar.gz.asc
/AusweisApp-2.2.1.tar.gz.sha256
/AusweisApp-2.2.2.tar.gz
/AusweisApp-2.2.2.tar.gz.asc
/AusweisApp-2.2.2.tar.gz.sha256
/AusweisApp-2.3.0.tar.gz
/AusweisApp-2.3.0.tar.gz.asc
/AusweisApp-2.3.0.tar.gz.sha256
/AusweisApp-2.3.1.tar.gz
/AusweisApp-2.3.1.tar.gz.asc
/AusweisApp-2.3.1.tar.gz.sha256
/AusweisApp-2.3.2.tar.gz
/AusweisApp-2.3.2.tar.gz.asc
/AusweisApp-2.3.2.tar.gz.sha256
/AusweisApp-2.4.0.tar.gz
/AusweisApp-2.4.0.tar.gz.asc
/AusweisApp-2.4.0.tar.gz.sha256
/AusweisApp2-*.tar.xz


@ -1,471 +0,0 @@
From f5d48a49ea7055b7d4edf5f1398557b475419fb9 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 30 Oct 2025 13:51:15 +0100
Subject: [PATCH] Use legacy OpenSSL API
---
src/card/base/asn1/EcdsaPublicKey.cpp | 39 -----
src/card/base/asn1/EcdsaPublicKey.h | 6 +-
src/card/base/pace/ec/EcUtil.cpp | 145 -------------------
src/card/base/pace/ec/EcUtil.h | 12 --
src/card/base/pace/ec/EcdhGenericMapping.cpp | 5 -
src/card/base/pace/ec/EcdhGenericMapping.h | 4 -
src/card/simulator/SimulatorCard.cpp | 37 -----
src/card/simulator/SimulatorCard.h | 4 -
src/card/simulator/SimulatorFileSystem.cpp | 9 --
src/card/simulator/SimulatorFileSystem.h | 4 -
10 files changed, 1 insertion(+), 264 deletions(-)
diff --git a/src/card/base/asn1/EcdsaPublicKey.cpp b/src/card/base/asn1/EcdsaPublicKey.cpp
index 7f54045..dc7e26b 100644
--- a/src/card/base/asn1/EcdsaPublicKey.cpp
+++ b/src/card/base/asn1/EcdsaPublicKey.cpp
@@ -182,7 +182,6 @@ QByteArray EcdsaPublicKey::getUncompressedPublicPoint() const
}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
QSharedPointer<EC_GROUP> EcdsaPublicKey::createGroup(const CurveData& pData) const
{
QSharedPointer<EC_GROUP> group = EcUtil::create(EC_GROUP_new_curve_GFp(pData.p.data(), pData.a.data(), pData.b.data(), nullptr));
@@ -209,8 +208,6 @@ QSharedPointer<EC_GROUP> EcdsaPublicKey::createGroup(const CurveData& pData) con
}
-#endif
-
QSharedPointer<EVP_PKEY> EcdsaPublicKey::createKey(const QByteArray& pPublicPoint) const
{
return createKey(reinterpret_cast<const uchar*>(pPublicPoint.constData()), static_cast<int>(pPublicPoint.size()));
@@ -239,7 +236,6 @@ QSharedPointer<EVP_PKEY> EcdsaPublicKey::createKey(const uchar* pPublicPoint, in
return nullptr;
}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
const auto& group = createGroup(curveData);
if (group.isNull())
{
@@ -275,39 +271,4 @@ QSharedPointer<EVP_PKEY> EcdsaPublicKey::createKey(const uchar* pPublicPoint, in
return key;
-#else
- const auto& params = EcUtil::create([&curveData, pPublicPoint, pPublicPointLength, this](OSSL_PARAM_BLD* pBuilder){
- return OSSL_PARAM_BLD_push_BN(pBuilder, "p", curveData.p.data())
- && OSSL_PARAM_BLD_push_BN(pBuilder, "a", curveData.a.data())
- && OSSL_PARAM_BLD_push_BN(pBuilder, "b", curveData.b.data())
- && OSSL_PARAM_BLD_push_BN(pBuilder, "order", curveData.order.data())
- && OSSL_PARAM_BLD_push_BN(pBuilder, "cofactor", curveData.cofactor.data())
- && OSSL_PARAM_BLD_push_octet_string(pBuilder, "pub", pPublicPoint, static_cast<size_t>(pPublicPointLength))
- && OSSL_PARAM_BLD_push_octet_string(pBuilder, "generator", mBasePoint->data, static_cast<size_t>(mBasePoint->length))
- && OSSL_PARAM_BLD_push_utf8_string(pBuilder, "field-type", "prime-field", 12);
- });
-
- if (params == nullptr)
- {
- qCCritical(card) << "Cannot set parameter";
- return nullptr;
- }
-
- auto ctx = EcUtil::create(EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr));
- if (!EVP_PKEY_fromdata_init(ctx.data()))
- {
- qCCritical(card) << "Cannot init pkey";
- return nullptr;
- }
-
- EVP_PKEY* key = nullptr;
- if (!EVP_PKEY_fromdata(ctx.data(), &key, EVP_PKEY_PUBLIC_KEY, params.data()))
- {
- qCCritical(card) << "Cannot fetch data for pkey";
- return nullptr;
- }
-
- return EcUtil::create(key);
-
-#endif
}
diff --git a/src/card/base/asn1/EcdsaPublicKey.h b/src/card/base/asn1/EcdsaPublicKey.h
index 860bc74..c85e48b 100644
--- a/src/card/base/asn1/EcdsaPublicKey.h
+++ b/src/card/base/asn1/EcdsaPublicKey.h
@@ -13,9 +13,7 @@
#include <openssl/asn1t.h>
#include <openssl/evp.h>
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
- #include <openssl/ec.h>
-#endif
+#include <openssl/ec.h>
namespace governikus
@@ -105,9 +103,7 @@ using EcdsaPublicKey = struct ecdsapublickey_st
[[nodiscard]] CurveData createCurveData() const;
[[nodiscard]] QSharedPointer<EVP_PKEY> createKey(const uchar* pPublicPoint, int pPublicPointLength) const;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
[[nodiscard]] QSharedPointer<EC_GROUP> createGroup(const CurveData& pData) const;
-#endif
public:
static int decodeCallback(int pOperation, ASN1_VALUE** pVal, const ASN1_ITEM* pIt, void* pExarg);
diff --git a/src/card/base/pace/ec/EcUtil.cpp b/src/card/base/pace/ec/EcUtil.cpp
index 069ad81..546438f 100644
--- a/src/card/base/pace/ec/EcUtil.cpp
+++ b/src/card/base/pace/ec/EcUtil.cpp
@@ -103,148 +103,6 @@ QSharedPointer<EC_POINT> EcUtil::oct2point(const QSharedPointer<const EC_GROUP>&
}
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-QByteArray EcUtil::getEncodedPublicKey(const QSharedPointer<EVP_PKEY>& pKey, bool pCompressed)
-{
- if (pKey.isNull())
- {
- qCCritical(card) << "Cannot use undefined key";
- return nullptr;
- }
-
- uchar* key = nullptr;
- const size_t length = EVP_PKEY_get1_encoded_public_key(pKey.data(), &key);
- const auto guard = qScopeGuard([key] {
- OPENSSL_free(key);
- });
-
- if (length == 0)
- {
- return QByteArray();
- }
-
- const QByteArray uncompressed(reinterpret_cast<char*>(key), static_cast<int>(length));
- return pCompressed ? EcUtil::compressPoint(uncompressed) : uncompressed;
-}
-
-
-QSharedPointer<BIGNUM> EcUtil::getPrivateKey(const QSharedPointer<const EVP_PKEY>& pKey)
-{
- BIGNUM* privKey = nullptr;
- EVP_PKEY_get_bn_param(pKey.data(), "priv", &privKey);
- return EcUtil::create(privKey);
-}
-
-
-QSharedPointer<OSSL_PARAM> EcUtil::create(const std::function<bool(OSSL_PARAM_BLD* pBuilder)>& pFunc)
-{
- OSSL_PARAM_BLD* bld = OSSL_PARAM_BLD_new();
- const auto guard = qScopeGuard([bld] {
- OSSL_PARAM_BLD_free(bld);
- });
-
- if (bld == nullptr)
- {
- qCCritical(card) << "Cannot create parameter builder";
- return nullptr;
- }
-
- if (!pFunc(bld))
- {
- qCCritical(card) << "Cannot initialize parameter builder";
- return nullptr;
- }
-
- if (OSSL_PARAM* params = OSSL_PARAM_BLD_to_param(bld); params != nullptr)
- {
- static auto deleter = [](OSSL_PARAM* pParam)
- {
- OSSL_PARAM_free(pParam);
- };
-
- return QSharedPointer<OSSL_PARAM>(params, deleter);
- }
-
- qCCritical(card) << "Cannot create parameter";
- return nullptr;
-}
-
-
-QSharedPointer<EVP_PKEY> EcUtil::generateKey(const QSharedPointer<const EC_GROUP>& pCurve)
-{
- if (pCurve.isNull())
- {
- qCCritical(card) << "Curve is undefined";
- return nullptr;
- }
-
- auto generator = EcUtil::point2oct(pCurve, EC_GROUP_get0_generator(pCurve.data()));
-
- auto order = EcUtil::create(BN_new());
- if (!EC_GROUP_get_order(pCurve.data(), order.data(), nullptr))
- {
- qCCritical(card) << "Cannot fetch order";
- return nullptr;
- }
-
- auto cofactor = EcUtil::create(BN_new());
- if (!EC_GROUP_get_cofactor(pCurve.data(), cofactor.data(), nullptr))
- {
- qCCritical(card) << "Cannot fetch cofactor";
- return nullptr;
- }
-
- auto p = EcUtil::create(BN_new());
- auto a = EcUtil::create(BN_new());
- auto b = EcUtil::create(BN_new());
- if (!EC_GROUP_get_curve(pCurve.data(), p.data(), a.data(), b.data(), nullptr))
- {
- qCCritical(card) << "Cannot fetch a, b or p";
- return nullptr;
- }
-
- const auto& params = EcUtil::create([&p, &a, &b, &order, &cofactor, &generator](OSSL_PARAM_BLD* pBuilder){
- return OSSL_PARAM_BLD_push_BN(pBuilder, "p", p.data())
- && OSSL_PARAM_BLD_push_BN(pBuilder, "a", a.data())
- && OSSL_PARAM_BLD_push_BN(pBuilder, "b", b.data())
- && OSSL_PARAM_BLD_push_BN(pBuilder, "order", order.data())
- && OSSL_PARAM_BLD_push_BN(pBuilder, "cofactor", cofactor.data())
- && OSSL_PARAM_BLD_push_octet_string(pBuilder, "generator", generator.data(), static_cast<size_t>(generator.size()))
- && OSSL_PARAM_BLD_push_utf8_string(pBuilder, "field-type", "prime-field", 12);
- });
-
- if (params == nullptr)
- {
- qCCritical(card) << "Cannot set parameter";
- return nullptr;
- }
-
- auto ctx = EcUtil::create(EVP_PKEY_CTX_new_from_name(nullptr, "EC", nullptr));
- if (!ctx)
- {
- qCCritical(card) << "Cannot create EVP_PKEY_CTX";
- return nullptr;
- }
- EVP_PKEY_keygen_init(ctx.data());
-
- if (!EVP_PKEY_CTX_set_params(ctx.data(), params.data()))
- {
- qCCritical(card) << "Cannot set params to EVP_PKEY_CTX";
- return nullptr;
- }
-
- EVP_PKEY* key = nullptr;
- if (!EVP_PKEY_generate(ctx.data(), &key))
- {
- qCCritical(card) << "Cannot create EVP_PKEY";
- return nullptr;
- }
-
- return EcUtil::create(key);
-}
-
-
-#else
QByteArray EcUtil::getEncodedPublicKey(const QSharedPointer<EC_KEY>& pKey, bool pCompressed)
{
if (pKey.isNull())
@@ -293,6 +151,3 @@ QSharedPointer<EC_KEY> EcUtil::generateKey(const QSharedPointer<const EC_GROUP>&
return key;
}
-
-
-#endif
diff --git a/src/card/base/pace/ec/EcUtil.h b/src/card/base/pace/ec/EcUtil.h
index 63eb16c..914c268 100644
--- a/src/card/base/pace/ec/EcUtil.h
+++ b/src/card/base/pace/ec/EcUtil.h
@@ -26,24 +26,15 @@ class EcUtil
static QSharedPointer<EC_POINT> oct2point(const QSharedPointer<const EC_GROUP>& pCurve, const QByteArray& pCompressedData);
static QSharedPointer<EC_GROUP> create(EC_GROUP* pEcGroup);
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
static QSharedPointer<EC_KEY> create(EC_KEY* pEcKey);
-#endif
static QSharedPointer<EC_POINT> create(EC_POINT* pEcPoint);
static QSharedPointer<BIGNUM> create(BIGNUM* pBigNum);
static QSharedPointer<EVP_PKEY> create(EVP_PKEY* pEcGroup);
static QSharedPointer<EVP_PKEY_CTX> create(EVP_PKEY_CTX* pEcGroup);
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- static QByteArray getEncodedPublicKey(const QSharedPointer<EVP_PKEY>& pKey, bool pCompressed = false);
- static QSharedPointer<BIGNUM> getPrivateKey(const QSharedPointer<const EVP_PKEY>& pKey);
- static QSharedPointer<OSSL_PARAM> create(const std::function<bool(OSSL_PARAM_BLD* pBuilder)>& pFunc);
- static QSharedPointer<EVP_PKEY> generateKey(const QSharedPointer<const EC_GROUP>& pCurve);
-#else
static QByteArray getEncodedPublicKey(const QSharedPointer<EC_KEY>& pKey, bool pCompressed = false);
static QSharedPointer<BIGNUM> getPrivateKey(const QSharedPointer<const EC_KEY>& pKey);
static QSharedPointer<EC_KEY> generateKey(const QSharedPointer<const EC_GROUP>& pCurve);
-#endif
static QSharedPointer<EC_GROUP> createCurve(int pNid);
};
@@ -60,7 +51,6 @@ inline QSharedPointer<EC_GROUP> EcUtil::create(EC_GROUP* pEcGroup)
}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
inline QSharedPointer<EC_KEY> EcUtil::create(EC_KEY* pEcKey)
{
static auto deleter = [](EC_KEY* ecKey)
@@ -72,8 +62,6 @@ inline QSharedPointer<EC_KEY> EcUtil::create(EC_KEY* pEcKey)
}
-#endif
-
inline QSharedPointer<EC_POINT> EcUtil::create(EC_POINT* pEcPoint)
{
static auto deleter = [](EC_POINT* ecPoint)
diff --git a/src/card/base/pace/ec/EcdhGenericMapping.cpp b/src/card/base/pace/ec/EcdhGenericMapping.cpp
index 04cee51..571c7a0 100644
--- a/src/card/base/pace/ec/EcdhGenericMapping.cpp
+++ b/src/card/base/pace/ec/EcdhGenericMapping.cpp
@@ -49,12 +49,7 @@ bool EcdhGenericMapping::generateEphemeralDomainParameters(const QByteArray& pRe
return false;
}
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- const QSharedPointer<const EC_POINT> localPubKeyPtr = EcUtil::oct2point(mCurve, EcUtil::getEncodedPublicKey(mLocalKey));
- const EC_POINT* localPubKey = localPubKeyPtr.data();
-#else
const EC_POINT* localPubKey = EC_KEY_get0_public_key(mLocalKey.data());
-#endif
if (!EC_POINT_cmp(mCurve.data(), localPubKey, remotePubKey.data(), nullptr))
{
qCCritical(card) << "The exchanged public keys are equal.";
diff --git a/src/card/base/pace/ec/EcdhGenericMapping.h b/src/card/base/pace/ec/EcdhGenericMapping.h
index e9c9768..188befb 100644
--- a/src/card/base/pace/ec/EcdhGenericMapping.h
+++ b/src/card/base/pace/ec/EcdhGenericMapping.h
@@ -22,11 +22,7 @@ class EcdhGenericMapping
private:
const QSharedPointer<EC_GROUP> mCurve;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- QSharedPointer<EVP_PKEY> mLocalKey;
-#else
QSharedPointer<EC_KEY> mLocalKey;
-#endif
QSharedPointer<EC_POINT> createNewGenerator(const QSharedPointer<const EC_POINT>& pRemotePubKey, const QSharedPointer<const BIGNUM>& pS);
diff --git a/src/card/simulator/SimulatorCard.cpp b/src/card/simulator/SimulatorCard.cpp
index 3c4e218..a39fb54 100644
--- a/src/card/simulator/SimulatorCard.cpp
+++ b/src/card/simulator/SimulatorCard.cpp
@@ -661,42 +661,6 @@ QByteArray SimulatorCard::ecMultiplication(const QByteArray& pPoint) const
return QByteArray();
}
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- const auto& terminalKey = EcUtil::create(EVP_PKEY_new());
- if (terminalKey.isNull() || EVP_PKEY_copy_parameters(terminalKey.data(), mCardKey.data()) == 0)
- {
- qCCritical(card_simulator) << "Initialization of the terminal key failed";
- return QByteArray();
- }
- if (!EVP_PKEY_set1_encoded_public_key(
- terminalKey.data(),
- reinterpret_cast<const unsigned char*>(pPoint.data()),
- static_cast<size_t>(pPoint.length())))
- {
- qCCritical(card_simulator) << "Interpreting the terminal key failed";
- return QByteArray();
- }
-
- const auto& ctx = EcUtil::create(EVP_PKEY_CTX_new_from_pkey(nullptr, mCardKey.data(), nullptr));
- size_t resultLen = 0;
- if (EVP_PKEY_derive_init(ctx.data()) <= 0
- || EVP_PKEY_derive_set_peer(ctx.data(), terminalKey.data()) <= 0
- || EVP_PKEY_derive(ctx.data(), nullptr, &resultLen) <= 0)
- {
- qCCritical(card_simulator) << "Initialization or calculation of the result failed";
- return QByteArray();
- }
-
- QByteArray result(static_cast<qsizetype>(resultLen), '\0');
- if (EVP_PKEY_derive(ctx.data(), reinterpret_cast<uchar*>(result.data()), &resultLen) <= 0)
- {
- qCCritical(card_simulator) << "Calculation of the result failed";
- return QByteArray();
- }
-
- return result;
-
-#else
const auto& curve = EcUtil::create(EC_GROUP_dup(EC_KEY_get0_group(mCardKey.data())));
auto point = EcUtil::oct2point(curve, pPoint);
if (!point)
@@ -715,7 +679,6 @@ QByteArray SimulatorCard::ecMultiplication(const QByteArray& pPoint) const
return EcUtil::point2oct(curve, result.data(), true);
-#endif
}
diff --git a/src/card/simulator/SimulatorCard.h b/src/card/simulator/SimulatorCard.h
index fc9db00..7a881cb 100644
--- a/src/card/simulator/SimulatorCard.h
+++ b/src/card/simulator/SimulatorCard.h
@@ -39,11 +39,7 @@ class SimulatorCard
int mPaceKeyId;
QByteArray mPaceNonce;
QByteArray mPaceTerminalKey;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- QSharedPointer<EVP_PKEY> mCardKey;
-#else
QSharedPointer<EC_KEY> mCardKey;
-#endif
QSharedPointer<const CVCertificate> mTaCertificate;
QByteArray mTaSigningData;
QByteArray mTaAuxData;
diff --git a/src/card/simulator/SimulatorFileSystem.cpp b/src/card/simulator/SimulatorFileSystem.cpp
index 5c01caa..4cbe60c 100644
--- a/src/card/simulator/SimulatorFileSystem.cpp
+++ b/src/card/simulator/SimulatorFileSystem.cpp
@@ -347,11 +347,7 @@ QByteArray SimulatorFileSystem::getPassword(PacePasswordId pPasswordId) const
}
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
-QSharedPointer<EVP_PKEY> SimulatorFileSystem::getKey(int pKeyId) const
-#else
QSharedPointer<EC_KEY> SimulatorFileSystem::getKey(int pKeyId) const
-#endif
{
if (!mKeys.contains(pKeyId))
{
@@ -367,13 +363,8 @@ QSharedPointer<EC_KEY> SimulatorFileSystem::getKey(int pKeyId) const
return nullptr;
}
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- return privateKey;
-
-#else
return EcUtil::create(EVP_PKEY_get1_EC_KEY(privateKey.data()));
-#endif
}
diff --git a/src/card/simulator/SimulatorFileSystem.h b/src/card/simulator/SimulatorFileSystem.h
index 7d8458f..57065db 100644
--- a/src/card/simulator/SimulatorFileSystem.h
+++ b/src/card/simulator/SimulatorFileSystem.h
@@ -43,11 +43,7 @@ class SimulatorFileSystem
[[nodiscard]] QByteArray getEfCardAccess() const;
[[nodiscard]] QByteArray getPassword(PacePasswordId pPasswordId) const;
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
- [[nodiscard]] QSharedPointer<EVP_PKEY> getKey(int pKeyId) const;
-#else
[[nodiscard]] QSharedPointer<EC_KEY> getKey(int pKeyId) const;
-#endif
[[nodiscard]] QSharedPointer<const CVCertificate> getTrustPoint() const;
void setTrustPoint(const QSharedPointer<const CVCertificate>& pTrustPoint);
--
2.51.0


@ -0,0 +1,10 @@
Index: AusweisApp2-1.14.3/resources/CMakeLists.txt
===================================================================
--- AusweisApp2-1.14.3.orig/resources/CMakeLists.txt
+++ AusweisApp2-1.14.3/resources/CMakeLists.txt
@@ -27,4 +27,4 @@ ENDIF()
SET(RCC ${CMAKE_BINARY_DIR}/src/${PROJECT_NAME}.rcc)
SET(RCC ${RCC} PARENT_SCOPE)
qt5_add_binary_resources(AusweisAppRcc "${QRC_FILES}" DESTINATION ${RCC})
-SET(QML_IMPORT_PATH ${CMAKE_CURRENT_SOURCE_DIR}/qml ${CMAKE_CURRENT_SOURCE_DIR}/qml_stationary CACHE string "qml files" FORCE)
+SET(QML_IMPORT_PATH ${CMAKE_CURRENT_SOURCE_DIR}/qml ${CMAKE_CURRENT_SOURCE_DIR}/qml_stationary CACHE STRING "qml files" FORCE)


@ -0,0 +1,13 @@
Index: AusweisApp2-1.14.3/src/config.h.in
===================================================================
--- AusweisApp2-1.14.3.orig/src/config.h.in
+++ AusweisApp2-1.14.3/src/config.h.in
@@ -21,7 +21,7 @@
return (*pFirst && *pSecond) ? ((*pFirst == *pSecond || isComparableSep(*pFirst, *pSecond)) && isEqual(pFirst + 1, pSecond + 1)) : (!*pFirst && !*pSecond);
}
- static_assert(isEqual("@CMAKE_CURRENT_SOURCE_DIR@/main.cpp", __BASE_FILE__), "config.h include is allowed in main.cpp only! Provided: " __BASE_FILE__);
+ static_assert(isEqual("../src/main.cpp", __BASE_FILE__), "config.h include is allowed in main.cpp only! Provided: " __BASE_FILE__);
#endif
/* DO NOT INCLUDE THIS
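Review bot: The replacement literal `"../src/main.cpp"` in the `static_assert` appears to match only when the compiler is given the source path relative to a build directory one level below the source root; any other layout, or a generator that passes absolute paths, would fail the build with the "config.h include is allowed in main.cpp only" message. Because the comparison exists to keep `config.h` out of every other translation unit, the assumption should be recorded next to it, for example `// Path is relative to the build directory used by the package build.`. The helper `isEqual` and the enclosing `#if` block start outside the hunk.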


@ -0,0 +1,13 @@
Index: AusweisApp2-1.14.3/resources/packaging/linux/AusweisApp2.desktop.in
===================================================================
--- AusweisApp2-1.14.3.orig/resources/packaging/linux/AusweisApp2.desktop.in
+++ AusweisApp2-1.14.3/resources/packaging/linux/AusweisApp2.desktop.in
@@ -5,6 +5,7 @@ Exec=@CMAKE_INSTALL_PREFIX@/bin/AusweisA
Icon=AusweisApp2
StartupNotify=true
Terminal=false
-Categories=Network;Utility
+Categories=Network;Utility;
+GenericName=Authentication App
Keywords=nPA,eID,eAT,Personalausweis,Aufenthaltstitel,Identity,Card
Name=AusweisApp2


@ -0,0 +1,52 @@
Index: AusweisApp2-1.14.3/src/widget/GeneralSettingsWidget.ui
===================================================================
--- AusweisApp2-1.14.3.orig/src/widget/GeneralSettingsWidget.ui
+++ AusweisApp2-1.14.3/src/widget/GeneralSettingsWidget.ui
@@ -32,7 +32,7 @@
<item row="0" column="0">
<widget class="QLabel" name="updateLabel">
<property name="enabled">
- <bool>true</bool>
+ <bool>false</bool>
</property>
<property name="focusPolicy">
<enum>Qt::TabFocus</enum>
@@ -45,7 +45,7 @@
<item row="0" column="1">
<widget class="QCheckBox" name="regularlyUpdateCheckBox">
<property name="enabled">
- <bool>true</bool>
+ <bool>false</bool>
</property>
<property name="accessibleName">
<string>check software update on program start</string>
@@ -54,14 +54,14 @@
<string>check on program start</string>
</property>
<property name="checked">
- <bool>true</bool>
+ <bool>false</bool>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QPushButton" name="updateCheckButton">
<property name="enabled">
- <bool>true</bool>
+ <bool>false</bool>
</property>
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
Index: AusweisApp2-1.14.3/src/settings/GeneralSettings.cpp
===================================================================
--- AusweisApp2-1.14.3.orig/src/settings/GeneralSettings.cpp
+++ AusweisApp2-1.14.3/src/settings/GeneralSettings.cpp
@@ -266,7 +266,7 @@ void GeneralSettings::setLanguage(const
bool GeneralSettings::isAutoUpdateCheck() const
{
- return mStoreCommon->value(SETTINGS_NAME_AUTO(), true).toBool();
+ return mStoreCommon->value(SETTINGS_NAME_AUTO(), false).toBool();
}
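Review bot: In `GeneralSettings::isAutoUpdateCheck()` only the fallback passed to `value()` changes from `true` to `false`, so a profile that already stores the auto-update key as true would presumably still return true, while the disabled widgets in `GeneralSettingsWidget.ui` prevent the user from switching it off. If the intent is that a packaged build never contacts the upstream update service, a constant is firmer: `return false; // updates are delivered by the system package manager`. Whether another settings view, the setter or the manual update action can still start a check is not visible in this patch and should be confirmed. The rest of `GeneralSettings.cpp` lies outside the hunk.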


@ -0,0 +1,42 @@
From 7da59790e72ed2073a58f612772aa3fd18022f87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= <besser82@fedoraproject.org>
Date: Fri, 21 Aug 2020 12:42:43 +0200
Subject: [PATCH] Doxyfile: Exclude binary, CMake, libs, and test directories.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
These directories do not contain any useful source files
for the documentation of the internal API of AusweisApp2,
and thus should not be included in its API documentation
generated by Doxygen.
Additionally this comes in handy for distributing the API
documentation architecture independent, when the name of
the binary directory contains the name of the system's
architecture the build is targeted to.
Also explicitly set the 'FULL_PATH_NAMES' parameter to 'YES',
as this is needed for properly stripping and/or excluding
the paths during generation of the documentation files.
Signed-off-by: Björn Esser <besser82@fedoraproject.org>
---
Doxyfile.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Doxyfile.in b/Doxyfile.in
index 7c4633f..2242bff 100644
--- a/Doxyfile.in
+++ b/Doxyfile.in
@@ -11,7 +11,10 @@ OPTIMIZE_OUTPUT_C = YES
QT_AUTOBRIEF = YES
BUILTIN_STL_SUPPORT = YES
GENERATE_TREEVIEW = YES
+FULL_PATH_NAMES = YES
STRIP_FROM_PATH = @PROJECT_SOURCE_DIR@
+EXCLUDE_PATTERNS = @PROJECT_BINARY_DIR@/* \
+ */CMake* */libs/* */test/*
SEARCHENGINE = YES
COLS_IN_ALPHA_INDEX = 10


@ -0,0 +1,59 @@
From 1d510c6152efe43195bc14f56f472eec0ad0af6f Mon Sep 17 00:00:00 2001
From: tuxmaster5000 <837503+tuxmaster5000@users.noreply.github.com>
Date: Sun, 10 Mar 2019 14:49:42 +0100
Subject: [PATCH 1/2] - Load translation from Qt path on Linux(relase build) -
Load config.json from /usr/share/AusweisApp2 on Linux(relase build) Both are
needed, to package the app as an rpm package.
---
src/global/FileDestination.h | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
Index: AusweisApp2-1.14.3/src/global/FileDestination.h
===================================================================
--- AusweisApp2-1.14.3.orig/src/global/FileDestination.h
+++ AusweisApp2-1.14.3/src/global/FileDestination.h
@@ -8,6 +8,7 @@
#include <QCoreApplication>
#include <QStringBuilder>
+#include <QLibraryInfo>
namespace governikus
{
@@ -24,6 +25,9 @@ class FileDestination
#ifdef Q_OS_ANDROID
return QStringLiteral("assets:");
+ #elif defined(Q_OS_LINUX)
+ return QStringLiteral("/usr/share/AusweisApp2");
+
#else
return QCoreApplication::applicationDirPath();
@@ -34,13 +38,23 @@ class FileDestination
public:
static QString getPath(const QString& pFilename)
{
- return getPath() % QLatin1Char('/') % pFilename;
+ #if defined(Q_OS_LINUX)
+ if (pFilename.compare(QStringLiteral("translations")) == 0)
+ return QLibraryInfo::location(QLibraryInfo::TranslationsPath);
+ else
+ #endif
+ return getPath() % QLatin1Char('/') % pFilename;
}
static QString getPath(const char* pFilename)
{
- return getPath() % QLatin1Char('/') % QString::fromUtf8(pFilename);
+ #if defined(Q_OS_LINUX)
+ if (strcmp(pFilename, "translations") == 0)
+ return QLibraryInfo::location(QLibraryInfo::TranslationsPath);
+ else
+ #endif
+ return getPath() % QLatin1Char('/') % QString::fromUtf8(pFilename);
}
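Review bot: The `const char*` overload of `getPath` now calls `strcmp(pFilename, "translations")`, which is undefined for a null pointer, and the hunk adds no `<cstring>` include, so `strcmp` is declared only if another header happens to pull it in. Forwarding to the `QString` overload removes both problems and the duplicated branch: `return getPath(QString::fromUtf8(pFilename));`. The unbraced `if … else` that straddles `#endif` is easy to break on a later edit and would be safer with braces inside the `#if` block. The literal `/usr/share/AusweisApp2` also ignores the configured install prefix, so a comment stating that it must match the package's data directory would help; the class continues outside the hunk.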


@ -1,41 +0,0 @@
From 056e560ed6432e99a297d1c1d2c89c89621bd825 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 6 Mar 2025 01:00:00 +0100
Subject: [PATCH] AusweisApp2-1.24.1-use_Qt_TranslationsPath.patch
---
src/global/FileDestination.h | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/global/FileDestination.h b/src/global/FileDestination.h
index 2fd5826..781e9b9 100644
--- a/src/global/FileDestination.h
+++ b/src/global/FileDestination.h
@@ -7,8 +7,10 @@
#include <QCoreApplication>
#include <QDebug>
#include <QFile>
+#include <QLibraryInfo>
#include <QStandardPaths>
#include <QStringBuilder>
+#include <QtGlobal>
namespace governikus
@@ -51,6 +53,13 @@ class FileDestination
QStandardPaths::StandardLocation pStandard = QStandardPaths::AppDataLocation)
{
#if (defined(Q_OS_LINUX) && !defined(Q_OS_ANDROID)) || (defined(Q_OS_BSD4) && !defined(Q_OS_MACOS) && !defined(Q_OS_IOS))
+#if (QT_VERSION < QT_VERSION_CHECK(6, 0, 0))
+ if (pFilename.compare(QStringLiteral("translations")) == 0)
+ {
+ return QLibraryInfo::location(QLibraryInfo::TranslationsPath);
+ }
+#endif
+
if (const auto& match = QStandardPaths::locate(pStandard, pFilename, pOption); !match.isNull())
{
return match;
--
2.48.1

24
AusweisApp2.metainfo.xml Normal file

@ -0,0 +1,24 @@
<?xml version="1.0" encoding="utf-8"?>
<component type="desktop-application">
<id>AusweisApp2_CE</id>
<metadata_license>CC-BY-SA-3.0</metadata_license>
<project_license>EUPL-1.2</project_license>
<developer_name>Governikus GmbH &amp; Co. KG</developer_name>
<name>AusweisApp2</name>
<summary>Official authentication app for German ID card and residence permit</summary>
<description>
<p>The AusweisApp2 is a software, that you can install on your Computer/Smartphone/Tablet, to identify yourself online with your ID card or your electronic residence permit.
The App is availible for the most used operating systems and works in all common browsers.</p>
<p>The AusweisApp2 offers you an intigrated self-assessment where you are able to view your data that is stored on the online ID.</p>
<p>In the app you will also find an overview with the available services, a running overview and you can manage your PIN there.</p>
<p>This app is on behalf of the Federal Office for Information Security.</p>
</description>
<categories>
<category>Utility</category>
</categories>
<url type="homepage">https://www.ausweisapp.bund.de/</url>
<launchable type="desktop-id">AusweisApp2.desktop</launchable>
<provides>
<binary>AusweisApp2</binary>
</provides>
</component>
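Review bot: The `<description>` carries two misspellings that end up in software-centre listings: `availible` should read `available` and `intigrated` should read `integrated`. The sentence `This app is on behalf of the Federal Office for Information Security.` is also missing a verb, for example `This app is provided on behalf of the Federal Office for Information Security.`. Separately, `<id>AusweisApp2_CE</id>` is not in the reverse-DNS form that AppStream recommends for component ids, which is worth checking against the validator used in the build.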


@ -2,91 +2,64 @@
# %%define with lazy expansion is used here intentionally, because
# this needs to be expanded inside of a higher level macro that
# gets expanded itself.
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
fipshmac %{buildroot}%{_bindir}/%{newname} \\\
%{buildroot}%{_libexecdir}/%{newname} \\\
%{buildroot}%{_datadir}/%{newname}/openssl.cnf \
c="%{buildroot}%{_datadir}/%{newname}/config.json" \
if [[ -f ${c} ]]; then \
fipshmac ${c} \
fi \
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
bindir="%{buildroot}%{_bindir}" \
fipsdir="%{buildroot}%{_libdir}/fipscheck" \
mkdir -p "$fipsdir" \
fipshmac -d "$fipsdir" "$bindir/%{name}" \
%{nil}
# Always do out-of-source builds with CMake.
%{?__cmake_in_source_build:%undefine __cmake_in_source_build}
# Build and package Doxygen documentation?
%bcond_without doxy
# Do not build non-lto objects to reduce build time significantly.
%global build_cflags %(echo '%{build_cflags}' | sed -e 's!-ffat-lto-objects!-fno-fat-lto-objects!g')
%global build_cxxflags %(echo '%{build_cxxflags}' | sed -e 's!-ffat-lto-objects!-fno-fat-lto-objects!g')
%global build_fflags %(echo '%{build_fflags}' | sed -e 's!-ffat-lto-objects!-fno-fat-lto-objects!g')
%global build_fcflags %(echo '%{build_fflags}' | sed -e 's!-ffat-lto-objects!-fno-fat-lto-objects!g')
# Enable full binary hardening by default.
%global _hardened_build 1
%if 0%{?fedora} || 0%{?rhel} >= 9
%global qt6_build 1
%else
%global qt6_build 0
%endif
# Init forge packaging helpers.
%global forgeurl https://github.com/Governikus/%{name}
# Package summary. Gets overwritten by subpackages otherwise.
%global pkg_sum Online identification with German ID card (Personalausweis)
# Upstream renamed to AusweisApp with 2.0 release
%global newname AusweisApp
Name: AusweisApp2
Version: 2.4.0
Release: %autorelease
Version: 1.14.3
Release: 2%{?dist}
Summary: %{pkg_sum}
License: EUPL-1.2
License: EUPL 1.2
URL: https://www.ausweisapp.bund.de/en
# Url to releases on github.
%global rel_url https://github.com/Governikus/%{name}/releases/download/%{version}
# Generate gpg-keyring:
# gpg2 --keyserver keyserver.ubuntu.com --recv-keys 699BF3055B0A49224EFDE7C72D7479A531451088
# gpg2 --export --export-options export-minimal 699BF3055B0A49224EFDE7C72D7479A531451088 > %%{name}-pubring.gpg
Source0000: %{rel_url}/%{newname}-%{version}.tar.gz
Source0001: %{rel_url}/%{newname}-%{version}.tar.gz.asc
Source0002: %{name}-pubring.gpg
Source0003: %{rel_url}/%{newname}-%{version}.tar.gz.sha256
Source0000: %{forgeurl}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source0001: %{name}-%{version}-notes_html.tar.xz
Source0002: %{name}-%{version}-sdk_html.tar.xz
Source0003: %{name}.metainfo.xml
Source0004: https://joinup.ec.europa.eu/sites/default/files/custom-page/attachment/2020-03/EUPL-1.2%%20EN.txt#/EUPL-12_EN.txt
Source1000: gen_openssl_cnf.py
# Upstreamed.
Patch00001: %{forgeurl}/pull/28.patch#/%{name}-1.14.3-doxygen_exclude_build_dir.patch
# Downstream.
Patch01000: %{name}-1.24.1-use_Qt_TranslationsPath.patch
# Needed because Fedora's openssl does not support elliptic curves using custom parameters.
# Request to enable them was denied: https://bugzilla.redhat.com/show_bug.cgi?id=2259403
# It is currently not clear if the legacy API works by accident or by design. It does work as of March 2025.
Patch01001: 0001-Use-legacy-OpenSSL-API.patch
Patch01000: %{name}-1.14.3-CMake_warning.patch
Patch01001: %{name}-1.14.3-config_h_fix_static_assert_base_file.patch
Patch01002: %{name}-1.14.3-use_datadir.patch
Patch01003: %{name}-1.14.3-disable_online_update.patch
Patch01004: %{name}-1.14.3-desktop_file.patch
BuildRequires: cmake
BuildRequires: crypto-policies
BuildRequires: cmake3
BuildRequires: desktop-file-utils
BuildRequires: gcc-c++
BuildRequires: gnupg2
BuildRequires: devtoolset-9
BuildRequires: fipscheck
BuildRequires: help2man
BuildRequires: http-parser-devel
BuildRequires: java-openjdk-headless
BuildRequires: libappstream-glib
BuildRequires: libudev-devel
BuildRequires: libxkbcommon-devel
BuildRequires: ninja-build
BuildRequires: openssl-devel
BuildRequires: pcsc-lite-devel
BuildRequires: python3-devel
%if 0%{?qt6_build}
BuildRequires: qt6-qtbase-devel
BuildRequires: qt6-qtbase-private-devel
BuildRequires: qt6-qtscxml-devel
BuildRequires: qt6-qtshadertools-devel
BuildRequires: qt6-qtsvg-devel
BuildRequires: qt6-qttools-devel
BuildRequires: qt6-qtwebsockets-devel
%else
BuildRequires: qt5-linguist
BuildRequires: qt5-qtbase-devel
BuildRequires: qt5-qtconnectivity-devel
@ -94,43 +67,15 @@ BuildRequires: qt5-qtdeclarative-devel
BuildRequires: qt5-qtquickcontrols2-devel
BuildRequires: qt5-qtsvg-devel
BuildRequires: qt5-qtwebsockets-devel
%endif
BuildRequires: %{_bindir}/sha256sum
BuildRequires: %{_bindir}/fipshmac
# Lowercase package name.
%global lc_name %{lua:print(string.lower(rpm.expand("%{name}")))}
# Make sure this package automatically replaces the security hazard
# built in some COPR.
Obsoletes: %{name} < 1.20.1
Obsoletes: %{lc_name} < 1.20.1
# Provide the lowercase name for convenience as well.
Provides: %{lc_name} = %{version}-%{release}
Provides: %{lc_name}%{?_isa} = %{version}-%{release}
Provides: %{lc_name} = %{version}-%{release}
Provides: %{lc_name}%{?_isa} = %{version}-%{release}
# Do not raise conflicts about shared license files.
Requires: %{name}-data = %{version}-%{release}
Requires: (%{name}-doc = %{version}-%{release} if %{name}-doc)
%if !0%{?qt6_build}
# RHBZ#1885310
# Needed for the GUI to show up on startup.
Requires: qt5-qtquickcontrols2%{?_isa}
%endif
# Brainpool ECC
Requires: openssl-libs%{?_isa} >= 3.0.8-2
# Needed for running fipscheck on application startup.
# Requires: fipscheck
%if 0%{?qt6_build}
# Needed for GUI elements to be rendered
Requires: qt6-qtimageformats%{?_isa}
Requires: qt6-qtsvg%{?_isa}
%endif
Requires: %{name}-data = %{version}-%{release}
%description
The AusweisApp2 is a software to identify yourself online
@ -146,7 +91,7 @@ online ID.
Summary: Architecture-independent files used by %{name}
BuildArch: noarch
Requires: %{name} = %{version}-%{release}
Requires: %{name} = %{version}-%{release}
Requires: hicolor-icon-theme
%description data
@ -155,152 +100,144 @@ used by %{name}.
%package doc
Summary: User and API documentation for %{name}
Summary: User and API-documentation for %{name}
BuildArch: noarch
%if %{with doxy}
BuildRequires: doxygen
BuildRequires: graphviz
%endif
BuildRequires: hardlink
BuildRequires: python3-sphinx
BuildRequires: python3-sphinx_rtd_theme
# Do not raise conflicts about shared license files.
Requires: (%{name} = %{version}-%{release} if %{name})
Requires: %{name} = %{version}-%{release}
%description doc
This package contains the user and API documentation for %{name}.
This package contains the User and API-documentation for %{name}.
%prep
# Verify tarball integrity.
%{gpgverify} \
--keyring='%{SOURCE2}' \
--signature='%{SOURCE1}' \
--data='%{SOURCE0}'
pushd %{_sourcedir}
sha256sum -c %{SOURCE3}
popd
%autosetup -p 1 -n %{newname}-%{version}
%autosetup -p 1
install -pm 0644 %{SOURCE4} LICENSE.en.txt
# Generate application specific OpenSSL configuration.
# See the comments in the resulting file for further information.
%{__python3} %{SOURCE1000} resources/config.json.in \
> fedora_%{name}_openssl.cnf
# Create the shell wrapper.
cat << EOF > fedora_%{name}_wrapper.sh
#!/bin/sh
# /usr/bin/fipscheck \\
# %{_bindir}/%{newname} \\
# %{_libexecdir}/%{newname} \\
# %{_datadir}/%{newname}/config.json \\
# %{_datadir}/%{newname}/openssl.cnf \\
# || exit \$?;
OPENSSL_CONF=%{_datadir}/%{newname}/openssl.cnf \\
%{_libexecdir}/%{newname} "\$@";
EOF
%build
# We need GCC >= 4.9 for building.
source /opt/rh/devtoolset-9/enable
# The project does not ship any libraries that are meant to be
# consumed externally. Thus we disable shared libs explicitly.
# See: https://github.com/Governikus/AusweisApp2/pull/24
# and: https://github.com/Governikus/AusweisApp2/pull/26
%cmake \
-DBUILD_SHARED_LIBS:BOOL=OFF \
-DBUILD_TESTING:BOOL=OFF \
-DCMAKE_BUILD_TYPE:STRING=Release \
-DINTEGRATED_SDK:BOOL=OFF \
-DPYTHON_EXECUTABLE:STRING=%{__python3} \
-DSELFPACKER:BOOL=OFF \
-DUSE_SMARTEID:BOOL=ON \
-G Ninja
%cmake_build
%cmake3 \
-DBUILD_SHARED_LIBS:BOOL=OFF \
-DBUILD_TESTING:BOOL=OFF \
-DCMAKE_BUILD_TYPE:STRING=Release \
-DFORCE_LEGACY_OPENSSL:BOOL=ON \
-DSELFPACKER:BOOL=OFF \
-G Ninja \
-S . -B %{_vpath_builddir}
%ninja_build -C %{_vpath_builddir}
%if (0%{?fedora} || 0%{?rhel} > 8)
# Documentation.
%cmake_build --target installation_integration_de installation_integration_en notes sdk
%else
# Documentation.
%ninja_build -C %{_vpath_builddir} installation_integration_de installation_integration_en notes sdk
%if %{with doxy}
%ninja_build -C %{_vpath_builddir} doxy
%endif
%install
%cmake_install
%ninja_install -C %{_vpath_builddir}
# Relocate the application binary so we can call it through
# a shell wrapper and move installed files to proper locations.
mkdir -p %{buildroot}{%{_libexecdir},%{_qt5_translationdir}}
mv %{buildroot}%{_bindir}/%{newname} %{buildroot}%{_libexecdir}/%{newname}
# Move installed files to proper locations.
mkdir -p %{buildroot}%{_datadir}/%{name} %{buildroot}%{_qt5_translationdir}
mv %{buildroot}%{_bindir}/%{name}.rcc %{buildroot}%{_bindir}/config.json \
%{buildroot}%{_bindir}/qtlogging.ini %{buildroot}%{_datadir}/%{name}
mv %{buildroot}%{_prefix}/translations/* %{buildroot}%{_qt5_translationdir}
rm -fr %{buildroot}%{_prefix}/translations
# Install the shell wrapper and custom OpenSSL configuration.
install -pm 0755 fedora_%{name}_wrapper.sh %{buildroot}%{_bindir}/%{newname}
install -pm 0644 fedora_%{name}_openssl.cnf \
%{buildroot}%{_datadir}/%{newname}/openssl.cnf
# Install the icon-theme file.
mkdir -p %{buildroot}%{_datadir}/icons/hicolor/scalable/apps
install -pm 0644 resources/images/npa.svg \
%{buildroot}%{_datadir}/icons/hicolor/scalable/apps/%{name}.svg
# Move translation in proper location.
%if !(0%{?qt6_build})
mv %{buildroot}%{_datadir}/%{newname}/translations/* \
%{buildroot}%{_qt5_translationdir}
rm -fr %{buildroot}%{_datadir}/%{newname}/translations
%endif
# Install the metainfo.xml file.
mkdir -p %{buildroot}%{_metainfodir}
install -pm 0644 %{SOURCE3} %{buildroot}%{_metainfodir}
# Generate man-page.
mkdir -p %{buildroot}%{_mandir}/man1
help2man \
--no-discard-stderr --no-info \
--manual="%{name}" --name="%{pkg_sum}" --section=1 \
--help-option="--platform offscreen --help" \
--version-option="--platform offscreen --version" \
--output=%{buildroot}%{_mandir}/man1/%{name}.1 \
%{buildroot}%{_bindir}/%{name}
# Excessive docs.
mkdir -p %{buildroot}%{_pkgdocdir}/{installation_integration_{de,en},notes,sdk}
mkdir -p %{buildroot}%{_pkgdocdir}/notes \
%{buildroot}%{_pkgdocdir}/sdk
install -pm 0644 README.rst %{buildroot}%{_pkgdocdir}
cp -a %{_vpath_builddir}/docs/installation_integration_de/html/* %{buildroot}%{_pkgdocdir}/installation_integration_de
cp -a %{_vpath_builddir}/docs/installation_integration_en/html/* %{buildroot}%{_pkgdocdir}/installation_integration_en
cp -a %{_vpath_builddir}/docs/notes/html/* %{buildroot}%{_pkgdocdir}/notes
cp -a %{_vpath_builddir}/docs/sdk/html/* %{buildroot}%{_pkgdocdir}/sdk
%if %{with doxy}
mkdir -p %{buildroot}%{_pkgdocdir}/doxy
cp -a %{_vpath_builddir}/doc/html/* %{buildroot}%{_pkgdocdir}/doxy
%endif
tar xf %{SOURCE1} -C %{buildroot}%{_pkgdocdir}/notes
tar xf %{SOURCE2} -C %{buildroot}%{_pkgdocdir}/sdk
find %{buildroot}%{_pkgdocdir} -type d -print0 | xargs -0 chmod -c 0755
find %{buildroot}%{_pkgdocdir} -type f -print0 | xargs -0 chmod -c 0644
find %{buildroot}%{_pkgdocdir} -type f -name '.*' -delete -print
hardlink -cfv %{buildroot}%{_pkgdocdir}
# Find installed icons.
find %{buildroot}%{_datadir}/icons/hicolor -type f -print | \
sed -e 's!^%{buildroot}!!g' > %{lc_name}.icons
# Find translation files.
%if !(0%{?qt6_build})
%find_lang %{lc_name} --with-qt
%endif
%check
%ctest
appstream-util validate-relax --nonet %{buildroot}%{_metainfodir}/*.metainfo.xml
desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop
%post data
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
%postun data
if [ $1 -eq 0 ]; then
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
/usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
fi
%posttrans data
/usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%files
%dir %{_libdir}/fipscheck
%dir %{_pkgdocdir}
%doc %{_pkgdocdir}/README.rst
%license AUTHORS
%license LICENSE.en.txt
%license LICENSE.txt
%{_bindir}/.%{newname}.hmac
%{_bindir}/%{newname}
%{_datadir}/applications/com.governikus.%{lc_name}.desktop
%{_libexecdir}/.%{newname}.hmac
%{_libexecdir}/%{newname}
%{_mandir}/man1/%{newname}.1*
%{_metainfodir}/com.governikus.%{lc_name}.metainfo.xml
%{_bindir}/%{name}
%{_datadir}/applications/%{name}.desktop
%{_libdir}/fipscheck/%{name}.hmac
%{_mandir}/man1/%{name}.1*
%{_metainfodir}/%{name}.metainfo.xml
%if 0%{?qt6_build}
%files data -f %{lc_name}.icons
%else
%files data -f %{lc_name}.icons -f %{lc_name}.lang
%endif
%{_datadir}/%{newname}
%files data -f %{lc_name}.lang
%{_datadir}/%{name}
%{_datadir}/icons/hicolor/scalable/apps/%{name}.svg
%files doc
%doc %{_pkgdocdir}
%license %{_licensedir}/%{name}*
%changelog
%autochangelog
* Tue Aug 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.14.3-2
- Add pre-built user documentation to the doc package
* Thu Aug 20 2020 Björn Esser <besser82@fedoraproject.org> - 1.14.3-1
- Initial import (#1851205)

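--- a/changelog
+++ b/changelog
@@ -1,175 +0,0 @@
-* Thu Dec 28 2023 Julian Sikorski <belegdol@fedoraproject.org> - 2.0.1-1
-- Update to 2.0.1
-- Fix up config.json.in section names
-* Wed Nov 29 2023 Jan Grulich <jgrulich@redhat.com> - 1.26.7-4
-- Rebuild (qt6)
-* Fri Oct 13 2023 Jan Grulich <jgrulich@redhat.com> - 1.26.7-3
-- Rebuild (qt6)
-* Thu Oct 05 2023 Jan Grulich <jgrulich@redhat.com> - 1.26.7-2
-- Rebuild (qt6)
-* Fri Jul 28 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.7-1
-- New upstream release
-Fixes rhbz#2227358
-* Fri Jul 28 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.6-1
-- New upstream release
-Fixes rhbz#2227095
-* Wed Jul 26 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.5-1
-- New upstream release
-Fixes rhbz#2226708
-* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.26.4-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-* Fri Jul 14 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.4-4
-- Rebuild(Qt_6.5)
-Fixes rhbz#2222625
-* Sun Jun 04 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.4-3
-- Rebuild(Qt_6.5)
-* Sun May 07 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.4-2
-- Rebuild(Qt_6.5)
-* Mon May 01 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.4-1
-- New upstream release
-* Thu Mar 23 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.3-1
-- New upstream release
-- Enable use of Brainpool ECC
-* Sat Jan 28 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.2-2
-- Drop Qt6 version lock, as this is already ensured by symbol versioning
-* Sun Jan 22 2023 Björn Esser <besser82@fedoraproject.org> - 1.26.2-1
-- New upstream release
-* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.24.4-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-* Sun Nov 27 2022 Björn Esser <besser82@fedoraproject.org> - 1.24.4-2
-- Rebuild(qt6)
-* Sun Nov 06 2022 Björn Esser <besser82@fedoraproject.org> - 1.24.4-1
-- New upstream release
-* Fri Sep 02 2022 Björn Esser <besser82@fedoraproject.org> - 1.24.1-1
-- New upstream release
-* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-* Wed Jan 26 2022 Björn Esser <besser82@fedoraproject.org> - 1.22.3-1
-- New upstream release
-- Explicitly BR '/usr/bin/fipshmac' instead of fipscheck package
-* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.22.2-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 1.22.2-4
-- Rebuilt with OpenSSL 3.0.0
-* Tue Aug 31 2021 Björn Esser <besser82@fedoraproject.org> - 1.22.2-3
-- Drop forge-macros and perform tarbal verification during %%prep
-* Tue Aug 31 2021 Björn Esser <besser82@fedoraproject.org> - 1.22.2-2
-- Add a patch to disable use of Brainpool Elliptic Curves
-* Sun Aug 22 2021 Björn Esser <besser82@fedoraproject.org> - 1.22.2-1
-- New upstream release
-- Disable enforcing of FIPS mode for OpenSSL
-* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.2-12
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-* Mon Jan 25 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.20.2-11
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-* Sun Nov 15 08:50:35 CET 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-10
-- Add runtime dependency on qt5-qtquickcontrols2
-* Sat Oct 3 12:51:03 CEST 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-9
-- Disable fipscheck in shell wrapper as it does not work in Fedora 33+
-* Sat Sep 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-8
-- Make shell wrapper exit with the exit code of fipscheck on failure
-* Sat Sep 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-7
-- Calculate fipshmac for config files and shell wrapper
-- Run fipscheck in shell wrapper before application starts
-* Fri Sep 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-6
-- Use a python script to generate a tailored OpenSSL configuration
-* Thu Sep 24 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-5
-- Some small spec file optimizations
-* Thu Sep 24 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-4
-- Use a more elaborate application specific OpenSSL configuration
-This also re-enables SHA384 hashes in ciphers
-* Wed Sep 23 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-3
-- Do not enable SHA384 ciphers in custom OpenSSL configuration
-* Wed Sep 23 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-2
-- Use application specific OpenSSL config through a shell wrapper
-* Mon Sep 07 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.2-1
-- New upstream release
-* Mon Aug 24 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-3
-- Add a patch to load translations from Qt5 TranslationsPath
-- Move translation files to proper location
-- Drop invokation of ctest, as we cannot run the testsuite
-from a release build
-- Replace patch adding English license with the actual license file
-* Fri Aug 21 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-2
-- Add a patch to exclude the build directory in the Doxyfile
-- Merge doc-api package with the doc package, since the Doxygen
-API documentation can be shipped noarch'ed as well now
-* Wed Aug 19 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-1
-- Initial import (#1851205)
-* Fri Jul 17 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.11
-- Use %%cmake_{build,install} macros on newer distributions
-* Sat Jul 04 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.10
-- Add license text in English language
-* Fri Jun 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.9
-- Also obsolete package with %%{name} previous to this package version
-* Fri Jun 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.8
-- Ensure archful packages always require equal architecture
-* Fri Jun 26 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.7
-- Make sure permissions of the documentation files are correct
-- Remove hidden files in documentation
-- Drop 'LICENSE.officially.txt', as it only applies to binary copies,
-which are distributed on behalf of the federal government of Germany
-* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.6
-- Use '--help-all' option when generating man-page
-- Split build of Doxygen API docs from building user docs
-* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.5
-- Add generated man-page
-* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.4
-- Use a macro for lowercase package name
-* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.3
-- Use ninja-build instead of GNU Make to speed up the build a bit
-* Thu Jun 25 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.2
-- Adaptions for building on EPEL
-* Wed Jun 24 2020 Björn Esser <besser82@fedoraproject.org> - 1.20.1-0.1
-- Initial spec file for review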


@ -1,228 +0,0 @@
# -*- coding: utf-8 -*-
#
# Generate OpenSSL configuration file for AusweisApp2 from settings found
# in the application's 'config.json' file.
#
# Copyright (c) 2020 Björn Esser <besser82@fedoraproject.org>
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
import json, sys
def constant(f):
def fset(self, value):
raise TypeError
def fget(self):
return f()
return property(fget, fset)
class _Const(object):
@constant
def CONF_OPTIONS():
return [
'ciphers',
'ellipticCurves',
'signatureAlgorithms',
]
@constant
def CONF_SECTIONS():
return [
'tlsSettings',
'tlsSettingsPsk',
'tlsSettingsRemoteIfd',
'tlsSettingsRemoteIfdPairing',
'tlsSettingsLocalIfd',
]
@constant
def DEFAULT_CIPHERS_TLS13():
return [
'TLS_AES_256_GCM_SHA384',
'TLS_AES_128_GCM_SHA256',
]
@constant
def KEYSIZE_EC_OPTION():
return 'Ec'
@constant
def KEYSIZE_OPTIONS():
return [
'Rsa',
'Dsa',
'Dh',
]
@constant
def KEYSIZE_SECTIONS():
return [
'minKeySizes',
'sizesIfd',
]
@constant
def KEYSIZE_MIN_SECTION():
return 'min'
@constant
def TLS_VERSIONS():
return {
'TlsV1_2': (2, 'TLSv1.2'),
'TlsV1_3': (3, 'TLSv1.3'),
}
CONST = _Const()
def get_min_ssl_sec_level(json_data):
sec_level = 0
min_keysize = sys.maxsize
min_ecsize = sys.maxsize
for section in CONST.KEYSIZE_SECTIONS:
if section in json_data:
for option in CONST.KEYSIZE_OPTIONS:
if option in json_data[section]:
if min_keysize > json_data[section][option]:
min_keysize = json_data[section][option]
elif option in json_data[section][CONST.KEYSIZE_MIN_SECTION]:
if min_keysize > json_data[section][CONST.KEYSIZE_MIN_SECTION][option]:
min_keysize = json_data[section][CONST.KEYSIZE_MIN_SECTION][option]
if CONST.KEYSIZE_EC_OPTION in json_data[section]:
if min_ecsize > json_data[section][CONST.KEYSIZE_EC_OPTION]:
min_ecsize = json_data[section][CONST.KEYSIZE_EC_OPTION]
elif CONST.KEYSIZE_EC_OPTION in json_data[section][CONST.KEYSIZE_MIN_SECTION]:
if min_ecsize > json_data[section][CONST.KEYSIZE_MIN_SECTION][CONST.KEYSIZE_EC_OPTION]:
min_ecsize = json_data[section][CONST.KEYSIZE_MIN_SECTION][CONST.KEYSIZE_EC_OPTION]
if min_keysize >= 1000 and min_ecsize >= 160:
sec_level = 1
if min_keysize >= 2000 and min_ecsize >= 224:
sec_level = 2
if min_keysize >= 3000 and min_ecsize >= 256:
sec_level = 3
if min_keysize >= 7000 and min_ecsize >= 384:
sec_level = 4
if min_keysize >= 15000 and min_ecsize >= 512:
sec_level = 5
return sec_level
def get_proto_ver(json_data):
conf_dict = {
'minProtocolVersion': list(CONST.TLS_VERSIONS.keys())[-1],
'maxProtocolVersion': list(CONST.TLS_VERSIONS.keys())[0],
}
for section in CONST.CONF_SECTIONS:
if section in json_data:
if 'protocolVersion' in json_data[section]:
have = conf_dict['minProtocolVersion']
want = json_data[section]['protocolVersion']
if CONST.TLS_VERSIONS[want][0] < CONST.TLS_VERSIONS[have][0]:
conf_dict['minProtocolVersion'] = want
have = conf_dict['maxProtocolVersion']
if CONST.TLS_VERSIONS[want][0] > CONST.TLS_VERSIONS[have][0]:
conf_dict['maxProtocolVersion'] = want
return conf_dict
def get_ssl_cipher_config(json_data):
conf_dict = dict.fromkeys(CONST.CONF_OPTIONS)
for option in CONST.CONF_OPTIONS:
conf_dict[option] = list()
for section in CONST.CONF_SECTIONS:
if section in json_data:
for option in CONST.CONF_OPTIONS:
if option in json_data[section]:
for value in json_data[section][option]:
if option == 'ciphers' and value.startswith('TLS_'):
if not 'ciphers_tls13' in conf_dict:
conf_dict['ciphers_tls13'] = list()
if not value in conf_dict['ciphers_tls13']:
conf_dict['ciphers_tls13'].append(value)
else:
if not value in conf_dict[option]:
conf_dict[option].append(value)
return conf_dict
def print_config_file(conf_dict, sec_level):
max_tls_proto = CONST.TLS_VERSIONS[conf_dict['maxProtocolVersion']][0]
prelude = (
'# This application specific OpenSSL configuration enables all cipher',
'# algorithms, elliptic curves, and signature algorithms, which are',
'# needed for AusweisApp2 to provide full functionality to the end-user.',
'# The order of the algorithms in the list is of no importance, as the',
'# application chooses the algorithm used for a connection from a preset',
'# list, that is ordered in descending preference. This configuration',
'# also limits the minimum and maximum cryptographic protocol versions',
'# to a range needed by AusweisApp2.',
'# The settings used to generate this file have been taken from the',
'# \'config.json\' file, which can be found in the same directory as this',
'# configuration file.',
'',
'openssl_conf = AusweisApp2_conf',
'',
'[AusweisApp2_conf]',
'ssl_conf = AusweisApp2_OpenSSL',
'',
'[AusweisApp2_OpenSSL]',
'alg_section = AusweisApp2_evp',
'system_default = AusweisApp2_ciphers',
'',
'[AusweisApp2_evp]',
'fips_mode = no',
'',
'[AusweisApp2_ciphers]',
)
print('%s' % '\n'.join(prelude))
print('MinProtocol = %s' % (CONST.TLS_VERSIONS[conf_dict['minProtocolVersion']][1]))
print('MaxProtocol = %s' % (CONST.TLS_VERSIONS[conf_dict['maxProtocolVersion']][1]))
if max_tls_proto >= CONST.TLS_VERSIONS['TlsV1_3'][0]:
if 'ciphers_tls13' in conf_dict:
print('Cipherlist = %s' % (':'.join(conf_dict['ciphers_tls13'])))
else:
print('Cipherlist = %s' % (':'.join(CONST.DEFAULT_CIPHERS_TLS13)))
print('CipherString = @SECLEVEL=%d:%s' % (sec_level, ':'.join(conf_dict['ciphers'])))
print('Curves = %s' % (':'.join(conf_dict['ellipticCurves'])))
print('SignatureAlgorithms = %s' % (':'.join(conf_dict['signatureAlgorithms'])))
def main():
if not len(sys.argv) == 2:
sys.exit('Usage: %s <path_to_config.json>' % sys.argv[0])
with open(sys.argv[1], 'r') as conf_file:
conf = json.load(conf_file)
ssl_conf = get_proto_ver(conf)
ssl_conf.update(get_ssl_cipher_config(conf))
print_config_file(ssl_conf, get_min_ssl_sec_level(conf))
if __name__ == '__main__':
main()


@ -1,4 +1,3 @@
SHA512 (AusweisApp-2.4.0.tar.gz) = 6e0d89b30176f7722bebab01322363ee38ff43573167061d4a97d840b669f3e579ad9fb62345b97b75490690fd5e03f25994eaa1a77334171fcdd28d39ec3e4a
SHA512 (AusweisApp-2.4.0.tar.gz.asc) = ac8ffdb68d5847978bf639a8f32462053bddcace5d9c3d6cb16e788bb2dbe98ae3b7cafe089246fa786fa4b3e048b81b608cbe77e948a843b2dcd774796d2a56
SHA512 (AusweisApp-2.4.0.tar.gz.sha256) = 257634437251fc22b3d85386a282ee4ce68d2f0db1112a912a54db9a6741ecb79b4180c490486d9ff8519246e62165b5953ed5739e9de0e180bb46decfeff16a
SHA512 (AusweisApp2-pubring.gpg) = 3aae27b673f4eb2f7d3bda6c839b3d11829a730bde546e92abb889abb1c2453e786dc906154074485406692f5b9abbb3e1fb293e6b397696b6371016723621cd
SHA512 (AusweisApp2-1.14.3.tar.gz) = 2217fc454fe875b3e4d405aa24075f35e1b1a6725d25ca5317370ae78e8d68c8b8e562bff0565c0d50860980e8d01d2b880ee05f557112b13f2899cb800e2279
SHA512 (AusweisApp2-1.14.3-notes_html.tar.xz) = 36d4268b95a357a03c61092744e6aa81ecee97f0246349f129583ac5cc13ac0377aec85b9a71b8b8ef083e0ac6bc4c7576de2629e9e836c580bd122dbdcd9a40
SHA512 (AusweisApp2-1.14.3-sdk_html.tar.xz) = f8fc1af5e6a3685293b8e3d5b20ff9eb7cb51e77c68d86f351b0c1585e15b92f3af810211a4c30354d509295057d25c2bc084501d3a7c8ce43138141a9f1ccdf