From 35b26e7d854378d34e6d17620d252bb5ba3ee710 Mon Sep 17 00:00:00 2001 
From: Matthew Harmsen Date: Tue, 14 Mar 2017 00:32:36 -0600 Subject: [PATCH] Resolves: rhbz #1431937 - Bugzilla Bug #1431937 - Rebase jss to 4.4.0 in Fedora 25+ - ## JSS 4.4.0 includes the following patches ported from downstream: - Mozilla Bugzilla #507536 - Add IPv6 functionality to JSS - Mozilla Bugzilla #1307872 - Expose NSS calls for OCSP settings - Mozilla Bugzilla #1307882 - RFE ecc - add ecc curve name support in JSS an CS interface - Mozilla Bugzilla #1307993 - Expose updated certificate verification functi in JSS - Mozilla Bugzilla #1308000 - Incorrect socket accept error message due to b pointer arithmetic - Mozilla Bugzilla #1308001 - Verification should fail when a revoked certificate is added - Mozilla Bugzilla #1308004 - Warnings should be cleaned up in JSS build - Mozilla Bugzilla #1308006 - DRM failed to recovery keys when in FIPS mode (HSM + NSS) - Mozilla Bugzilla #1308008 - Defects revealed by Coverity scan - Mozilla Bugzilla #1308009 - Add support for PKCS5v2; support for secure PK - Mozilla Bugzilla #1308012 - DRM: during archiving and recovering, wrapping unwrapping keys should be done in the token - Mozilla Bugzilla #1308013 - JSS - HSM token name was mistaken for manufacturer identifier - Mozilla Bugzilla #1308017 - Un-deprecate previously deprecated methods in JSS 4.2.6 - Mozilla Bugzilla #1308019 - Provide Tomcat support for TLS v1.1 and TLS v1.2 via NSS through JSS - Mozilla Bugzilla #1308026 - JSS certificate validation does not pass up ex error from NSS - Mozilla Bugzilla #1308027 - Merge pki-symkey into jss - Mozilla Bugzilla #1308029 - Resolve Javadoc build issues - Mozilla Bugzilla #1308047 - support ECC encryption key archival and recove - Mozilla Bugzilla #1313122 - Remove bypass tests as latest NSS has removed PKCS#11 bypass support - Mozilla Bugzilla #1328675 - Simple problem unwrapping AES sym keys on toke - Mozilla Bugzilla #1345174 - Cannot create system certs when using LunaSA H in FIPS Mode and ECC algorithms - Mozilla 
Bugzilla #1345613 - expose AES KeyWrap and add some useful OID functions - Mozilla Bugzilla #1346410 - Load JSS libraries appropriately - ## JSS 4.4.0 includes the following changes for building and testing: - Mozilla Bugzilla #1331765 - Simplify JSS Makefile build and test - Mozilla Bugzilla #1346420 - Document steps required to use the proper libjss4.so when running certain HMAC Algorithms tests --- .gitignore | 1 + jss-ECC-HSM-FIPS.patch | 62 - jss-ECC-Phase2KeyArchivalRecovery.patch | 451 ---- jss-ECC-pop.patch | 29 - jss-ECC_keygen_byCurveName.patch | 490 ----- jss-Fixed-build-failures.patch | 349 ---- jss-HSM-manufacturerID.patch | 62 - jss-PBE-PKCS5-V2-secure-P12.patch | 328 --- jss-PKCS12-FIPS.patch | 80 - jss-RC4-strengh-verify.patch | 12 - jss-SHA-OID-fix.patch | 12 - jss-VerifyCertificate-enhancement.patch | 204 -- jss-VerifyCertificate.patch | 220 -- jss-VerifyCertificateReturnCU.patch | 227 -- jss-WindowsCompileFix.patch | 32 - jss-WindowsLoadLibrary.patch | 30 - jss-bad-error-string-pointer.patch | 27 - jss-crmf-envelopedData.patch | 33 - jss-eliminate-java-compiler-warnings.patch | 641 ------ jss-eliminate-native-compiler-warnings.patch | 621 ------ jss-eliminate-native-coverity-defects.patch | 253 --- jss-fixed-build-issue-on-F17-or-newer.patch | 23 - jss-ipv6.patch | 623 ------ jss-javadocs-param.patch | 13 - jss-key_pair_usage_with_op_flags.patch | 544 ----- jss-loadlibrary.patch | 29 - jss-lunasaUnwrap.patch | 12 - jss-ocspSettings.patch | 106 - jss-support-TLS1_1-TLS1_2.patch | 345 --- jss-symkey-enhancements.patch | 1855 ----------------- ...undo-BadPaddingException-deprecation.patch | 13 - jss-undo-JCA-deprecations.patch | 171 -- jss-unwrap-AES-sym-keys-on-token.patch | 14 - jss-wrapInToken.patch | 158 -- jss.spec | 20 +- sources | 2 +- 36 files changed, 16 insertions(+), 8076 deletions(-) delete mode 100644 jss-ECC-HSM-FIPS.patch delete mode 100644 jss-ECC-Phase2KeyArchivalRecovery.patch delete mode 100644 jss-ECC-pop.patch delete mode 100644 
jss-ECC_keygen_byCurveName.patch
 delete mode 100644 jss-Fixed-build-failures.patch
 delete mode 100644 jss-HSM-manufacturerID.patch
 delete mode 100644 jss-PBE-PKCS5-V2-secure-P12.patch
 delete mode 100644 jss-PKCS12-FIPS.patch
 delete mode 100644 jss-RC4-strengh-verify.patch
 delete mode 100644 jss-SHA-OID-fix.patch
 delete mode 100644 jss-VerifyCertificate-enhancement.patch
 delete mode 100644 jss-VerifyCertificate.patch
 delete mode 100644 jss-VerifyCertificateReturnCU.patch
 delete mode 100644 jss-WindowsCompileFix.patch
 delete mode 100644 jss-WindowsLoadLibrary.patch
 delete mode 100644 jss-bad-error-string-pointer.patch
 delete mode 100644 jss-crmf-envelopedData.patch
 delete mode 100644 jss-eliminate-java-compiler-warnings.patch
 delete mode 100644 jss-eliminate-native-compiler-warnings.patch
 delete mode 100644 jss-eliminate-native-coverity-defects.patch
 delete mode 100644 jss-fixed-build-issue-on-F17-or-newer.patch
 delete mode 100644 jss-ipv6.patch
 delete mode 100644 jss-javadocs-param.patch
 delete mode 100644 jss-key_pair_usage_with_op_flags.patch
 delete mode 100644 jss-loadlibrary.patch
 delete mode 100644 jss-lunasaUnwrap.patch
 delete mode 100644 jss-ocspSettings.patch
 delete mode 100644 jss-support-TLS1_1-TLS1_2.patch
 delete mode 100644 jss-symkey-enhancements.patch
 delete mode 100644 jss-undo-BadPaddingException-deprecation.patch
 delete mode 100644 jss-undo-JCA-deprecations.patch
 delete mode 100644 jss-unwrap-AES-sym-keys-on-token.patch
 delete mode 100644 jss-wrapInToken.patch
diff --git a/.gitignore b/.gitignore
index 3dc4274..0332477 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 jss-4.2.6.tar.gz
 /jss-4.2.6.tar.gz
+/jss-4.4.0.tar.gz
diff --git a/jss-ECC-HSM-FIPS.patch b/jss-ECC-HSM-FIPS.patch
deleted file mode 100644
index 739c930..0000000
--- a/jss-ECC-HSM-FIPS.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig 2011-05-18 10:01:36.792151000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-05-18 10:06:07.483691000 -0700
-@@ -110,6 +110,7 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
- /* 47 */ {SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE, SEC_OID_TAG},
- /* 48 */ {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG},
- /* 49 */ {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG},
-+/* 50 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
- /* REMEMBER TO UPDATE NUM_ALGS!!! */
- };
- 
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig 2011-05-18 10:01:43.561164000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2011-05-18 10:06:07.489690000 -0700
-@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
- JSS_AlgType type;
- } JSS_AlgInfo;
- 
--#define NUM_ALGS 50
-+#define NUM_ALGS 51
- 
- extern JSS_AlgInfo JSS_AlgTable[];
- extern CK_ULONG JSS_symkeyUsage[];
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig 2011-05-18 10:01:51.232179000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2011-05-18 10:06:07.493690000 -0700
-@@ -232,5 +232,6 @@ public class Algorithm {
- protected static final short SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47;
- protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
- protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
-+ protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50;
- 
- }
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig 2011-05-18 10:02:01.056198000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java 2011-05-18 13:46:33.452948000 -0700
-@@ -94,7 +94,12 @@ public class KeyPairAlgorithm extends Al
- DSAFamily = new Algorithm(SEC_OID_ANSIX9_DSA_SIGNATURE, "DSA");
- 
- public static final Algorithm
-- ECFamily = new Algorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY, "EC");
-+
-+// To support both ECDSA and ECDH, it is best to provide two EC Families;
-+// However, since there is no token that does only CKM_DERIVE to
-+// date, we will just do ECDSA for now as it is sufficient enough today.
-+// This fix will support tokens that do not do ECDH
-+ ECFamily = new Algorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, "EC");
- 
- public static final KeyPairAlgorithm
- RSA = new KeyPairAlgorithm(CKM_RSA_PKCS_KEY_PAIR_GEN, "RSA", RSAFamily);
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig 2011-05-18 10:02:10.696218000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java 2011-05-18 10:06:07.496691000 -0700
-@@ -124,7 +124,7 @@ public class SignatureAlgorithm extends
- * operates on its input, which should be a hash.
- */
- public static final SignatureAlgorithm
-- ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY,
-+ ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST,
- "EC",
- null, null, ANSI_X962_OID.subBranch(2).subBranch(1) );
- 
diff --git a/jss-ECC-Phase2KeyArchivalRecovery.patch b/jss-ECC-Phase2KeyArchivalRecovery.patch
deleted file mode 100644
index 1bcc238..0000000
--- a/jss-ECC-Phase2KeyArchivalRecovery.patch
+++ /dev/null
@@ -1,451 +0,0 @@ -diff -up jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig jss-4.2.6/mozilla/security/jss/build_java.pl ---- jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig 2012-03-19 17:48:57.615048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/build_java.pl 2012-03-19 17:48:53.250052000 -0700 -@@ -19,6 +19,7 @@ org.mozilla.jss.crypto.Algorithm - org.mozilla.jss.crypto.EncryptionAlgorithm - org.mozilla.jss.crypto.PQGParams - org.mozilla.jss.crypto.SecretDecoderRing -+org.mozilla.jss.asn1.ASN1Util - org.mozilla.jss.pkcs11.CertProxy - org.mozilla.jss.pkcs11.CipherContextProxy - org.mozilla.jss.pkcs11.PK11Module -diff -up jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/config.mk ---- jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig 2012-03-19 17:48:57.535048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/lib/config.mk 2012-03-19 17:48:53.264052000 -0700 -@@ -44,6 +44,7 @@ SHARED_LIBRARY_DIRS = \ - ../org/mozilla/jss/SecretDecoderRing \ - ../org/mozilla/jss \ - ../org/mozilla/jss/pkcs11 \ -+ ../org/mozilla/jss/asn1 \ - ../org/mozilla/jss/ssl \ - ../org/mozilla/jss/util \ - ../org/mozilla/jss/provider/java/security \ -diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig jss-4.2.6/mozilla/security/jss/lib/jss.def ---- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig 2012-03-19 17:48:57.362048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2012-03-19 17:48:53.278052000 -0700 -@@ -333,6 +333,7 @@ Java_org_mozilla_jss_CryptoManager_OCSPC - Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; - Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; - Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative; -+Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid; - ;+ local: - ;+ *; - ;+}; -diff -up jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/rules.mk ---- jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig 2012-03-19 17:48:57.574049000 
-0700 -+++ jss-4.2.6/mozilla/security/jss/lib/rules.mk 2012-03-19 17:48:53.288052000 -0700 -@@ -41,6 +41,7 @@ release_sanitize:: - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsscrypto$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssmanage$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspkcs11$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) -+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssasn1$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspolicy$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssssl$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssutil$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) -@@ -48,6 +49,7 @@ ifeq ($(OS_ARCH),WINNT) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsscrypto$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssmanage$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspkcs11$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) -+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssasn1$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspolicy$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssssl$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssutil$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) -diff -up 
jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig 2012-03-19 17:48:57.381048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c 2012-03-19 17:51:32.433893000 -0700 -@@ -0,0 +1,97 @@ -+/* ***** BEGIN LICENSE BLOCK ***** -+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 -+ * -+ * The contents of this file are subject to the Mozilla Public License Version -+ * 1.1 (the "License"); you may not use this file except in compliance with -+ * the License. You may obtain a copy of the License at -+ * http://www.mozilla.org/MPL/ -+ * -+ * Software distributed under the License is distributed on an "AS IS" basis, -+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -+ * for the specific language governing rights and limitations under the -+ * License. -+ * -+ * The Original Code is the Netscape Security Services for Java. -+ * -+ * The Initial Developer of the Original Code is -+ * Netscape Communications Corporation. -+ * Portions created by the Initial Developer are Copyright (C) 1998-2000 -+ * the Initial Developer. All Rights Reserved. -+ * -+ * Contributor(s): -+ * -+ * Alternatively, the contents of this file may be used under the terms of -+ * either the GNU General Public License Version 2 or later (the "GPL"), or -+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -+ * in which case the provisions of the GPL or the LGPL are applicable instead -+ * of those above. If you wish to allow use of your version of this file only -+ * under the terms of either the GPL or the LGPL, and not to allow others to -+ * use your version of this file under the terms of the MPL, indicate your -+ * decision by deleting the provisions above and replace them with the notice -+ * and other provisions required by the GPL or the LGPL. 
If you do not delete -+ * the provisions above, a recipient may use your version of this file under -+ * the terms of any one of the MPL, the GPL or the LGPL. -+ * -+ * ***** END LICENSE BLOCK ***** */ -+#include "_jni/org_mozilla_jss_asn1_ASN1Util.h" -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+ -+/*********************************************************************** -+ * -+ * Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid -+ * retrieves OID description by NSS's OID Tag identifier -+ * the OID byte array is expected to be without the OID Tag (6) and size -+ * (together 2 bytes) -+ */ -+JNIEXPORT jstring JNICALL -+Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid(JNIEnv *env, jobject this, jbyteArray oidBA) -+{ -+ SECItem *oid = NULL; -+ SECOidTag oidTag = SEC_OID_UNKNOWN; -+ char *oidDesc = NULL; -+ jstring description= ""; -+ -+ if (oidBA == NULL) { -+ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION, -+ "JSS getTagDescriptionByOid: oidBA null"); -+ goto finish; -+ } else { -+ /************************************************** -+ * Setup the parameters -+ *************************************************/ -+ oid = JSS_ByteArrayToSECItem(env, oidBA); -+ if (oid == NULL) { -+ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION, -+ "JSS getTagDescriptionByOid: JSS_ByteArrayToSECItem failed"); -+ goto finish; -+ } -+ -+ /* -+ * SECOID_FindOIDTag() returns SEC_OID_UNKNOWN if no match -+ */ -+ oidTag = SECOID_FindOIDTag(oid); -+ if (oidTag == SEC_OID_UNKNOWN) { -+ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION, -+ "JSS getTagDescriptionByOid: OID UNKNOWN"); -+ goto finish; -+ } -+ -+ oidDesc = SECOID_FindOIDTagDescription(oidTag); -+ if (oidDesc == NULL) { -+ oidDesc = ""; -+ } -+ description = (*env)->NewStringUTF(env, oidDesc); -+ } -+ -+finish: -+ return description; -+} -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig 
jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig 2012-03-19 17:48:57.119048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java 2012-03-19 18:03:20.766186000 -0700 -@@ -36,6 +36,8 @@ - package org.mozilla.jss.asn1; - - import java.io.*; -+import java.util.Arrays; -+ - import org.mozilla.jss.asn1.InvalidBERException; - import org.mozilla.jss.util.Assert; - -@@ -114,4 +116,71 @@ public class ASN1Util { - numRead += nr; - } - } -+ -+ /** -+ * returns the ECC curve byte array given the X509 public key byte array -+ * -+ * @param X509PubKeyBytes byte array of an X509PubKey -+ * @param withHeader tells if the return byes should inclulde the tag and size header or not -+ */ -+ public static byte[] getECCurveBytesByX509PublicKeyBytes(byte[] X509PubKeyBytes, -+ boolean withHeader) -+ throws IllegalArgumentException, ArrayIndexOutOfBoundsException, -+ NullPointerException -+ { -+ if ((X509PubKeyBytes == null) || (X509PubKeyBytes.length == 0)) { -+ throw new IllegalArgumentException("X509PubKeyBytes null"); -+ } -+ -+ /* EC public key OID complete with tag and size */ -+ byte[] EC_PubOIDBytes_full = -+ ASN1Util.encode(OBJECT_IDENTIFIER.EC_PUBKEY_OID); -+ -+ /* EC public key OID without tag and size */ -+ byte[] EC_PubOIDBytes = -+ Arrays.copyOfRange(EC_PubOIDBytes_full, 2, EC_PubOIDBytes_full.length); -+ -+ int curveBeginIndex = 0; -+ for (int idx = 0; idx<= X509PubKeyBytes.length; idx++) { -+ byte[] tmp = -+ Arrays.copyOfRange(X509PubKeyBytes, idx, idx+EC_PubOIDBytes.length); -+ if (Arrays.equals(tmp, EC_PubOIDBytes)) { -+ curveBeginIndex = idx+ EC_PubOIDBytes.length; -+ break; -+ } -+ } -+ -+ int curveByteArraySize = (int) X509PubKeyBytes[curveBeginIndex+ 1]; -+ -+ if (withHeader) { -+ /* actual curve with tag and size */ -+ byte curve[] = Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex, curveBeginIndex + curveByteArraySize + 2); -+ return curve; 
-+ } else { -+ /* actual curve without tag and size */ -+ byte curve[] = -+ Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex + 2, -+ curveBeginIndex + 2 + curveByteArraySize); -+ return curve; -+ } -+ } -+ -+ /** -+ * getOIDdescription() returns a text description of the OID -+ * from OID byte array -+ * the OID byte array is expected to be without the OID Tag (6) and size -+ * (together 2 bytes) -+ */ -+ public static String -+ getOIDdescription(byte[] oidBA) { -+ return getTagDescriptionByOid(oidBA); -+ } -+ -+ /** -+ * get OID description JNI method -+ */ -+ private native static String -+ getTagDescriptionByOid(byte[] oidBA); -+ -+ - } -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig 2012-03-19 17:48:57.467048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile 2012-03-19 17:48:53.348052000 -0700 -@@ -57,7 +57,7 @@ include $(CORE_DEPTH)/$(MODULE)/config/c - ####################################################################### - # (4) Include "local" platform-dependent assignments (OPTIONAL). 
# - ####################################################################### --#include config.mk -+include config.mk - - - ####################################################################### -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig 2012-03-19 17:48:57.178048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java 2012-03-19 17:48:53.364052000 -0700 -@@ -52,6 +52,12 @@ public class OBJECT_IDENTIFIER implement - /////////////////////////////////////////////////////////////////////// - - /** -+ * The OID space for EC -+ */ -+ public static final OBJECT_IDENTIFIER EC_PUBKEY_OID = -+ new OBJECT_IDENTIFIER( new long[]{1, 2, 840, 10045, 2, 1} ); -+ -+ /** - * The OID space for RSA Data Security, Inc. - */ - public static final OBJECT_IDENTIFIER RSADSI = -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig 2012-03-19 17:48:57.398048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk 2012-03-19 17:48:53.381052000 -0700 -@@ -0,0 +1,41 @@ -+# -+# ***** BEGIN LICENSE BLOCK ***** -+# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -+# -+# The contents of this file are subject to the Mozilla Public License Version -+# 1.1 (the "License"); you may not use this file except in compliance with -+# the License. You may obtain a copy of the License at -+# http://www.mozilla.org/MPL/ -+# -+# Software distributed under the License is distributed on an "AS IS" basis, -+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -+# for the specific language governing rights and limitations under the -+# License. 
