From 2bdd1199972bb28747b6f73ff140285e727a5c16 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 4 Mar 2020 11:33:04 -0500
Subject: [PATCH] Rebase to JSS v4.6.3

Also fixes three additional issues found since v4.6.3 rebase.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
 .gitignore                                    |  1 +
 0001-Fix-NativeProxy-reference-tracker.patch  | 53 ------------
 0001-Fix-base64-encoding-of-CSRs.patch        | 39 +++++++++
 ...Fix-swapped-parameter-names-with-PBE.patch | 80 +++++++++++++++++++
 ...-Use-specified-algorithm-for-KeyWrap.patch | 60 ++++++++++++++
 ...-Use-specified-algorithm-for-KeyWrap.patch | 60 ++++++++++++++
 jss.spec                                      | 14 +++-
 sources                                       |  2 +-
 8 files changed, 252 insertions(+), 57 deletions(-)
 delete mode 100644 0001-Fix-NativeProxy-reference-tracker.patch
 create mode 100644 0001-Fix-base64-encoding-of-CSRs.patch
 create mode 100644 0002-Fix-swapped-parameter-names-with-PBE.patch
 create mode 100644 0003-Use-specified-algorithm-for-KeyWrap.patch
 create mode 100644 0008-Use-specified-algorithm-for-KeyWrap.patch

