app-crypt/eid-mw: version bump 4.4.19

Closes: https://bugs.gentoo.org/690038
Submitted-by: Vincent Hardy <vincent.hardy.be@gmail.com>
Package-Manager: Portage-2.3.69, Repoman-2.3.16
Signed-off-by: Amy Liffey <amynka@gentoo.org>

3 files changed, 376 insertions, 0 deletions

diff --git a/app-crypt/eid-mw/Manifest b/app-crypt/eid-mw/Manifest
index debf3f3f29b3..644dc3133d43 100644
--- a/app-crypt/eid-mw/Manifest
+++ b/app-crypt/eid-mw/Manifest
@@ -1,2 +1,3 @@
 DIST eid-mw-4.4.1.tar.gz 7708697 BLAKE2B 7bdbaa37af1cdd5a8abd1519939f663c7c871cea49850932d97c391465de362885b061c024285ab2690473a4bb1ba57a70fdc12a720246b2a610ac9525f6395e SHA512 9de54858ac052eeff101070dd11c5cf60ab1d29b8dc8d946680745acf9aa6ba1044ca5451eca6066b5b467fbc32a2a23bbe7e8551ca7559e6003a4097a304cfc
 DIST eid-mw-4.4.11.tar.gz 7975630 BLAKE2B e7b052736cba98c53e97e9de15ea8e54f508c28471a7a936c5d28539648f5d3454983d9c9a21cf5959a070849865de5ca58d5d29ad64eb08209afd40959c56ae SHA512 35273492abc0efa7146848c82770bcd5e4ce1b7c9971ce45686b4d3244332456011db6df05154ad6a204854fd13ac3dce8f7b8cd6112a2e60a7b8434f3c4a196
+DIST eid-mw-4.4.19.tar.gz 7941144 BLAKE2B c02f975081eacf7803839461ae91e3c6a24c3e2fc60064a981cc71f629925679b0df997e8acbe2da2f1e58dcc665b8633e3c9bf28b07be90ac8cdd0448e80848 SHA512 21530111461302123be662dd60f3fbd56ffd8a0537cac88c99d5a6bcd9163a27bc34e05beaf7502dd5ada247ca324d21590a866907b5a7a02ce3d8d78fcac634
diff --git a/app-crypt/eid-mw/eid-mw-4.4.19.ebuild b/app-crypt/eid-mw/eid-mw-4.4.19.ebuild
new file mode 100644
index 000000000000..98c8bfee6ce3
--- /dev/null
+++ b/app-crypt/eid-mw/eid-mw-4.4.19.ebuild
@@ -0,0 +1,103 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit autotools desktop gnome2-utils xdg-utils
+
+DESCRIPTION="Electronic Identity Card middleware supplied by the Belgian Federal Government"
+HOMEPAGE="https://eid.belgium.be"
+SRC_URI="https://codeload.github.com/fedict/${PN}/tar.gz/v${PV} -> ${P}.tar.gz"
+
+LICENSE="LGPL-3"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~x86"
+IUSE="+dialogs +gtk +p11v220 p11-kit"
+
+RDEPEND=">=sys-apps/pcsc-lite-1.2.9
+	gtk? (
+		x11-libs/gdk-pixbuf[jpeg]
+		x11-libs/gtk+:*
+		dev-libs/libxml2
+		net-misc/curl[ssl]
+		net-libs/libproxy
+		!app-misc/eid-viewer-bin
+	)
+	p11-kit? ( app-crypt/p11-kit )"
+
+DEPEND="${RDEPEND}
+	virtual/pkgconfig"
+
+REQUIRED_USE="dialogs? ( gtk )"
+
+src_prepare() {
+	default
+
+	sed -i -e 's:/beid/rsaref220:/rsaref220:' configure.ac || die
+	sed -i -e 's:/beid::' cardcomm/pkcs11/src/libbeidpkcs11.pc.in || die
+
+	# Buggy internal versioning when autoreconf a tarball release.
+	# Weird numbering is required otherwise we get a seg fault in
+	# about-eid-mw program.
