rpms/jss
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: rhbz #1431937

Browse Source 
- Bugzilla Bug #1431937 - Rebase jss to 4.4.0 in Fedora 25+
- ## JSS 4.4.0 includes the following patches ported from downstream:
- Mozilla Bugzilla #507536 - Add IPv6 functionality to JSS
- Mozilla Bugzilla #1307872 - Expose NSS calls for OCSP settings
- Mozilla Bugzilla #1307882 - RFE ecc - add ecc curve name support in JSS an
  CS interface
- Mozilla Bugzilla #1307993 - Expose updated certificate verification functi
  in JSS
- Mozilla Bugzilla #1308000 - Incorrect socket accept error message due to b
  pointer arithmetic
- Mozilla Bugzilla #1308001 - Verification should fail when a revoked
  certificate is added
- Mozilla Bugzilla #1308004 - Warnings should be cleaned up in JSS build
- Mozilla Bugzilla #1308006 - DRM failed to recovery keys when in FIPS mode
  (HSM + NSS)
- Mozilla Bugzilla #1308008 - Defects revealed by Coverity scan
- Mozilla Bugzilla #1308009 - Add support for PKCS5v2; support for secure PK
- Mozilla Bugzilla #1308012 - DRM: during archiving and recovering, wrapping
  unwrapping keys should be done in the token
- Mozilla Bugzilla #1308013 - JSS - HSM token name was mistaken for
  manufacturer identifier
- Mozilla Bugzilla #1308017 - Un-deprecate previously deprecated methods in
  JSS 4.2.6
- Mozilla Bugzilla #1308019 - Provide Tomcat support for TLS v1.1 and
  TLS v1.2 via NSS through JSS
- Mozilla Bugzilla #1308026 - JSS certificate validation does not pass up ex
  error from NSS
- Mozilla Bugzilla #1308027 - Merge pki-symkey into jss
- Mozilla Bugzilla #1308029 - Resolve Javadoc build issues
- Mozilla Bugzilla #1308047 - support ECC encryption key archival and recove
- Mozilla Bugzilla #1313122 - Remove bypass tests as latest NSS has removed
  PKCS#11 bypass support
- Mozilla Bugzilla #1328675 - Simple problem unwrapping AES sym keys on toke
- Mozilla Bugzilla #1345174 - Cannot create system certs when using LunaSA H
  in FIPS Mode and ECC algorithms
- Mozilla Bugzilla #1345613 - expose AES KeyWrap and add some useful OID
  functions
- Mozilla Bugzilla #1346410 - Load JSS libraries appropriately
- ## JSS 4.4.0 includes the following changes for building and testing:
- Mozilla Bugzilla #1331765 - Simplify JSS Makefile build and test
- Mozilla Bugzilla #1346420 - Document steps required to use the proper
  libjss4.so when running certain HMAC Algorithms tests
This commit is contained in:
Matthew Harmsen 2017-03-14 00:32:36 -06:00
parent 4404ece120
commit 35b26e7d85
36 changed files with 16 additions and 8076 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,2 +1,3 @@
jss-4.2.6.tar.gz
/jss-4.2.6.tar.gz
/jss-4.4.0.tar.gz

62
jss-ECC-HSM-FIPS.patch
View File

@ -1,62 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig 2011-05-18 10:01:36.792151000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-05-18 10:06:07.483691000 -0700
@@ -110,6 +110,7 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
/* 47 */ {SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE, SEC_OID_TAG},
/* 48 */ {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG},
/* 49 */ {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG},
+/* 50 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
/* REMEMBER TO UPDATE NUM_ALGS!!! */
};
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig 2011-05-18 10:01:43.561164000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2011-05-18 10:06:07.489690000 -0700
@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
JSS_AlgType type;
} JSS_AlgInfo;
-#define NUM_ALGS 50
+#define NUM_ALGS 51
extern JSS_AlgInfo JSS_AlgTable[];
extern CK_ULONG JSS_symkeyUsage[];
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig 2011-05-18 10:01:51.232179000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2011-05-18 10:06:07.493690000 -0700
@@ -232,5 +232,6 @@ public class Algorithm {
protected static final short SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47;
protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
+ protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50;
}
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig 2011-05-18 10:02:01.056198000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java 2011-05-18 13:46:33.452948000 -0700
@@ -94,7 +94,12 @@ public class KeyPairAlgorithm extends Al
DSAFamily = new Algorithm(SEC_OID_ANSIX9_DSA_SIGNATURE, "DSA");
public static final Algorithm
- ECFamily = new Algorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY, "EC");
+
+// To support both ECDSA and ECDH, it is best to provide two EC Families;
+// However, since there is no token that does only CKM_DERIVE to
+// date, we will just do ECDSA for now as it is sufficient enough today.
+// This fix will support tokens that do not do ECDH
+ ECFamily = new Algorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, "EC");
public static final KeyPairAlgorithm
RSA = new KeyPairAlgorithm(CKM_RSA_PKCS_KEY_PAIR_GEN, "RSA", RSAFamily);
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig 2011-05-18 10:02:10.696218000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java 2011-05-18 10:06:07.496691000 -0700
@@ -124,7 +124,7 @@ public class SignatureAlgorithm extends
* operates on its input, which should be a hash.
*/
public static final SignatureAlgorithm
- ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY,
+ ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST,
"EC",
null, null, ANSI_X962_OID.subBranch(2).subBranch(1) );

451
jss-ECC-Phase2KeyArchivalRecovery.patch
View File

@ -1,451 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig jss-4.2.6/mozilla/security/jss/build_java.pl
--- jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig 2012-03-19 17:48:57.615048000 -0700
+++ jss-4.2.6/mozilla/security/jss/build_java.pl 2012-03-19 17:48:53.250052000 -0700
@@ -19,6 +19,7 @@ org.mozilla.jss.crypto.Algorithm
org.mozilla.jss.crypto.EncryptionAlgorithm
org.mozilla.jss.crypto.PQGParams
org.mozilla.jss.crypto.SecretDecoderRing
+org.mozilla.jss.asn1.ASN1Util
org.mozilla.jss.pkcs11.CertProxy
org.mozilla.jss.pkcs11.CipherContextProxy
org.mozilla.jss.pkcs11.PK11Module
diff -up jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/config.mk
--- jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig 2012-03-19 17:48:57.535048000 -0700
+++ jss-4.2.6/mozilla/security/jss/lib/config.mk 2012-03-19 17:48:53.264052000 -0700
@@ -44,6 +44,7 @@ SHARED_LIBRARY_DIRS = \
../org/mozilla/jss/SecretDecoderRing \
../org/mozilla/jss \
../org/mozilla/jss/pkcs11 \
+ ../org/mozilla/jss/asn1 \
../org/mozilla/jss/ssl \
../org/mozilla/jss/util \
../org/mozilla/jss/provider/java/security \
diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig jss-4.2.6/mozilla/security/jss/lib/jss.def
--- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig 2012-03-19 17:48:57.362048000 -0700
+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2012-03-19 17:48:53.278052000 -0700
@@ -333,6 +333,7 @@ Java_org_mozilla_jss_CryptoManager_OCSPC
Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
+Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid;
;+ local:
;+ *;
;+};
diff -up jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/rules.mk
--- jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig 2012-03-19 17:48:57.574049000 -0700
+++ jss-4.2.6/mozilla/security/jss/lib/rules.mk 2012-03-19 17:48:53.288052000 -0700
@@ -41,6 +41,7 @@ release_sanitize::
-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsscrypto$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssmanage$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspkcs11$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssasn1$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspolicy$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssssl$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssutil$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
@@ -48,6 +49,7 @@ ifeq ($(OS_ARCH),WINNT)
-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsscrypto$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssmanage$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspkcs11$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssasn1$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspolicy$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssssl$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssutil$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig 2012-03-19 17:48:57.381048000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c 2012-03-19 17:51:32.433893000 -0700
@@ -0,0 +1,97 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape Security Services for Java.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#include "_jni/org_mozilla_jss_asn1_ASN1Util.h"
+#include <pk11func.h>
+#include <nspr.h>
+#include <seccomon.h>
+#include <key.h>
+#include <secitem.h>
+
+#include <jssutil.h>
+#include <java_ids.h>
+#include <jss_exceptions.h>
+#include <Algorithm.h>
+
+/***********************************************************************
+ *
+ * Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid
+ * retrieves OID description by NSS's OID Tag identifier
+ * the OID byte array is expected to be without the OID Tag (6) and size
+ * (together 2 bytes)
+ */
+JNIEXPORT jstring JNICALL
+Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid(JNIEnv *env, jobject this, jbyteArray oidBA)
+{
+ SECItem *oid = NULL;
+ SECOidTag oidTag = SEC_OID_UNKNOWN;
+ char *oidDesc = NULL;
+ jstring description= "";
+
+ if (oidBA == NULL) {
+ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
+ "JSS getTagDescriptionByOid: oidBA null");
+ goto finish;
+ } else {
+ /**************************************************
+ * Setup the parameters
+ *************************************************/
+ oid = JSS_ByteArrayToSECItem(env, oidBA);
+ if (oid == NULL) {
+ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
+ "JSS getTagDescriptionByOid: JSS_ByteArrayToSECItem failed");
+ goto finish;
+ }
+
+ /*
+ * SECOID_FindOIDTag() returns SEC_OID_UNKNOWN if no match
+ */
+ oidTag = SECOID_FindOIDTag(oid);
+ if (oidTag == SEC_OID_UNKNOWN) {
+ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
+ "JSS getTagDescriptionByOid: OID UNKNOWN");
+ goto finish;
+ }
+
+ oidDesc = SECOID_FindOIDTagDescription(oidTag);
+ if (oidDesc == NULL) {
+ oidDesc = "";
+ }
+ description = (*env)->NewStringUTF(env, oidDesc);
+ }
+
+finish:
+ return description;
+}
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig 2012-03-19 17:48:57.119048000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java 2012-03-19 18:03:20.766186000 -0700
@@ -36,6 +36,8 @@
package org.mozilla.jss.asn1;
import java.io.*;
+import java.util.Arrays;
+
import org.mozilla.jss.asn1.InvalidBERException;
import org.mozilla.jss.util.Assert;
@@ -114,4 +116,71 @@ public class ASN1Util {
numRead += nr;
}
}
+
+ /**
+ * returns the ECC curve byte array given the X509 public key byte array
+ *
+ * @param X509PubKeyBytes byte array of an X509PubKey
+ * @param withHeader tells if the return byes should inclulde the tag and size header or not
+ */
+ public static byte[] getECCurveBytesByX509PublicKeyBytes(byte[] X509PubKeyBytes,
+ boolean withHeader)
+ throws IllegalArgumentException, ArrayIndexOutOfBoundsException,
+ NullPointerException
+ {
+ if ((X509PubKeyBytes == null) || (X509PubKeyBytes.length == 0)) {
+ throw new IllegalArgumentException("X509PubKeyBytes null");
+ }
+
+ /* EC public key OID complete with tag and size */
+ byte[] EC_PubOIDBytes_full =
+ ASN1Util.encode(OBJECT_IDENTIFIER.EC_PUBKEY_OID);
+
+ /* EC public key OID without tag and size */
+ byte[] EC_PubOIDBytes =
+ Arrays.copyOfRange(EC_PubOIDBytes_full, 2, EC_PubOIDBytes_full.length);
+
+ int curveBeginIndex = 0;
+ for (int idx = 0; idx<= X509PubKeyBytes.length; idx++) {
+ byte[] tmp =
+ Arrays.copyOfRange(X509PubKeyBytes, idx, idx+EC_PubOIDBytes.length);
+ if (Arrays.equals(tmp, EC_PubOIDBytes)) {
+ curveBeginIndex = idx+ EC_PubOIDBytes.length;
+ break;
+ }
+ }
+
+ int curveByteArraySize = (int) X509PubKeyBytes[curveBeginIndex+ 1];
+
+ if (withHeader) {
+ /* actual curve with tag and size */
+ byte curve[] = Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex, curveBeginIndex + curveByteArraySize + 2);
+ return curve;
+ } else {
+ /* actual curve without tag and size */
+ byte curve[] =
+ Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex + 2,
+ curveBeginIndex + 2 + curveByteArraySize);
+ return curve;
+ }
+ }
+
+ /**
+ * getOIDdescription() returns a text description of the OID
+ * from OID byte array
+ * the OID byte array is expected to be without the OID Tag (6) and size
+ * (together 2 bytes)
+ */
+ public static String
+ getOIDdescription(byte[] oidBA) {
+ return getTagDescriptionByOid(oidBA);
+ }
+
+ /**
+ * get OID description JNI method
+ */
+ private native static String
+ getTagDescriptionByOid(byte[] oidBA);
+
+
}
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig 2012-03-19 17:48:57.467048000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile 2012-03-19 17:48:53.348052000 -0700
@@ -57,7 +57,7 @@ include $(CORE_DEPTH)/$(MODULE)/config/c
#######################################################################
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
-#include config.mk
+include config.mk
#######################################################################
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig 2012-03-19 17:48:57.178048000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java 2012-03-19 17:48:53.364052000 -0700
@@ -52,6 +52,12 @@ public class OBJECT_IDENTIFIER implement
///////////////////////////////////////////////////////////////////////
/**
+ * The OID space for EC
+ */
+ public static final OBJECT_IDENTIFIER EC_PUBKEY_OID =
+ new OBJECT_IDENTIFIER( new long[]{1, 2, 840, 10045, 2, 1} );
+
+ /**
* The OID space for RSA Data Security, Inc.
*/
public static final OBJECT_IDENTIFIER RSADSI =
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig 2012-03-19 17:48:57.398048000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk 2012-03-19 17:48:53.381052000 -0700
@@ -0,0 +1,41 @@
+#
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape Security Services for Java.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1998-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+TARGETS=$(LIBRARY)
+SHARED_LIBRARY=
+IMPORT_LIBRARY=
+
+NO_MD_RELEASE = 1
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig 2012-03-19 17:48:57.434048000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn 2012-03-19 17:48:53.401052000 -0700
@@ -41,6 +41,8 @@ MODULE = jss
NS_USE_JDK = 1
+REQUIRES = nspr20 nss
+
PACKAGE = org/mozilla/jss/asn1
CLASSES = \
@@ -112,3 +114,9 @@ JSRCS = \
UTCTime.java \
UTF8String.java \
$(NULL)
+
+CSRCS = \
+ ASN1Util.c \
+ $(NULL)
+
+LIBRARY_NAME = jssasn1
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig 2012-03-19 17:48:57.502048000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn 2012-03-19 17:48:53.413052000 -0700
@@ -48,6 +48,7 @@ DIRS = \
crypto \
SecretDecoderRing \
pkcs11 \
+ asn1 \
ssl \
provider \
$(NULL)
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig 2012-03-19 17:48:57.238048000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java 2012-03-19 17:48:53.432052000 -0700
@@ -61,15 +61,29 @@ public final class PK11ECPublicKey exten
// }
// }
//
-// public BigInteger getW() {
-// try {
-// return new BigInteger( getWByteArray() );
-// } catch(NumberFormatException e) {
-// Assert.notReached("Unable to decode DSA public value");
-// return null;
-// }
-// }
-//
-// private native byte[] getCurveByteArray();
-// private native byte[] getWByteArray();
+
+ public BigInteger getCurve() {
+ try {
+ return new BigInteger( getCurveByteArray() );
+ } catch(NumberFormatException e) {
+ Assert.notReached("Unable to decode EC curve");
+ return null;
+ }
+ }
+
+ public byte[] getCurveBA() {
+ return getCurveByteArray();
+ }
+
+ public BigInteger getW() {
+ try {
+ return new BigInteger( getWByteArray() );
+ } catch(NumberFormatException e) {
+ Assert.notReached("Unable to decode EC public value");
+ return null;
+ }
+ }
+
+ private native byte[] getCurveByteArray();
+ private native byte[] getWByteArray();
}
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig 2012-03-19 17:48:57.272048000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2012-03-19 17:48:53.450052000 -0700
@@ -450,6 +450,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
numAttribs = 4;
}
break;
+ case CKK_EC:
+ numAttribs = 1;
+ attribs[0] = CKA_SIGN;
+ if (isExtractable) {
+ attribs[1] = CKA_EXTRACTABLE;
+ numAttribs = 2;
+ }
+ break;
case CKK_DSA:
attribs[0] = CKA_SIGN;
numAttribs = 1;
@@ -460,11 +468,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
attribs[0] = CKA_DERIVE;
numAttribs = 1;
break;
- case CKK_EC:
- attribs[0] = CKA_SIGN;
- attribs[1] = CKA_DERIVE;
- numAttribs = 2;
- break;
default:
/* unknown key type */
PR_ASSERT(PR_FALSE);
@@ -479,7 +482,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
attribs, numAttribs, NULL /*wincx*/);
if( privk == NULL ) {
char err[256] = {0};
- PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError());
+ PR_snprintf(err, 256, "Key Unwrap failed on token:error=%d, keyType=%d", PR_GetError(), keyType);
JSS_throwMsg(env, TOKEN_EXCEPTION, err);
goto finish;
}
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig 2012-03-19 17:48:57.298048000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2012-03-19 17:48:53.471052000 -0700
@@ -459,13 +459,19 @@ final class PK11KeyWrapper implements Ke
if( type == PrivateKey.RSA ) {
if( !(publicKey instanceof RSAPublicKey)) {
throw new InvalidKeyException("Type of public key does not "+
- "match type of private key");
+ "match type of private key which is RSA");
}
return ((RSAPublicKey)publicKey).getModulus().toByteArray();
+ } else if(type == PrivateKey.EC) {
+ if( !(publicKey instanceof PK11ECPublicKey) ) {
+ throw new InvalidKeyException("Type of public key does not "+
+ "match type of private key which is EC");
+ }
+ return ((PK11ECPublicKey)publicKey).getW().toByteArray();
} else if(type == PrivateKey.DSA) {
if( !(publicKey instanceof DSAPublicKey) ) {
throw new InvalidKeyException("Type of public key does not "+
- "match type of private key");
+ "match type of private key which is DSA");
}
return ((DSAPublicKey)publicKey).getY().toByteArray();
} else {

29
jss-ECC-pop.patch
View File

@ -1,29 +0,0 @@
diff -rupN jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java jss-4.2.6.cfu/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java 2004-04-25 08:02:26.000000000 -0700
+++ jss-4.2.6.cfu/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java 2009-07-27 13:38:38.197422000 -0700
@@ -130,6 +130,16 @@ public class CertReqMsg implements ASN1V
///////////////////////////////////////////////////////////////////////
public void verify() throws SignatureException,
+ InvalidKeyFormatException, NoSuchAlgorithmException,
+ org.mozilla.jss.CryptoManager.NotInitializedException,
+ TokenException, java.security.InvalidKeyException, IOException{
+
+ CryptoToken token = CryptoManager.getInstance()
+ .getInternalCryptoToken();
+ verify(token);
+ }
+
+ public void verify(CryptoToken token) throws SignatureException,
InvalidKeyFormatException, NoSuchAlgorithmException,
org.mozilla.jss.CryptoManager.NotInitializedException,
TokenException, java.security.InvalidKeyException, IOException{
@@ -149,8 +159,6 @@ public class CertReqMsg implements ASN1V
pubkey = (PublicKey) spi.toPublicKey();
}
- CryptoToken token = CryptoManager.getInstance()
- .getInternalCryptoToken();
SignatureAlgorithm sigAlg =
SignatureAlgorithm.fromOID(alg.getOID());
Signature sig = token.getSignatureContext(sigAlg);

