p11-kit package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>

SOURCES/p11-kit-doc.patch

@@ -0,0 +1,25 @@
+From 14c50e25d8280ce81a323ef79a71a66892b65f1a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Mon, 12 Jun 2017 15:38:21 +0200
+Subject: [PATCH] doc: Use correct PKCS#11 URI syntax
+
+---
+ doc/manual/trust.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/manual/trust.xml b/doc/manual/trust.xml
+index f6f2b3e..14dcbba 100644
+--- a/doc/manual/trust.xml
++++ b/doc/manual/trust.xml
+@@ -157,7 +157,7 @@ $ trust list
+ <programlisting>
+ $ trust anchor /path/to/certificate.crt
+ $ trust anchor --remove /path/to/certificate.crt
+-$ trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;object-type=cert"
++$ trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"
+ </programlisting>
+ 
+ 	<para>Store or remove trust anchors in the trust policy store. These are
+-- 
+2.9.4
+

SOURCES/p11-kit-modifiable.patch

@@ -0,0 +1,256 @@
+From acf8c4a91a76bf8049f6bfbd95b04e2e36bae4ea Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Thu, 18 May 2017 10:45:26 +0200
+Subject: [PATCH 1/2] Revert "trust: Honor "modifiable" setting in persist
+ file"
+
+This reverts commit 8eed1e60b0921d05872e2f43eee9088cef038d7e, which
+broke "trust anchor --remove".
+---
+ trust/input/verisign-v1.p11-kit |  1 -
+ trust/parser.c                  | 10 +---------
+ trust/test-parser.c             |  1 -
+ 3 files changed, 1 insertion(+), 11 deletions(-)
+
+diff --git a/trust/input/verisign-v1.p11-kit b/trust/input/verisign-v1.p11-kit
+index aea49ea..eaa080d 100644
+--- a/trust/input/verisign-v1.p11-kit
++++ b/trust/input/verisign-v1.p11-kit
+@@ -1,6 +1,5 @@
+ [p11-kit-object-v1]
+ trusted: true
+-modifiable: false
+ 
+ -----BEGIN CERTIFICATE-----
+ MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG
+diff --git a/trust/parser.c b/trust/parser.c
+index 52d1128..41513d4 100644
+--- a/trust/parser.c
++++ b/trust/parser.c
+@@ -610,7 +610,6 @@ p11_parser_format_persist (p11_parser *parser,
+ {
+ 	CK_BBOOL modifiablev = CK_TRUE;
+ 	CK_ATTRIBUTE *attrs;
+-	CK_ATTRIBUTE *attr;
+ 	p11_array *objects;
+ 	bool ret;
+ 	int i;
+@@ -631,14 +630,7 @@ p11_parser_format_persist (p11_parser *parser,
+ 	ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
+ 	if (ret) {
+ 		for (i = 0; i < objects->num; i++) {
+-			/* By default, we mark objects read from a persist
+-			 * file as modifiable, as the persist format is
+-			 * writable.  However, if CKA_MODIFIABLE is explictly
+-			 * set in the file, respect the setting.  */
+-			attrs = objects->elem[i];
+-			attr = p11_attrs_find_valid (objects->elem[i], CKA_MODIFIABLE);
+-			if (!attr)
+-				attrs = p11_attrs_build (attrs, &modifiable, NULL);
++			attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
+ 			sink_object (parser, attrs);
+ 		}
+ 	}
+diff --git a/trust/test-parser.c b/trust/test-parser.c
+index 088cff9..b5c2525 100644
+--- a/trust/test-parser.c
++++ b/trust/test-parser.c
+@@ -168,7 +168,6 @@ test_parse_p11_kit_persist (void)
+ 		{ CKA_CLASS, &certificate, sizeof (certificate) },
+ 		{ CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) },
+ 		{ CKA_TRUSTED, &truev, sizeof (truev) },
+-		{ CKA_MODIFIABLE, &falsev, sizeof (falsev) },
+ 		{ CKA_X_DISTRUSTED, &falsev, sizeof (falsev) },
+ 		{ CKA_INVALID },
+ 	};
+-- 
+2.9.4
+
+
+From 66c6a7e912d39d66cd4cc91375ac7be418bf7176 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Thu, 18 May 2017 11:11:45 +0200
+Subject: [PATCH 2/2] trust: Check magic comment in persist file for
+ modifiablity
+
+A persistent file written by the trust module starts with the line "#
+This file has been auto-generated and written by p11-kit".  This can
+be used as a magic word to determine whether the objects read from a
+.p11-kit file are read-only.
+---
+ trust/parser.c     | 6 +++++-
+ trust/persist.c    | 9 ++++++++-
+ trust/test-token.c | 1 +
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/trust/parser.c b/trust/parser.c
+index 41513d4..abe86fc 100644
+--- a/trust/parser.c
++++ b/trust/parser.c
+@@ -49,6 +49,7 @@
+ #include "pem.h"
+ #include "pkcs11x.h"
+ #include "persist.h"
++#include "types.h"
+ #include "x509.h"
+ 
+ #include <libtasn1.h>
+@@ -630,7 +631,10 @@ p11_parser_format_persist (p11_parser *parser,
+ 	ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
+ 	if (ret) {
+ 		for (i = 0; i < objects->num; i++) {
+-			attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
++			CK_BBOOL generatedv;
++			attrs = objects->elem[i];
++			if (p11_attrs_find_bool (attrs, CKA_X_GENERATED, &generatedv) && generatedv)
++				attrs = p11_attrs_build (attrs, &modifiable, NULL);
+ 			sink_object (parser, attrs);
+ 		}
+ 	}
+diff --git a/trust/persist.c b/trust/persist.c
+index 63a531e..928260e 100644
+--- a/trust/persist.c
++++ b/trust/persist.c
