Import rpm: ddb4609f0491e1d990a0899de9de481e20ef96a1

2022-08-08 13:56:14 -04:00 · 2022-08-08 13:56:14 -04:00 · 0727152d89
commit 0727152d89
12 changed files with 458 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+SOURCES/jss-4.9.4.tar.gz
--- a/copr-build.sh
+++ b/copr-build.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+
+REPO=$1
+
+if [ "$REPO" == "" ]; then
+    REPO="pki-10.6"
+fi
+
+fedpkg copr-build --nowait $REPO
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,7 @@
+# recipients: rhcs-team
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/jss.rpmlintrc
+++ b/jss.rpmlintrc
@ -0,0 +1,5 @@
+addFilter('W: spelling-error')
+addFilter('W: dangling-symlink')
+addFilter('W: no-manual-page-for-binary')
+addFilter('W: log-files-without-logrotate')
+
--- a/jss.spec
+++ b/jss.spec
@ -0,0 +1,296 @@
+################################################################################
+Name:           jss
+################################################################################
+
+%global         major_version 4
+%global         minor_version 9
+%global         update_version 4
+
+Summary:        Java Security Services (JSS)
+URL:            http://www.dogtagpki.org/wiki/JSS
+License:        MPLv1.1 or GPLv2+ or LGPLv2+
+
+# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
+# For official (i.e. supported) releases, use x.y.z-r where r >=1.
+Version:        %{major_version}.%{minor_version}.%{update_version}
+Release:        1%{?_timestamp}%{?_commit_id}%{?dist}
+#global         _phase -alpha1
+
+# To generate the source tarball:
+# $ git clone https://github.com/dogtagpki/jss.git
+# $ cd jss
+# $ git tag v4.5.<z>
+# $ git push origin v4.5.<z>
+# Then go to https://github.com/dogtagpki/jss/releases and download the source
+# tarball.
+Source:         https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phase}/%{name}-%{version}%{?_phase}.tar.gz
+
+# To create a patch for all changes since a version tag:
+# $ git format-patch \
+#     --stdout \
+#     <version tag> \
+#     > jss-VERSION-RELEASE.patch
+# Patch: jss-VERSION-RELEASE.patch
+
+################################################################################
+# Java
+################################################################################
+
+%if 0%{?fedora} && 0%{?fedora} <= 32 || 0%{?rhel} && 0%{?rhel} <= 8
+%define java_devel java-1.8.0-openjdk-devel
+%define java_headless java-1.8.0-openjdk-headless
+%define java_home /usr/lib/jvm/jre-1.8.0-openjdk
+%else
+%define java_devel java-11-openjdk-devel
+%define java_headless java-11-openjdk-headless
+%define java_home /usr/lib/jvm/jre-11-openjdk
+%endif
+
+################################################################################
+# Build Options
+################################################################################
+
+# By default the build will execute unit tests unless --without test
+# option is specified.
+
+%bcond_without test
+
+################################################################################
+# Build Dependencies
+################################################################################
+
+BuildRequires:  make
+BuildRequires:  cmake >= 3.14
+BuildRequires:  zip
+BuildRequires:  unzip
+
+BuildRequires:  gcc-c++
+BuildRequires:  nss-devel >= 3.44
+BuildRequires:  nss-tools >= 3.44
+BuildRequires:  %{java_devel}
+BuildRequires:  jpackage-utils
+BuildRequires:  slf4j
+BuildRequires:  glassfish-jaxb-api
+BuildRequires:  slf4j-jdk14
+BuildRequires:  apache-commons-lang3
+
+BuildRequires:  junit
+
+Requires:       nss >= 3.44
+Requires:       %{java_headless}
+Requires:       jpackage-utils
+Requires:       slf4j
+Requires:       glassfish-jaxb-api
+Requires:       slf4j-jdk14
+Requires:       apache-commons-lang3
+
+Provides:       jss = %{major_version}.%{minor_version}
+
+Conflicts:      ldapjdk < 4.20
+Conflicts:      idm-console-framework < 1.2
+Conflicts:      tomcatjss < 7.6.0
+Conflicts:      pki-base < 10.10.0
+
+%description
+Java Security Services (JSS) is a java native interface which provides a bridge
+for java-based applications to use native Network Security Services (NSS).
+This only works with gcj. Other JREs require that JCE providers be signed.
+
+################################################################################
+%package javadoc
+################################################################################
+
+Summary:        Java Security Services (JSS) Javadocs
+
+Provides:       javadoc = %{major_version}.%{minor_version}
+
+%description javadoc
+This package contains the API documentation for JSS.
