
Refresh patch queue for upstream version 10

Christoph Biedl 8 months ago
parent
commit
bc428cbffa

+ 0 - 115
debian/patches/cherry-pick/1606661229.v9-5-gfd69796.add-tangd-rotate-keys-helper-script.patch

@@ -1,115 +0,0 @@
-Subject: Add tangd-rotate-keys helper script
-Origin: v9-5-gfd69796 <https://github.com/latchset/tang/commit/v9-5-gfd69796>
-Upstream-Author: Sergio Correia <scorreia@redhat.com>
-Date: Sun Nov 29 11:47:09 2020 -0300
-
-    So that it becomes simpler to perform key rotation on the server side.
-
-    Usage: tangd-rotate-keys [-h] [-v] -d <KEYDIR>
-
-    Example:
-
-    $ sudo tangd-rotate-keys -d /var/db/tang -v
-    Disabled advertisement of key 5AiUA4IhvOFdXzFavO78TKJ8hEsfGk8I6ymy4rBPWi8.jwk -> .5AiUA4IhvOFdXzFavO78TKJ8hEsfGk8I6ymy4rBPWi8.jwk
-    Disabled advertisement of key dDC74X-o31Fq5VJaM9iZ4baZD2hhHw-RrIMkxEz35Xc.jwk -> .dDC74X-o31Fq5VJaM9iZ4baZD2hhHw-RrIMkxEz35Xc.jwk
-    Created new key bIGVyIP2D_NJGQeFA9cf9oix5KEVQyVq9ZGjjv0s3D8.jwk
-    Created new key BL4IR73UhG8yyYbvGJspPIlLvG6AzTnM850tlCKrcII.jwk
-    Keys rotated successfully
-
---- a/src/meson.build
-+++ b/src/meson.build
-@@ -9,5 +9,6 @@
- 
- bins += join_paths(meson.current_source_dir(), 'tang-show-keys')
- libexecbins += join_paths(meson.current_source_dir(), 'tangd-keygen')
-+libexecbins += join_paths(meson.current_source_dir(), 'tangd-rotate-keys')
- 
- # vim:set ts=2 sw=2 et:
---- /dev/null
-+++ b/src/tangd-rotate-keys
-@@ -0,0 +1,85 @@
-+#!/bin/sh -e
-+# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
-+#
-+# Copyright (c) 2020 Red Hat, Inc.
-+# Author: Sergio Correia <scorreia@redhat.com>
-+#
-+# This program is free software: you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation, either version 3 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+#
-+
-+SUMMARY="Perform rotation of tang keys"
-+
-+usage() {
-+    local _ret="${1:-1}"
-+    exec >&2
-+    echo "Usage: ${0} [-h] [-v] -d <KEYDIR>"
-+    echo
-+    echo "${SUMMARY}"
-+    echo
-+    echo "  -d KEYDIR  The directory with the keys, e.g. /var/db/tang"
-+    echo
-+    echo "  -h         Display this usage information"
-+    echo
-+    echo "  -v         Verbose. Display additional info on keys created/rotated"
-+    echo
-+    exit "${_ret}"
-+}
-+
-+log() {
-+    local _msg="${1}"
-+    local _verbose="${2:-}"
-+    [ -z "${_verbose}" ] && return 0
-+    echo "${_msg}" >&2
-+}
-+
-+error() {
-+    log "${1}" 1
-+    usage 1
-+}
-+
-+JWKDIR=
-+VERBOSE=
-+while getopts "hvd:" o; do
-+    case "${o}" in
-+        d) JWKDIR="${OPTARG}";;
-+        h) usage 0;;
-+        v) VERBOSE=1;;
-+        *) usage 1;;
-+    esac
-+done
-+
-+[ -z "${JWKDIR}" ] && error "Please specify the keys directory with -d switch"
-+[ -r "${JWKDIR}" ] || error "Error trying to access JWK directory '${JWKDIR}'"
-+
-+cd "${JWKDIR}" || error "Unable to change to keys directory '${JWKDIR}'"
-+    # Disable advertisement of current keys.
-+    for key in *.jwk; do
-+        [ -r "${key}" ] || continue
-+        mv -f -- "${key}" ."${key}"
-+        log "Disabled advertisement of key ${key} -> .${key}" "${VERBOSE}"
-+    done
-+
-+    # Create a new set of keys.
-+    DEFAULT_THP_HASH="S256"
-+    for alg in "ES512" "ECMR"; do
-+        json="$(printf '{"alg": "%s"}' "${alg}")"
-+        jwe="$(jose jwk gen --input "${json}")"
-+        thp="$(printf '%s' "${jwe}" | jose jwk thp --input=- \
-+                                           -a "${DEFAULT_THP_HASH}")"
-+        echo "${jwe}" > "${thp}.jwk"
-+        log "Created new key ${thp}.jwk" "${VERBOSE}"
-+    done
-+cd - >/dev/null
-+
-+log "Keys rotated successfully" "${VERBOSE}"