-+# -+# The Original Code is the Netscape Security Services for Java. -+# -+# The Initial Developer of the Original Code is -+# Netscape Communications Corporation. -+# Portions created by the Initial Developer are Copyright (C) 1998-2000 -+# the Initial Developer. All Rights Reserved. -+# -+# Contributor(s): -+# -+# Alternatively, the contents of this file may be used under the terms of -+# either the GNU General Public License Version 2 or later (the "GPL"), or -+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -+# in which case the provisions of the GPL or the LGPL are applicable instead -+# of those above. If you wish to allow use of your version of this file only -+# under the terms of either the GPL or the LGPL, and not to allow others to -+# use your version of this file under the terms of the MPL, indicate your -+# decision by deleting the provisions above and replace them with the notice -+# and other provisions required by the GPL or the LGPL. If you do not delete -+# the provisions above, a recipient may use your version of this file under -+# the terms of any one of the MPL, the GPL or the LGPL. 
-+# -+# ***** END LICENSE BLOCK ***** -+TARGETS=$(LIBRARY) -+SHARED_LIBRARY= -+IMPORT_LIBRARY= -+ -+NO_MD_RELEASE = 1 -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig 2012-03-19 17:48:57.434048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn 2012-03-19 17:48:53.401052000 -0700 -@@ -41,6 +41,8 @@ MODULE = jss - - NS_USE_JDK = 1 - -+REQUIRES = nspr20 nss -+ - PACKAGE = org/mozilla/jss/asn1 - - CLASSES = \ -@@ -112,3 +114,9 @@ JSRCS = \ - UTCTime.java \ - UTF8String.java \ - $(NULL) -+ -+CSRCS = \ -+ ASN1Util.c \ -+ $(NULL) -+ -+LIBRARY_NAME = jssasn1 -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig 2012-03-19 17:48:57.502048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn 2012-03-19 17:48:53.413052000 -0700 -@@ -48,6 +48,7 @@ DIRS = \ - crypto \ - SecretDecoderRing \ - pkcs11 \ -+ asn1 \ - ssl \ - provider \ - $(NULL) -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig 2012-03-19 17:48:57.238048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java 2012-03-19 17:48:53.432052000 -0700 -@@ -61,15 +61,29 @@ public final class PK11ECPublicKey exten - // } - // } - // --// public BigInteger getW() { --// try { --// return new BigInteger( getWByteArray() ); --// } catch(NumberFormatException e) { --// Assert.notReached("Unable to decode DSA public value"); --// return null; --// } --// } --// --// private native byte[] getCurveByteArray(); --// private 
native byte[] getWByteArray(); -+ -+ public BigInteger getCurve() { -+ try { -+ return new BigInteger( getCurveByteArray() ); -+ } catch(NumberFormatException e) { -+ Assert.notReached("Unable to decode EC curve"); -+ return null; -+ } -+ } -+ -+ public byte[] getCurveBA() { -+ return getCurveByteArray(); -+ } -+ -+ public BigInteger getW() { -+ try { -+ return new BigInteger( getWByteArray() ); -+ } catch(NumberFormatException e) { -+ Assert.notReached("Unable to decode EC public value"); -+ return null; -+ } -+ } -+ -+ private native byte[] getCurveByteArray(); -+ private native byte[] getWByteArray(); - } -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig 2012-03-19 17:48:57.272048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2012-03-19 17:48:53.450052000 -0700 -@@ -450,6 +450,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - numAttribs = 4; - } - break; -+ case CKK_EC: -+ numAttribs = 1; -+ attribs[0] = CKA_SIGN; -+ if (isExtractable) { -+ attribs[1] = CKA_EXTRACTABLE; -+ numAttribs = 2; -+ } -+ break; - case CKK_DSA: - attribs[0] = CKA_SIGN; - numAttribs = 1; -@@ -460,11 +468,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - attribs[0] = CKA_DERIVE; - numAttribs = 1; - break; -- case CKK_EC: -- attribs[0] = CKA_SIGN; -- attribs[1] = CKA_DERIVE; -- numAttribs = 2; -- break; - default: - /* unknown key type */ - PR_ASSERT(PR_FALSE); -@@ -479,7 +482,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - attribs, numAttribs, NULL /*wincx*/); - if( privk == NULL ) { - char err[256] = {0}; -- PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError()); -+ PR_snprintf(err, 256, "Key Unwrap failed on token:error=%d, keyType=%d", PR_GetError(), keyType); - JSS_throwMsg(env, TOKEN_EXCEPTION, err); - goto finish; - } -diff -up 
jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig 2012-03-19 17:48:57.298048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2012-03-19 17:48:53.471052000 -0700 -@@ -459,13 +459,19 @@ final class PK11KeyWrapper implements Ke - if( type == PrivateKey.RSA ) { - if( !(publicKey instanceof RSAPublicKey)) { - throw new InvalidKeyException("Type of public key does not "+ -- "match type of private key"); -+ "match type of private key which is RSA"); - } - return ((RSAPublicKey)publicKey).getModulus().toByteArray(); -+ } else if(type == PrivateKey.EC) { -+ if( !(publicKey instanceof PK11ECPublicKey) ) { -+ throw new InvalidKeyException("Type of public key does not "+ -+ "match type of private key which is EC"); -+ } -+ return ((PK11ECPublicKey)publicKey).getW().toByteArray(); - } else if(type == PrivateKey.DSA) { - if( !(publicKey instanceof DSAPublicKey) ) { - throw new InvalidKeyException("Type of public key does not "+ -- "match type of private key"); -+ "match type of private key which is DSA"); - } - return ((DSAPublicKey)publicKey).getY().toByteArray(); - } else { diff --git a/jss-ECC-pop.patch b/jss-ECC-pop.patch deleted file mode 100644 index 48da89d..0000000 --- a/jss-ECC-pop.patch +++ /dev/null 
@@ -1,29 +0,0 @@
-diff -rupN jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java jss-4.2.6.cfu/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java 2004-04-25 08:02:26.000000000 -0700
-+++ jss-4.2.6.cfu/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java 2009-07-27 13:38:38.197422000 -0700
-@@ -130,6 +130,16 @@ public class CertReqMsg implements ASN1V
- ///////////////////////////////////////////////////////////////////////
- 
- public void verify() throws SignatureException,
-+ InvalidKeyFormatException, NoSuchAlgorithmException,
-+ org.mozilla.jss.CryptoManager.NotInitializedException,
-+ TokenException, java.security.InvalidKeyException, IOException{
-+
-+ CryptoToken token = CryptoManager.getInstance()
-+ .getInternalCryptoToken();
-+ verify(token);
-+ }
-+
-+ public void verify(CryptoToken token) throws SignatureException,
- InvalidKeyFormatException, NoSuchAlgorithmException,
- org.mozilla.jss.CryptoManager.NotInitializedException,
- TokenException, java.security.InvalidKeyException, IOException{
-@@ -149,8 +159,6 @@ public class CertReqMsg implements ASN1V
- pubkey = (PublicKey) spi.toPublicKey();
- }
- 
-- CryptoToken token = CryptoManager.getInstance()
-- .getInternalCryptoToken();
- SignatureAlgorithm sigAlg =
- SignatureAlgorithm.fromOID(alg.getOID());
- Signature sig = token.getSignatureContext(sigAlg);
diff --git a/jss-ECC_keygen_byCurveName.patch b/jss-ECC_keygen_byCurveName.patch
deleted file mode 100644
index 0617183..0000000
--- a/jss-ECC_keygen_byCurveName.patch
+++ /dev/null
@@ -1,490 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java.fix 2010-10-20 09:54:35.189680000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2010-10-20 10:54:53.154835000 -0700
-@@ -196,7 +196,10 @@ public class KeyPairGenerator {
- engine.setKeyPairUsages(usages,usages_mask);
- }
-
--
-+ public int getCurveCodeByName(String curveName)
-+ throws InvalidParameterException {
-+ return engine.getCurveCodeByName(curveName);
-+ }
-
-
-
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java.fix 2010-10-20 09:54:52.393628000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2010-10-20 10:55:39.441698000 -0700
-@@ -94,4 +94,6 @@ public abstract class KeyPairGeneratorSp
-
- public abstract void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages,
- KeyPairGeneratorSpi.Usage[] usages_mask);
-+
-+ public abstract int getCurveCodeByName(String curveName) throws InvalidParameterException;
- }
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java.fix 2010-10-15 10:30:57.832196000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2010-10-20 11:09:30.523208000 -0700
-@@ -44,6 +44,7 @@ import java.security.*;
- import java.security.SecureRandom;
- import java.security.spec.AlgorithmParameterSpec;
- import java.security.spec.DSAParameterSpec;
-+import
java.util.Hashtable; - - - /** -@@ -55,6 +56,246 @@ public final class PK11KeyPairGenerator - extends org.mozilla.jss.crypto.KeyPairGeneratorSpi - { - -+ // curve code for getting the actual EC curve -+ private enum ECCurve_Code { -+ // NIST, SEC2 Prime curves -+ secp521r1 , // == nistp521 -+ nistp521 , -+ secp384r1 , // == nistp384 -+ nistp384 , -+ secp256r1 , // == nistp256 -+ nistp256 , -+ secp256k1 , -+ secp224r1 , // == nistp224 -+ nistp224 , -+ secp224k1 , -+ secp192r1 , // == nistp192 -+ nistp192 , -+ secp192k1 , -+ secp160r2 , -+ secp160r1 , -+ secp160k1 , -+ secp128r2 , -+ secp128r1 , -+ secp112r2 , -+ secp112r1 , -+ // NIST, SEC2 Binary curves -+ sect571r1 , // == nistb571 -+ nistb571 , -+ sect571k1 , // == nistk571 -+ nistk571 , -+ sect409r1 , // == nistb409 -+ nistb409 , -+ sect409k1 , // == nistk409 -+ nistk409 , -+ sect283r1 , // == nistb283 -+ nistb283 , -+ sect283k1 , // == nistk283 -+ nistk283 , -+ sect239k1 , -+ sect233r1 , // == nistb233 -+ nistb233 , -+ sect233k1 , // == nistk233 -+ nistk233 , -+ sect193r2 , -+ sect193r1 , -+ nistb163 , -+ sect163r2 , // == nistb163 -+ sect163r1 , -+ sect163k1 , // == nistk163 -+ nistk163 , -+ sect131r2 , -+ sect131r1 , -+ sect113r2 , -+ sect113r1 , -+ // ANSI X9.62 Prime curves -+ prime239v3 , -+ prime239v2 , -+ prime239v1 , -+ prime192v3 , -+ prime192v2 , -+ prime192v1 , // == nistp192 -+ // prime256v1 == nistp256 -+ // ANSI X9.62 Binary curves -+ c2pnb163v1 , -+ c2pnb163v2 , -+ c2pnb163v3 , -+ c2pnb176v1 , -+ c2tnb191v1 , -+ c2tnb191v2 , -+ c2tnb191v3 , -+ //c2onb191v4 , -+ //c2onb191v5 , -+ c2pnb208w1 , -+ c2tnb239v1 , -+ c2tnb239v2 , -+ c2tnb239v3 , -+ //c2onb239v4 , -+ //c2onb239v5 , -+ c2pnb272w1 , -+ c2pnb304w1 , -+ c2tnb359v1 , -+ c2pnb368w1 , -+ c2tnb431r1 -+ // no WTLS curves fo now -+ }; -+ -+ private static Hashtable ECCurve_NameToCode = new Hashtable(); -+ static { -+ // NIST, SEC2 Prime curves -+ ECCurve_NameToCode.put( -+ "secp521r1", ECCurve_Code.secp521r1); -+ ECCurve_NameToCode.put( -+ 
"nistp521", ECCurve_Code.nistp521); -+ ECCurve_NameToCode.put( -+ "secp384r1", ECCurve_Code.secp384r1); -+ ECCurve_NameToCode.put( -+ "nistp384", ECCurve_Code.nistp384); -+ ECCurve_NameToCode.put( -+ "secp256r1", ECCurve_Code.secp256r1); -+ ECCurve_NameToCode.put( -+ "nistp256", ECCurve_Code.nistp256); -+ ECCurve_NameToCode.put( -+ "secp256k1", ECCurve_Code.secp256k1); -+ ECCurve_NameToCode.put( -+ "secp224r1", ECCurve_Code.secp224r1); -+ ECCurve_NameToCode.put( -+ "nistp224", ECCurve_Code.nistp224); -+ ECCurve_NameToCode.put( -+ "secp224k1", ECCurve_Code.secp224k1); -+ ECCurve_NameToCode.put( -+ "secp192r1", ECCurve_Code.secp192r1); -+ ECCurve_NameToCode.put( -+ "nistp192", ECCurve_Code.nistp192); -+ ECCurve_NameToCode.put( -+ "secp192k1", ECCurve_Code.secp192k1); -+ ECCurve_NameToCode.put( -+ "secp160r2", ECCurve_Code.secp160r2); -+ ECCurve_NameToCode.put( -+ "secp160r1", ECCurve_Code.secp160r1); -+ ECCurve_NameToCode.put( -+ "secp160k1", ECCurve_Code.secp160k1); -+ ECCurve_NameToCode.put( -+ "secp128r2", ECCurve_Code.secp128r2); -+ ECCurve_NameToCode.put( -+ "secp128r1", ECCurve_Code.secp128r1); -+ ECCurve_NameToCode.put( -+ "secp112r2", ECCurve_Code.secp112r2); -+ ECCurve_NameToCode.put( -+ "secp112r1", ECCurve_Code.secp112r1); -+ // NIST, SEC2 Binary curves -+ ECCurve_NameToCode.put( -+ "sect571r1", ECCurve_Code.sect571r1); -+ ECCurve_NameToCode.put( -+ "nistb571", ECCurve_Code.nistb571); -+ ECCurve_NameToCode.put( -+ "sect571k1", ECCurve_Code.sect571k1); -+ ECCurve_NameToCode.put( -+ "nistk571", ECCurve_Code.nistk571); -+ ECCurve_NameToCode.put( -+ "sect409r1", ECCurve_Code.sect409r1); -+ ECCurve_NameToCode.put( -+ "nistb409", ECCurve_Code.nistb409); -+ ECCurve_NameToCode.put( -+ "sect409k1", ECCurve_Code.sect409k1); -+ ECCurve_NameToCode.put( -+ "nistk409", ECCurve_Code.nistk409); -+ ECCurve_NameToCode.put( -+ "sect283r1", ECCurve_Code.sect283r1); -+ ECCurve_NameToCode.put( -+ "nistb283", ECCurve_Code.nistb283); -+ ECCurve_NameToCode.put( -+ "sect283k1", 
ECCurve_Code.sect283k1); -+ ECCurve_NameToCode.put( -+ "nistk283", ECCurve_Code.nistk283); -+ ECCurve_NameToCode.put( -+ "sect239k1", ECCurve_Code.sect239k1); -+ ECCurve_NameToCode.put( -+ "sect233r1", ECCurve_Code.sect233r1); -+ ECCurve_NameToCode.put( -+ "nistb233", ECCurve_Code.nistb233); -+ ECCurve_NameToCode.put( -+ "sect233k1", ECCurve_Code.sect233k1); -+ ECCurve_NameToCode.put( -+ "nistk233", ECCurve_Code.nistk233); -+ ECCurve_NameToCode.put( -+ "sect193r2", ECCurve_Code.sect193r2); -+ ECCurve_NameToCode.put( -+ "sect193r1", ECCurve_Code.sect193r1); -+ ECCurve_NameToCode.put( -+ "nistb163", ECCurve_Code.nistb163); -+ ECCurve_NameToCode.put( -+ "sect163r2", ECCurve_Code.sect163r2); -+ ECCurve_NameToCode.put( -+ "sect163r1", ECCurve_Code.sect163r1); -+ ECCurve_NameToCode.put( -+ "sect163k1", ECCurve_Code.sect163k1); -+ ECCurve_NameToCode.put( -+ "nistk163", ECCurve_Code.nistk163); -+ ECCurve_NameToCode.put( -+ "sect131r2", ECCurve_Code.sect131r2); -+ ECCurve_NameToCode.put( -+ "sect131r1", ECCurve_Code.sect131r1); -+ ECCurve_NameToCode.put( -+ "sect113r2", ECCurve_Code.sect113r2); -+ ECCurve_NameToCode.put( -+ "sect113r1", ECCurve_Code.sect113r1); -+ // ANSI Prime curves -+ ECCurve_NameToCode.put( -+ "prime239v3", ECCurve_Code.prime239v3); -+ ECCurve_NameToCode.put( -+ "prime239v2", ECCurve_Code.prime239v2); -+ ECCurve_NameToCode.put( -+ "prime239v1", ECCurve_Code.prime239v1); -+ ECCurve_NameToCode.put( -+ "prime192v3", ECCurve_Code.prime192v3); -+ ECCurve_NameToCode.put( -+ "prime192v2", ECCurve_Code.prime192v2); -+ ECCurve_NameToCode.put( -+ "prime192v1", ECCurve_Code.prime192v1); -+ // ANSI Binary curves -+ ECCurve_NameToCode.put( -+ "c2pnb163v1", ECCurve_Code.c2pnb163v1); -+ ECCurve_NameToCode.put( -+ "c2pnb163v2", ECCurve_Code.c2pnb163v2); -+ ECCurve_NameToCode.put( -+ "c2pnb163v3", ECCurve_Code.c2pnb163v3); -+ ECCurve_NameToCode.put( -+ "c2pnb176v1", ECCurve_Code.c2pnb176v1); -+ ECCurve_NameToCode.put( -+ "c2tnb191v1", ECCurve_Code.c2tnb191v1); -+ 
ECCurve_NameToCode.put( -+ "c2tnb191v2", ECCurve_Code.c2tnb191v2); -+ ECCurve_NameToCode.put( -+ "c2tnb191v3", ECCurve_Code.c2tnb191v3); -+ //ECCurve_NameToCode.put( -+ // "c2onb191v4", ECCurve_Code.c2onb191v4); -+ //ECCurve_NameToCode.put( -+ // "c2onb191v5", ECCurve_Code.c2onb191v5); -+ ECCurve_NameToCode.put( -+ "c2pnb208w1", ECCurve_Code.c2pnb208w1); -+ ECCurve_NameToCode.put( -+ "c2tnb239v1", ECCurve_Code.c2tnb239v1); -+ ECCurve_NameToCode.put( -+ "c2tnb239v2", ECCurve_Code.c2tnb239v2); -+ ECCurve_NameToCode.put( -+ "c2tnb239v3", ECCurve_Code.c2tnb239v3); -+ //ECCurve_NameToCode.put( -+ // "c2onb239v4", ECCurve_Code.c2onb239v4); -+ //ECCurve_NameToCode.put( -+ // "c2onb239v5", ECCurve_Code.c2onb239v5); -+ ECCurve_NameToCode.put( -+ "c2pnb272w1", ECCurve_Code.c2pnb272w1); -+ ECCurve_NameToCode.put( -+ "c2pnb304w1", ECCurve_Code.c2pnb304w1); -+ ECCurve_NameToCode.put( -+ "c2tnb359v1", ECCurve_Code.c2tnb359v1); -+ ECCurve_NameToCode.put( -+ "c2pnb368w1", ECCurve_Code.c2pnb368w1); -+ ECCurve_NameToCode.put( -+ "c2tnb431r1", ECCurve_Code.c2tnb431r1); -+ } -+ - // opFlag constants: each of these flags specifies a crypto operation - // the key will support. Their values must match the same-named C - // preprocessor macros defined in the PKCS #11 header pkcs11t.h. 
