
Bug#771690: unblock: softhsm/1.3.7-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Please unblock package softhsm

There's a security bug that we have agreed doesn't need to be
fixed in wheezy, but I forgot to fix it in jessie.

The patch comes from upstream and looks simple enough (just a couple
of opens with S_IRUSR | S_IWUSR before opening the file for writing).

$ diffstat softhsm_1.3.7-2.debdiff
 changelog                 |    9 ++
 control                   |    4 
 gbp.conf                  |    4 
 patches/SUPPORT-101.patch |  198 ++++++++++++++++++++++++++++++++++++++++++++++
 patches/series            |    1 
 5 files changed, 212 insertions(+), 4 deletions(-)

(Vcs-URLs and GBP configuration fixes also included.)

unblock softhsm/1.3.7-2

- -- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

Attachment: softhsm_1.3.7-2.debian.tar.xz
Description: application/xz

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 3.0 (quilt)
Source: softhsm
Binary: softhsm-common, softhsm, libsofthsm-dev, libsofthsm, softhsm-dbg
Architecture: any
Version: 1.3.7-2
Maintainer: Ondřej Surý <ondrej@debian.org>
Homepage: http://trac.opendnssec.org/wiki/SoftHSM
Standards-Version: 3.9.1
Vcs-Browser: http://anonscm.debian.org/?p=pkg-nlnetlabs/softhsm.git
Vcs-Git: git://anonscm.debian.org/pkg-nlnetlabs/softhsm.git
Build-Depends: quilt (>= 0.46-7~), debhelper (>= 7.0.50~), autotools-dev, libbotan1.10-dev (>= 1.10.0-1~), libsqlite3-dev (>= 3.4.2), hardening-wrapper, autoconf, dh-autoreconf, automake, libtool
Build-Conflicts: libbotan1.8-dev
Package-List:
 libsofthsm deb libs extra arch=any
 libsofthsm-dev deb libdevel extra arch=any
 softhsm deb admin extra arch=any
 softhsm-common deb admin extra arch=any
 softhsm-dbg deb debug extra arch=any

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 01 Dec 2014 17:52:05 +0100
Source: softhsm
Binary: softhsm-common softhsm libsofthsm-dev libsofthsm softhsm-dbg
Architecture: source amd64
Version: 1.3.7-2
Distribution: unstable
Urgency: medium
Maintainer: Ondřej Surý <ondrej@debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
 libsofthsm - a cryptographic store accessible through a PKCS #11
 libsofthsm-dev - a cryptographic store accessible through a PKCS #11
 softhsm    - a cryptographic store accessible through a PKCS #11
 softhsm-common - a cryptographic store accessible through a PKCS #11
 softhsm-dbg - Debug symbols for SoftHSM
Closes: 752092
Changes:
 softhsm (1.3.7-2) unstable; urgency=medium
 .
   * Fix softhsm-keyconv creating security-sensibe file world-readable
     (Closes: #752092)
   * Update Vcs-Urls to point to anonscm.debian.org
   * Standardize gbp repository layout

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
diff -Nru softhsm-1.3.7/debian/changelog softhsm-1.3.7/debian/changelog
--- softhsm-1.3.7/debian/changelog	2014-06-01 23:52:54.000000000 +0200
+++ softhsm-1.3.7/debian/changelog	2014-12-01 17:52:26.000000000 +0100
@@ -1,3 +1,12 @@
+softhsm (1.3.7-2) unstable; urgency=medium
+
+  * Fix softhsm-keyconv creating security-sensibe file world-readable
+    (Closes: #752092)
+  * Update Vcs-Urls to point to anonscm.debian.org
+  * Standardize gbp repository layout
+
+ -- Ondřej Surý <ondrej@debian.org>  Mon, 01 Dec 2014 17:52:05 +0100
+
 softhsm (1.3.7-1) unstable; urgency=medium
 
   * New upstream version 1.3.7
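Review bot: The first bullet of the new 1.3.7-2 entry misspells "security-sensitive" as "security-sensibe" and names only softhsm-keyconv, while the upstream patch subject further down says the problem also applies to softhsm when using --export or --optimize. Suggest rewording the bullet so it covers both binaries, for example "Fix softhsm-keyconv and softhsm (--export, --optimize) creating security-sensitive files world-readable", so the changelog matches what the upload changes.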
diff -Nru softhsm-1.3.7/debian/control softhsm-1.3.7/debian/control
--- softhsm-1.3.7/debian/control	2014-06-01 23:52:54.000000000 +0200
+++ softhsm-1.3.7/debian/control	2014-12-01 17:52:26.000000000 +0100
@@ -15,8 +15,8 @@
 Build-Conflicts: libbotan1.8-dev
 Standards-Version: 3.9.1
 Homepage: http://trac.opendnssec.org/wiki/SoftHSM
-Vcs-Browser: http://git.debian.org/?p=pkg-nlnetlabs/softhsm.git
-Vcs-Git: git://git.debian.org/pkg-nlnetlabs/softhsm.git
+Vcs-Browser: http://anonscm.debian.org/?p=pkg-nlnetlabs/softhsm.git
+Vcs-Git: git://anonscm.debian.org/pkg-nlnetlabs/softhsm.git
 
 Package: softhsm-common
 Architecture: any
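Review bot: The replacement Vcs-Git line keeps the git:// scheme and Vcs-Browser keeps http://, both unauthenticated transports, so anyone following these fields to fetch the packaging has no integrity check on what the server returns. If the new host offers TLS endpoints for this repository, point both fields at those instead.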
diff -Nru softhsm-1.3.7/debian/gbp.conf softhsm-1.3.7/debian/gbp.conf
--- softhsm-1.3.7/debian/gbp.conf	2014-06-01 23:52:54.000000000 +0200
+++ softhsm-1.3.7/debian/gbp.conf	2014-12-01 17:52:26.000000000 +0100
@@ -1,7 +1,7 @@
 [DEFAULT]
-debian-branch = debian-sid
+debian-branch = master
 debian-tag = debian/%(version)s
-upstream-branch = upstream-sid
+upstream-branch = upstream
 upstream-tag = upstream/%(version)s
 
 [git-dch]
diff -Nru softhsm-1.3.7/debian/patches/series softhsm-1.3.7/debian/patches/series
--- softhsm-1.3.7/debian/patches/series	2014-06-01 23:52:54.000000000 +0200
+++ softhsm-1.3.7/debian/patches/series	2014-12-01 17:52:26.000000000 +0100
@@ -1 +1,2 @@
+SUPPORT-101.patch
 002_libtool_export_symbols_fix.patch
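Review bot: The added series entry is named SUPPORT-101.patch, but the upstream commit it carries is tagged SOFTHSM-101 in its subject line and in NEWS; naming the file after the upstream issue id would make it easier to trace. The entry is also placed above 002_libtool_export_symbols_fix.patch, so it applies first, and it is worth confirming the existing patch still applies cleanly on top of it.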
diff -Nru softhsm-1.3.7/debian/patches/SUPPORT-101.patch softhsm-1.3.7/debian/patches/SUPPORT-101.patch
--- softhsm-1.3.7/debian/patches/SUPPORT-101.patch	1970-01-01 01:00:00.000000000 +0100
+++ softhsm-1.3.7/debian/patches/SUPPORT-101.patch	2014-12-01 17:52:26.000000000 +0100
@@ -0,0 +1,198 @@
+From aa2d1ebb0ef31c71a4db4435f3dc056cacf87209 Mon Sep 17 00:00:00 2001
+From: Rickard Bellgrim <rickard@opendnssec.org>
+Date: Sun, 26 Oct 2014 08:08:43 +0100
+Subject: [PATCH 1/2] SOFTHSM-101: softhsm-keyconv creates files with sensitive
+ material in insecure way. Also applies to softhsm when using --export or
+ --optimize.
+
+---
+ NEWS                        |  8 ++++++++
+ src/bin/softhsm-keyconv.cpp | 50 ++++++++++++++++++++++++++++++++++++++++++---
+ src/bin/softhsm.cpp         | 31 +++++++++++++++++++++++++++-
+ 3 files changed, 85 insertions(+), 4 deletions(-)
+
+--- softhsm.orig/NEWS
++++ softhsm/NEWS
+@@ -1,5 +1,13 @@
+ NEWS for SoftHSM -- History of user visible changes
+ 
++SoftHSM develop
++
++Bugfixes:
++* SOFTHSM-101: softhsm-keyconv creates files with sensitive material
++  in insecure way. Also applies to softhsm when using --export or
++  --optimize.
++
++
+ SoftHSM 1.3.7 - 2014-05-28
+ 
+ Bugfixes:
+--- softhsm.orig/src/bin/softhsm-keyconv.cpp
++++ softhsm/src/bin/softhsm-keyconv.cpp
+@@ -48,6 +48,10 @@
+ #include <iostream>
+ #include <fstream>
+ #include <stdint.h>
++#include <fcntl.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <errno.h>
+ 
+ void usage() {
+   printf("Converting between BIND .private-key format and PKCS#8 key file format.\n");
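Review bot: The four headers added at the top of softhsm-keyconv.cpp cover open() and errno, but the new code in the later hunks also calls close(), which is declared in <unistd.h>, and that header is not among the added or visible includes. Confirm it is already included earlier in the file, or add it here so the build does not rely on a transitive include; the same applies to the matching include hunk in softhsm.cpp.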
+@@ -391,6 +395,15 @@ int to_pkcs8(char *in_path, char *out_pa
+     return 1;
+   }
+ 
++  // Create and set file permissions if the file does not exist.
++  int fd = open(out_path, O_CREAT, S_IRUSR | S_IWUSR);
++  if (fd == -1) {
++    fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++            out_path, errno);
++    return 1;
++  }
++  close(fd);
++
+   // Save the the key to the disk
+   switch(algorithm) {
+     case DNS_KEYALG_ERROR:
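Review bot: In to_pkcs8 the mode passed to open(out_path, O_CREAT, S_IRUSR | S_IWUSR) only takes effect when the call creates the file, so an out_path that already exists with wider permissions keeps them and the key is then written into it; the added comment ("if the file does not exist") acknowledges the limit but nothing handles it. Calling fchmod(fd, S_IRUSR | S_IWUSR) before close(fd) would cover the existing-file case. The create also runs before switch(algorithm), so if the DNS_KEYALG_ERROR branch bails out, an empty output file is left behind; moving the block after the algorithm check would avoid that.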
+@@ -735,8 +748,16 @@ int save_rsa_bind(char *name, int ttl, B
+   snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm, key_tag);
+   snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm, key_tag);
+ 
+-  // Create the private key file
++  // Create and set file permissions if the file does not exist.
++  int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
++  if (fd == -1) {
++    fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++            priv_out, errno);
++    return 1;
++  }
++  close(fd);
+ 
++  // Create the private key file
+   file_pointer = fopen(priv_out, "w");
+   if (!file_pointer) {
+     fprintf(stderr, "Error: Could not open output file %.100s for writing.\n", priv_out);
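Review bot: In save_rsa_bind the descriptor returned by open(priv_out, ...) is closed and the file is then reopened by name with fopen(priv_out, "w"), so the permission setup and the write are two separate path lookups and the second is not guaranteed to reach the file the first one created. Opening once with O_WRONLY | O_CREAT | O_TRUNC and wrapping that descriptor with fdopen(fd, "w") keeps the owner-only mode attached to the file that actually receives the private key.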
+@@ -786,8 +807,16 @@ int save_rsa_bind(char *name, int ttl, B
+ 
+   printf("The private key has been written to %s\n", priv_out);
+ 
+-  // Create the public key file
++  // Create and set file permissions if the file does not exist.
++  fd = open(pub_out, O_CREAT, S_IRUSR | S_IWUSR);
++  if (fd == -1) {
++    fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++            pub_out, errno);
++    return 1;
++  }
++  close(fd);
+ 
++  // Create the public key file
+   file_pointer = fopen(pub_out, "w");
+   if (!file_pointer) {
+     fprintf(stderr, "Error: Could not open output file %.100s for writing.\n", pub_out);
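Review bot: The block added before the pub_out write creates the .key file owner-only, although the comment right below it calls this the public key file, which holds no secret; the restriction is unnecessary and can get in the way of whatever has to read the public key under another account. Consider dropping the pre-create for pub_out. The new return 1 on this path also comes after "The private key has been written" has been printed, so a failure here leaves a private key file on disk without its public half.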
+@@ -836,6 +865,15 @@ int save_dsa_bind(char *name, int ttl, B
+   snprintf(priv_out, MAX_LINE, "K%s+%03i+%05i.private", name, algorithm, key_tag);
+   snprintf(pub_out, MAX_LINE, "K%s+%03i+%05i.key", name, algorithm, key_tag);
+ 
++  // Create and set file permissions if the file does not exist.
++  int fd = open(priv_out, O_CREAT, S_IRUSR | S_IWUSR);
++  if (fd == -1) {
++    fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++            priv_out, errno);
++    return 1;
++  }
++  close(fd);
++
+   file_pointer = fopen(priv_out, "w");
+   if (!file_pointer) {
+     fprintf(stderr, "Error: Could not open output file %.100s for writing.\n", priv_out);
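Review bot: This is the fourth verbatim copy of the same eight-line open/check/close block in softhsm-keyconv.cpp (to_pkcs8, twice in save_rsa_bind, and here in save_dsa_bind), with a fifth following for pub_out. A small static helper taking the path would keep the flags, mode and error text in one place, so a later correction to the pattern does not have to be made five times. The new message also prints "ERROR:" while the existing fopen failure message just below prints "Error:"; pick one spelling.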
+@@ -873,8 +911,16 @@ int save_dsa_bind(char *name, int ttl, B
+ 
+   printf("The private key has been written to %s\n", priv_out);
+ 
+-  // Create the public key file
++  // Create and set file permissions if the file does not exist.
++  fd = open(pub_out, O_CREAT, S_IRUSR | S_IWUSR);
++  if (fd == -1) {
++    fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++            pub_out, errno);
++    return 1;
++  }
++  close(fd);
+ 
++  // Create the public key file
+   file_pointer = fopen(pub_out, "w");
+   if (!file_pointer) {
+     fprintf(stderr, "Error: Could not open output file %.100s for writing.\n", pub_out);
+--- softhsm.orig/src/bin/softhsm.cpp
++++ softhsm/src/bin/softhsm.cpp
+@@ -46,6 +46,10 @@
+ #include <iostream>
+ #include <fstream>
+ #include <sched.h>
++#include <fcntl.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <errno.h>
+ 
+ #ifdef HAVE_DLOPEN
+ #include <dlfcn.h>
+@@ -1005,6 +1009,15 @@ int removeSessionObjs(char *dbPath) {
+   CK_BBOOL ckFalse = CK_FALSE;
+   int retVal = 0;
+ 
++  // Create and set file permissions if the DB does not exist.
++  int fd = open(dbPath, O_CREAT, S_IRUSR | S_IWUSR);
++  if(fd == -1) {
++    fprintf(stderr, "Could not open the token database. errno=%i. "
++                    "Probably wrong privileges: %s", errno, dbPath);
++    return 1;
++  }
++  close(fd);
++
+   if(sqlite3_open(dbPath, &db) != 0) {
+     fprintf(stderr, "ERROR: Could not connect to database.\n");
+     return 1;
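Review bot: The new fprintf in removeSessionObjs ends with "%s" and no "\n", unlike the "Could not connect to database.\n" message right after it, so the error text runs into whatever is printed next. It also reports "Probably wrong privileges" for every errno value; printing strerror(errno) would give the actual cause.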
+@@ -1278,6 +1291,15 @@ CK_RV writeKeyToDisk(char *filePath, cha
+     return CKR_GENERAL_ERROR;
+   }
+ 
++  // Create and set file permissions if the file does not exist.
++  int fd = open(filePath, O_CREAT, S_IRUSR | S_IWUSR);
++  if (fd == -1) {
++    fprintf(stderr, "ERROR: Could not open the output file: %s (errno %i)\n",
++            filePath, errno);
++    return CKR_GENERAL_ERROR;
++  }
++  close(fd);
++
+   std::ofstream privFile(filePath);
+ 
+   if(!privFile) {
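Review bot: writeKeyToDisk reopens filePath through std::ofstream after close(fd), and the standard ofstream has no constructor that takes a descriptor, so the mode given to open() is again only in force for a newly created file. An fchmod(fd, S_IRUSR | S_IWUSR) before close(fd) would at least tighten a pre-existing export file before the private key is streamed into it.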
+@@ -1468,6 +1490,15 @@ Botan::Private_Key* getPrivKey(char *dbP
+   sqlite3_stmt *select_sql = NULL;
+   Botan::Private_Key *privKey = NULL;
+ 
++  // Create and set file permissions if the DB does not exist.
++  int fd = open(dbPath, O_CREAT, S_IRUSR | S_IWUSR);
++  if(fd == -1) {
++    fprintf(stderr, "Could not open the token database. errno=%i. "
++                    "Probably wrong privileges: %s", errno, dbPath);
++    return NULL;
++  }
++  close(fd);
++
+   if(sqlite3_open(dbPath, &db) == 0 && sqlite3_prepare_v2(db, select_str, -1, &select_sql, NULL) == 0) {
+     if(getObjectClass(select_sql, oHandle) == CKO_PRIVATE_KEY && getKeyType(select_sql, oHandle) == CKK_RSA) {
+       Botan::BigInt bigN = getBigIntAttribute(select_sql, oHandle, CKA_MODULUS);
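Review bot: getPrivKey only prepares and reads a SELECT in the lines shown, yet the added open(dbPath, O_CREAT, ...) creates a zero-length file when dbPath does not exist, so a mistyped path on an export leaves an empty file behind. For a lookup, opening without O_CREAT and returning NULL when the database is missing would be the safer behaviour; if the intent is only to tighten permissions, fchmod on an already existing file does that without creating anything.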
+@@ -1477,7 +1508,7 @@ Botan::Private_Key* getPrivKey(char *dbP
+       Botan::BigInt bigQ = getBigIntAttribute(select_sql, oHandle, CKA_PRIME_2);
+ 
+       Botan::AutoSeeded_RNG *rng = new Botan::AutoSeeded_RNG();
+-      
++
+       try {
+         privKey = new Botan::RSA_PrivateKey(*rng, bigP, bigQ, bigE, bigD, bigN);
+       }