+ 0 - 232
debian/patches/cherry-pick/1619654056.v9-3-g69b47ce.tests-unify-tests.patch

@@ -1,232 +0,0 @@
-Subject: Tests: unify tests
-Origin: v9-3-g69b47ce <https://github.com/latchset/tang/commit/v9-3-g69b47ce>
-Upstream-Author: Sergio Correia <scorreia@redhat.com>
-Date: Wed Apr 28 20:54:16 2021 -0300
-
-    Let's try to not duplicate tests but instead reuse them across the
-    supported platforms.
-
---- a/tests/adv
-+++ b/tests/adv
-@@ -1,4 +1,4 @@
--#!/bin/bash -x
-+#!/bin/sh -ex
- # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
- #
- # Copyright (c) 2016 Red Hat, Inc.
-@@ -18,35 +18,11 @@
- # along with this program.  If not, see <http://www.gnu.org/licenses/>.
- #
- 
--function fetch() {
--    curl -sfg http://127.0.0.1:$PORT$1
--}
--
--function ver() {
--    jose jws ver -i- -k "$1"
--}
--
--function on_exit() {
--    if [ "$PID" ]; then kill $PID; wait $PID || true; fi
--    [ -d "$TMP" ] && rm -rf $TMP
--}
--
--validate() {
--    if ! _jwks="$(jose fmt --json="${1}" -Og payload -SyOg keys \
--                 -AUo- 2>/dev/null)"; then
--        echo "Advertisement is malformed" >&2
--        exit 1
--    fi
--    _ver="$(printf '%s' "${_jwks}" | jose jwk use -i- -r -u verify -o-)"
--    if ! printf '%s' "${_ver}" | jose jws ver -i "${1}" -k- -a; then
--        echo "Advertisement is missing signatures" >&2
--        exit 1
--    fi
--}
-+. helpers
- 
--trap 'on_exit' EXIT
--trap 'exit' ERR
-+sanity_check
- 
-+trap 'on_exit' EXIT
- export TMP=`mktemp -d`
- mkdir -p $TMP/db
- 
-@@ -54,8 +30,8 @@
- jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.sig.jwk
- jose jwk gen -i '{"alg": "ES512"}' -o $TMP/db/.oth.jwk
- 
--export PORT=`shuf -i 1024-65536 -n 1`
--$SD_ACTIVATE -l "127.0.0.1:$PORT" -a $VALGRIND tangd $TMP/db &
-+export PORT=$(random_port)
-+start_server "${PORT}"
- export PID=$!
- sleep 0.5
- 
-@@ -95,7 +71,7 @@
-                -g 0 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU \
-                -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
- 
--test "$(tang-show-keys $PORT)" == "$(jose jwk thp -i $TMP/db/sig.jwk)"
-+test "$(tang-show-keys $PORT)" = "$(jose jwk thp -i $TMP/db/sig.jwk)"
- 
- # Check that new keys will be created if none exist.
- rm -rf "${TMP}/db" && mkdir -p "${TMP}/db"
---- /dev/null
-+++ b/tests/helpers
-@@ -0,0 +1,62 @@
-+#!/bin/sh -ex
-+# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
-+#
-+# Copyright (c) 2016 Red Hat, Inc.
-+# Author: Nathaniel McCallum <npmccallum@redhat.com>
-+#
-+# This program is free software: you can redistribute it and/or modify
-+# it under the terms of the GNU General Public License as published by
-+# the Free Software Foundation, either version 3 of the License, or
-+# (at your option) any later version.
-+#
-+# This program is distributed in the hope that it will be useful,
-+# but WITHOUT ANY WARRANTY; without even the implied warranty of
-+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+# GNU General Public License for more details.
-+#
-+# You should have received a copy of the GNU General Public License
-+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+#
-+
-+fetch() {
-+    curl -sfg "http://127.0.0.1:${PORT}${1}"
-+}
-+
-+ver() {
-+    jose jws ver -i- -k "${1}"
-+}
-+
-+random_port() {
-+    if [ -n "${TANG_BSD}" ]; then
-+        jot -r 1 1024 65536
-+    else