490
jss-ECC_keygen_byCurveName.patch
View File

@ -1,490 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java.fix 2010-10-20 09:54:35.189680000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2010-10-20 10:54:53.154835000 -0700
@@ -196,7 +196,10 @@ public class KeyPairGenerator {
engine.setKeyPairUsages(usages,usages_mask);
}
-
+ public int getCurveCodeByName(String curveName)
+ throws InvalidParameterException {
+ return engine.getCurveCodeByName(curveName);
+ }
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java.fix 2010-10-20 09:54:52.393628000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2010-10-20 10:55:39.441698000 -0700
@@ -94,4 +94,6 @@ public abstract class KeyPairGeneratorSp
public abstract void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages,
KeyPairGeneratorSpi.Usage[] usages_mask);
+
+ public abstract int getCurveCodeByName(String curveName) throws InvalidParameterException;
}
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java.fix 2010-10-15 10:30:57.832196000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2010-10-20 11:09:30.523208000 -0700
@@ -44,6 +44,7 @@ import java.security.*;
import java.security.SecureRandom;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.DSAParameterSpec;
+import java.util.Hashtable;
/**
@@ -55,6 +56,246 @@ public final class PK11KeyPairGenerator
extends org.mozilla.jss.crypto.KeyPairGeneratorSpi
{
+ // curve code for getting the actual EC curve
+ private enum ECCurve_Code {
+ // NIST, SEC2 Prime curves
+ secp521r1 , // == nistp521
+ nistp521 ,
+ secp384r1 , // == nistp384
+ nistp384 ,
+ secp256r1 , // == nistp256
+ nistp256 ,
+ secp256k1 ,
+ secp224r1 , // == nistp224
+ nistp224 ,
+ secp224k1 ,
+ secp192r1 , // == nistp192
+ nistp192 ,
+ secp192k1 ,
+ secp160r2 ,
+ secp160r1 ,
+ secp160k1 ,
+ secp128r2 ,
+ secp128r1 ,
+ secp112r2 ,
+ secp112r1 ,
+ // NIST, SEC2 Binary curves
+ sect571r1 , // == nistb571
+ nistb571 ,
+ sect571k1 , // == nistk571
+ nistk571 ,
+ sect409r1 , // == nistb409
+ nistb409 ,
+ sect409k1 , // == nistk409
+ nistk409 ,
+ sect283r1 , // == nistb283
+ nistb283 ,
+ sect283k1 , // == nistk283
+ nistk283 ,
+ sect239k1 ,
+ sect233r1 , // == nistb233
+ nistb233 ,
+ sect233k1 , // == nistk233
+ nistk233 ,
+ sect193r2 ,
+ sect193r1 ,
+ nistb163 ,
+ sect163r2 , // == nistb163
+ sect163r1 ,
+ sect163k1 , // == nistk163
+ nistk163 ,
+ sect131r2 ,
+ sect131r1 ,
+ sect113r2 ,
+ sect113r1 ,
+ // ANSI X9.62 Prime curves
+ prime239v3 ,
+ prime239v2 ,
+ prime239v1 ,
+ prime192v3 ,
+ prime192v2 ,
+ prime192v1 , // == nistp192
+ // prime256v1 == nistp256
+ // ANSI X9.62 Binary curves
+ c2pnb163v1 ,
+ c2pnb163v2 ,
+ c2pnb163v3 ,
+ c2pnb176v1 ,
+ c2tnb191v1 ,
+ c2tnb191v2 ,
+ c2tnb191v3 ,
+ //c2onb191v4 ,
+ //c2onb191v5 ,
+ c2pnb208w1 ,
+ c2tnb239v1 ,
+ c2tnb239v2 ,
+ c2tnb239v3 ,
+ //c2onb239v4 ,
+ //c2onb239v5 ,
+ c2pnb272w1 ,
+ c2pnb304w1 ,
+ c2tnb359v1 ,
+ c2pnb368w1 ,
+ c2tnb431r1
+ // no WTLS curves fo now
+ };
+
+ private static Hashtable ECCurve_NameToCode = new Hashtable();
+ static {
+ // NIST, SEC2 Prime curves
+ ECCurve_NameToCode.put(
+ "secp521r1", ECCurve_Code.secp521r1);
+ ECCurve_NameToCode.put(
+ "nistp521", ECCurve_Code.nistp521);
+ ECCurve_NameToCode.put(
+ "secp384r1", ECCurve_Code.secp384r1);
+ ECCurve_NameToCode.put(
+ "nistp384", ECCurve_Code.nistp384);
+ ECCurve_NameToCode.put(
+ "secp256r1", ECCurve_Code.secp256r1);
+ ECCurve_NameToCode.put(
+ "nistp256", ECCurve_Code.nistp256);
+ ECCurve_NameToCode.put(
+ "secp256k1", ECCurve_Code.secp256k1);
+ ECCurve_NameToCode.put(
+ "secp224r1", ECCurve_Code.secp224r1);
+ ECCurve_NameToCode.put(
+ "nistp224", ECCurve_Code.nistp224);
+ ECCurve_NameToCode.put(
+ "secp224k1", ECCurve_Code.secp224k1);
+ ECCurve_NameToCode.put(
+ "secp192r1", ECCurve_Code.secp192r1);
+ ECCurve_NameToCode.put(
+ "nistp192", ECCurve_Code.nistp192);
+ ECCurve_NameToCode.put(
+ "secp192k1", ECCurve_Code.secp192k1);
+ ECCurve_NameToCode.put(
+ "secp160r2", ECCurve_Code.secp160r2);
+ ECCurve_NameToCode.put(
+ "secp160r1", ECCurve_Code.secp160r1);
+ ECCurve_NameToCode.put(
+ "secp160k1", ECCurve_Code.secp160k1);
+ ECCurve_NameToCode.put(
+ "secp128r2", ECCurve_Code.secp128r2);
+ ECCurve_NameToCode.put(
+ "secp128r1", ECCurve_Code.secp128r1);
+ ECCurve_NameToCode.put(
+ "secp112r2", ECCurve_Code.secp112r2);
+ ECCurve_NameToCode.put(
+ "secp112r1", ECCurve_Code.secp112r1);
+ // NIST, SEC2 Binary curves
+ ECCurve_NameToCode.put(
+ "sect571r1", ECCurve_Code.sect571r1);
+ ECCurve_NameToCode.put(
+ "nistb571", ECCurve_Code.nistb571);
+ ECCurve_NameToCode.put(
+ "sect571k1", ECCurve_Code.sect571k1);
+ ECCurve_NameToCode.put(
+ "nistk571", ECCurve_Code.nistk571);
+ ECCurve_NameToCode.put(
+ "sect409r1", ECCurve_Code.sect409r1);
+ ECCurve_NameToCode.put(
+ "nistb409", ECCurve_Code.nistb409);
+ ECCurve_NameToCode.put(
+ "sect409k1", ECCurve_Code.sect409k1);
+ ECCurve_NameToCode.put(
+ "nistk409", ECCurve_Code.nistk409);
+ ECCurve_NameToCode.put(
+ "sect283r1", ECCurve_Code.sect283r1);
+ ECCurve_NameToCode.put(
+ "nistb283", ECCurve_Code.nistb283);
+ ECCurve_NameToCode.put(
+ "sect283k1", ECCurve_Code.sect283k1);
+ ECCurve_NameToCode.put(
+ "nistk283", ECCurve_Code.nistk283);
+ ECCurve_NameToCode.put(
+ "sect239k1", ECCurve_Code.sect239k1);
+ ECCurve_NameToCode.put(
+ "sect233r1", ECCurve_Code.sect233r1);
+ ECCurve_NameToCode.put(
+ "nistb233", ECCurve_Code.nistb233);
+ ECCurve_NameToCode.put(
+ "sect233k1", ECCurve_Code.sect233k1);
+ ECCurve_NameToCode.put(
+ "nistk233", ECCurve_Code.nistk233);
+ ECCurve_NameToCode.put(
+ "sect193r2", ECCurve_Code.sect193r2);
+ ECCurve_NameToCode.put(
+ "sect193r1", ECCurve_Code.sect193r1);
+ ECCurve_NameToCode.put(
+ "nistb163", ECCurve_Code.nistb163);
+ ECCurve_NameToCode.put(
+ "sect163r2", ECCurve_Code.sect163r2);
+ ECCurve_NameToCode.put(
+ "sect163r1", ECCurve_Code.sect163r1);
+ ECCurve_NameToCode.put(
+ "sect163k1", ECCurve_Code.sect163k1);
+ ECCurve_NameToCode.put(
+ "nistk163", ECCurve_Code.nistk163);
+ ECCurve_NameToCode.put(
+ "sect131r2", ECCurve_Code.sect131r2);
+ ECCurve_NameToCode.put(
+ "sect131r1", ECCurve_Code.sect131r1);
+ ECCurve_NameToCode.put(
+ "sect113r2", ECCurve_Code.sect113r2);
+ ECCurve_NameToCode.put(
+ "sect113r1", ECCurve_Code.sect113r1);
+ // ANSI Prime curves
+ ECCurve_NameToCode.put(
+ "prime239v3", ECCurve_Code.prime239v3);
+ ECCurve_NameToCode.put(
+ "prime239v2", ECCurve_Code.prime239v2);
+ ECCurve_NameToCode.put(
+ "prime239v1", ECCurve_Code.prime239v1);
+ ECCurve_NameToCode.put(
+ "prime192v3", ECCurve_Code.prime192v3);
+ ECCurve_NameToCode.put(
+ "prime192v2", ECCurve_Code.prime192v2);
+ ECCurve_NameToCode.put(
+ "prime192v1", ECCurve_Code.prime192v1);
+ // ANSI Binary curves
+ ECCurve_NameToCode.put(
+ "c2pnb163v1", ECCurve_Code.c2pnb163v1);
+ ECCurve_NameToCode.put(
+ "c2pnb163v2", ECCurve_Code.c2pnb163v2);
+ ECCurve_NameToCode.put(
+ "c2pnb163v3", ECCurve_Code.c2pnb163v3);
+ ECCurve_NameToCode.put(
+ "c2pnb176v1", ECCurve_Code.c2pnb176v1);
+ ECCurve_NameToCode.put(
+ "c2tnb191v1", ECCurve_Code.c2tnb191v1);
+ ECCurve_NameToCode.put(
+ "c2tnb191v2", ECCurve_Code.c2tnb191v2);
+ ECCurve_NameToCode.put(
+ "c2tnb191v3", ECCurve_Code.c2tnb191v3);
+ //ECCurve_NameToCode.put(
+ // "c2onb191v4", ECCurve_Code.c2onb191v4);
+ //ECCurve_NameToCode.put(
+ // "c2onb191v5", ECCurve_Code.c2onb191v5);
+ ECCurve_NameToCode.put(
+ "c2pnb208w1", ECCurve_Code.c2pnb208w1);
+ ECCurve_NameToCode.put(
+ "c2tnb239v1", ECCurve_Code.c2tnb239v1);
+ ECCurve_NameToCode.put(
+ "c2tnb239v2", ECCurve_Code.c2tnb239v2);
+ ECCurve_NameToCode.put(
+ "c2tnb239v3", ECCurve_Code.c2tnb239v3);
+ //ECCurve_NameToCode.put(
+ // "c2onb239v4", ECCurve_Code.c2onb239v4);
+ //ECCurve_NameToCode.put(
+ // "c2onb239v5", ECCurve_Code.c2onb239v5);
+ ECCurve_NameToCode.put(
+ "c2pnb272w1", ECCurve_Code.c2pnb272w1);
+ ECCurve_NameToCode.put(
+ "c2pnb304w1", ECCurve_Code.c2pnb304w1);
+ ECCurve_NameToCode.put(
+ "c2tnb359v1", ECCurve_Code.c2tnb359v1);
+ ECCurve_NameToCode.put(
+ "c2pnb368w1", ECCurve_Code.c2pnb368w1);
+ ECCurve_NameToCode.put(
+ "c2tnb431r1", ECCurve_Code.c2tnb431r1);
+ }
+
// opFlag constants: each of these flags specifies a crypto operation
// the key will support. Their values must match the same-named C
// preprocessor macros defined in the PKCS #11 header pkcs11t.h.
@@ -165,7 +406,15 @@ public final class PK11KeyPairGenerator
}
} else {
Assert._assert( algorithm == KeyPairAlgorithm.EC );
- params = getCurve(strength);
+ if (strength < 112) {
+ // for EC, "strength" is actually a code for curves defined in
+ // ECCurve_Code
+ params = getECCurve(strength);
+ } else {
+ // this is the old method of strength to curve mapping,
+ // which is somewhat defective
+ params = getCurve(strength);
+ }
}
}
@@ -642,6 +891,189 @@ public final class PK11KeyPairGenerator
static final OBJECT_IDENTIFIER CURVE_SECG_T571R1
= SECG_EC_CURVE.subBranch(39);
+ // the EC curvecode to oid hash table
+ private static Hashtable mECCurve_CodeToCurve = new Hashtable();
+ static {
+ // SEG Prime curves
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp521r1.ordinal(), (Object) CURVE_SECG_P521R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistp521.ordinal(), (Object) CURVE_SECG_P521R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp384r1.ordinal(), (Object) CURVE_SECG_P384R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistp384.ordinal(), (Object) CURVE_SECG_P384R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp256r1.ordinal(), (Object) CURVE_ANSI_P256V1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistp256.ordinal(), (Object) CURVE_ANSI_P256V1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp256k1.ordinal(), (Object) CURVE_SECG_P256K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp224r1.ordinal(), (Object) CURVE_SECG_P224R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistp224.ordinal(), (Object) CURVE_SECG_P224R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp224k1.ordinal(), (Object) CURVE_SECG_P224K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp192r1.ordinal(), (Object) CURVE_ANSI_P192V1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistp192.ordinal(), (Object) CURVE_ANSI_P192V1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp192k1.ordinal(), (Object) CURVE_SECG_P192K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp160r2.ordinal(), (Object) CURVE_SECG_P160R2);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp160r1.ordinal(), (Object) CURVE_SECG_P160R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp160k1.ordinal(), (Object) CURVE_SECG_P160K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp128r2.ordinal(), (Object) CURVE_SECG_P128R2);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp128r1.ordinal(), (Object) CURVE_SECG_P128R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp112r2.ordinal(), (Object) CURVE_SECG_P112R2);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.secp112r1.ordinal(), (Object) CURVE_SECG_P112R1);
+ // SEG Binary curves
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect571r1.ordinal(), (Object) CURVE_SECG_T571R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistb571.ordinal(), (Object) CURVE_SECG_T571R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect571k1.ordinal(), (Object) CURVE_SECG_T571K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistk571.ordinal(), (Object) CURVE_SECG_T571K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect409r1.ordinal(), (Object) CURVE_SECG_T409R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistb409.ordinal(), (Object) CURVE_SECG_T409R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect409k1.ordinal(), (Object) CURVE_SECG_T409K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistk409.ordinal(), (Object) CURVE_SECG_T409K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect283r1.ordinal(), (Object) CURVE_SECG_T283R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistb283.ordinal(), (Object) CURVE_SECG_T283R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect283k1.ordinal(), (Object) CURVE_SECG_T283K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistk283.ordinal(), (Object) CURVE_SECG_T283K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect239k1.ordinal(), (Object) CURVE_SECG_T239K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect233r1.ordinal(), (Object) CURVE_SECG_T233R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistb233.ordinal(), (Object) CURVE_SECG_T233R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect233k1.ordinal(), (Object) CURVE_SECG_T233K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistk233.ordinal(), (Object) CURVE_SECG_T233K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect193r2.ordinal(), (Object) CURVE_SECG_T193R2);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect193r1.ordinal(), (Object) CURVE_SECG_T193R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistb163.ordinal(), (Object) CURVE_SECG_T163K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect163r2.ordinal(), (Object) CURVE_SECG_T163R2);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect163r1.ordinal(), (Object) CURVE_SECG_T163R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect163k1.ordinal(), (Object) CURVE_SECG_T163K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.nistk163.ordinal(), (Object) CURVE_SECG_T163K1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect131r2.ordinal(), (Object) CURVE_SECG_T131R2);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect131r1.ordinal(), (Object) CURVE_SECG_T131R1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect113r2.ordinal(), (Object) CURVE_SECG_T113R2);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.sect113r1.ordinal(), (Object) CURVE_SECG_T113R1);
+ // ANSI Prime curves
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.prime239v3.ordinal(), (Object) CURVE_ANSI_P239V3);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.prime239v2.ordinal(), (Object) CURVE_ANSI_P239V2);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.prime239v1.ordinal(), (Object) CURVE_ANSI_P239V1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.prime192v3.ordinal(), (Object) CURVE_ANSI_P192V3);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.prime192v2.ordinal(), (Object) CURVE_ANSI_P192V2);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.prime192v1.ordinal(), (Object) CURVE_ANSI_P192V1);
+ // ANSI Binary curves
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2pnb163v1.ordinal(), (Object) CURVE_ANSI_PNB163V1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2pnb163v2.ordinal(), (Object) CURVE_ANSI_PNB163V2);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2pnb163v3.ordinal(), (Object) CURVE_ANSI_PNB163V3);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2pnb176v1.ordinal(), (Object) CURVE_ANSI_PNB176V1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2tnb191v1.ordinal(), (Object) CURVE_ANSI_TNB191V1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2tnb191v2.ordinal(), (Object) CURVE_ANSI_TNB191V2);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2tnb191v3.ordinal(), (Object) CURVE_ANSI_TNB191V3);
+ //mECCurve_CodeToCurve.put(
+ // ECCurve_Code.c2onb191v4.ordinal(), (Object) CURVE_ANSI_ONB191V4);
+ //mECCurve_CodeToCurve.put(
+ // ECCurve_Code.c2onb191v5.ordinal(), (Object) CURVE_ANSI_ONB191V5);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2pnb208w1.ordinal(), (Object) CURVE_ANSI_PNB208W1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2tnb239v1.ordinal(), (Object) CURVE_ANSI_TNB239V1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2tnb239v2.ordinal(), (Object) CURVE_ANSI_TNB239V2);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2tnb239v3.ordinal(), (Object) CURVE_ANSI_TNB239V3);
+ //mECCurve_CodeToCurve.put(
+ // ECCurve_Code.c2onb239v4.ordinal(), (Object) CURVE_ANSI_ONB239V4);
+ //mECCurve_CodeToCurve.put(
+ // ECCurve_Code.c2onb239v5.ordinal(), (Object) CURVE_ANSI_ONB239V5);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2pnb272w1.ordinal(), (Object) CURVE_ANSI_PNB272W1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2pnb304w1.ordinal(), (Object) CURVE_ANSI_PNB304W1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2tnb359v1.ordinal(), (Object) CURVE_ANSI_TNB359V1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2pnb368w1.ordinal(), (Object) CURVE_ANSI_PNB368W1);
+ mECCurve_CodeToCurve.put(
+ ECCurve_Code.c2tnb431r1.ordinal(), (Object) CURVE_ANSI_TNB431R1);
+ }
+
+ public int getCurveCodeByName(String curveName)
+ throws InvalidParameterException {
+ if (curveName == null)
+ throw new InvalidParameterException();
+ ECCurve_Code c = (ECCurve_Code) ECCurve_NameToCode.get(curveName);
+ if (c == null)
+ throw new InvalidParameterException(curveName);
+ return c.ordinal();
+ }
+
+ /*
+ * getECCurve
+ * maps curvecode to the actual oid of the curve and
+ * returns the PK11ParameterSpec
+ */
+ private AlgorithmParameterSpec getECCurve(int curvecode)
+ throws InvalidParameterException
+ {
+ OBJECT_IDENTIFIER oid;
+
+ oid = (OBJECT_IDENTIFIER) mECCurve_CodeToCurve.get(curvecode);
+ if (oid == null)
+ throw new IllegalArgumentException("curvecode ="+curvecode);
+ return new PK11ParameterSpec(ASN1Util.encode(oid));
+ }
+
private AlgorithmParameterSpec getCurve(int strength)
throws InvalidParameterException
{

349
jss-Fixed-build-failures.patch
View File

@ -1,349 +0,0 @@
From 22092d1bde94dc8a1f6e8198fa2fcc597c36c32f Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 9 Dec 2015 00:30:50 +0100
Subject: [PATCH] Fixed build failures.
The Javadoc on various classes have been modified to fix build
failures on F23 and Rawhide due to stringent requirements on
those platforms.
The Debug_debug.jnot has been renamed to Debug.java to fix build
failure in Eclipse.
https://bugzilla.redhat.com/show_bug.cgi?id=1289799
---
.classpath | 7 +++++++
.project | 17 +++++++++++++++++
mozilla/security/jss/build_java.pl | 2 +-
mozilla/security/jss/org/mozilla/jss/CryptoManager.java | 14 +++++++-------
.../security/jss/org/mozilla/jss/asn1/ASN1Header.java | 2 +-
.../security/jss/org/mozilla/jss/pkcs11/PK11Token.java | 2 +-
.../security/jss/org/mozilla/jss/pkcs12/CertBag.java | 1 +
.../security/jss/org/mozilla/jss/pkcs7/ContentInfo.java | 1 -
.../security/jss/org/mozilla/jss/pkcs7/SignerInfo.java | 17 ++++++++++-------
.../jss/org/mozilla/jss/pkix/cms/ContentInfo.java | 1 -
.../jss/org/mozilla/jss/pkix/cms/SignerInfo.java | 17 ++++++++++-------
.../jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java | 2 +-
.../jss/org/mozilla/jss/ssl/SSLServerSocket.java | 3 ---
.../mozilla/jss/util/{Debug_debug.jnot => Debug.java} | 0
14 files changed, 56 insertions(+), 30 deletions(-)
create mode 100644 .classpath
create mode 100644 .project
rename mozilla/security/jss/org/mozilla/jss/util/{Debug_debug.jnot => Debug.java} (100%)
diff --git a/.classpath b/.classpath
new file mode 100644
index 0000000000000000000000000000000000000000..df092d3f7d8df936b753bea75c11bf4003e1a77f
--- /dev/null
+++ b/.classpath
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<classpath>
+ <classpathentry excluding="samples/" kind="src" path="mozilla/security/jss"/>
+ <classpathentry kind="src" path="mozilla/security/jss/samples"/>
+ <classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
+ <classpathentry kind="output" path="bin"/>
+</classpath>
diff --git a/.project b/.project
new file mode 100644
index 0000000000000000000000000000000000000000..c0b616e95c7512076c9976374bda14e11d7cdd8c
--- /dev/null
+++ b/.project
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+ <name>jss-4.2</name>
+ <comment></comment>
+ <projects>
+ </projects>
+ <buildSpec>
+ <buildCommand>
+ <name>org.eclipse.jdt.core.javabuilder</name>
+ <arguments>
+ </arguments>
+ </buildCommand>
+ </buildSpec>
+ <natures>
+ <nature>org.eclipse.jdt.core.javanature</nature>
+ </natures>
+</projectDescription>
diff --git a/mozilla/security/jss/build_java.pl b/mozilla/security/jss/build_java.pl
index c34473e0eec883323b6b100e671018a9edafe442..379a5e05dbc0599c95d2228bd14f659d3e493d0b 100644
--- a/mozilla/security/jss/build_java.pl
+++ b/mozilla/security/jss/build_java.pl
@@ -137,7 +137,7 @@ sub setup_vars {
$class_jar = "$dist_dir/$cmdline_vars{XPCLASS_DBG_JAR}";
$class_release_dir .= "/$cmdline_vars{SOURCE_RELEASE_CLASSES_DBG_DIR}";
$javac_opt_flag = "-g";
- $debug_source_file = "org/mozilla/jss/util/Debug_debug.jnot";
+ $debug_source_file = "org/mozilla/jss/util/Debug.java";
}
$jni_header_dir = "$dist_dir/private/jss/_jni";
diff --git a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
index 08aad8fe3c3a62ae8e233fc1035723690adf4581..6ef0256a3b777db48461f19da0fa64ec7857ed6b 100644
--- a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
+++ b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
@@ -600,7 +600,7 @@ public final class CryptoManager implements TokenSupplier
* loaded cryptographic modules for the token.
*
* @param name The name of the token.
- * @exception org.mozilla.jss.crypto.NoSuchTokenException If no token
+ * @exception NoSuchTokenException If no token
* is found with the given name.
*/
public synchronized CryptoToken getTokenByName(String name)
@@ -855,9 +855,9 @@ public final class CryptoManager implements TokenSupplier
* <code>initialize()</code>.
*
* @param configDir The directory containing the security databases.
- * @exception org.mozilla.jss.util.KeyDatabaseException Unable to open
+ * @exception KeyDatabaseException Unable to open
* the key database, or it was currupted.
- * @exception org.mozilla.jss.util.CertDatabaseException Unable
+ * @exception CertDatabaseException Unable
* to open the certificate database, or it was currupted.
**/
public static synchronized void initialize( String configDir )
@@ -878,9 +878,9 @@ public final class CryptoManager implements TokenSupplier
* <code>initialize()</code>.
*
* @param values The options with which to initialize CryptoManager.
- * @exception org.mozilla.jss.util.KeyDatabaseException Unable to open
+ * @exception KeyDatabaseException Unable to open
* the key database, or it was currupted.
- * @exception org.mozilla.jss.util.CertDatabaseException Unable
+ * @exception CertDatabaseException Unable
* to open the certificate database, or it was currupted.
**/
public static synchronized void initialize( InitializationValues values )
@@ -1021,7 +1021,7 @@ public final class CryptoManager implements TokenSupplier
* @return The leaf certificate from the chain.
* @exception CertificateEncodingException If the package encoding
* was not recognized.
- * @exception CertificateNicknameConflictException If the leaf certificate
+ * @exception NicknameConflictException If the leaf certificate
* is a user certificate, and another certificate already has the
* given nickname.
* @exception UserCertConflictException If the leaf certificate
@@ -1059,7 +1059,7 @@ public final class CryptoManager implements TokenSupplier
* @return The leaf certificate from the chain.
* @exception CertificateEncodingException If the package encoding
* was not recognized.
- * @exception CertificateNicknameConflictException If the leaf certificate
+ * @exception NicknameConflictException If the leaf certificate
* another certificate already has the given nickname.
* @exception UserCertConflictException If the leaf certificate
* has already been imported.
diff --git a/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java b/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java
index bfa37c9f5eba1c5df9bb275cad16c1bf57c9c65d..d15be4922b52d16a25e3212b2b25809cd7ddf3b6 100644
--- a/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java
+++ b/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java
@@ -259,7 +259,7 @@ public class ASN1Header {
/**
* This constructor is to be called when we are constructing an ASN1Value
* rather than decoding it.
- * @param contentLength Must be >=0. Although indefinite length
+ * @param contentLength Must be &gt;=0. Although indefinite length
* <i>decoding</i> is supported, indefinite length <i>encoding</i>
* is not.
*/
diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java b/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
index e521b6108b90daeb7035413bba50a41e9b20ec49..98e93f0e858b09402364b4dc89c36a63e7ef0f7b 100644
--- a/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
+++ b/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
@@ -236,7 +236,7 @@ public final class PK11Token implements CryptoToken {
*
* @param ssopwcb The security officer's current password callback.
* @param userpwcb The user's new password callback.
- * @exception IncorrectPinException If the security officer PIN is
+ * @exception IncorrectPasswordException If the security officer PIN is
* incorrect.
* @exception TokenException If the PIN was already initialized,
* or there was an unspecified error in the token.
diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java b/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java
index a1b08d2e9ee9dfcb4ee809e101f3074611664384..61ad979d65d5ecc6659281218c58e8ec9a48211c 100644
--- a/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java
+++ b/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java
@@ -91,6 +91,7 @@ public class CertBag implements ASN1Value {
* <li>If the type is <code>SDSI_CERT_TYPE</code>, returns
* an IA5String.
* <li>For all other types, returns an ANY.
+ * </ul>
*
* @exception InvalidBERException If the cert is not encoded correctly.
*/
diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java b/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java
index 4db7a42c75cc21d71841e20dcb9a4c1494ff08c2..4578e9bcd8abdb4e7b6717b07aee932dd887d675 100644
--- a/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java
+++ b/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java
@@ -169,7 +169,6 @@ public class ContentInfo implements ASN1Value {
* an OCTET_STRING will be returned.
* <p>If the contentType is <b>not</b> one of the six standard types,
* the returned object will be an ANY.
- * </ul>
*/
public ASN1Value getInterpretedContent() throws InvalidBERException {
if(contentType.equals(DATA)) {
diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java b/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java
index 300e993cffd9dcadaf996609abeebf8627eafde8..c49107c80543ec94fbb3117a1a9a1088f851a6b3 100644
--- a/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java
+++ b/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java
@@ -129,7 +129,7 @@ public class SignerInfo implements ASN1Value {
/**
* Retrieves the DigestAlgorithm used in this SignerInfo.
*
- * @exception NoSuchAlgorithm If the algorithm is not recognized by JSS.
+ * @exception NoSuchAlgorithmException If the algorithm is not recognized by JSS.
*/
public DigestAlgorithm getDigestAlgorithm()
throws NoSuchAlgorithmException
@@ -402,10 +402,12 @@ public class SignerInfo implements ASN1Value {
/**
* Verifies that this SignerInfo contains a valid signature of the
* given message digest. If any authenticated attributes are present,
- * they are also validated. The verification algorithm is as follows:<ul>
- * <p>Note that this does <b>not</b> verify the validity of the
- * the certificate itself, only the signature.
+ * they are also validated. The verification algorithm is as follows:
*
+ * Note that this does <b>not</b> verify the validity of the
+ * the certificate itself, only the signature.
+ *
+ * <ul>
* <li>If no authenticated attributes are present, the content type is
* verified to be <i>data</i>. Then it is verified that the message
* digest passed
@@ -413,24 +415,25 @@ public class SignerInfo implements ASN1Value {
* digest in the SignerInfo.
*
* <li>If authenticated attributes are present,
- * two particular attributes must be present: <ul>
+ * two particular attributes must be present:
+ * <ul>
* <li>PKCS #9 Content-Type, the type of content that is being signed.
* This must match the contentType parameter.
* <li>PKCS #9 Message-Digest, the digest of the content that is being
* signed. This must match the messageDigest parameter.
* </ul>
+ *
* After these two attributes are verified to be both present and correct,
* the encryptedDigest field of the SignerInfo is verified to be the
* signature of the contents octets of the DER encoding of the
* authenticatedAttributes field.
- *
* </ul>
*
* @param messageDigest The hash of the content that is signed by this
* SignerInfo.
* @param contentType The type of the content that is signed by this
* SignerInfo.
- * @exception NoSuchObjectException If no certificate matching the
+ * @exception ObjectNotFoundException If no certificate matching the
* the issuer name and serial number can be found.
*/
public void verify(byte[] messageDigest, OBJECT_IDENTIFIER contentType)
diff --git a/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java b/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java
index 91ae770c94b3a8817c13e4cb86609c432ef682b8..9f61e605b416dffc38525ccec4dcce9f380c7dcc 100644
--- a/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java
+++ b/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java
@@ -168,7 +168,6 @@ public class ContentInfo implements ASN1Value {
* an OCTET_STRING will be returned.
* <p>If the contentType is <b>not</b> one of the six standard types,
* the returned object will be an ANY.
- * </ul>
*/
public ASN1Value getInterpretedContent() throws InvalidBERException {
if(contentType.equals(DATA)) {
diff --git a/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java b/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java
index ff34a554e4d5f43b6ce18acfac01899858d62117..e7feb934dc0a78fbc40a6ff7d8db87f0af9177fe 100644
--- a/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java
+++ b/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java
@@ -130,7 +130,7 @@ public class SignerInfo implements ASN1Value {
/**
* Retrieves the DigestAlgorithm used in this SignerInfo.
*
- * @exception NoSuchAlgorithm If the algorithm is not recognized by JSS.
+ * @exception NoSuchAlgorithmException If the algorithm is not recognized by JSS.
*/
public DigestAlgorithm getDigestAlgorithm()
throws NoSuchAlgorithmException
@@ -403,10 +403,12 @@ public class SignerInfo implements ASN1Value {
/**
* Verifies that this SignerInfo contains a valid signature of the
* given message digest. If any signed attributes are present,
- * they are also validated. The verification algorithm is as follows:<ul>
- * <p>Note that this does <b>not</b> verify the validity of the
- * the certificate itself, only the signature.
+ * they are also validated. The verification algorithm is as follows:
*
+ * Note that this does <b>not</b> verify the validity of the
+ * the certificate itself, only the signature.
+ *
+ * <ul>
* <li>If no signed attributes are present, the content type is
* verified to be <i>data</i>. Then it is verified that the message
* digest passed
@@ -414,24 +416,25 @@ public class SignerInfo implements ASN1Value {
* digest in the SignerInfo.
*
* <li>If signed attributes are present,
- * two particular attributes must be present: <ul>
+ * two particular attributes must be present:
+ * <ul>
* <li>PKCS #9 Content-Type, the type of content that is being signed.
* This must match the contentType parameter.
* <li>PKCS #9 Message-Digest, the digest of the content that is being
* signed. This must match the messageDigest parameter.
* </ul>
+ *
* After these two attributes are verified to be both present and correct,
* the encryptedDigest field of the SignerInfo is verified to be the
* signature of the contents octets of the DER encoding of the
* signedAttributes field.
- *
* </ul>
*
* @param messageDigest The hash of the content that is signed by this
* SignerInfo.
* @param contentType The type of the content that is signed by this
* SignerInfo.
- * @exception NoSuchObjectException If no certificate matching the
+ * @exception ObjectNotFoundException If no certificate matching the
* the issuer name and serial number can be found.
*/
public void verify(byte[] messageDigest, OBJECT_IDENTIFIER contentType)
diff --git a/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java b/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java
index 53d162b69673caeed3e998dc9c2e221b95dfc6db..c6637039c87043f36dd1a1e449a819edbcc816e3 100644
--- a/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java
+++ b/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java
@@ -112,7 +112,7 @@ public class CertReqMsg implements ASN1Value {
/**
* Constructs a <i>CertReqmsg</i> from a <i>CertRequest</i> and, optionally,
- * a <i>pop>/i> and a <i>regInfo</i>.
+ * a <i>pop</i> and a <i>regInfo</i>.
* @param pop May be NULL.
* @param regInfo May be NULL.
*/
diff --git a/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java b/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
index 2043a598cf3e8d023287c0f7142045c1e4f68e4d..58d14496e5ad92aa91a966e119e14f470da4fd4a 100644
--- a/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
+++ b/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
@@ -174,9 +174,6 @@ public class SSLServerSocket extends java.net.ServerSocket {
* @return java.net.Socket Local socket for client communication
*
* @throws IOException If an input or output exception occurred
- * @throws SocketTimeoutException If the socket timesout trying to connect
- * @throws InterruptedIOException If an input or output is interrupted
- * @throws SSLSocketException JSS subclass of java.net.SocketException
*/
public Socket accept() throws IOException {
synchronized (acceptLock) {
diff --git a/mozilla/security/jss/org/mozilla/jss/util/Debug_debug.jnot b/mozilla/security/jss/org/mozilla/jss/util/Debug.java
similarity index 100%
rename from mozilla/security/jss/org/mozilla/jss/util/Debug_debug.jnot
rename to mozilla/security/jss/org/mozilla/jss/util/Debug.java
--
2.4.3

62
jss-HSM-manufacturerID.patch
View File

@ -1,62 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu 2011-11-10 17:18:02.706421000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-11-10 17:18:23.370442000 -0800
@@ -195,7 +195,8 @@ JSS_PK11_generateKeyPairWithOpFlags(JNIE
}
PR_GetErrorText(errBuf);
}
- msgBuf = PR_smprintf("Keypair Generation failed on token: %s",
+ msgBuf = PR_smprintf("Keypair Generation failed on token with error: %d : %s",
+ PR_GetError(),
errLength>0? errBuf : "");
if(errLength>0) {
PR_Free(errBuf);
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-11-10 17:18:10.767429000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-11-10 17:52:34.703491000 -0800
@@ -334,32 +334,36 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
PRBool isExtractable = PR_FALSE;
/* special case nethsm and lunasa*/
- CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
- CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'};
+ const int numManufacturerIDchars = 7;
+ CK_UTF8CHAR nethsmManufacturerID[] = {'n','C','i','p','h','e','r'};
+ CK_UTF8CHAR lunasaManufacturerID[] = {'S','a','f','e','n','e','t'};
PRBool isNethsm = PR_TRUE;
PRBool isLunasa = PR_TRUE;
+ tokenInfo.manufacturerID[0] = 0;
+
if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
/* exception was thrown */
goto finish;
}
- if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) {
+ if ( (PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) &&
+ (tokenInfo.manufacturerID[0] != 0)) {
int ix = 0;
- for(ix=0; ix < 4; ix++) {
- if (tokenInfo.label[ix] != nethsmLabel[ix]) {
+
+ for(ix=0; ix < numManufacturerIDchars; ix++) {
+ if (tokenInfo.manufacturerID[ix] != nethsmManufacturerID[ix]) {
isNethsm = PR_FALSE;
break;
}
}
- ix = 0;
- for(ix=0; ix < 4; ix++) {
- if (tokenInfo.label[ix] != lunasaLabel[ix]) {
+
+ for(ix=0; ix < numManufacturerIDchars; ix++) {
+ if (tokenInfo.manufacturerID[ix] != lunasaManufacturerID[ix]) {
isLunasa = PR_FALSE;
break;
}
}
-
} else {
isNethsm = PR_FALSE;
isLunasa = PR_FALSE;

