rpms/jss
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to latest upstream version 4.7.0-b2

Browse Source 
Also, remove unused patch files

Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
This commit is contained in:
Dinesh Prasanth M K 2020-06-10 15:40:00 -04:00
parent c7f3ad477f
commit 03671f7edf
No known key found for this signature in database
GPG Key ID: 0D4491AB07D86AB0
6 changed files with 17 additions and 190 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -25,3 +25,4 @@ jss-4.2.6.tar.gz
/jss-4.6.2.tar.gz
/jss-4.6.3.tar.gz
/jss-4.6.4.tar.gz
/jss-4.7.0-b2.tar.gz

39
0001-Fix-base64-encoding-of-CSRs.patch
View File

@ -1,39 +0,0 @@
From 18efce236af6a1affebb274838318ba715114218 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 25 Feb 2020 09:14:47 -0500
Subject: [PATCH 3/8] Fix base64-encoding of CSRs
In 8de4440c5652f6f1af5b4b923a15730ba84f29e1, the base64 encoder was
changed from apache-commons-codec to the Java standard library to drop
a dependency. However, the behavior changed as a result: the Java
standard library doesn't include a final line separator, whereas
apache-commons-codec did. This results in malformed CSRs:
> YWRPxyBKvFAOB29fwPwBJLZksrwQ0xAs7sooc+qF-----END NEW CERTIFICATE REQUEST-----
Resolves: https://pagure.io/freeipa/issue/8199
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/netscape/security/util/Utils.java | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/org/mozilla/jss/netscape/security/util/Utils.java b/org/mozilla/jss/netscape/security/util/Utils.java
index 19f3b1f9..e6e56ce4 100644
--- a/org/mozilla/jss/netscape/security/util/Utils.java
+++ b/org/mozilla/jss/netscape/security/util/Utils.java
@@ -378,7 +378,10 @@ public class Utils {
* @return base-64 encoded data
*/
public static String base64encodeMultiLine(byte[] bytes) {
- return Base64.getMimeEncoder().encodeToString(bytes);
+ // When switching from apache-commons-codec to the standard library,
+ // the standard library does not include a final line separator at
+ // the end of the encoded data. This results in malformed CSRs.
+ return Base64.getMimeEncoder().encodeToString(bytes) + "\r\n";
}
--
2.24.1

80
0002-Fix-swapped-parameter-names-with-PBE.patch
View File

@ -1,80 +0,0 @@
From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Feb 2020 14:10:32 -0500
Subject: [PATCH 7/8] Fix swapped parameter names with PBE
Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression
related to extracting the parameter classes during PBE operations:
previously, the classes of the underlying encryption algorithm were
iterated over, instead of the classes of the PBE class itself. However,
this commit iterated over the PBE parameter classes; no PBE algorithm
accepts a IvParameterSpec, resulting in a null parameter passed to the
later encryption or key wrap operation. This resulted in stack traces
like the following:
Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter
at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225)
at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89)
at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57)
at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342)
Resolves: rh-bz#1807371
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/pkcs7/EncryptedContentInfo.java | 2 +-
org/mozilla/jss/pkix/cms/EncryptedContentInfo.java | 2 +-
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
index 084752c3..0344b14d 100644
--- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
+++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals(
javax.crypto.spec.IvParameterSpec.class ) ) {
diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
index a4709070..d85eb0d3 100644
--- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
+++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals( IVParameterSpec.class ) ) {
params = new IVParameterSpec( kg.generatePBE_IV() );
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
index b35714e3..ebd269f3 100644
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) {
params = new IVParameterSpec( kg.generatePBE_IV() );
@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals(
javax.crypto.spec.IvParameterSpec.class ) ) {
--
2.24.1