-+        shuf -i 1024-65536 -n 1
-+    fi
-+}
-+
-+start_server() {
-+    "${SOCAT}" TCP-LISTEN:"${1}",bind=127.0.0.1,fork SYSTEM:"${VALGRIND} tangd ${TMP}/db" &
-+}
-+
-+on_exit() {
-+    if [ "$PID" ]; then kill "${PID}"; wait "${PID}" || true; fi
-+    [ -d "${TMP}" ] && rm -rf "${TMP}"
-+}
-+
-+validate() {
-+    if ! _jwks="$(jose fmt --json="${1}" -Og payload -SyOg keys \
-+                 -AUo- 2>/dev/null)"; then
-+        echo "Advertisement is malformed" >&2
-+        exit 1
-+    fi
-+    _ver="$(printf '%s' "${_jwks}" | jose jwk use -i- -r -u verify -o-)"
-+    if ! printf '%s' "${_ver}" | jose jws ver -i "${1}" -k- -a; then
-+        echo "Advertisement is missing signatures" >&2
-+        exit 1
-+    fi
-+}
-+
-+sanity_check() {
-+    # Skip test if socat is not available.
-+    [ -n "${SOCAT}" ] || exit 77
-+}
---- a/tests/meson.build
-+++ b/tests/meson.build
-@@ -18,9 +18,8 @@
-   include_directories: incdir
- )
- 
--sd_activate = find_program(
--  'systemd-socket-activate',
--  'systemd-activate',
-+socat = find_program(
-+  'socat',
-   required: false
- )
- 
-@@ -28,15 +27,21 @@
- env.prepend('PATH',
-   join_paths(meson.source_root(), 'src'),
-   join_paths(meson.build_root(), 'src'),
-+  join_paths(meson.source_root(), 'tests'),
-+  join_paths(meson.build_root(), 'tests'),
-   separator: ':'
- )
- 
--if sd_activate.found()
--  env.set('SD_ACTIVATE', sd_activate.path() + ' --inetd')
-+if build_machine.system() == 'freebsd'
-+  env.set('TANG_BSD', '1')
-+endif
- 
--  test('adv', find_program('adv'), env: env, timeout: 60)
--  test('rec', find_program('rec'), env: env)
-+if socat.found()
-+  env.set('SOCAT', socat.path())
- endif
-+
-+test('adv', find_program('adv'), env: env, timeout: 60)
-+test('rec', find_program('rec'), env: env)
- test('test-keys', test_keys, env: env, timeout: 60)
- 
- # vim:set ts=2 sw=2 et:
---- a/tests/rec
-+++ b/tests/rec
-@@ -1,4 +1,4 @@
--#!/bin/bash -x
-+#!/bin/sh -ex
- # vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
- #
- # Copyright (c) 2016 Red Hat, Inc.
-@@ -18,14 +18,11 @@
- # along with this program.  If not, see <http://www.gnu.org/licenses/>.
- #
- 
--function on_exit() {
--    if [ "$PID" ]; then kill $PID; wait $PID || true; fi
--    [ -d "$TMP" ] && rm -rf $TMP
--}
-+. helpers
- 
--trap 'on_exit' EXIT
--trap 'exit' ERR
-+sanity_check
- 
-+trap 'on_exit' EXIT
- export TMP=`mktemp -d`
- mkdir -p $TMP/db
- 
-@@ -39,19 +36,19 @@
- jose jwk pub -i $TMP/exc.jwk -o $TMP/exc.pub.jwk
- 
- # Start the server
--port=`shuf -i 1024-65536 -n 1`
--$SD_ACTIVATE -l 127.0.0.1:$port -a $VALGRIND tangd $TMP/db &
-+export PORT=$(random_port)
-+start_server "${PORT}"
- export PID=$!
- sleep 0.5
- 
- # Make sure that GET fails
--! curl -sf http://127.0.0.1:$port/rec
--! curl -sf http://127.0.0.1:$port/rec/
-+! curl -sf http://127.0.0.1:$PORT/rec
-+! curl -sf http://127.0.0.1:$PORT/rec/
- 
- # Make a recovery request (NOTE: this is insecure! Don't do this in real code!)
- good=`jose jwk exc -i '{"alg":"ECMR","key_ops":["deriveKey"]}' -l $TMP/exc.jwk -r $TMP/db/exc.jwk`
- test=`curl -sf -X POST \
-            -H "Content-Type: application/jwk+json" \
-            --data-binary @- \
--           http://127.0.0.1:$port/rec/${exc_kid} < $TMP/exc.pub.jwk`
--[ "$good" == "$test" ]
-+           http://127.0.0.1:$PORT/rec/${exc_kid} < $TMP/exc.pub.jwk`
-+[ "$good" = "$test" ]