+	echo "${PV}-v${PV}" > .version
+	sed -i \
+		-e '/^GITDESC/ d' \
+		-e '/^VERCLEAN/ d' \
+		scripts/build-aux/genver.sh
+
+	# legacy xpi module : we don't want it anymore
+	sed -i -e '/SUBDIRS/ s:plugins_tools/xpi ::' Makefile.am || die
+	sed -i -e '/plugins_tools\/xpi/ d' configure.ac || die
+
+	# hardcoded lsb_info
+	sed -i \
+		-e "s:get_lsb_info('i'):strdup(_(\"Gentoo\")):" \
+		-e "s:get_lsb_info('r'):strdup(_(\"n/a\")):" \
+		-e "s:get_lsb_info('c'):strdup(_(\"n/a\")):" \
+		plugins_tools/aboutmw/gtk/about-main.c || die
+
+	# Fix libdir for pkcs11_manifestdir
+	sed -i \
+		-e "/pkcs11_manifestdir/ s:prefix)/lib:libdir):" \
+		cardcomm/pkcs11/src/Makefile.am || die
+
+	# See bug #691308
+	eapply "${FILESDIR}/eid-sign-test-${PV}.patch"
+
+	eautoreconf
+}
+
+src_configure() {
+	econf \
+		$(use_enable dialogs) \
+		$(use_enable p11v220) \
+		$(use_enable p11-kit p11kit) \
+		$(use_with gtk gtkvers 'detect') \
+		--with-gnu-ld \
+		--disable-static
+}
+
+src_install() {
+	default
+	rm -r "${ED}"/usr/$(get_libdir)/*.la || die
+	if use gtk; then
+		domenu plugins_tools/eid-viewer/eid-viewer.desktop
+		doicon plugins_tools/eid-viewer/gtk/eid-viewer.png
+	fi
+}
+
+pkg_postinst(){
+	if use gtk; then
+		gnome2_schemas_update
+		xdg_desktop_database_update
+		xdg_icon_cache_update
+	fi
+}
+
+pkg_postrm(){
+	if use gtk; then
+		gnome2_schemas_update
+		xdg_desktop_database_update
+		xdg_icon_cache_update
+	fi
+}
diff --git a/app-crypt/eid-mw/files/eid-sign-test-4.4.19.patch b/app-crypt/eid-mw/files/eid-sign-test-4.4.19.patch
new file mode 100644
index 000000000000..cf59f99a8ea7
--- /dev/null
+++ b/app-crypt/eid-mw/files/eid-sign-test-4.4.19.patch
@@ -0,0 +1,272 @@
+--- eid-mw-4.4.19/tests/unit/sign.c	2019-07-11 16:08:46.000000000 +0200
++++ eid-mw-git/tests/unit/sign.c	2019-08-04 17:40:08.683942928 +0200
+@@ -19,10 +19,13 @@
+ **************************************************************************** */
+ #ifdef WIN32
+ #include <win32.h>
++#pragma pack(push, cryptoki, 1)
++#include "pkcs11.h"
++#pragma pack(pop, cryptoki)
+ #else
+ #include <unix.h>
+-#endif
+ #include <pkcs11.h>
++#endif
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
+@@ -33,66 +36,88 @@
+ #include <config.h>
+ #endif
+ 
++#include <stdbool.h>
++
+ #if HAVE_OPENSSL
+-#include <openssl/rsa.h>
++#include <openssl/opensslv.h>
++#include <openssl/evp.h>
+ #include <openssl/engine.h>
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+-static int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
+-	if(!r || !n || !e) {
+-		return 0;
+-	}
+-	r->n = n;
+-	r->e = e;
+-	r->d = d;
+-	return 1;
+-}
+-#endif
+-
+-CK_BYTE digest_sha256[] = {
+-                0x2c, 0x26, 0xb4, 0x6b,
+-                0x68, 0xff, 0xc6, 0x8f,
+-                0xf9, 0x9b, 0x45, 0x3c,
+-                0x1d, 0x30, 0x41, 0x34,
+-                0x13, 0x42, 0x2d, 0x70,
+-		0x64, 0x83, 0xbf, 0xa0,
+-		0xf9, 0x8a, 0x5e, 0x88,
+-		0x62, 0x66, 0xe7, 0xae
+-};
+-
+-int verify_sig(unsigned char* sig, CK_ULONG siglen, CK_BYTE_PTR modulus, CK_ULONG modlen, CK_BYTE_PTR exponent, CK_ULONG explen) {
+-	RSA* rsa = RSA_new();
+-	unsigned char* s = malloc(siglen);
+-	int ret;
+-
+-	RSA_set0_key(rsa, BN_bin2bn(modulus, (int) modlen, NULL), BN_bin2bn(exponent, (int) explen, NULL), NULL);
+-
+-	int v = RSA_verify(NID_sha256, digest_sha256, sizeof(digest_sha256), sig, siglen, rsa);
+-
+-	printf("Signature verification returned: %d\n", v);