60
0003-Use-specified-algorithm-for-KeyWrap.patch
View File

@ -1,60 +0,0 @@
From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Feb 2020 14:39:29 -0500
Subject: [PATCH 8/8] Use specified algorithm for KeyWrap
When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
called, it would always request DES3_CBC_PAD as the key wrapping
algorithm, regardless of the input PBE key type. However, the other form
(with an implicit token) was correctly handling this case.
Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
instead of having to convert to/from a String form.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/crypto/KeyWrapAlgorithm.java | 5 ++++-
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
index 3113f614..3a106977 100644
--- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
+++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
+ return fromOID(oid);
+ }
+ public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
if (oid.equals(AES_KEY_WRAP_PAD_OID))
return AES_KEY_WRAP_PAD;
@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
if (oid.equals(DES_CBC_PAD_OID))
return DES_CBC_PAD;
- throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
+ throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
}
}
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
index ebd269f3..abfc39a7 100644
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
}
}
- KeyWrapper wrapper = token.getKeyWrapper(
- KeyWrapAlgorithm.DES3_CBC_PAD);
+ // wrap the key
+ KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
wrapper.initWrap(key, params);
byte encrypted[] = wrapper.wrap(pri);
--
2.24.1

25
jss.spec
View File

@ -6,9 +6,9 @@ Summary: Java Security Services (JSS)
URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+
Version: 4.6.4
Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
# global _phase -a1
Version: 4.7.0
Release: 0.2%{?_timestamp}%{?_commit_id}%{?dist}
%global _phase -b2
# To generate the source tarball:
# $ git clone https://github.com/dogtagpki/jss.git
@ -34,11 +34,13 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
BuildRequires: git
BuildRequires: make
BuildRequires: cmake
BuildRequires: zip
BuildRequires: unzip
BuildRequires: gcc-c++
BuildRequires: nspr-devel >= 4.13.1
BuildRequires: nss-devel >= 3.30
BuildRequires: nss-tools >= 3.30
BuildRequires: nss-devel >= 3.44
BuildRequires: nss-tools >= 3.44
BuildRequires: java-devel
BuildRequires: jpackage-utils
BuildRequires: slf4j
@ -49,11 +51,10 @@ BuildRequires: glassfish-jaxb-api
BuildRequires: slf4j-jdk14
%endif
BuildRequires: apache-commons-lang
BuildRequires: apache-commons-codec
BuildRequires: junit
Requires: nss >= 3.30
Requires: nss >= 3.44
Requires: java-headless
Requires: jpackage-utils
Requires: slf4j
@ -64,7 +65,6 @@ Requires: glassfish-jaxb-api
Requires: slf4j-jdk14
%endif
Requires: apache-commons-lang
Requires: apache-commons-codec
Conflicts: ldapjdk < 4.20
Conflicts: idm-console-framework < 1.2
@ -116,7 +116,7 @@ rm -rf build && mkdir -p build && cd build
..
%{__make} all
%{__make} javadoc || true
%{__make} javadoc
ctest --output-on-failure
################################################################################
@ -147,7 +147,8 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
%files
%defattr(-,root,root,-)
%doc jss.html MPL-1.1.txt gpl.txt lgpl.txt
%doc jss.html
%license MPL-1.1.txt gpl.txt lgpl.txt
%{_libdir}/*
%{_jnidir}/*
@ -159,6 +160,10 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
################################################################################
%changelog
* Wed Jun 10 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.7.0-0.2
- Rebase to latest upstream JSS 4.7.0
- JSS Provided SSLEngine
* Mon Apr 27 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.6.4-1
- Rebase to JSS 4.6.4
- Fixes memory leak present since v4.6.2

2
sources
View File

@ -1 +1 @@
SHA512 (jss-4.6.4.tar.gz) = c0adc950e1ce5e0f3d846dcb158d831575be84176ded3eec7ce3569cfd96c872a2089a2eede249c5924e1eee58d88574accd3403623910343130cf90b504b348
SHA512 (jss-4.7.0-b2.tar.gz) = 6bd5fd4823ea4b14bfd53dc64796b6fcb7018a6118b943b46be7a5caf874a386802f1e6e0e542743be505d73f2b9625b0f1d479b1292c7364ac62d8cee3e4e52