-@@ -165,7 +406,15 @@ public final class PK11KeyPairGenerator
- }
- } else {
- Assert._assert( algorithm == KeyPairAlgorithm.EC );
-- params = getCurve(strength);
-+ if (strength < 112) {
-+ // for EC, "strength" is actually a code for curves defined in
-+ // ECCurve_Code
-+ params = getECCurve(strength);
-+ } else {
-+ // this is the old method of strength to curve mapping,
-+ // which is somewhat defective
-+ params = getCurve(strength);
-+ }
- }
- }
-
-@@ -642,6 +891,189 @@ public final class PK11KeyPairGenerator
- static final OBJECT_IDENTIFIER CURVE_SECG_T571R1
- = SECG_EC_CURVE.subBranch(39);
-
-+ // the EC curvecode to oid hash table
-+ private static Hashtable mECCurve_CodeToCurve = new Hashtable();
-+ static {
-+ // SEG Prime curves
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp521r1.ordinal(), (Object) CURVE_SECG_P521R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistp521.ordinal(), (Object) CURVE_SECG_P521R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp384r1.ordinal(), (Object) CURVE_SECG_P384R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistp384.ordinal(), (Object) CURVE_SECG_P384R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp256r1.ordinal(), (Object) CURVE_ANSI_P256V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistp256.ordinal(), (Object) CURVE_ANSI_P256V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp256k1.ordinal(), (Object) CURVE_SECG_P256K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp224r1.ordinal(), (Object) CURVE_SECG_P224R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistp224.ordinal(), (Object) CURVE_SECG_P224R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp224k1.ordinal(), (Object) CURVE_SECG_P224K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp192r1.ordinal(), (Object) CURVE_ANSI_P192V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistp192.ordinal(), (Object) CURVE_ANSI_P192V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp192k1.ordinal(), (Object) CURVE_SECG_P192K1);
-+
mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp160r2.ordinal(), (Object) CURVE_SECG_P160R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp160r1.ordinal(), (Object) CURVE_SECG_P160R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp160k1.ordinal(), (Object) CURVE_SECG_P160K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp128r2.ordinal(), (Object) CURVE_SECG_P128R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp128r1.ordinal(), (Object) CURVE_SECG_P128R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp112r2.ordinal(), (Object) CURVE_SECG_P112R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp112r1.ordinal(), (Object) CURVE_SECG_P112R1); -+ // SEG Binary curves -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect571r1.ordinal(), (Object) CURVE_SECG_T571R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistb571.ordinal(), (Object) CURVE_SECG_T571R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect571k1.ordinal(), (Object) CURVE_SECG_T571K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistk571.ordinal(), (Object) CURVE_SECG_T571K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect409r1.ordinal(), (Object) CURVE_SECG_T409R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistb409.ordinal(), (Object) CURVE_SECG_T409R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect409k1.ordinal(), (Object) CURVE_SECG_T409K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistk409.ordinal(), (Object) CURVE_SECG_T409K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect283r1.ordinal(), (Object) CURVE_SECG_T283R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistb283.ordinal(), (Object) CURVE_SECG_T283R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect283k1.ordinal(), (Object) CURVE_SECG_T283K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistk283.ordinal(), (Object) CURVE_SECG_T283K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect239k1.ordinal(), (Object) CURVE_SECG_T239K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect233r1.ordinal(), (Object) 
CURVE_SECG_T233R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistb233.ordinal(), (Object) CURVE_SECG_T233R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect233k1.ordinal(), (Object) CURVE_SECG_T233K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistk233.ordinal(), (Object) CURVE_SECG_T233K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect193r2.ordinal(), (Object) CURVE_SECG_T193R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect193r1.ordinal(), (Object) CURVE_SECG_T193R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistb163.ordinal(), (Object) CURVE_SECG_T163K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect163r2.ordinal(), (Object) CURVE_SECG_T163R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect163r1.ordinal(), (Object) CURVE_SECG_T163R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect163k1.ordinal(), (Object) CURVE_SECG_T163K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistk163.ordinal(), (Object) CURVE_SECG_T163K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect131r2.ordinal(), (Object) CURVE_SECG_T131R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect131r1.ordinal(), (Object) CURVE_SECG_T131R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect113r2.ordinal(), (Object) CURVE_SECG_T113R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect113r1.ordinal(), (Object) CURVE_SECG_T113R1); -+ // ANSI Prime curves -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.prime239v3.ordinal(), (Object) CURVE_ANSI_P239V3); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.prime239v2.ordinal(), (Object) CURVE_ANSI_P239V2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.prime239v1.ordinal(), (Object) CURVE_ANSI_P239V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.prime192v3.ordinal(), (Object) CURVE_ANSI_P192V3); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.prime192v2.ordinal(), (Object) CURVE_ANSI_P192V2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.prime192v1.ordinal(), (Object) CURVE_ANSI_P192V1); -+ // ANSI Binary curves -+ mECCurve_CodeToCurve.put( 
-+ ECCurve_Code.c2pnb163v1.ordinal(), (Object) CURVE_ANSI_PNB163V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb163v2.ordinal(), (Object) CURVE_ANSI_PNB163V2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb163v3.ordinal(), (Object) CURVE_ANSI_PNB163V3); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb176v1.ordinal(), (Object) CURVE_ANSI_PNB176V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb191v1.ordinal(), (Object) CURVE_ANSI_TNB191V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb191v2.ordinal(), (Object) CURVE_ANSI_TNB191V2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb191v3.ordinal(), (Object) CURVE_ANSI_TNB191V3); -+ //mECCurve_CodeToCurve.put( -+ // ECCurve_Code.c2onb191v4.ordinal(), (Object) CURVE_ANSI_ONB191V4); -+ //mECCurve_CodeToCurve.put( -+ // ECCurve_Code.c2onb191v5.ordinal(), (Object) CURVE_ANSI_ONB191V5); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb208w1.ordinal(), (Object) CURVE_ANSI_PNB208W1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb239v1.ordinal(), (Object) CURVE_ANSI_TNB239V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb239v2.ordinal(), (Object) CURVE_ANSI_TNB239V2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb239v3.ordinal(), (Object) CURVE_ANSI_TNB239V3); -+ //mECCurve_CodeToCurve.put( -+ // ECCurve_Code.c2onb239v4.ordinal(), (Object) CURVE_ANSI_ONB239V4); -+ //mECCurve_CodeToCurve.put( -+ // ECCurve_Code.c2onb239v5.ordinal(), (Object) CURVE_ANSI_ONB239V5); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb272w1.ordinal(), (Object) CURVE_ANSI_PNB272W1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb304w1.ordinal(), (Object) CURVE_ANSI_PNB304W1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb359v1.ordinal(), (Object) CURVE_ANSI_TNB359V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb368w1.ordinal(), (Object) CURVE_ANSI_PNB368W1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb431r1.ordinal(), (Object) CURVE_ANSI_TNB431R1); -+ } -+ -+ public int getCurveCodeByName(String 
curveName)
-+ throws InvalidParameterException {
-+ if (curveName == null)
-+ throw new InvalidParameterException();
-+ ECCurve_Code c = (ECCurve_Code) ECCurve_NameToCode.get(curveName);
-+ if (c == null)
-+ throw new InvalidParameterException(curveName);
-+ return c.ordinal();
-+ }
-+
-+ /*
-+ * getECCurve
-+ * maps curvecode to the actual oid of the curve and
-+ * returns the PK11ParameterSpec
-+ */
-+ private AlgorithmParameterSpec getECCurve(int curvecode)
-+ throws InvalidParameterException
-+ {
-+ OBJECT_IDENTIFIER oid;
-+
-+ oid = (OBJECT_IDENTIFIER) mECCurve_CodeToCurve.get(curvecode);
-+ if (oid == null)
-+ throw new IllegalArgumentException("curvecode ="+curvecode);
-+ return new PK11ParameterSpec(ASN1Util.encode(oid));
-+ }
-+
- private AlgorithmParameterSpec getCurve(int strength)
- throws InvalidParameterException
- {
diff --git a/jss-Fixed-build-failures.patch b/jss-Fixed-build-failures.patch
deleted file mode 100644
index af11010..0000000
--- a/jss-Fixed-build-failures.patch
+++ /dev/null
@@ -1,349 +0,0 @@ -From 22092d1bde94dc8a1f6e8198fa2fcc597c36c32f Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 9 Dec 2015 00:30:50 +0100 -Subject: [PATCH] Fixed build failures. - -The Javadoc on various classes have been modified to fix build -failures on F23 and Rawhide due to stringent requirements on -those platforms. - -The Debug_debug.jnot has been renamed to Debug.java to fix build -failure in Eclipse. - -https://bugzilla.redhat.com/show_bug.cgi?id=1289799 ---- - .classpath | 7 +++++++ - .project | 17 +++++++++++++++++ - mozilla/security/jss/build_java.pl | 2 +- - mozilla/security/jss/org/mozilla/jss/CryptoManager.java | 14 +++++++------- - .../security/jss/org/mozilla/jss/asn1/ASN1Header.java | 2 +- - .../security/jss/org/mozilla/jss/pkcs11/PK11Token.java | 2 +- - .../security/jss/org/mozilla/jss/pkcs12/CertBag.java | 1 + - .../security/jss/org/mozilla/jss/pkcs7/ContentInfo.java | 1 - - .../security/jss/org/mozilla/jss/pkcs7/SignerInfo.java | 17 ++++++++++------- - .../jss/org/mozilla/jss/pkix/cms/ContentInfo.java | 1 - - .../jss/org/mozilla/jss/pkix/cms/SignerInfo.java | 17 ++++++++++------- - .../jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java | 2 +- - .../jss/org/mozilla/jss/ssl/SSLServerSocket.java | 3 --- - .../mozilla/jss/util/{Debug_debug.jnot => Debug.java} | 0 - 14 files changed, 56 insertions(+), 30 deletions(-) - create mode 100644 .classpath - create mode 100644 .project - rename mozilla/security/jss/org/mozilla/jss/util/{Debug_debug.jnot => Debug.java} (100%) - -diff --git a/.classpath b/.classpath -new file mode 100644 -index 0000000000000000000000000000000000000000..df092d3f7d8df936b753bea75c11bf4003e1a77f ---- /dev/null -+++ b/.classpath -@@ -0,0 +1,7 @@ -+ -+ -+ -+ -+ -+ -+ -diff --git a/.project b/.project -new file mode 100644 -index 0000000000000000000000000000000000000000..c0b616e95c7512076c9976374bda14e11d7cdd8c ---- /dev/null -+++ b/.project -@@ -0,0 +1,17 @@ -+ -+ -+ jss-4.2 -+ -+ -+ -+ -+ -+ 
org.eclipse.jdt.core.javabuilder -+ -+ -+ -+ -+ -+ org.eclipse.jdt.core.javanature -+ -+ -diff --git a/mozilla/security/jss/build_java.pl b/mozilla/security/jss/build_java.pl -index c34473e0eec883323b6b100e671018a9edafe442..379a5e05dbc0599c95d2228bd14f659d3e493d0b 100644 ---- a/mozilla/security/jss/build_java.pl -+++ b/mozilla/security/jss/build_java.pl -@@ -137,7 +137,7 @@ sub setup_vars { - $class_jar = "$dist_dir/$cmdline_vars{XPCLASS_DBG_JAR}"; - $class_release_dir .= "/$cmdline_vars{SOURCE_RELEASE_CLASSES_DBG_DIR}"; - $javac_opt_flag = "-g"; -- $debug_source_file = "org/mozilla/jss/util/Debug_debug.jnot"; -+ $debug_source_file = "org/mozilla/jss/util/Debug.java"; - } - $jni_header_dir = "$dist_dir/private/jss/_jni"; - -diff --git a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java -index 08aad8fe3c3a62ae8e233fc1035723690adf4581..6ef0256a3b777db48461f19da0fa64ec7857ed6b 100644 ---- a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java -+++ b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java -@@ -600,7 +600,7 @@ public final class CryptoManager implements TokenSupplier - * loaded cryptographic modules for the token. - * - * @param name The name of the token. -- * @exception org.mozilla.jss.crypto.NoSuchTokenException If no token -+ * @exception NoSuchTokenException If no token - * is found with the given name. - */ - public synchronized CryptoToken getTokenByName(String name) -@@ -855,9 +855,9 @@ public final class CryptoManager implements TokenSupplier - * initialize(). - * - * @param configDir The directory containing the security databases. -- * @exception org.mozilla.jss.util.KeyDatabaseException Unable to open -+ * @exception KeyDatabaseException Unable to open - * the key database, or it was currupted. -- * @exception org.mozilla.jss.util.CertDatabaseException Unable -+ * @exception CertDatabaseException Unable - * to open the certificate database, or it was currupted. 
- **/ - public static synchronized void initialize( String configDir ) -@@ -878,9 +878,9 @@ public final class CryptoManager implements TokenSupplier - * initialize(). - * - * @param values The options with which to initialize CryptoManager. -- * @exception org.mozilla.jss.util.KeyDatabaseException Unable to open -+ * @exception KeyDatabaseException Unable to open - * the key database, or it was currupted. -- * @exception org.mozilla.jss.util.CertDatabaseException Unable -+ * @exception CertDatabaseException Unable - * to open the certificate database, or it was currupted. - **/ - public static synchronized void initialize( InitializationValues values ) -@@ -1021,7 +1021,7 @@ public final class CryptoManager implements TokenSupplier - * @return The leaf certificate from the chain. - * @exception CertificateEncodingException If the package encoding - * was not recognized. -- * @exception CertificateNicknameConflictException If the leaf certificate -+ * @exception NicknameConflictException If the leaf certificate - * is a user certificate, and another certificate already has the - * given nickname. - * @exception UserCertConflictException If the leaf certificate -@@ -1059,7 +1059,7 @@ public final class CryptoManager implements TokenSupplier - * @return The leaf certificate from the chain. - * @exception CertificateEncodingException If the package encoding - * was not recognized. -- * @exception CertificateNicknameConflictException If the leaf certificate -+ * @exception NicknameConflictException If the leaf certificate - * another certificate already has the given nickname. - * @exception UserCertConflictException If the leaf certificate - * has already been imported. 
-diff --git a/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java b/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java -index bfa37c9f5eba1c5df9bb275cad16c1bf57c9c65d..d15be4922b52d16a25e3212b2b25809cd7ddf3b6 100644 ---- a/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java -+++ b/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java -@@ -259,7 +259,7 @@ public class ASN1Header { - /** - * This constructor is to be called when we are constructing an ASN1Value - * rather than decoding it. -- * @param contentLength Must be >=0. Although indefinite length -+ * @param contentLength Must be >=0. Although indefinite length - * decoding is supported, indefinite length encoding - * is not. - */ -diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java b/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java -index e521b6108b90daeb7035413bba50a41e9b20ec49..98e93f0e858b09402364b4dc89c36a63e7ef0f7b 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java -@@ -236,7 +236,7 @@ public final class PK11Token implements CryptoToken { - * - * @param ssopwcb The security officer's current password callback. - * @param userpwcb The user's new password callback. -- * @exception IncorrectPinException If the security officer PIN is -+ * @exception IncorrectPasswordException If the security officer PIN is - * incorrect. - * @exception TokenException If the PIN was already initialized, - * or there was an unspecified error in the token. -diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java b/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java -index a1b08d2e9ee9dfcb4ee809e101f3074611664384..61ad979d65d5ecc6659281218c58e8ec9a48211c 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java -@@ -91,6 +91,7 @@ public class CertBag implements ASN1Value { - *
  • If the type is SDSI_CERT_TYPE, returns - * an IA5String. - *
  • For all other types, returns an ANY. -+ * - * - * @exception InvalidBERException If the cert is not encoded correctly. - */ -diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java b/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java -index 4db7a42c75cc21d71841e20dcb9a4c1494ff08c2..4578e9bcd8abdb4e7b6717b07aee932dd887d675 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java -@@ -169,7 +169,6 @@ public class ContentInfo implements ASN1Value { - * an OCTET_STRING will be returned. - *

    If the contentType is not one of the six standard types, - * the returned object will be an ANY. -- * - */ - public ASN1Value getInterpretedContent() throws InvalidBERException { - if(contentType.equals(DATA)) { -diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java b/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java -index 300e993cffd9dcadaf996609abeebf8627eafde8..c49107c80543ec94fbb3117a1a9a1088f851a6b3 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java -@@ -129,7 +129,7 @@ public class SignerInfo implements ASN1Value { - /** - * Retrieves the DigestAlgorithm used in this SignerInfo. - * -- * @exception NoSuchAlgorithm If the algorithm is not recognized by JSS. -+ * @exception NoSuchAlgorithmException If the algorithm is not recognized by JSS. - */ - public DigestAlgorithm getDigestAlgorithm() - throws NoSuchAlgorithmException -@@ -402,10 +402,12 @@ public class SignerInfo implements ASN1Value { - /** - * Verifies that this SignerInfo contains a valid signature of the - * given message digest. If any authenticated attributes are present, -- * they are also validated. The verification algorithm is as follows:

      -- *

      Note that this does not verify the validity of the -- * the certificate itself, only the signature. -+ * they are also validated. The verification algorithm is as follows: - * -+ * Note that this does not verify the validity of the -+ * the certificate itself, only the signature. -+ * -+ *

        - *
      • If no authenticated attributes are present, the content type is - * verified to be data. Then it is verified that the message - * digest passed -@@ -413,24 +415,25 @@ public class SignerInfo implements ASN1Value { - * digest in the SignerInfo. - * - *
      • If authenticated attributes are present, -- * two particular attributes must be present:
          -+ * two particular attributes must be present: -+ *
            - *
          • PKCS #9 Content-Type, the type of content that is being signed. - * This must match the contentType parameter. - *
          • PKCS #9 Message-Digest, the digest of the content that is being - * signed. This must match the messageDigest parameter. - *
          -+ * - * After these two attributes are verified to be both present and correct, - * the encryptedDigest field of the SignerInfo is verified to be the - * signature of the contents octets of the DER encoding of the - * authenticatedAttributes field. -- * - *
        - * - * @param messageDigest The hash of the content that is signed by this - * SignerInfo. - * @param contentType The type of the content that is signed by this - * SignerInfo. -- * @exception NoSuchObjectException If no certificate matching the -+ * @exception ObjectNotFoundException If no certificate matching the - * the issuer name and serial number can be found. - */ - public void verify(byte[] messageDigest, OBJECT_IDENTIFIER contentType) -diff --git a/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java b/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java -index 91ae770c94b3a8817c13e4cb86609c432ef682b8..9f61e605b416dffc38525ccec4dcce9f380c7dcc 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java -@@ -168,7 +168,6 @@ public class ContentInfo implements ASN1Value { - * an OCTET_STRING will be returned. - *

        If the contentType is not one of the six standard types, - * the returned object will be an ANY. -- *

      - */ - public ASN1Value getInterpretedContent() throws InvalidBERException { - if(contentType.equals(DATA)) { -diff --git a/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java b/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java -index ff34a554e4d5f43b6ce18acfac01899858d62117..e7feb934dc0a78fbc40a6ff7d8db87f0af9177fe 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java -@@ -130,7 +130,7 @@ public class SignerInfo implements ASN1Value { - /** - * Retrieves the DigestAlgorithm used in this SignerInfo. - * -- * @exception NoSuchAlgorithm If the algorithm is not recognized by JSS. -+ * @exception NoSuchAlgorithmException If the algorithm is not recognized by JSS. - */ - public DigestAlgorithm getDigestAlgorithm() - throws NoSuchAlgorithmException -@@ -403,10 +403,12 @@ public class SignerInfo implements ASN1Value { - /** - * Verifies that this SignerInfo contains a valid signature of the - * given message digest. If any signed attributes are present, -- * they are also validated. The verification algorithm is as follows:
        -- *

        Note that this does not verify the validity of the -- * the certificate itself, only the signature. -+ * they are also validated. The verification algorithm is as follows: - * -+ * Note that this does not verify the validity of the -+ * the certificate itself, only the signature. -+ * -+ *

          - *
        • If no signed attributes are present, the content type is - * verified to be data. Then it is verified that the message - * digest passed -@@ -414,24 +416,25 @@ public class SignerInfo implements ASN1Value { - * digest in the SignerInfo. - * - *
        • If signed attributes are present, -- * two particular attributes must be present:
            -+ * two particular attributes must be present: -+ *
              - *
            • PKCS #9 Content-Type, the type of content that is being signed. - * This must match the contentType parameter. - *
            • PKCS #9 Message-Digest, the digest of the content that is being - * signed. This must match the messageDigest parameter. - *
            -+ * - * After these two attributes are verified to be both present and correct, - * the encryptedDigest field of the SignerInfo is verified to be the - * signature of the contents octets of the DER encoding of the - * signedAttributes field. -- * - *
          - * - * @param messageDigest The hash of the content that is signed by this - * SignerInfo. - * @param contentType The type of the content that is signed by this - * SignerInfo. -- * @exception NoSuchObjectException If no certificate matching the -+ * @exception ObjectNotFoundException If no certificate matching the - * the issuer name and serial number can be found. - */ - public void verify(byte[] messageDigest, OBJECT_IDENTIFIER contentType) -diff --git a/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java b/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java -index 53d162b69673caeed3e998dc9c2e221b95dfc6db..c6637039c87043f36dd1a1e449a819edbcc816e3 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java -@@ -112,7 +112,7 @@ public class CertReqMsg implements ASN1Value { - - /** - * Constructs a CertReqmsg from a CertRequest and, optionally, -- * a pop>/i> and a regInfo. -+ * a pop and a regInfo. - * @param pop May be NULL. - * @param regInfo May be NULL. 
