import jss-4.9.0-0.2.alpha2.module+el8.5.0+11409+03d10e24

.gitignore

@@ -1 +1 @@
-SOURCES/jss-4.8.1.tar.gz
+SOURCES/jss-4.9.0-alpha2.tar.gz

.jss.metadata

@@ -1 +1 @@
-5bf724d866e8fd7e577ffdecb06dbb679b113ce3 SOURCES/jss-4.8.1.tar.gz
+3af27626d1238104b594aeea6979a6347df9804b SOURCES/jss-4.9.0-alpha2.tar.gz

SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch

@@ -1,105 +0,0 @@
-From 3cc2f62eaca0e616dadc3053919180615b48bf54 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <alexander.m.scheel@gmail.com>
-Date: Fri, 12 Mar 2021 20:41:51 -0500
-Subject: [PATCH] Encrypt & unwrap symmetric key in FIPS mode (#678)
-
-NSS doesn't generally allow keys to be imported in FIPS mode. However,
-for portability with other JCA providers, we sometimes need to import
-keys from byte arrays. Do this in the JNI layer by executing a PKCS#11
-encrypt and then unwrap using the same key. This lets us effectively
-"import" a key into a token, if the token supports using the given
-mechanism for both encryption and unwrapping operations. Some HSMs are
-getting stricter about this and forbid using the same key for encrypt
-and unwrap operations.
-
-Resolves: #334
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
-Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
----
- org/mozilla/jss/pkcs11/PK11KeyWrapper.c | 62 ++++++++++++++++++++++++-
- 1 file changed, 60 insertions(+), 2 deletions(-)
-
-diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
-index f39a3796..e8e9da16 100644
---- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
-+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
-@@ -712,6 +712,61 @@ finish:
-     return keyObj;
- }
- 
-+PK11SymKey *JSS_PK11_ImportSymKeyWithFlagsFIPS(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
-+        CK_ATTRIBUTE_TYPE operation, SECItem *key, CK_FLAGS flags,
-+        PRBool isPerm, void *wincx)
-+{
-+    PK11SymKey *result = NULL;
-+    PK11SymKey *wrapper = NULL;
-+    SECStatus ret = SECFailure;
-+    unsigned int wrapped_len = 0;
-+    unsigned int wrapped_max = key->len + 64;
-+    unsigned char *wrapped_key = calloc(wrapped_max, sizeof(unsigned char));
-+    SECItem wrapped_item = { siBuffer, wrapped_key, 0 };
-+    SECItem *param = NULL;
-+
-+    /* Steps:
-+     * 1. Generate a temporary key to encrypt and unwrap with,
-+     * 2. Encrypt our key to import using the wrapping key,
-+     * 3. Unwrap into the token using the wrapping key.
-+     */
-+
-+#define FIPS_KEYGEN_ALGO CKM_AES_KEY_GEN
-+#define FIPS_ENCRYPT_UNWRAP_ALGO CKM_AES_KEY_WRAP_PAD
-+
-+    wrapper = PK11_KeyGen(slot, FIPS_KEYGEN_ALGO, NULL, 32, wincx);
-+    if (wrapper == NULL) {
-+        goto done;
-+    }
-+
-+    param = PK11_GenerateNewParam(FIPS_ENCRYPT_UNWRAP_ALGO, wrapper);
-+    if (param == NULL) {
-+        goto done;
-+    }
-+
-+    ret = PK11_Encrypt(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO, param,
-+            wrapped_key, &wrapped_len, wrapped_max,
-+            key->data, key->len);
-+    if (ret != SECSuccess) {
-+        goto done;
-+    }
-+
-+    wrapped_item.len = wrapped_len;
-+
-+    result = PK11_UnwrapSymKeyWithFlagsPerm(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO,
-+            param, &wrapped_item, type, operation, key->len, flags,
-+            isPerm);
-+
-+done:
-+    free(wrapped_key);
-+    SECITEM_FreeItem(param, PR_TRUE);
-+    if (wrapper != NULL) {
-+        PK11_DeleteTokenSymKey(wrapper);
-+        PK11_FreeSymKey(wrapper);
-+    }
-+    return result;
-+}
-+
- /***********************************************************************
-  *
-  * PK11KeyWrapper.nativeUnwrapSymPlaintext
-@@ -765,8 +820,11 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext
-     }
- 
-     /* pull in the key */
--    symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap,
--        operation, wrappedKey, flags, isPerm, NULL);
-+    if (PK11_IsFIPS()) {
-+        symKey = JSS_PK11_ImportSymKeyWithFlagsFIPS(slot, keyTypeMech, operation, wrappedKey, flags, isPerm, NULL);
-+    } else {
-+        symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap, operation, wrappedKey, flags, isPerm, NULL);
-+    }
-     if( symKey == NULL ) {
-         JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Failed to unwrap key");
-         goto finish;
--- 
-2.26.2
-

SPECS/jss.spec

@@ -6,9 +6,11 @@ Summary:        Java Security Services (JSS)
 URL:            http://www.dogtagpki.org/wiki/JSS
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 
-Version:        4.8.1
+# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
-Release:        2%{?_timestamp}%{?_commit_id}%{?dist}
+# For official (i.e. supported) releases, use x.y.z-r where r >=1.
-#global         _phase -a1
+Version:        4.9.0
+Release:        0.2.alpha2%{?_timestamp}%{?_commit_id}%{?dist}
+%global         _phase -alpha2
 