328
jss-PBE-PKCS5-V2-secure-P12.patch
View File

@ -1,328 +0,0 @@
diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
--- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.old 2011-09-23 10:14:24.000000000 -0700
+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-22 18:39:15.000000000 -0700
@@ -111,6 +111,9 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
/* 48 */ {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG},
/* 49 */ {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG},
/* 50 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
+/* 51 */ {SEC_OID_PKCS5_PBKDF2, SEC_OID_TAG},
+/* 52 */ {SEC_OID_PKCS5_PBES2, SEC_OID_TAG},
+/* 53 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG},
/* REMEMBER TO UPDATE NUM_ALGS!!! */
};
diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
--- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.old 2011-09-23 10:14:08.000000000 -0700
+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2011-09-22 20:31:12.000000000 -0700
@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
JSS_AlgType type;
} JSS_AlgInfo;
-#define NUM_ALGS 51
+#define NUM_ALGS 54
extern JSS_AlgInfo JSS_AlgTable[];
extern CK_ULONG JSS_symkeyUsage[];
diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
--- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.old 2011-09-23 10:14:42.000000000 -0700
+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2011-09-22 18:39:15.000000000 -0700
@@ -233,5 +233,9 @@ public class Algorithm {
protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50;
+ //PKCS5 V2
+ protected static final short SEC_OID_PKCS5_PBKDF2=51;
+ protected static final short SEC_OID_PKCS5_PBES2=52;
+ protected static final short SEC_OID_PKCS5_PBMAC1=53;
}
diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java.old ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java
--- ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java.old 2011-09-23 10:15:04.000000000 -0700
+++ ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java 2011-09-22 18:39:15.000000000 -0700
@@ -93,6 +93,27 @@ public class PBEAlgorithm extends KeyGen
///////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////
+ // PKCS 5 v2
+ public static final PBEAlgorithm
+ PBE_PKCS5_PBKDF2 = new PBEAlgorithm(
+ SEC_OID_PKCS5_PBKDF2, "PBKDF2", 128,
+ PKCS5.subBranch(12), EncryptionAlgorithm.AES_128_CBC, 8 );
+
+ //////////////////////////////////////////////////////////////
+ // PKCS 5 v2
+ public static final PBEAlgorithm
+ PBE_PKCS5_PBES2 = new PBEAlgorithm(
+ SEC_OID_PKCS5_PBES2, "PBES2", 128,
+ PKCS5.subBranch(13), EncryptionAlgorithm.AES_128_CBC, 8 );
+
+ //////////////////////////////////////////////////////////////
+ // PKCS 5 v2
+ public static final PBEAlgorithm
+ PBE_PKCS5_PBMAC1 = new PBEAlgorithm(
+ SEC_OID_PKCS5_PBMAC1, "PBMAC1", 128,
+ PKCS5.subBranch(14), EncryptionAlgorithm.AES_128_CBC, 8 );
+
+ //////////////////////////////////////////////////////////////
public static final PBEAlgorithm
PBE_MD2_DES_CBC = new PBEAlgorithm(
SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC, "PBE/MD2/DES/CBC", 56,
diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
--- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.old 2011-09-23 10:12:09.000000000 -0700
+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-09-27 10:35:19.000000000 -0700
@@ -324,7 +324,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
}
/* print_secitem(pwitem); */
-
mech = JSS_getPK11MechFromAlg(env, alg);
if( mech == CKM_PBA_SHA1_WITH_SHA1_HMAC ) {
@@ -344,7 +343,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
PR_ASSERT(oidTag != SEC_OID_UNKNOWN);
/* create algid */
- algid = PK11_CreatePBEAlgorithmID(oidTag, iterationCount, salt);
+ algid = PK11_CreatePBEV2AlgorithmID(
+ oidTag,
+ SEC_OID_DES_EDE3_CBC,
+ SEC_OID_HMAC_SHA1,
+ 168/8,
+ iterationCount,
+ salt);
+
if( algid == NULL ) {
JSS_throwMsg(env, TOKEN_EXCEPTION,
"Unable to process PBE parameters");
diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
--- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.old 2011-09-25 15:43:52.000000000 -0700
+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-09-27 21:16:06.000000000 -0700
@@ -324,14 +324,34 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
SECItem *wrapped=NULL, *iv=NULL, *param=NULL, *pubValue=NULL;
SECItem label; /* empty secitem, doesn't need to be freed */
PRBool token;
- CK_ATTRIBUTE_TYPE attribs[4];
- int numAttribs;
+ CK_ATTRIBUTE_TYPE attribs[4] = {0, 0, 0, 0};
+ int numAttribs = 0;
+ CK_TOKEN_INFO tokenInfo;
+
+ PRBool isSensitive = PR_TRUE;
+ PRBool isExtractable = PR_FALSE;
+ /* special case nethsm*/
+ CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
+ PRBool isNethsm = PR_TRUE;
if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
/* exception was thrown */
goto finish;
}
+ if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) {
+ int ix = 0;
+ for(ix=0; ix < 4; ix++) {
+ if (tokenInfo.label[ix] != nethsmLabel[ix]) {
+ isNethsm = PR_FALSE;
+ break;
+ }
+ }
+
+ } else {
+ isNethsm = PR_FALSE;
+ }
+
/* get unwrapping key */
if( JSS_PK11_getSymKeyPtr(env, unwrapperObj, &unwrappingKey)
!= PR_SUCCESS) {
@@ -392,14 +412,24 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
}
keyType = PK11_GetKeyType(keyTypeMech, 0);
+ if( isNethsm ) {
+ isSensitive = PR_FALSE;
+ isExtractable = PR_FALSE;
+ }
+
+setAttrs:
/* figure out which operations to enable for this key */
switch (keyType) {
case CKK_RSA:
attribs[0] = CKA_SIGN;
- attribs[1] = CKA_DECRYPT;
- attribs[2] = CKA_SIGN_RECOVER;
- attribs[3] = CKA_UNWRAP;
- numAttribs = 4;
+ attribs[1] = CKA_SIGN_RECOVER;
+ attribs[2] = CKA_UNWRAP;
+ if (isExtractable) {
+ attribs[3] = CKA_EXTRACTABLE;
+ numAttribs = 4;
+ } else {
+ numAttribs = 3;
+ }
break;
case CKK_DSA:
attribs[0] = CKA_SIGN;
@@ -426,7 +456,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
/* perform the unwrap */
privk = PK11_UnwrapPrivKey(slot, unwrappingKey, wrapType, param, wrapped,
- &label, pubValue, token, PR_TRUE /*sensitive*/, keyType,
+ &label, pubValue, token, isSensitive /*sensitive*/, keyType,
attribs, numAttribs, NULL /*wincx*/);
if( privk == NULL ) {
JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token");
diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
--- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.old 2011-09-27 15:16:52.000000000 -0700
+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2011-09-27 17:01:18.000000000 -0700
@@ -190,21 +190,23 @@ final class PK11KeyWrapper implements Ke
if( key==null ) {
throw new InvalidKeyException("Key is null");
}
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the "+
- "current token");
- }
- if( ! (key instanceof PK11SymKey) ) {
- throw new InvalidKeyException("Key is not a PKCS #11 key");
- }
try {
+ if( ! key.getOwningToken().equals(token) ) {
+ throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
+ key.getOwningToken().getName());
+ }
+ if( ! (key instanceof PK11SymKey) ) {
+ throw new InvalidKeyException("Key is not a PKCS #11 key");
+ }
if( ((PK11SymKey)key).getKeyType() !=
- KeyType.getKeyTypeFromAlgorithm(algorithm) ) {
- throw new InvalidKeyException("Key is not the right type for"+
+ KeyType.getKeyTypeFromAlgorithm(algorithm) ) {
+ throw new InvalidKeyException("Key is not the right type for"+
" this algorithm");
}
} catch( NoSuchAlgorithmException e ) {
Assert.notReached("Unknown algorithm");
+ } catch (Exception e) {
+ Assert.notReached("Exception:"+ e.toString());
}
}
diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
--- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.old 2011-09-23 10:12:29.000000000 -0700
+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-09-23 08:54:19.000000000 -0700
@@ -106,10 +106,13 @@ public final class PK11Token implements
getKeyGenerator(KeyGenAlgorithm algorithm)
throws NoSuchAlgorithmException, TokenException
{
+/* NSS is capable of finding the right token to do algorithm,
+ so this call is prematurely bailing
if( ! doesAlgorithm(algorithm) ) {
throw new NoSuchAlgorithmException(
algorithm+" is not supported by this token");
}
+*/
return new PK11KeyGenerator(this, algorithm);
}
diff -up ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.old ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
--- ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.old 2011-09-23 10:42:06.000000000 -0700
+++ ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java 2011-09-27 14:31:41.000000000 -0700
@@ -43,6 +43,7 @@ import org.mozilla.jss.util.Assert;
import java.security.*;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.util.Password;
+import org.mozilla.jss.crypto.PrivateKey;
import java.security.spec.AlgorithmParameterSpec;
/**
@@ -184,6 +185,89 @@ public class EncryptedPrivateKeyInfo imp
return null;
}
+
+ /**
+ * Creates a new EncryptedPrivateKeyInfo, where the data is encrypted
+ * with a password-based key-
+ * with wrapping/unwrapping happening on token.
+ *
+ * @param keyGenAlg The algorithm for generating a symmetric key from
+ * a password, salt, and iteration count.
+ * @param password The password to use in generating the key.
+ * @param salt The salt to use in generating the key.
+ * @param iterationCount The number of hashing iterations to perform
+ * while generating the key.
+ * @param charToByteConverter The mechanism for converting the characters
+ * in the password into bytes. If null, the default mechanism
+ * will be used, which is UTF8.
+ * @param pri The PrivateKey to be encrypted and stored in the
+ * EncryptedContentInfo.
+ */
+ public static EncryptedPrivateKeyInfo
+ createPBE(PBEAlgorithm keyGenAlg, Password password, byte[] salt,
+ int iterationCount,
+ KeyGenerator.CharToByteConverter charToByteConverter,
+ PrivateKey pri, CryptoToken token)
+ throws CryptoManager.NotInitializedException, NoSuchAlgorithmException,
+ InvalidKeyException, InvalidAlgorithmParameterException, TokenException,
+ CharConversionException
+ {
+ try {
+
+ // check key gen algorithm
+
+ if( ! (keyGenAlg instanceof PBEAlgorithm) ) {
+ throw new NoSuchAlgorithmException("Key generation algorithm"+
+ " is not a PBE algorithm");
+ }
+
+ PBEAlgorithm pbeAlg = (PBEAlgorithm) keyGenAlg;
+
+ // generate key
+
+ KeyGenerator kg = token.getKeyGenerator( keyGenAlg );
+ PBEKeyGenParams pbekgParams = new PBEKeyGenParams(
+ password, salt, iterationCount);
+ if( charToByteConverter != null ) {
+ kg.setCharToByteConverter( charToByteConverter );
+ }
+ kg.initialize(pbekgParams);
+ kg.temporaryKeys(true);
+ SymmetricKey key = kg.generate();
+
+ // generate IV
+ EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
+ AlgorithmParameterSpec params=null;
+ if( encAlg.getParameterClass().equals( IVParameterSpec.class ) ) {
+ params = new IVParameterSpec( kg.generatePBE_IV() );
+ }
+
+ KeyWrapper wrapper = token.getKeyWrapper(
+ KeyWrapAlgorithm.DES3_CBC);
+ wrapper.initWrap(key, params);
+ byte encrypted[] = wrapper.wrap(pri);
+
+ // make encryption algorithm identifier
+ PBEParameter pbeParam = new PBEParameter( salt, iterationCount );
+ AlgorithmIdentifier encAlgID = new AlgorithmIdentifier(
+ keyGenAlg.toOID(), pbeParam);
+
+ // create EncryptedPrivateKeyInfo
+ EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo (
+ encAlgID,
+ new OCTET_STRING(encrypted) );
+
+ return epki;
+
+ } catch (Exception e) {
+ Assert.notReached("EncryptedPrivateKeyInfo exception:"
+ +".createPBE");
+ }
+
+ return null;
+ }
+
+
/**
* Decrypts an EncryptedPrivateKeyInfo that was encrypted with a PBE
* algorithm. The algorithm and its parameters are extracted from

80
jss-PKCS12-FIPS.patch
View File

@ -1,80 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix 2011-08-15 15:39:56.633158000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-08-15 20:43:34.947749000 -0700
@@ -239,40 +239,47 @@ print_secitem(SECItem *item) {
* TokenException if an error occurs.
*/
static PK11SymKey*
-constructSHA1PBAKey(JNIEnv *env, SECItem *pwitem, SECItem *salt,
+constructSHA1PBAKey(JNIEnv *env, PK11SlotInfo *slot, SECItem *pwitem, SECItem *salt,
int iterationCount)
{
- PBEBitGenContext* pbeCtxt=NULL;
- SECItem *keyBits=NULL;
PK11SymKey *key=NULL;
- pbeCtxt = PBE_CreateContext( SEC_OID_SHA1, pbeBitGenIntegrityKey,
- pwitem, salt, 160 /* SHA1 key length */, iterationCount);
- if( pbeCtxt == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to create PBE context");
+ unsigned char ivData[8];
+ SECItem mechItem;
+ CK_PBE_PARAMS pbe_params;
+
+ if( pwitem == NULL ) {
+ JSS_throwMsg(env, TOKEN_EXCEPTION,
+ "constructSHA1PAKey:"
+ " pwitem NULL");
goto finish;
}
-
- keyBits = PBE_GenerateBits(pbeCtxt);
- if( keyBits == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to generate bits from"
- "PBE context");
+ if( salt == NULL ) {
+ JSS_throwMsg(env, TOKEN_EXCEPTION,
+ "constructSHA1PAKey:"
+ " salt NULL");
goto finish;
}
- key = PK11_ImportSymKey( PK11_GetInternalSlot(), CKM_SHA_1,
- PK11_OriginGenerated, CKA_SIGN, keyBits, NULL);
+ pbe_params.pInitVector = ivData;
+ pbe_params.pPassword = pwitem->data;
+ pbe_params.ulPasswordLen = pwitem->len;
+ pbe_params.pSalt = salt->data;
+ pbe_params.ulSaltLen = salt->len;
+ pbe_params.ulIteration = iterationCount;
+ mechItem.data = (unsigned char *) &pbe_params;
+ mechItem.len = sizeof(pbe_params);
+
+ key = PK11_RawPBEKeyGen(slot, CKM_PBA_SHA1_WITH_SHA1_HMAC, &mechItem, pwitem, PR_FALSE, NULL);
+
if( key == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to import PBA key from"
- " PBA-generated bits");
+ JSS_throwMsg(env, TOKEN_EXCEPTION,
+ "PK11_RawPBEKeyGen:"
+ " failed to generate key");
goto finish;
}
finish:
- if( pbeCtxt ) {
- PBE_DestroyContext(pbeCtxt);
- }
- /* keyBits == pbeCtxt, so we don't need to free it */
return key;
}
@@ -324,7 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
/* special case, construct key by hand. Bug #336587 */
- skey = constructSHA1PBAKey(env, pwitem, salt, iterationCount);
+ skey = constructSHA1PBAKey(env, slot, pwitem, salt, iterationCount);
if( skey==NULL ) {
/* exception was thrown */
goto finish;

12
jss-RC4-strengh-verify.patch
View File

@ -1,12 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java.nkinderSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java.nkinderSaved 2014-09-26 14:40:03.452845047 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java 2014-09-26 14:41:02.101598146 -0700
@@ -127,7 +127,7 @@ public class KeyGenAlgorithm extends Alg
RC4 = new KeyGenAlgorithm(CKM_RC4_KEY_GEN, "RC4",
new KeyStrengthValidator() {
public boolean isValidKeyStrength(int strength) {
- return true;
+ return strength>=40 && strength <= (256*8);
}
}, null, null);

12
jss-SHA-OID-fix.patch
View File

@ -1,12 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.jn jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.jn 2014-09-10 09:21:52.663959115 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java 2014-09-10 09:22:38.662788747 -0700
@@ -117,7 +117,7 @@ public class OBJECT_IDENTIFIER implement
* The OID space for FIPS-180-2 SHA256/SHA384/SHA512 standardized algorithms.
*/
public static final OBJECT_IDENTIFIER HASH_ALGORITHM =
- new OBJECT_IDENTIFIER( new long[] {2, 16, 840, 1, 101, 3, 4 } );
+ new OBJECT_IDENTIFIER( new long[] {2, 16, 840, 1, 101, 3, 4, 2 } );
/**

204
jss-VerifyCertificate-enhancement.patch
View File

@ -1,204 +0,0 @@
From 3c4ca8a2010889fe292704ebcc8b922f77f2f7c2 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 9 Dec 2015 00:30:50 +0100
Subject: [PATCH] Added verifyCertificate() method.
A new CryptoManager.verifyCertificate() method has been added as
an alternative to isCertValid(). If there is a certificate
validation problem, the method will throw a CertificateValidation
exception that contains the NSS error message and code. The
exception will also provide a stack trace to help troubleshoot
validation issues.
https://fedorahosted.org/pki/ticket/850
---
.../jss/org/mozilla/jss/CryptoManager.java | 54 ++++++++------
mozilla/security/jss/org/mozilla/jss/PK11Finder.c | 83 +++++++++++++++++++---
.../jss/org/mozilla/jss/util/jss_exceptions.h | 2 +
3 files changed, 110 insertions(+), 29 deletions(-)
diff --git a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
index 0a4f59064bfddb42d473022550c24f251719d02b..54ffd8130b0e1f1fca49dd8b130a621e449c7ce7 100644
--- a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
+++ b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
@@ -1515,30 +1515,44 @@ public final class CryptoManager implements TokenSupplier
CertificateUsage certificateUsage)
throws ObjectNotFoundException, InvalidNicknameException
{
- if (nickname==null) {
- throw new InvalidNicknameException("Nickname must be non-null");
- }
- // 0 certificate usage will get current usage
- // should call isCertValid() call above that returns certificate usage
- if ((certificateUsage == null) ||
- (certificateUsage == CertificateUsage.CheckAllUsages)){
- int currCertificateUsage = 0x0000;
- currCertificateUsage = verifyCertificateNowCUNative(nickname,
- checkSig);
+ try {
+ verifyCertificate(nickname, checkSig, certificateUsage);
+ return true;
+
+ } catch (ObjectNotFoundException | InvalidNicknameException e) {
+ throw e;
- if (currCertificateUsage == CertificateUsage.basicCertificateUsages){
- // cert is good for nothing
- return false;
- } else
- return true;
- } else {
- return verifyCertificateNowNative(nickname, checkSig,
- certificateUsage.getUsage());
+ } catch (CertificateException e) {
+ return false;
}
}
- private native boolean verifyCertificateNowNative(String nickname,
- boolean checkSig, int certificateUsage) throws ObjectNotFoundException;
+ /**
+ * Verify a certificate that exists in the given cert database,
+ * check if it's valid and that we trust the issuer. Verify time
+ * against now.
+ * @param nickname nickname of the certificate to verify.
+ * @param checkSig verify the signature of the certificate
+ * @param certificateUsage see certificate usage defined to verify certificate
+ *
+ * @exception InvalidNicknameException If the nickname is null.
+ * @exception ObjectNotFoundException If no certificate could be found
+ * with the given nickname.
+ * @exception CertificateException If certificate is invalid.
+ */
+ public void verifyCertificate(String nickname,
+ boolean checkSig,
+ CertificateUsage certificateUsage)
+ throws ObjectNotFoundException, InvalidNicknameException, CertificateException {
+ int usage = certificateUsage == null ? 0 : certificateUsage.getUsage();
+ verifyCertificateNowNative(nickname, checkSig, usage);
+ }
+
+ private native void verifyCertificateNowNative(
+ String nickname,
+ boolean checkSig,
+ int certificateUsage)
+ throws ObjectNotFoundException, InvalidNicknameException, CertificateException;
/**
* note: this method calls obsolete function in NSS
diff --git a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
index 8c7f0b4c05b58527a41cac140dbb5dc30578570f..4986478ffc860e145cd31e41c2880fcc2b5e007e 100644
--- a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
+++ b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
@@ -1667,21 +1667,86 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
/***********************************************************************
* CryptoManager.verifyCertificateNowNative
*
- * Returns JNI_TRUE if success, JNI_FALSE otherwise
+ * Verify a certificate that exists in the given cert database,
+ * check if it's valid and that we trust the issuer. Verify time
+ * against now.
+ * @param nickname nickname of the certificate to verify.
+ * @param checkSig verify the signature of the certificate
+ * @param certificateUsage see certificate usage defined to verify certificate
+ *
+ * @exception InvalidNicknameException If the nickname is null.
+ * @exception ObjectNotFoundException If no certificate could be found
+ * with the given nickname.
+ * @exception CertificateException If certificate is invalid.
*/
-JNIEXPORT jboolean JNICALL
+JNIEXPORT void JNICALL
Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
+ jobject self, jstring nickString, jboolean checkSig, jint certificateUsage)
{
- SECStatus rv = SECFailure;
SECCertificateUsage currUsage = 0x0000;
+ SECStatus rv = SECFailure;
+ CERTCertificate *cert = NULL;
+ char *nickname = NULL;
- rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
+ if (nickString == NULL) {
+ JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
+ goto finish;
+ }
- if( rv == SECSuccess) {
- return JNI_TRUE;
- } else {
- return JNI_FALSE;
+ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
+
+ if (nickname == NULL) {
+ JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
+ goto finish;
+ }
+
+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
+
+ if (cert == NULL) {
+ char *msgBuf;
+ msgBuf = PR_smprintf("Certificate not found: %s", nickname);
+ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, msgBuf);
+ PR_Free(msgBuf);
+ goto finish;
+ }
+
+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
+ * retrieve the current valid usage into currUsage
+ */
+ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
+ checkSig, certificateUsage, NULL, &currUsage);
+
+ if (rv != SECSuccess) {
+ JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Invalid certificate");
+ goto finish;
+ }
+
+ if ((certificateUsage == 0x0000) &&
+ (currUsage ==
+ ( certUsageUserCertImport |
+ certUsageVerifyCA |
+ certUsageProtectedObjectSigner |
+ certUsageAnyCA ))) {
+
+ /* The certificate is good for nothing.
+ * The following usages cannot be verified:
+ * certUsageAnyCA
+ * certUsageProtectedObjectSigner
+ * certUsageUserCertImport
+ * certUsageVerifyCA
+ * (0x0b80)
+ */
+
+ JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Unusable certificate");
+ goto finish;
+ }
+
+finish:
+ if (nickname != NULL) {
+ (*env)->ReleaseStringUTFChars(env, nickString, nickname);
+ }
+ if (cert != NULL) {
+ CERT_DestroyCertificate(cert);
}
}
diff --git a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
index 4884928306223ff0699a22e7da33e3d13a904d39..acd329a4ecd3592ebe1d72c7bdac435d84dcae99 100644
--- a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
+++ b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
@@ -79,6 +79,8 @@ PR_BEGIN_EXTERN_C
#define INTERRUPTED_IO_EXCEPTION "java/io/InterruptedIOException"
+#define INVALID_NICKNAME_EXCEPTION "org/mozilla/jss/util/InvalidNicknameException"
+
#define INVALID_KEY_FORMAT_EXCEPTION "org/mozilla/jss/crypto/InvalidKeyFormatException"
#define INVALID_PARAMETER_EXCEPTION "java/security/InvalidParameterException"
--
2.5.0

220
jss-VerifyCertificate.patch
View File

@ -1,220 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-10-20 09:53:10.288935000 -0700
+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-10-29 10:29:48.664212000 -0700
@@ -331,6 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
;+ local:
;+ *;
;+};
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-10-28 16:44:46.366082000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-10-31 17:30:25.502670000 -0700
@@ -61,6 +61,7 @@ import org.mozilla.jss.provider.java.sec
public final class CryptoManager implements TokenSupplier
{
/**
+ * note: this is obsolete in NSS
* CertUsage options for validation
*/
public final static class CertUsage {
@@ -86,8 +87,6 @@ public final class CryptoManager impleme
return name;
}
-
-
// certUsage, these must be kept in sync with nss/lib/certdb/certt.h
public static final CertUsage SSLClient = new CertUsage(0, "SSLClient");
public static final CertUsage SSLServer = new CertUsage(1, "SSLServer");
@@ -103,6 +102,63 @@ public final class CryptoManager impleme
public static final CertUsage AnyCA = new CertUsage(11, "AnyCA");
}
+ /**
+ * CertificateUsage options for validation
+ */
+ public final static class CertificateUsage {
+ private int usage;
+ private String name;
+
+ // certificateUsage, these must be kept in sync with nss/lib/certdb/certt.h
+ private static final int certificateUsageCheckAllUsages = 0x0000;
+ private static final int certificateUsageSSLClient = 0x0001;
+ private static final int certificateUsageSSLServer = 0x0002;
+ private static final int certificateUsageSSLServerWithStepUp = 0x0004;
+ private static final int certificateUsageSSLCA = 0x0008;
+ private static final int certificateUsageEmailSigner = 0x0010;
+ private static final int certificateUsageEmailRecipient = 0x0020;
+ private static final int certificateUsageObjectSigner = 0x0040;
+ private static final int certificateUsageUserCertImport = 0x0080;
+ private static final int certificateUsageVerifyCA = 0x0100;
+ private static final int certificateUsageProtectedObjectSigner = 0x0200;
+ private static final int certificateUsageStatusResponder = 0x0400;
+ private static final int certificateUsageAnyCA = 0x0800;
+
+ static private ArrayList list = new ArrayList();
+ private CertificateUsage() {};
+ private CertificateUsage(int usage, String name) {
+ this.usage = usage;
+ this.name = name;
+ this.list.add(this);
+
+ }
+ public int getUsage() {
+ return usage;
+ }
+
+ static public Iterator getCertificateUsages() {
+ return list.iterator();
+
+ }
+ public String toString() {
+ return name;
+ }
+
+ public static final CertificateUsage CheckAllUsages = new CertificateUsage(certificateUsageCheckAllUsages, "CheckAllUsages");
+ public static final CertificateUsage SSLClient = new CertificateUsage(certificateUsageSSLClient, "SSLClient");
+ public static final CertificateUsage SSLServer = new CertificateUsage(certificateUsageSSLServer, "SSLServer");
+ public static final CertificateUsage SSLServerWithStepUp = new CertificateUsage(certificateUsageSSLServerWithStepUp, "SSLServerWithStepUp");
+ public static final CertificateUsage SSLCA = new CertificateUsage(certificateUsageSSLCA, "SSLCA");
+ public static final CertificateUsage EmailSigner = new CertificateUsage(certificateUsageEmailSigner, "EmailSigner");
+ public static final CertificateUsage EmailRecipient = new CertificateUsage(certificateUsageEmailRecipient, "EmailRecipient");
+ public static final CertificateUsage ObjectSigner = new CertificateUsage(certificateUsageObjectSigner, "ObjectSigner");
+ public static final CertificateUsage UserCertImport = new CertificateUsage(certificateUsageUserCertImport, "UserCertImport");
+ public static final CertificateUsage VerifyCA = new CertificateUsage(certificateUsageVerifyCA, "VerifyCA");
+ public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
+ public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
+ public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
+ }
+
public final static class NotInitializedException extends Exception {}
public final static class NicknameConflictException extends Exception {}
public final static class UserCertConflictException extends Exception {}
@@ -1386,6 +1442,7 @@ public final class CryptoManager impleme
}
return tok;
}
+
/////////////////////////////////////////////////////////////
// isCertValid
/////////////////////////////////////////////////////////////
@@ -1395,6 +1452,39 @@ public final class CryptoManager impleme
* against Now.
* @param nickname The nickname of the certificate to verify.
* @param checkSig verify the signature of the certificate
+ * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
+ * @return true for success; false otherwise
+ *
+ * @exception InvalidNicknameException If the nickname is null
+ * @exception ObjectNotFoundException If no certificate could be found
+ * with the given nickname.
+ */
+
+ public boolean isCertValid(String nickname, boolean checkSig,
+ CertificateUsage certificateUsage)
+ throws ObjectNotFoundException, InvalidNicknameException
+ {
+ if (nickname==null) {
+ throw new InvalidNicknameException("Nickname must be non-null");
+ }
+ // 0 certificate usage was supposed to get current usage, however,
+ // it is not exposed at this point
+ return verifyCertificateNowNative(nickname,
+ checkSig,
+ (certificateUsage == null) ? 0:certificateUsage.getUsage());
+ }
+
+ private native boolean verifyCertificateNowNative(String nickname,
+ boolean checkSig, int certificateUsage) throws ObjectNotFoundException;
+
+ /**
+ * note: this method calls obsolete function in NSS
+ *
+ * Verify a certificate that exists in the given cert database,
+ * check if is valid and that we trust the issuer. Verify time
+ * against Now.
+ * @param nickname The nickname of the certificate to verify.
+ * @param checkSig verify the signature of the certificate
* @param certUsage see exposed certUsage defines to verify Certificate
* @return true for success; false otherwise
*
@@ -1413,6 +1503,9 @@ public final class CryptoManager impleme
return verifyCertNowNative(nickname, checkSig, certUsage.getUsage());
}
+ /*
+ * Obsolete in NSS
+ */
private native boolean verifyCertNowNative(String nickname,
boolean checkSig, int cUsage) throws ObjectNotFoundException;
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-10-28 16:45:46.501899000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-10-31 17:25:53.575482000 -0700
@@ -1575,11 +1575,62 @@ finish:
}
/***********************************************************************
- * CryptoManager.verifyCertNowNative
+ * CryptoManager.verifyCertificateNowNative
*
* Returns JNI_TRUE if success, JNI_FALSE otherwise
*/
JNIEXPORT jboolean JNICALL
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
+ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
+{
+ SECStatus rv = SECFailure;
+ SECCertificateUsage certificateUsage;
+ SECCertificateUsage currUsage; /* unexposed for now */
+ CERTCertificate *cert=NULL;
+ char *nickname=NULL;
+
+ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
+ if( nickname == NULL ) {
+ goto finish;
+ }
+
+ certificateUsage = required_certificateUsage;
+
+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
+
+ if (cert == NULL) {
+ JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
+ goto finish;
+ } else {
+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
+ * just get the current usage (which we are not passing back for now
+ * but will bypass the certificate usage check
+ */
+ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
+ checkSig, certificateUsage, NULL, &currUsage );
+ }
+
+finish:
+ if(nickname != NULL) {
+ (*env)->ReleaseStringUTFChars(env, nickString, nickname);
+ }
+ if(cert != NULL) {
+ CERT_DestroyCertificate(cert);
+ }
+ if( rv == SECSuccess) {
+ return JNI_TRUE;
+ } else {
+ return JNI_FALSE;
+ }
+}
+
+
+/***********************************************************************
+ * CryptoManager.verifyCertNowNative
+ * note: this calls obsolete NSS function
+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
+ */
+JNIEXPORT jboolean JNICALL
Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env,
jobject self, jstring nickString, jboolean checkSig, jint cUsage)
{