diff --git a/.gitignore b/.gitignore
index 5981ea6..77527dc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@ jss-4.2.6.tar.gz
 /jss-4.5.3.tar.gz
 /jss-4.6.1.tar.gz
 /jss-4.6.2.tar.gz
+/jss-4.6.3.tar.gz
diff --git a/0001-Fix-NativeProxy-reference-tracker.patch b/0001-Fix-NativeProxy-reference-tracker.patch
deleted file mode 100644
index 529b576..0000000
--- a/0001-Fix-NativeProxy-reference-tracker.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 91514ca0a2979ba778d27220ced0cd312e2cd2d2 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Tue, 29 Oct 2019 10:43:56 -0400
-Subject: [PATCH] Fix NativeProxy reference tracker
-
-In eb5df01003d74b57473eacb84e538d31f5bb06ca, I introduced a bug by
-setting mPointer after trying to add NativeProxy to the registry. In
-most instances this won't matter, however, if another instance exists in
-the HashSet with the same hash value, the equals comparator will be
-used, triggering a NPE.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/util/NativeProxy.java | 13 +++++--------
- 1 file changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
-index 1c6d1aa5..a0811f76 100644
---- a/org/mozilla/jss/util/NativeProxy.java
-+++ b/org/mozilla/jss/util/NativeProxy.java
-@@ -40,8 +40,8 @@ public abstract class NativeProxy implements AutoCloseable
-      */
-     public NativeProxy(byte[] pointer) {
- 		assert(pointer!=null);
--        registry.add(this);
-         mPointer = pointer;
-+        registry.add(this);
- 
-         if (saveStacktraces) {
-             mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
-@@ -61,15 +61,12 @@ public abstract class NativeProxy implements AutoCloseable
-         if( ! (obj instanceof NativeProxy) ) {
-             return false;
-         }
--        if( ((NativeProxy)obj).mPointer.length != mPointer.length) {
-+        if (((NativeProxy)obj).mPointer == null) {
-+            /* If mPointer is null, we have no way to compare the values
-+             * of the pointers, so assume they're unequal. */
-             return false;
-         }
--        for(int i=0; i < mPointer.length; i++) {
--            if(mPointer[i] != ((NativeProxy)obj).mPointer[i]) {
--                return false;
--            }
--        }
--        return true;
-+        return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
-     }
- 
-     /**
--- 
-2.21.0
-
diff --git a/0001-Fix-base64-encoding-of-CSRs.patch b/0001-Fix-base64-encoding-of-CSRs.patch
new file mode 100644
index 0000000..f898ed1
--- /dev/null
+++ b/0001-Fix-base64-encoding-of-CSRs.patch
@@ -0,0 +1,39 @@
+From 18efce236af6a1affebb274838318ba715114218 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Tue, 25 Feb 2020 09:14:47 -0500
+Subject: [PATCH 3/8] Fix base64-encoding of CSRs
+
+In 8de4440c5652f6f1af5b4b923a15730ba84f29e1, the base64 encoder was
+changed from apache-commons-codec to the Java standard library to drop
+a dependency. However, the behavior changed as a result: the Java
+standard library doesn't include a final line separator, whereas
+apache-commons-codec did. This results in malformed CSRs:
+
+> YWRPxyBKvFAOB29fwPwBJLZksrwQ0xAs7sooc+qF-----END NEW CERTIFICATE REQUEST-----
+
+Resolves: https://pagure.io/freeipa/issue/8199
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ org/mozilla/jss/netscape/security/util/Utils.java | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/org/mozilla/jss/netscape/security/util/Utils.java b/org/mozilla/jss/netscape/security/util/Utils.java
+index 19f3b1f9..e6e56ce4 100644
+--- a/org/mozilla/jss/netscape/security/util/Utils.java
++++ b/org/mozilla/jss/netscape/security/util/Utils.java
+@@ -378,7 +378,10 @@ public class Utils {
+      * @return base-64 encoded data
+      */
+     public static String base64encodeMultiLine(byte[] bytes) {
+-        return Base64.getMimeEncoder().encodeToString(bytes);
++        // When switching from apache-commons-codec to the standard library,
++        // the standard library does not include a final line separator at
++        // the end of the encoded data. This results in malformed CSRs.
++        return Base64.getMimeEncoder().encodeToString(bytes) + "\r\n";
+     }
+ 
+ 
+-- 
+2.24.1
+
diff --git a/0002-Fix-swapped-parameter-names-with-PBE.patch b/0002-Fix-swapped-parameter-names-with-PBE.patch
new file mode 100644
index 0000000..c535f6e
--- /dev/null
+++ b/0002-Fix-swapped-parameter-names-with-PBE.patch
@@ -0,0 +1,80 @@
+From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Fri, 28 Feb 2020 14:10:32 -0500
+Subject: [PATCH 7/8] Fix swapped parameter names with PBE
+
+Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression
+related to extracting the parameter classes during PBE operations:
+previously, the classes of the underlying encryption algorithm were
+iterated over, instead of the classes of the PBE class itself. However,
+this commit iterated over the PBE parameter classes; no PBE algorithm
+accepts a IvParameterSpec, resulting in a null parameter passed to the
+later encryption or key wrap operation. This resulted in stack traces
+like the following:
+
+Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter
+	at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225)
+	at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89)
+	at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57)
+	at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342)
+
+Resolves: rh-bz#1807371
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ org/mozilla/jss/pkcs7/EncryptedContentInfo.java             | 2 +-
+ org/mozilla/jss/pkix/cms/EncryptedContentInfo.java          | 2 +-
+ org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
+index 084752c3..0344b14d 100644
+--- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
++++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
+@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value {
+         // generate IV
+         EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
+         AlgorithmParameterSpec params=null;
+-        Class<?> [] paramClasses = pbeAlg.getParameterClasses();
++        Class<?> [] paramClasses = encAlg.getParameterClasses();
+         for (int i = 0; i < paramClasses.length; i ++) {
+             if ( paramClasses[i].equals(
+                       javax.crypto.spec.IvParameterSpec.class ) ) {
+diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
+index a4709070..d85eb0d3 100644
+--- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
++++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
+@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value {
+         // generate IV
+         EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
+         AlgorithmParameterSpec params=null;
+-        Class<?> [] paramClasses = pbeAlg.getParameterClasses();
++        Class<?> [] paramClasses = encAlg.getParameterClasses();
+         for (int i = 0; i < paramClasses.length; i ++) {
+             if ( paramClasses[i].equals( IVParameterSpec.class ) ) {
+                 params = new IVParameterSpec( kg.generatePBE_IV() );
+diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+index b35714e3..ebd269f3 100644
+--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
++++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
+         // generate IV
+         EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
+         AlgorithmParameterSpec params=null;
+-        Class<?> [] paramClasses = pbeAlg.getParameterClasses();
++        Class<?> [] paramClasses = encAlg.getParameterClasses();
+         for (int i = 0; i < paramClasses.length; i ++) {
+             if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) {
+                 params = new IVParameterSpec( kg.generatePBE_IV() );
+@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
+         // generate IV
+         EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
+         AlgorithmParameterSpec params=null;
+-        Class<?> [] paramClasses = pbeAlg.getParameterClasses();
++        Class<?> [] paramClasses = encAlg.getParameterClasses();
+         for (int i = 0; i < paramClasses.length; i ++) {
+             if ( paramClasses[i].equals(
+                       javax.crypto.spec.IvParameterSpec.class ) ) {
+-- 
+2.24.1
+
diff --git a/0003-Use-specified-algorithm-for-KeyWrap.patch b/0003-Use-specified-algorithm-for-KeyWrap.patch
new file mode 100644
index 0000000..d75534a
--- /dev/null
+++ b/0003-Use-specified-algorithm-for-KeyWrap.patch
@@ -0,0 +1,60 @@
+From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Fri, 28 Feb 2020 14:39:29 -0500
+Subject: [PATCH 8/8] Use specified algorithm for KeyWrap
+
+When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
+called, it would always request DES3_CBC_PAD as the key wrapping
+algorithm, regardless of the input PBE key type. However, the other form
+(with an implicit token) was correctly handling this case.
+
+Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
+instead of having to convert to/from a String form.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ org/mozilla/jss/crypto/KeyWrapAlgorithm.java                | 5 ++++-
+ org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
+index 3113f614..3a106977 100644
+--- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
++++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
+@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
+ 
+     public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
+         OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
++        return fromOID(oid);
++    }
+ 
++    public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
+         if (oid.equals(AES_KEY_WRAP_PAD_OID))
+             return AES_KEY_WRAP_PAD;
+ 
+@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
+         if (oid.equals(DES_CBC_PAD_OID))
+             return DES_CBC_PAD;
+ 
+-        throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
++        throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
+     }
+ }
+diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+index ebd269f3..abfc39a7 100644
+--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
++++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
+             }
+         }
+ 
+-        KeyWrapper wrapper = token.getKeyWrapper(
+-                KeyWrapAlgorithm.DES3_CBC_PAD);
++        // wrap the key
++        KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
+         wrapper.initWrap(key, params);
+         byte encrypted[] = wrapper.wrap(pri);
+ 
+-- 
+2.24.1
+
diff --git a/0008-Use-specified-algorithm-for-KeyWrap.patch b/0008-Use-specified-algorithm-for-KeyWrap.patch
new file mode 100644
index 0000000..d75534a
--- /dev/null
+++ b/0008-Use-specified-algorithm-for-KeyWrap.patch
@@ -0,0 +1,60 @@
+From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <ascheel@redhat.com>
+Date: Fri, 28 Feb 2020 14:39:29 -0500
+Subject: [PATCH 8/8] Use specified algorithm for KeyWrap
+
+When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
+called, it would always request DES3_CBC_PAD as the key wrapping
+algorithm, regardless of the input PBE key type. However, the other form
+(with an implicit token) was correctly handling this case.
+
+Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
+instead of having to convert to/from a String form.
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+---
+ org/mozilla/jss/crypto/KeyWrapAlgorithm.java                | 5 ++++-
+ org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
+index 3113f614..3a106977 100644
+--- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
++++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
+@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
+ 
+     public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
+         OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
++        return fromOID(oid);
++    }
+ 
++    public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
+         if (oid.equals(AES_KEY_WRAP_PAD_OID))
+             return AES_KEY_WRAP_PAD;
+ 
+@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
+         if (oid.equals(DES_CBC_PAD_OID))
+             return DES_CBC_PAD;
+ 
+-        throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
++        throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
+     }
+ }
+diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+index ebd269f3..abfc39a7 100644
+--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
++++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
+             }
+         }
+ 
+-        KeyWrapper wrapper = token.getKeyWrapper(
+-                KeyWrapAlgorithm.DES3_CBC_PAD);
++        // wrap the key
++        KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
+         wrapper.initWrap(key, params);
+         byte encrypted[] = wrapper.wrap(pri);
+ 
+-- 
+2.24.1
+
diff --git a/jss.spec b/jss.spec
index 536e1db..c58e687 100644
--- a/jss.spec
+++ b/jss.spec
@@ -6,8 +6,8 @@ Summary:        Java Security Services (JSS)
 URL:            http://www.dogtagpki.org/wiki/JSS
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 
-Version:        4.6.2
-Release:        3%{?_timestamp}%{?_commit_id}%{?dist}
+Version:        4.6.3
+Release:        1%{?_timestamp}%{?_commit_id}%{?dist}
 # global         _phase -a1
 
