rpms/jss
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Rebase to JSS v4.6.3

Browse Source 
Also fixes three additional issues found since v4.6.3 rebase.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
This commit is contained in:
Alexander Scheel 2020-03-04 11:33:04 -05:00
parent 7e749ce678
commit 2bdd119997
No known key found for this signature in database
GPG Key ID: C0D6C737D0003143
8 changed files with 252 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -23,3 +23,4 @@ jss-4.2.6.tar.gz
/jss-4.5.3.tar.gz /jss-4.5.3.tar.gz
/jss-4.6.1.tar.gz /jss-4.6.1.tar.gz
/jss-4.6.2.tar.gz /jss-4.6.2.tar.gz
/jss-4.6.3.tar.gz

53
0001-Fix-NativeProxy-reference-tracker.patch
View File

@ -1,53 +0,0 @@
From 91514ca0a2979ba778d27220ced0cd312e2cd2d2 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 29 Oct 2019 10:43:56 -0400
Subject: [PATCH] Fix NativeProxy reference tracker
In eb5df01003d74b57473eacb84e538d31f5bb06ca, I introduced a bug by
setting mPointer after trying to add NativeProxy to the registry. In
most instances this won't matter, however, if another instance exists in
the HashSet with the same hash value, the equals comparator will be
used, triggering a NPE.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/util/NativeProxy.java | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
index 1c6d1aa5..a0811f76 100644
--- a/org/mozilla/jss/util/NativeProxy.java
+++ b/org/mozilla/jss/util/NativeProxy.java
@@ -40,8 +40,8 @@ public abstract class NativeProxy implements AutoCloseable
*/
public NativeProxy(byte[] pointer) {
assert(pointer!=null);
- registry.add(this);
mPointer = pointer;
+ registry.add(this);
if (saveStacktraces) {
mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
@@ -61,15 +61,12 @@ public abstract class NativeProxy implements AutoCloseable
if( ! (obj instanceof NativeProxy) ) {
return false;
}
- if( ((NativeProxy)obj).mPointer.length != mPointer.length) {
+ if (((NativeProxy)obj).mPointer == null) {
+ /* If mPointer is null, we have no way to compare the values
+ * of the pointers, so assume they're unequal. */
return false;
}
- for(int i=0; i < mPointer.length; i++) {
- if(mPointer[i] != ((NativeProxy)obj).mPointer[i]) {
- return false;
- }
- }
- return true;
+ return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
}
/**
--
2.21.0

39
0001-Fix-base64-encoding-of-CSRs.patch Normal file
View File

@ -0,0 +1,39 @@
From 18efce236af6a1affebb274838318ba715114218 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 25 Feb 2020 09:14:47 -0500
Subject: [PATCH 3/8] Fix base64-encoding of CSRs
In 8de4440c5652f6f1af5b4b923a15730ba84f29e1, the base64 encoder was
changed from apache-commons-codec to the Java standard library to drop
a dependency. However, the behavior changed as a result: the Java
standard library doesn't include a final line separator, whereas
apache-commons-codec did. This results in malformed CSRs:
> YWRPxyBKvFAOB29fwPwBJLZksrwQ0xAs7sooc+qF-----END NEW CERTIFICATE REQUEST-----
Resolves: https://pagure.io/freeipa/issue/8199
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/netscape/security/util/Utils.java | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/org/mozilla/jss/netscape/security/util/Utils.java b/org/mozilla/jss/netscape/security/util/Utils.java
index 19f3b1f9..e6e56ce4 100644
--- a/org/mozilla/jss/netscape/security/util/Utils.java
+++ b/org/mozilla/jss/netscape/security/util/Utils.java
@@ -378,7 +378,10 @@ public class Utils {
* @return base-64 encoded data
*/
public static String base64encodeMultiLine(byte[] bytes) {
- return Base64.getMimeEncoder().encodeToString(bytes);
+ // When switching from apache-commons-codec to the standard library,
+ // the standard library does not include a final line separator at
+ // the end of the encoded data. This results in malformed CSRs.
+ return Base64.getMimeEncoder().encodeToString(bytes) + "\r\n";
}
--
2.24.1

80
0002-Fix-swapped-parameter-names-with-PBE.patch Normal file
View File

@ -0,0 +1,80 @@
From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Feb 2020 14:10:32 -0500
Subject: [PATCH 7/8] Fix swapped parameter names with PBE
Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression
related to extracting the parameter classes during PBE operations:
previously, the classes of the underlying encryption algorithm were
iterated over, instead of the classes of the PBE class itself. However,
this commit iterated over the PBE parameter classes; no PBE algorithm
accepts a IvParameterSpec, resulting in a null parameter passed to the
later encryption or key wrap operation. This resulted in stack traces
like the following:
Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter
at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225)
at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89)
at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57)
at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342)
Resolves: rh-bz#1807371
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/pkcs7/EncryptedContentInfo.java | 2 +-
org/mozilla/jss/pkix/cms/EncryptedContentInfo.java | 2 +-
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
index 084752c3..0344b14d 100644
--- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
+++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals(
javax.crypto.spec.IvParameterSpec.class ) ) {
diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
index a4709070..d85eb0d3 100644
--- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
+++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals( IVParameterSpec.class ) ) {
params = new IVParameterSpec( kg.generatePBE_IV() );
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
index b35714e3..ebd269f3 100644
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) {
params = new IVParameterSpec( kg.generatePBE_IV() );
@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals(
javax.crypto.spec.IvParameterSpec.class ) ) {
--
2.24.1

