Postings by Nathaniel McCallum

yubico-piv-tool & p11-kit

So apparently yubico-piv-tool ships $libdir/*, but this
doesn't get picked up by p11-kit by default. I suspect it has gone
unnoticed largely because for most crucial operations the opensc
module also works with Yubikeys. However, this is not true for all
operations (in particular, in my case, key creation).

How can we make this happen? Is there some intentional reason Yubico's
PKCS#11 module has been excluded?

Update python-cffi in F23

I submitted an update in F23 to python-cffi 1.4.2. [1]

I do not anticipate any issues. However, because so many packages
depend on python-cffi, I would like some intentional testing before I
push the update.


For more information on the reasons behind the update, see the bugs
attached to the update. Thanks!

[1] -

python-cryptography 0.8.2 [F21/F22]

I have submitted new packages for python-cryptography to F21 and F22:

python-cryptography-0.8.2-1.fc22
python-cryptography-0.8.2-1.fc21

This includes an upstream fix and a fix for a missing dependency
(python*-pyasn1). Please test. Thanks!


python-yubico updates (testing wanted)

I have just created updates for python-yubico. This new upstream
release just adds support for new YubiKey devices (such as YubiKey
NEO). I'd love some testing!

To test:
1. Install the new python-yubico package
2. Insert your YubiKey
3. Run:
$ python -c 'import yubico; yubico.find_yubikey()'

If this command silently returns, everything should be working.


OpenSSL missing NIST p224r1

On Fedora 21, OpenSSL doesn't appear to support NIST p224r1, but *does*
support other NIST curves. I presume this was intentional, but I'm not
sure why. Can someone enlighten me?

$ openssl ecparam -list_curves
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field


Rawhide LDFLAGS (-pie)

FreeIPA is experiencing a build failure in Koji Rawhide.

This is due to -pie being present in the LDFLAGS on rawhide. This in
turn requires that all code be compiled with -fPIC, which is not
normally required for simple executables. Nor is -fPIC being added to
the list of CFLAGS by Koji.

Where does this bug lie, and who needs to fix it? I could add -fPIC to
FreeIPA, but this doesn't seem correct.