Import security/libdigidocpp 3.14.8

This is dependency for the upcoming security/qdigidoc4 port.

Input tb (who also provided all the LibreSSL fixes)
Input OK sthen
---
libdigidocpp offers creating, signing and verification of digitally signed
documents, according to XAdES and XML-DSIG standards.

digidoc-tool(1) provides a simple CLI.
kn 2022-07-08 09:12:43 +00:00
parent 954a3ed416
commit a015763b93
13 changed files with 317 additions and 0 deletions


@ -0,0 +1,68 @@
COMMENT = library for creating DigiDoc signature files
V = 3.14.8
DISTNAME = libdigidocpp-${V}
CATEGORIES = security
SHARED_LIBS = digidocpp 0.0 # 0.0
DEBUG_PACKAGES = ${BUILD_PACKAGES}
# LGPL 2.1+
PERMIT_PACKAGE = Yes
HOMEPAGE = https://www.id.ee/
MASTER_SITES = https://github.com/open-eid/libdigidocpp/releases/download/v${V}/
# ${WRKSRC}/etc/schema/.../*.xsd.orig
PATCHORIG = .pat.orig
MAINTAINER = Klemens Nanni <kn@openbsd.org>
# C++11
COMPILER = base-clang ports-gcc
WANTLIB += ${COMPILER_LIBCXX} c crypto iconv m minizip ssl xalan-c
WANTLIB += xerces-c xml-security-c z
MODULES = devel/cmake
BUILD_DEPENDS = devel/boost \
devel/xsd>=4.0 \
editors/vim,-main
LIB_DEPENDS = archivers/minizip \
converters/libiconv \
security/xml-security-c \
textproc/xalan-c \
textproc/xerces-c
RUN_DEPENDS = # empty
# move DIGIDOCPP_CONFIG_DIR out of /usr/local/ into /etc/ (PLIST @sample)
CONFIGURE_ARGS = -DCMAKE_INSTALL_SYSCONFDIR=share/examples
# skip documentation and heavy dependency (for now)
CONFIGURE_ARGS += -DCMAKE_DISABLE_FIND_PACKAGE_Doxygen=ON
# no idea if/where JNI is packaged, just disable uneeded Java parts (for now)
#LIB_DEPENDS += devel/swig
CONFIGURE_ARGS += -DCMAKE_DISABLE_FIND_PACKAGE_JNI=ON \
-DCMAKE_DISABLE_FIND_PACKAGE_SWIG=ON
# uses deprecated PoDoFo API and implies OpenSSL 1.0.2
# https://github.com/open-eid/libdigidocpp/issues/450
CONFIGURE_ARGS += -DCMAKE_DISABLE_FIND_PACKAGE_PoDoFo=ON
# minizip's minizip-config.cmake:30 fails since zstd does not ship .cmake files
# but minizip is still found through a later pkg_check_modules()
CONFIGURE_ARGS += -DCMAKE_DISABLE_FIND_PACKAGE_MiniZip=ON
CONFIGURE_ENV += LDFLAGS=${LDFLAGS:Q}
# dlopen()'ed "opensc-pkcs11.so" in libdigidocpp.so
LIB_DEPEPNDS += security/opensc
CONFIGURE_ARGS += -DCMAKE_SHARED_LINKER_FLAGS="${LDFLAGS} \
-Wl,-rpath,/usr/local/lib/pkcs11"
.include <bsd.port.mk>
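Review bot: `LIB_DEPEPNDS += security/opensc` on the line after the dlopen() comment is misspelled, so bsd.port.mk never sees it and, together with `RUN_DEPENDS = # empty`, the package records no dependency on security/opensc at all; an installed libdigidocpp then has a PKCS#11 signing path that fails at runtime because opensc-pkcs11.so is absent. Since the module is dlopen()'ed rather than linked (it is not in WANTLIB), the dependency belongs in RUN_DEPENDS: replace the empty line with `RUN_DEPENDS = security/opensc` and drop the misspelled line. The `-Wl,-rpath,/usr/local/lib/pkcs11` linker flag looks redundant once the patched FindPKCS11.cmake loads the module by absolute path, and both places should derive the prefix from `${LOCALBASE}` instead of a literal /usr/local; worth confirming whether the rpath is still needed. The comment typo `uneeded` should read `unneeded`.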


@ -0,0 +1,2 @@
SHA256 (libdigidocpp-3.14.8.tar.gz) = U5i5IAyJF4359q6M6mQemEuG7+inPYIXqLy8GHv4dkg=
SIZE (libdigidocpp-3.14.8.tar.gz) = 2666986


@ -0,0 +1,14 @@
- Require iconv for libdigidocpp
https://github.com/open-eid/libdigidocpp/pull/470
Index: CMakeLists.txt
--- CMakeLists.txt.orig
+++ CMakeLists.txt
@@ -56,6 +55,7 @@ if(UNIX AND NOT APPLE)
find_package(PkgConfig)
pkg_check_modules(MINIZIP minizip IMPORTED_TARGET)
endif()
+find_package(Iconv REQUIRED)
find_package(SWIG)
find_package(JNI)


@ -0,0 +1,15 @@
Set correct OpenSC PKCS11 module path
https://github.com/open-eid/cmake/pull/34
Index: cmake/modules/FindPKCS11.cmake
--- cmake/modules/FindPKCS11.cmake.orig
+++ cmake/modules/FindPKCS11.cmake
@@ -9,7 +9,7 @@ if(APPLE)
elseif(WIN32)
set(PKCS11_MODULE opensc-pkcs11.dll)
else()
- set(PKCS11_MODULE opensc-pkcs11.so)
+ set(PKCS11_MODULE /usr/local/lib/pkcs11/opensc-pkcs11.so)
endif()
include(FindPackageHandleStandardArgs)
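Review bot: The new `set(PKCS11_MODULE /usr/local/lib/pkcs11/opensc-pkcs11.so)` bakes the /usr/local prefix into the patch, so a build with a different LOCALBASE silently points at a module that does not exist. Loading the PKCS#11 driver by absolute path instead of the bare `opensc-pkcs11.so` is the right direction from a hardening standpoint, as it takes the library search path out of the lookup; only the prefix should come from the port. If the module honours a value set before it runs, `-DPKCS11_MODULE=${LOCALBASE}/lib/pkcs11/opensc-pkcs11.so` in CONFIGURE_ARGS would replace the patch entirely; otherwise rewriting the prefix with `${SUBST_CMD}` in a post-patch step keeps the patch LOCALBASE-clean. The rest of FindPKCS11.cmake is outside the hunk, so whether a pre-set or cache value is respected cannot be seen here.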


@ -0,0 +1,19 @@
Link digidocpp against iconv to unbreak src/digidoc-tool and tests/TSLTests
build:
ld: error: undefined symbol: libiconv_open
https://github.com/open-eid/libdigidocpp/pull/470
Index: src/CMakeLists.txt
--- src/CMakeLists.txt.orig
+++ src/CMakeLists.txt
@@ -227,7 +227,7 @@ set_target_properties(digidocpp PROPERTIES
target_link_libraries(digidocpp
PRIVATE ${CMAKE_DL_LIBS} minizip
- PUBLIC digidocpp_priv
+ PUBLIC digidocpp_priv Iconv::Iconv
)
if( BUILD_TOOLS )


@ -0,0 +1,32 @@
LibreSSL doesn't support sha3.
Index: src/crypto/Digest.cpp
--- src/crypto/Digest.cpp.orig
+++ src/crypto/Digest.cpp
@@ -128,7 +128,7 @@ void Digest::reset(const string &uri)
case NID_sha256: result = EVP_DigestInit(d->ctx, EVP_sha256()); break;
case NID_sha384: result = EVP_DigestInit(d->ctx, EVP_sha384()); break;
case NID_sha512: result = EVP_DigestInit(d->ctx, EVP_sha512()); break;
-#if OPENSSL_VERSION_NUMBER > 0x10101000L
+#if OPENSSL_VERSION_NUMBER > 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
case NID_sha3_224: result = EVP_DigestInit(d->ctx, EVP_sha3_224()); break;
case NID_sha3_256: result = EVP_DigestInit(d->ctx, EVP_sha3_256()); break;
case NID_sha3_384: result = EVP_DigestInit(d->ctx, EVP_sha3_384()); break;
@@ -167,7 +167,7 @@ int Digest::toMethod(const string &uri)
if(uri == URI_SHA256 || uri == URI_RSA_SHA256 || uri == URI_RSA_PSS_SHA256 || uri == URI_ECDSA_SHA256) return NID_sha256;
if(uri == URI_SHA384 || uri == URI_RSA_SHA384 || uri == URI_RSA_PSS_SHA384 || uri == URI_ECDSA_SHA384) return NID_sha384;
if(uri == URI_SHA512 || uri == URI_RSA_SHA512 || uri == URI_RSA_PSS_SHA512 || uri == URI_ECDSA_SHA512) return NID_sha512;
-#if OPENSSL_VERSION_NUMBER > 0x10101000L
+#if OPENSSL_VERSION_NUMBER > 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
if(uri == URI_SHA3_224 || uri == URI_RSA_PSS_SHA3_224) return NID_sha3_224;
if(uri == URI_SHA3_256 || uri == URI_RSA_PSS_SHA3_256) return NID_sha3_256;
if(uri == URI_SHA3_384 || uri == URI_RSA_PSS_SHA3_384) return NID_sha3_384;
@@ -238,7 +238,7 @@ std::string Digest::toUri(int nid)
case NID_sha256: return URI_SHA256;
case NID_sha384: return URI_SHA384;
case NID_sha512: return URI_SHA512;
-#if OPENSSL_VERSION_NUMBER > 0x10101000L
+#if OPENSSL_VERSION_NUMBER > 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
case NID_sha3_224: return URI_SHA3_224;
case NID_sha3_256: return URI_SHA3_256;
case NID_sha3_384: return URI_SHA3_384;
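Review bot: The guard `#if OPENSSL_VERSION_NUMBER > 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)` is now repeated verbatim in all three hunks (reset, toMethod, toUri); defining one project macro near the top of the file, e.g. `#define DIGIDOC_HAVE_SHA3` under that condition, and testing it at the three sites would keep them from drifting apart when the condition changes again. Behaviourally a LibreSSL build no longer recognises the SHA-3 digest URIs, so a document signed with them must be rejected rather than verified with a fallback algorithm; the end of toMethod is outside the hunk, so please confirm that unknown URIs there produce an error rather than a default NID. A one-line comment at the first guard stating that LibreSSL lacks EVP_sha3_* would also save the next updater a search.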


@ -0,0 +1,18 @@
LibreSSL doesn't have BIO_ADDR support, so this exception cannot be hit.
Index: src/crypto/OpenSSLHelpers.h
--- src/crypto/OpenSSLHelpers.h.orig
+++ src/crypto/OpenSSLHelpers.h
@@ -118,10 +118,12 @@ class OpenSSLException : public Exception
while((error = ERR_get_error()) != 0)
{
Exception e(ERR_lib_error_string(error), 0, ERR_error_string(error, nullptr));
+#ifndef LIBRESSL_VERSION_NUMBER
if(ERR_GET_LIB(error) == ERR_R_BIO_LIB &&
ERR_GET_FUNC(error) == BIO_F_BIO_LOOKUP_EX &&
ERR_GET_REASON(error) == ERR_R_SYS_LIB)
e.setCode(ExceptionCode::HostNotFound);
+#endif
addCause(e);
}
}
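Review bot: Wrapping the `ERR_R_BIO_LIB`/`BIO_F_BIO_LOOKUP_EX` classification in `#ifndef LIBRESSL_VERSION_NUMBER` means a LibreSSL build never sets `ExceptionCode::HostNotFound`, so a failed host lookup surfaces as a generic OpenSSLException; any caller that branches on HostNotFound (offline handling, retries) will behave differently on OpenBSD than on OpenSSL builds, which deserves a comment at the `#ifndef`, e.g. `// LibreSSL has no BIO_ADDR lookup errors; HostNotFound is never reported here`. The same block will also need attention for OpenSSL 3.0, where `ERR_GET_FUNC` and the `BIO_F_*` function codes were removed (or reduced to deprecated placeholders), so a version check next to the LibreSSL one would cover both. The enclosing OpenSSLException constructor begins before the hunk.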


@ -0,0 +1,55 @@
Provide OPENSSL_memdup() and TS accessors for LibreSSL
"Upgrade openssl 1.1.1m and fix crash with new openssl version (#453)"
https://github.com/open-eid/libdigidocpp/commit/42a8cfd
Index: src/crypto/TS.cpp
--- src/crypto/TS.cpp.orig
+++ src/crypto/TS.cpp
@@ -40,7 +40,22 @@
using namespace digidoc;
using namespace std;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(LIBRESSL_VERSION_NUMBER)
+void *OPENSSL_memdup(const void *data, size_t size)
+{
+ void *copy;
+
+ if (data == NULL || size >= INT_MAX)
+ return NULL;
+
+ if ((copy = malloc(size)) == NULL)
+ return NULL;
+
+ return memcpy(copy, data, size);
+}
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f)
{
ctx->flags = unsigned(f);
@@ -48,6 +63,7 @@ static void TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx
static void TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, unsigned char *hexstr, long len)
{
+ OPENSSL_free(ctx->imprint);
ctx->imprint = hexstr;
ctx->imprint_len = unsigned(len);
}
@@ -257,11 +273,10 @@ void TS::verify(const Digest &digest)
{
SCOPE(TS_VERIFY_CTX, ctx, TS_VERIFY_CTX_new());
TS_VERIFY_CTX_set_flags(ctx.get(), TS_VFY_IMPRINT|TS_VFY_VERSION|TS_VFY_SIGNATURE);
- TS_VERIFY_CTX_set_imprint(ctx.get(), data.data(), long(data.size()));
+ TS_VERIFY_CTX_set_imprint(ctx.get(),
+ (unsigned char*)OPENSSL_memdup(data.data(), data.size()), long(data.size()));
TS_VERIFY_CTX_set_store(ctx.get(), store.release());
- int err = TS_RESP_verify_token(ctx.get(), d.get());
- TS_VERIFY_CTX_set_imprint(ctx.get(), nullptr, 0); //Avoid CRYPTO_free
- if(err != 1)
+ if(TS_RESP_verify_token(ctx.get(), d.get()) != 1)
{
unsigned long err = ERR_get_error();
if(ERR_GET_LIB(err) == ERR_LIB_TS && ERR_GET_REASON(err) == TS_R_CERTIFICATE_VERIFY_ERROR)
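Review bot: The new call `TS_VERIFY_CTX_set_imprint(ctx.get(), (unsigned char*)OPENSSL_memdup(data.data(), data.size()), long(data.size()))` never checks the copy: the LibreSSL replacement returns NULL when `data.data()` is null or malloc fails, and the context would then hold a null imprint with a non-zero length when TS_RESP_verify_token runs. Store the result first and fail explicitly, e.g. `unsigned char *imprint = (unsigned char*)OPENSSL_memdup(data.data(), data.size());` followed by `if(!imprint) throw Exception(__FILE__, __LINE__, "Failed to copy timestamp imprint");` using whatever Exception constructor the file already uses. The replacement `OPENSSL_memdup` is defined with external linkage in the global namespace; making it `static` avoids a duplicate symbol should a LibreSSL release provide its own. Ownership otherwise looks consistent: the copy is handed to the context and released by the new `OPENSSL_free(ctx->imprint)` in set_imprint and presumably by TS_VERIFY_CTX_free (outside the hunk), which is why the old `TS_VERIFY_CTX_set_imprint(ctx.get(), nullptr, 0)` reset could go; a comment saying so at the call site would prevent someone reinstating it.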


@ -0,0 +1,14 @@
Use old-style STACK_OF stuff for LibreSSL
Index: src/crypto/X509Cert.cpp
--- src/crypto/X509Cert.cpp.orig
+++ src/crypto/X509Cert.cpp
@@ -86,7 +86,7 @@ DECLARE_ASN1_FUNCTIONS(QCStatement)
* QCStatements ::= SEQUENCE OF QCStatement
*/
using QCStatements = STACK_OF(QCStatement);
-#if OPENSSL_VERSION_NUMBER < 0x10010000L
+#if OPENSSL_VERSION_NUMBER < 0x10010000L || defined(LIBRESSL_VERSION_NUMBER)
#include <openssl/safestack.h>
#define sk_QCStatement_num(st) sk_num((_STACK*)st)
#define sk_QCStatement_value(st, i) (QCStatement*)sk_value((_STACK*)st, i)
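Review bot: The retained threshold `OPENSSL_VERSION_NUMBER < 0x10010000L` looks like a transposed digit of the 1.1.0 boundary `0x10100000L` used by the Digest.cpp and TS.cpp guards in this commit; it happens to classify every real release the same way, and the LibreSSL build is unaffected because of the added `|| defined(LIBRESSL_VERSION_NUMBER)`, but the inconsistency is worth mentioning when this is sent upstream. A short comment at the `#if`, e.g. `// pre-1.1 and LibreSSL: no typed STACK_OF accessors, use the generic _STACK ones`, would make the intent checkable.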


@ -0,0 +1,12 @@
Index: src/crypto/X509Crypto.cpp
--- src/crypto/X509Crypto.cpp.orig
+++ src/crypto/X509Crypto.cpp
@@ -37,7 +37,7 @@
using namespace digidoc;
using namespace std;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
/*-
* IssuerSerial ::= SEQUENCE {
* issuer GeneralNames,
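Review bot: This patch is the only one in the commit without a header line explaining why the guard is narrowed; the other patches here (and ports convention) state the reason above `Index:`. A line such as `LibreSSL lacks the OpenSSL 1.1 ASN.1 API used for the IssuerSerial definition below, keep the pre-1.1 code path` — adjusted to the actual reason, since the IssuerSerial block itself is outside the hunk — would tell the next updater when the patch can be dropped.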


@ -0,0 +1,15 @@
Set correct OpenSC PKCS11 module path
https://github.com/open-eid/libdigidocpp/pull/473
Index: src/digidoc-tool.1.cmake
--- src/digidoc-tool.1.cmake.orig
+++ src/digidoc-tool.1.cmake
@@ -55,7 +55,7 @@ Command sign:
--postalCode= - postalCode of production place
--country= - country of production place
--role= - option can occur multiple times. Signer role(s)
- --pkcs11[=] - default is /Library/OpenSC/lib/opensc-pkcs11.so. Path of PKCS11 driver.
+ --pkcs11[=] - default is ${PKCS11_MODULE}. Path of PKCS11 driver.
--pkcs12= - pkcs12 signer certificate (use --pin for password)
--pin= - default asks pin from prompt
--sha(224,256,384,512) - set default digest method (default sha256)


@ -0,0 +1,4 @@
libdigidocpp offers creating, signing and verification of digitally signed
documents, according to XAdES and XML-DSIG standards.
digidoc-tool(1) provides a simple CLI.


@ -0,0 +1,49 @@
@bin bin/digidoc-tool
include/digidocpp/
include/digidocpp/Conf.h
include/digidocpp/Container.h
include/digidocpp/DataFile.h
include/digidocpp/Exception.h
include/digidocpp/Exports.h
include/digidocpp/Signature.h
include/digidocpp/XmlConf.h
include/digidocpp/crypto/
include/digidocpp/crypto/PKCS11Signer.h
include/digidocpp/crypto/PKCS12Signer.h
include/digidocpp/crypto/Signer.h
include/digidocpp/crypto/X509Cert.h
@lib lib/libdigidocpp.so.${LIBdigidocpp_VERSION}
lib/pkgconfig/libdigidocpp.pc
@man man/man1/digidoc-tool.1
share/examples/digidocpp/
@sample ${SYSCONFDIR}/digidocpp/
share/examples/digidocpp/798.p12
@sample ${SYSCONFDIR}/digidocpp/798.p12
share/examples/digidocpp/digidocpp.conf
@sample ${SYSCONFDIR}/digidocpp/digidocpp.conf
share/examples/digidocpp/schema/
@sample ${SYSCONFDIR}/digidocpp/schema/
share/examples/digidocpp/schema/OpenDocument_dsig.xsd
@sample ${SYSCONFDIR}/digidocpp/schema/OpenDocument_dsig.xsd
share/examples/digidocpp/schema/OpenDocument_manifest.xsd
@sample ${SYSCONFDIR}/digidocpp/schema/OpenDocument_manifest.xsd
share/examples/digidocpp/schema/XAdES01903v132-201601-relaxed.xsd
@sample ${SYSCONFDIR}/digidocpp/schema/XAdES01903v132-201601-relaxed.xsd
share/examples/digidocpp/schema/XAdES01903v132-201601.xsd
@sample ${SYSCONFDIR}/digidocpp/schema/XAdES01903v132-201601.xsd
share/examples/digidocpp/schema/XAdES01903v141-201601.xsd
@sample ${SYSCONFDIR}/digidocpp/schema/XAdES01903v141-201601.xsd
share/examples/digidocpp/schema/conf.xsd
@sample ${SYSCONFDIR}/digidocpp/schema/conf.xsd
share/examples/digidocpp/schema/en_31916201v010101.xsd
@sample ${SYSCONFDIR}/digidocpp/schema/en_31916201v010101.xsd
share/examples/digidocpp/schema/ts_119612v020101_additionaltypes_xsd.xsd
@sample ${SYSCONFDIR}/digidocpp/schema/ts_119612v020101_additionaltypes_xsd.xsd
share/examples/digidocpp/schema/ts_119612v020101_sie_xsd.xsd
@sample ${SYSCONFDIR}/digidocpp/schema/ts_119612v020101_sie_xsd.xsd
share/examples/digidocpp/schema/ts_119612v020201_201601xsd.xsd
@sample ${SYSCONFDIR}/digidocpp/schema/ts_119612v020201_201601xsd.xsd
share/examples/digidocpp/schema/xml.xsd
@sample ${SYSCONFDIR}/digidocpp/schema/xml.xsd
share/examples/digidocpp/schema/xmldsig-core-schema.xsd
@sample ${SYSCONFDIR}/digidocpp/schema/xmldsig-core-schema.xsd
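Review bot: `@sample ${SYSCONFDIR}/digidocpp/798.p12` installs a PKCS#12 bundle under /etc with the default @sample mode, and since .p12 files normally carry a private key a reader of this PLIST cannot tell whether it is sensitive. Presumably it is the upstream-shipped client certificate used to reach the OCSP/TSL services rather than user key material — if so, a one-line comment in the Makefile next to the CMAKE_INSTALL_SYSCONFDIR setting saying what 798.p12 is would settle it; if it does hold a key, an `@mode 0640` before the @sample entry would keep it from being world-readable.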