 # To generate the source tarball:
@@ -25,7 +25,9 @@ Source:         https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
 #     <version tag> \
 #     > jss-VERSION-RELEASE.patch
 # Patch: jss-VERSION-RELEASE.patch
-Patch: 0001-Fix-NativeProxy-reference-tracker.patch
+Patch0: 0001-Fix-base64-encoding-of-CSRs.patch
+Patch1: 0002-Fix-swapped-parameter-names-with-PBE.patch
+Patch2: 0003-Use-specified-algorithm-for-KeyWrap.patch
 
 ################################################################################
 # Build Dependencies
@@ -160,6 +162,12 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 
 ################################################################################
 %changelog
+* Wed Mar 4 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.6.3-1
+- Rebase to JSS 4.6.3
+- Fixes base64 encoding of CSRs
+- Fixes swapped parameter names in PBE
+- Use specified algorithms for KeyWrap in PBE
+
 * Tue Jan 28 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.6.2-3
 - Rebuild with new NSS to fix rhbz#1794814
 
diff --git a/sources b/sources
index 32f2840..c883e35 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (jss-4.6.2.tar.gz) = 53c12822b980f6dcaf5616366834fe4eaee07d84feae53096aa0ea142146e90d375910456d8192068cde5e63c3b60ded87862af50ea89c6b64224e8c105e00dd
+SHA512 (jss-4.6.3.tar.gz) = 6c45b67c40737ee7bbc9ad1db8a5ed233b050697f9c048e1a49cc541de889416afd36b2c9bcdc44a52d10b0c75f036e22155a5ee95869fdf31772683637a27b1