+ 0 - 96
debian/patches/cherry-pick/1619791926.v9-1-g5482313.fix-generation-of-new-keys-when-no-keys-are-available.patch

@@ -1,96 +0,0 @@
-Subject: Fix generation of new keys when no keys are available
-Origin: v9-1-g5482313 <https://github.com/latchset/tang/commit/v9-1-g5482313>
-Upstream-Author: Sergio Correia <scorreia@redhat.com>
-Date: Fri Apr 30 11:12:06 2021 -0300
-
-    When no keys are available, tang creates a new pair of keys, however
-    currently it checks the total number of keys, including rotated keys,
-    to decide whether to create new keys.
-
-    So not to have issues when all the keys have been rotated, let's check
-    instead the total number of "regular" keys, the ones that will be
-    advertised, and if there are none, then tang can create new keys.
-
-    This fixes an issue when we do have all keys rotated.
-    Tests added as well.
-
---- a/src/keys.c
-+++ b/src/keys.c
-@@ -392,12 +392,15 @@
-             json_t* arr = tki->m_keys;
-             if (d->d_name[0] == '.') {
-                 arr = tki->m_rotated_keys;
-+                tki->m_rotated_keys_count++;
-+            } else {
-+                tki->m_keys_count++;
-             }
-+
-             if (json_array_append(arr, json) == -1) {
-                 fprintf(stderr, "Unable to append JSON (%s) to array; skipping\n", d->d_name);
-                 continue;
-             }
--            tki->m_keys_count++;
-         }
-     }
-     closedir(dir);
---- a/src/keys.h
-+++ b/src/keys.h
-@@ -34,8 +34,8 @@
-     json_t* m_sign;               /* Set of signing keys made from regular
-                                      keys. */
- 
--    size_t m_keys_count;          /* Number of keys (regular + rotated). */
--
-+    size_t m_keys_count;          /* Number of regular keys. */
-+    size_t m_rotated_keys_count;  /* Number of rotated keys. */
- };
- 
- void cleanup_tang_keys_info(struct tang_keys_info**);
---- a/tests/adv
-+++ b/tests/adv
-@@ -83,3 +83,15 @@
-                -g 1 -Og protected -SyOg cty -Sq "jwk-set+json" -EUUUUU
- 
- test "$(tang-show-keys $PORT)" == "$(jose jwk thp -i $TMP/db/sig.jwk)"
-+
-+# Check that new keys will be created if none exist.
-+rm -rf "${TMP}/db" && mkdir -p "${TMP}/db"
-+fetch /adv
-+
-+# Now let's rotate these keys and check if we still create new keys.
-+cd "${TMP}/db"
-+for k in *.jwk; do
-+    mv -f -- "${k}" ".${k}"
-+done
-+cd -
-+fetch /adv
---- a/tests/test-keys.c.in
-+++ b/tests/test-keys.c.in
-@@ -140,7 +140,7 @@
-     json_auto_t* keys = json_deep_copy(tki->m_keys);
-     ASSERT(keys);
-     ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
--    ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
-+    ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
- 
-     for (int i = 0; hashes[i]; i++) {
-         json_array_foreach(keys, idx, jwk) {
-@@ -203,7 +203,7 @@
-     json_auto_t* keys = json_deep_copy(tki->m_keys);
-     ASSERT(keys);
-     ASSERT(json_array_extend(keys, tki->m_rotated_keys) == 0);
--    ASSERT(json_array_size(keys) == (size_t)tki->m_keys_count);
-+    ASSERT(json_array_size(keys) == (size_t)(tki->m_keys_count + tki->m_rotated_keys_count));
- 
-     for (int i = 0; hashes[i]; i++) {
-         json_array_foreach(keys, idx, jwk) {
-@@ -230,7 +230,8 @@
-      * - qgmqJSo6AEEuVQY7zVlklqdTMqY.jwk
-      * - -bWkGaJi0Zdvxaj4DCp28umLcRA.jwk
-      */
--    ASSERT(tki->m_keys_count == 4);
-+    ASSERT(tki->m_keys_count == 2);
-+    ASSERT(tki->m_rotated_keys_count == 2);
-     ASSERT(json_array_size(tki->m_keys) == 2);
-     ASSERT(json_array_size(tki->m_rotated_keys) == 2);
- 

+ 0 - 76
debian/patches/cherry-pick/1619793024.v9-2-gafb6055.keys-fix-signature-generation.patch