227
jss-VerifyCertificateReturnCU.patch
View File

@ -1,227 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-12-21 12:35:04.360044000 -0800
+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-12-21 12:36:05.364105000 -0800
@@ -332,6 +332,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
;+ local:
;+ *;
;+};
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-12-21 12:36:24.417124000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-12-21 12:43:54.777575000 -0800
@@ -157,6 +157,19 @@ public final class CryptoManager impleme
public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
+
+ /*
+ The folllowing usages cannot be verified:
+ certUsageAnyCA
+ certUsageProtectedObjectSigner
+ certUsageUserCertImport
+ certUsageVerifyCA
+ */
+ public static final int basicCertificateUsages = /*0x0b80;*/
+ certificateUsageUserCertImport |
+ certificateUsageVerifyCA |
+ certificateUsageProtectedObjectSigner |
+ certificateUsageAnyCA ;
}
public final static class NotInitializedException extends Exception {}
@@ -1452,14 +1465,43 @@ public final class CryptoManager impleme
* against Now.
* @param nickname The nickname of the certificate to verify.
* @param checkSig verify the signature of the certificate
- * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
- * @return true for success; false otherwise
+ * @return currCertificateUsage which contains current usage bit map as defined in CertificateUsage
*
* @exception InvalidNicknameException If the nickname is null
* @exception ObjectNotFoundException If no certificate could be found
* with the given nickname.
*/
+ public int isCertValid(String nickname, boolean checkSig)
+ throws ObjectNotFoundException, InvalidNicknameException
+ {
+ if (nickname==null) {
+ throw new InvalidNicknameException("Nickname must be non-null");
+ }
+ int currCertificateUsage = 0x0000; // initialize it to 0
+ currCertificateUsage = verifyCertificateNowCUNative(nickname,
+ checkSig);
+ return currCertificateUsage;
+ }
+
+ private native int verifyCertificateNowCUNative(String nickname,
+ boolean checkSig) throws ObjectNotFoundException;
+ /////////////////////////////////////////////////////////////
+ // isCertValid
+ /////////////////////////////////////////////////////////////
+ /**
+ * Verify a certificate that exists in the given cert database,
+ * check if is valid and that we trust the issuer. Verify time
+ * against Now.
+ * @param nickname The nickname of the certificate to verify.
+ * @param checkSig verify the signature of the certificate
+ * @param certificateUsage see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above
+ * @return true for success; false otherwise
+ *
+ * @exception InvalidNicknameException If the nickname is null
+ * @exception ObjectNotFoundException If no certificate could be found
+ * with the given nickname.
+ */
public boolean isCertValid(String nickname, boolean checkSig,
CertificateUsage certificateUsage)
throws ObjectNotFoundException, InvalidNicknameException
@@ -1467,11 +1509,23 @@ public final class CryptoManager impleme
if (nickname==null) {
throw new InvalidNicknameException("Nickname must be non-null");
}
- // 0 certificate usage was supposed to get current usage, however,
- // it is not exposed at this point
- return verifyCertificateNowNative(nickname,
- checkSig,
- (certificateUsage == null) ? 0:certificateUsage.getUsage());
+ // 0 certificate usage will get current usage
+ // should call isCertValid() call above that returns certificate usage
+ if ((certificateUsage == null) ||
+ (certificateUsage == CertificateUsage.CheckAllUsages)){
+ int currCertificateUsage = 0x0000;
+ currCertificateUsage = verifyCertificateNowCUNative(nickname,
+ checkSig);
+
+ if (currCertificateUsage == CertificateUsage.basicCertificateUsages){
+ // cert is good for nothing
+ return false;
+ } else
+ return true;
+ } else {
+ return verifyCertificateNowNative(nickname, checkSig,
+ certificateUsage.getUsage());
+ }
}
private native boolean verifyCertificateNowNative(String nickname,
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-12-21 12:36:29.023129000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-12-21 16:03:34.599742000 -0800
@@ -1574,18 +1574,16 @@ finish:
}
}
+
/***********************************************************************
- * CryptoManager.verifyCertificateNowNative
- *
- * Returns JNI_TRUE if success, JNI_FALSE otherwise
+ * CryptoManager.verifyCertificateNow
*/
-JNIEXPORT jboolean JNICALL
-Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
+SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString,
+ jboolean checkSig, jint required_certificateUsage,
+ SECCertificateUsage *currUsage)
{
SECStatus rv = SECFailure;
SECCertificateUsage certificateUsage;
- SECCertificateUsage currUsage; /* unexposed for now */
CERTCertificate *cert=NULL;
char *nickname=NULL;
@@ -1602,12 +1600,28 @@ Java_org_mozilla_jss_CryptoManager_verif
JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
goto finish;
} else {
- /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
- * just get the current usage (which we are not passing back for now
- * but will bypass the certificate usage check
+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
+ * retrieve the current valid usage into currUsage
*/
rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
- checkSig, certificateUsage, NULL, &currUsage );
+ checkSig, certificateUsage, NULL, currUsage );
+ if ((rv == SECSuccess) && certificateUsage == 0x0000) {
+ if (*currUsage ==
+ ( certUsageUserCertImport |
+ certUsageVerifyCA |
+ certUsageProtectedObjectSigner |
+ certUsageAnyCA )) {
+
+ /* the cert is good for nothing
+ The folllowing usages cannot be verified:
+ certUsageAnyCA
+ certUsageProtectedObjectSigner
+ certUsageUserCertImport
+ certUsageVerifyCA
+ (0x0b80) */
+ rv =SECFailure;
+ }
+ }
}
finish:
@@ -1617,6 +1631,49 @@ finish:
if(cert != NULL) {
CERT_DestroyCertificate(cert);
}
+
+ return rv;
+}
+
+/***********************************************************************
+ * CryptoManager.verifyCertificateNowCUNative
+ *
+ * Returns jint which contains bits in SECCertificateUsage that reflects
+ * the cert usage(s) that the cert is good for
+ * if the cert is good for nothing, returned value is
+ * (0x0b80):
+ * certUsageUserCertImport |
+ * certUsageVerifyCA |
+ * certUsageProtectedObjectSigner |
+ * certUsageAnyCA
+ */
+JNIEXPORT jint JNICALL
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
+ jobject self, jstring nickString, jboolean checkSig)
+{
+ SECStatus rv = SECFailure;
+ SECCertificateUsage currUsage = 0x0000;
+
+ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);
+ /* rv is ignored */
+
+ return currUsage;
+}
+
+/***********************************************************************
+ * CryptoManager.verifyCertificateNowNative
+ *
+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
+ */
+JNIEXPORT jboolean JNICALL
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
+ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
+{
+ SECStatus rv = SECFailure;
+ SECCertificateUsage currUsage = 0x0000;
+
+ rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
+
if( rv == SECSuccess) {
return JNI_TRUE;
} else {
@@ -1624,7 +1681,6 @@ finish:
}
}
-
/***********************************************************************
* CryptoManager.verifyCertNowNative
* note: this calls obsolete NSS function

32
jss-WindowsCompileFix.patch
View File

@ -1,32 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfu 2015-04-23 13:25:45.104249135 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2015-04-23 13:39:29.958813779 -0700
@@ -49,10 +49,12 @@
#ifdef WINNT
#include <private/pprio.h>
+#define AF_INET6 23
#endif
#ifdef WIN32
#include <winsock.h>
+#define AF_INET6 23
#endif
@@ -66,6 +68,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_setSS
{
SECStatus status;
SSLVersionRange vrange;
+ SSLVersionRange supported_range;
if (ssl_variant <0 || ssl_variant >= JSSL_enums_size||
min <0 || min >= JSSL_enums_size ||
@@ -80,7 +83,6 @@ Java_org_mozilla_jss_ssl_SSLSocket_setSS
vrange.max = JSSL_enums[max];
/* get supported range */
- SSLVersionRange supported_range;
status = SSL_VersionRangeGetSupported(JSSL_enums[ssl_variant],
&supported_range);
if( status != SECSuccess ) {

30
jss-WindowsLoadLibrary.patch
View File

@ -1,30 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.cfu 2015-07-08 12:02:13.192000000 +0200
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2015-07-08 12:04:56.213000000 +0200
@@ -1404,17 +1404,23 @@ public final class CryptoManager impleme
synchronized static void loadNativeLibraries()
{
if( ! mNativeLibrariesLoaded ) {
- try {
+ try { // 64 bit rhel/fedora
System.load( "/usr/lib64/jss/libjss4.so" );
Debug.trace(Debug.VERBOSE, "jss library loaded");
mNativeLibrariesLoaded = true;
} catch( UnsatisfiedLinkError e ) {
- try {
+ try { // 32 bit rhel/fedora
System.load( "/usr/lib/jss/libjss4.so" );
Debug.trace(Debug.VERBOSE, "jss library loaded");
mNativeLibrariesLoaded = true;
} catch( UnsatisfiedLinkError f ) {
- Debug.trace(Debug.VERBOSE, "jss library load failed");
+ try {// possibly other platforms
+ System.loadLibrary( "jss4" );
+ Debug.trace(Debug.VERBOSE, "jss library loaded");
+ mNativeLibrariesLoaded = true;
+ } catch( UnsatisfiedLinkError g ) {
+ Debug.trace(Debug.VERBOSE, "jss library load failed");
+ }
}
}
}

27
jss-bad-error-string-pointer.patch
View File

@ -1,27 +0,0 @@
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.c 2010-11-17 18:54:56.000000000 -0500
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.c 2010-11-18 09:46:34.000000000 -0500
@@ -124,20 +124,16 @@
/* Clean up after PR_interrupt. */
PR_NT_CancelIo(sock->fd);
#endif
- JSSL_throwSSLSocketException(env,
- "Accept operation interrupted with error code " + err);
+ JSSL_throwSSLSocketException(env, "Accept operation interrupted");
} else if( err == PR_IO_TIMEOUT_ERROR ) {
#ifdef WINNT
PR_NT_CancelIo(sock->fd);
#endif
- JSSL_throwSSLSocketException(env,
- "Accept operation timed out with error code " + err);
+ JSSL_throwSSLSocketException(env, "Accept operation timed out");
} else if( err == PR_IO_ERROR ) {
- JSSL_throwSSLSocketException(env,
- "Accept operation received IO error with error code " + err);
+ JSSL_throwSSLSocketException(env, "Accept operation received IO error");
} else {
- JSSL_throwSSLSocketException(env,
- "Accept operation failed with error code " + err);
+ JSSL_throwSSLSocketException(env, "Accept operation failed");
}
goto finish;
}

33
jss-crmf-envelopedData.patch
View File

@ -1,33 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java.roysjosh jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java.roysjosh 2016-06-24 14:51:48.929122053 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java 2016-06-24 14:52:29.487027005 -0700
@@ -127,7 +127,8 @@ public class EncryptedKey implements ASN
} else {
Assert._assert(type == ENVELOPED_DATA);
Assert._assert(envelopedData != null);
- envelopedData.encode(implicitTag, ostream);
+ EXPLICIT explicit = new EXPLICIT( new Tag(0), envelopedData );
+ explicit.encode(tag, ostream);
}
}
@@ -147,7 +148,9 @@ public class EncryptedKey implements ASN
choicet = new CHOICE.Template();
choicet.addElement( EncryptedValue.getTemplate() );
- choicet.addElement( new Tag(0), ANY.getTemplate() );
+ choicet.addElement( new EXPLICIT.Template(
+ new Tag(0),
+ ANY.getTemplate() ));
}
public boolean tagMatch(Tag tag) {
@@ -164,7 +167,7 @@ public class EncryptedKey implements ASN
return new EncryptedKey( (EncryptedValue) choice.getValue() );
} else {
Assert._assert( choice.getTag().equals(new Tag(0)) );
- return new EncryptedKey( (ANY) choice.getValue() );
+ return new EncryptedKey( (ANY) ((EXPLICIT) choice.getValue()).getContent() );
}
} catch(InvalidBERException e) {

641
jss-eliminate-java-compiler-warnings.patch
View File

@ -1,641 +0,0 @@
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2011-08-10 16:21:30.837765000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2011-08-12 13:13:34.449664000 -0700
@@ -1125,7 +1125,7 @@ public final class CryptoManager impleme
* Imports a single certificate into the permanent certificate
* database.
*
- * @param derCert the certificate you want to add
+ * @param cert the certificate you want to add
* @param nickname the nickname you want to refer to the certificate as
* (must not be null)
*/
@@ -1391,11 +1391,11 @@ public final class CryptoManager impleme
public static final String
JAR_JDK_VERSION = "JDK_VERSION = N/A";
public static final String
- JAR_NSS_VERSION = "NSS_VERSION = NSS_3_11_9_RTM";
+ JAR_NSS_VERSION = "NSS_VERSION = N/A";
public static final String
JAR_DBM_VERSION = "DBM_VERSION = N/A";
public static final String
- JAR_NSPR_VERSION = "NSPR_VERSION = NSPR_4_7_RTM";
+ JAR_NSPR_VERSION = "NSPR_VERSION = N/A";
/**
* Loads the JSS dynamic library if necessary.
@@ -1433,8 +1433,8 @@ public final class CryptoManager impleme
* this thread's token to <tt>null</tt> will also cause the
* InternalKeyStorageToken to be used.
*
- * @param The token to use for crypto operations. Specifying <tt>null</tt>
- * will cause the InternalKeyStorageToken to be used.
+ * @param token The token to use for crypto operations. Specifying
+ * <tt>null</tt> will cause the InternalKeyStorageToken to be used.
*/
public void setThreadToken(CryptoToken token) {
if( token != null ) {
@@ -1579,7 +1579,7 @@ public final class CryptoManager impleme
* Verify a certificate in memory. Check if
* valid and that we trust the issuer. Verify time
* against Now.
- * @param certificate in memory
+ * @param certPackage certificate in memory
* @param checkSig verify the signature of the certificate
* @param certUsage see exposed certUsage defines to verify Certificate
* @return true for success; false otherwise
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java 2011-08-10 17:29:33.476661000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java 2011-08-12 11:00:26.456852000 -0700
@@ -51,7 +51,7 @@ public final class JSSProvider extends j
private static int JSS_MAJOR_VERSION = 4;
private static int JSS_MINOR_VERSION = 2;
- private static int JSS_PATCH_VERSION = 5;
+ private static int JSS_PATCH_VERSION = 6;
private static double JSS_VERSION = JSS_MAJOR_VERSION +
(JSS_MINOR_VERSION * 100 +
JSS_PATCH_VERSION)/10000.0;
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2004-04-25 08:02:21.000000000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2011-08-12 13:10:50.781827000 -0700
@@ -144,8 +144,8 @@ public abstract class Cipher {
* <i>B</i> is the block size, the padding string consists of
* <i>B</i> - (<i>M</i> mod <i>B</i>) octets, each having the value
* <i>B</i> - (<i>M</i> mod <i>B</i>).
- * @param The block size of the encryption algorithm. Must be greater
- * than zero.
+ * @param blockSize The block size of the encryption algorithm.
+ * Must be greater than zero.
* @see #unPad
*/
public static byte[]
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2007-11-09 16:37:56.000000000 -0800
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2011-08-12 11:07:20.326438000 -0700
@@ -194,7 +194,7 @@ public interface CryptoToken {
* Login to the token. If a token is logged in, it will not trigger
* password callbacks.
*
- * @param password The password for this token.
+ * @param pwcb The password callback for this token.
* @exception IncorrectPasswordException If the supplied password is
* incorrect.
* @see #setLoginMode
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2004-04-25 08:02:21.000000000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2011-08-12 11:08:37.747360000 -0700
@@ -88,7 +88,7 @@ public abstract class JSSMessageDigest {
* Completes digestion.
*
* @return The, ahem, output of the digest operation.
- * @param If an error occurs while digesting.
+ * @exception DigestException If an error occurs while digesting.
*/
public byte[] digest() throws DigestException {
byte[] output = new byte[getOutputSize()];
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java 2004-04-25 08:02:21.000000000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java 2011-08-12 11:09:41.345296000 -0700
@@ -60,7 +60,7 @@ public class PBEKeyGenParams implements
* Must not be null. It is the responsibility of the caller to
* use the right salt length for the algorithm. Most algorithms
* use 8 bytes of salt.
- * @param The iteration count for the PBE algorithm.
+ * @param iterations The iteration count for the PBE algorithm.
*/
public PBEKeyGenParams(Password pass, byte[] salt, int iterations) {
if(pass==null || salt==null) {
@@ -80,7 +80,7 @@ public class PBEKeyGenParams implements
* Must not be null. It is the responsibility of the caller to
* use the right salt length for the algorithm. Most algorithms
* use 8 bytes of salt.
- * @param The iteration count for the PBE algorithm.
+ * @param iterations The iteration count for the PBE algorithm.
*/
public PBEKeyGenParams(char[] pass, byte[] salt, int iterations) {
if(pass==null || salt==null) {
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2007-11-09 16:37:57.000000000 -0800
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-08-12 11:13:51.807047000 -0700
@@ -228,8 +228,8 @@ public final class PK11Token implements
* Initialize PIN. This sets the user's new PIN, using the current
* security officer PIN for authentication.
*
- * @param ssopw The security officer's current password.
- * @param userpw The user's new password.
+ * @param ssopwcb The security officer's current password callback.
+ * @param userpwcb The user's new password callback.
* @exception IncorrectPinException If the security officer PIN is
* incorrect.
* @exception TokenException If the PIN was already initialized,
@@ -322,8 +322,8 @@ public final class PK11Token implements
* Change password. This changes the user's PIN after it has already
* been initialized.
*
- * @param oldPIN The user's old PIN.
- * @param newPIN The new PIN.
+ * @param oldPINcb The user's old PIN callback.
+ * @param newPINcb The new PIN callback.
* @exception IncorrectPasswordException If the old PIN is incorrect.
* @exception TokenException If some other error occurs on the token.
*
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java 2005-09-22 10:58:35.000000000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java 2011-08-12 11:14:44.011995000 -0700
@@ -288,7 +288,7 @@ public final class SafeBag implements AS
* as the nickname of the associated cert.
* @param localKeyID The localKeyID for the key; should be the same as
* the localKeyID of the associated cert.
- * @param The password used to encrypt the private key.
+ * @param password The password used to encrypt the private key.
*/
public static SafeBag
createEncryptedPrivateKeyBag(PrivateKeyInfo privk, String friendlyName,
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java 2004-04-25 08:02:23.000000000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java 2011-08-12 11:12:13.957145000 -0700
@@ -430,7 +430,6 @@ public class SignerInfo implements ASN1V
* SignerInfo.
* @param contentType The type of the content that is signed by this
* SignerInfo.
- * @param pubkey The public key to use to verify the signature.
* @exception NoSuchObjectException If no certificate matching the
* the issuer name and serial number can be found.
*/
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java 2004-11-18 14:56:11.000000000 -0800
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java 2011-08-12 11:20:39.240639000 -0700
@@ -108,7 +108,7 @@ public class CMCStatusInfo implements AS
* @param status A CMCStatus constant.
* @param bodyList The sequence of bodyPartID.
* @param statusString A String.
- * @param OtherInfo The OtherInfo choice.
+ * @param otherInfo The OtherInfo choice.
*/
public CMCStatusInfo(int status, SEQUENCE bodyList, String
statusString, OtherInfo otherInfo) {
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java 2006-05-23 20:18:17.000000000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java 2011-08-12 11:21:27.389591000 -0700
@@ -88,7 +88,6 @@ public class PKIStatusInfo implements AS
/**
* Create a PKIStatusInfo with no failure info.
* @param status A PKIStatus constant.
- * @param failInfo The bitwise AND of the PKIFailureInfo constants.
*/
public PKIStatusInfo(int status) {
this.status = new INTEGER(status);
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java 2004-04-25 08:02:26.000000000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java 2011-08-12 11:20:11.194667000 -0700
@@ -115,10 +115,6 @@ public class DirectoryString implements
/**
* Converts an ASN.1 DirectoryString to a Java string.
- *
- * @param dirstr An ANY containing a BER-encoded DirectoryString.
- * @exception InvalidBERException If the encoding does not contain a
- * valid DirectoryString.
*/
public String toString() {
return asn1String.toString();
@@ -176,6 +172,8 @@ public class DirectoryString implements
/**
* @param implicitTag <b>This paramter is ignored</b>, because
* DirectoryStrings (being CHOICEs) cannot have implicit tags.
+ * @exception InvalidBERException If the encoding does not contain a
+ * valid DirectoryString.
*/
public ASN1Value decode(Tag implicitTag, InputStream istream)
throws IOException, InvalidBERException
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java 2003-04-28 14:48:33.000000000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java 2011-08-12 10:58:39.589958000 -0700
@@ -91,14 +91,18 @@ class JSSSecretKeyFactorySpi extends Sec
// versions is to use the reflection API.
Class specClass = spec.getClass();
try {
- Method getSaltMethod = specClass.getMethod("getSalt", null);
+ Method getSaltMethod = specClass.getMethod("getSalt",
+ (java.lang.Class) null);
Method getIterationMethod =
- specClass.getMethod("getIterationCount", null);
+ specClass.getMethod("getIterationCount",
+ (java.lang.Class) null);
- byte[] salt = (byte[]) getSaltMethod.invoke(spec, null);
+ byte[] salt = (byte[]) getSaltMethod.invoke(spec,
+ (java.lang.Class) null);
Integer itCountObj =
- (Integer) getIterationMethod.invoke(spec,null);
+ (Integer) getIterationMethod.invoke(spec,
+ (java.lang.Class) null);
int iterationCount = itCountObj.intValue();
Password pass = new Password(spec.getPassword());
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2011-08-10 16:21:30.412765000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2011-08-12 11:47:38.385021000 -0700
@@ -182,11 +182,11 @@ public class SSLSocket extends java.net.
}
/**
- * Creates an SSL client socket and connects to the specified host and
+ * Creates an SSL client socket and connects to the specified address and
* port. Binds to the given local address and port. Installs the given
* callbacks for certificate approval and client certificate selection.
*
- * @param host The hostname to connect to.
+ * @param address The IP address to connect to.
* @param port The port to connect to.
* @param localAddr The local address to bind to. It can be null, in which
* case an unspecified local address will be chosen.
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java 2006-02-23 08:47:17.000000000 -0800
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java 2011-08-12 13:11:11.790805000 -0700
@@ -96,7 +96,7 @@ public class HMACTest {
/**
* Main test method.
- * @params args[]
+ * @param argv
*/
public static void main(String []argv) {
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2011-08-10 16:21:30.337766000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2011-08-12 11:53:56.192644000 -0700
@@ -116,9 +116,9 @@ public class JCASymKeyGen {
}
/**
*
- * @param key
- * @param kg
- * @return
+ * @param keyType
+ * @param provider
+ * @return javax.crypto.SecretKey key
*/
public javax.crypto.SecretKey genSecretKey(String keyType, String provider){
javax.crypto.SecretKey key = null;
@@ -155,7 +155,7 @@ public class JCASymKeyGen {
*
* @param keyType
* @param provider
- * @return
+ * @return javax.crypto.SecretKey key
*/
public javax.crypto.SecretKey genPBESecretKey(String keyType,
String provider){
@@ -197,8 +197,10 @@ public class JCASymKeyGen {
/**
*
* @param sKey
- * @param AlgType
- * @param provider
+ * @param algFamily
+ * @param algType
+ * @param providerForEncrypt
+ * @param providerForDecrypt
*/
public void testCipher(javax.crypto.SecretKey sKey, String algFamily,
String algType, String providerForEncrypt, String providerForDecrypt)
@@ -304,8 +306,10 @@ public class JCASymKeyGen {
/**
*
* @param sKey
- * @param AlgType
- * @param provider
+ * @param algFamily
+ * @param algType
+ * @param providerForEncrypt
+ * @param providerForDecrypt
*/
public void testMultiPartCipher(javax.crypto.SecretKey sKey, String algFamily,
String algType, String providerForEncrypt, String providerForDecrypt)
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java 2007-11-15 13:30:19.000000000 -0800
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java 2011-08-12 12:56:15.480701000 -0700
@@ -78,7 +78,7 @@ public class JSSE_SSLClient {
/**
* Set the protocol type and revision
- * @param String sslRevision
+ * @param fSslRevision
*/
public void setSslRevision(String fSslRevision) {
@@ -91,7 +91,7 @@ public class JSSE_SSLClient {
/**
* Set the host name to connect to.
- * @param String hostname
+ * @param fHost
*/
public void setHost(String fHost) {
this.host = fHost;
@@ -99,7 +99,7 @@ public class JSSE_SSLClient {
/**
* Set the port number to connect to.
- * @param int portnumber
+ * @param fPort
*/
public void setPort(int fPort) {
this.port = fPort;
@@ -107,7 +107,7 @@ public class JSSE_SSLClient {
/**
* Set the cipher suite name to use.
- * @param String cipherSuiteName
+ * @param fCipherSuite
*/
public void setCipherSuite(String fCipherSuite) {
this.cipherName = fCipherSuite;
@@ -115,7 +115,7 @@ public class JSSE_SSLClient {
/**
* Set the location of rsa.pfx
- * @param String fKeystoreLoc
+ * @param fKeystoreLoc
*/
public void setKeystoreLoc(String fKeystoreLoc) {
keystoreLoc = fKeystoreLoc + "/" + keystoreLoc;
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java 2007-11-15 13:30:19.000000000 -0800
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java 2011-08-12 12:57:18.987637000 -0700
@@ -75,7 +75,7 @@ public class JSSE_SSLServer {
/**
* Set the provider to use.
- * @param String p
+ * @param p
*/
public void setProvider(String p) {
provider = p;
@@ -90,7 +90,7 @@ public class JSSE_SSLServer {
}
/**
* Set the location of keystore file.
- * @param String fconfigDir
+ * @param fconfigDir
*/
public void setKeystore(String fconfigDir) {
configDir = fconfigDir;
@@ -117,7 +117,7 @@ public class JSSE_SSLServer {
/**
* Start SSLServer and accept connections.
- * @param args[]
+ * @param args
*/
public void startSSLServer(String[] args) throws Exception {
String configDir = "";
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java 2005-08-11 11:28:59.000000000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java 2011-08-12 12:50:45.946239000 -0700
@@ -79,7 +79,7 @@ public class JSS_FileUploadClient {
/**
* Initialize the desired cipher to be set
* on the socket.
- * @param int Cipher
+ * @param aCipher
*/
public void setCipher(int aCipher) {
fCipher = aCipher;
@@ -87,7 +87,7 @@ public class JSS_FileUploadClient {
/**
* Initialize the hostname to run the server
- * @param String ServerName
+ * @param aHostName
*/
public void setHostName(String aHostName) {
serverHost = aHostName;
@@ -95,7 +95,7 @@ public class JSS_FileUploadClient {
/**
* Initialize the port to run the server
- * @param int port
+ * @param aPort
*/
public void setPort(int aPort) {
port = aPort;
@@ -103,7 +103,7 @@ public class JSS_FileUploadClient {
/**
* Initialize the passwords file name
- * @param String passwords
+ * @param aPasswordFile
*/
public void setPasswordFile(String aPasswordFile) {
fPasswordFile = aPasswordFile;
@@ -111,7 +111,7 @@ public class JSS_FileUploadClient {
/**
* Initialize the cert db path name
- * @param String CertDbPath
+ * @param aCertDbPath
*/
public void setCertDbPath(String aCertDbPath) {
fCertDbPath = aCertDbPath;
@@ -120,7 +120,7 @@ public class JSS_FileUploadClient {
/**
* Initialize the name of the file to
* be used for testing along with full path.
- * @param String UploadFile
+ * @param aUploadFile
*/
public void setUploadFile(String aUploadFile) {
fUploadFile = aUploadFile;
@@ -128,7 +128,7 @@ public class JSS_FileUploadClient {
/**
* Enable/disable Test Cert Callback.
- * @param boolean
+ * @param aTestCertCallback
*/
public void setTestCertCallback(boolean aTestCertCallback) {
TestCertCallBack = aTestCertCallback;
@@ -136,7 +136,7 @@ public class JSS_FileUploadClient {
/**
* Set client certificate
- * @param String Certificate Nick Name
+ * @param aClientCertNick Certificate Nick Name
*/
public void setClientCertNick(String aClientCertNick) {
clientCertNick = aClientCertNick;
@@ -170,7 +170,7 @@ public class JSS_FileUploadClient {
/**
* Set EOF for closinng server socket
- * @param null for closing server socket
+ * @param fEof null for closing server socket
*/
public void setEOF(String fEof) {
this.EOF = fEof;
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java 2007-08-20 17:07:58.000000000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java 2011-08-12 12:54:46.978789000 -0700
@@ -99,7 +99,7 @@ public class JSS_SSLClient {
/**
* Initialize the desired cipher to be set
* on the socket.
- * @param int Cipher
+ * @param aCipher
*/
public void setCipher(int aCipher) {
fCipher = aCipher;
@@ -107,7 +107,7 @@ public class JSS_SSLClient {
/**
* Initialize the hostname to run the server
- * @param String ServerName
+ * @param aHostName
*/
public void setHostName(String aHostName) {
serverHost = aHostName;
@@ -115,7 +115,7 @@ public class JSS_SSLClient {
/**
* Initialize the port to run the server
- * @param int port
+ * @param aPort
*/
public void setPort(int aPort) {
port = aPort;
@@ -123,7 +123,7 @@ public class JSS_SSLClient {
/**
* Initialize the passwords file name
- * @param String passwords
+ * @param aPasswordFile
*/
public void setPasswordFile(String aPasswordFile) {
fPasswordFile = aPasswordFile;
@@ -131,7 +131,7 @@ public class JSS_SSLClient {
/**
* Initialize the cert db path name
- * @param String CertDbPath
+ * @param aCertDbPath
*/
public static void setCertDbPath(String aCertDbPath) {
fCertDbPath = aCertDbPath;
@@ -147,7 +147,7 @@ public class JSS_SSLClient {
/**
* Enable/disable Test Cert Callback.
- * @param boolean
+ * @param bypass
*/
public void setBypass(boolean bypass) {
testBypass = bypass;
@@ -155,7 +155,7 @@ public class JSS_SSLClient {
/**
* Enable/disable Test Cert Callback.
- * @param boolean
+ * @param aTestCertCallback
*/
public void setTestCertCallback(boolean aTestCertCallback) {
TestCertCallBack = aTestCertCallback;
@@ -163,7 +163,7 @@ public class JSS_SSLClient {
/**
* Set client certificate
- * @param String Certificate Nick Name
+ * @param aClientCertNick Certificate Nick Name
*/
public void setClientCertNick(String aClientCertNick) {
clientCertNick = aClientCertNick;
@@ -197,7 +197,7 @@ public class JSS_SSLClient {
/**
* Set EOF for closinng server socket
- * @param null for closing server socket
+ * @param fEof null for closing server socket
*/
public void setEOF(String fEof) {
this.EOF = fEof;
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java 2007-11-15 13:30:19.000000000 -0800
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java 2011-08-12 12:52:43.644913000 -0700
@@ -326,7 +326,7 @@ public class JSS_SelfServClient implemen
/**
* Initialize the desired ciphersuite to be set
* on the socket.
- * @param int Cipher
+ * @param aCipher
*/
public void setCipher(int aCipher) {
@@ -378,7 +378,7 @@ public class JSS_SelfServClient implemen
/**
* Initialize the hostname to run the server
- * @param String ServerName
+ * @param aHostName
*/
public void setHostName(String aHostName) {
serverHost = aHostName;
@@ -386,7 +386,7 @@ public class JSS_SelfServClient implemen
/**
* Initialize the port to run the server
- * @param int port
+ * @param aPort
*/
public void setPort(int aPort) {
port = aPort;
@@ -394,7 +394,7 @@ public class JSS_SelfServClient implemen
/**
* Initialize the passwords file name
- * @param String passwords
+ * @param aPasswordFile
*/
public void setPasswordFile(String aPasswordFile) {
fPasswordFile = aPasswordFile;
@@ -402,7 +402,7 @@ public class JSS_SelfServClient implemen
/**
* Initialize the cert db path name
- * @param String CertDbPath
+ * @param aCertDbPath
*/
public void setCertDbPath(String aCertDbPath) {
fCertDbPath = aCertDbPath;
@@ -410,7 +410,7 @@ public class JSS_SelfServClient implemen
/**
* Enable/disable Test Cert Callback.
- * @param boolean
+ * @param aTestCertCallback
*/
public void setTestCertCallback(boolean aTestCertCallback) {
TestCertCallBack = aTestCertCallback;
@@ -418,7 +418,7 @@ public class JSS_SelfServClient implemen
/**
* Set client certificate
- * @param String Certificate Nick Name
+ * @param aClientCertNick Certificate Nick Name
*/
public void setClientCertNick(String aClientCertNick) {
clientCertNick = aClientCertNick;
diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java
--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 2007-08-23 16:21:13.000000000 -0700
+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 2011-08-12 12:58:27.925569000 -0700
@@ -78,7 +78,7 @@ public class SSLClientAuth implements Ru
* @param rand
* @param extensions
* @throws java.lang.Exception
- * @return
+ * @return Certificate
*/
public static Certificate makeCert(String issuerName, String subjectName,
int serialNumber, PrivateKey privKey, PublicKey pubKey, int rand,