+
+################################################################################
+%prep
+
+%autosetup -n %{name}-%{version}%{?_phase} -p 1
+
+################################################################################
+%build
+
+%set_build_flags
+
+# Enable compiler optimizations
+export BUILD_OPT=1
+
+# Generate symbolic info for debuggers
+CFLAGS="-g $RPM_OPT_FLAGS"
+export CFLAGS
+
+# Check if we're in FIPS mode
+modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
+
+# The Makefile is not thread-safe
+%cmake \
+    -DVERSION=%{version} \
+    -DJAVA_HOME=%{java_home} \
+    -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
+    -DJSS_LIB_INSTALL_DIR=%{_libdir}/jss \
+    -B %{_vpath_builddir}
+
+cd %{_vpath_builddir}
+
+%{__make} \
+    VERBOSE=%{?_verbose} \
+    CMAKE_NO_VERBOSE=1 \
+    --no-print-directory \
+    all
+
+%{__make} \
+    VERBOSE=%{?_verbose} \
+    CMAKE_NO_VERBOSE=1 \
+    --no-print-directory \
+    javadoc
+
+%if %{with test}
+ctest --output-on-failure
+%endif
+
+################################################################################
+%install
+
+cd %{_vpath_builddir}
+
+%{__make} \
+    VERBOSE=%{?_verbose} \
+    CMAKE_NO_VERBOSE=1 \
+    DESTDIR=%{buildroot} \
+    INSTALL="install -p" \
+    --no-print-directory \
+    install
+
+################################################################################
+%files
+
+%defattr(-,root,root,-)
+%doc jss.html
+%license MPL-1.1.txt gpl.txt lgpl.txt
+%{_libdir}/*
+%{_jnidir}/*
+
+################################################################################
+%files javadoc
+
+%defattr(-,root,root,-)
+%{_javadocdir}/%{name}-%{version}/
+
+################################################################################
+%changelog
+* Wed Jun 01 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.4-1
+- Rebase to JSS 4.9.4
+- Bug 2013674 - JSS cannot be properly initialized after using another NSS-backed security provider
+
+* Tue Feb 15 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.3-1
+- Rebase to JSS 4.9.3
+- Bug 2046022 - CVE-2021-4213 pki-core:10.6/jss: memory leak in TLS connection leads to OOM [rhel-8]
+
+* Mon Nov 15 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.2-1
+- Rebase to JSS 4.9.2
+
+* Tue Sep 21 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.1-1
+- Rebase to JSS 4.9.1
+
+* Mon Jul 26 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-1
+- Rebase to JSS 4.9.0
+
+* Fri Jun 11 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-0.2
+- Rebase to JSS 4.9.0-alpha2
+
+* Wed Jun 02 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-0.1
+- Rebase to JSS 4.9.0-alpha1
+
+* Thu Jan 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-1
+- Rebase to upstream JSS v4.8.1
+- Red Hat Bugilla #1908541 - jss broke SCEP - missing PasswordChallenge class
+- Red Hat Bugilla #1489256 - [RFE] jss should support RSA with OAEP padding
+
+* Wed Nov 18 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.0-2
+- Only check PKCS11Constants on beta builds
+- Bump tomcatjss, pki-core conflicts due to lang3
+
+* Wed Oct 28 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.0-1
+- Rebase to upstream JSS v4.8.0
+
+* Tue Oct 20 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.0-0.1
+- Rebase to upstream JSS v4.8.0-b1
+
+* Fri Sep 11 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.3-1
+- Rebase to upstream stable release JSS v4.7.3
+- Red Hat Bugzilla #1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add
+
+* Thu Aug 06 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.2-1
+- Rebase to upstream stable release JSS v4.7.2
+- Red Hat Bugzilla #1822246 - Fix SSLSocket NULL pointer deference after close
+
+* Fri Jul 31 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.1-1
+- Rebase to upstream stable release JSS v4.7.1
+
+* Thu Jul 09 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-1
+- Rebase to upstream stable release JSS v4.7.0
+- Fixed TestSSLEngine
+
+* Thu Jun 25 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.4
+- Rebased to JSS 4.7.0-b4
+
+* Mon Jun 22 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.3
+- Rebased to JSS 4.7.0-b3
+
+* Tue May 26 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.1
+- Rebased to JSS 4.7.0-b1
+
+* Mon Mar 23 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-4
+- Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing
+
+* Mon Mar 02 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-3
+- Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing
+
+* Tue Oct 29 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-2
+- Red Hat Bugzilla #1730767 - JSS: Wrap NSS CMAC + KDF implementations
+- Rebased to JSS 4.6.2
+
+* Wed Sep 11 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-5