- */
-diff --git a/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java b/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
-index 2043a598cf3e8d023287c0f7142045c1e4f68e4d..58d14496e5ad92aa91a966e119e14f470da4fd4a 100644
---- a/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
-+++ b/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
-@@ -174,9 +174,6 @@ public class SSLServerSocket extends java.net.ServerSocket {
- * @return java.net.Socket Local socket for client communication
- *
- * @throws IOException If an input or output exception occurred
-- * @throws SocketTimeoutException If the socket timesout trying to connect
-- * @throws InterruptedIOException If an input or output is interrupted
-- * @throws SSLSocketException JSS subclass of java.net.SocketException
- */
- public Socket accept() throws IOException {
- synchronized (acceptLock) {
-diff --git a/mozilla/security/jss/org/mozilla/jss/util/Debug_debug.jnot b/mozilla/security/jss/org/mozilla/jss/util/Debug.java
-similarity index 100%
-rename from mozilla/security/jss/org/mozilla/jss/util/Debug_debug.jnot
-rename to mozilla/security/jss/org/mozilla/jss/util/Debug.java
---
-2.4.3
-
diff --git a/jss-HSM-manufacturerID.patch b/jss-HSM-manufacturerID.patch
deleted file mode 100644
index 2a7bdff..0000000
--- a/jss-HSM-manufacturerID.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu 2011-11-10 17:18:02.706421000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-11-10 17:18:23.370442000 -0800
-@@ -195,7 +195,8 @@ JSS_PK11_generateKeyPairWithOpFlags(JNIE
- }
- PR_GetErrorText(errBuf);
- }
-- msgBuf = PR_smprintf("Keypair Generation failed on token: %s",
-+ msgBuf = PR_smprintf("Keypair Generation failed on token with error: %d : %s",
-+ PR_GetError(),
- errLength>0? errBuf : "");
- if(errLength>0) {
- PR_Free(errBuf);
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-11-10 17:18:10.767429000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-11-10 17:52:34.703491000 -0800
-@@ -334,32 +334,36 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- PRBool isExtractable = PR_FALSE;
-
- /* special case nethsm and lunasa*/
-- CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
-- CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'};
-+ const int numManufacturerIDchars = 7;
-+ CK_UTF8CHAR nethsmManufacturerID[] = {'n','C','i','p','h','e','r'};
-+ CK_UTF8CHAR lunasaManufacturerID[] = {'S','a','f','e','n','e','t'};
- PRBool isNethsm = PR_TRUE;
- PRBool isLunasa = PR_TRUE;
-
-+ tokenInfo.manufacturerID[0] = 0;
-+
- if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
- /* exception was thrown */
- goto finish;
- }
-
-- if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) {
-+ if ( (PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) &&
-+ (tokenInfo.manufacturerID[0] != 0)) {
- int ix = 0;
-- for(ix=0; ix < 4; ix++) {
-- if (tokenInfo.label[ix] != nethsmLabel[ix]) {
-+
-+ for(ix=0; ix < numManufacturerIDchars; ix++) {
-+ if (tokenInfo.manufacturerID[ix] != nethsmManufacturerID[ix]) {
- isNethsm = PR_FALSE;
- break;
- }
- }
-- ix = 0;
-- for(ix=0; ix < 4; ix++) {
-- if (tokenInfo.label[ix] != lunasaLabel[ix]) {
-+
-+ for(ix=0; ix < numManufacturerIDchars; ix++) {
-+ if (tokenInfo.manufacturerID[ix] != lunasaManufacturerID[ix]) {
- isLunasa = PR_FALSE;
- break;
- }
- }
--
- } else {
- isNethsm = PR_FALSE;
- isLunasa = PR_FALSE;
diff --git a/jss-PBE-PKCS5-V2-secure-P12.patch b/jss-PBE-PKCS5-V2-secure-P12.patch
deleted file mode 100644
index 068e4d7..0000000
--- a/jss-PBE-PKCS5-V2-secure-P12.patch
+++ /dev/null
@@ -1,328 +0,0 @@
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.old 2011-09-23 10:14:24.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-22 18:39:15.000000000 -0700
-@@ -111,6 +111,9 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
- /* 48 */ {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG},
- /* 49 */ {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG},
- /* 50 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
-+/* 51 */ {SEC_OID_PKCS5_PBKDF2, SEC_OID_TAG},
-+/* 52 */ {SEC_OID_PKCS5_PBES2, SEC_OID_TAG},
-+/* 53 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG},
- /* REMEMBER TO UPDATE NUM_ALGS!!! */
- };
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.old 2011-09-23 10:14:08.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2011-09-22 20:31:12.000000000 -0700
-@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
- JSS_AlgType type;
- } JSS_AlgInfo;
-
--#define NUM_ALGS 51
-+#define NUM_ALGS 54
-
- extern JSS_AlgInfo JSS_AlgTable[];
- extern CK_ULONG JSS_symkeyUsage[];
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.old 2011-09-23 10:14:42.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2011-09-22 18:39:15.000000000 -0700
-@@ -233,5 +233,9 @@ public class Algorithm {
- protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
- protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
- protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50;
-+ //PKCS5 V2
-+ protected static final short SEC_OID_PKCS5_PBKDF2=51;
-+ protected static final short SEC_OID_PKCS5_PBES2=52;
-+ protected static final short SEC_OID_PKCS5_PBMAC1=53;
-
- }
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java.old ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java.old 2011-09-23 10:15:04.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java 2011-09-22 18:39:15.000000000 -0700
-@@ -93,6 +93,27 @@ public class PBEAlgorithm extends KeyGen
- ///////////////////////////////////////////////////////////////////////
-
- //////////////////////////////////////////////////////////////
-+ // PKCS 5 v2
-+ public static final PBEAlgorithm
-+ PBE_PKCS5_PBKDF2 = new PBEAlgorithm(
-+ SEC_OID_PKCS5_PBKDF2, "PBKDF2", 128,
-+ PKCS5.subBranch(12), EncryptionAlgorithm.AES_128_CBC, 8 );
-+
-+ //////////////////////////////////////////////////////////////
-+ // PKCS 5 v2
-+ public static final PBEAlgorithm
-+ PBE_PKCS5_PBES2 = new PBEAlgorithm(
-+ SEC_OID_PKCS5_PBES2, "PBES2", 128,
-+ PKCS5.subBranch(13), EncryptionAlgorithm.AES_128_CBC, 8 );
-+
-+ //////////////////////////////////////////////////////////////
-+ // PKCS 5 v2
-+ public static final PBEAlgorithm
-+ PBE_PKCS5_PBMAC1 = new PBEAlgorithm(
-+ SEC_OID_PKCS5_PBMAC1, "PBMAC1", 128,
-+ PKCS5.subBranch(14), EncryptionAlgorithm.AES_128_CBC, 8 );
-+
-+ //////////////////////////////////////////////////////////////
- public static final PBEAlgorithm
- PBE_MD2_DES_CBC = new PBEAlgorithm(
- SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC, "PBE/MD2/DES/CBC", 56,
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.old 2011-09-23 10:12:09.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-09-27 10:35:19.000000000 -0700
-@@ -324,7 +324,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
- }
- /* print_secitem(pwitem); */
-
--
- mech = JSS_getPK11MechFromAlg(env, alg);
-
- if( mech == CKM_PBA_SHA1_WITH_SHA1_HMAC ) {
-@@ -344,7 +343,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
- PR_ASSERT(oidTag != SEC_OID_UNKNOWN);
-
- /* create algid */
-- algid = PK11_CreatePBEAlgorithmID(oidTag, iterationCount, salt);
-+ algid = PK11_CreatePBEV2AlgorithmID(
-+ oidTag,
-+ SEC_OID_DES_EDE3_CBC,
-+ SEC_OID_HMAC_SHA1,
-+ 168/8,
-+ iterationCount,
-+ salt);
-+
- if( algid == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION,
- "Unable to process PBE parameters");
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.old 2011-09-25 15:43:52.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-09-27 21:16:06.000000000 -0700
-@@ -324,14 +324,34 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- SECItem *wrapped=NULL, *iv=NULL, *param=NULL, *pubValue=NULL;
- SECItem label; /* empty secitem, doesn't need to be freed */
- PRBool token;
-- CK_ATTRIBUTE_TYPE attribs[4];
-- int numAttribs;
-+ CK_ATTRIBUTE_TYPE attribs[4] = {0, 0, 0, 0};
-+ int numAttribs = 0;
-+ CK_TOKEN_INFO tokenInfo;
-+
-+ PRBool isSensitive = PR_TRUE;
-+ PRBool isExtractable = PR_FALSE;
-+ /* special case nethsm*/
-+ CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
-+ PRBool isNethsm = PR_TRUE;
-
- if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
- /* exception was thrown */
- goto finish;
- }
-
-+ if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) {
-+ int ix = 0;
-+ for(ix=0; ix < 4; ix++) {
-+ if (tokenInfo.label[ix] != nethsmLabel[ix]) {
-+ isNethsm = PR_FALSE;
-+ break;
-+ }
-+ }
-+
-+ } else {
-+ isNethsm = PR_FALSE;
-+ }
-+
- /* get unwrapping key */
- if( JSS_PK11_getSymKeyPtr(env, unwrapperObj, &unwrappingKey)
- != PR_SUCCESS) {
-@@ -392,14 +412,24 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- }
- keyType = PK11_GetKeyType(keyTypeMech, 0);
-
-+ if( isNethsm ) {
-+ isSensitive = PR_FALSE;
-+ isExtractable = PR_FALSE;
-+ }
-+
-+setAttrs:
- /* figure out which operations to enable for this key */
- switch (keyType) {
- case CKK_RSA:
- attribs[0] = CKA_SIGN;
-- attribs[1] = CKA_DECRYPT;
-- attribs[2] = CKA_SIGN_RECOVER;
-- attribs[3] = CKA_UNWRAP;
-- numAttribs = 4;
-+ attribs[1] = CKA_SIGN_RECOVER;
-+ attribs[2] = CKA_UNWRAP;
-+ if (isExtractable) {
-+ attribs[3] = CKA_EXTRACTABLE;
-+ numAttribs = 4;
-+ } else {
-+ numAttribs = 3;
-+ }
- break;
- case CKK_DSA:
- attribs[0] = CKA_SIGN;
-@@ -426,7 +456,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
-
- /* perform the unwrap */
- privk = PK11_UnwrapPrivKey(slot, unwrappingKey, wrapType, param, wrapped,
-- &label, pubValue, token, PR_TRUE /*sensitive*/, keyType,
-+ &label, pubValue, token, isSensitive /*sensitive*/, keyType,
- attribs, numAttribs, NULL /*wincx*/);
- if( privk == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token");
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.old 2011-09-27 15:16:52.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2011-09-27 17:01:18.000000000 -0700
-@@ -190,21 +190,23 @@ final class PK11KeyWrapper implements Ke
- if( key==null ) {
- throw new InvalidKeyException("Key is null");
- }
-- if( ! key.getOwningToken().equals(token) ) {
-- throw new InvalidKeyException("Key does not reside on the "+
-- "current token");
-- }
-- if( ! (key instanceof PK11SymKey) ) {
-- throw new InvalidKeyException("Key is not a PKCS #11 key");
-- }
- try {
-+ if( ! key.getOwningToken().equals(token) ) {
-+ throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
-+ key.getOwningToken().getName());
-+ }
-+ if( ! (key instanceof PK11SymKey) ) {
-+ throw new InvalidKeyException("Key is not a PKCS #11 key");
-+ }
- if( ((PK11SymKey)key).getKeyType() !=
-- KeyType.getKeyTypeFromAlgorithm(algorithm) ) {
-- throw new InvalidKeyException("Key is not the right type for"+
-+ KeyType.getKeyTypeFromAlgorithm(algorithm) ) {
-+ throw new InvalidKeyException("Key is not the right type for"+
- " this algorithm");
- }
- } catch( NoSuchAlgorithmException e ) {
- Assert.notReached("Unknown algorithm");
-+ } catch (Exception e) {
-+ Assert.notReached("Exception:"+ e.toString());
- }
- }
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.old 2011-09-23 10:12:29.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-09-23 08:54:19.000000000 -0700
-@@ -106,10 +106,13 @@ public final class PK11Token implements
- getKeyGenerator(KeyGenAlgorithm algorithm)
- throws NoSuchAlgorithmException, TokenException
- {
-+/* NSS is capable of finding the right token to do algorithm,
-+ so this call is prematurely bailing
- if( ! doesAlgorithm(algorithm) ) {
- throw new NoSuchAlgorithmException(
- algorithm+" is not supported by this token");
- }
-+*/
- return new PK11KeyGenerator(this, algorithm);
- }
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.old ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
---- ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.old 2011-09-23 10:42:06.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java 2011-09-27 14:31:41.000000000 -0700
-@@ -43,6 +43,7 @@ import org.mozilla.jss.util.Assert;
- import java.security.*;
- import org.mozilla.jss.CryptoManager;
- import org.mozilla.jss.util.Password;
-+import org.mozilla.jss.crypto.PrivateKey;
- import java.security.spec.AlgorithmParameterSpec;
-
- /**
-@@ -184,6 +185,89 @@ public class EncryptedPrivateKeyInfo imp
- return null;
- }
-
-+
-+ /**
-+ * Creates a new EncryptedPrivateKeyInfo, where the data is encrypted
-+ * with a password-based key-
-+ * with wrapping/unwrapping happening on token.
-+ *
-+ * @param keyGenAlg The algorithm for generating a symmetric key from
-+ * a password, salt, and iteration count.
-+ * @param password The password to use in generating the key.
-+ * @param salt The salt to use in generating the key.
-+ * @param iterationCount The number of hashing iterations to perform
-+ * while generating the key.
-+ * @param charToByteConverter The mechanism for converting the characters
-+ * in the password into bytes. If null, the default mechanism
-+ * will be used, which is UTF8.
-+ * @param pri The PrivateKey to be encrypted and stored in the
-+ * EncryptedContentInfo.
-+ */
-+ public static EncryptedPrivateKeyInfo
-+ createPBE(PBEAlgorithm keyGenAlg, Password password, byte[] salt,
-+ int iterationCount,
-+ KeyGenerator.CharToByteConverter charToByteConverter,
-+ PrivateKey pri, CryptoToken token)
-+ throws CryptoManager.NotInitializedException, NoSuchAlgorithmException,
-+ InvalidKeyException, InvalidAlgorithmParameterException, TokenException,
-+ CharConversionException
-+ {
-+ try {
-+
-+ // check key gen algorithm
-+
-+ if( ! (keyGenAlg instanceof PBEAlgorithm) ) {
-+ throw new NoSuchAlgorithmException("Key generation algorithm"+
-+ " is not a PBE algorithm");
-+ }
-+
-+ PBEAlgorithm pbeAlg = (PBEAlgorithm) keyGenAlg;
-+
-+ // generate key
-+
-+ KeyGenerator kg = token.getKeyGenerator( keyGenAlg );
-+ PBEKeyGenParams pbekgParams = new PBEKeyGenParams(
-+ password, salt, iterationCount);
-+ if( charToByteConverter != null ) {
-+ kg.setCharToByteConverter( charToByteConverter );
-+ }
-+ kg.initialize(pbekgParams);
-+ kg.temporaryKeys(true);
-+ SymmetricKey key = kg.generate();
-+
-+ // generate IV
-+ EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
-+ AlgorithmParameterSpec params=null;
-+ if( encAlg.getParameterClass().equals( IVParameterSpec.class ) ) {
-+ params = new IVParameterSpec( kg.generatePBE_IV() );
-+ }
-+
-+ KeyWrapper wrapper = token.getKeyWrapper(
-+ KeyWrapAlgorithm.DES3_CBC);
-+ wrapper.initWrap(key, params);
-+ byte encrypted[] = wrapper.wrap(pri);
-+
-+ // make encryption algorithm identifier
-+ PBEParameter pbeParam = new PBEParameter( salt, iterationCount );
-+ AlgorithmIdentifier encAlgID = new AlgorithmIdentifier(
-+ keyGenAlg.toOID(), pbeParam);
-+
-+ // create EncryptedPrivateKeyInfo
-+ EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo (
-+ encAlgID,
-+ new OCTET_STRING(encrypted) );
-+
-+ return epki;
-+
-+ } catch (Exception e) {
-+ Assert.notReached("EncryptedPrivateKeyInfo exception:"
-+ +".createPBE");
-+ }
-+
-+ return null;
-+ }
-+
-+
- /**
- * Decrypts an EncryptedPrivateKeyInfo that was encrypted with a PBE
- * algorithm. The algorithm and its parameters are extracted from
diff --git a/jss-PKCS12-FIPS.patch b/jss-PKCS12-FIPS.patch
deleted file mode 100644
index b2aa854..0000000
--- a/jss-PKCS12-FIPS.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix 2011-08-15 15:39:56.633158000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-08-15 20:43:34.947749000 -0700
-@@ -239,40 +239,47 @@ print_secitem(SECItem *item) {
- * TokenException if an error occurs.
