proxy: initial import

gnupg-pkcs11-scd-proxy is a set of two utilities a client and a server
that can be used in order to load the gnupg-pkcs11-scd in a different
security context. this is usable when PKCS#11 provider is to be
isolated.

Author: alonbl

.gitignore

@@ -24,6 +24,10 @@ install-sh
 missing
 stamp-h1
 
+gnupg-pkcs11-scd-proxy/gnupg-pkcs11-scd-proxy
+gnupg-pkcs11-scd-proxy/gnupg-pkcs11-scd-proxy-server
+gnupg-pkcs11-scd-proxy/gnupg-pkcs11-scd-proxy.service
+gnupg-pkcs11-scd-proxy/gnupg-pkcs11-scd-proxy.service.in
 gnupg-pkcs11-scd.spec
 gnupg-pkcs11-scd/gnupg-pkcs11-scd
 

ChangeLog

@@ -6,6 +6,8 @@ Copyright (c) 2006-2017 Alon Bar-Lev <[email protected]>
 
  * Avoid dup of stdin/stdout so that the terminate assuan hack operational
    again.
+ * Introduce gnupg-pkcs11-scd-proxy to allow isolation of the PKCS#11
+   provider.
 
 2017-07-15 - Version 0.8.0
 

Makefile.am

@@ -45,6 +45,7 @@ MAINTAINERCLEANFILES = \
 
 SUBDIRS = \
 	gnupg-pkcs11-scd \
+	gnupg-pkcs11-scd-proxy \
 	distro \
 	$(NULL)
 

configure.ac

@@ -103,6 +103,34 @@ AC_ARG_ENABLE(
 	[enable_pedantic="no"]
 )
 
+AC_ARG_ENABLE(
+	[proxy],
+	[AC_HELP_STRING([--enable-proxy], [enable gnupg-pkcs11-scd-proxy])],
+	,
+	[enable_proxy="no"]
+)
+
+AC_ARG_WITH(
+	[proxy-socket],
+	[AC_HELP_STRING([--with-proxy-socket=FILE], [set proxy socket @<:@LOCALSTATEDIR/run/gnupg-pkcs11-scd-proxy/cmd@:>@])],
+	,
+	[with_proxy_socket="\${localstatedir}/run/gnupg-pkcs11-scd-server/cmd"]
+)
+
+AC_ARG_WITH(
+	[proxy-user],
+	[AC_HELP_STRING([--with-proxy-user=USER], [set proxy user @<:@gnupg-pkcs11-scd-proxy@:>@])],
+	,
+	[with_proxy_user="gnupg-pkcs11-scd-proxy"]
+)
+
+AC_ARG_WITH(
+	[proxy-group],
+	[AC_HELP_STRING([--with-proxy-group=GROUP], [set proxy group @<:@gnupg-pkcs11@:>@])],
+	,
+	[with_proxy_group="gnupg-pkcs11"]
+)
+
 AC_ARG_WITH(
 	[openssl],
 	[AC_HELP_STRING([--without-openssl], [disable OpenSSL linkage)])],
@@ -240,6 +268,12 @@ if test "${with_openssl}" = "no" -a "${with_gnutls}" = "no"; then
 	AC_MSG_ERROR([Cannot locate OpenSSL or GNUTLS])
 fi
 
+AC_SUBST([CONFIG_PROXY_SOCKET], [${with_proxy_socket}])
+AC_SUBST([CONFIG_PROXY_USER], [${with_proxy_user}])
+AC_SUBST([CONFIG_PROXY_GROUP], [${with_proxy_group}])
+AC_DEFINE_UNQUOTED([CONFIG_PROXY_GROUP], ["${with_proxy_group}"], [proxy group])
+AM_CONDITIONAL([ENABLE_PROXY], [test "${enable_proxy}" = "yes"])
+
 if test "${with_openssl}" = "yes"; then
 	AC_MSG_RESULT([Using OpenSSL])
 	AC_DEFINE([ENABLE_OPENSSL], [1], [Use OpenSSL library])
@@ -290,6 +324,8 @@ AC_DEFINE_UNQUOTED([CONFIG_SYSTEM_CONFIG], ["${SYSTEM_CONFIG}"], [system config]
 
 AC_CONFIG_FILES([
 	Makefile
+	gnupg-pkcs11-scd-proxy/Makefile
+	gnupg-pkcs11-scd-proxy/gnupg-pkcs11-scd-proxy.service.in
 	gnupg-pkcs11-scd/Makefile
 	distro/Makefile
 	distro/debian/Makefile

distro/rpm/gnupg-pkcs11-scd.spec.in

@@ -15,6 +15,7 @@ BuildRequires:	openssl-devel >= 0.9.7a
 BuildRequires:	pkcs11-helper-devel >= 1.03
 BuildRequires:	libassuan-devel
 BuildRequires:	libgcrypt-devel
+BuildRequires:	systemd
 Requires:	openssl >= 0.9.7a
 Requires:	pkcs11-helper >= 1.03
 Requires:	libassuan
@@ -25,20 +26,57 @@ gnupg-pkcs11-scd is a drop-in replacement for the smart-card daemon (scd) shippe
 next-generation GnuPG (gnupg-2). The daemon interfaces to smart-cards
 by using RSA Security Inc. PKCS#11 Cryptographic Token Interface (Cryptoki).
 