+@@ -631,6 +631,9 @@ p11_persist_read (p11_persist *persist,
+ 	CK_ATTRIBUTE *attrs;
+ 	bool failed;
+ 	bool skip;
++	CK_BBOOL generatedv = CK_FALSE;
++	CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) };
++	static const char comment[] = "# This file has been auto-generated and written by p11-kit.";
+ 
+ 	return_val_if_fail (persist != NULL, false);
+ 	return_val_if_fail (objects != NULL, false);
+@@ -639,6 +642,10 @@ p11_persist_read (p11_persist *persist,
+ 	attrs = NULL;
+ 	failed = false;
+ 
++	if (length >= sizeof (comment) - 1 &&
++	    memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0)
++		generatedv = CK_TRUE;
++
+ 	p11_lexer_init (&lexer, filename, (const char *)data, length);
+ 	while (p11_lexer_next (&lexer, &failed)) {
+ 		switch (lexer.tok_type) {
+@@ -650,7 +657,7 @@ p11_persist_read (p11_persist *persist,
+ 				p11_lexer_msg (&lexer, "unrecognized or invalid section header");
+ 				skip = true;
+ 			} else {
+-				attrs = p11_attrs_build (NULL, NULL);
++				attrs = p11_attrs_build (NULL, &generated, NULL);
+ 				return_val_if_fail (attrs != NULL, false);
+ 				skip = false;
+ 			}
+diff --git a/trust/test-token.c b/trust/test-token.c
+index ad22fcb..3e7d735 100644
+--- a/trust/test-token.c
++++ b/trust/test-token.c
+@@ -610,6 +610,7 @@ static void
+ test_modify_multiple (void)
+ {
+ 	const char *test_data =
++		"# This file has been auto-generated and written by p11-kit.\n"
+ 		"[p11-kit-object-v1]\n"
+ 		"class: data\n"
+ 		"label: \"first\"\n"
+-- 
+2.9.4
+
+From d661194319f2375c1764125b449bf924c0cbc8a1 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Thu, 18 May 2017 14:27:36 +0200
+Subject: [PATCH] trust: Simplify the check for the magic
+
+Instead of reusing the CKA_X_GENERATED attribute, check the file
+contents directly in the caller side.
+---
+ trust/parser.c  |  7 +++----
+ trust/persist.c | 19 +++++++++++--------
+ trust/persist.h |  3 +++
+ 3 files changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/trust/parser.c b/trust/parser.c
+index abe86fc..f92cdc9 100644
+--- a/trust/parser.c
++++ b/trust/parser.c
+@@ -630,11 +630,10 @@ p11_parser_format_persist (p11_parser *parser,
+ 
+ 	ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
+ 	if (ret) {
++		if (!p11_persist_is_generated (data, length))
++			modifiablev = CK_FALSE;
+ 		for (i = 0; i < objects->num; i++) {
+-			CK_BBOOL generatedv;
+-			attrs = objects->elem[i];
+-			if (p11_attrs_find_bool (attrs, CKA_X_GENERATED, &generatedv) && generatedv)
+-				attrs = p11_attrs_build (attrs, &modifiable, NULL);
++			attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
+ 			sink_object (parser, attrs);
+ 		}
+ 	}
+diff --git a/trust/persist.c b/trust/persist.c
+index 928260e..887b316 100644
+--- a/trust/persist.c
++++ b/trust/persist.c
+@@ -70,6 +70,16 @@ p11_persist_magic (const unsigned char *data,
+ 	return (strnstr ((char *)data, "[" PERSIST_HEADER "]", length) != NULL);
+ }
+ 
++bool
++p11_persist_is_generated (const unsigned char *data,
++			  size_t length)
++{
++	static const char comment[] =
++		"# This file has been auto-generated and written by p11-kit.";
++	return length >= sizeof (comment) - 1 &&
++		memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0;
++}
++
+ p11_persist *
+ p11_persist_new (void)
+ {
+@@ -631,9 +641,6 @@ p11_persist_read (p11_persist *persist,
+ 	CK_ATTRIBUTE *attrs;
+ 	bool failed;
+ 	bool skip;
+-	CK_BBOOL generatedv = CK_FALSE;
+-	CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) };
+-	static const char comment[] = "# This file has been auto-generated and written by p11-kit.";
+ 
+ 	return_val_if_fail (persist != NULL, false);
+ 	return_val_if_fail (objects != NULL, false);
+@@ -642,10 +649,6 @@ p11_persist_read (p11_persist *persist,
+ 	attrs = NULL;
+ 	failed = false;
+ 
+-	if (length >= sizeof (comment) - 1 &&
+-	    memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0)
+-		generatedv = CK_TRUE;
+-
+ 	p11_lexer_init (&lexer, filename, (const char *)data, length);
+ 	while (p11_lexer_next (&lexer, &failed)) {
+ 		switch (lexer.tok_type) {
+@@ -657,7 +660,7 @@ p11_persist_read (p11_persist *persist,
+ 				p11_lexer_msg (&lexer, "unrecognized or invalid section header");
+ 				skip = true;
+ 			} else {
+-				attrs = p11_attrs_build (NULL, &generated, NULL);
++				attrs = p11_attrs_build (NULL, NULL);
+ 				return_val_if_fail (attrs != NULL, false);
+ 				skip = false;
+ 			}
+diff --git a/trust/persist.h b/trust/persist.h
+index 0ef142c..6344e4e 100644
+--- a/trust/persist.h
++++ b/trust/persist.h
+@@ -60,4 +60,7 @@ bool             p11_persist_write  (p11_persist *persist,
+ 
+ void             p11_persist_free   (p11_persist *persist);
+ 
++bool             p11_persist_is_generated (const unsigned char *data,
++					   size_t length);
++
+ #endif /* P11_PERSIST_H_ */
+-- 
+2.9.4
+

