- Bugzilla Bug # 647364 - Expose updated certificate verification function in JSS

2010-11-02 15:40:11 -07:00 · 2010-11-02 15:40:11 -07:00 · 0447399904
commit 0447399904
parent 6722db77ab
2 changed files with 226 additions and 1 deletions
--- a/jss-VerifyCertificate.patch
+++ b/jss-VerifyCertificate.patch
@ -0,0 +1,220 @@
+diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
+--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix	2010-10-20 09:53:10.288935000 -0700
+++ jss-4.2.6/mozilla/security/jss/lib/jss.def	2010-10-29 10:29:48.664212000 -0700
+@@ -331,6 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
+ Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
+ Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
+ Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
+ ;+    local:
+ ;+       *;
+ ;+};
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix	2010-10-28 16:44:46.366082000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java	2010-10-31 17:30:25.502670000 -0700
+@@ -61,6 +61,7 @@ import org.mozilla.jss.provider.java.sec
+ public final class CryptoManager implements TokenSupplier
+ {
+     /**
+     * note: this is obsolete in NSS
+      * CertUsage options for validation
+      */
+     public final static class CertUsage {
+@@ -86,8 +87,6 @@ public final class CryptoManager impleme
+             return name;
+         }
+ 
+-
+-
+         // certUsage, these must be kept in sync with nss/lib/certdb/certt.h
+         public static final CertUsage SSLClient = new CertUsage(0, "SSLClient");
+         public static final CertUsage SSLServer = new CertUsage(1, "SSLServer");
+@@ -103,6 +102,63 @@ public final class CryptoManager impleme
+         public static final CertUsage AnyCA = new CertUsage(11, "AnyCA");
+     }
+ 
+    /**
+     * CertificateUsage options for validation
+     */
+    public final static class CertificateUsage {
+        private int usage;
+        private String name;
+
+        // certificateUsage, these must be kept in sync with nss/lib/certdb/certt.h
+        private static final int certificateUsageCheckAllUsages = 0x0000;
+        private static final int certificateUsageSSLClient = 0x0001;
+        private static final int certificateUsageSSLServer = 0x0002;
+        private static final int certificateUsageSSLServerWithStepUp = 0x0004;
+        private static final int certificateUsageSSLCA = 0x0008;
+        private static final int certificateUsageEmailSigner = 0x0010;
+        private static final int certificateUsageEmailRecipient = 0x0020;
+        private static final int certificateUsageObjectSigner = 0x0040;
+        private static final int certificateUsageUserCertImport = 0x0080;
+        private static final int certificateUsageVerifyCA = 0x0100;
+        private static final int certificateUsageProtectedObjectSigner = 0x0200;
+        private static final int certificateUsageStatusResponder = 0x0400;
+        private static final int certificateUsageAnyCA = 0x0800;
+
+        static private ArrayList list = new ArrayList();
+        private CertificateUsage() {};
+        private CertificateUsage(int usage, String name) {
+            this.usage = usage;
+            this.name =  name;
+            this.list.add(this);
+
+        }
+        public int getUsage() {
+            return usage;
+        }
+
+        static public Iterator getCertificateUsages() {
+            return list.iterator();
+
+        }
+        public String toString() {
+            return name;
+        }
+
+        public static final CertificateUsage CheckAllUsages = new CertificateUsage(certificateUsageCheckAllUsages, "CheckAllUsages");
+        public static final CertificateUsage SSLClient = new CertificateUsage(certificateUsageSSLClient, "SSLClient");
+        public static final CertificateUsage SSLServer = new CertificateUsage(certificateUsageSSLServer, "SSLServer");
+        public static final CertificateUsage SSLServerWithStepUp = new CertificateUsage(certificateUsageSSLServerWithStepUp, "SSLServerWithStepUp");
+        public static final CertificateUsage SSLCA = new CertificateUsage(certificateUsageSSLCA, "SSLCA");
+        public static final CertificateUsage EmailSigner = new CertificateUsage(certificateUsageEmailSigner, "EmailSigner");
+        public static final CertificateUsage EmailRecipient = new CertificateUsage(certificateUsageEmailRecipient, "EmailRecipient");
+        public static final CertificateUsage ObjectSigner = new CertificateUsage(certificateUsageObjectSigner, "ObjectSigner");
+        public static final CertificateUsage UserCertImport = new CertificateUsage(certificateUsageUserCertImport, "UserCertImport");
+        public static final CertificateUsage VerifyCA = new CertificateUsage(certificateUsageVerifyCA, "VerifyCA");
+        public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
+        public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
+        public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
+    }
+
+     public final static class NotInitializedException extends Exception {}
+     public final static class NicknameConflictException extends Exception {}
+     public final static class UserCertConflictException extends Exception {}
+@@ -1386,6 +1442,7 @@ public final class CryptoManager impleme
+         }
+         return tok;
+     }
+
+     /////////////////////////////////////////////////////////////