621
jss-eliminate-native-compiler-warnings.patch
View File

@ -1,621 +0,0 @@
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-08-10 16:21:30.609765000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-08-11 17:54:57.255176000 -0700
@@ -55,7 +55,7 @@
#include "pk11util.h"
-#if defined(AIX) || defined(HPUX) || defined(LINUX)
+#if defined(AIX) || defined(HPUX)
#include <signal.h>
#endif
@@ -90,11 +90,11 @@ const char * jss_sccsid() {
/********************************************************************/
/* JSS_VERSION from mozilla/security/jss/org/mozilla/jss/util/jssver.h */
-static const char* DLL_JSS_VERSION = "JSS_VERSION = " JSS_VERSION;
+static const char* VARIABLE_MAY_NOT_BE_USED DLL_JSS_VERSION = "JSS_VERSION = " JSS_VERSION;
/* NSS_VERSION from mozilla/security/nss/lib/nss/nss.h */
-static const char* DLL_NSS_VERSION = "NSS_VERSION = " NSS_VERSION;
+static const char* VARIABLE_MAY_NOT_BE_USED DLL_NSS_VERSION = "NSS_VERSION = " NSS_VERSION;
/* NSPR_version from mozilla/nsprpub/pr/include/prinit.h */
-static const char* DLL_NSPR_VERSION = "NSPR_VERSION = " PR_VERSION;
+static const char* VARIABLE_MAY_NOT_BE_USED DLL_NSPR_VERSION = "NSPR_VERSION = " PR_VERSION;
@@ -106,13 +106,13 @@ static char*
getPWFromCallback(PK11SlotInfo *slot, PRBool retry, void *arg);
/*************************************************************
- * AIX, HP, and Linux signal handling madness
+ * AIX and HP signal handling madness
*
* In order for the JVM, kernel, and NSPR to work together, we setup
* a signal handler for SIGCHLD that does nothing. This is only done
- * on AIX, HP, and Linux.
+ * on AIX and HP.
*************************************************************/
-#if defined(AIX) || defined(HPUX) || defined(LINUX)
+#if defined(AIX) || defined(HPUX)
static PRStatus
handleSigChild(JNIEnv *env) {
@@ -333,8 +333,6 @@ Java_org_mozilla_jss_CryptoManager_initi
jboolean initializeJavaOnly )
{
SECStatus rv = SECFailure;
- JavaVM *VMs[5];
- jint numVMs;
char *szConfigDir = NULL;
char *szCertPrefix = NULL;
char *szKeyPrefix = NULL;
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-08-10 16:21:30.849767000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-08-10 18:22:37.887077000 -0700
@@ -263,7 +263,7 @@ JNIEXPORT jobject JNICALL
Java_org_mozilla_jss_CryptoManager_findPrivKeyByCertNative
(JNIEnv *env, jobject this, jobject Cert)
{
- PRThread *pThread;
+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread=NULL;
CERTCertificate *cert;
PK11SlotInfo *slot;
SECKEYPrivateKey *privKey=NULL;
@@ -458,7 +458,7 @@ JNIEXPORT jobjectArray JNICALL
Java_org_mozilla_jss_CryptoManager_buildCertificateChainNative
(JNIEnv *env, jobject this, jobject leafCert)
{
- PRThread *pThread;
+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread=NULL;
CERTCertificate *leaf;
jobjectArray chainArray=NULL;
CERTCertDBHandle *certdb;
@@ -812,7 +812,7 @@ Java_org_mozilla_jss_CryptoManager_impor
SECItem *derCerts=NULL;
int certi= -1;
SECItem theDerCert;
- int numCerts;
+ int numCerts = 0;
jbyte *packageBytes=NULL;
jsize packageLen;
SECStatus status;
@@ -1486,7 +1486,7 @@ Java_org_mozilla_jss_CryptoManager_impor
CERTSignedCrl *crl = NULL;
SECItem *packageItem = NULL;
int status = SECFailure;
- char *url;
+ char *url = NULL;
char *errmsg = NULL;
/***************************************************
@@ -1651,7 +1651,7 @@ JNIEXPORT jint JNICALL
Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
jobject self, jstring nickString, jboolean checkSig)
{
- SECStatus rv = SECFailure;
+ SECStatus VARIABLE_MAY_NOT_BE_USED rv = SECFailure;
SECCertificateUsage currUsage = 0x0000;
rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);
@@ -1736,7 +1736,6 @@ Java_org_mozilla_jss_CryptoManager_verif
SECStatus rv = SECFailure;
SECCertUsage certUsage;
SECItem *derCerts[2];
- SECStatus status;
CERTCertificate **certArray = NULL;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c 2003-12-19 11:36:30.000000000 -0800
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c 2011-08-10 16:58:52.527501000 -0700
@@ -358,7 +358,6 @@ Java_org_mozilla_jss_SecretDecoderRing_K
{
PK11SlotInfo *slot = NULL;
PK11SymKey *symk = NULL;
- SECStatus status;
/* get the slot */
if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS ) {
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c 2004-04-25 08:02:21.000000000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c 2011-08-11 09:40:34.001421000 -0700
@@ -371,7 +371,7 @@ Java_org_mozilla_jss_crypto_PQGParams_pa
/***********************************************************************
* Perform the verification.
*/
- if( PK11_PQG_VerifyParams(pParams, pVfy, &verifyResult) != PR_SUCCESS) {
+ if( PK11_PQG_VerifyParams(pParams, pVfy, &verifyResult) != SECSuccess) {
JSS_throw(env, OUT_OF_MEMORY_ERROR);
goto finish;
}
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c 2004-04-25 08:02:22.000000000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c 2011-08-10 18:30:07.942629000 -0700
@@ -62,7 +62,7 @@
JNIEXPORT jbyteArray JNICALL Java_org_mozilla_jss_pkcs11_PK11Cert_getEncoded
(JNIEnv *env, jobject this)
{
- PRThread *pThread;
+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
CERTCertificate *cert;
SECItem *derCert;
jbyteArray derArray=NULL;
@@ -118,9 +118,9 @@ finish:
JNIEXPORT jint JNICALL Java_org_mozilla_jss_pkcs11_PK11Cert_getVersion
(JNIEnv *env, jobject this)
{
- PRThread *pThread;
+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
CERTCertificate *cert;
- long lVersion;
+ long lVersion = 0;
pThread = PR_AttachThread(PR_SYSTEM_THREAD, 0, NULL);
PR_ASSERT(pThread != NULL);
@@ -165,7 +165,7 @@ Java_org_mozilla_jss_pkcs11_PK11Cert_get
{
CERTCertificate *cert;
SECKEYPublicKey *pubk=NULL;
- PRThread *pThread;
+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
jobject pubKey=NULL;
PR_ASSERT(env!=NULL && this!=NULL);
@@ -210,7 +210,7 @@ Java_org_mozilla_jss_pkcs11_CertProxy_re
(JNIEnv *env, jobject this)
{
CERTCertificate *cert;
- PRThread *pThread;
+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
PR_ASSERT(env!=NULL && this!=NULL);
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c 2004-04-25 08:02:22.000000000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c 2011-08-10 16:42:43.822494000 -0700
@@ -73,7 +73,7 @@ Java_org_mozilla_jss_pkcs11_PK11Cipher_i
SECItem *iv=NULL;
PK11Context *context=NULL;
CK_ATTRIBUTE_TYPE op;
- jobject contextObj;
+ jobject contextObj = NULL;
PR_ASSERT(env!=NULL && clazz!=NULL && keyObj!=NULL && algObj!=NULL);
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2005-11-14 14:15:06.000000000 -0800
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-08-11 09:23:03.220470000 -0700
@@ -207,7 +207,7 @@ finish:
}
#endif
-static void
+static void FUNCTION_MAY_NOT_BE_USED
print_secitem(SECItem *item) {
int i;
int online;
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-08-10 16:21:30.270767000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-08-10 18:33:11.773445000 -0700
@@ -450,7 +450,7 @@ DumpItem(SECItem *item)
for (i=0; i < item->len; i++) {
printf(" %02x",data[i]);
}
- printf(" : 0x%08x %d\n", data, item->len);
+ printf(" : %8p %d\n", data, item->len);
}
/**********************************************************************
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2006-02-22 17:21:42.000000000 -0800
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-08-10 16:52:03.052910000 -0700
@@ -562,7 +562,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
jint keyLen, jbyteArray ivBA, jint usageEnum)
{
PK11SymKey *symKey=NULL;
- CK_MECHANISM_TYPE wrappingMech, keyTypeMech;
+ CK_MECHANISM_TYPE wrappingMech=0, keyTypeMech=0;
SECItem *wrappedKey=NULL, *iv=NULL, *param=NULL;
jobject keyObj=NULL;
SECKEYPrivateKey *wrappingKey=NULL;
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2004-04-25 08:02:22.000000000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-08-10 16:52:54.951857000 -0700
@@ -88,7 +88,6 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD
PK11Context *context = NULL;
CK_MECHANISM_TYPE mech;
SECItem param;
- PK11SlotInfo *slot=NULL;
jobject contextObj=NULL;
mech = JSS_getPK11MechFromAlg(env, algObj);
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c 2007-02-23 09:40:21.000000000 -0800
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c 2011-08-10 16:53:28.788823000 -0700
@@ -254,7 +254,7 @@ Java_org_mozilla_jss_pkcs11_ModuleProxy_
{
SECMODModule *module;
- if (JSS_getPtrFromProxy(env, this, &module) != PR_SUCCESS) {
+ if (JSS_getPtrFromProxy(env, this, (void **)&module) != PR_SUCCESS) {
ASSERT_OUTOFMEM(env);
goto finish;
}
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c 2006-04-24 18:26:42.000000000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c 2011-08-10 18:34:20.954376000 -0700
@@ -174,7 +174,7 @@ JNIEXPORT jobject JNICALL
Java_org_mozilla_jss_pkcs11_PK11PrivKey_getKeyType
(JNIEnv *env, jobject this)
{
- PRThread *pThread;
+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
SECKEYPrivateKey *privk;
KeyType keyType;
char* keyTypeFieldName;
@@ -259,7 +259,7 @@ Java_org_mozilla_jss_pkcs11_PrivateKeyPr
(JNIEnv *env, jobject this)
{
SECKEYPrivateKey *privk;
- PRThread *pThread;
+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
PR_ASSERT(env!=NULL && this!=NULL);
@@ -358,7 +358,6 @@ Java_org_mozilla_jss_pkcs11_PK11PrivKey_
(JNIEnv *env, jobject this)
{
SECKEYPrivateKey *key = NULL;
- PK11SlotInfo *slot = NULL;
SECItem *idItem = NULL;
jbyteArray byteArray = NULL;
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2006-02-22 17:21:42.000000000 -0800
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-08-10 18:35:04.390333000 -0700
@@ -62,7 +62,7 @@ JNIEXPORT void JNICALL Java_org_mozilla_
(JNIEnv *env, jobject this)
{
SECKEYPublicKey *pubk;
- PRThread *pThread;
+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
PR_ASSERT(env!=NULL && this!=NULL);
@@ -179,7 +179,7 @@ JNIEXPORT void JNICALL
Java_org_mozilla_jss_pkcs11_PK11PubKey_verifyKeyIsOnToken
(JNIEnv *env, jobject this, jobject token)
{
- PRThread *pThread;
+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
SECKEYPublicKey *key = NULL;
PK11SlotInfo *slot = NULL;
PK11SlotInfo *keySlot = NULL;
@@ -231,7 +231,7 @@ JNIEXPORT jobject JNICALL
Java_org_mozilla_jss_pkcs11_PK11PubKey_getKeyType
(JNIEnv *env, jobject this)
{
- PRThread *pThread;
+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
SECKEYPublicKey *pubk;
KeyType keyType;
char* keyTypeFieldName;
@@ -454,7 +454,7 @@ get_public_key_info
{
SECKEYPublicKey *pubk;
jbyteArray byteArray=NULL;
- SECItem *item;
+ SECItem *item=NULL;
PR_ASSERT(env!=NULL && this!=NULL);
@@ -526,7 +526,6 @@ pubkFromRaw(JNIEnv *env, CK_KEY_TYPE typ
{
jobject pubkObj=NULL;
SECKEYPublicKey *pubk=NULL;
- SECStatus rv;
SECItem *pubkDER=NULL;
/* validate args */
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c 2005-01-28 11:16:11.000000000 -0800
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c 2011-08-10 18:36:05.252271000 -0700
@@ -112,7 +112,7 @@ Java_org_mozilla_jss_pkcs11_PK11SecureRa
* "C" data members
*/
- PRThread* pThread = NULL;
+ PRThread* VARIABLE_MAY_NOT_BE_USED pThread = NULL;
SECStatus status = PR_FALSE;
PK11SlotInfo* slot = NULL;
@@ -262,7 +262,7 @@ Java_org_mozilla_jss_pkcs11_PK11SecureRa
* "C" data members
*/
- PRThread* pThread = NULL;
+ PRThread* VARIABLE_MAY_NOT_BE_USED pThread = NULL;
SECStatus status = PR_FALSE;
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2006-04-03 16:09:49.000000000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-08-10 18:38:12.365145000 -0700
@@ -319,7 +319,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de
(JNIEnv *env, jobject this, jobject certObject)
{
CERTCertificate *cert;
- SECStatus status;
+ SECStatus VARIABLE_MAY_NOT_BE_USED status;
PR_ASSERT(env!=NULL && this!=NULL);
if(certObject == NULL) {
@@ -349,7 +349,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de
(JNIEnv *env, jobject this, jobject certObject)
{
CERTCertificate *cert;
- SECStatus status;
+ SECStatus VARIABLE_MAY_NOT_BE_USED status;
PR_ASSERT(env!=NULL && this!=NULL);
if(certObject == NULL) {
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2004-04-25 08:02:22.000000000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2011-08-11 09:42:52.967282000 -0700
@@ -233,7 +233,7 @@ Java_org_mozilla_jss_pkcs11_PK11SymKey_g
jfieldID typeField=NULL;
jobject typeObject=NULL;
- if( JSS_PK11_getSymKeyPtr(env, this, &key) != SECSuccess ) {
+ if( JSS_PK11_getSymKeyPtr(env, this, &key) != PR_SUCCESS ) {
ASSERT_OUTOFMEM(env);
goto finish;
}
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2007-11-09 16:37:57.000000000 -0800
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-08-10 18:38:52.421104000 -0700
@@ -961,9 +961,9 @@ JNIEXPORT jstring JNICALL Java_org_mozil
jstring keyType, jbyteArray P, jbyteArray Q, jbyteArray G)
{
PK11SlotInfo *slot;
- const char* c_subject;
+ const char* c_subject=NULL;
jboolean isCopy;
- unsigned char *b64request;
+ unsigned char *b64request=NULL;
SECItem p, q, g;
PQGParams *dsaParams=NULL;
const char* c_keyType;
@@ -1080,7 +1080,7 @@ GenerateCertRequest(JNIEnv *env,
SECStatus rv;
PRArenaPool *arena;
SECItem result_der, result;
- SECItem *blob;
+ SECItem * VARIABLE_MAY_NOT_BE_USED blob;
CK_MECHANISM_TYPE signMech;
CK_MECHANISM_TYPE keygenMech;
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c 2003-09-24 15:20:05.000000000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c 2011-08-10 16:57:42.991570000 -0700
@@ -89,7 +89,6 @@ traverseTokenObjects
SECKEYPublicKeyList* pubkList = NULL;
PK11SymKey *symKey = NULL;
CERTCertList *certList = NULL;
- SECStatus secstat;
/*
* Get all private keys
@@ -508,7 +507,6 @@ lookupCertByNickname(JNIEnv *env, jobjec
{
PK11SlotInfo *slot;
EngineGetCertificateCBInfo cbinfo = {NULL,NULL};
- jbyteArray derCertBA = NULL;
PRStatus status = PR_FAILURE;
if( alias == NULL ) goto finish;
@@ -813,7 +811,6 @@ Java_org_mozilla_jss_provider_java_secur
PK11SlotInfo *slot;
EngineGetCertificateCBInfo cbinfo = {NULL,NULL};
jboolean retVal = JNI_FALSE;
- SECKEYPrivateKey *privk = NULL;
if( alias == NULL ) goto finish;
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-08-10 16:21:30.395765000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-08-10 17:05:15.363117000 -0700
@@ -397,7 +397,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_getSo
{
PRSocketOptionData sockOptions;
JSSL_SocketData *sock = NULL;
- jint retval;
+ jint retval=-1;
PRStatus status;
if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
@@ -874,7 +874,7 @@ JNIEXPORT jint JNICALL
Java_org_mozilla_jss_ssl_SSLSocket_socketAvailable(
JNIEnv *env, jobject self)
{
- jint available;
+ jint available=0;
JSSL_SocketData *sock = NULL;
if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2011-08-10 16:21:30.434766000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2011-08-11 09:44:12.310202000 -0700
@@ -64,7 +64,7 @@ JSSL_throwSSLSocketException(JNIEnv *env
jmethodID excepCons;
jobject excepObj;
jstring msgString;
- jint result;
+ jint VARIABLE_MAY_NOT_BE_USED result;
/*
* get the error code and error string
@@ -149,8 +149,8 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
jbyteArray sdArray = NULL;
JSSL_SocketData *sockdata = NULL;
SECStatus status;
- PRFileDesc *newFD;
- PRFileDesc *tmpFD;
+ PRFileDesc *newFD = NULL;
+ PRFileDesc *tmpFD = NULL;
PRFilePrivate *priv = NULL;
int socketFamily = 0;
@@ -627,7 +627,7 @@ Java_org_mozilla_jss_ssl_SocketBase_getS
SECStatus status = SECSuccess;
PRBool bOption = PR_FALSE;
- if( JSSL_getSockData(env, self, &sock) != SECSuccess ) {
+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
goto finish;
}
@@ -649,7 +649,7 @@ JSSL_getSockAddr
(JNIEnv *env, jobject self, PRNetAddr *addr, LocalOrPeer localOrPeer)
{
JSSL_SocketData *sock = NULL;
- PRStatus status;
+ PRStatus status=PR_FAILURE;
/* get my fd */
if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
@@ -893,7 +893,7 @@ JSS_SSL_processExceptions(JNIEnv *env, P
finish:
if( currentExcep != NULL && (*env)->ExceptionOccurred(env) == NULL) {
- int ret = (*env)->Throw(env, currentExcep);
+ int VARIABLE_MAY_NOT_BE_USED ret = (*env)->Throw(env, currentExcep);
PR_ASSERT(ret == 0);
}
}
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-08-10 16:21:30.446765000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-08-10 17:03:48.769206000 -0700
@@ -92,7 +92,7 @@ writebuf(JNIEnv *env, PRFileDesc *fd, jo
jmethodID getOutputStream, writeMethod;
jclass sockClass, osClass;
jobject outputStream;
- jint arrayLen;
+ jint arrayLen=-1;
PRInt32 retval;
/*
@@ -211,7 +211,7 @@ jsock_write(PRFileDesc *fd, const PRIOVe
jobject sockObj;
JNIEnv *env;
jbyteArray outbufArray;
- PRInt32 retval;
+ PRInt32 retval=-1;
if( GET_ENV(fd->secret->javaVM, env) ) goto finish;
@@ -500,7 +500,7 @@ static PRInt32
jsock_recv(PRFileDesc *fd, void *buf, PRInt32 amount,
PRIntn flags, PRIntervalTime timeout)
{
- PRInt32 retval;
+ PRInt32 retval=-1;
JNIEnv *env;
jobject sockObj;
jbyteArray byteArray;
@@ -637,7 +637,7 @@ getIntProperty(JNIEnv *env, jobject sock
{
jclass sockClass;
jmethodID method;
- jint retval;
+ jint retval=0;
sockClass = (*env)->GetObjectClass(env, sock);
if( sockClass == NULL ) goto finish;
@@ -1001,12 +1001,6 @@ static const PRIOMethods jsockMethods =
(PRReservedFN) invalidInt
};
-static const PRIOMethods*
-getJsockMethods()
-{
- return &jsockMethods;
-}
-
static void
jsockDestructor(PRFileDesc *fd)
{
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2004-04-25 08:02:29.000000000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-08-10 18:24:58.470937000 -0700
@@ -115,7 +115,7 @@ void
JSS_throwMsg(JNIEnv *env, char *throwableClassName, char *message) {
jclass throwableClass;
- jint result;
+ jint VARIABLE_MAY_NOT_BE_USED result;
/* validate arguments */
PR_ASSERT(env!=NULL && throwableClassName!=NULL && message!=NULL);
@@ -156,7 +156,7 @@ JSS_throw(JNIEnv *env, char *throwableCl
jclass throwableClass;
jobject throwable;
jmethodID constructor;
- jint result;
+ jint VARIABLE_MAY_NOT_BE_USED result;
PR_ASSERT( (*env)->ExceptionOccurred(env) == NULL );
@@ -222,7 +222,9 @@ JSS_throw(JNIEnv *env, char *throwableCl
PRStatus
JSS_getPtrFromProxy(JNIEnv *env, jobject nativeProxy, void **ptr)
{
+#ifdef DEBUG
jclass nativeProxyClass;
+#endif
jclass proxyClass;
jfieldID byteArrayField;
jbyteArray byteArray;
@@ -745,7 +747,7 @@ JSS_trace(JNIEnv *env, jint level, char
void
JSS_assertOutOfMem(JNIEnv *env)
{
- jclass memErrClass;
+ jclass VARIABLE_MAY_NOT_BE_USED memErrClass;
jthrowable excep;
PR_ASSERT(env != NULL);
@@ -804,7 +806,7 @@ JSS_SECItemToByteArray(JNIEnv *env, SECI
goto finish;
}
- (*env)->SetByteArrayRegion(env, array, 0, item->len, item->data);
+ (*env)->SetByteArrayRegion(env, array, 0, item->len, (jbyte*)item->data);
finish:
return array;
diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h
--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h 2004-04-25 08:02:29.000000000 -0700
+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h 2011-08-11 18:12:56.926098000 -0700
@@ -36,6 +36,19 @@
#ifndef JSS_NATIVE_UTIL_H
#define JSS_NATIVE_UTIL_H
+/* The following #defines are used to suppress undesired compiler warnings
+ * that have been deemed inappropriate.
+ *
+ * IMPORTANT: These are ONLY used on an "as-needed" basis!
+ */
+#ifdef __GNUC__
+#define FUNCTION_MAY_NOT_BE_USED __attribute__ ((unused))
+#define VARIABLE_MAY_NOT_BE_USED __attribute__ ((unused))
+#else
+#define FUNCTION_MAY_NOT_BE_USED
+#define VARIABLE_MAY_NOT_BE_USED
+#endif
+
/* Need to include these first.
* #include <nspr.h>
* #include <jni.h>