SOURCES/p11-kit-oaep.patch

@@ -0,0 +1,38 @@
+From c11a951a24b91f80e109951b0fe2ce418ea70f17 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Tue, 23 May 2017 11:55:25 +0200
+Subject: [PATCH] pkcs11: Make CK_RSA_PKCS_OAEP_PARAMS useful
+
+---
+ common/pkcs11.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/common/pkcs11.h b/common/pkcs11.h
+index 357c9bb..ad1cdec 100644
+--- a/common/pkcs11.h
++++ b/common/pkcs11.h
+@@ -738,6 +738,12 @@ struct ck_mechanism_info
+   ck_flags_t flags;
+ };
+ 
++#define CKG_MGF1_SHA1 0x00000001UL
++#define CKG_MGF1_SHA224 0x00000005UL
++#define CKG_MGF1_SHA256 0x00000002UL
++#define CKG_MGF1_SHA384 0x00000003UL
++#define CKG_MGF1_SHA512 0x00000004UL
++
+ typedef unsigned long ck_rsa_pkcs_mgf_type_t;
+ typedef unsigned long ck_rsa_pkcs_oaep_source_type_t;
+ 
+@@ -1319,7 +1325,7 @@ typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
+ typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
+ typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
+ 
+-typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAM;
++typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
+ typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
+ 
+ #define NULL_PTR NULL
+-- 
+2.9.4
+

