From: Jakub Jelen <jjelen@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/kryoptic] f44: Merge remote-tracking branch 'upstream/rawhide' into f44
Date: Fri, 05 Jun 2026 19:12:30 GMT [thread overview]
Message-ID: <178068675005.1.8031214982622260098.rpms-kryoptic-0a6779970d01@fedoraproject.org> (raw)
A new commit has been pushed.
Repo : rpms/kryoptic
Branch : f44
Commit : 0a6779970d0166e3a7858a5acd4882dc58ab4abd
Author : Jakub Jelen <jjelen@redhat.com>
Date : 2026-06-05T20:55:12+02:00
Stats : +183/-9 in 5 file(s)
URL : https://src.fedoraproject.org/rpms/kryoptic/c/0a6779970d0166e3a7858a5acd4882dc58ab4abd?branch=f44
Log:
Merge remote-tracking branch 'upstream/rawhide' into f44
---
diff --git a/.gitignore b/.gitignore
index 656dd15..b5534f3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,5 @@
/kryoptic-1.4.0.tar.gz.asc
/kryoptic-1.5.0.tar.gz
/kryoptic-1.5.0.tar.gz.asc
+/kryoptic-1.5.1.tar.gz
+/kryoptic-1.5.1.tar.gz.asc
diff --git a/kryoptic-deadlock.patch b/kryoptic-deadlock.patch
new file mode 100644
index 0000000..08604a1
--- /dev/null
+++ b/kryoptic-deadlock.patch
@@ -0,0 +1,38 @@
+From 5494395faecdd07b4473e6c2ef74a9f858c7c1f4 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Fri, 5 Jun 2026 11:55:15 -0400
+Subject: [PATCH] Fix potential deadlock by resetting config before finalizing
+ state
+
+This commit swaps the order of operations in the finalize function
+to ensure the global configuration is reset before the state is
+finalized. Although the write lock on STATE is supposed to be released
+before the CONFIG lock is acquired, we have observed deadlocks in some
+builds, likely because STATE does not immediately go out of scope.
+
+By ensuring the CONFIG lock is always acquired prior to the STATE lock,
+we align with the locking order used throughout the rest of the codebase
+and eliminate this potential deadlock.
+
+Assisted-by: Gemini <gemini@google.com>
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ src/fns/general.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/fns/general.rs b/src/fns/general.rs
+index 419bacf9..54c61059 100644
+--- a/src/fns/general.rs
++++ b/src/fns/general.rs
+@@ -97,9 +97,9 @@ pub extern "C" fn fn_initialize(init_args: CK_VOID_PTR) -> CK_RV {
+
+ #[inline(always)]
+ fn finalize(_reserved: CK_VOID_PTR) -> Result<()> {
+- let ret = STATE.wlock()?.finalize();
+ let mut conf = crate::CONFIG.wlock()?;
+ *conf = Config::new();
++ let ret = STATE.wlock()?.finalize();
+ if ret != CKR_OK {
+ return Err(ret)?;
+ }
+
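Review bot: In `finalize`, `*conf = Config::new();` now runs before `STATE.wlock()?`, so if taking the STATE lock fails the function returns with the global configuration already reset while the token state was never finalized; the old order returned before touching CONFIG in that case. Taking both guards first keeps the CONFIG-then-STATE order and avoids the half-reset: `let mut state = STATE.wlock()?;`, `let ret = state.finalize();`, then `*conf = Config::new();` (whether `mut` is needed depends on `finalize`'s receiver, which is not visible here). The ordering is the whole point of the fix and should be stated in the code, e.g. `// Lock order: CONFIG before STATE, as in the rest of the crate.` above the `CONFIG.wlock()` line. The body of `finalize` continues past the end of the inner hunk.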
diff --git a/kryoptic.spec b/kryoptic.spec
index ba1dd2c..4aec254 100644
--- a/kryoptic.spec
+++ b/kryoptic.spec
@@ -6,10 +6,10 @@
%global soname libkryoptic_pkcs11
-%global features kryoptic-lib/nssdb,kryoptic-lib/pqc,kryoptic-lib/standard,kryoptic-lib/dynamic
+%global features kryoptic-lib/nssdb,kryoptic-lib/pqc,kryoptic-lib/standard,kryoptic-lib/dynamic,profiles
Name: kryoptic
-Version: 1.5.0
+Version: 1.5.1
Release: %autorelease
Summary: PKCS #11 software token written in Rust
@@ -33,11 +33,13 @@ Source0: https://github.com/latchset/kryoptic/releases/download/v%{versio
Source1: https://github.com/latchset/kryoptic/releases/download/v%{version}/%{name}-%{version}.tar.gz.asc
Source2: https://people.redhat.com/~ssorce/simo_redhat.asc
%endif
-# https://github.com/latchset/kryoptic/pull/439
-Patch: kryoptic-1.5.0-asn1.patch
+# https://github.com/latchset/kryoptic/pull/459
+Patch: kryoptic-deadlock.patch
+
BuildRequires: cargo-rpm-macros >= 26
BuildRequires: openssl-devel
+BuildRequires: pandoc
%if %{with gpgcheck}
BuildRequires: gnupg2
%endif
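Review bot: The `Patch: kryoptic-1.5.0-asn1.patch` line is dropped here, but the same commit lists `kryoptic-1.5.0-asn1.patch` as a new file further down, so as far as this diff shows the file is committed without being applied. If 1.5.1 already carries the asn1 0.24 update, the file should be removed from the repository so that nobody assumes it is part of the build; if it is still needed, it needs its own `Patch:` line. This may be an artifact of how the merge diff was generated, so it is worth checking against the branch contents.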
@@ -67,11 +69,14 @@ Most notably a migration tool for the SoftHSM database.
%build
export CONFDIR=%{_sysconfdir}
-%cargo_build -f %{features} -- --package kryoptic
-%cargo_build -f %{features} -- --package kryoptic-tools
+%cargo_build -f %{features} -- --all
%{cargo_license_summary -f %{features}}
%{cargo_license -f %{features}} > LICENSE.dependencies
+pandoc -s -t man doc/kryoptic.conf.man.md -o kryoptic.conf.5
+pandoc -s -t man doc/kryoptic.man.md -o kryoptic.7
+pandoc -s -t man tools/softhsm/softhsm_migrate.man.md -o softhsm_migrate.1
+
%install
install -Dp target/rpm/softhsm_migrate $RPM_BUILD_ROOT%{_bindir}/softhsm_migrate
install -Dp target/rpm/%{soname}.so $RPM_BUILD_ROOT%{_libdir}/pkcs11/%{soname}.so
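Review bot: `%cargo_build -f %{features} -- --all` uses cargo's deprecated alias for `--workspace`, and it widens the build from the two named packages to every workspace member. Spelling it `%cargo_build -f %{features} -- --workspace` makes that scope explicit. If only `kryoptic` and `kryoptic-tools` are shipped, keeping the two `--package` invocations limits what gets compiled into the build to what is packaged.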
@@ -79,9 +84,14 @@ install -Dp target/rpm/%{soname}.so $RPM_BUILD_ROOT%{_libdir}/pkcs11/%{soname}.s
mkdir -p $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/
echo "module: %{soname}.so" > $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/kryoptic.module
+install -Dp -m 0644 kryoptic.conf.5 $RPM_BUILD_ROOT%{_mandir}/man5/kryoptic.conf.5
+install -Dp -m 0644 kryoptic.7 $RPM_BUILD_ROOT%{_mandir}/man7/kryoptic.7
+install -Dp -m 0644 softhsm_migrate.1 $RPM_BUILD_ROOT%{_mandir}/man1/softhsm_migrate.1
+
%if %{with check}
%check
-%cargo_test -f %{features}
+export TEST_PKCS11_MODULE=$RPM_BUILD_ROOT%{_libdir}/pkcs11/%{soname}.so
+%cargo_test -f %{features},integration_tests
%endif
%files
@@ -94,10 +104,13 @@ echo "module: %{soname}.so" > $RPM_BUILD_ROOT%{_datadir}/p11-kit/modules/kryopti
%dir %{_datadir}/p11-kit
%dir %{_datadir}/p11-kit/modules
%{_datadir}/p11-kit/modules/kryoptic.module
+%{_mandir}/man5/kryoptic.conf.5*
+%{_mandir}/man7/kryoptic.7*
%files tools
%{_bindir}/softhsm_migrate
+%{_mandir}/man1/softhsm_migrate.1*
%changelog
%autochangelog
diff --git a/sources b/sources
index 03b16f1..3bec875 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (kryoptic-1.5.0.tar.gz) = e7f868a87f92f283de6d3f534b0728aba93d585e434c4d98ef88610a2c33632ae25d8c9680fe4db258fa5b0270b7d546f548d4149970a176c468b6f0ab1c1b53
-SHA512 (kryoptic-1.5.0.tar.gz.asc) = 3384e1fd51d2eb8d210f4ff3fc2c3d0142d87251964c752292949bfc4ff76bcebb7618c54c7661d9a0d1f28ffab748a50acaf6ee285870a6d88035f83106c837
+SHA512 (kryoptic-1.5.1.tar.gz) = 150c0ca38a7b2dc3b96ed42c7acab217ca4a17c89ff9765fa0d2354d4b70f64ffe3341178e42d8bd3ec7bfc963700d1f2a0b13956e156b7e6db18e773e5e037a
+SHA512 (kryoptic-1.5.1.tar.gz.asc) = 4b6f47c7c76cb156dd3fa449f7b9f4171c728c1f41cf42902ae9b8ea3aa8e7f63201e0b88b539a8c5470a5b1da2ef8f1da5d3b82d0fe67b724273ee6a7c095e0
diff --git a/kryoptic-1.5.0-asn1.patch b/kryoptic-1.5.0-asn1.patch
new file mode 100644
index 0000000..bd44a52
--- /dev/null
+++ b/kryoptic-1.5.0-asn1.patch
@@ -0,0 +1,121 @@
+From 1e8c4164c81a5efc35afd46de3e2b40e27f77093 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 9 Apr 2026 10:08:15 +0200
+Subject: [PATCH] Update to asn1 0.24.0
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ Cargo.toml | 2 +-
+ src/kasn1/mod.rs | 6 ++++++
+ src/kasn1/pyca/pkcs.rs | 21 +++++++++++++++++----
+ 3 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/Cargo.toml b/Cargo.toml
+index f911da6a..d80276e1 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -53,7 +53,7 @@ test = true
+ bindgen = "0.72"
+
+ [dependencies]
+-asn1 = "0.22"
++asn1 = "0.24"
+ bimap = "0.6.3"
+ bitflags = "2.4.1"
+ constant_time_eq = "0.4.2"
+diff --git a/src/kasn1/mod.rs b/src/kasn1/mod.rs
+index baf85381..356f71eb 100644
+--- a/src/kasn1/mod.rs
++++ b/src/kasn1/mod.rs
+@@ -106,7 +106,10 @@ impl<'a> asn1::SimpleAsn1Readable<'a> for DerEncBigUint<'a> {
+ }
+ }
+ impl<'a> asn1::SimpleAsn1Writable for DerEncBigUint<'a> {
++ type Error = asn1::WriteError;
++
+ const TAG: asn1::Tag = asn1::BigUint::TAG;
++
+ /// Writes out a DerEncBigUint
+ fn write_data(&self, dest: &mut asn1::WriteBuf) -> asn1::WriteResult {
+ dest.push_slice(self.as_bytes())
+@@ -162,7 +165,10 @@ impl<'a> asn1::SimpleAsn1Readable<'a> for DerEncOctetString<'a> {
+ }
+ }
+ impl<'a> asn1::SimpleAsn1Writable for DerEncOctetString<'a> {
++ type Error = asn1::WriteError;
++
+ const TAG: asn1::Tag = asn1::Tag::primitive(0x04);
++
+ /// Writes out a DerEncOctetString
+ fn write_data(&self, dest: &mut asn1::WriteBuf) -> asn1::WriteResult {
+ dest.push_slice(self.as_bytes())
+diff --git a/src/kasn1/pyca/pkcs.rs b/src/kasn1/pyca/pkcs.rs
+index e4f35096..2b34d6e5 100644
+--- a/src/kasn1/pyca/pkcs.rs
++++ b/src/kasn1/pyca/pkcs.rs
+@@ -7,7 +7,7 @@
+ // 2.0, and the BSD License. See the LICENSE file in the root of this repository
+ // for complete details.
+
+-use asn1::{Asn1DefinedByWritable, SimpleAsn1Writable};
++use asn1::{Asn1DefinedByWritable, SimpleAsn1Writable, WriteError};
+
+ //use crate::oid;
+
+@@ -305,6 +305,8 @@ impl<'a> asn1::Asn1Readable<'a> for RawTlv<'a> {
+ }
+ }
+ impl asn1::Asn1Writable for RawTlv<'_> {
++ type Error = WriteError;
++
+ fn write(&self, w: &mut asn1::Writer<'_>) -> asn1::WriteResult {
+ w.write_tlv(self.tag, Some(self.value.len()), move |dest| {
+ dest.push_slice(self.value)
+@@ -366,10 +368,15 @@ impl<'a, T: asn1::SimpleAsn1Readable<'a>, U> asn1::SimpleAsn1Readable<'a>
+ }
+ }
+
+-impl<T: asn1::SimpleAsn1Writable, U: asn1::SimpleAsn1Writable>
+- asn1::SimpleAsn1Writable for Asn1ReadableOrWritable<T, U>
++impl<
++ T: asn1::SimpleAsn1Writable<Error = WriteError>,
++ U: asn1::SimpleAsn1Writable<Error = WriteError>,
++ > asn1::SimpleAsn1Writable for Asn1ReadableOrWritable<T, U>
+ {
++ type Error = asn1::WriteError;
++
+ const TAG: asn1::Tag = U::TAG;
++
+ fn write_data(&self, w: &mut asn1::WriteBuf) -> asn1::WriteResult {
+ match self {
+ Asn1ReadableOrWritable::Read(v) => T::write_data(v, w),
+@@ -680,6 +687,7 @@ impl<'a> asn1::SimpleAsn1Readable<'a> for UnvalidatedVisibleString<'a> {
+ }
+
+ impl asn1::SimpleAsn1Writable for UnvalidatedVisibleString<'_> {
++ type Error = WriteError;
+ const TAG: asn1::Tag = asn1::VisibleString::TAG;
+ fn write_data(&self, _: &mut asn1::WriteBuf) -> asn1::WriteResult {
+ unimplemented!();
+@@ -700,6 +708,7 @@ impl<'a> Utf8StoredBMPString<'a> {
+ }
+
+ impl asn1::SimpleAsn1Writable for Utf8StoredBMPString<'_> {
++ type Error = asn1::WriteError;
+ const TAG: asn1::Tag = asn1::BMPString::TAG;
+ fn write_data(&self, writer: &mut asn1::WriteBuf) -> asn1::WriteResult {
+ for ch in self.0.encode_utf16() {
+@@ -747,7 +756,11 @@ impl<'a, T: asn1::Asn1Readable<'a>> asn1::Asn1Readable<'a> for WithTlv<'a, T> {
+ }
+ }
+
+-impl<T: asn1::Asn1Writable> asn1::Asn1Writable for WithTlv<'_, T> {
++impl<T: asn1::Asn1Writable<Error = WriteError>> asn1::Asn1Writable
++ for WithTlv<'_, T>
++{
++ type Error = WriteError;
++
+ fn write(&self, w: &mut asn1::Writer<'_>) -> asn1::WriteResult<()> {
+ self.value.write(w)
+ }
+
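Review bot: The added associated types in `src/kasn1/pyca/pkcs.rs` are spelled two ways: `type Error = WriteError;` for `RawTlv`, `UnvalidatedVisibleString` and `WithTlv`, but `type Error = asn1::WriteError;` for `Asn1ReadableOrWritable` and `Utf8StoredBMPString`, although `WriteError` is imported at the top of the file. Using the imported name everywhere in that file makes it easier to see that all impls share one error type. The new `Error = WriteError` bounds on `Asn1ReadableOrWritable<T, U>` and `WithTlv<'_, T>` also narrow those impls to writers with that exact error type, which deserves a one-line comment such as `// asn1 0.24: inner writers must use WriteError so write_data can forward the result unchanged`.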