253
jss-eliminate-native-coverity-defects.patch
View File

@ -1,253 +0,0 @@
diff -rupN jss-4.2.6.orig/mozilla/security/coreconf/nsinstall/pathsub.c jss-4.2.6/mozilla/security/coreconf/nsinstall/pathsub.c
--- jss-4.2.6.orig/mozilla/security/coreconf/nsinstall/pathsub.c 2004-04-25 08:02:18.000000000 -0700
+++ jss-4.2.6/mozilla/security/coreconf/nsinstall/pathsub.c 2011-09-17 18:37:39.875900000 -0700
@@ -275,9 +275,11 @@ diagnosePath(const char * path)
rv = readlink(myPath, buf, sizeof buf);
if (rv < 0) {
perror("readlink");
- buf[0] = 0;
- } else {
+ buf[0] = 0;
+ } else if ( rv < BUFSIZ ) {
buf[rv] = 0;
+ } else {
+ buf[BUFSIZ-1] = 0;
}
fprintf(stderr, "%s is a link to %s\n", myPath, buf);
} else if (S_ISDIR(sb.st_mode)) {
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-09-17 17:33:08.823975000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-09-17 20:09:35.446977000 -0700
@@ -728,14 +728,14 @@ getPWFromCallback(PK11SlotInfo *slot, PR
}
finish:
- if( (exception=(*env)->ExceptionOccurred(env)) != NULL) {
#ifdef DEBUG
+ if( (exception=(*env)->ExceptionOccurred(env)) != NULL) {
jclass giveupClass;
jmethodID printStackTrace;
jclass excepClass;
-#endif
+
(*env)->ExceptionClear(env);
-#ifdef DEBUG
+
giveupClass = (*env)->FindClass(env, GIVE_UP_EXCEPTION);
PR_ASSERT(giveupClass != NULL);
if( ! (*env)->IsInstanceOf(env, exception, giveupClass) ) {
@@ -746,8 +746,12 @@ finish:
PR_ASSERT( PR_FALSE );
}
PR_ASSERT(returnchars==NULL);
-#endif
}
+#else
+ if( ((*env)->ExceptionOccurred(env)) != NULL) {
+ (*env)->ExceptionClear(env);
+ }
+#endif
return returnchars;
}
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-09-17 17:33:08.834976000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-09-19 16:51:46.438021000 -0700
@@ -768,6 +768,10 @@ static int find_leaf_cert(
int *linked = NULL;
linked = PR_Malloc( sizeof(int) * numCerts );
+ if (linked == NULL) {
+ status = 0;
+ goto finish;
+ }
/* initialize the bitmap */
for (i = 0; i < numCerts; i++) {
@@ -1735,7 +1739,7 @@ Java_org_mozilla_jss_CryptoManager_verif
{
SECStatus rv = SECFailure;
SECCertUsage certUsage;
- SECItem *derCerts[2];
+ SECItem *derCerts[2] = { NULL, NULL };
CERTCertificate **certArray = NULL;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
@@ -1749,7 +1753,6 @@ Java_org_mozilla_jss_CryptoManager_verif
}
PR_ASSERT(certdb != NULL);
- derCerts[0] = NULL;
derCerts[0] = JSS_ByteArrayToSECItem(env, packageArray);
derCerts[1] = NULL;
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-17 17:33:08.708976000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-17 19:37:52.834292000 -0700
@@ -235,7 +235,7 @@ static PRStatus
getAlgInfo(JNIEnv *env, jobject alg, JSS_AlgInfo *info)
{
jint index;
- PRStatus status;
+ PRStatus status = PR_FAILURE;
PR_ASSERT(env!=NULL && alg!=NULL && info!=NULL);
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-09-17 17:33:08.970975000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-09-17 19:47:21.850722000 -0700
@@ -181,7 +181,7 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD
PK11Context *context=NULL;
jbyte *bytes=NULL;
SECStatus status;
- unsigned int outLen;
+ unsigned int outLen = 0;
if( JSS_PK11_getCipherContext(env, proxyObj, &context) != PR_SUCCESS) {
/* exception was thrown */
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-09-17 17:33:09.013977000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-09-17 18:16:40.231161000 -0700
@@ -273,6 +273,7 @@ Java_org_mozilla_jss_pkcs11_PK11PubKey_g
break;
case keaKey:
keyTypeFieldName = KEA_KEYTYPE_FIELD;
+ break;
default:
PR_ASSERT(PR_FALSE);
keyTypeFieldName = NULL_KEYTYPE_FIELD;
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-09-17 17:33:09.032977000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-09-17 19:48:57.776628000 -0700
@@ -390,12 +390,6 @@ importPrivateKey
SECStatus status;
SECItem nickname;
- keyType = JSS_PK11_getKeyType(env, keyTypeObj);
- if( keyType == nullKey ) {
- /* exception was thrown */
- goto finish;
- }
-
/*
* initialize so we can goto finish
*/
@@ -403,6 +397,12 @@ importPrivateKey
derPK.len = 0;
+ keyType = JSS_PK11_getKeyType(env, keyTypeObj);
+ if( keyType == nullKey ) {
+ /* exception was thrown */
+ goto finish;
+ }
+
PR_ASSERT(env!=NULL && this!=NULL);
if(keyArray == NULL) {
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-09-17 17:33:09.050976000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-09-17 19:53:46.184339000 -0700
@@ -962,12 +962,12 @@ JNIEXPORT jstring JNICALL Java_org_mozil
{
PK11SlotInfo *slot;
const char* c_subject=NULL;
- jboolean isCopy;
+ jboolean isCopy = JNI_FALSE;
unsigned char *b64request=NULL;
SECItem p, q, g;
PQGParams *dsaParams=NULL;
const char* c_keyType;
- jboolean k_isCopy;
+ jboolean k_isCopy = JNI_FALSE;
SECOidTag signType = SEC_OID_UNKNOWN;
PK11RSAGenParams rsaParams;
void *params = NULL;
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-09-17 17:33:09.073977000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-09-17 19:56:20.428184000 -0700
@@ -516,11 +516,6 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
goto finish;
}
- if( addrBAelems == NULL ) {
- ASSERT_OUTOFMEM(env);
- goto finish;
- }
-
if(addrBALen != 4 && addrBALen != 16) {
JSSL_throwSSLSocketException(env, "Invalid address in connect!");
goto finish;
@@ -720,7 +715,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_getCi
{
JSSL_SocketData *sock=NULL;
SECStatus status;
- PRBool enabled;
+ PRBool enabled = PR_FAILURE;
/* get the fd */
if( JSSL_getSockData(env, sockObj, &sock) != PR_SUCCESS) {
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c 2004-09-03 11:32:03.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c 2011-09-17 18:15:07.825252000 -0700
@@ -684,17 +684,13 @@ JSSL_ConfirmExpiredPeerCert(void *arg, P
* Now check the name field in the cert against the desired hostname.
* NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
*/
- if( peerCert == NULL ) {
- rv = SECFailure;
+ char* hostname = NULL;
+ hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */
+ if (hostname && hostname[0]) {
+ rv = CERT_VerifyCertName(peerCert, hostname);
+ PORT_Free(hostname);
} else {
- char* hostname = NULL;
- hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */
- if (hostname && hostname[0]) {
- rv = CERT_VerifyCertName(peerCert, hostname);
- PORT_Free(hostname);
- } else {
- rv = SECFailure;
- }
+ rv = SECFailure;
}
}
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-09-17 17:33:09.094977000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-09-17 19:16:38.546566000 -0700
@@ -95,6 +95,10 @@ writebuf(JNIEnv *env, PRFileDesc *fd, jo
jint arrayLen=-1;
PRInt32 retval;
+ if( env == NULL ) {
+ goto finish;
+ }
+
/*
* get the OutputStream
*/
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c 2002-07-03 17:25:46.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c 2011-09-18 23:02:28.130883000 -0700
@@ -427,6 +427,7 @@ JSS_ConvertNativeErrcodeToJava(PRErrorCo
#endif
key.native = nativeErrcode;
+ key.java = -1;
target = bsearch( &key, errcodeTable, numErrcodes, sizeof(Errcode),
errcodeCompare );
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/jssutil.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-09-17 17:33:09.103977000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-09-19 16:38:19.428634000 -0700
@@ -529,7 +529,7 @@ JSS_wipeCharArray(char* array)
*/
static char* getPWFromConsole()
{
- char c;
+ int c;
char *ret;
int i;
char buf[200]; /* no buffer overflow: we bail after 200 chars */

23
jss-fixed-build-issue-on-F17-or-newer.patch
View File

@ -1,23 +0,0 @@
diff -rupN jss-4.2.6.orig/mozilla/security/coreconf/config.mk jss-4.2.6/mozilla/security/coreconf/config.mk
--- jss-4.2.6.orig/mozilla/security/coreconf/config.mk 2007-05-03 23:54:05.000000000 -0700
+++ jss-4.2.6/mozilla/security/coreconf/config.mk 2013-07-22 18:42:19.000000000 -0700
@@ -68,8 +68,19 @@ TARGET_OSES = FreeBSD BSD_OS NetBSD Open
ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
else
+ifeq ($(OS_TARGET), Linux)
+OS_RELEASE_VER_MAJOR := $(shell echo $(OS_RELEASE) | cut -f1 -d.)
+OS_RELEASE_VER_MINOR := $(shell echo $(OS_RELEASE) | cut -f2 -d.)
+OS_RELEASE_GT_2_6 := $(shell [ $(OS_RELEASE_VER_MAJOR) -ge 2 -o \( $(OS_RELEASE_VER_MAJOR) -eq 2 -a $(OS_RELEASE_VER_MINOR) -ge 6 \) ] && echo true)
+ifeq ($(OS_RELEASE_GT_2_6),true)
+include $(CORE_DEPTH)/coreconf/Linux2.6.mk
+else
include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
endif
+else
+include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
+endif
+endif
#######################################################################
# [4.0] Master "Core Components" source and release <platform> tags #

623
jss-ipv6.patch
View File

@ -1,623 +0,0 @@
diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/lib/jss.def jss-4.2.6/mozilla/security/jss/lib/jss.def
--- jss-4.2.6.pre-IPv6/mozilla/security/jss/lib/jss.def 2009-06-24 17:08:59.784371000 -0700
+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-06-19 17:56:00.000000000 -0700
@@ -175,6 +175,7 @@ Java_org_mozilla_jss_ssl_SSLServerSocket
Java_org_mozilla_jss_ssl_SSLSocket_forceHandshake;
Java_org_mozilla_jss_ssl_SSLSocket_getKeepAlive;
Java_org_mozilla_jss_ssl_SSLSocket_getLocalAddressNative;
+Java_org_mozilla_jss_ssl_SocketBase_getLocalAddressByteArrayNative;
Java_org_mozilla_jss_ssl_SSLSocket_getPort;
Java_org_mozilla_jss_ssl_SSLSocket_getReceiveBufferSize;
Java_org_mozilla_jss_ssl_SSLSocket_getSendBufferSize;
@@ -199,6 +200,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
Java_org_mozilla_jss_ssl_SSLSocket_socketWrite;
Java_org_mozilla_jss_ssl_SocketBase_getLocalPortNative;
Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressNative;
+Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressByteArrayNative;
Java_org_mozilla_jss_ssl_SocketBase_setClientCertNicknameNative;
Java_org_mozilla_jss_ssl_SocketBase_requestClientAuthNoExpiryCheckNative;
Java_org_mozilla_jss_ssl_SocketBase_setSSLOption;
diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java 2007-03-20 15:39:28.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java 2009-06-24 13:46:49.000000000 -0700
@@ -36,7 +36,8 @@
package org.mozilla.jss.ssl;
-import java.net.InetAddress;
+import java.util.*;
+import java.net.*;
import java.io.IOException;
import java.net.Socket;
import java.net.SocketException;
@@ -138,34 +139,34 @@ public class SSLServerSocket extends jav
super.close();
// create the socket
+
+ int socketFamily = SocketBase.SSL_AF_INET;
+ if(SocketBase.supportsIPV6()) {
+ socketFamily = SocketBase.SSL_AF_INET6;
+ }
+
sockProxy = new SocketProxy(
- base.socketCreate(this, certApprovalCallback, null) );
+ base.socketCreate(this, certApprovalCallback, null,socketFamily) );
base.setProxy(sockProxy);
setReuseAddress(reuseAddr);
- // bind it to the local address and port
- if( bindAddr == null ) {
- bindAddr = anyLocalAddr;
- }
byte[] bindAddrBA = null;
if( bindAddr != null ) {
bindAddrBA = bindAddr.getAddress();
}
base.socketBind(bindAddrBA, port);
+
+ String hostName = null;
+ if(bindAddr != null) {
+ hostName = bindAddr.getCanonicalHostName();
+ }
socketListen(backlog);
}
private native void socketListen(int backlog) throws SocketException;
- private static InetAddress anyLocalAddr;
- static {
- try {
- anyLocalAddr = InetAddress.getByName("0.0.0.0");
- } catch (java.net.UnknownHostException e) { }
- }
-
/**
* Accepts a connection. This call will block until a connection is made
* or the timeout is reached.
diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2007-05-08 18:40:14.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2009-06-24 13:27:15.000000000 -0700
@@ -460,10 +460,15 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
JSSL_SocketData *sock;
PRNetAddr addr;
jbyte *addrBAelems = NULL;
+ int addrBALen = 0;
PRStatus status;
int stat;
const char *hostnameStr=NULL;
+ jmethodID supportsIPV6ID;
+ jclass socketBaseClass;
+ jboolean supportsIPV6 = 0;
+
if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) {
/* exception was thrown */
goto finish;
@@ -472,16 +477,32 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
/*
* setup the PRNetAddr structure
*/
- addr.inet.family = AF_INET;
- addr.inet.port = htons(port);
- PR_ASSERT(sizeof(addr.inet.ip) == 4);
- PR_ASSERT( (*env)->GetArrayLength(env, addrBA) == 4);
+
+ socketBaseClass = (*env)->FindClass(env, SOCKET_BASE_NAME);
+ if( socketBaseClass == NULL ) {
+ ASSERT_OUTOFMEM(env);
+ goto finish;
+ }
+ supportsIPV6ID = (*env)->GetStaticMethodID(env, socketBaseClass,
+ SUPPORTS_IPV6_NAME, SUPPORTS_IPV6_SIG);
+
+ if( supportsIPV6ID == NULL ) {
+ ASSERT_OUTOFMEM(env);
+ goto finish;
+ }
+
+ supportsIPV6 = (*env)->CallStaticBooleanMethod(env, socketBaseClass,
+ supportsIPV6ID);
+
addrBAelems = (*env)->GetByteArrayElements(env, addrBA, NULL);
+ addrBALen = (*env)->GetArrayLength(env, addrBA);
+
+ PR_ASSERT(addrBALen != 0);
+
if( addrBAelems == NULL ) {
ASSERT_OUTOFMEM(env);
goto finish;
}
- memcpy(&addr.inet.ip, addrBAelems, 4);
/*
* Tell SSL the URL we think we want to connect to.
@@ -495,6 +516,38 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
goto finish;
}
+ if( addrBAelems == NULL ) {
+ ASSERT_OUTOFMEM(env);
+ goto finish;
+ }
+
+ if(addrBALen != 4 && addrBALen != 16) {
+ JSSL_throwSSLSocketException(env, "Invalid address in connect!");
+ goto finish;
+ }
+
+ if( addrBALen == 4) {
+ addr.inet.family = AF_INET;
+ addr.inet.port = PR_htons(port);
+ memcpy(&addr.inet.ip, addrBAelems, 4);
+
+ if(supportsIPV6) {
+ addr.ipv6.family = AF_INET6;
+ addr.ipv6.port = PR_htons(port);
+ PR_ConvertIPv4AddrToIPv6(addr.inet.ip,&addr.ipv6.ip);
+ }
+
+ } else { /* Must be 16 and ipv6 */
+ if(supportsIPV6) {
+ addr.ipv6.family = AF_INET6;
+ addr.ipv6.port = PR_htons(port);
+ memcpy(&addr.ipv6.ip,addrBAelems, 16);
+ } else {
+ JSSL_throwSSLSocketException(env, "Invalid address in connect!");
+ goto finish;
+ }
+ }
+
/*
* make the connect call
*/
diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java
--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2007-05-08 18:40:14.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2009-06-24 13:45:59.000000000 -0700
@@ -243,11 +243,16 @@ public class SSLSocket extends java.net.
SSLClientCertificateSelectionCallback clientCertSelectionCallback)
throws IOException
{
+
+ int socketFamily = SocketBase.SSL_AF_INET;
+ if(SocketBase.supportsIPV6()) {
+ socketFamily = SocketBase.SSL_AF_INET6;
+ }
// create the socket
sockProxy =
new SocketProxy(
base.socketCreate(
- this, certApprovalCallback, clientCertSelectionCallback) );
+ this, certApprovalCallback, clientCertSelectionCallback,socketFamily) );
base.setProxy(sockProxy);
@@ -288,7 +293,7 @@ public class SSLSocket extends java.net.
new SocketProxy(
base.socketCreate(
this, certApprovalCallback, clientCertSelectionCallback,
- s, host ) );
+ s, host,SocketBase.SSL_AF_INET ) );
base.setProxy(sockProxy);
resetHandshake();
diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java
--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2007-03-20 15:39:28.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2009-06-24 13:50:32.000000000 -0700
@@ -70,16 +70,16 @@ class SocketBase {
native byte[] socketCreate(Object socketObject,
SSLCertificateApprovalCallback certApprovalCallback,
SSLClientCertificateSelectionCallback clientCertSelectionCallback,
- java.net.Socket javaSock, String host)
+ java.net.Socket javaSock, String host,int family)
throws SocketException;
byte[] socketCreate(Object socketObject,
SSLCertificateApprovalCallback certApprovalCallback,
- SSLClientCertificateSelectionCallback clientCertSelectionCallback)
+ SSLClientCertificateSelectionCallback clientCertSelectionCallback,int family)
throws SocketException
{
return socketCreate(socketObject, certApprovalCallback,
- clientCertSelectionCallback, null, null);
+ clientCertSelectionCallback, null, null,family);
}
native void socketBind(byte[] addrBA, int port) throws SocketException;
@@ -115,6 +115,10 @@ class SocketBase {
static final int SSL_REQUIRE_FIRST_HANDSHAKE = 20;
static final int SSL_REQUIRE_NO_ERROR = 21;
+
+ static final int SSL_AF_INET = 50;
+ static final int SSL_AF_INET6 = 51;
+
void close() throws IOException {
socketClose();
}
@@ -281,13 +285,25 @@ class SocketBase {
return in;
}
+ private native byte[] getLocalAddressByteArrayNative() throws SocketException;
+ private native byte[] getPeerAddressByteArrayNative() throws SocketException;
/**
* @return the InetAddress of the peer end of the socket.
*/
InetAddress getInetAddress()
{
try {
- return convertIntToInetAddress( getPeerAddressNative() );
+ byte[] address = getPeerAddressByteArrayNative();
+
+ InetAddress iAddr = null;
+
+ try {
+
+ iAddr = InetAddress.getByAddress(address);
+ } catch(UnknownHostException e) {
+ }
+
+ return iAddr;
} catch(SocketException e) {
return null;
}
@@ -299,7 +315,17 @@ class SocketBase {
*/
InetAddress getLocalAddress() {
try {
- return convertIntToInetAddress( getLocalAddressNative() );
+ byte[] address = getLocalAddressByteArrayNative();
+
+ InetAddress lAddr = null;
+
+ try {
+
+ lAddr = InetAddress.getByAddress(address);
+ } catch(UnknownHostException e) {
+ }
+
+ return lAddr;
} catch(SocketException e) {
return null;
}
@@ -378,4 +404,45 @@ class SocketBase {
return topException;
}
}
+
+ static private int supportsIPV6 = -1;
+ static boolean supportsIPV6() {
+
+ if(supportsIPV6 >= 0) {
+ if(supportsIPV6 > 0) {
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+ Enumeration netInter;
+ try {
+ netInter = NetworkInterface.getNetworkInterfaces();
+ } catch (SocketException e) {
+
+ return false;
+ }
+ while ( netInter.hasMoreElements() )
+ {
+ NetworkInterface ni = (NetworkInterface)netInter.nextElement();
+ Enumeration addrs = ni.getInetAddresses();
+ while ( addrs.hasMoreElements() )
+ {
+ Object o = addrs.nextElement();
+ if ( o.getClass() == InetAddress.class ||
+ o.getClass() == Inet4Address.class ||
+ o.getClass() == Inet6Address.class )
+ {
+ InetAddress iaddr = (InetAddress) o;
+ if(o.getClass() == Inet6Address.class) {
+ supportsIPV6 = 1;
+ return true;
+ }
+ }
+ }
+ }
+ supportsIPV6 = 0;
+ return false;
+ }
}
diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/common.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c
--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2007-04-24 11:34:58.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2009-06-24 14:22:02.000000000 -0700
@@ -33,7 +33,6 @@
* the terms of any one of the MPL, the GPL or the LGPL.
*
* ***** END LICENSE BLOCK ***** */
-
#include <nspr.h>
#include <jni.h>
#include <pk11func.h>
@@ -51,6 +50,9 @@
#include <winsock.h>
#endif
+#define SSL_AF_INET 50
+#define SSL_AF_INET6 51
+
void
JSSL_throwSSLSocketException(JNIEnv *env, char *message)
{
@@ -142,7 +144,7 @@ finish:
JNIEXPORT jbyteArray JNICALL
Java_org_mozilla_jss_ssl_SocketBase_socketCreate(JNIEnv *env, jobject self,
jobject sockObj, jobject certApprovalCallback,
- jobject clientCertSelectionCallback, jobject javaSock, jstring host)
+ jobject clientCertSelectionCallback, jobject javaSock, jstring host,jint family)
{
jbyteArray sdArray = NULL;
JSSL_SocketData *sockdata = NULL;
@@ -150,10 +152,21 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
PRFileDesc *newFD;
PRFileDesc *tmpFD;
PRFilePrivate *priv = NULL;
+ int socketFamily = 0;
+
+ if (family != SSL_AF_INET6 && family != SSL_AF_INET) {
+ JSSL_throwSSLSocketException(env,
+ "socketCreate() Invalid family!");
+ goto finish;
+ }
+ if( family == SSL_AF_INET)
+ socketFamily = PR_AF_INET;
+ else
+ socketFamily = PR_AF_INET6;
if( javaSock == NULL ) {
/* create a TCP socket */
- newFD = PR_NewTCPSocket();
+ newFD = PR_OpenTCPSocket(socketFamily);
if( newFD == NULL ) {
JSSL_throwSSLSocketException(env,
"PR_NewTCPSocket() returned NULL");
@@ -394,10 +407,10 @@ PRInt32 JSSL_enums[] = {
SSL_REQUIRE_ALWAYS, /* 19 */ /* ssl.h */
SSL_REQUIRE_FIRST_HANDSHAKE,/* 20 */ /* ssl.h */
SSL_REQUIRE_NO_ERROR, /* 21 */ /* ssl.h */
-
0
};
+
JNIEXPORT void JNICALL
Java_org_mozilla_jss_ssl_SocketBase_socketBind
(JNIEnv *env, jobject self, jbyteArray addrBA, jint port)
@@ -405,8 +418,13 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
JSSL_SocketData *sock;
PRNetAddr addr;
jbyte *addrBAelems = NULL;
+ int addrBALen = 0;
PRStatus status;
+ jmethodID supportsIPV6ID;
+ jclass socketBaseClass;
+ jboolean supportsIPV6 = 0;
+
if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) {
/* exception was thrown */
goto finish;
@@ -415,19 +433,72 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
/*
* setup the PRNetAddr structure
*/
- addr.inet.family = AF_INET;
- addr.inet.port = htons(port);
+
+ /*
+ * Do we support IPV6?
+ */
+
+ socketBaseClass = (*env)->FindClass(env, SOCKET_BASE_NAME);
+ if( socketBaseClass == NULL ) {
+ ASSERT_OUTOFMEM(env);
+ goto finish;
+ }
+ supportsIPV6ID = (*env)->GetStaticMethodID(env, socketBaseClass,
+ SUPPORTS_IPV6_NAME, SUPPORTS_IPV6_SIG);
+
+ if( supportsIPV6ID == NULL ) {
+ ASSERT_OUTOFMEM(env);
+ goto finish;
+ }
+
+ supportsIPV6 = (*env)->CallStaticBooleanMethod(env, socketBaseClass,
+ supportsIPV6ID);
+
+ memset( &addr, 0, sizeof( PRNetAddr ));
+
if( addrBA != NULL ) {
- PR_ASSERT(sizeof(addr.inet.ip) == 4);
- PR_ASSERT( (*env)->GetArrayLength(env, addrBA) == 4);
addrBAelems = (*env)->GetByteArrayElements(env, addrBA, NULL);
+ addrBALen = (*env)->GetArrayLength(env, addrBA);
+
if( addrBAelems == NULL ) {
ASSERT_OUTOFMEM(env);
goto finish;
}
- memcpy(&addr.inet.ip, addrBAelems, 4);
+
+ if(addrBALen != 4 && addrBALen != 16) {
+ JSS_throwMsgPrErr(env, BIND_EXCEPTION,
+ "Invalid address in bind!");
+ goto finish;
+ }
+
+ if( addrBALen == 4) {
+ addr.inet.family = PR_AF_INET;
+ addr.inet.port = PR_htons(port);
+ memcpy(&addr.inet.ip, addrBAelems, 4);
+
+ if(supportsIPV6) {
+ addr.inet.family = PR_AF_INET6;
+ addr.ipv6.port = PR_htons(port);
+ PR_ConvertIPv4AddrToIPv6(addr.inet.ip,&addr.ipv6.ip);
+ }
+
+ } else { /* Must be 16 and ipv6 */
+ if(supportsIPV6) {
+ addr.ipv6.family = PR_AF_INET6;
+ addr.ipv6.port = PR_htons(port);
+ memcpy(&addr.ipv6.ip,addrBAelems, 16);
+ } else {
+ JSS_throwMsgPrErr(env, BIND_EXCEPTION,
+ "Invalid address in bind!");
+ goto finish;
+ }
+ }
} else {
- addr.inet.ip = PR_htonl(INADDR_ANY);
+ if(supportsIPV6) {
+ status = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr);
+ } else {
+ status = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET, port, &addr);
+ }
}
/* do the bind() call */
@@ -601,6 +672,78 @@ finish:
return status;
}
+JNIEXPORT jbyteArray JNICALL
+Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressByteArrayNative
+ (JNIEnv *env, jobject self)
+{
+ jbyteArray byteArray=NULL;
+ PRNetAddr addr;
+ jbyte *address=NULL;
+ int size=4;
+
+ if( JSSL_getSockAddr(env, self, &addr, PEER_SOCK) != PR_SUCCESS) {
+ goto finish;
+ }
+
+ if( PR_NetAddrFamily(&addr) == PR_AF_INET6) {
+ size = 16;
+ address = (jbyte *) &addr.ipv6.ip;
+ } else {
+ address = (jbyte *) &addr.inet.ip;
+ }
+
+ byteArray = (*env)->NewByteArray(env,size);
+ if(byteArray == NULL) {
+ ASSERT_OUTOFMEM(env);
+ goto finish;
+ }
+ (*env)->SetByteArrayRegion(env, byteArray, 0,size ,address);
+ if( (*env)->ExceptionOccurred(env) != NULL) {
+ PR_ASSERT(PR_FALSE);
+ goto finish;
+ }
+
+finish:
+ return byteArray;
+}
+
+JNIEXPORT jbyteArray JNICALL
+Java_org_mozilla_jss_ssl_SocketBase_getLocalAddressByteArrayNative
+ (JNIEnv *env, jobject self)
+{
+ jbyteArray byteArray=NULL;
+ PRNetAddr addr;
+ jbyte *address=NULL;
+ int size=4;
+
+ if( JSSL_getSockAddr(env, self, &addr, LOCAL_SOCK) != PR_SUCCESS) {
+ goto finish;
+ }
+
+ if( PR_NetAddrFamily(&addr) == PR_AF_INET6) {
+ size = 16;
+ address = (jbyte *) &addr.ipv6.ip;
+ } else {
+ address = (jbyte *) &addr.inet.ip;
+ }
+
+ byteArray = (*env)->NewByteArray(env,size);
+ if(byteArray == NULL) {
+ ASSERT_OUTOFMEM(env);
+ goto finish;
+ }
+ (*env)->SetByteArrayRegion(env, byteArray, 0,size,address);
+ if( (*env)->ExceptionOccurred(env) != NULL) {
+ PR_ASSERT(PR_FALSE);
+ goto finish;
+ }
+
+finish:
+ return byteArray;
+}
+
+/* Leave the original versions of these functions for compatibility */
+
JNIEXPORT jint JNICALL
Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressNative
(JNIEnv *env, jobject self)
diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c
--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2007-04-24 11:34:58.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2009-06-24 13:43:13.000000000 -0700
@@ -290,6 +290,7 @@ getInetAddress(PRFileDesc *fd, PRNetAddr
jobject inetAddress;
jbyteArray addrByteArray;
jint port;
+ int addrBALen = 0;
if( GET_ENV(fd->secret->javaVM, env) ) goto finish;
@@ -377,8 +378,9 @@ getInetAddress(PRFileDesc *fd, PRNetAddr
memset(addr, 0, sizeof(PRNetAddr));
- /* we only handle IPV4 */
- PR_ASSERT( (*env)->GetArrayLength(env, addrByteArray) == 4 );
+ addrBALen = (*env)->GetArrayLength(env, addrByteArray);
+
+ PR_ASSERT( (addrBALen == 4) || (addrBALen == 16 ) );
/* make sure you release them later */
addrBytes = (*env)->GetByteArrayElements(env, addrByteArray, NULL);
@@ -388,9 +390,16 @@ getInetAddress(PRFileDesc *fd, PRNetAddr
}
/* ip field is in network byte order */
- memcpy( (void*) &addr->inet.ip, addrBytes, 4);
- addr->inet.family = PR_AF_INET;
- addr->inet.port = port;
+
+ if (addrBALen == 4) {
+ memcpy( (void*) &addr->inet.ip, addrBytes, 4);
+ addr->inet.family = PR_AF_INET;
+ addr->inet.port = port;
+ } else {
+ memcpy( (void*) &addr->ipv6.ip,addrBytes, 16);
+ addr->inet.family = PR_AF_INET6;
+ addr->inet.port = port;
+ }
(*env)->ReleaseByteArrayElements(env, addrByteArray, addrBytes,
JNI_ABORT);
diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h
--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2006-02-22 17:21:52.000000000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2009-06-19 17:56:00.000000000 -0700
@@ -312,6 +312,8 @@ PR_BEGIN_EXTERN_C
#define SOCKET_BASE_NAME "org/mozilla/jss/ssl/SocketBase"
#define PROCESS_EXCEPTIONS_NAME "processExceptions"
#define PROCESS_EXCEPTIONS_SIG "(Ljava/lang/Throwable;Ljava/lang/Throwable;)Ljava/lang/Throwable;"
+#define SUPPORTS_IPV6_NAME "supportsIPV6"
+#define SUPPORTS_IPV6_SIG "()Z"
/*
* SSLCertificateApprovalCallback

