import jss-4.9.0-0.2.alpha2.module+el8.5.0+11409+03d10e24

This commit is contained in:
CentOS Sources 2021-06-19 05:10:50 +00:00 committed by Andrew Lukoshko
parent e5b59c7064
commit 0c734326e4
4 changed files with 63 additions and 149 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/jss-4.8.1.tar.gz
SOURCES/jss-4.9.0-alpha2.tar.gz

View File

@ -1 +1 @@
5bf724d866e8fd7e577ffdecb06dbb679b113ce3 SOURCES/jss-4.8.1.tar.gz
3af27626d1238104b594aeea6979a6347df9804b SOURCES/jss-4.9.0-alpha2.tar.gz

View File

@ -1,105 +0,0 @@
From 3cc2f62eaca0e616dadc3053919180615b48bf54 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alexander.m.scheel@gmail.com>
Date: Fri, 12 Mar 2021 20:41:51 -0500
Subject: [PATCH] Encrypt & unwrap symmetric key in FIPS mode (#678)
NSS doesn't generally allow keys to be imported in FIPS mode. However,
for portability with other JCA providers, we sometimes need to import
keys from byte arrays. Do this in the JNI layer by executing a PKCS#11
encrypt and then unwrap using the same key. This lets us effectively
"import" a key into a token, if the token supports using the given
mechanism for both encryption and unwrapping operations. Some HSMs are
getting stricter about this and forbid using the same key for encrypt
and unwrap operations.
Resolves: #334
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
---
org/mozilla/jss/pkcs11/PK11KeyWrapper.c | 62 ++++++++++++++++++++++++-
1 file changed, 60 insertions(+), 2 deletions(-)
diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
index f39a3796..e8e9da16 100644
--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
@@ -712,6 +712,61 @@ finish:
return keyObj;
}
+PK11SymKey *JSS_PK11_ImportSymKeyWithFlagsFIPS(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+ CK_ATTRIBUTE_TYPE operation, SECItem *key, CK_FLAGS flags,
+ PRBool isPerm, void *wincx)
+{
+ PK11SymKey *result = NULL;
+ PK11SymKey *wrapper = NULL;
+ SECStatus ret = SECFailure;
+ unsigned int wrapped_len = 0;
+ unsigned int wrapped_max = key->len + 64;
+ unsigned char *wrapped_key = calloc(wrapped_max, sizeof(unsigned char));
+ SECItem wrapped_item = { siBuffer, wrapped_key, 0 };
+ SECItem *param = NULL;
+
+ /* Steps:
+ * 1. Generate a temporary key to encrypt and unwrap with,
+ * 2. Encrypt our key to import using the wrapping key,
+ * 3. Unwrap into the token using the wrapping key.
+ */
+
+#define FIPS_KEYGEN_ALGO CKM_AES_KEY_GEN
+#define FIPS_ENCRYPT_UNWRAP_ALGO CKM_AES_KEY_WRAP_PAD
+
+ wrapper = PK11_KeyGen(slot, FIPS_KEYGEN_ALGO, NULL, 32, wincx);
+ if (wrapper == NULL) {
+ goto done;
+ }
+
+ param = PK11_GenerateNewParam(FIPS_ENCRYPT_UNWRAP_ALGO, wrapper);
+ if (param == NULL) {
+ goto done;
+ }
+
+ ret = PK11_Encrypt(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO, param,
+ wrapped_key, &wrapped_len, wrapped_max,
+ key->data, key->len);
+ if (ret != SECSuccess) {
+ goto done;
+ }
+
+ wrapped_item.len = wrapped_len;
+
+ result = PK11_UnwrapSymKeyWithFlagsPerm(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO,
+ param, &wrapped_item, type, operation, key->len, flags,
+ isPerm);
+
+done:
+ free(wrapped_key);
+ SECITEM_FreeItem(param, PR_TRUE);
+ if (wrapper != NULL) {
+ PK11_DeleteTokenSymKey(wrapper);
+ PK11_FreeSymKey(wrapper);
+ }
+ return result;
+}
+
/***********************************************************************
*
* PK11KeyWrapper.nativeUnwrapSymPlaintext
@@ -765,8 +820,11 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext
}
/* pull in the key */
- symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap,
- operation, wrappedKey, flags, isPerm, NULL);
+ if (PK11_IsFIPS()) {
+ symKey = JSS_PK11_ImportSymKeyWithFlagsFIPS(slot, keyTypeMech, operation, wrappedKey, flags, isPerm, NULL);
+ } else {
+ symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap, operation, wrappedKey, flags, isPerm, NULL);
+ }
if( symKey == NULL ) {
JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Failed to unwrap key");
goto finish;
--
2.26.2