+-	if(!v) {
+-		unsigned long e = ERR_get_error();
+-		printf("error %ld: %s\n", e, ERR_error_string(e, NULL));
+-		ret = TEST_RV_FAIL;
+-	} else {
+-		ret = TEST_RV_OK;
++// These were copied from eid-test-ca:derencode.c
++int verify_sig(const unsigned char *sig_in, CK_ULONG siglen, const unsigned char *certificate, size_t certlen, bool is_rsa) {
++#if OPENSSL_VERSION_NUMBER > 0x10100000L
++	X509 *cert = NULL;
++	EVP_PKEY *pkey = NULL;
++	EVP_MD_CTX *mdctx;
++	EVP_PKEY_CTX *pctx;
++	const EVP_MD *md = EVP_get_digestbyname("sha256");
++	unsigned char *sig = (unsigned char*)sig_in;
++
++	if(d2i_X509(&cert, &certificate, certlen) == NULL) {
++		fprintf(stderr, "E: could not parse X509 certificate\n");
++		return TEST_RV_FAIL;
++	}
++	pkey = X509_get0_pubkey(cert);
++	if(pkey == NULL) {
++		fprintf(stderr, "E: could not find public key in certificate\n");
++		return TEST_RV_FAIL;
++	}
++	mdctx = EVP_MD_CTX_new();
++	if(EVP_DigestVerifyInit(mdctx, &pctx, md, NULL, pkey) != 1) {
++		fprintf(stderr, "E: initialization for signature validation failed!\n");
++		return TEST_RV_FAIL;
++	}
++	if(EVP_DigestVerifyUpdate(mdctx, (const unsigned char*)"foo", 3) != 1) {
++		fprintf(stderr, "E: hashing for signature failed!\n");
++		return TEST_RV_FAIL;
+ 	}
+ 
+-	free(s);
+-	RSA_free(rsa);
+-
+-	return ret;
++	ECDSA_SIG* ec_sig;
++	if(!is_rsa) {
++		BIGNUM *r;
++		BIGNUM *s;
++		ec_sig = ECDSA_SIG_new();
++		if((r = BN_bin2bn(sig, siglen / 2, NULL)) == NULL) {
++			fprintf(stderr, "E: could not convert R part of ECDSA signature!\n");
++			return TEST_RV_FAIL;
++		}
++		if((s = BN_bin2bn(sig + (siglen / 2), siglen / 2, NULL)) == NULL) {
++			fprintf(stderr, "E: could not convert S part of ECDSA signature!\n");
++			return TEST_RV_FAIL;
++		}
++		if(ECDSA_SIG_set0(ec_sig, r, s) == 0) {
++			fprintf(stderr, "E: could not set ECDSA_SIG structure!\n");
++			return TEST_RV_FAIL;
++		}
++		siglen = i2d_ECDSA_SIG(ec_sig, NULL);
++		unsigned char *dersig = sig = malloc(siglen);
++		siglen = i2d_ECDSA_SIG(ec_sig, &dersig);
++	}
++	if(EVP_DigestVerifyFinal(mdctx, sig, siglen) != 1) {
++		fprintf(stderr, "E: signature fails validation!\n");
++		return TEST_RV_FAIL;
++	}
++	if(!is_rsa) {
++		free(sig);
++	}
++	printf("signature verified\n");
++	return TEST_RV_OK;
++#else
++	printf("OpenSSL too old for verification\n");
++#endif
+ }
+-
+ #endif
+ 
+-int test_key(char* label, CK_SESSION_HANDLE session, CK_SLOT_ID slot EIDT_UNUSED) {
++int test_key(char* label, CK_SESSION_HANDLE session, CK_SLOT_ID slot) {
+ 	CK_ATTRIBUTE attr[2];
+ 	CK_MECHANISM mech;
++	CK_MECHANISM_TYPE_PTR mechlist;
+ 	CK_BYTE data[] = { 'f', 'o', 'o' };
+ 	CK_BYTE_PTR sig, mod, exp;
+ 	CK_ULONG sig_len, type, count;
+-	CK_OBJECT_HANDLE privatekey, publickey;
++	CK_OBJECT_HANDLE privatekey, publickey, certificate;
++	bool is_rsa = false;
++	int i;
+ 
+ 	attr[0].type = CKA_CLASS;
+ 	attr[0].pValue = &type;
+@@ -113,7 +138,22 @@
+ 		return TEST_RV_SKIP;
+ 	}
+ 
+-	mech.mechanism = CKM_SHA256_RSA_PKCS;
++	check_rv(C_GetMechanismList(slot, NULL_PTR, &count));
++	mechlist = malloc(sizeof(CK_MECHANISM_TYPE) * count);
++#undef CHECK_RV_DEALLOCATE
++#define CHECK_RV_DEALLOCATE free(mechlist)
++
++	check_rv(C_GetMechanismList(slot, mechlist, &count));
++
++	for(i=0; i<count; i++) {
++		if(mechlist[i] == CKM_SHA256_RSA_PKCS) {
++			mech.mechanism = mechlist[i];
++			i=count;
++			is_rsa = true;
++			break;