+     // isCertValid
+     /////////////////////////////////////////////////////////////
+@@ -1395,6 +1452,39 @@ public final class CryptoManager impleme
+      * against Now.
+      * @param nickname The nickname of the certificate to verify.
+      * @param checkSig verify the signature of the certificate
+     * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
+     * @return true for success; false otherwise
+     *
+     * @exception InvalidNicknameException If the nickname is null
+     * @exception ObjectNotFoundException If no certificate could be found
+     *      with the given nickname.
+     */
+
+    public boolean isCertValid(String nickname, boolean checkSig,
+            CertificateUsage certificateUsage)
+        throws ObjectNotFoundException, InvalidNicknameException
+    {
+        if (nickname==null) {
+            throw new InvalidNicknameException("Nickname must be non-null");
+        }
+        // 0 certificate usage was supposed to get current usage, however,
+        // it is not exposed at this point
+        return verifyCertificateNowNative(nickname,
+              checkSig,
+              (certificateUsage == null) ? 0:certificateUsage.getUsage());
+    }
+
+    private native boolean verifyCertificateNowNative(String nickname,
+        boolean checkSig, int certificateUsage) throws ObjectNotFoundException;
+
+    /**
+     * note: this method calls obsolete function in NSS
+     *
+     * Verify a certificate that exists in the given cert database,
+     * check if is valid and that we trust the issuer. Verify time
+     * against Now.
+     * @param nickname The nickname of the certificate to verify.
+     * @param checkSig verify the signature of the certificate
+      * @param certUsage see exposed certUsage defines to verify Certificate
+      * @return true for success; false otherwise
+      *
+@@ -1413,6 +1503,9 @@ public final class CryptoManager impleme
+         return verifyCertNowNative(nickname, checkSig, certUsage.getUsage());
+     }
+ 
+    /*
+     * Obsolete in NSS
+     */
+     private native boolean verifyCertNowNative(String nickname,
+         boolean checkSig, int cUsage) throws ObjectNotFoundException;
+ 
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix	2010-10-28 16:45:46.501899000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c	2010-10-31 17:25:53.575482000 -0700
+@@ -1575,11 +1575,62 @@ finish:
+ }
+ 
+ /***********************************************************************
+- * CryptoManager.verifyCertNowNative
+ * CryptoManager.verifyCertificateNowNative
+  *
+  * Returns JNI_TRUE if success, JNI_FALSE otherwise
+  */
+ JNIEXPORT jboolean JNICALL
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
+        jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
+{
+    SECStatus         rv    = SECFailure;
+    SECCertificateUsage      certificateUsage;
+    SECCertificateUsage      currUsage;  /* unexposed for now */
+    CERTCertificate   *cert=NULL;
+    char *nickname=NULL;
+
+    nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
+    if( nickname == NULL ) {
+         goto finish;
+    }
+
+    certificateUsage = required_certificateUsage;
+
+    cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
+
+    if (cert == NULL) {
+        JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
+        goto finish;
+    } else {
+    /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
+     * just get the current usage (which we are not passing back for now
+     * but will bypass the certificate usage check
+     */
+        rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
+            checkSig, certificateUsage, NULL, &currUsage );
+    }
+
+finish:
+    if(nickname != NULL) {
+      (*env)->ReleaseStringUTFChars(env, nickString, nickname);
+    }
+    if(cert != NULL) {
+       CERT_DestroyCertificate(cert);
+    }
+    if( rv == SECSuccess) {
+        return JNI_TRUE;
+    } else {
+        return JNI_FALSE;
+    }
+}
+
+
+/***********************************************************************
+ * CryptoManager.verifyCertNowNative
+ * note: this calls obsolete NSS function
+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
+ */
+JNIEXPORT jboolean JNICALL
+ Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env,
+         jobject self, jstring nickString, jboolean checkSig, jint cUsage)
+ {
--- a/jss.spec
+++ b/jss.spec
@ -1,6 +1,6 @@
 Name:           jss
 Version:        4.2.6
-Release:        7%{?dist}
+Release:        8%{?dist}
 Summary:        Java Security Services (JSS)

 Group:          System Environment/Libraries
@ -29,6 +29,7 @@ Patch4:         jss-ECC-pop.patch
 Patch5:         jss-loadlibrary.patch
 Patch6:         jss-ocspSettings.patch
 Patch7:         jss-ECC_keygen_byCurveName.patch
+Patch8:         jss-VerifyCertificate.patch


 %description
@ -53,6 +54,7 @@ This package contains the API documentation for JSS.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1

 %build
 [ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
@ -148,6 +150,9 @@ rm -rf $RPM_BUILD_ROOT


 %changelog
+* Mon Nov 1 2010 Christina Fu <cfu@redhat.com> 4.2.6-8
+- Bugzilla Bug # 647364 - Expose updated certificate verification function in JSS
+
 * Wed Oct 20 2010 Christina Fu <cfu@redhat.com> 4.2.6-7
 - Bugzilla Bug # 638833 - rfe ecc - add ec curve name support in JSS and CS
 - Bugzilla Bug # 529945 - expose NSS calls for OCSP settings