60
0003-Use-specified-algorithm-for-KeyWrap.patch Normal file
View File

@ -0,0 +1,60 @@
From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Feb 2020 14:39:29 -0500
Subject: [PATCH 8/8] Use specified algorithm for KeyWrap
When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
called, it would always request DES3_CBC_PAD as the key wrapping
algorithm, regardless of the input PBE key type. However, the other form
(with an implicit token) was correctly handling this case.
Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
instead of having to convert to/from a String form.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/crypto/KeyWrapAlgorithm.java | 5 ++++-
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
index 3113f614..3a106977 100644
--- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
+++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
+ return fromOID(oid);
+ }
+ public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
if (oid.equals(AES_KEY_WRAP_PAD_OID))
return AES_KEY_WRAP_PAD;
@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
if (oid.equals(DES_CBC_PAD_OID))
return DES_CBC_PAD;
- throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
+ throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
}
}
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
index ebd269f3..abfc39a7 100644
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
}
}
- KeyWrapper wrapper = token.getKeyWrapper(
- KeyWrapAlgorithm.DES3_CBC_PAD);
+ // wrap the key
+ KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
wrapper.initWrap(key, params);
byte encrypted[] = wrapper.wrap(pri);
--
2.24.1

60
0008-Use-specified-algorithm-for-KeyWrap.patch Normal file
View File

@ -0,0 +1,60 @@
From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Feb 2020 14:39:29 -0500
Subject: [PATCH 8/8] Use specified algorithm for KeyWrap
When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
called, it would always request DES3_CBC_PAD as the key wrapping
algorithm, regardless of the input PBE key type. However, the other form
(with an implicit token) was correctly handling this case.
Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
instead of having to convert to/from a String form.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/crypto/KeyWrapAlgorithm.java | 5 ++++-
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
index 3113f614..3a106977 100644
--- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
+++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
+ return fromOID(oid);
+ }
+ public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
if (oid.equals(AES_KEY_WRAP_PAD_OID))
return AES_KEY_WRAP_PAD;
@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
if (oid.equals(DES_CBC_PAD_OID))
return DES_CBC_PAD;
- throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
+ throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
}
}
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
index ebd269f3..abfc39a7 100644
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
}
}
- KeyWrapper wrapper = token.getKeyWrapper(
- KeyWrapAlgorithm.DES3_CBC_PAD);
+ // wrap the key
+ KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
wrapper.initWrap(key, params);
byte encrypted[] = wrapper.wrap(pri);
--
2.24.1

14
jss.spec
View File

@ -6,8 +6,8 @@ Summary: Java Security Services (JSS)
URL: http://www.dogtagpki.org/wiki/JSS URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
Version: 4.6.2 Version: 4.6.3
Release: 3%{?_timestamp}%{?_commit_id}%{?dist} Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
# global _phase -a1 # global _phase -a1
# To generate the source tarball: # To generate the source tarball:
@ -25,7 +25,9 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
# <version tag> \ # <version tag> \
# > jss-VERSION-RELEASE.patch # > jss-VERSION-RELEASE.patch
# Patch: jss-VERSION-RELEASE.patch # Patch: jss-VERSION-RELEASE.patch
Patch: 0001-Fix-NativeProxy-reference-tracker.patch Patch0: 0001-Fix-base64-encoding-of-CSRs.patch
Patch1: 0002-Fix-swapped-parameter-names-with-PBE.patch
Patch2: 0003-Use-specified-algorithm-for-KeyWrap.patch
################################################################################ ################################################################################
# Build Dependencies # Build Dependencies
@ -160,6 +162,12 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
################################################################################ ################################################################################
%changelog %changelog
* Wed Mar 4 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.6.3-1
- Rebase to JSS 4.6.3
- Fixes base64 encoding of CSRs
- Fixes swapped parameter names in PBE
- Use specified algorithms for KeyWrap in PBE
* Tue Jan 28 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.6.2-3 * Tue Jan 28 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.6.2-3
- Rebuild with new NSS to fix rhbz#1794814 - Rebuild with new NSS to fix rhbz#1794814

2
sources
View File

@ -1 +1 @@
SHA512 (jss-4.6.2.tar.gz) = 53c12822b980f6dcaf5616366834fe4eaee07d84feae53096aa0ea142146e90d375910456d8192068cde5e63c3b60ded87862af50ea89c6b64224e8c105e00dd SHA512 (jss-4.6.3.tar.gz) = 6c45b67c40737ee7bbc9ad1db8a5ed233b050697f9c048e1a49cc541de889416afd36b2c9bcdc44a52d10b0c75f036e22155a5ee95869fdf31772683637a27b1