13
jss-javadocs-param.patch
View File

@ -1,13 +0,0 @@
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java.orig 2008-01-18 16:39:46.000000000 -0500
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2009-06-05 11:08:54.000000000 -0400
@@ -116,7 +116,9 @@
}
/**
*
- * @param
+ * @param key
+ * @param kg
+ * @return
*/
public javax.crypto.SecretKey genSecretKey(String keyType, String provider){
javax.crypto.SecretKey key = null;

544
jss-key_pair_usage_with_op_flags.patch
View File

@ -1,544 +0,0 @@
diff -rupN jss-4.2.5/mozilla/security/jss/lib/jss.def jss-4.2.6/mozilla/security/jss/lib/jss.def
--- jss-4.2.5/mozilla/security/jss/lib/jss.def 2007-05-08 18:40:14.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-05-30 01:57:48.000000000 -0700
@@ -316,3 +316,12 @@ Java_org_mozilla_jss_ssl_SSLSocket_isFip
;+ local:
;+ *;
;+};
+;+JSS_4.2.6 { # JSS 4.2.6 release
+;+ global:
+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags;
+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags;
+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
+;+ local:
+;+ *;
+;+};
+
diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
--- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2005-11-14 14:15:06.000000000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2009-05-22 07:40:14.000000000 -0700
@@ -81,7 +81,6 @@ public class KeyPairGenerator {
genKeyPair() throws TokenException {
return engine.generateKeyPair();
}
-
/**
* @return The type of key that this generator generates.
*/
@@ -192,6 +191,15 @@ public class KeyPairGenerator {
engine.extractablePairs(extractable);
}
+ public void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages,
+ KeyPairGeneratorSpi.Usage[] usages_mask) {
+ engine.setKeyPairUsages(usages,usages_mask);
+ }
+
+
+
+
+
protected KeyPairAlgorithm algorithm;
protected KeyPairGeneratorSpi engine;
}
diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java
--- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2005-11-14 14:15:06.000000000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2009-05-30 03:24:31.000000000 -0700
@@ -60,4 +60,38 @@ public abstract class KeyPairGeneratorSp
public abstract void extractablePairs(boolean extractable);
public abstract boolean keygenOnInternalToken();
+
+ /**
+ * In PKCS #11, each keypair can be marked with the operations it will
+ * be used to perform. Some tokens require that a key be marked for
+ * an operation before the key can be used to perform that operation;
+ * other tokens don't care. NSS provides a way to specify a set of
+ * flags and a corresponding mask for these flags. If a specific usage
+ * is desired set the value for that usage. If it is not set, let NSS
+ * behave in it's default fashion. If a behavior is desired, also set
+ * that behavior in the mask as well as the flags.
+ *
+ */
+ public final static class Usage {
+ private Usage() { }
+ private Usage(int val) { this.val = val;}
+ private int val;
+
+ public int getVal() { return val; }
+
+ // these enums must match the
+ // and the opFlagForUsage list in PK11KeyPairGenerator.java
+ public static final Usage ENCRYPT = new Usage(0);
+ public static final Usage DECRYPT = new Usage(1);
+ public static final Usage SIGN = new Usage(2);
+ public static final Usage SIGN_RECOVER = new Usage(3);
+ public static final Usage VERIFY = new Usage(4);
+ public static final Usage VERIFY_RECOVER = new Usage(5);
+ public static final Usage WRAP = new Usage(6);
+ public static final Usage UNWRAP = new Usage(7);
+ public static final Usage DERIVE = new Usage(8);
+ }
+
+ public abstract void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages,
+ KeyPairGeneratorSpi.Usage[] usages_mask);
}
diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
--- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2006-02-22 17:21:42.000000000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2009-06-02 10:36:46.819581000 -0700
@@ -120,13 +120,11 @@ finish:
int PK11_NumberObjectsFor(PK11SlotInfo*, CK_ATTRIBUTE*, int);
-/*
- * make a common key gen function for both this file and PK11Token.c
- */
SECStatus
-JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
+JSS_PK11_generateKeyPairWithOpFlags(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk,
- void *params, PRBool temporary, jint sensitive, jint extractable)
+ void *params, PRBool temporary, jint sensitive, jint extractable,
+ jint op_flags, jint op_flags_mask)
{
PK11AttrFlags attrFlags = 0;
*privk=NULL;
@@ -173,12 +171,16 @@ JSS_PK11_generateKeyPair(JNIEnv *env, CK
} else {
attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC);
}
- *privk = PK11_GenerateKeyPairWithFlags(slot,
+
+ *privk = PK11_GenerateKeyPairWithOpFlags(slot,
mechanism,
params,
pubk,
attrFlags,
+ (CK_FLAGS) op_flags,
+ (CK_FLAGS) op_flags_mask/* the ones we don't want*/,
NULL /* default PW callback */ );
+
if( *privk == NULL ) {
int errLength;
char *errBuf;
@@ -217,13 +219,28 @@ finish:
return SECFailure;
}
+/*
+ * make a common key gen function for both this file and PK11Token.c
+ */
+SECStatus
+JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
+ PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk,
+ void *params, PRBool temporary, jint sensitive, jint extractable)
+{
+
+ return JSS_PK11_generateKeyPairWithOpFlags(env, mechanism, slot, pubk, privk, params, temporary, sensitive, extractable, 0, 0);
+}
+
+
/**********************************************************************
- * Local generic helper
+ * Local generic helpers
*/
+
static jobject
-PK11KeyPairGenerator(JNIEnv *env, jobject this, jobject token,
+PK11KeyPairGeneratorWithOpFlags(JNIEnv *env, jobject this, jobject token,
CK_MECHANISM_TYPE mechanism, void *params,
- jboolean temporary, jint sensitive, jint extractable)
+ jboolean temporary, jint sensitive, jint extractable,
+ jint op_flags, jint op_flags_mask)
{
PK11SlotInfo* slot;
SECKEYPrivateKey *privk=NULL;
@@ -242,8 +259,8 @@ PK11KeyPairGenerator(JNIEnv *env, jobjec
}
PR_ASSERT(slot != NULL);
- rv = JSS_PK11_generateKeyPair(env, mechanism, slot, &pubk, &privk,
- params, temporary, sensitive, extractable);
+ rv = JSS_PK11_generateKeyPairWithOpFlags(env, mechanism, slot, &pubk, &privk,
+ params, temporary, sensitive, extractable, op_flags, op_flags_mask);
if (rv != SECSuccess) {
goto finish;
}
@@ -267,6 +284,16 @@ finish:
return keyPair;
}
+static jobject
+PK11KeyPairGenerator(JNIEnv *env, jobject this, jobject token,
+ CK_MECHANISM_TYPE mechanism, void *params,
+ jboolean temporary, jint sensitive, jint extractable)
+{
+ return PK11KeyPairGeneratorWithOpFlags(env, this, token, mechanism, params, temporary, sensitive, extractable, 0, 0);
+}
+
+
+
/**********************************************************************
* PK11KeyPairGenerator.generateRSAKeyPair
*/
@@ -289,6 +316,30 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
&params, temporary, sensitive, extractable);
}
+/**********************************************************************
+ * PK11KeyPairGenerator.generateRSAKeyPairWithOpFlags
+ */
+JNIEXPORT jobject JNICALL
+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags
+ (JNIEnv *env, jobject this, jobject token, jint keySize, jlong publicExponent,
+ jboolean temporary, jint sensitive, jint extractable,
+ jint op_flags, jint op_flags_mask)
+{
+ PK11RSAGenParams params;
+
+ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL);
+
+ /**************************************************
+ * setup parameters
+ *************************************************/
+ params.keySizeInBits = keySize;
+ params.pe = publicExponent;
+
+ return PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_RSA_PKCS_KEY_PAIR_GEN,
+ &params, temporary, sensitive, extractable, op_flags, op_flags_mask);
+}
+
+
#define ZERO_SECITEM(item) {(item).len=0; (item).data=NULL;}
/**********************************************************************
@@ -339,6 +390,57 @@ finish:
return keyPair;
}
+/**********************************************************************
+ *
+ * PK11KeyPairGenerator.generateDSAKeyPair
+ *
+ */
+JNIEXPORT jobject JNICALL
+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags
+ (JNIEnv *env, jobject this, jobject token, jbyteArray P, jbyteArray Q,
+ jbyteArray G, jboolean temporary, jint sensitive, jint extractable,
+ jint op_flags, jint op_flags_mask)
+{
+ SECItem p, q, g;
+ PQGParams *params=NULL;
+ jobject keyPair=NULL;
+
+ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL && P!=NULL && Q!=NULL
+ && G!=NULL);
+
+ /* zero these so we can free them indiscriminately later */
+ ZERO_SECITEM(p);
+ ZERO_SECITEM(q);
+ ZERO_SECITEM(g);
+
+ /**************************************************
+ * Setup the parameters
+ *************************************************/
+ if( JSS_ByteArrayToOctetString(env, P, &p) ||
+ JSS_ByteArrayToOctetString(env, Q, &q) ||
+ JSS_ByteArrayToOctetString(env, G, &g) )
+ {
+ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
+ goto finish;
+ }
+ params = PK11_PQG_NewParams(&p, &q, &g);
+ if(params == NULL) {
+ JSS_throw(env, OUT_OF_MEMORY_ERROR);
+ goto finish;
+ }
+ keyPair = PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_DSA_KEY_PAIR_GEN,
+ params, temporary, sensitive, extractable,
+ op_flags, op_flags_mask);
+
+finish:
+ SECITEM_FreeItem(&p, PR_FALSE);
+ SECITEM_FreeItem(&q, PR_FALSE);
+ SECITEM_FreeItem(&g, PR_FALSE);
+ PK11_PQG_DestroyParams(params);
+ return keyPair;
+}
+
+
void
DumpItem(SECItem *item)
{
@@ -361,6 +463,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
(JNIEnv *env, jobject this, jobject token, jbyteArray Curve,
jboolean temporary, jint sensitive, jint extractable)
{
+
SECItem curve;
jobject keyPair=NULL;
@@ -385,3 +488,39 @@ finish:
SECITEM_FreeItem(&curve, PR_FALSE);
return keyPair;
}
+
+/**********************************************************************
+ *
+ * PK11KeyPairGenerator.generateECKeyPairWithOpFlags
+ *
+ */
+JNIEXPORT jobject JNICALL
+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags
+ (JNIEnv *env, jobject this, jobject token, jbyteArray Curve,
+ jboolean temporary, jint sensitive, jint extractable,
+ jint op_flags, jint op_flags_mask)
+{
+ SECItem curve;
+ jobject keyPair=NULL;
+
+ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL && Curve!=NULL );
+
+ /* zero these so we can free them indiscriminately later */
+ ZERO_SECITEM(curve);
+
+ /**************************************************
+ * Setup the parameters
+ *************************************************/
+ if( JSS_ByteArrayToOctetString(env, Curve, &curve))
+ {
+ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
+ goto finish;
+ }
+ keyPair = PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_EC_KEY_PAIR_GEN,
+ &curve, temporary, sensitive, extractable,
+ op_flags, op_flags_mask);
+
+finish:
+ SECITEM_FreeItem(&curve, PR_FALSE);
+ return keyPair;
+}
diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java
--- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2006-02-22 17:21:42.000000000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2009-05-30 05:30:25.000000000 -0700
@@ -55,6 +55,39 @@ public final class PK11KeyPairGenerator
extends org.mozilla.jss.crypto.KeyPairGeneratorSpi
{
+ // opFlag constants: each of these flags specifies a crypto operation
+ // the key will support. Their values must match the same-named C
+ // preprocessor macros defined in the PKCS #11 header pkcs11t.h.
+ private static final int CKF_ENCRYPT = 0x00000100;
+ private static final int CKF_DECRYPT = 0x00000200;
+ private static final int CKF_SIGN = 0x00000800;
+ private static final int CKF_SIGN_RECOVER = 0x00001000;
+ private static final int CKF_VERIFY = 0x00002000;
+ private static final int CKF_VERIFY_RECOVER = 0x00004000;
+ private static final int CKF_WRAP = 0x00020000;
+ private static final int CKF_UNWRAP = 0x00040000;
+ private static final int CKF_DERIVE = 0x00080000;
+
+ // A table for mapping SymmetricKey.Usage to opFlag. This must be
+ // synchronized with SymmetricKey.Usage.
+ private static final int opFlagForUsage[] = {
+ CKF_ENCRYPT, /* 0 */
+ CKF_DECRYPT, /* 1 */
+ CKF_SIGN, /* 2 */
+ CKF_SIGN_RECOVER, /* 3 */
+ CKF_VERIFY, /* 4 */
+ CKF_VERIFY_RECOVER, /* 5 */
+ CKF_WRAP, /* 6 */
+ CKF_UNWRAP, /* 7 */
+ CKF_DERIVE /* 8 */
+ };
+
+ // The crypto operations the key will support. It is the logical OR
+ // of the opFlag constants, each specifying a supported operation.
+ private int opFlags = 0;
+ private int opFlagsMask = 0;
+
+
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// Constructors
@@ -189,41 +222,45 @@ public final class PK11KeyPairGenerator
* Generates a key pair on a token. Uses parameters if they were passed
* in through a call to <code>initialize</code>, otherwise uses defaults.
*/
+
public KeyPair generateKeyPair()
throws TokenException
{
if(algorithm == KeyPairAlgorithm.RSA) {
if(params != null) {
RSAParameterSpec rsaparams = (RSAParameterSpec)params;
- return generateRSAKeyPair(
+ return generateRSAKeyPairWithOpFlags(
token,
rsaparams.getKeySize(),
rsaparams.getPublicExponent().longValue(),
temporaryPairMode,
sensitivePairMode,
- extractablePairMode);
+ extractablePairMode,
+ opFlags, opFlagsMask);
} else {
- return generateRSAKeyPair(
+ return generateRSAKeyPairWithOpFlags(
token,
DEFAULT_RSA_KEY_SIZE,
DEFAULT_RSA_PUBLIC_EXPONENT.longValue(),
temporaryPairMode,
sensitivePairMode,
- extractablePairMode);
+ extractablePairMode,
+ opFlags, opFlagsMask);
}
} else if(algorithm == KeyPairAlgorithm.DSA ) {
if(params==null) {
params = PQG1024;
}
DSAParameterSpec dsaParams = (DSAParameterSpec)params;
- return generateDSAKeyPair(
+ return generateDSAKeyPairWithOpFlags(
token,
PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getP()),
PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getQ()),
PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getG()),
temporaryPairMode,
sensitivePairMode,
- extractablePairMode);
+ extractablePairMode,
+ opFlags, opFlagsMask);
} else {
Assert._assert( algorithm == KeyPairAlgorithm.EC );
// requires JAVA 1.5 for ECParameters.
@@ -233,12 +270,14 @@ public final class PK11KeyPairGenerator
// ecParams.init(params);
PK11ParameterSpec ecParams = (PK11ParameterSpec) params;
- return generateECKeyPair(
+ return generateECKeyPairWithOpFlags(
token,
ecParams.getEncoded(), /* curve */
temporaryPairMode,
sensitivePairMode,
- extractablePairMode);
+ extractablePairMode,
+ opFlags,
+ opFlagsMask);
}
}
@@ -266,6 +305,17 @@ public final class PK11KeyPairGenerator
throws TokenException;
/**
+ * Generates an RSA key pair with the given size and public exponent.
+ * Adds the ability to specify a set of flags and masks
+ * to control how NSS generates the key pair.
+ */
+ private native KeyPair
+ generateRSAKeyPairWithOpFlags(PK11Token token, int keySize, long publicExponent,
+ boolean temporary, int sensitive, int extractable,
+ int op_flags, int op_flags_mask)
+ throws TokenException;
+
+ /**
* Generates a DSA key pair with the given P, Q, and G values.
* P, Q, and G are stored as big-endian twos-complement octet strings.
*/
@@ -275,6 +325,19 @@ public final class PK11KeyPairGenerator
throws TokenException;
/**
+ * Generates a DSA key pair with the given P, Q, and G values.
+ * P, Q, and G are stored as big-endian twos-complement octet strings.
+ * Adds the ability to specify a set of flags and masks
+ * to control how NSS generates the key pair.
+ */
+ private native KeyPair
+ generateDSAKeyPairWithOpFlags(PK11Token token, byte[] P, byte[] Q, byte[] G,
+ boolean temporary, int sensitive, int extractable,
+ int op_flags, int op_flags_mask)
+ throws TokenException;
+
+
+ /**
* Generates a EC key pair with the given a curve.
* Curves are stored as DER Encoded Parameters.
*/
@@ -282,6 +345,18 @@ public final class PK11KeyPairGenerator
generateECKeyPair(PK11Token token, byte[] Curve,
boolean temporary, int sensitive, int extractable)
throws TokenException;
+ /**
+ * Generates a EC key pair with the given a curve.
+ * Curves are stored as DER Encoded Parameters.
+ * Adds the ability to specify a set of flags and masks
+ * to control how NSS generates the key pair.
+ */
+
+ private native KeyPair
+ generateECKeyPairWithOpFlags(PK11Token token, byte[] Curve,
+ boolean temporary, int sensitive, int extractable,
+ int op_flags, int op_flags_mask)
+ throws TokenException;
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
@@ -397,6 +472,38 @@ public final class PK11KeyPairGenerator
extractablePairMode = extractable ? 1 : 0;
}
+ /**
+ * Sets the requested key usages desired for the
+ * generated key pair.
+ * This allows the caller to suggest how NSS generates the key pair.
+ * @param usages List of desired key usages.
+ * @param usages_mask Corresponding mask for the key usages.
+ * if a usages is desired, make sure it is in the mask as well.
+ */
+
+ public void setKeyPairUsages(org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usages,
+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usages_mask) {
+
+ this.opFlags = 0;
+ this.opFlagsMask = 0;
+
+ if(usages != null) {
+ for( int i = 0; i < usages.length; i++ ) {
+ if( usages[i] != null ) {
+ this.opFlags |= opFlagForUsage[usages[i].getVal()];
+ }
+ }
+ }
+
+ if(usages_mask != null) {
+ for( int i = 0; i < usages_mask.length; i++ ) {
+ if( usages_mask[i] != null ) {
+ this.opFlagsMask |= opFlagForUsage[usages_mask[i].getVal()];
+ }
+ }
+ }
+ }
+
//
// requires JAVA 1.5
//
diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h
--- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h 2006-02-22 17:21:42.000000000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h 2009-05-29 08:34:24.000000000 -0700
@@ -157,6 +157,12 @@ JSS_PK11_generateKeyPair(JNIEnv *env, CK
PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privK,
void *params, PRBool temporary, jint senstive, jint extractable);
+SECStatus
+JSS_PK11_generateKeyPair_withOpFlags(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
+ PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk,
+ void *params, PRBool temporary, jint sensitive, jint extractable,
+ jint op_flags, jint op_flags_mask);
+
/*=====================================================================
C E R T I F I C A T E S
=====================================================================*/

29
jss-loadlibrary.patch
View File

@ -1,29 +0,0 @@
diff -uN --recursive jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2008-01-31 17:29:16.000000000 -0500
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-01-07 10:47:04.000000000 -0500
@@ -1334,11 +1334,20 @@
*/
synchronized static void loadNativeLibraries()
{
- if( ! mNativeLibrariesLoaded )
- {
- System.loadLibrary("jss4");
- Debug.trace(Debug.VERBOSE, "jss library loaded");
- mNativeLibrariesLoaded = true;
+ if( ! mNativeLibrariesLoaded ) {
+ try {
+ System.load( "/usr/lib64/jss/libjss4.so" );
+ Debug.trace(Debug.VERBOSE, "jss library loaded");
+ mNativeLibrariesLoaded = true;
+ } catch( UnsatisfiedLinkError e ) {
+ try {
+ System.load( "/usr/lib/jss/libjss4.so" );
+ Debug.trace(Debug.VERBOSE, "jss library loaded");
+ mNativeLibrariesLoaded = true;
+ } catch( UnsatisfiedLinkError f ) {
+ Debug.trace(Debug.VERBOSE, "jss library load failed");
+ }
+ }
}
}
static private boolean mNativeLibrariesLoaded = false;

12
jss-lunasaUnwrap.patch
View File

@ -1,12 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2016-04-28 16:50:06.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2016-04-28 16:50:00.000000000 -0700
@@ -434,7 +434,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
isSensitive = PR_FALSE;
isExtractable = PR_FALSE;
} else if ( isLunasa) {
- isSensitive = PR_FALSE;
+ isSensitive = PR_TRUE;
isExtractable = PR_TRUE;
}

106
jss-ocspSettings.patch
View File

@ -1,106 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.orig jss-4.2.6/mozilla/security/jss/lib/jss.def
--- jss-4.2.6/mozilla/security/jss/lib/jss.def.orig 2009-11-04 14:26:26.000000000 -0800
+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-11-04 14:11:05.000000000 -0800
@@ -329,6 +329,8 @@ Java_org_mozilla_jss_pkcs11_PK11Token_ne
Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags;
Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags;
Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
+Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
+Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
;+ local:
;+ *;
;+};
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c.orig 2009-11-04 14:20:43.000000000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2009-11-05 10:48:32.590000000 -0800
@@ -976,3 +976,45 @@ Java_org_mozilla_jss_CryptoManager_confi
}
}
+
+/**********************************************************************
+* OCSPCacheSettingsNative
+*
+* Allows configuration of the OCSP responder cache during runtime.
+*/
+JNIEXPORT void JNICALL
+Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative(
+ JNIEnv *env, jobject this,
+ jint ocsp_cache_size,
+ jint ocsp_min_cache_entry_duration,
+ jint ocsp_max_cache_entry_duration)
+{
+ SECStatus rv = SECFailure;
+
+ rv = CERT_OCSPCacheSettings(
+ ocsp_cache_size, ocsp_min_cache_entry_duration,
+ ocsp_max_cache_entry_duration);
+
+ if (rv != SECSuccess) {
+ JSS_throwMsgPrErr(env,
+ GENERAL_SECURITY_EXCEPTION,
+ "Failed to set OCSP cache: error "+ PORT_GetError());
+ }
+}
+
+JNIEXPORT void JNICALL
+Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative(
+ JNIEnv *env, jobject this,
+ jint ocsp_timeout )
+{
+ SECStatus rv = SECFailure;
+
+ rv = CERT_SetOCSPTimeout(ocsp_timeout);
+
+ if (rv != SECSuccess) {
+ JSS_throwMsgPrErr(env,
+ GENERAL_SECURITY_EXCEPTION,
+ "Failed to set OCSP timeout: error "+ PORT_GetError());
+ }
+}
+
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.orig 2009-11-04 14:20:33.000000000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2009-11-05 10:48:59.415001000 -0800
@@ -1479,4 +1479,41 @@ public final class CryptoManager impleme
String ocspResponderCertNickname )
throws GeneralSecurityException;
+ /**
+ * change OCSP cache settings
+ * * @param ocsp_cache_size max cache entries
+ * * @param ocsp_min_cache_entry_duration minimum seconds to next fetch attempt
+ * * @param ocsp_max_cache_entry_duration maximum seconds to next fetch attempt
+ */
+ public void OCSPCacheSettings(
+ int ocsp_cache_size,
+ int ocsp_min_cache_entry_duration,
+ int ocsp_max_cache_entry_duration)
+ throws GeneralSecurityException
+ {
+ OCSPCacheSettingsNative(ocsp_cache_size,
+ ocsp_min_cache_entry_duration,
+ ocsp_max_cache_entry_duration);
+ }
+
+ private native void OCSPCacheSettingsNative(
+ int ocsp_cache_size,
+ int ocsp_min_cache_entry_duration,
+ int ocsp_max_cache_entry_duration)
+ throws GeneralSecurityException;
+
+ /**
+ * set OCSP timeout value
+ * * @param ocspTimeout OCSP timeout in seconds
+ */
+ public void setOCSPTimeout(
+ int ocsp_timeout )
+ throws GeneralSecurityException
+ {
+ setOCSPTimeoutNative( ocsp_timeout);
+ }
+
+ private native void setOCSPTimeoutNative(
+ int ocsp_timeout )
+ throws GeneralSecurityException;
}