- */
- static PK11SymKey*
--constructSHA1PBAKey(JNIEnv *env, SECItem *pwitem, SECItem *salt,
-+constructSHA1PBAKey(JNIEnv *env, PK11SlotInfo *slot, SECItem *pwitem, SECItem *salt,
- int iterationCount)
- {
-- PBEBitGenContext* pbeCtxt=NULL;
-- SECItem *keyBits=NULL;
- PK11SymKey *key=NULL;
-
-- pbeCtxt = PBE_CreateContext( SEC_OID_SHA1, pbeBitGenIntegrityKey,
-- pwitem, salt, 160 /* SHA1 key length */, iterationCount);
-- if( pbeCtxt == NULL ) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to create PBE context");
-+ unsigned char ivData[8];
-+ SECItem mechItem;
-+ CK_PBE_PARAMS pbe_params;
-+
-+ if( pwitem == NULL ) {
-+ JSS_throwMsg(env, TOKEN_EXCEPTION,
-+ "constructSHA1PAKey:"
-+ " pwitem NULL");
- goto finish;
- }
--
-- keyBits = PBE_GenerateBits(pbeCtxt);
-- if( keyBits == NULL ) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to generate bits from"
-- "PBE context");
-+ if( salt == NULL ) {
-+ JSS_throwMsg(env, TOKEN_EXCEPTION,
-+ "constructSHA1PAKey:"
-+ " salt NULL");
- goto finish;
- }
-
-- key = PK11_ImportSymKey( PK11_GetInternalSlot(), CKM_SHA_1,
-- PK11_OriginGenerated, CKA_SIGN, keyBits, NULL);
-+ pbe_params.pInitVector = ivData;
-+ pbe_params.pPassword = pwitem->data;
-+ pbe_params.ulPasswordLen = pwitem->len;
-+ pbe_params.pSalt = salt->data;
-+ pbe_params.ulSaltLen = salt->len;
-+ pbe_params.ulIteration = iterationCount;
-+ mechItem.data = (unsigned char *) &pbe_params;
-+ mechItem.len = sizeof(pbe_params);
-+
-+ key = PK11_RawPBEKeyGen(slot, CKM_PBA_SHA1_WITH_SHA1_HMAC, &mechItem, pwitem, PR_FALSE, NULL);
-+
- if( key == NULL ) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to import PBA key from"
-- " PBA-generated bits");
-+ JSS_throwMsg(env, TOKEN_EXCEPTION,
-+ "PK11_RawPBEKeyGen:"
-+ " failed to generate key");
- goto finish;
- }
-
- finish:
-- if( pbeCtxt ) {
-- PBE_DestroyContext(pbeCtxt);
-- }
-- /* keyBits == pbeCtxt, so we don't need to free it */
- return key;
- }
-
-@@ -324,7 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
-
- /* special case, construct key by hand. Bug #336587 */
-
-- skey = constructSHA1PBAKey(env, pwitem, salt, iterationCount);
-+ skey = constructSHA1PBAKey(env, slot, pwitem, salt, iterationCount);
- if( skey==NULL ) {
- /* exception was thrown */
- goto finish;
diff --git a/jss-RC4-strengh-verify.patch b/jss-RC4-strengh-verify.patch
deleted file mode 100644
index 59b6577..0000000
--- a/jss-RC4-strengh-verify.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java.nkinderSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java.nkinderSaved 2014-09-26 14:40:03.452845047 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java 2014-09-26 14:41:02.101598146 -0700
-@@ -127,7 +127,7 @@ public class KeyGenAlgorithm extends Alg
- RC4 = new KeyGenAlgorithm(CKM_RC4_KEY_GEN, "RC4",
- new KeyStrengthValidator() {
- public boolean isValidKeyStrength(int strength) {
-- return true;
-+ return strength>=40 && strength <= (256*8);
- }
- }, null, null);
-
diff --git a/jss-SHA-OID-fix.patch b/jss-SHA-OID-fix.patch
deleted file mode 100644
index fdda50f..0000000
--- a/jss-SHA-OID-fix.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.jn jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.jn 2014-09-10 09:21:52.663959115 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java 2014-09-10 09:22:38.662788747 -0700
-@@ -117,7 +117,7 @@ public class OBJECT_IDENTIFIER implement
- * The OID space for FIPS-180-2 SHA256/SHA384/SHA512 standardized algorithms.
- */
- public static final OBJECT_IDENTIFIER HASH_ALGORITHM =
-- new OBJECT_IDENTIFIER( new long[] {2, 16, 840, 1, 101, 3, 4 } );
-+ new OBJECT_IDENTIFIER( new long[] {2, 16, 840, 1, 101, 3, 4, 2 } );
-
-
- /**
diff --git a/jss-VerifyCertificate-enhancement.patch b/jss-VerifyCertificate-enhancement.patch
deleted file mode 100644
index 6582b41..0000000
--- a/jss-VerifyCertificate-enhancement.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-From 3c4ca8a2010889fe292704ebcc8b922f77f2f7c2 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Wed, 9 Dec 2015 00:30:50 +0100
-Subject: [PATCH] Added verifyCertificate() method.
-
-A new CryptoManager.verifyCertificate() method has been added as
-an alternative to isCertValid(). If there is a certificate
-validation problem, the method will throw a CertificateValidation
-exception that contains the NSS error message and code. The
-exception will also provide a stack trace to help troubleshoot
-validation issues.
-
-https://fedorahosted.org/pki/ticket/850
----
- .../jss/org/mozilla/jss/CryptoManager.java | 54 ++++++++------
- mozilla/security/jss/org/mozilla/jss/PK11Finder.c | 83 +++++++++++++++++++---
- .../jss/org/mozilla/jss/util/jss_exceptions.h | 2 +
- 3 files changed, 110 insertions(+), 29 deletions(-)
-
-diff --git a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
-index 0a4f59064bfddb42d473022550c24f251719d02b..54ffd8130b0e1f1fca49dd8b130a621e449c7ce7 100644
---- a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
-+++ b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
-@@ -1515,30 +1515,44 @@ public final class CryptoManager implements TokenSupplier
- CertificateUsage certificateUsage)
- throws ObjectNotFoundException, InvalidNicknameException
- {
-- if (nickname==null) {
-- throw new InvalidNicknameException("Nickname must be non-null");
-- }
-- // 0 certificate usage will get current usage
-- // should call isCertValid() call above that returns certificate usage
-- if ((certificateUsage == null) ||
-- (certificateUsage == CertificateUsage.CheckAllUsages)){
-- int currCertificateUsage = 0x0000;
-- currCertificateUsage = verifyCertificateNowCUNative(nickname,
-- checkSig);
-+ try {
-+ verifyCertificate(nickname, checkSig, certificateUsage);
-+ return true;
-+
-+ } catch (ObjectNotFoundException | InvalidNicknameException e) {
-+ throw e;
-
-- if (currCertificateUsage == CertificateUsage.basicCertificateUsages){
-- // cert is good for nothing
-- return false;
-- } else
-- return true;
-- } else {
-- return verifyCertificateNowNative(nickname, checkSig,
-- certificateUsage.getUsage());
-+ } catch (CertificateException e) {
-+ return false;
- }
- }
-
-- private native boolean verifyCertificateNowNative(String nickname,
-- boolean checkSig, int certificateUsage) throws ObjectNotFoundException;
-+ /**
-+ * Verify a certificate that exists in the given cert database,
-+ * check if it's valid and that we trust the issuer. Verify time
-+ * against now.
-+ * @param nickname nickname of the certificate to verify.
-+ * @param checkSig verify the signature of the certificate
-+ * @param certificateUsage see certificate usage defined to verify certificate
-+ *
-+ * @exception InvalidNicknameException If the nickname is null.
-+ * @exception ObjectNotFoundException If no certificate could be found
-+ * with the given nickname.
-+ * @exception CertificateException If certificate is invalid.
-+ */
-+ public void verifyCertificate(String nickname,
-+ boolean checkSig,
-+ CertificateUsage certificateUsage)
-+ throws ObjectNotFoundException, InvalidNicknameException, CertificateException {
-+ int usage = certificateUsage == null ? 0 : certificateUsage.getUsage();
-+ verifyCertificateNowNative(nickname, checkSig, usage);
-+ }
-+
-+ private native void verifyCertificateNowNative(
-+ String nickname,
-+ boolean checkSig,
-+ int certificateUsage)
-+ throws ObjectNotFoundException, InvalidNicknameException, CertificateException;
-
- /**
- * note: this method calls obsolete function in NSS
-diff --git a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
-index 8c7f0b4c05b58527a41cac140dbb5dc30578570f..4986478ffc860e145cd31e41c2880fcc2b5e007e 100644
---- a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
-+++ b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
-@@ -1667,21 +1667,86 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
- /***********************************************************************
- * CryptoManager.verifyCertificateNowNative
- *
-- * Returns JNI_TRUE if success, JNI_FALSE otherwise
-+ * Verify a certificate that exists in the given cert database,
-+ * check if it's valid and that we trust the issuer. Verify time
-+ * against now.
-+ * @param nickname nickname of the certificate to verify.
-+ * @param checkSig verify the signature of the certificate
-+ * @param certificateUsage see certificate usage defined to verify certificate
-+ *
-+ * @exception InvalidNicknameException If the nickname is null.
-+ * @exception ObjectNotFoundException If no certificate could be found
-+ * with the given nickname.
-+ * @exception CertificateException If certificate is invalid.
- */
--JNIEXPORT jboolean JNICALL
-+JNIEXPORT void JNICALL
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
-- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
-+ jobject self, jstring nickString, jboolean checkSig, jint certificateUsage)
- {
-- SECStatus rv = SECFailure;
- SECCertificateUsage currUsage = 0x0000;
-+ SECStatus rv = SECFailure;
-+ CERTCertificate *cert = NULL;
-+ char *nickname = NULL;
-
-- rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
-+ if (nickString == NULL) {
-+ JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
-+ goto finish;
-+ }
-
-- if( rv == SECSuccess) {
-- return JNI_TRUE;
-- } else {
-- return JNI_FALSE;
-+ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
-+
-+ if (nickname == NULL) {
-+ JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
-+ goto finish;
-+ }
-+
-+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
-+
-+ if (cert == NULL) {
-+ char *msgBuf;
-+ msgBuf = PR_smprintf("Certificate not found: %s", nickname);
-+ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, msgBuf);
-+ PR_Free(msgBuf);
-+ goto finish;
-+ }
-+
-+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
-+ * retrieve the current valid usage into currUsage
-+ */
-+ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
-+ checkSig, certificateUsage, NULL, &currUsage);
-+
-+ if (rv != SECSuccess) {
-+ JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Invalid certificate");
-+ goto finish;
-+ }
-+
-+ if ((certificateUsage == 0x0000) &&
-+ (currUsage ==
-+ ( certUsageUserCertImport |
-+ certUsageVerifyCA |
-+ certUsageProtectedObjectSigner |
-+ certUsageAnyCA ))) {
-+
-+ /* The certificate is good for nothing.
-+ * The following usages cannot be verified:
-+ * certUsageAnyCA
-+ * certUsageProtectedObjectSigner
-+ * certUsageUserCertImport
-+ * certUsageVerifyCA
-+ * (0x0b80)
-+ */
-+
-+ JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Unusable certificate");
-+ goto finish;
-+ }
-+
-+finish:
-+ if (nickname != NULL) {
-+ (*env)->ReleaseStringUTFChars(env, nickString, nickname);
-+ }
-+ if (cert != NULL) {
-+ CERT_DestroyCertificate(cert);
- }
- }
-
-diff --git a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
-index 4884928306223ff0699a22e7da33e3d13a904d39..acd329a4ecd3592ebe1d72c7bdac435d84dcae99 100644
---- a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
-+++ b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
-@@ -79,6 +79,8 @@ PR_BEGIN_EXTERN_C
-
- #define INTERRUPTED_IO_EXCEPTION "java/io/InterruptedIOException"
-
-+#define INVALID_NICKNAME_EXCEPTION "org/mozilla/jss/util/InvalidNicknameException"
-+
- #define INVALID_KEY_FORMAT_EXCEPTION "org/mozilla/jss/crypto/InvalidKeyFormatException"
-
- #define INVALID_PARAMETER_EXCEPTION "java/security/InvalidParameterException"
---
-2.5.0
-
diff --git a/jss-VerifyCertificate.patch b/jss-VerifyCertificate.patch
deleted file mode 100644
index a017b77..0000000
--- a/jss-VerifyCertificate.patch
+++ /dev/null
@@ -1,220 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-10-20 09:53:10.288935000 -0700
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-10-29 10:29:48.664212000 -0700
-@@ -331,6 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
- Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
- Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
- Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
-+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
- ;+ local:
- ;+ *;
- ;+};
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-10-28 16:44:46.366082000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-10-31 17:30:25.502670000 -0700
-@@ -61,6 +61,7 @@ import org.mozilla.jss.provider.java.sec
- public final class CryptoManager implements TokenSupplier
- {
- /**
-+ * note: this is obsolete in NSS
- * CertUsage options for validation
- */
- public final static class CertUsage {
-@@ -86,8 +87,6 @@ public final class CryptoManager impleme
- return name;
- }
-
--
--
- // certUsage, these must be kept in sync with nss/lib/certdb/certt.h
- public static final CertUsage SSLClient = new CertUsage(0, "SSLClient");
- public static final CertUsage SSLServer = new CertUsage(1, "SSLServer");
-@@ -103,6 +102,63 @@ public final class CryptoManager impleme
- public static final CertUsage AnyCA = new CertUsage(11, "AnyCA");
- }
-
-+ /**
-+ * CertificateUsage options for validation
-+ */
-+ public final static class CertificateUsage {
-+ private int usage;
-+ private String name;
-+
-+ // certificateUsage, these must be kept in sync with nss/lib/certdb/certt.h
-+ private static final int certificateUsageCheckAllUsages =
0x0000;
-+ private static final int certificateUsageSSLClient = 0x0001;
-+ private static final int certificateUsageSSLServer = 0x0002;
-+ private static final int certificateUsageSSLServerWithStepUp = 0x0004;
-+ private static final int certificateUsageSSLCA = 0x0008;
-+ private static final int certificateUsageEmailSigner = 0x0010;
-+ private static final int certificateUsageEmailRecipient = 0x0020;
-+ private static final int certificateUsageObjectSigner = 0x0040;
-+ private static final int certificateUsageUserCertImport = 0x0080;
-+ private static final int certificateUsageVerifyCA = 0x0100;
-+ private static final int certificateUsageProtectedObjectSigner = 0x0200;
-+ private static final int certificateUsageStatusResponder = 0x0400;
-+ private static final int certificateUsageAnyCA = 0x0800;
-+
-+ static private ArrayList list = new ArrayList();
-+ private CertificateUsage() {};
-+ private CertificateUsage(int usage, String name) {
-+ this.usage = usage;
-+ this.name = name;
-+ this.list.add(this);
-+
-+ }
-+ public int getUsage() {
-+ return usage;
-+ }
-+
-+ static public Iterator getCertificateUsages() {
-+ return list.iterator();
-+
-+ }
-+ public String toString() {
-+ return name;
-+ }
-+
-+ public static final CertificateUsage CheckAllUsages = new CertificateUsage(certificateUsageCheckAllUsages, "CheckAllUsages");
-+ public static final CertificateUsage SSLClient = new CertificateUsage(certificateUsageSSLClient, "SSLClient");
-+ public static final CertificateUsage SSLServer = new CertificateUsage(certificateUsageSSLServer, "SSLServer");
-+ public static final CertificateUsage SSLServerWithStepUp = new CertificateUsage(certificateUsageSSLServerWithStepUp, "SSLServerWithStepUp");
-+ public static final CertificateUsage SSLCA = new CertificateUsage(certificateUsageSSLCA, "SSLCA");
-+ public static final CertificateUsage EmailSigner = new CertificateUsage(certificateUsageEmailSigner, "EmailSigner");
-+ public static final CertificateUsage EmailRecipient
= new CertificateUsage(certificateUsageEmailRecipient, "EmailRecipient");
-+ public static final CertificateUsage ObjectSigner = new CertificateUsage(certificateUsageObjectSigner, "ObjectSigner");
-+ public static final CertificateUsage UserCertImport = new CertificateUsage(certificateUsageUserCertImport, "UserCertImport");
-+ public static final CertificateUsage VerifyCA = new CertificateUsage(certificateUsageVerifyCA, "VerifyCA");
-+ public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
-+ public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
-+ public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
-+ }
-+
- public final static class NotInitializedException extends Exception {}
- public final static class NicknameConflictException extends Exception {}
- public final static class UserCertConflictException extends Exception {}
-@@ -1386,6 +1442,7 @@ public final class CryptoManager impleme
- }
- return tok;
- }
-+
- /////////////////////////////////////////////////////////////
- // isCertValid
- /////////////////////////////////////////////////////////////
-@@ -1395,6 +1452,39 @@ public final class CryptoManager impleme
- * against Now.
- * @param nickname The nickname of the certificate to verify.
- * @param checkSig verify the signature of the certificate
-+ * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
-+ * @return true for success; false otherwise
-+ *
-+ * @exception InvalidNicknameException If the nickname is null
-+ * @exception ObjectNotFoundException If no certificate could be found
-+ * with the given nickname.
-+ */
-+
-+ public boolean isCertValid(String nickname, boolean checkSig,
-+ CertificateUsage certificateUsage)
-+ throws ObjectNotFoundException, InvalidNicknameException
-+ {
-+ if (nickname==null) {
-+ throw new InvalidNicknameException("Nickname must be non-null");
-+ }
-+ // 0 certificate usage was supposed to get current usage, however,
-+ // it is not exposed at this point
-+ return verifyCertificateNowNative(nickname,
-+ checkSig,
-+ (certificateUsage == null) ? 0:certificateUsage.getUsage());
-+ }
-+
-+ private native boolean verifyCertificateNowNative(String nickname,
-+ boolean checkSig, int certificateUsage) throws ObjectNotFoundException;
-+
-+ /**
-+ * note: this method calls obsolete function in NSS
-+ *
-+ * Verify a certificate that exists in the given cert database,
-+ * check if is valid and that we trust the issuer. Verify time
-+ * against Now.
-+ * @param nickname The nickname of the certificate to verify.