+- Red Hat Bugzilla #1747987 - CVE 2019-14823 jss: OCSP policy "Leaf and Chain" implicitly trusts the root certificate
+
+* Wed Aug 14 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-4
+- Red Hat Bugzilla #1698059 - pki-core implements crypto
+
+* Tue Jul 16 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-3
+- Red Hat Bugzilla #1721135 - JSS - LD_FLAGS support
+
+* Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-2
+- Minor updates to release
+
+* Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-1
+- Rebased to JSS 4.6.0
+
+* Thu Apr 25 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.3-1
+- Rebased to JSS 4.5.3
+
+* Fri Aug 10 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-1
+- Rebased to JSS 4.5.0
+
+* Tue Aug 07 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.6
+- Rebased to JSS 4.5.0-b1
+
+* Tue Aug 07 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.5
+- Red Hat Bugzilla #1612063 - Do not override system crypto policy (support TLS 1.3)
+
+* Fri Jul 20 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.4
+- Rebased to JSS 4.5.0-a4
+- Red Hat Bugzilla #1604462 - jss: FTBFS in Fedora rawhide
+
+* Thu Jul 05 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.3
+- Rebased to JSS 4.5.0-a3
+
+* Fri Jun 22 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.2
+- Rebased to JSS 4.5.0-a2
+
+* Fri Jun 15 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.1
+- Rebased to JSS 4.5.0-a1
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA1 (jss-4.9.4.tar.gz) = b99d8fd7a9296f7cf480ca92a097dcf18c41eb53
--- a/sources-update.sh
+++ b/sources-update.sh
@ -0,0 +1,7 @@
+#!/bin/sh
+
+SOURCE=$1
+TARGET=`basename $1`
+
+cp $SOURCE $TARGET
+sha512sum --tag $TARGET > sources
--- a/tests/roles/Test_Setup/files/ca.cfg
+++ b/tests/roles/Test_Setup/files/ca.cfg
@ -0,0 +1,25 @@
+[DEFAULT]
+pki_server_database_password=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
--- a/tests/roles/Test_Setup/files/ds-create.sh
+++ b/tests/roles/Test_Setup/files/ds-create.sh
@ -0,0 +1,24 @@
+#!/bin/bash -ex
+
+# This command needs to be executed as it pulls the machine name
+# dynamically.
+dscreate create-template /tmp/test_dir/ds.inf
+
+sed -i \
+    -e "s/;instance_name = .*/instance_name = localhost/g" \
+    -e "s/;root_password = .*/root_password = Secret.123/g" \
+    -e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
+    -e "s/;self_sign_cert = .*/self_sign_cert = False/g" \
+    /tmp/test_dir/ds.inf
+
+dscreate from-file /tmp/test_dir/ds.inf
+
+ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
+dn: dc=example,dc=com
+objectClass: domain
+dc: example
+
+dn: dc=pki,dc=example,dc=com
+objectClass: domain
+dc: pki
+EOF
--- a/tests/roles/Test_Setup/files/kra.cfg
+++ b/tests/roles/Test_Setup/files/kra.cfg
@ -0,0 +1,27 @@
+[DEFAULT]
+pki_server_database_password=Secret.123
+
+[KRA]
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_database=kra
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_storage_nickname=kra_storage
+pki_transport_nickname=kra_transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
--- a/tests/roles/Test_Setup/tasks/main.yml
+++ b/tests/roles/Test_Setup/tasks/main.yml
@ -0,0 +1,26 @@
+---
+
+- name: Install jss
+  dnf:
+    name: >
+      jss
+
+- name: Install required packages
+  dnf:
+    name: >
+      389-ds-base, pki-ca, pki-kra
+
+- name: Creates directory
+  file: path=/tmp/test_files state=directory
+
+- name: Copying templates to /tmp folder
+  copy : src=.  dest=/tmp/test_dir
+
+- name: Setup DS Service
+  shell: sh /tmp/test_dir/ds-create.sh
+
+- name: Install CA subsystem
+  shell: pkispawn -f /tmp/test_dir/ca.cfg -s CA -v
+
+- name: Install KRA subsystem
+  shell: pkispawn -f /tmp/test_dir/kra.cfg -s KRA -v
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -0,0 +1,30 @@
+- hosts: localhost
+  remote_user: root
+  tags:
+    - classic
+  roles:
+  - role: Test_Setup
+  - role: standard-test-basic
+    tests:
+    - verify_spawn_ca:
+        dir: .
+        run: "curl http://localhost:8080/ca/admin/ca/getStatus | grep '\"Status\" : \"running\"'"
+    - verify_spawn_kra:
+        dir: .
+        run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep '\"Status\" : \"running\"'"
+    - destroy_kra:
+        dir: .
+        run: "pkidestroy -i pki-tomcat -s KRA && sleep 5"
+    - verify_destroy_kra:
+        dir: .
+        run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep 'HTTP Status 404'"
+    - destroy_ca:
+        dir: .
+        run: "pkidestroy -i pki-tomcat -s CA"
+    - verify_destroy_ca:
+        dir: .
+        run: "curl http://localhost:8080/ca/admin/ca/getStatus  &> testfile.log || true && grep 'Connection refused' testfile.log"
+    required_packages:
+    - jss
+    - pki-ca
+    - pki-kra
				`@ -0,0 +1 @@`
				`SHA1 (jss-4.9.4.tar.gz) = b99d8fd7a9296f7cf480ca92a097dcf18c41eb53`