rpms/jss
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Add fixes for KRA issues

Browse Source 
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
This commit is contained in:
Alexander Scheel 2020-03-04 12:01:29 -05:00
parent 3cc21a363a
commit 01ab6695c1
No known key found for this signature in database
GPG Key ID: C0D6C737D0003143
3 changed files with 147 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
0002-Fix-swapped-parameter-names-with-PBE.patch Normal file
View File

@ -0,0 +1,80 @@
From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Feb 2020 14:10:32 -0500
Subject: [PATCH 7/8] Fix swapped parameter names with PBE
Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression
related to extracting the parameter classes during PBE operations:
previously, the classes of the underlying encryption algorithm were
iterated over, instead of the classes of the PBE class itself. However,
this commit iterated over the PBE parameter classes; no PBE algorithm
accepts a IvParameterSpec, resulting in a null parameter passed to the
later encryption or key wrap operation. This resulted in stack traces
like the following:
Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter
at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225)
at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89)
at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57)
at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342)
Resolves: rh-bz#1807371
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/pkcs7/EncryptedContentInfo.java | 2 +-
org/mozilla/jss/pkix/cms/EncryptedContentInfo.java | 2 +-
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
index 084752c3..0344b14d 100644
--- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
+++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals(
javax.crypto.spec.IvParameterSpec.class ) ) {
diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
index a4709070..d85eb0d3 100644
--- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
+++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals( IVParameterSpec.class ) ) {
params = new IVParameterSpec( kg.generatePBE_IV() );
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
index b35714e3..ebd269f3 100644
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) {
params = new IVParameterSpec( kg.generatePBE_IV() );
@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals(
javax.crypto.spec.IvParameterSpec.class ) ) {
--
2.24.1

60
0003-Use-specified-algorithm-for-KeyWrap.patch Normal file
View File

@ -0,0 +1,60 @@
From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Feb 2020 14:39:29 -0500
Subject: [PATCH 8/8] Use specified algorithm for KeyWrap
When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
called, it would always request DES3_CBC_PAD as the key wrapping
algorithm, regardless of the input PBE key type. However, the other form
(with an implicit token) was correctly handling this case.
Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
instead of having to convert to/from a String form.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/crypto/KeyWrapAlgorithm.java | 5 ++++-
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
index 3113f614..3a106977 100644
--- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
+++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
+ return fromOID(oid);
+ }
+ public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
if (oid.equals(AES_KEY_WRAP_PAD_OID))
return AES_KEY_WRAP_PAD;
@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
if (oid.equals(DES_CBC_PAD_OID))
return DES_CBC_PAD;
- throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
+ throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
}
}
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
index ebd269f3..abfc39a7 100644
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
}
}
- KeyWrapper wrapper = token.getKeyWrapper(
- KeyWrapAlgorithm.DES3_CBC_PAD);
+ // wrap the key
+ KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
wrapper.initWrap(key, params);
byte encrypted[] = wrapper.wrap(pri);
--
2.24.1

9
jss.spec
View File

@ -7,7 +7,7 @@ URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
Version: 4.6.2 Version: 4.6.2
Release: 3%{?_timestamp}%{?_commit_id}%{?dist} Release: 4%{?_timestamp}%{?_commit_id}%{?dist}
# global _phase -a1 # global _phase -a1
# To generate the source tarball: # To generate the source tarball:
@ -25,7 +25,9 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
# <version tag> \ # <version tag> \
# > jss-VERSION-RELEASE.patch # > jss-VERSION-RELEASE.patch
# Patch: jss-VERSION-RELEASE.patch # Patch: jss-VERSION-RELEASE.patch
Patch: 0001-Fix-NativeProxy-reference-tracker.patch Patch0: 0001-Fix-NativeProxy-reference-tracker.patch
Patch1: 0002-Fix-swapped-parameter-names-with-PBE.patch
Patch2: 0003-Use-specified-algorithm-for-KeyWrap.patch
################################################################################ ################################################################################
# Build Dependencies # Build Dependencies
@ -160,6 +162,9 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
################################################################################ ################################################################################
%changelog %changelog
* Wed Mar 04 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.6.2-4
- Fix for PBE errors
* Tue Jan 28 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.6.2-3 * Tue Jan 28 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.6.2-3
- Rebuild with new NSS to fix rhbz#1794814 - Rebuild with new NSS to fix rhbz#1794814