SOURCES/p11-kit-strerror.patch

@@ -0,0 +1,17 @@
+diff -up ./p11-kit/rpc-transport.c.strerror ./p11-kit/rpc-transport.c
+--- ./p11-kit/rpc-transport.c.strerror	2017-06-12 11:44:45.799209430 +0200
++++ ./p11-kit/rpc-transport.c	2017-06-12 11:46:41.979498070 +0200
+@@ -1065,7 +1065,12 @@ rpc_unix_connect (p11_rpc_client_vtable
+ 	}
+ 
+ 	if (connect (fd, (struct sockaddr *)&run->sa, sizeof (run->sa)) < 0) {
+-		p11_debug ("failed to connect to socket: %s", strerror (errno));
++		int errn = errno;
++		char strerr[P11_MESSAGE_MAX];
++		snprintf (strerr, sizeof (strerr), "Unknown error %d", errn);
++		strerror_r (errn, strerr, sizeof (strerr));
++		strerr[P11_MESSAGE_MAX - 1] = 0;
++		p11_debug ("failed to connect to socket: %s", strerr);
+ 		close (fd);
+ 		return CKR_DEVICE_REMOVED;
+ 	}

SOURCES/trust-extract-compat

@@ -0,0 +1,16 @@
+#!/usr/bin/bash
+
+set -e
+
+if test "$UID" != "0"; then
+	echo "p11-kit: the 'extract-trust' command must be run as root" >&2
+	exit 2
+fi
+
+if test $# -gt 1; then
+	echo "p11-kit: no additional arguments are supported for this command" >&2
+	exit 2
+fi
+
+exec /usr/bin/update-ca-trust
+