345
jss-support-TLS1_1-TLS1_2.patch
View File

@ -1,345 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuSaved jss-4.2.6/mozilla/security/jss/lib/jss.def
--- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuSaved 2014-09-29 14:12:27.560206348 -0700
+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2014-09-29 14:12:34.376194464 -0700
@@ -334,6 +334,8 @@ Java_org_mozilla_jss_CryptoManager_setOC
Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid;
+Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange;
+Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault;
;+ local:
;+ *;
;+};
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfuSaved 2014-09-29 14:12:27.565206339 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2014-09-29 14:13:33.222091053 -0700
@@ -56,6 +56,105 @@
#endif
+/*
+ * support TLS v1.1 and v1.2
+ * sets default SSL version range for sockets created after this call
+ */
+JNIEXPORT void JNICALL
+Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault(JNIEnv *env,
+ jclass clazz, jint ssl_variant, jint min, jint max)
+{
+ SECStatus status;
+ SSLVersionRange vrange;
+
+ if (ssl_variant <0 || ssl_variant >= JSSL_enums_size||
+ min <0 || min >= JSSL_enums_size ||
+ max <0 || max >= JSSL_enums_size) {
+ char buf[128];
+ PR_snprintf(buf, 128, "JSS setSSLVersionRangeDefault(): for variant=%d min=%d max=%d failed - out of range for array JSSL_enums size: %d", JSSL_enums[ssl_variant], min, max, JSSL_enums_size);
+ JSSL_throwSSLSocketException(env, buf);
+ goto finish;
+ }
+
+ vrange.min = JSSL_enums[min];
+ vrange.max = JSSL_enums[max];
+
+ /* get supported range */
+ SSLVersionRange supported_range;
+ status = SSL_VersionRangeGetSupported(JSSL_enums[ssl_variant],
+ &supported_range);
+ if( status != SECSuccess ) {
+ char buf[128];
+ PR_snprintf(buf, 128, "SSL_VersionRangeGetSupported() for variant=%d failed: %d", JSSL_enums[ssl_variant], PR_GetError());
+ JSSL_throwSSLSocketException(env, buf);
+ goto finish;
+ }
+ /* now check the min and max */
+ if (vrange.min < supported_range.min ||
+ vrange.max > supported_range.max) {
+ char buf[128];
+ PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d out of range (%d:%d): %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, supported_range.min, supported_range.max, PR_GetError());
+ JSSL_throwSSLSocketException(env, buf);
+ goto finish;
+ }
+
+ /* set the default SSL Version Range */
+ status = SSL_VersionRangeSetDefault(JSSL_enums[ssl_variant],
+ &vrange);
+ if( status != SECSuccess ) {
+ char buf[128];
+ PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d failed: %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, PR_GetError());
+ JSSL_throwSSLSocketException(env, buf);
+ goto finish;
+ }
+
+finish:
+ return;
+}
+
+/*
+ * support TLS v1.1 and v1.2
+ * sets SSL version range for this socket
+ */
+JNIEXPORT void JNICALL
+Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange
+ (JNIEnv *env, jobject self, jint min, jint max)
+{
+ SECStatus status;
+ JSSL_SocketData *sock = NULL;
+ SSLVersionRange vrange;
+
+ if ( min <0 || min >= JSSL_enums_size ||
+ max <0 || max >= JSSL_enums_size) {
+ char buf[128];
+ PR_snprintf(buf, 128, "JSS setSSLVersionRange(): for max=%d failed - out of range for array JSSL_enums size: %d", min, max, JSSL_enums_size);
+ JSSL_throwSSLSocketException(env, buf);
+ goto finish;
+ }
+
+ /* get my fd */
+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
+ goto finish;
+ }
+
+ vrange.min = JSSL_enums[min];
+ vrange.max = JSSL_enums[max];
+
+ /*
+ * set the SSL Version Range
+ * The validity of the range will be checked by this NSS call
+ */
+ status = SSL_VersionRangeSet(sock->fd, &vrange);
+ if( status != SECSuccess ) {
+ JSSL_throwSSLSocketException(env, "SSL_VersionRangeSet failed");
+ goto finish;
+ }
+
+finish:
+ EXCEPTION_CHECK(env, sock)
+ return;
+}
+
JNIEXPORT void JNICALL
Java_org_mozilla_jss_ssl_SSLSocket_setSSLDefaultOption(JNIEnv *env,
jclass clazz, jint joption, jint on)
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java.cfuSaved 2014-09-29 14:12:27.566206338 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2014-09-29 14:12:34.377194462 -0700
@@ -36,6 +36,7 @@
package org.mozilla.jss.ssl;
+import java.lang.IllegalArgumentException;
import java.net.*;
import java.net.SocketException;
import java.net.SocketTimeoutException;
@@ -948,6 +949,63 @@ public class SSLSocket extends java.net.
setSSLDefaultOption(SocketBase.SSL_NO_CACHE, !b);
}
+ /*
+ * _min_enum and _max_enum should be one of the following:
+ * SocketBase.SSL_LIBRARY_VERSION_3_0
+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_0
+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_1
+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_2
+ */
+ public static class SSLVersionRange {
+ private int _min_enum;
+ private int _max_enum;
+ public static final int ssl3 = SocketBase.SSL_LIBRARY_VERSION_3_0;
+ public static final int tls1_0 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_0;
+ public static final int tls1_1 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_1;
+ public static final int tls1_2 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_2;
+ public SSLVersionRange(int min_enum, int max_enum)
+ throws IllegalArgumentException {
+ if ((min_enum >= SocketBase.SSL_LIBRARY_VERSION_3_0) &&
+ (max_enum <= SocketBase.SSL_LIBRARY_VERSION_TLS_1_2) &&
+ (min_enum <= max_enum)) {
+ _min_enum = min_enum;
+ _max_enum = max_enum;
+ } else {
+ throw new IllegalArgumentException("JSS SSLSocket SSLVersionRange: arguments out of range");
+ }
+ }
+
+ int getMinEnum() { return _min_enum; }
+ int getMaxEnum() { return _max_enum; }
+
+ }
+
+ public static class SSLProtocolVariant {
+ private int _enum;
+ private SSLProtocolVariant(int val) { _enum = val; }
+
+ int getEnum() { return _enum; }
+
+ public static final SSLProtocolVariant STREAM =
+ new SSLProtocolVariant(SocketBase.SSL_Variant_Stream);
+ public static final SSLProtocolVariant DATA_GRAM =
+ new SSLProtocolVariant(SocketBase.SSL_Variant_Datagram);
+
+ }
+
+ public static void setSSLVersionRangeDefault(SSLProtocolVariant ssl_variant, SSLVersionRange range)
+ throws SocketException
+ {
+ if (range == null)
+ throw new SocketException("setSSLVersionRangeDefault: range null");
+ setSSLVersionRangeDefault(ssl_variant.getEnum(), range.getMinEnum(), range.getMaxEnum());
+ }
+
+ /**
+ * Sets SSL Version Range Default
+ */
+ private static native void setSSLVersionRangeDefault(int ssl_variant, int min, int max)
+ throws SocketException;
private static void setSSLDefaultOption(int option, boolean on)
throws SocketException
@@ -1221,6 +1279,8 @@ public class SSLSocket extends java.net.
public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063;
public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065;
public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066;
+ public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067;
+ public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B;
// New TLS cipher suites in NSS 3.4
public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F;
@@ -1236,6 +1296,10 @@ public class SSLSocket extends java.net.
public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038;
public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039;
public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A;
+ public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003B;
+ public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C;
+ public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D;
+
public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041;
public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042;
@@ -1251,6 +1315,12 @@ public class SSLSocket extends java.net.
public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088;
public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089;
+ public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096;
+
+ public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C;
+ public final static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E;
+ public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2;
+
public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001;
public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002;
public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003;
@@ -1281,5 +1351,13 @@ public class SSLSocket extends java.net.
public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018;
public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019;
+ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023;
+ public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027;
+
+ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02B;
+ public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D;
+ public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02F;
+ public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031;
+
}
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java.cfuSaved 2014-09-29 14:12:27.564206341 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2014-09-29 14:12:34.378194460 -0700
@@ -114,6 +114,15 @@ class SocketBase {
static final int SSL_REQUIRE_ALWAYS = 19;
static final int SSL_REQUIRE_FIRST_HANDSHAKE = 20;
static final int SSL_REQUIRE_NO_ERROR = 21;
+ /* ssl/sslproto.h for supporting SSLVersionRange */
+ static final int SSL_LIBRARY_VERSION_2 = 22;
+ static final int SSL_LIBRARY_VERSION_3_0 = 23;
+ static final int SSL_LIBRARY_VERSION_TLS_1_0 = 24;
+ static final int SSL_LIBRARY_VERSION_TLS_1_1 = 25;
+ static final int SSL_LIBRARY_VERSION_TLS_1_2 = 26;
+ /* ssl/sslt.h */
+ static final int SSL_Variant_Stream = 27;
+ static final int SSL_Variant_Datagram = 28;
static final int SSL_AF_INET = 50;
@@ -190,6 +199,18 @@ class SocketBase {
native void setSSLOption(int option, int on)
throws SocketException;
+ void setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range)
+ throws SocketException
+ {
+ setSSLVersionRange(range.getMinEnum(), range.getMaxEnum());
+ }
+
+ /**
+ * Sets SSL Version Range for this socket to support TLS v1.1 and v1.2
+ */
+ native void setSSLVersionRange(int min, int max)
+ throws SocketException;
+
/**
* Sets the SSL option setting mode value use for options
* that have more values than just enable/diasable.
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c.cfuSaved 2014-09-29 14:12:27.562206345 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2014-09-29 14:12:34.378194460 -0700
@@ -38,6 +38,7 @@
#include <pk11func.h>
#include <ssl.h>
#include <sslerr.h>
+#include <sslproto.h>
#include <jssutil.h>
#include <jss_exceptions.h>
@@ -407,8 +408,16 @@ PRInt32 JSSL_enums[] = {
SSL_REQUIRE_ALWAYS, /* 19 */ /* ssl.h */
SSL_REQUIRE_FIRST_HANDSHAKE,/* 20 */ /* ssl.h */
SSL_REQUIRE_NO_ERROR, /* 21 */ /* ssl.h */
+ SSL_LIBRARY_VERSION_2, /* 22 */ /* sslproto.h */
+ SSL_LIBRARY_VERSION_3_0, /* 23 */ /* sslproto.h */
+ SSL_LIBRARY_VERSION_TLS_1_0, /* 24 */ /* sslproto.h */
+ SSL_LIBRARY_VERSION_TLS_1_1, /* 25 */ /* sslproto.h */
+ SSL_LIBRARY_VERSION_TLS_1_2, /* 26 */ /* sslproto.h */
+ ssl_variant_stream, /* 27 */ /* sslt.h */
+ ssl_variant_datagram, /* 28 */ /* sslt.h */
0
};
+
JNIEXPORT void JNICALL
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h.cfuSaved 2014-09-29 14:12:27.563206343 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h 2014-09-29 14:13:59.605044228 -0700
@@ -111,6 +111,7 @@ JSSL_DestroySocketData(JNIEnv *env, JSSL
extern PRInt32 JSSL_enums[];
+#define JSSL_enums_size 29
JSSL_SocketData*
JSSL_CreateSocketData(JNIEnv *env, jobject sockObj, PRFileDesc* newFD,
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java.cfuSaved 2014-09-29 14:12:27.567206336 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java 2014-09-29 14:12:34.379194458 -0700
@@ -149,6 +149,21 @@ public interface Constants {
/*52*/ new cipher(SSLSocket.SSL2_DES_64_CBC_WITH_MD5, "SSL2_DES_64_CBC_WITH_MD5"),
/*53*/ new cipher(SSLSocket.SSL2_RC4_128_EXPORT40_WITH_MD5, "SSL2_RC4_128_EXPORT40_WITH_MD5"),
/*54*/ new cipher(SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"),
+/*55*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"),
+/*56*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"),
+/*57*/ new cipher(SSLSocket.TLS_RSA_WITH_NULL_SHA256, "TLS_RSA_WITH_NULL_SHA256"),
+/*58*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256"),
+/*59*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256"),
+/*60*/ new cipher(SSLSocket.TLS_RSA_WITH_SEED_CBC_SHA, "TLS_RSA_WITH_SEED_CBC_SHA"),
+/*61*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256"),
+/*62*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"),
+/*63*/ new cipher(SSLSocket.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"),
+/*64*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"),
+/*65*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
+/*66*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
+/*67*/ new cipher(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"),
+/*68*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
+/*69*/ new cipher(SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256")
};
/** Cipher supported by JSSE (JDK 1.5.x) */

1855
jss-symkey-enhancements.patch
View File

File diff suppressed because it is too large Load Diff

13
jss-undo-BadPaddingException-deprecation.patch
View File

@ -1,13 +0,0 @@
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java 2004-04-25 08:02:21.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java 2012-03-30 16:17:30.748371000 -0700
@@ -35,9 +35,6 @@
* ***** END LICENSE BLOCK ***** */
package org.mozilla.jss.crypto;
-/**
- * @deprecated Use javax.crypto.BadPaddingException.
- */
public class BadPaddingException extends Exception {
public BadPaddingException() {
super();

171
jss-undo-JCA-deprecations.patch
View File

@ -1,171 +0,0 @@
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2012-03-20 16:30:26.570338000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2012-03-20 16:39:59.083196000 -0700
@@ -49,7 +49,6 @@ import org.mozilla.jss.util.Assert;
* it is not necessary to call <code>update</code> if all of the data is
* available at once. In this case, all of the input can be processed with one
* call to <code>doFinal</code>.
- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
*/
public abstract class Cipher {
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2012-03-20 16:30:26.587338000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2012-03-20 16:41:54.792964000 -0700
@@ -60,7 +60,6 @@ public interface CryptoToken {
* @param algorithm The algorithm used for the signing/verification.
* @exception java.security.NoSuchAlgorithmException If the given
* algorithm is not supported by this provider.
- * @deprecated Use the JCA interface instead ({@link java.security.Signature})
*/
public abstract org.mozilla.jss.crypto.Signature
getSignatureContext(SignatureAlgorithm algorithm)
@@ -73,7 +72,6 @@ public interface CryptoToken {
* @param algorithm The algorithm used for digesting.
* @exception java.security.NoSuchAlgorithmException If this provider
* does not support the given algorithm.
- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest})
*/
public abstract JSSMessageDigest
getDigestContext(DigestAlgorithm algorithm)
@@ -89,15 +87,11 @@ public interface CryptoToken {
* @param algorithm The algorithm used for encryption/decryption.
* @exception java.security.NoSuchAlgorithmException If this provider
* does not support the given algorithm.
- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
*/
public abstract Cipher
getCipherContext(EncryptionAlgorithm algorithm)
throws java.security.NoSuchAlgorithmException, TokenException;
- /**
- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
- */
public abstract KeyWrapper
getKeyWrapper(KeyWrapAlgorithm algorithm)
throws java.security.NoSuchAlgorithmException, TokenException;
@@ -123,7 +117,6 @@ public interface CryptoToken {
* @param algorithm The algorithm that the keys will be used with.
* @exception java.security.NoSuchAlgorithmException If this token does not
* support the given algorithm.
- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator})
*/
public abstract KeyGenerator
getKeyGenerator(KeyGenAlgorithm algorithm)
@@ -136,7 +129,6 @@ public interface CryptoToken {
* cannot be extracted from the current token.
* @exception InvalidKeyException If the owning token cannot process
* the key to be cloned.
- * @deprecated Use the JCA interface instead ({@link javax.crypto.SecretKeyFactory})
*/
public SymmetricKey cloneKey(SymmetricKey key)
throws SymmetricKey.NotExtractableException,
@@ -151,7 +143,6 @@ public interface CryptoToken {
* DSA, EC, etc.)
* @exception java.security.NoSuchAlgorithmException If this token does
* not support the given algorithm.
- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})
*/
public abstract KeyPairGenerator
getKeyPairGenerator(KeyPairAlgorithm algorithm)
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2012-03-20 16:30:26.595338000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2012-03-20 16:38:31.987370000 -0700
@@ -41,7 +41,6 @@ import java.security.InvalidKeyException
/**
* A class for performing message digesting (hashing) and MAC operations.
- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest})
*/
public abstract class JSSMessageDigest {
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java 2004-04-25 08:02:21.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java 2012-03-20 16:39:02.938308000 -0700
@@ -38,7 +38,6 @@ package org.mozilla.jss.crypto;
/**
* An interface for secure random numbers.
- * @deprecated Use the JCA interface instead ({@link java.security.SecureRandom})
*/
public interface JSSSecureRandom {
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java 2005-11-14 14:15:06.000000000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java 2012-03-20 16:39:19.687274000 -0700
@@ -43,7 +43,6 @@ import java.io.CharConversionException;
/**
* Generates symmetric keys for encryption and decryption.
- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator})
*/
public interface KeyGenerator {
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2012-03-20 16:30:25.755340000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2012-03-20 16:38:03.635426000 -0700
@@ -49,7 +49,6 @@ import java.security.spec.AlgorithmParam
* <code>keygenOnInternalToken</code> to find out if this is happening.
*
* @see org.mozilla.jss.crypto.CryptoToken#getKeyPairGenerator
- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})
*/
public class KeyPairGenerator {
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2004-04-25 08:02:21.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2012-03-20 16:39:40.551232000 -0700
@@ -40,9 +40,6 @@ import java.security.InvalidAlgorithmPar
import java.security.PublicKey;
import java.security.InvalidKeyException;
-/**
- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
- */
public interface KeyWrapper {
public void initWrap(SymmetricKey wrappingKey,
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java 2004-04-25 08:02:21.000000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java 2012-03-20 16:38:46.468340000 -0700
@@ -44,7 +44,6 @@ import java.security.spec.AlgorithmParam
* Instances of this class can be obtain from <code>CryptoToken</code>s.
*
* @see org.mozilla.jss.crypto.CryptoToken#getSignatureContext
- * @deprecated Use the JCA interface instead ({@link java.security.Signature})
*/
public class Signature {
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java 2005-11-23 15:40:26.000000000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java 2012-03-20 16:35:13.653766000 -0700
@@ -37,15 +37,10 @@
/* This program demonstrates how to sign data with keys from JSS
*
- * Most of this code is deprecated look at JCASigTest.java
- *
* The token name can be either the name of a hardware token, or
* one of the internal tokens:
* Internal Crypto Services Token
* Internal Key Storage Token (keys stored in key3.db)
- *
- * @see org.mozilla.jss.tests.JCASigTest
- * @deprecated Use the JCA interface instead
*/
package org.mozilla.jss.tests;
diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl
--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl 2007-12-20 10:38:44.000000000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl 2012-03-20 16:36:37.711598000 -0700
@@ -534,6 +534,10 @@ $testname = "Mozilla-JSS JCA Signature "
$command = "$java -cp $jss_classpath org.mozilla.jss.tests.JCASigTest $testdir $pwfile";
run_test($testname, $command);
+$testname = "Mozilla-JSS NSS Signature ";
+$command = "$java -cp $jss_classpath org.mozilla.jss.tests.SigTest $testdir $pwfile";
+run_test($testname, $command);
+
$testname = "Secret Decoder Ring";
$command = "$java -cp $jss_classpath org.mozilla.jss.tests.TestSDR $testdir $pwfile";
run_test($testname, $command);

14
jss-unwrap-AES-sym-keys-on-token.patch
View File

@ -1,14 +0,0 @@
diff -up ./jss-4.2.6.aes/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.aes ./jss-4.2.6.aes/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
--- ./jss-4.2.6.aes/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.aes 2017-01-03 17:14:57.642278989 -0800
+++ ./jss-4.2.6.aes/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2017-01-03 17:44:03.220626460 -0800
@@ -617,7 +617,9 @@ final class PK11KeyWrapper implements Ke
return EncryptionAlgorithm.DES3_ECB;
} else if( type == SymmetricKey.RC4 ) {
return EncryptionAlgorithm.RC4;
- } else {
+ } else if( type == SymmetricKey.AES ) {
+ return EncryptionAlgorithm.AES_128_ECB;
+ } else {
Assert._assert( type == SymmetricKey.RC2 );
return EncryptionAlgorithm.RC2_CBC;
}

158
jss-wrapInToken.patch
View File

@ -1,158 +0,0 @@
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-10-18 09:16:08.362000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-10-19 17:55:01.162000000 -0700
@@ -283,8 +283,9 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
status = PK11_WrapPrivKey(slot, wrapping, toBeWrapped, mech, param,
&wrapped, NULL /* wincx */ );
if(status != SECSuccess) {
- JSS_throwMsg(env, TOKEN_EXCEPTION,
- "Wrapping operation failed on token");
+ char err[256] = {0};
+ PR_snprintf(err, 256, "Wrapping operation failed on token:%d", PR_GetError());
+ JSS_throwMsg(env, TOKEN_EXCEPTION, err);
goto finish;
}
PR_ASSERT(wrapped.len>0 && wrapped.data!=NULL);
@@ -328,11 +329,15 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
int numAttribs = 0;
CK_TOKEN_INFO tokenInfo;
+ /* ideal defaults */
PRBool isSensitive = PR_TRUE;
PRBool isExtractable = PR_FALSE;
- /* special case nethsm*/
+
+ /* special case nethsm and lunasa*/
CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
+ CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'};
PRBool isNethsm = PR_TRUE;
+ PRBool isLunasa = PR_TRUE;
if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
/* exception was thrown */
@@ -347,9 +352,17 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
break;
}
}
+ ix = 0;
+ for(ix=0; ix < 4; ix++) {
+ if (tokenInfo.label[ix] != lunasaLabel[ix]) {
+ isLunasa = PR_FALSE;
+ break;
+ }
+ }
} else {
isNethsm = PR_FALSE;
+ isLunasa = PR_FALSE;
}
/* get unwrapping key */
@@ -412,23 +425,25 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
}
keyType = PK11_GetKeyType(keyTypeMech, 0);
+ /* special case nethsm and lunasa*/
if( isNethsm ) {
isSensitive = PR_FALSE;
isExtractable = PR_FALSE;
+ } else if ( isLunasa) {
+ isSensitive = PR_FALSE;
+ isExtractable = PR_TRUE;
}
-setAttrs:
/* figure out which operations to enable for this key */
switch (keyType) {
case CKK_RSA:
+ numAttribs = 3;
attribs[0] = CKA_SIGN;
attribs[1] = CKA_SIGN_RECOVER;
attribs[2] = CKA_UNWRAP;
if (isExtractable) {
attribs[3] = CKA_EXTRACTABLE;
numAttribs = 4;
- } else {
- numAttribs = 3;
}
break;
case CKK_DSA:
@@ -459,7 +474,9 @@ setAttrs:
&label, pubValue, token, isSensitive /*sensitive*/, keyType,
attribs, numAttribs, NULL /*wincx*/);
if( privk == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token");
+ char err[256] = {0};
+ PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError());
+ JSS_throwMsg(env, TOKEN_EXCEPTION, err);
goto finish;
}
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfu 2011-10-18 15:29:50.597000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2011-10-18 15:49:40.073000000 -0700
@@ -322,10 +322,13 @@ final class PK11KeyWrapper implements Ke
throw new InvalidKeyException("key to be wrapped is not a "+
"PKCS #11 key");
}
+/* NSS is capable of moving keys appropriately,
+ so this call is prematurely bailing
if( ! symKey.getOwningToken().equals(token) ) {
throw new InvalidKeyException("key to be wrapped does not live"+
" on the same token as the wrapping key");
}
+*/
}
/**
@@ -340,10 +343,13 @@ final class PK11KeyWrapper implements Ke
throw new InvalidKeyException("key to be wrapped is not a "+
"PKCS #11 key");
}
+/* NSS is capable of moving keys appropriately,
+ so this call is prematurely bailing
if( ! privKey.getOwningToken().equals(token) ) {
throw new InvalidKeyException("key to be wrapped does not live"+
" on the same token as the wrapping key");
}
+*/
}
/**
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.cfu 2011-10-18 14:34:32.148000000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-10-18 14:35:20.402000000 -0700
@@ -135,10 +135,13 @@ public final class PK11Token implements
getKeyWrapper(KeyWrapAlgorithm algorithm)
throws NoSuchAlgorithmException, TokenException
{
+/* NSS is capable of finding the right token to do algorithm,
+ so this call is prematurely bailing
if( ! doesAlgorithm(algorithm) ) {
throw new NoSuchAlgorithmException(
algorithm+" is not supported by this token");
}
+*/
return new PK11KeyWrapper(this, algorithm);
}
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.cfu 2011-10-18 09:24:13.796001000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java 2011-10-18 15:41:24.687000000 -0700
@@ -243,7 +243,7 @@ public class EncryptedPrivateKeyInfo imp
}
KeyWrapper wrapper = token.getKeyWrapper(
- KeyWrapAlgorithm.DES3_CBC);
+ KeyWrapAlgorithm.DES3_CBC_PAD);
wrapper.initWrap(key, params);
byte encrypted[] = wrapper.wrap(pri);
@@ -260,6 +260,7 @@ public class EncryptedPrivateKeyInfo imp
return epki;
} catch (Exception e) {
+ System.out.println("createPBE: exception:"+e.toString());
Assert.notReached("EncryptedPrivateKeyInfo exception:"
+".createPBE");
}

20
jss.spec
View File

@ -11,6 +11,7 @@ License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/jss/
# The source for this package was pulled from upstream's hg. Use the
# following commands to generate the tarball:
#
# hg clone --rev JSS_4_4_0_RTM https://hg.mozilla.org/projects/jss jss-4.4.0/jss
# rm -rf jss-4.4.0/jss/.hg
# if the tarball is Beta, set this define in 'org/mozilla/jss/util/jssver.h':
@ -19,9 +20,16 @@ URL: http://www.mozilla.org/projects/security/pki/jss/
# #define JSS_BETA PR_FALSE
# tar -czvf jss-4.4.0.tar.gz jss-4.4.0
#
# For now util the JSS_4_4_0_RTM tag is created I actually used:
# hg clone --rev b1c6660e7e71 https://hg.mozilla.org/projects/jss jss-4.4.0/jss
# This is from upstream tip
# For now until the JSS_4_4_0_RTM tag is created I actually used:
# hg clone --rev d48f63b92b05 https://hg.mozilla.org/projects/jss jss-4.4.0/jss
# This is from upstream tip as of Mon, 13 Mar 2017 11:49:51 -0700
# https://hg.mozilla.org/projects/jss/rev/d48f63b92b0538e47e867122c475cfbc1334f7c9
#
# Alternatively (if using 'default' hg tip):
#
# hg clone https://hg.mozilla.org/projects/jss
# cd jss
# hg archive --prefix jss-4.4.0/jss/ ../jss-4.4.0.tar.gz
#
Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/%{name}-%{version}.tar.gz
Source1: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/MPL-1.1.txt
@ -114,7 +122,7 @@ cp -p %{SOURCE3} .
# jars
install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
# NOTE: if doing a debug no opt build change xpclass.jar to xpclass_debug.jar
# NOTE: if doing a debug no opt build change xpclass.jar to xpclass_dbg.jar
install -m 644 dist/xpclass.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
# We have to use the name libjss4.so because this is dynamically
@ -149,8 +157,8 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Sat Mar 11 2017 Elio Maldonado <emaldona@redhat.com> - 4.4.0-0.1
- Experimental build to rebase to jss-4.4.0
* Mon Mar 13 2017 Elio Maldonado <emaldona@redhat.com> - 4.4.0-1
- Bugzilla Bug #1431937 - Rebase jss to 4.4.0 in Fedora 25+
- ## JSS 4.4.0 includes the following patches ported from downstream:
- Mozilla Bugzilla #507536 - Add IPv6 functionality to JSS
- Mozilla Bugzilla #1307872 - Expose NSS calls for OCSP settings

2
sources
View File

@ -1 +1 @@
SHA512 (jss-4.2.6.tar.gz) = 5827c0fd192f0ec52798df2304619367c67366bfe19e8dc7bd0aa882efa6c62afbc5e9ae576d168f9666a9af1de66334995c9411f0f60623e752af5fe1194915
SHA512 (jss-4.4.0.tar.gz) = 2a3c6c3a5f0b3fe5b0a503a04ce0fa3475e5e79f5f34ab4318384f22c4f0689d183585b861624200143161e4ff5c7a6dead81ed2824e39bd7df74804dbcace21