@@ -1,76 +0,0 @@
-Subject: Keys: fix signature generation
-Origin: v9-2-gafb6055 <https://github.com/latchset/tang/commit/v9-2-gafb6055>
-Upstream-Author: Sergio Correia <scorreia@redhat.com>
-Date: Fri Apr 30 11:30:24 2021 -0300
-
-    No need to create and pass an array with our template option.
-    This was causing issues when we had multiple (>2) pairs of keys.
-
-    Tests added to cover this scenario.
-
---- a/src/keys.c
-+++ b/src/keys.c
-@@ -233,21 +233,11 @@
-     json_auto_t* sig_template = json_pack("{s:{s:s}}",
-                                           "protected", "cty", "jwk-set+json");
- 
--    /* Use the template with the signing keys. */
--    json_auto_t* sig_template_arr = json_array();
--    size_t arr_size = json_array_size(sig_keys);
--    for (size_t i = 0; i < arr_size; i++) {
--        if (json_array_append(sig_template_arr, sig_template) == -1) {
--            fprintf(stderr, "Unable to append sig template to array\n");
--            return NULL;
--        }
--    }
--
-     __attribute__ ((__cleanup__(cleanup_str))) char* data_to_sign = json_dumps(payload, 0);
-     json_auto_t* jws = json_pack("{s:o}", "payload",
-                                  jose_b64_enc(data_to_sign, strlen(data_to_sign)));
- 
--    if (!jose_jws_sig(NULL, jws, sig_template_arr, sig_keys)) {
-+    if (!jose_jws_sig(NULL, jws, sig_template, sig_keys)) {
-         fprintf(stderr, "Error trying to jose_jws_sign\n");
-         return NULL;
-     }
---- a/tests/adv
-+++ b/tests/adv
-@@ -31,6 +31,19 @@
-     [ -d "$TMP" ] && rm -rf $TMP
- }
- 
-+validate() {
-+    if ! _jwks="$(jose fmt --json="${1}" -Og payload -SyOg keys \
-+                 -AUo- 2>/dev/null)"; then
-+        echo "Advertisement is malformed" >&2
-+        exit 1
-+    fi
-+    _ver="$(printf '%s' "${_jwks}" | jose jwk use -i- -r -u verify -o-)"
-+    if ! printf '%s' "${_ver}" | jose jws ver -i "${1}" -k- -a; then
-+        echo "Advertisement is missing signatures" >&2
-+        exit 1
-+    fi
-+}
-+
- trap 'on_exit' EXIT
- trap 'exit' ERR
- 
-@@ -95,3 +108,18 @@
- done
- cd -
- fetch /adv
-+
-+# Lets's now test with multiple pairs of keys.