SPECS/p11-kit.spec

@@ -0,0 +1,304 @@
+Name:           p11-kit
+Version:        0.23.5
+Release:        3%{?dist}
+Summary:        Library for loading and sharing PKCS#11 modules
+
+License:        BSD
+URL:            http://p11-glue.freedesktop.org/p11-kit.html
+Source0:        http://p11-glue.freedesktop.org/releases/p11-kit-%{version}.tar.gz
+Source1:        trust-extract-compat
+Patch0:		p11-kit-modifiable.patch
+Patch1:		p11-kit-strerror.patch
+Patch2:		p11-kit-oaep.patch
+Patch3:		p11-kit-doc.patch
+
+BuildRequires:  libtasn1-devel >= 2.3
+BuildRequires:  nss-softokn-freebl
+BuildRequires:	libffi-devel
+BuildRequires:	gtk-doc
+
+%description
+p11-kit provides a way to load and enumerate PKCS#11 modules, as well
+as a standard configuration setup for installing PKCS#11 modules in
+such a way that they're discoverable.
+
+%package devel
+Summary:        Development files for %{name}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+%package doc
+Summary:        Documentation files for %{name}
+BuildArch:	noarch
+
+%description doc
+The %{name}-doc package contains additional documentation for p11-kit
+and developing applications to take advantage of it.
+
+%package trust
+Summary:        System trust module from %{name}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires(post):   %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+Conflicts:        nss < 3.14.3-9
+
+%description trust
+The %{name}-trust package contains a system trust PKCS#11 module which
+contains certificate anchors and black lists.
+
+
+# solution taken from icedtea-web.spec
+%define multilib_arches ppc64 sparc64 x86_64 s390x
+%ifarch %{multilib_arches}
+%define alt_ckbi  libnssckbi.so.%{_arch}
+%else
+%define alt_ckbi  libnssckbi.so
+%endif
+
+
+%prep
+%autosetup -p1
+
+%build
+# These paths are the source paths that  come from the plan here:
+# https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks
+%configure --disable-static --enable-doc --with-trust-paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source --with-hash-impl=freebl --disable-silent-rules
+make %{?_smp_mflags} V=1
+
+%install
+make install DESTDIR=$RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/modules
+rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
+rm -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/*.la
+install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/
+# Install the example conf with %%doc instead
+rm $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example
+# We don't support PKCS#11 forwarding in RHEL-7 yet
+rm -f $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/p11-kit-server
+rm -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/p11-kit-client.so
+
+%check
+make check
+
+
+%post -p /sbin/ldconfig
+
+%post trust
+%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
+	%{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
+
+# Fix bad links from earlier p11-kit packages which didn't include s390x
+%posttrans trust
+%ifarch s390x
+if %{_sbindir}/update-alternatives --display libnssckbi.so | grep -q lib64; then
+    %{_sbindir}/update-alternatives --remove libnssckbi.so %{_libdir}/pkcs11/p11-kit-trust.so
+    if test -e /usr/lib/nss/libnssckbi.so; then
+        %{_sbindir}/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/nss/libnssckbi.so 10
+    fi
+fi
+%endif
+
+%postun -p /sbin/ldconfig
+
+%postun trust
+if [ $1 -eq 0 ] ; then
+	# package removal
+	%{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
+fi
+
+
+%files
+%doc AUTHORS COPYING NEWS README
+%doc p11-kit/pkcs11.conf.example
+%dir %{_sysconfdir}/pkcs11
+%dir %{_sysconfdir}/pkcs11/modules
+%dir %{_datadir}/p11-kit
+%dir %{_datadir}/p11-kit/modules
+%dir %{_libexecdir}/p11-kit
+%{_bindir}/p11-kit
+%{_libdir}/libp11-kit.so.*
+%{_libdir}/p11-kit-proxy.so
+%{_libexecdir}/p11-kit/p11-kit-remote
+%{_mandir}/man8/p11-kit.8.gz
+%{_mandir}/man5/pkcs11.conf.5.gz
+
+%files devel
+%{_includedir}/p11-kit-1/
+%{_libdir}/libp11-kit.so
+%{_libdir}/pkgconfig/p11-kit-1.pc
+
+%files doc
+%doc %{_datadir}/gtk-doc/
+
+%files trust
+%{_bindir}/trust
+%{_mandir}/man1/trust.1.gz
+%{_libdir}/pkcs11/p11-kit-trust.so
+%{_datadir}/p11-kit/modules/p11-kit-trust.module
+%{_libexecdir}/p11-kit/trust-extract-compat
+
+
+%changelog
+* Mon Jun 12 2017 Daiki Ueno <dueno@redhat.com> - 0.23.5-3
+- Avoid reference to thread-unsafe strerror rhbz#1378947
+- Fix PKCS#11 OAEP interface rhbz#1191209
+- Update documentation to follow RFC7512 rhbz#1165977
+
+* Thu May 18 2017 Daiki Ueno <dueno@redhat.com> - 0.23.5-2
+- Make "trust anchor --remove" work again
+
+* Mon Mar  6 2017 Daiki Ueno <dueno@redhat.com> - 0.23.5-1
+- Rebase to upstream version 0.23.5
+
+* Wed Feb 22 2017 Daiki Ueno <dueno@redhat.com> - 0.23.4-1
+- Rebase to upstream version 0.23.4
+
+* Thu Jan 08 2015 Stef Walter <stefw@redhat.com> - 0.20.7-3
+- Fix incorrect alternative links for s390 and s390x rhbz#1174178
+
+* Sun Oct 05 2014 Stef Walter <stefw@redhat.com> - 0.20.7-2