++		}
++	}
++
+ 	check_rv(C_SignInit(session, &mech, privatekey));
+ 
+ 	check_rv(C_Sign(session, data, sizeof(data), NULL, &sig_len));
+@@ -124,42 +164,68 @@
+ 
+ 	hex_dump((char*)sig, sig_len);
+ 
+-	type = CKO_PUBLIC_KEY;
+-	check_rv(C_FindObjectsInit(session, attr, 2));
+-	check_rv(C_FindObjects(session, &publickey, 1, &count));
+-	verbose_assert(count == 1);
+-	check_rv(C_FindObjectsFinal(session));
++	if(is_rsa) {
++		type = CKO_PUBLIC_KEY;
++		check_rv(C_FindObjectsInit(session, attr, 2));
++		check_rv(C_FindObjects(session, &publickey, 1, &count));
++		verbose_assert(count == 1);
++		check_rv(C_FindObjectsFinal(session));
+ 
+-	attr[0].type = CKA_MODULUS;
+-	attr[0].pValue = NULL_PTR;
+-	attr[0].ulValueLen = 0;
++		attr[0].type = CKA_MODULUS;
++		attr[0].pValue = NULL_PTR;
++		attr[0].ulValueLen = 0;
+ 
+-	attr[1].type = CKA_PUBLIC_EXPONENT;
+-	attr[1].pValue = NULL_PTR;
+-	attr[1].ulValueLen = 0;
++		attr[1].type = CKA_PUBLIC_EXPONENT;
++		attr[1].pValue = NULL_PTR;
++		attr[1].ulValueLen = 0;
+ 
+-	check_rv(C_GetAttributeValue(session, publickey, attr, 2));
++		check_rv(C_GetAttributeValue(session, publickey, attr, 2));
+ 
+-	verbose_assert(attr[0].ulValueLen == sig_len);
++		verbose_assert(attr[0].ulValueLen == sig_len);
+ 
+-	mod = malloc(attr[0].ulValueLen);
+-	mod[0] = 0xde; mod[1] = 0xad; mod[2] = 0xbe; mod[3] = 0xef;
+-	exp = malloc(attr[1].ulValueLen);
+-	exp[0] = 0xde; exp[1] = 0xad; exp[2] = 0xbe; exp[3] = 0xef;
++		mod = malloc(attr[0].ulValueLen);
++		mod[0] = 0xde; mod[1] = 0xad; mod[2] = 0xbe; mod[3] = 0xef;
++		exp = malloc(attr[1].ulValueLen);
++		exp[0] = 0xde; exp[1] = 0xad; exp[2] = 0xbe; exp[3] = 0xef;
+ 
+-	attr[0].pValue = mod;
+-	attr[1].pValue = exp;
++		attr[0].pValue = mod;
++		attr[1].pValue = exp;
+ 
+-	check_rv(C_GetAttributeValue(session, publickey, attr, 2));
++		check_rv(C_GetAttributeValue(session, publickey, attr, 2));
+ 
+-	printf("Received key modulus with length %lu:\n", attr[0].ulValueLen);
+-	hex_dump((char*)mod, attr[0].ulValueLen);
++		printf("Received key modulus with length %lu:\n", attr[0].ulValueLen);
++		hex_dump((char*)mod, attr[0].ulValueLen);
+ 
+-	printf("Received public exponent of key with length %lu:\n", attr[1].ulValueLen);
+-	hex_dump((char*)exp, attr[1].ulValueLen);
++		printf("Received public exponent of key with length %lu:\n", attr[1].ulValueLen);
++		hex_dump((char*)exp, attr[1].ulValueLen);
++	}
+ 
+-#if HAVE_OPENSSL
+-	return verify_sig(sig, sig_len, mod, attr[0].ulValueLen, exp, attr[1].ulValueLen);
++#if HAVE_OPENSSL && OPENSSL_VERSION_NUMBER > 0x10100000L
++	unsigned char cert[4096];
++	attr[0].type = CKA_CLASS;
++	attr[0].pValue = &type;
++	type = CKO_CERTIFICATE;
++	attr[0].ulValueLen = sizeof(CK_ULONG);
++
++	attr[1].type = CKA_LABEL;
++	attr[1].pValue = label;
++	attr[1].ulValueLen = strlen(label);
++
++	check_rv(C_FindObjectsInit(session, attr, 2));
++	check_rv(C_FindObjects(session, &certificate, 1, &count));
++	verbose_assert(count == 1);
++	check_rv(C_FindObjectsFinal(session));
++
++	attr[0].type = CKA_VALUE;
++	attr[0].pValue = cert;
++	attr[0].ulValueLen = sizeof(cert);
++
++	check_rv(C_GetAttributeValue(session, certificate, attr, 1));
++
++	printf("Received certificate with length %lu:\n", attr[0].ulValueLen);
++	hex_dump((char*)cert, attr[0].ulValueLen);
++
++	return verify_sig(sig, sig_len, cert, attr[0].ulValueLen, is_rsa);
+ #else
+ 	return TEST_RV_OK;
+ #endif