-+for i in 1 2 3 4 5 6 7 8 9; do
-+    tangd-keygen "${TMP}"/db other-sig-${i} other-exc-${i}
-+done
-+
-+# Verify the advertisement is correct.
-+validate "$(fetch /adv)"
-+
-+# And make sure we can fetch an adv by its thumbprint.
-+for jwk in "${TMP}"/db/other-sig-*.jwk; do
-+    for alg in $(jose alg -k hash); do
-+        fetch /adv/"$(jose jwk thp -a "${alg}" -i "${jwk}")" | ver "${jwk}"
-+    done
-+done

+ 2 - 2
debian/patches/debian/2021-04-19.non-usrmerged.patch

@@ -12,5 +12,5 @@ Forwarded: not-needed
 -systemunitdir = join_paths(get_option('prefix'), 'lib/systemd/system')
 +systemunitdir = join_paths('/lib/systemd/system')
  licensedir = join_paths(get_option('prefix'), 'share', 'licenses', meson.project_name())
- jwkdir = join_paths(get_option('localstatedir'), 'db', meson.project_name())
- 
+ if build_machine.system() == 'freebsd'
+   licensedir += '-'+meson.project_version()

+ 3 - 3
debian/patches/for-upstream/2018-08-11.use-asciidoctor-to-build-manpages.patch

@@ -5,16 +5,16 @@ Bug: https://github.com/latchset/tang/issues/32
 
 --- a/meson.build
 +++ b/meson.build
-@@ -46,7 +46,7 @@
+@@ -49,7 +49,7 @@
  )
  
  jose = dependency('jose', version: '>=8')
 -a2x = find_program('a2x', required: false)
 +asciidoctor = find_program('asciidoctor', required: false)
  compiler = meson.get_compiler('c')
- if not compiler.has_header('http_parser.h')
+ if not compiler.has_header('http_parser.h',args : '-I/usr/local/include')
    error('http-parser devel files not found.')
-@@ -69,16 +69,16 @@
+@@ -72,16 +72,16 @@
  install_data(units, install_dir: systemunitdir)
  install_data(licenses, install_dir: licensedir)
  

+ 0 - 4
debian/patches/series

@@ -1,9 +1,5 @@
 
 # cherry-picked commits. Keep in upstream's chronological order
-cherry-pick/1619791926.v9-1-g5482313.fix-generation-of-new-keys-when-no-keys-are-available.patch
-cherry-pick/1619793024.v9-2-gafb6055.keys-fix-signature-generation.patch
-cherry-pick/1619654056.v9-3-g69b47ce.tests-unify-tests.patch
-cherry-pick/1606661229.v9-5-gfd69796.add-tangd-rotate-keys-helper-script.patch
 
 # patches for upstream
 for-upstream/2018-08-11.use-asciidoctor-to-build-manpages.patch