+%package proxy
+Summary:	GnuPG compatible smart-card proxy daemon for gnupg-pkcs11-scd
+Requires: 	%{name} = %{version}-%{release}
+Requires(pre):		/usr/sbin/useradd
+Requires(post):		systemd
+Requires(preun):	systemd
+Requires(postun):	systemd
+
+%description proxy
+A proxy for gnupg-pkcs11-scd.
+
+%pre proxy
+getent group gnupg-pkcs11-scd-proxy >/dev/null || groupadd -r gnupg-pkcs11-scd-proxy
+getent group gnupg-pkcs11 >/dev/null || groupadd -r gnupg-pkcs11
+getent passwd gnupg-pkcs11-scd-proxy >/dev/null || \
+	useradd -r -g gnupg-pkcs11-scd-proxy -G gnupg-pkcs11 -s /sbin/nologin \
+		-d / -c "gnupg-pkcs11-scd-proxy" gnupg-pkcs11-scd-proxy
+%post proxy
+%systemd_post gnupg-pkcs11-scd-proxy.service
+%preun proxy
+%systemd_preun gnupg-pkcs11-scd-proxy.service
+%postun proxy
+%systemd_postun gnupg-pkcs11-scd-proxy.service
+
 %prep
 %setup -q
 
 %build
-%configure
+%configure \
+	--enable-proxy \
+	--with-proxy-socket=/run/gnupg-pkcs11-scd-proxy/cmd \
+	%{nil}
 %{__make} %{?_smp_mflags}
 
 %install
 %{__make} %{?_smp_mflags} install DESTDIR="%{?buildroot}"
+install -dm 755 "%{buildroot}%{_unitdir}"
+install -m 644 "gnupg-pkcs11-scd-proxy/gnupg-pkcs11-scd-proxy.service" "%{buildroot}%{_unitdir}/"
 
 %files
-%{_bindir}/*
-%{_mandir}/man1/*
-%{_docdir}/%{name}/*
+%{_bindir}/gnupg-pkcs11-scd
+%{_mandir}/man1/gnupg-pkcs11-scd.*
+%{_docdir}/%{name}/COPYING
+%{_docdir}/%{name}/README
+%{_docdir}/%{name}/gnupg-pkcs11-scd.conf.example
+
+%files proxy
+%{_bindir}/gnupg-pkcs11-scd-proxy
+%{_bindir}/gnupg-pkcs11-scd-proxy-server
+%{_mandir}/man1/gnupg-pkcs11-scd-proxy.*
+%{_unitdir}/gnupg-pkcs11-scd-proxy.service
 
 %changelog
 * Mon Jan 15 2007 Eddy Nigg <[email protected]>

gnupg-pkcs11-scd-proxy/Makefile.am

@@ -0,0 +1,76 @@
+#
+# Copyright (c) 2006-2007 Zeljko Vrba <[email protected]>
+# Copyright (c) 2006-2017 Alon Bar-Lev <[email protected]>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+#     o Redistributions of source code must retain the above copyright notice,
+#       this list of conditions and the following disclaimer.
+#     o Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     o Neither the name of the <ORGANIZATION> nor the names of its
+#       contributors may be used to endorse or promote products derived from
+#       this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+MAINTAINERCLEANFILES = \
+	$(srcdir)/Makefile.in \
+	$(NULKL)
+CLEANFILES = \
+	gnupg-pkcs11-scd-proxy.1.html \
+	gnupg-pkcs11-scd-proxy.service \
+	$(NULL)
+
+SUFFIXES = .in
+
+AM_CPPFLAGS = \
+	-DCONFIG_PROXY_SOCKET='"@CONFIG_PROXY_SOCKET@"' \
+	-DCONFIG_SCD_BIN='"$(bindir)/gnupg-pkcs11-scd"' \
+	$(NULL)
+
+if ENABLE_PROXY
+bin_PROGRAMS = \
+	gnupg-pkcs11-scd-proxy \
+	gnupg-pkcs11-scd-proxy-server \
+	$(NULL)
+nodist_noinst_DATA = \
+	gnupg-pkcs11-scd-proxy.service \
+	$(NULL)
+dist_man_MANS = \
+	gnupg-pkcs11-scd-proxy.1 \
+	$(NULL)
+else
+EXTRA_DIST = \
+	gnupg-pkcs11-scd-proxy.1 \
+	$(NULL)
+endif
+
+gnupg_pkcs11_scd_proxy_SOURCES= \
+	gnupg-pkcs11-scd-proxy.c \
+	$(NULL)
+
+gnupg_pkcs11_scd_proxy_server_SOURCES= \
+	gnupg-pkcs11-scd-proxy-server.c \
+	$(NULL)
+
+
+.in:
+	sed \
+		-e 's#@bindir_POST[@]#$(bindir)#g' \
+		-e 's#@CONFIG_PROXY_SOCKET_POST[@]#$(CONFIG_PROXY_SOCKET)#g' \
+		< $< > $@