diff --git a/0002-Fix-swapped-parameter-names-with-PBE.patch b/0002-Fix-swapped-parameter-names-with-PBE.patch new file mode 100644 index 0000000..c535f6e --- /dev/null +++ b/0002-Fix-swapped-parameter-names-with-PBE.patch @@ -0,0 +1,80 @@ +From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Fri, 28 Feb 2020 14:10:32 -0500 +Subject: [PATCH 7/8] Fix swapped parameter names with PBE + +Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression +related to extracting the parameter classes during PBE operations: +previously, the classes of the underlying encryption algorithm were +iterated over, instead of the classes of the PBE class itself. However, +this commit iterated over the PBE parameter classes; no PBE algorithm +accepts a IvParameterSpec, resulting in a null parameter passed to the +later encryption or key wrap operation. This resulted in stack traces +like the following: + +Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter + at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225) + at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89) + at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57) + at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342) + +Resolves: rh-bz#1807371 + +Signed-off-by: Alexander Scheel +--- + org/mozilla/jss/pkcs7/EncryptedContentInfo.java | 2 +- + org/mozilla/jss/pkix/cms/EncryptedContentInfo.java | 2 +- + org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++-- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java +index 084752c3..0344b14d 100644 +--- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java ++++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java +@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value { + // generate IV + EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg(); + AlgorithmParameterSpec params=null; +- Class [] paramClasses = pbeAlg.getParameterClasses(); ++ Class [] paramClasses = encAlg.getParameterClasses(); + for (int i = 0; i < paramClasses.length; i ++) { + if ( paramClasses[i].equals( + javax.crypto.spec.IvParameterSpec.class ) ) { +diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java +index a4709070..d85eb0d3 100644 +--- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java ++++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java +@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value { + // generate IV + EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg(); + AlgorithmParameterSpec params=null; +- Class [] paramClasses = pbeAlg.getParameterClasses(); ++ Class [] paramClasses = encAlg.getParameterClasses(); + for (int i = 0; i < paramClasses.length; i ++) { + if ( paramClasses[i].equals( IVParameterSpec.class ) ) { + params = new IVParameterSpec( kg.generatePBE_IV() ); +diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java +index b35714e3..ebd269f3 100644 +--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java ++++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java +@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value { + // generate IV + EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg(); + AlgorithmParameterSpec params=null; +- Class [] paramClasses = pbeAlg.getParameterClasses(); ++ Class [] paramClasses = encAlg.getParameterClasses(); + for (int i = 0; i < paramClasses.length; i ++) { + if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) { + params = new IVParameterSpec( kg.generatePBE_IV() ); +@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value { + // generate IV + EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg(); + AlgorithmParameterSpec params=null; +- Class [] paramClasses = pbeAlg.getParameterClasses(); ++ Class [] paramClasses = encAlg.getParameterClasses(); + for (int i = 0; i < paramClasses.length; i ++) { + if ( paramClasses[i].equals( + javax.crypto.spec.IvParameterSpec.class ) ) { +-- +2.24.1 + diff --git a/0003-Use-specified-algorithm-for-KeyWrap.patch b/0003-Use-specified-algorithm-for-KeyWrap.patch new file mode 100644 index 0000000..d75534a --- /dev/null +++ b/0003-Use-specified-algorithm-for-KeyWrap.patch @@ -0,0 +1,60 @@ +From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Fri, 28 Feb 2020 14:39:29 -0500 +Subject: [PATCH 8/8] Use specified algorithm for KeyWrap + +When the token-specified from of EncryptedPrivateKeyInfo.createPBE is +called, it would always request DES3_CBC_PAD as the key wrapping +algorithm, regardless of the input PBE key type. However, the other form +(with an implicit token) was correctly handling this case. + +Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER +instead of having to convert to/from a String form. + +Signed-off-by: Alexander Scheel +--- + org/mozilla/jss/crypto/KeyWrapAlgorithm.java | 5 ++++- + org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java +index 3113f614..3a106977 100644 +--- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java ++++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java +@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm { + + public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException { + OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID); ++ return fromOID(oid); ++ } + ++ public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException { + if (oid.equals(AES_KEY_WRAP_PAD_OID)) + return AES_KEY_WRAP_PAD; + +@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm { + if (oid.equals(DES_CBC_PAD_OID)) + return DES_CBC_PAD; + +- throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID); ++ throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid); + } + } +diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java +index ebd269f3..abfc39a7 100644 +--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java ++++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java +@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value { + } + } + +- KeyWrapper wrapper = token.getKeyWrapper( +- KeyWrapAlgorithm.DES3_CBC_PAD); ++ // wrap the key ++ KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID())); + wrapper.initWrap(key, params); + byte encrypted[] = wrapper.wrap(pri); + +-- +2.24.1 + diff --git a/jss.spec b/jss.spec index 536e1db..da423a5 100644 --- a/jss.spec +++ b/jss.spec @@ -7,7 +7,7 @@ URL: http://www.dogtagpki.org/wiki/JSS License: MPLv1.1 or GPLv2+ or LGPLv2+ Version: 4.6.2 -Release: 3%{?_timestamp}%{?_commit_id}%{?dist} +Release: 4%{?_timestamp}%{?_commit_id}%{?dist} # global _phase -a1 # To generate the source tarball: @@ -25,7 +25,9 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas # \ # > jss-VERSION-RELEASE.patch # Patch: jss-VERSION-RELEASE.patch -Patch: 0001-Fix-NativeProxy-reference-tracker.patch +Patch0: 0001-Fix-NativeProxy-reference-tracker.patch +Patch1: 0002-Fix-swapped-parameter-names-with-PBE.patch +Patch2: 0003-Use-specified-algorithm-for-KeyWrap.patch ################################################################################ # Build Dependencies @@ -160,6 +162,9 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} ################################################################################ %changelog +* Wed Mar 04 2020 Dogtag PKI Team - 4.6.2-4 +- Fix for PBE errors + * Tue Jan 28 2020 Dogtag PKI Team - 4.6.2-3 - Rebuild with new NSS to fix rhbz#1794814