 # To generate the source tarball:
 # $ git clone https://github.com/dogtagpki/jss.git
@@ -25,14 +27,34 @@ Source:         https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
 #     <version tag> \
 #     > jss-VERSION-RELEASE.patch
 # Patch: jss-VERSION-RELEASE.patch
-Patch1: 0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch
+
+################################################################################
+# Java
+################################################################################
+
+%if 0%{?fedora} && 0%{?fedora} <= 32 || 0%{?rhel} && 0%{?rhel} <= 8
+%define java_devel java-1.8.0-openjdk-devel
+%define java_headless java-1.8.0-openjdk-headless
+%define java_home /usr/lib/jvm/jre-1.8.0-openjdk
+%else
+%define java_devel java-11-openjdk-devel
+%define java_headless java-11-openjdk-headless
+%define java_home /usr/lib/jvm/jre-11-openjdk
+%endif
+
+################################################################################
+# Build Options
+################################################################################
+
+# By default the build will execute unit tests unless --without test
+# option is specified.
+
+%bcond_without test
 
 ################################################################################
 # Build Dependencies
 ################################################################################
 
-# autosetup
-BuildRequires:  git
 BuildRequires:  make
 BuildRequires:  cmake >= 3.14
 BuildRequires:  zip
@@ -42,29 +64,21 @@ BuildRequires:  gcc-c++
 BuildRequires:  nspr-devel >= 4.13.1
 BuildRequires:  nss-devel >= 3.44
 BuildRequires:  nss-tools >= 3.44
-BuildRequires:  java-devel
+BuildRequires:  %{java_devel}
 BuildRequires:  jpackage-utils
 BuildRequires:  slf4j
 BuildRequires:  glassfish-jaxb-api
-%if 0%{?rhel} && 0%{?rhel} <= 7
-# no slf4j-jdk14
-%else
 BuildRequires:  slf4j-jdk14
-%endif
 BuildRequires:  apache-commons-lang3
 
 BuildRequires:  junit
 
 Requires:       nss >= 3.44
-Requires:       java-headless
+Requires:       %{java_headless}
 Requires:       jpackage-utils
 Requires:       slf4j
 Requires:       glassfish-jaxb-api
-%if 0%{?rhel} && 0%{?rhel} <= 7
-# no slf4j-jdk14
-%else
 Requires:       slf4j-jdk14
-%endif
 Requires:       apache-commons-lang3
 
 Conflicts:      ldapjdk < 4.20
@@ -90,15 +104,13 @@ This package contains the API documentation for JSS.
 ################################################################################
 %prep
 
-%autosetup -n %{name}-%{version}%{?_phase} -p 1 -S git
+%autosetup -n %{name}-%{version}%{?_phase} -p 1
 
 ################################################################################
 %build
 
 %set_build_flags
 
-[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
-
 # Enable compiler optimizations
 export BUILD_OPT=1
 
@@ -111,39 +123,43 @@ modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENA
 
 # The Makefile is not thread-safe
 %cmake \
+    -DVERSION=%{version} \
     -DJAVA_HOME=%{java_home} \
     -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
+    -DJSS_LIB_INSTALL_DIR=%{_libdir}/jss \
     -B %{_vpath_builddir}
 
 cd %{_vpath_builddir}
-%{__make} all
+
-%{__make} javadoc
+%{__make} \
+    VERBOSE=%{?_verbose} \
+    CMAKE_NO_VERBOSE=1 \
+    --no-print-directory \
+    all
+
+%{__make} \
+    VERBOSE=%{?_verbose} \
+    CMAKE_NO_VERBOSE=1 \
+    --no-print-directory \
+    javadoc
+
+%if %{with test}
 ctest --output-on-failure
+%endif
 
 ################################################################################
 %install
 
-# There is no install target so we'll do it by hand
+cd %{_vpath_builddir}
 
-# jars
+%{__make} \
-install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
+    VERBOSE=%{?_verbose} \
-install -m 644 %{_vpath_builddir}/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
+    CMAKE_NO_VERBOSE=1 \
+    DESTDIR=%{buildroot} \
+    INSTALL="install -p" \
+    --no-print-directory \
+    install
 
-# We have to use the name libjss4.so because this is dynamically
-# loaded by the jar file.
-install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
-install -m 0755 %{_vpath_builddir}/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
-pushd  ${RPM_BUILD_ROOT}%{_libdir}/jss
-    ln -fs %{_jnidir}/jss4.jar jss4.jar
-popd
-
-# javadoc
-install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -rp %{_vpath_builddir}/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -p jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-
-# No ldconfig is required since this library is loaded by Java itself.
 ################################################################################
 %files
 
@@ -161,8 +177,11 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 
 ################################################################################
 %changelog
-* Tue Mar 16 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-2
+* Fri Jun 11 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-0.2
-- Bug 1932803 - HSM + FIPS: CMCRequest with a shared secret resulting in error
+- Rebase to JSS 4.9.0-alpha2
+
+* Wed Jun 02 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-0.1
+- Rebase to JSS 4.9.0-alpha1
 
 * Thu Jan 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-1
 - Rebase to upstream JSS v4.8.1