-+ * @param checkSig verify the signature of the certificate
- * @param certUsage see exposed certUsage defines to verify Certificate
- * @return true for success; false otherwise
- *
-@@ -1413,6 +1503,9 @@ public final class CryptoManager impleme
- return verifyCertNowNative(nickname, checkSig, certUsage.getUsage());
- }
-
-+ /*
-+ * Obsolete in NSS
-+ */
- private native boolean verifyCertNowNative(String nickname,
- boolean checkSig, int cUsage) throws ObjectNotFoundException;
-
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-10-28 16:45:46.501899000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-10-31 17:25:53.575482000 -0700
-@@ -1575,11 +1575,62 @@ finish:
- }
-
- /***********************************************************************
-- * CryptoManager.verifyCertNowNative
-+ * CryptoManager.verifyCertificateNowNative
- *
- * Returns JNI_TRUE if
success, JNI_FALSE otherwise
- */
- JNIEXPORT jboolean JNICALL
-+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
-+ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
-+{
-+ SECStatus rv = SECFailure;
-+ SECCertificateUsage certificateUsage;
-+ SECCertificateUsage currUsage; /* unexposed for now */
-+ CERTCertificate *cert=NULL;
-+ char *nickname=NULL;
-+
-+ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
-+ if( nickname == NULL ) {
-+ goto finish;
-+ }
-+
-+ certificateUsage = required_certificateUsage;
-+
-+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
-+
-+ if (cert == NULL) {
-+ JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
-+ goto finish;
-+ } else {
-+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
-+ * just get the current usage (which we are not passing back for now
-+ * but will bypass the certificate usage check
-+ */
-+ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
-+ checkSig, certificateUsage, NULL, &currUsage );
-+ }
-+
-+finish:
-+ if(nickname != NULL) {
-+ (*env)->ReleaseStringUTFChars(env, nickString, nickname);
-+ }
-+ if(cert != NULL) {
-+ CERT_DestroyCertificate(cert);
-+ }
-+ if( rv == SECSuccess) {
-+ return JNI_TRUE;
-+ } else {
-+ return JNI_FALSE;
-+ }
-+}
-+
-+
-+/***********************************************************************
-+ * CryptoManager.verifyCertNowNative
-+ * note: this calls obsolete NSS function
-+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
-+ */
-+JNIEXPORT jboolean JNICALL
- Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env,
- jobject self, jstring nickString, jboolean checkSig, jint cUsage)
- {
diff --git a/jss-VerifyCertificateReturnCU.patch b/jss-VerifyCertificateReturnCU.patch
deleted file mode 100644
index 7d220ef..0000000
--- a/jss-VerifyCertificateReturnCU.patch
+++ /dev/null
@@ -1,227 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-12-21 12:35:04.360044000 -0800
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-12-21 12:36:05.364105000 -0800
-@@ -332,6 +332,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
- Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
- Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
-+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
- ;+ local:
- ;+ *;
- ;+};
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-12-21 12:36:24.417124000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-12-21 12:43:54.777575000 -0800
-@@ -157,6 +157,19 @@ public final class CryptoManager impleme
- public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
- public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
- public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
-+
-+ /*
-+ The folllowing usages cannot be verified:
-+ certUsageAnyCA
-+ certUsageProtectedObjectSigner
-+ certUsageUserCertImport
-+ certUsageVerifyCA
-+ */
-+ public static final int basicCertificateUsages = /*0x0b80;*/
-+ certificateUsageUserCertImport |
-+ certificateUsageVerifyCA |
-+ certificateUsageProtectedObjectSigner |
-+ certificateUsageAnyCA ;
- }
-
- public final static class NotInitializedException extends Exception {}
-@@ -1452,14 +1465,43 @@ public final class CryptoManager impleme
- * against Now.
- * @param nickname The nickname of the certificate to verify.
- * @param checkSig verify the signature of the certificate
-- * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
-- * @return true for success; false otherwise
-+ * @return currCertificateUsage which contains current usage bit map as defined in CertificateUsage
- *
- * @exception InvalidNicknameException If the nickname is null
- * @exception ObjectNotFoundException If no certificate could be found
- * with the given nickname.
- */
-+ public int isCertValid(String nickname, boolean checkSig)
-+ throws ObjectNotFoundException, InvalidNicknameException
-+ {
-+ if (nickname==null) {
-+ throw new InvalidNicknameException("Nickname must be non-null");
-+ }
-+ int currCertificateUsage = 0x0000; // initialize it to 0
-+ currCertificateUsage = verifyCertificateNowCUNative(nickname,
-+ checkSig);
-+ return currCertificateUsage;
-+ }
-+
-+ private native int verifyCertificateNowCUNative(String nickname,
-+ boolean checkSig) throws ObjectNotFoundException;
-
-+ /////////////////////////////////////////////////////////////
-+ // isCertValid
-+ /////////////////////////////////////////////////////////////
-+ /**
-+ * Verify a certificate that exists in the given cert database,
-+ * check if is valid and that we trust the issuer. Verify time
-+ * against Now.
-+ * @param nickname The nickname of the certificate to verify.
-+ * @param checkSig verify the signature of the certificate
-+ * @param certificateUsage see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above
-+ * @return true for success; false otherwise
-+ *
-+ * @exception InvalidNicknameException If the nickname is null
-+ * @exception ObjectNotFoundException If no certificate could be found
-+ * with the given nickname.
-+ */
- public boolean isCertValid(String nickname, boolean checkSig,
- CertificateUsage certificateUsage)
- throws ObjectNotFoundException, InvalidNicknameException
-@@ -1467,11 +1509,23 @@ public final class CryptoManager impleme
- if (nickname==null) {
- throw new InvalidNicknameException("Nickname must be non-null");
- }
-- // 0 certificate usage was supposed to get current usage, however,
-- // it is not exposed at this point
-- return verifyCertificateNowNative(nickname,
-- checkSig,
-- (certificateUsage == null) ? 0:certificateUsage.getUsage());
-+ // 0 certificate usage will get current usage
-+ // should call isCertValid() call above that returns certificate usage
-+ if ((certificateUsage == null) ||
-+ (certificateUsage == CertificateUsage.CheckAllUsages)){
-+ int currCertificateUsage = 0x0000;
-+ currCertificateUsage = verifyCertificateNowCUNative(nickname,
-+ checkSig);
-+
-+ if (currCertificateUsage == CertificateUsage.basicCertificateUsages){
-+ // cert is good for nothing
-+ return false;
-+ } else
-+ return true;
-+ } else {
-+ return verifyCertificateNowNative(nickname, checkSig,
-+ certificateUsage.getUsage());
-+ }
- }
-
- private native boolean verifyCertificateNowNative(String nickname,
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-12-21 12:36:29.023129000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-12-21 16:03:34.599742000 -0800
-@@ -1574,18 +1574,16 @@ finish:
- }
- }
-
-+
- /***********************************************************************
-- * CryptoManager.verifyCertificateNowNative
-- *
-- * Returns JNI_TRUE if success, JNI_FALSE otherwise
-+ * CryptoManager.verifyCertificateNow
- */
--JNIEXPORT jboolean JNICALL
--Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
-- jobject self, jstring nickString, jboolean checkSig,
jint required_certificateUsage)
-+SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString,
-+ jboolean checkSig, jint required_certificateUsage,
-+ SECCertificateUsage *currUsage)
- {
- SECStatus rv = SECFailure;
- SECCertificateUsage certificateUsage;
-- SECCertificateUsage currUsage; /* unexposed for now */
- CERTCertificate *cert=NULL;
- char *nickname=NULL;
-
-@@ -1602,12 +1600,28 @@ Java_org_mozilla_jss_CryptoManager_verif
- JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
- goto finish;
- } else {
-- /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
-- * just get the current usage (which we are not passing back for now
-- * but will bypass the certificate usage check
-+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
-+ * retrieve the current valid usage into currUsage
- */
- rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
-- checkSig, certificateUsage, NULL, &currUsage );
-+ checkSig, certificateUsage, NULL, currUsage );
-+ if ((rv == SECSuccess) && certificateUsage == 0x0000) {
-+ if (*currUsage ==
-+ ( certUsageUserCertImport |
-+ certUsageVerifyCA |
-+ certUsageProtectedObjectSigner |
-+ certUsageAnyCA )) {
-+
-+ /* the cert is good for nothing
-+ The folllowing usages cannot be verified:
-+ certUsageAnyCA
-+ certUsageProtectedObjectSigner
-+ certUsageUserCertImport
-+ certUsageVerifyCA
-+ (0x0b80) */
-+ rv =SECFailure;
-+ }
-+ }
- }
-
- finish:
-@@ -1617,6 +1631,49 @@ finish:
- if(cert != NULL) {
- CERT_DestroyCertificate(cert);
- }
-+
-+ return rv;
-+}
-+
-+/***********************************************************************
-+ * CryptoManager.verifyCertificateNowCUNative
-+ *
-+ * Returns jint which contains bits in SECCertificateUsage that reflects
-+ * the cert usage(s) that the cert is good for
-+ * if the cert is good for nothing, returned value is
-+ * (0x0b80):
-+ * certUsageUserCertImport |
-+ * certUsageVerifyCA |
-+ * certUsageProtectedObjectSigner |
-+ * certUsageAnyCA
-+
*/
-+JNIEXPORT jint JNICALL
-+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
-+ jobject self, jstring nickString, jboolean checkSig)
-+{
-+ SECStatus rv = SECFailure;
-+ SECCertificateUsage currUsage = 0x0000;
-+
-+ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);
-+ /* rv is ignored */
-+
-+ return currUsage;
-+}
-+
-+/***********************************************************************
-+ * CryptoManager.verifyCertificateNowNative
-+ *
-+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
-+ */
-+JNIEXPORT jboolean JNICALL
-+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
-+ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
-+{
-+ SECStatus rv = SECFailure;
-+ SECCertificateUsage currUsage = 0x0000;
-+
-+ rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
-+
- if( rv == SECSuccess) {
- return JNI_TRUE;
- } else {
-@@ -1624,7 +1681,6 @@ finish:
- }
- }
-
--
- /***********************************************************************
- * CryptoManager.verifyCertNowNative
- * note: this calls obsolete NSS function
diff --git a/jss-WindowsCompileFix.patch b/jss-WindowsCompileFix.patch
deleted file mode 100644
index 20e2ea3..0000000
--- a/jss-WindowsCompileFix.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfu 2015-04-23 13:25:45.104249135 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2015-04-23 13:39:29.958813779 -0700
-@@ -49,10 +49,12 @@
-
- #ifdef WINNT
- #include
-+#define AF_INET6 23
- #endif
-
- #ifdef WIN32
- #include
-+#define AF_INET6 23
- #endif
-
-
-@@ -66,6 +68,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_setSS
- {
- SECStatus status;
- SSLVersionRange vrange;
-+ SSLVersionRange supported_range;
-
- if (ssl_variant <0 || ssl_variant >= JSSL_enums_size||
- min <0 || min >= JSSL_enums_size ||
-@@ -80,7 +83,6 @@ Java_org_mozilla_jss_ssl_SSLSocket_setSS
- vrange.max = JSSL_enums[max];
-
- /* get supported range */
-- SSLVersionRange supported_range;
- status = SSL_VersionRangeGetSupported(JSSL_enums[ssl_variant],
- &supported_range);
- if( status != SECSuccess ) {
diff --git a/jss-WindowsLoadLibrary.patch b/jss-WindowsLoadLibrary.patch
deleted file mode 100644
index 23b8913..0000000
--- a/jss-WindowsLoadLibrary.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.cfu 2015-07-08 12:02:13.192000000 +0200
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2015-07-08 12:04:56.213000000 +0200
-@@ -1404,17 +1404,23 @@ public final class CryptoManager impleme
- synchronized static void loadNativeLibraries()
- {
- if( ! mNativeLibrariesLoaded ) {
-- try {
-+ try { // 64 bit rhel/fedora
- System.load( "/usr/lib64/jss/libjss4.so" );
- Debug.trace(Debug.VERBOSE, "jss library loaded");
- mNativeLibrariesLoaded = true;
- } catch( UnsatisfiedLinkError e ) {
-- try {
-+ try { // 32 bit rhel/fedora
- System.load( "/usr/lib/jss/libjss4.so" );
- Debug.trace(Debug.VERBOSE, "jss library loaded");
- mNativeLibrariesLoaded = true;
- } catch( UnsatisfiedLinkError f ) {
-- Debug.trace(Debug.VERBOSE, "jss library load failed");
-+ try {// possibly other platforms
-+ System.loadLibrary( "jss4" );
-+ Debug.trace(Debug.VERBOSE, "jss library loaded");
-+ mNativeLibrariesLoaded = true;
-+ } catch( UnsatisfiedLinkError g ) {
-+ Debug.trace(Debug.VERBOSE, "jss library load failed");
-+ }
- }
- }
- }
diff --git a/jss-bad-error-string-pointer.patch b/jss-bad-error-string-pointer.patch
deleted file mode 100644
index 05244c3..0000000
--- a/jss-bad-error-string-pointer.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.c 2010-11-17 18:54:56.000000000 -0500
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.c 2010-11-18 09:46:34.000000000 -0500
-@@ -124,20 +124,16 @@
- /* Clean up after PR_interrupt. */
- PR_NT_CancelIo(sock->fd);
- #endif
-- JSSL_throwSSLSocketException(env,
-- "Accept operation interrupted with error code " + err);
-+ JSSL_throwSSLSocketException(env, "Accept operation interrupted");
- } else if( err == PR_IO_TIMEOUT_ERROR ) {
- #ifdef WINNT
- PR_NT_CancelIo(sock->fd);
- #endif
-- JSSL_throwSSLSocketException(env,
-- "Accept operation timed out with error code " + err);
-+ JSSL_throwSSLSocketException(env, "Accept operation timed out");
- } else if( err == PR_IO_ERROR ) {
-- JSSL_throwSSLSocketException(env,
-- "Accept operation received IO error with error code " + err);
-+ JSSL_throwSSLSocketException(env, "Accept operation received IO error");
- } else {
-- JSSL_throwSSLSocketException(env,
-- "Accept operation failed with error code " + err);
-+ JSSL_throwSSLSocketException(env, "Accept operation failed");
- }
- goto finish;
- }
diff --git a/jss-crmf-envelopedData.patch b/jss-crmf-envelopedData.patch
deleted file mode 100644
index 13c21d7..0000000
--- a/jss-crmf-envelopedData.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java.roysjosh jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java.roysjosh 2016-06-24 14:51:48.929122053 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java 2016-06-24 14:52:29.487027005 -0700
-@@ -127,7 +127,8 @@ public class EncryptedKey implements ASN
- } else {
- Assert._assert(type == ENVELOPED_DATA);
- Assert._assert(envelopedData != null);
-- envelopedData.encode(implicitTag, ostream);
-+ EXPLICIT explicit = new EXPLICIT( new Tag(0), envelopedData );
-+ explicit.encode(tag, ostream);
- }
- }
-
-@@ -147,7 +148,9 @@ public class EncryptedKey implements ASN
- choicet = new CHOICE.Template();
-
- choicet.addElement( EncryptedValue.getTemplate() );
-- choicet.addElement( new Tag(0), ANY.getTemplate() );
-+ choicet.addElement( new EXPLICIT.Template(
-+ new Tag(0),
-+ ANY.getTemplate() ));
- }
-
- public boolean tagMatch(Tag tag) {
-@@ -164,7 +167,7 @@ public class EncryptedKey implements ASN
- return new EncryptedKey( (EncryptedValue) choice.getValue() );
- } else {
- Assert._assert( choice.getTag().equals(new Tag(0)) );
-- return new EncryptedKey( (ANY) choice.getValue() );
-+ return new EncryptedKey( (ANY) ((EXPLICIT) choice.getValue()).getContent() );
- }
-
- } catch(InvalidBERException e) {
diff --git a/jss-eliminate-java-compiler-warnings.patch b/jss-eliminate-java-compiler-warnings.patch
deleted file mode 100644
index 1df99d3..0000000
--- a/jss-eliminate-java-compiler-warnings.patch
+++ /dev/null
@@ -1,641 +0,0 @@
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2011-08-10 16:21:30.837765000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2011-08-12 13:13:34.449664000 -0700
-@@ -1125,7 +1125,7 @@ public final class CryptoManager impleme
- * Imports a single certificate into the permanent certificate
- * database.
- *
-- * @param derCert the certificate you want to add
-+ * @param cert the certificate you want to add
- * @param nickname the nickname you want to refer to the certificate as
- * (must not be null)
- */
-@@ -1391,11 +1391,11 @@ public final class CryptoManager impleme
- public static final String
- JAR_JDK_VERSION = "JDK_VERSION = N/A";
- public static final String
-- JAR_NSS_VERSION = "NSS_VERSION = NSS_3_11_9_RTM";
-+ JAR_NSS_VERSION = "NSS_VERSION = N/A";
- public static final String
- JAR_DBM_VERSION = "DBM_VERSION = N/A";
- public static final String
-- JAR_NSPR_VERSION = "NSPR_VERSION = NSPR_4_7_RTM";
-+ JAR_NSPR_VERSION = "NSPR_VERSION = N/A";
-
- /**
- * Loads the JSS dynamic library if necessary.
-@@ -1433,8 +1433,8 @@ public final class CryptoManager impleme
- * this thread's token to null will also cause the
- * InternalKeyStorageToken to be used.
- *
-- * @param The token to use for crypto operations. Specifying null
-- * will cause the InternalKeyStorageToken to be used.
-+ * @param token The token to use for crypto operations. Specifying
-+ * null will cause the InternalKeyStorageToken to be used.
- */
- public void setThreadToken(CryptoToken token) {
- if( token != null ) {
-@@ -1579,7 +1579,7 @@ public final class CryptoManager impleme
- * Verify a certificate in memory. Check if
- * valid and that we trust the issuer. Verify time
- * against Now.
-- * @param certificate in memory
-+ * @param certPackage certificate in memory
- * @param checkSig verify the signature of the certificate
- * @param certUsage see exposed certUsage defines to verify Certificate
- * @return true for success; false otherwise
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java 2011-08-10 17:29:33.476661000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java 2011-08-12 11:00:26.456852000 -0700
-@@ -51,7 +51,7 @@ public final class JSSProvider extends j
-
- private static int JSS_MAJOR_VERSION = 4;
- private static int JSS_MINOR_VERSION = 2;
-- private static int JSS_PATCH_VERSION = 5;
-+ private static int JSS_PATCH_VERSION = 6;
- private static double JSS_VERSION = JSS_MAJOR_VERSION +
- (JSS_MINOR_VERSION * 100 +
- JSS_PATCH_VERSION)/10000.0;
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2004-04-25 08:02:21.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2011-08-12 13:10:50.781827000 -0700
-@@ -144,8 +144,8 @@ public abstract class Cipher {
- * B is the block size, the padding string consists of
- * B - (M mod B) octets, each having the value
- * B - (M mod B).
-- * @param The block size of the encryption algorithm. Must be greater
-- * than zero.
-+ * @param blockSize The block size of the encryption algorithm.
-+ * Must be greater than zero.
- * @see #unPad
- */
- public static byte[]
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2007-11-09 16:37:56.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2011-08-12 11:07:20.326438000 -0700
-@@ -194,7 +194,7 @@ public interface CryptoToken {
- * Login to the token. If a token is logged in, it will not trigger
- * password callbacks.
- *
-- * @param password The password for this token.
-+ * @param pwcb The password callback for this token.
- * @exception IncorrectPasswordException If the supplied password is
- * incorrect.
- * @see #setLoginMode
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2004-04-25 08:02:21.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2011-08-12 11:08:37.747360000 -0700
-@@ -88,7 +88,7 @@ public abstract class JSSMessageDigest {
- * Completes digestion.
- *
- * @return The, ahem, output of the digest operation.
-- * @param If an error occurs while digesting.
-+ * @exception DigestException If an error occurs while digesting.
- */
- public byte[] digest() throws DigestException {
- byte[] output = new byte[getOutputSize()];
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java 2004-04-25 08:02:21.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java 2011-08-12 11:09:41.345296000 -0700
-@@ -60,7 +60,7 @@ public class PBEKeyGenParams implements
- * Must not be null. It is the responsibility of the caller to
- * use the right salt length for the algorithm. Most algorithms
- * use 8 bytes of salt.
-- * @param The iteration count for the PBE algorithm.
-+ * @param iterations The iteration count for the PBE algorithm.
- */
- public PBEKeyGenParams(Password pass, byte[] salt, int iterations) {
- if(pass==null || salt==null) {
-@@ -80,7 +80,7 @@ public class PBEKeyGenParams implements
- * Must not be null. It is the responsibility of the caller to
- * use the right salt length for the algorithm. Most algorithms
- * use 8 bytes of salt.
-- * @param The iteration count for the PBE algorithm.
-+ * @param iterations The iteration count for the PBE algorithm.
- */
- public PBEKeyGenParams(char[] pass, byte[] salt, int iterations) {
- if(pass==null || salt==null) {
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2007-11-09 16:37:57.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-08-12 11:13:51.807047000 -0700
-@@ -228,8 +228,8 @@ public final class PK11Token implements
- * Initialize PIN. This sets the user's new PIN, using the current
- * security officer PIN for authentication.