View File

@ -6,9 +6,11 @@ Summary: Java Security Services (JSS)
URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+
Version: 4.8.1
Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -a1
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
Version: 4.9.0
Release: 0.2.alpha2%{?_timestamp}%{?_commit_id}%{?dist}
%global _phase -alpha2
# To generate the source tarball:
# $ git clone https://github.com/dogtagpki/jss.git
@ -25,14 +27,34 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
# <version tag> \
# > jss-VERSION-RELEASE.patch
# Patch: jss-VERSION-RELEASE.patch
Patch1: 0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch
################################################################################
# Java
################################################################################
%if 0%{?fedora} && 0%{?fedora} <= 32 || 0%{?rhel} && 0%{?rhel} <= 8
%define java_devel java-1.8.0-openjdk-devel
%define java_headless java-1.8.0-openjdk-headless
%define java_home /usr/lib/jvm/jre-1.8.0-openjdk
%else
%define java_devel java-11-openjdk-devel
%define java_headless java-11-openjdk-headless
%define java_home /usr/lib/jvm/jre-11-openjdk
%endif
################################################################################
# Build Options
################################################################################
# By default the build will execute unit tests unless --without test
# option is specified.
%bcond_without test
################################################################################
# Build Dependencies
################################################################################
# autosetup
BuildRequires: git
BuildRequires: make
BuildRequires: cmake >= 3.14
BuildRequires: zip
@ -42,29 +64,21 @@ BuildRequires: gcc-c++
BuildRequires: nspr-devel >= 4.13.1
BuildRequires: nss-devel >= 3.44
BuildRequires: nss-tools >= 3.44
BuildRequires: java-devel
BuildRequires: %{java_devel}
BuildRequires: jpackage-utils
BuildRequires: slf4j
BuildRequires: glassfish-jaxb-api
%if 0%{?rhel} && 0%{?rhel} <= 7
# no slf4j-jdk14
%else
BuildRequires: slf4j-jdk14
%endif
BuildRequires: apache-commons-lang3
BuildRequires: junit
Requires: nss >= 3.44
Requires: java-headless
Requires: %{java_headless}
Requires: jpackage-utils
Requires: slf4j
Requires: glassfish-jaxb-api
%if 0%{?rhel} && 0%{?rhel} <= 7
# no slf4j-jdk14
%else
Requires: slf4j-jdk14
%endif
Requires: apache-commons-lang3
Conflicts: ldapjdk < 4.20
@ -90,15 +104,13 @@ This package contains the API documentation for JSS.
################################################################################
%prep
%autosetup -n %{name}-%{version}%{?_phase} -p 1 -S git
%autosetup -n %{name}-%{version}%{?_phase} -p 1
################################################################################
%build
%set_build_flags
[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
# Enable compiler optimizations
export BUILD_OPT=1
@ -111,39 +123,43 @@ modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENA
# The Makefile is not thread-safe
%cmake \
-DVERSION=%{version} \
-DJAVA_HOME=%{java_home} \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
-DJSS_LIB_INSTALL_DIR=%{_libdir}/jss \
-B %{_vpath_builddir}
cd %{_vpath_builddir}
%{__make} all
%{__make} javadoc
%{__make} \
VERBOSE=%{?_verbose} \
CMAKE_NO_VERBOSE=1 \
--no-print-directory \
all
%{__make} \
VERBOSE=%{?_verbose} \
CMAKE_NO_VERBOSE=1 \
--no-print-directory \
javadoc
%if %{with test}
ctest --output-on-failure
%endif
################################################################################
%install
# There is no install target so we'll do it by hand
cd %{_vpath_builddir}
# jars
install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
install -m 644 %{_vpath_builddir}/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
%{__make} \
VERBOSE=%{?_verbose} \
CMAKE_NO_VERBOSE=1 \
DESTDIR=%{buildroot} \
INSTALL="install -p" \
--no-print-directory \
install
# We have to use the name libjss4.so because this is dynamically
# loaded by the jar file.
install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
install -m 0755 %{_vpath_builddir}/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
pushd ${RPM_BUILD_ROOT}%{_libdir}/jss
ln -fs %{_jnidir}/jss4.jar jss4.jar
popd
# javadoc
install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
cp -rp %{_vpath_builddir}/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
cp -p jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
# No ldconfig is required since this library is loaded by Java itself.
################################################################################
%files
@ -161,8 +177,11 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
################################################################################
%changelog
* Tue Mar 16 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-2
- Bug 1932803 - HSM + FIPS: CMCRequest with a shared secret resulting in error
* Fri Jun 11 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-0.2
- Rebase to JSS 4.9.0-alpha2
* Wed Jun 02 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-0.1
- Rebase to JSS 4.9.0-alpha1
* Thu Jan 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-1
- Rebase to upstream JSS v4.8.1