+- Fix deadlock related to forking and pthread_atfork rhbz#1148774
+
+* Thu Sep 18 2014 Stef Walter <stefw@redhat.com> - 0.20.7-1
+- Update to upstream stable 0.20.7 release
+- Expose pkcs11x.h header and defines for attached extensions rhbz#1142305
+
+* Tue Sep 09 2014 Stef Walter <stefw@redhat.com> - 0.20.6-1
+- Update to upstream stable 0.20.6 release
+- Respect critical = no in p11-kit-proxy.so rhbz#1128615
+
+* Fri Sep 05 2014 Stef Walter <stefw@redhat.com> - 0.20.5-1
+- Update to upstream version 0.20.5
+- Fixes several issues highlighted at rhbz#1128218
+
+* Thu Aug 07 2014 Stef Walter <stefw@redhat.com> - 0.20.4-1
+- Rebase to upstream version 0.20.x (#1122528)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 0.18.7-4
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 0.18.7-3
+- Mass rebuild 2013-12-27
+
+* Mon Nov 04 2013 Stef Walter <stefw@redhat.com> - 0.18.7-2
+- Move devel docs into subpackage due to gtk-doc multilib incompatibility (#983176)
+
+* Thu Oct 10 2013 Stef Walter <stefw@redhat.com> - 0.18.7-1
+- Update to new upstream point release for RHEL bug fixes
+
+* Thu Jul 18 2013 Stef Walter <stefw@redhat.com> - 0.18.5-1
+- Update to new upstream point release
+- Use freebl for hash algorithms
+- Don't load configs in home dir when setuid or setgid
+- Use $TMPDIR instead of $TEMP while testing
+- Open files and fds with O_CLOEXEC
+- Abort initialization if critical module fails to load
+- Don't use thread-unsafe: strerror, getpwuid
+- Fix p11_kit_space_strlen() result when empty string
+
+* Tue Jun 25 2013 Stef Walter <stefw@redhat.com> - 0.18.4-1
+- Fix running the extract-trust external command
+
+* Wed Jun 05 2013 Stef Walter <stefw@redhat.com> - 0.18.3-1
+- Update to new upstream stable release
+- Fix intermittent firefox cert validation issues (#960230)
+- Include the manual pages in the package
+
+* Tue May 14 2013 Stef Walter <stefw@redhat.com> - 0.18.2-1
+- Update to new upstream stable release
+- Reduce the libtasn1 dependency minimum version
+
+* Thu May 02 2013 Stef Walter <stefw@redhat.com> - 0.18.1-1
+- Update to new upstream stable release
+- 'p11-kit extract-trust' lives in libdir
+
+* Thu Apr 04 2013 Stef Walter <stefw@redhat.com> - 0.18.0-1
+- Update to new upstream stable release
+- Various logging tweaks (#928914, #928750)
+- Make the 'p11-kit extract-trust' explicitly reject
+  additional arguments
+
+* Fri Mar 29 2013 Stef Walter <stefw@redhat.com> - 0.17.5-2
+- Fix problem with empathy connecting to Google Talk (#928913)
+
+* Thu Mar 28 2013 Stef Walter <stefw@redhat.com> - 0.17.5-1
+- Make 'p11-kit extract-trust' call update-ca-trust
+- Work around 32-bit oveflow of certificate dates
+- Build fixes
+
+* Tue Mar 26 2013 Stef Walter <stefw@redhat.com> - 0.17.4-2
+- Pull in patch from upstream to fix build on ppc (#927394)
+
+* Wed Mar 20 2013 Stef Walter <stefw@redhat.com> - 0.17.4-1
+- Update to upstream version 0.17.4
+
+* Mon Mar 18 2013 Stef Walter <stefw@redhat.com> - 0.17.3-1
+- Update to upstream version 0.17.3
+- Put the trust input paths in the right order
+
+* Tue Mar 12 2013 Stef Walter <stefw@redhat.com> - 0.16.4-1
+- Update to upstream version 0.16.4
+
+* Fri Mar 08 2013 Stef Walter <stefw@redhat.com> - 0.16.3-1
+- Update to upstream version 0.16.3
+- Split out system trust module into its own package.
+- p11-kit-trust provides an alternative to an nss module
+
+* Tue Mar 05 2013 Stef Walter <stefw@redhat.com> - 0.16.1-1
+- Update to upstream version 0.16.1
+- Setup source directories as appropriate for Shared System Certificates feature
+
+* Tue Mar 05 2013 Stef Walter <stefw@redhat.com> - 0.16.0-1
+- Update to upstream version 0.16.0
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Sep 17 2012 Kalev Lember <kalevlember@gmail.com> - 0.14-1
+- Update to 0.14
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jul 16 2012 Kalev Lember <kalevlember@gmail.com> - 0.13-1
+- Update to 0.13
+
+* Tue Mar 27 2012 Kalev Lember <kalevlember@gmail.com> - 0.12-1
+- Update to 0.12
+- Run self tests in %%check
+
+* Sat Feb 11 2012 Kalev Lember <kalevlember@gmail.com> - 0.11-1
+- Update to 0.11
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Dec 20 2011 Matthias Clasen <mclasen@redhat.com> - 0.9-1
+- Update to 0.9
+
+* Wed Oct 26 2011 Kalev Lember <kalevlember@gmail.com> - 0.8-1
+- Update to 0.8
+
+* Mon Sep 19 2011 Matthias Clasen <mclasen@redhat.com> - 0.6-1
+- Update to 0.6
+
+* Sun Sep 04 2011 Kalev Lember <kalevlember@gmail.com> - 0.5-1
+- Update to 0.5
+
+* Sun Aug 21 2011 Kalev Lember <kalevlember@gmail.com> - 0.4-1
+- Update to 0.4
+- Install the example config file to documentation directory
+
+* Wed Aug 17 2011 Kalev Lember <kalevlember@gmail.com> - 0.3-2
+- Tighten -devel subpackage deps (#725905)
+
+* Fri Jul 29 2011 Kalev Lember <kalevlember@gmail.com> - 0.3-1
+- Update to 0.3
+- Upstream rewrote the ASL 2.0 bits, which makes the whole package
+  BSD-licensed
+
+* Tue Jul 12 2011 Kalev Lember <kalevlember@gmail.com> - 0.2-1
+- Initial RPM release