- *
-- * @param ssopw The security officer's current password.
-- * @param userpw The user's new password.
-+ * @param ssopwcb The security officer's current password callback.
-+ * @param userpwcb The user's new password callback.
- * @exception IncorrectPinException If the security officer PIN is
- * incorrect.
- * @exception TokenException If the PIN was already initialized,
-@@ -322,8 +322,8 @@ public final class PK11Token implements
- * Change password. This changes the user's PIN after it has already
- * been initialized.
- *
-- * @param oldPIN The user's old PIN.
-- * @param newPIN The new PIN.
-+ * @param oldPINcb The user's old PIN callback.
-+ * @param newPINcb The new PIN callback.
- * @exception IncorrectPasswordException If the old PIN is incorrect.
- * @exception TokenException If some other error occurs on the token.
- *
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java 2005-09-22 10:58:35.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java 2011-08-12 11:14:44.011995000 -0700
-@@ -288,7 +288,7 @@ public final class SafeBag implements AS
- * as the nickname of the associated cert.
- * @param localKeyID The localKeyID for the key; should be the same as
- * the localKeyID of the associated cert.
-- * @param The password used to encrypt the private key.
-+ * @param password The password used to encrypt the private key.
- */
- public static SafeBag
- createEncryptedPrivateKeyBag(PrivateKeyInfo privk, String friendlyName,
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java 2004-04-25 08:02:23.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java 2011-08-12 11:12:13.957145000 -0700
-@@ -430,7 +430,6 @@ public class SignerInfo implements ASN1V
- * SignerInfo.
- * @param contentType The type of the content that is signed by this
- * SignerInfo.
-- * @param pubkey The public key to use to verify the signature.
- * @exception NoSuchObjectException If no certificate matching the
- * the issuer name and serial number can be found.
- */
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java 2004-11-18 14:56:11.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java 2011-08-12 11:20:39.240639000 -0700
-@@ -108,7 +108,7 @@ public class CMCStatusInfo implements AS
- * @param status A CMCStatus constant.
- * @param bodyList The sequence of bodyPartID.
- * @param statusString A String.
-- * @param OtherInfo The OtherInfo choice.
-+ * @param otherInfo The OtherInfo choice.
- */
- public CMCStatusInfo(int status, SEQUENCE bodyList, String
- statusString, OtherInfo otherInfo) {
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java 2006-05-23 20:18:17.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java 2011-08-12 11:21:27.389591000 -0700
-@@ -88,7 +88,6 @@ public class PKIStatusInfo implements AS
- /**
- * Create a PKIStatusInfo with no failure info.
- * @param status A PKIStatus constant.
-- * @param failInfo The bitwise AND of the PKIFailureInfo constants.
- */
- public PKIStatusInfo(int status) {
- this.status = new INTEGER(status);
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java 2004-04-25 08:02:26.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java 2011-08-12 11:20:11.194667000 -0700
-@@ -115,10 +115,6 @@ public class DirectoryString implements
-
- /**
- * Converts an ASN.1 DirectoryString to a Java string.
-- *
-- * @param dirstr An ANY containing a BER-encoded DirectoryString.
-- * @exception InvalidBERException If the encoding does not contain a
-- * valid DirectoryString.
- */
- public String toString() {
- return asn1String.toString();
-@@ -176,6 +172,8 @@ public class DirectoryString implements
- /**
- * @param implicitTag This paramter is ignored, because
- * DirectoryStrings (being CHOICEs) cannot have implicit tags.
-+ * @exception InvalidBERException If the encoding does not contain a
-+ * valid DirectoryString.
- */
- public ASN1Value decode(Tag implicitTag, InputStream istream)
- throws IOException, InvalidBERException
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java 2003-04-28 14:48:33.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java 2011-08-12 10:58:39.589958000 -0700
-@@ -91,14 +91,18 @@ class JSSSecretKeyFactorySpi extends Sec
- // versions is to use the reflection API.
- Class specClass = spec.getClass();
- try {
-- Method getSaltMethod = specClass.getMethod("getSalt", null);
-+ Method getSaltMethod = specClass.getMethod("getSalt",
-+ (java.lang.Class) null);
- Method getIterationMethod =
-- specClass.getMethod("getIterationCount", null);
-+ specClass.getMethod("getIterationCount",
-+ (java.lang.Class) null);
-
-- byte[] salt = (byte[]) getSaltMethod.invoke(spec, null);
-+ byte[] salt = (byte[]) getSaltMethod.invoke(spec,
-+ (java.lang.Class) null);
-
- Integer itCountObj =
-- (Integer) getIterationMethod.invoke(spec,null);
-+ (Integer) getIterationMethod.invoke(spec,
-+ (java.lang.Class) null);
- int iterationCount = itCountObj.intValue();
-
- Password pass = new Password(spec.getPassword());
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2011-08-10 16:21:30.412765000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2011-08-12 11:47:38.385021000 -0700
-@@ -182,11 +182,11 @@ public class SSLSocket extends java.net.
- }
-
- /**
-- * Creates an SSL client socket and connects to the specified host and
-+ * Creates an SSL client socket and connects to the specified address and
- * port. Binds to the given local address and port. Installs the given
- * callbacks for certificate approval and client certificate selection.
- *
-- * @param host The hostname to connect to.
-+ * @param address The IP address to connect to.
- * @param port The port to connect to.
- * @param localAddr The local address to bind to. It can be null, in which
- * case an unspecified local address will be chosen.
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java 2006-02-23 08:47:17.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java 2011-08-12 13:11:11.790805000 -0700
-@@ -96,7 +96,7 @@ public class HMACTest {
-
- /**
- * Main test method.
-- * @params args[]
-+ * @param argv
- */
- public static void main(String []argv) {
-
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2011-08-10 16:21:30.337766000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2011-08-12 11:53:56.192644000 -0700
-@@ -116,9 +116,9 @@ public class JCASymKeyGen {
- }
- /**
- *
-- * @param key
-- * @param kg
-- * @return
-+ * @param keyType
-+ * @param provider
-+ * @return javax.crypto.SecretKey key
- */
- public javax.crypto.SecretKey genSecretKey(String keyType, String provider){
- javax.crypto.SecretKey key = null;
-@@ -155,7 +155,7 @@ public class JCASymKeyGen {
- *
- * @param keyType
- * @param provider
-- * @return
-+ * @return javax.crypto.SecretKey key
- */
- public javax.crypto.SecretKey genPBESecretKey(String keyType,
- String provider){
-@@ -197,8 +197,10 @@ public class JCASymKeyGen {
- /**
- *
- * @param sKey
-- * @param AlgType
-- * @param provider
-+ * @param algFamily
-+ * @param algType
-+ * @param providerForEncrypt
-+ * @param providerForDecrypt
- */
- public void testCipher(javax.crypto.SecretKey sKey, String algFamily,
- String algType, String providerForEncrypt, String providerForDecrypt)
-@@ -304,8 +306,10 @@ public class JCASymKeyGen {
- /**
- *
- * @param sKey
-- * @param AlgType
-- * @param provider
-+ * @param algFamily
-+ * @param algType
-+ * @param providerForEncrypt
-+ * @param providerForDecrypt
- */
- public void testMultiPartCipher(javax.crypto.SecretKey sKey, String algFamily,
- String algType, String providerForEncrypt, String providerForDecrypt)
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java 2007-11-15 13:30:19.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java 2011-08-12 12:56:15.480701000 -0700
-@@ -78,7 +78,7 @@ public class JSSE_SSLClient {
-
- /**
- * Set the protocol type and revision
-- * @param String sslRevision
-+ * @param fSslRevision
- */
- public void setSslRevision(String fSslRevision) {
-
-@@ -91,7 +91,7 @@ public class JSSE_SSLClient {
-
- /**
- * Set the host name to connect to.
-- * @param String hostname
-+ * @param fHost
- */
- public void setHost(String fHost) {
- this.host = fHost;
-@@ -99,7 +99,7 @@ public class JSSE_SSLClient {
-
- /**
- * Set the port number to connect to.
-- * @param int portnumber
-+ * @param fPort
- */
- public void setPort(int fPort) {
- this.port = fPort;
-@@ -107,7 +107,7 @@ public class JSSE_SSLClient {
-
- /**
- * Set the cipher suite name to use.
-- * @param String cipherSuiteName
-+ * @param fCipherSuite
- */
- public void setCipherSuite(String fCipherSuite) {
- this.cipherName = fCipherSuite;
-@@ -115,7 +115,7 @@ public class JSSE_SSLClient {
-
- /**
- * Set the location of rsa.pfx
-- * @param String fKeystoreLoc
-+ * @param fKeystoreLoc
- */
- public void setKeystoreLoc(String fKeystoreLoc) {
- keystoreLoc = fKeystoreLoc + "/" + keystoreLoc;
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java 2007-11-15 13:30:19.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java 2011-08-12 12:57:18.987637000 -0700
-@@ -75,7 +75,7 @@ public class JSSE_SSLServer {
-
- /**
- * Set the provider to use.
-- * @param String p
-+ * @param p
- */
- public void setProvider(String p) {
- provider = p;
-@@ -90,7 +90,7 @@ public class JSSE_SSLServer {
- }
- /**
- * Set the location of keystore file.
-- * @param String fconfigDir
-+ * @param fconfigDir
- */
- public void setKeystore(String fconfigDir) {
- configDir = fconfigDir;
-@@ -117,7 +117,7 @@ public class JSSE_SSLServer {
-
- /**
- * Start SSLServer and accept connections.
-- * @param args[]
-+ * @param args
- */
- public void startSSLServer(String[] args) throws Exception {
- String configDir = "";
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java 2005-08-11 11:28:59.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java 2011-08-12 12:50:45.946239000 -0700
-@@ -79,7 +79,7 @@ public class JSS_FileUploadClient {
- /**
- * Initialize the desired cipher to be set
- * on the socket.
-- * @param int Cipher
-+ * @param aCipher
- */
- public void setCipher(int aCipher) {
- fCipher = aCipher;
-@@ -87,7 +87,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Initialize the hostname to run the server
-- * @param String ServerName
-+ * @param aHostName
- */
- public void setHostName(String aHostName) {
- serverHost = aHostName;
-@@ -95,7 +95,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Initialize the port to run the server
-- * @param int port
-+ * @param aPort
- */
- public void setPort(int aPort) {
- port = aPort;
-@@ -103,7 +103,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Initialize the passwords file name
-- * @param String passwords
-+ * @param aPasswordFile
- */
- public void setPasswordFile(String aPasswordFile) {
- fPasswordFile = aPasswordFile;
-@@ -111,7 +111,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Initialize the cert db path name
-- * @param String CertDbPath
-+ * @param aCertDbPath
- */
- public void setCertDbPath(String aCertDbPath) {
- fCertDbPath = aCertDbPath;
-@@ -120,7 +120,7 @@ public class JSS_FileUploadClient {
- /**
- * Initialize the name of the file to
- * be used for testing along with full path.
-- * @param String UploadFile
-+ * @param aUploadFile
- */
- public void setUploadFile(String aUploadFile) {
- fUploadFile = aUploadFile;
-@@ -128,7 +128,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Enable/disable Test Cert Callback.
-- * @param boolean
-+ * @param aTestCertCallback
- */
- public void setTestCertCallback(boolean aTestCertCallback) {
- TestCertCallBack = aTestCertCallback;
-@@ -136,7 +136,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Set client certificate
-- * @param String Certificate Nick Name
-+ * @param aClientCertNick Certificate Nick Name
- */
- public void setClientCertNick(String aClientCertNick) {
- clientCertNick = aClientCertNick;
-@@ -170,7 +170,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Set EOF for closinng server socket
-- * @param null for closing server socket
-+ * @param fEof null for closing server socket
- */
- public void setEOF(String fEof) {
- this.EOF = fEof;
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java 2007-08-20 17:07:58.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java 2011-08-12 12:54:46.978789000 -0700
-@@ -99,7 +99,7 @@ public class JSS_SSLClient {
- /**
- * Initialize the desired cipher to be set
- * on the socket.
-- * @param int Cipher
-+ * @param aCipher
- */
- public void setCipher(int aCipher) {
- fCipher = aCipher;
-@@ -107,7 +107,7 @@ public class JSS_SSLClient {
-
- /**
- * Initialize the hostname to run the server
-- * @param String ServerName
-+ * @param aHostName
- */
- public void setHostName(String aHostName) {
- serverHost = aHostName;
-@@ -115,7 +115,7 @@ public class JSS_SSLClient {
-
- /**
- * Initialize the port to run the server
-- * @param int port
-+ * @param aPort
- */
- public void setPort(int aPort) {
- port = aPort;
-@@ -123,7 +123,7 @@ public class JSS_SSLClient {
-
- /**
- * Initialize the passwords file name
-- * @param String passwords
-+ * @param aPasswordFile
- */
- public void setPasswordFile(String aPasswordFile) {
- fPasswordFile = aPasswordFile;
-@@ -131,7 +131,7 @@ public class JSS_SSLClient {
-
- /**
- * Initialize the cert db path name
-- * @param String CertDbPath
-+ * @param aCertDbPath
- */
- public static void setCertDbPath(String aCertDbPath) {
- fCertDbPath = aCertDbPath;
-@@ -147,7 +147,7 @@ public class JSS_SSLClient {
-
- /**
- * Enable/disable Test Cert Callback.
-- * @param boolean
-+ * @param bypass
- */
- public void setBypass(boolean bypass) {
- testBypass = bypass;
-@@ -155,7 +155,7 @@ public class JSS_SSLClient {
-
- /**
- * Enable/disable Test Cert Callback.
-- * @param boolean
-+ * @param aTestCertCallback
- */
- public void setTestCertCallback(boolean aTestCertCallback) {
- TestCertCallBack = aTestCertCallback;
-@@ -163,7 +163,7 @@ public class JSS_SSLClient {
-
- /**
- * Set client certificate
-- * @param String Certificate Nick Name
-+ * @param aClientCertNick Certificate Nick Name
- */
- public void setClientCertNick(String aClientCertNick) {
- clientCertNick = aClientCertNick;
-@@ -197,7 +197,7 @@ public class JSS_SSLClient {
-
- /**
- * Set EOF for closinng server socket
-- * @param null for closing server socket
-+ * @param fEof null for closing server socket
- */
- public void setEOF(String fEof) {
- this.EOF = fEof;
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java 2007-11-15 13:30:19.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java 2011-08-12 12:52:43.644913000 -0700
-@@ -326,7 +326,7 @@ public class JSS_SelfServClient implemen
- /**
- * Initialize the desired ciphersuite to be set
- * on the socket.
-- * @param int Cipher
-+ * @param aCipher
- */
- public void setCipher(int aCipher) {
-
-@@ -378,7 +378,7 @@ public class JSS_SelfServClient implemen
-
- /**
- * Initialize the hostname to run the server
-- * @param String ServerName
-+ * @param aHostName
- */
- public void setHostName(String aHostName) {
- serverHost = aHostName;
-@@ -386,7 +386,7 @@ public class JSS_SelfServClient implemen
-
- /**
- * Initialize the port to run the server
-- * @param int port
-+ * @param aPort
- */
- public void setPort(int aPort) {
- port = aPort;
-@@ -394,7 +394,7 @@ public class JSS_SelfServClient implemen
-
- /**
- * Initialize the passwords file name
-- * @param String passwords
-+ * @param aPasswordFile
- */
- public void setPasswordFile(String aPasswordFile) {
- fPasswordFile = aPasswordFile;
-@@ -402,7 +402,7 @@ public class JSS_SelfServClient implemen
-
- /**
- * Initialize the cert db path name
-- * @param String CertDbPath
-+ * @param aCertDbPath
- */
- public void setCertDbPath(String aCertDbPath) {
- fCertDbPath = aCertDbPath;
-@@ -410,7 +410,7 @@ public class JSS_SelfServClient implemen
-
- /**
- * Enable/disable Test Cert Callback.
-- * @param boolean
-+ * @param aTestCertCallback
- */
- public void setTestCertCallback(boolean aTestCertCallback) {
- TestCertCallBack = aTestCertCallback;
-@@ -418,7 +418,7 @@ public class JSS_SelfServClient implemen
-
- /**
- * Set client certificate
-- * @param String Certificate Nick Name
-+ * @param aClientCertNick Certificate Nick Name
- */
- public void setClientCertNick(String aClientCertNick) {
- clientCertNick = aClientCertNick;
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 2007-08-23 16:21:13.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 2011-08-12 12:58:27.925569000 -0700
-@@ -78,7 +78,7 @@ public class SSLClientAuth implements Ru
- * @param rand
- * @param extensions
- * @throws java.lang.Exception
-- * @return
-+ * @return Certificate
- */
- public static Certificate makeCert(String issuerName, String subjectName,
- int serialNumber, PrivateKey privKey, PublicKey pubKey, int rand,
diff --git a/jss-eliminate-native-compiler-warnings.patch b/jss-eliminate-native-compiler-warnings.patch
deleted file mode 100644
index d981eb7..0000000
--- a/jss-eliminate-native-compiler-warnings.patch
+++ /dev/null
@@ -1,621 +0,0 @@
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-08-10 16:21:30.609765000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-08-11 17:54:57.255176000 -0700
-@@ -55,7 +55,7 @@
-
- #include "pk11util.h"
-
--#if defined(AIX) || defined(HPUX) || defined(LINUX)
-+#if defined(AIX) || defined(HPUX)
- #include
- #endif
-
-@@ -90,11 +90,11 @@ const char * jss_sccsid() {
- /********************************************************************/
-
- /* JSS_VERSION from mozilla/security/jss/org/mozilla/jss/util/jssver.h */
--static const char* DLL_JSS_VERSION = "JSS_VERSION = " JSS_VERSION;
-+static const char* VARIABLE_MAY_NOT_BE_USED DLL_JSS_VERSION = "JSS_VERSION = " JSS_VERSION;
- /* NSS_VERSION from mozilla/security/nss/lib/nss/nss.h */
--static const char* DLL_NSS_VERSION = "NSS_VERSION = " NSS_VERSION;
-+static const char* VARIABLE_MAY_NOT_BE_USED DLL_NSS_VERSION = "NSS_VERSION = " NSS_VERSION;
- /* NSPR_version from mozilla/nsprpub/pr/include/prinit.h */
--static const char* DLL_NSPR_VERSION = "NSPR_VERSION = " PR_VERSION;
-+static const char* VARIABLE_MAY_NOT_BE_USED DLL_NSPR_VERSION = "NSPR_VERSION = " PR_VERSION;
-
-
-
-@@ -106,13 +106,13 @@ static char*
- getPWFromCallback(PK11SlotInfo *slot, PRBool retry, void *arg);
-
- /*************************************************************
-- * AIX, HP, and Linux signal handling madness
-+ * AIX and HP signal handling madness
- *
- * In order for the JVM, kernel, and NSPR to work together, we setup
- * a signal handler for SIGCHLD that does nothing. This is only done
-- * on AIX, HP, and Linux.
-+ * on AIX and HP.
- *************************************************************/
--#if defined(AIX) || defined(HPUX) || defined(LINUX)
-+#if defined(AIX) || defined(HPUX)
-
- static PRStatus
- handleSigChild(JNIEnv *env) {
-@@ -333,8 +333,6 @@ Java_org_mozilla_jss_CryptoManager_initi
- jboolean initializeJavaOnly )
- {
- SECStatus rv = SECFailure;
-- JavaVM *VMs[5];
-- jint numVMs;
- char *szConfigDir = NULL;
- char *szCertPrefix = NULL;
- char *szKeyPrefix = NULL;
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-08-10 16:21:30.849767000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-08-10 18:22:37.887077000 -0700
-@@ -263,7 +263,7 @@ JNIEXPORT jobject JNICALL
- Java_org_mozilla_jss_CryptoManager_findPrivKeyByCertNative
- (JNIEnv *env, jobject this, jobject Cert)
- {
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread=NULL;
- CERTCertificate *cert;
- PK11SlotInfo *slot;
- SECKEYPrivateKey *privKey=NULL;
-@@ -458,7 +458,7 @@ JNIEXPORT jobjectArray JNICALL
- Java_org_mozilla_jss_CryptoManager_buildCertificateChainNative
- (JNIEnv *env, jobject this, jobject leafCert)
- {
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread=NULL;
- CERTCertificate *leaf;
- jobjectArray chainArray=NULL;
- CERTCertDBHandle *certdb;
-@@ -812,7 +812,7 @@ Java_org_mozilla_jss_CryptoManager_impor
- SECItem *derCerts=NULL;
- int certi= -1;
- SECItem theDerCert;
-- int numCerts;
-+ int numCerts = 0;
- jbyte *packageBytes=NULL;
- jsize packageLen;
- SECStatus status;
-@@ -1486,7 +1486,7 @@ Java_org_mozilla_jss_CryptoManager_impor
- CERTSignedCrl *crl = NULL;
- SECItem *packageItem = NULL;
- int status = SECFailure;
-- char *url;
-+ char *url = NULL;
- char *errmsg = NULL;
-
- /***************************************************
-@@ -1651,7 +1651,7 @@ JNIEXPORT jint JNICALL
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
- jobject self, jstring nickString, jboolean checkSig)
- {
-- SECStatus rv = SECFailure;
-+ SECStatus VARIABLE_MAY_NOT_BE_USED rv = SECFailure;
- SECCertificateUsage currUsage = 0x0000;
-
- rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);
-@@ -1736,7 +1736,6 @@ Java_org_mozilla_jss_CryptoManager_verif
- SECStatus rv = SECFailure;
- SECCertUsage certUsage;
- SECItem *derCerts[2];
-- SECStatus status;
- CERTCertificate **certArray = NULL;
- CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
-
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c 2003-12-19 11:36:30.000000000 -0800
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c 2011-08-10 16:58:52.527501000 -0700
-@@ -358,7 +358,6 @@ Java_org_mozilla_jss_SecretDecoderRing_K
- {
- PK11SlotInfo *slot = NULL;
- PK11SymKey *symk = NULL;
-- SECStatus status;
-
- /* get the slot */
- if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS ) {
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c 2004-04-25 08:02:21.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c 2011-08-11 09:40:34.001421000 -0700
-@@ -371,7 +371,7 @@ Java_org_mozilla_jss_crypto_PQGParams_pa
- /***********************************************************************
- * Perform the verification.
- */ -- if( PK11_PQG_VerifyParams(pParams, pVfy, &verifyResult) != PR_SUCCESS) { -+ if( PK11_PQG_VerifyParams(pParams, pVfy, &verifyResult) != SECSuccess) { - JSS_throw(env, OUT_OF_MEMORY_ERROR); - goto finish; - } -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c 2004-04-25 08:02:22.000000000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c 2011-08-10 18:30:07.942629000 -0700 -@@ -62,7 +62,7 @@ - JNIEXPORT jbyteArray JNICALL Java_org_mozilla_jss_pkcs11_PK11Cert_getEncoded - (JNIEnv *env, jobject this) - { -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - CERTCertificate *cert; - SECItem *derCert; - jbyteArray derArray=NULL; -@@ -118,9 +118,9 @@ finish: - JNIEXPORT jint JNICALL Java_org_mozilla_jss_pkcs11_PK11Cert_getVersion - (JNIEnv *env, jobject this) - { -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - CERTCertificate *cert; -- long lVersion; -+ long lVersion = 0; - - pThread = PR_AttachThread(PR_SYSTEM_THREAD, 0, NULL); - PR_ASSERT(pThread != NULL); -@@ -165,7 +165,7 @@ Java_org_mozilla_jss_pkcs11_PK11Cert_get - { - CERTCertificate *cert; - SECKEYPublicKey *pubk=NULL; -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - jobject pubKey=NULL; - - PR_ASSERT(env!=NULL && this!=NULL); -@@ -210,7 +210,7 @@ Java_org_mozilla_jss_pkcs11_CertProxy_re - (JNIEnv *env, jobject this) - { - CERTCertificate *cert; -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - - PR_ASSERT(env!=NULL && this!=NULL); - -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c 2004-04-25 08:02:22.000000000 -0700 -+++ 
alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c 2011-08-10 16:42:43.822494000 -0700 -@@ -73,7 +73,7 @@ Java_org_mozilla_jss_pkcs11_PK11Cipher_i - SECItem *iv=NULL; - PK11Context *context=NULL; - CK_ATTRIBUTE_TYPE op; -- jobject contextObj; -+ jobject contextObj = NULL; - - PR_ASSERT(env!=NULL && clazz!=NULL && keyObj!=NULL && algObj!=NULL); - -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2005-11-14 14:15:06.000000000 -0800 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-08-11 09:23:03.220470000 -0700 -@@ -207,7 +207,7 @@ finish: - } - #endif - --static void -+static void FUNCTION_MAY_NOT_BE_USED - print_secitem(SECItem *item) { - int i; - int online; -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-08-10 16:21:30.270767000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-08-10 18:33:11.773445000 -0700 -@@ -450,7 +450,7 @@ DumpItem(SECItem *item) - for (i=0; i < item->len; i++) { - printf(" %02x",data[i]); - } -- printf(" : 0x%08x %d\n", data, item->len); -+ printf(" : %8p %d\n", data, item->len); - } - - /********************************************************************** -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2006-02-22 17:21:42.000000000 -0800 -+++ 
alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-08-10 16:52:03.052910000 -0700 -@@ -562,7 +562,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - jint keyLen, jbyteArray ivBA, jint usageEnum) - { - PK11SymKey *symKey=NULL; -- CK_MECHANISM_TYPE wrappingMech, keyTypeMech; -+ CK_MECHANISM_TYPE wrappingMech=0, keyTypeMech=0; - SECItem *wrappedKey=NULL, *iv=NULL, *param=NULL; - jobject keyObj=NULL; - SECKEYPrivateKey *wrappingKey=NULL; -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2004-04-25 08:02:22.000000000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-08-10 16:52:54.951857000 -0700 -@@ -88,7 +88,6 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD - PK11Context *context = NULL; - CK_MECHANISM_TYPE mech; - SECItem param; -- PK11SlotInfo *slot=NULL; - jobject contextObj=NULL; - - mech = JSS_getPK11MechFromAlg(env, algObj); -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c 2007-02-23 09:40:21.000000000 -0800 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c 2011-08-10 16:53:28.788823000 -0700 -@@ -254,7 +254,7 @@ Java_org_mozilla_jss_pkcs11_ModuleProxy_ - { - SECMODModule *module; - -- if (JSS_getPtrFromProxy(env, this, &module) != PR_SUCCESS) { -+ if (JSS_getPtrFromProxy(env, this, (void **)&module) != PR_SUCCESS) { - ASSERT_OUTOFMEM(env); - goto finish; - } -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c ---- 
patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c 2006-04-24 18:26:42.000000000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c 2011-08-10 18:34:20.954376000 -0700 -@@ -174,7 +174,7 @@ JNIEXPORT jobject JNICALL - Java_org_mozilla_jss_pkcs11_PK11PrivKey_getKeyType - (JNIEnv *env, jobject this) - { -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - SECKEYPrivateKey *privk; - KeyType keyType; - char* keyTypeFieldName; -@@ -259,7 +259,7 @@ Java_org_mozilla_jss_pkcs11_PrivateKeyPr - (JNIEnv *env, jobject this) - { - SECKEYPrivateKey *privk; -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - - PR_ASSERT(env!=NULL && this!=NULL); - -@@ -358,7 +358,6 @@ Java_org_mozilla_jss_pkcs11_PK11PrivKey_ - (JNIEnv *env, jobject this) - { - SECKEYPrivateKey *key = NULL; -- PK11SlotInfo *slot = NULL; - SECItem *idItem = NULL; - jbyteArray byteArray = NULL; - -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2006-02-22 17:21:42.000000000 -0800 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-08-10 18:35:04.390333000 -0700 -@@ -62,7 +62,7 @@ JNIEXPORT void JNICALL Java_org_mozilla_ - (JNIEnv *env, jobject this) - { - SECKEYPublicKey *pubk; -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - - PR_ASSERT(env!=NULL && this!=NULL); - -@@ -179,7 +179,7 @@ JNIEXPORT void JNICALL - Java_org_mozilla_jss_pkcs11_PK11PubKey_verifyKeyIsOnToken - (JNIEnv *env, jobject this, jobject token) - { -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - SECKEYPublicKey *key = NULL; - PK11SlotInfo *slot = NULL; - PK11SlotInfo *keySlot = NULL; -@@ -231,7 +231,7 @@ JNIEXPORT jobject JNICALL - Java_org_mozilla_jss_pkcs11_PK11PubKey_getKeyType - (JNIEnv *env, 
jobject this)
- {
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
- SECKEYPublicKey *pubk;
- KeyType keyType;
- char* keyTypeFieldName;
-@@ -454,7 +454,7 @@ get_public_key_info
- {
- SECKEYPublicKey *pubk;
- jbyteArray byteArray=NULL;
-- SECItem *item;
-+ SECItem *item=NULL;
-
- PR_ASSERT(env!=NULL && this!=NULL);
-
-@@ -526,7 +526,6 @@ pubkFromRaw(JNIEnv *env, CK_KEY_TYPE typ
- {
- jobject pubkObj=NULL;
- SECKEYPublicKey *pubk=NULL;
-- SECStatus rv;
- SECItem *pubkDER=NULL;
-
- /* validate args */
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c 2005-01-28 11:16:11.000000000 -0800
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c 2011-08-10 18:36:05.252271000 -0700
-@@ -112,7 +112,7 @@ Java_org_mozilla_jss_pkcs11_PK11SecureRa
- * "C" data members
- */
-
-- PRThread* pThread = NULL;
-+ PRThread* VARIABLE_MAY_NOT_BE_USED pThread = NULL;
- SECStatus status = PR_FALSE;
- PK11SlotInfo* slot = NULL;
-
-@@ -262,7 +262,7 @@ Java_org_mozilla_jss_pkcs11_PK11SecureRa
- * "C" data members
- */
-
-- PRThread* pThread = NULL;
-+ PRThread* VARIABLE_MAY_NOT_BE_USED pThread = NULL;
- SECStatus status = PR_FALSE;
-
-
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2006-04-03 16:09:49.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-08-10 18:38:12.365145000 -0700
-@@ -319,7 +319,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de
- (JNIEnv *env, jobject this, jobject certObject)
- {
- CERTCertificate *cert;
-- SECStatus status;
-+ SECStatus VARIABLE_MAY_NOT_BE_USED status;
-
- PR_ASSERT(env!=NULL &&
this!=NULL);
- if(certObject == NULL) {
-@@ -349,7 +349,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de
- (JNIEnv *env, jobject this, jobject certObject)
- {
- CERTCertificate *cert;
-- SECStatus status;
-+ SECStatus VARIABLE_MAY_NOT_BE_USED status;
-
- PR_ASSERT(env!=NULL && this!=NULL);
- if(certObject == NULL) {
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2004-04-25 08:02:22.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2011-08-11 09:42:52.967282000 -0700
-@@ -233,7 +233,7 @@ Java_org_mozilla_jss_pkcs11_PK11SymKey_g
- jfieldID typeField=NULL;
- jobject typeObject=NULL;
-
-- if( JSS_PK11_getSymKeyPtr(env, this, &key) != SECSuccess ) {
-+ if( JSS_PK11_getSymKeyPtr(env, this, &key) != PR_SUCCESS ) {
- ASSERT_OUTOFMEM(env);
- goto finish;
- }
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2007-11-09 16:37:57.000000000 -0800
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-08-10 18:38:52.421104000 -0700
-@@ -961,9 +961,9 @@ JNIEXPORT jstring JNICALL Java_org_mozil
- jstring keyType, jbyteArray P, jbyteArray Q, jbyteArray G)
- {
- PK11SlotInfo *slot;
-- const char* c_subject;
-+ const char* c_subject=NULL;
- jboolean isCopy;
-- unsigned char *b64request;
-+ unsigned char *b64request=NULL;
- SECItem p, q, g;
- PQGParams *dsaParams=NULL;
- const char* c_keyType;
-@@ -1080,7 +1080,7 @@ GenerateCertRequest(JNIEnv *env,
- SECStatus rv;
- PRArenaPool *arena;
- SECItem result_der, result;
-- SECItem *blob;
-+ SECItem * VARIABLE_MAY_NOT_BE_USED blob;
- CK_MECHANISM_TYPE signMech;
- CK_MECHANISM_TYPE keygenMech;
-
-diff -rupN
patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c 2003-09-24 15:20:05.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c 2011-08-10 16:57:42.991570000 -0700
-@@ -89,7 +89,6 @@ traverseTokenObjects
- SECKEYPublicKeyList* pubkList = NULL;
- PK11SymKey *symKey = NULL;
- CERTCertList *certList = NULL;
-- SECStatus secstat;
-
- /*
- * Get all private keys
-@@ -508,7 +507,6 @@ lookupCertByNickname(JNIEnv *env, jobjec
- {
- PK11SlotInfo *slot;
- EngineGetCertificateCBInfo cbinfo = {NULL,NULL};
-- jbyteArray derCertBA = NULL;
- PRStatus status = PR_FAILURE;
-
- if( alias == NULL ) goto finish;
-@@ -813,7 +811,6 @@ Java_org_mozilla_jss_provider_java_secur
- PK11SlotInfo *slot;
- EngineGetCertificateCBInfo cbinfo = {NULL,NULL};
- jboolean retVal = JNI_FALSE;
-- SECKEYPrivateKey *privk = NULL;
-
- if( alias == NULL ) goto finish;
-
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-08-10 16:21:30.395765000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-08-10 17:05:15.363117000 -0700
-@@ -397,7 +397,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_getSo
- {
- PRSocketOptionData sockOptions;
- JSSL_SocketData *sock = NULL;
-- jint retval;
-+ jint retval=-1;
- PRStatus status;
-
- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
-@@ -874,7 +874,7 @@ JNIEXPORT jint JNICALL
- Java_org_mozilla_jss_ssl_SSLSocket_socketAvailable(
- JNIEnv *env, jobject self)
- {
-- jint available;
-+ jint available=0;
- JSSL_SocketData *sock = NULL;
-
- if( JSSL_getSockData(env, self, &sock) !=
PR_SUCCESS ) {
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2011-08-10 16:21:30.434766000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2011-08-11 09:44:12.310202000 -0700
-@@ -64,7 +64,7 @@ JSSL_throwSSLSocketException(JNIEnv *env
- jmethodID excepCons;
- jobject excepObj;
- jstring msgString;
-- jint result;
-+ jint VARIABLE_MAY_NOT_BE_USED result;
-
- /*
- * get the error code and error string
-@@ -149,8 +149,8 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
- jbyteArray sdArray = NULL;
- JSSL_SocketData *sockdata = NULL;
- SECStatus status;
-- PRFileDesc *newFD;
-- PRFileDesc *tmpFD;
-+ PRFileDesc *newFD = NULL;
-+ PRFileDesc *tmpFD = NULL;
- PRFilePrivate *priv = NULL;
- int socketFamily = 0;
-
-@@ -627,7 +627,7 @@ Java_org_mozilla_jss_ssl_SocketBase_getS
- SECStatus status = SECSuccess;
- PRBool bOption = PR_FALSE;
-
-- if( JSSL_getSockData(env, self, &sock) != SECSuccess ) {
-+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
- goto finish;
- }
-
-@@ -649,7 +649,7 @@ JSSL_getSockAddr
- (JNIEnv *env, jobject self, PRNetAddr *addr, LocalOrPeer localOrPeer)
- {
- JSSL_SocketData *sock = NULL;
-- PRStatus status;
-+ PRStatus status=PR_FAILURE;
-
- /* get my fd */
- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
-@@ -893,7 +893,7 @@ JSS_SSL_processExceptions(JNIEnv *env, P
-
- finish:
- if( currentExcep != NULL && (*env)->ExceptionOccurred(env) == NULL) {
-- int ret = (*env)->Throw(env, currentExcep);
-+ int VARIABLE_MAY_NOT_BE_USED ret = (*env)->Throw(env, currentExcep);
- PR_ASSERT(ret == 0);
- }
- }
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-08-10 16:21:30.446765000
-0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-08-10 17:03:48.769206000 -0700
-@@ -92,7 +92,7 @@ writebuf(JNIEnv *env, PRFileDesc *fd, jo
- jmethodID getOutputStream, writeMethod;
- jclass sockClass, osClass;
- jobject outputStream;
-- jint arrayLen;
-+ jint arrayLen=-1;
- PRInt32 retval;
-
- /*
-@@ -211,7 +211,7 @@ jsock_write(PRFileDesc *fd, const PRIOVe
- jobject sockObj;
- JNIEnv *env;
- jbyteArray outbufArray;
-- PRInt32 retval;
-+ PRInt32 retval=-1;
-
- if( GET_ENV(fd->secret->javaVM, env) ) goto finish;
-
-@@ -500,7 +500,7 @@ static PRInt32
- jsock_recv(PRFileDesc *fd, void *buf, PRInt32 amount,
- PRIntn flags, PRIntervalTime timeout)
- {
-- PRInt32 retval;
-+ PRInt32 retval=-1;
- JNIEnv *env;
- jobject sockObj;
- jbyteArray byteArray;
-@@ -637,7 +637,7 @@ getIntProperty(JNIEnv *env, jobject sock
- {
- jclass sockClass;
- jmethodID method;
-- jint retval;
-+ jint retval=0;
-
- sockClass = (*env)->GetObjectClass(env, sock);
- if( sockClass == NULL ) goto finish;
-@@ -1001,12 +1001,6 @@ static const PRIOMethods jsockMethods =
- (PRReservedFN) invalidInt
- };
-
--static const PRIOMethods*
--getJsockMethods()
--{
-- return &jsockMethods;
--}
--
- static void
- jsockDestructor(PRFileDesc *fd)
- {
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2004-04-25 08:02:29.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-08-10 18:24:58.470937000 -0700
-@@ -115,7 +115,7 @@ void
- JSS_throwMsg(JNIEnv *env, char *throwableClassName, char *message) {
-
- jclass throwableClass;
-- jint result;
-+ jint VARIABLE_MAY_NOT_BE_USED result;
-
- /* validate arguments */
- PR_ASSERT(env!=NULL && throwableClassName!=NULL && message!=NULL);
-@@ -156,7 +156,7 @@ JSS_throw(JNIEnv *env, char *throwableCl
- jclass throwableClass;
- jobject
throwable;
- jmethodID constructor;
-- jint result;
-+ jint VARIABLE_MAY_NOT_BE_USED result;
-
- PR_ASSERT( (*env)->ExceptionOccurred(env) == NULL );
-
-@@ -222,7 +222,9 @@ JSS_throw(JNIEnv *env, char *throwableCl
- PRStatus
- JSS_getPtrFromProxy(JNIEnv *env, jobject nativeProxy, void **ptr)
- {
-+#ifdef DEBUG
- jclass nativeProxyClass;
-+#endif
- jclass proxyClass;
- jfieldID byteArrayField;
- jbyteArray byteArray;
-@@ -745,7 +747,7 @@ JSS_trace(JNIEnv *env, jint level, char
- void
- JSS_assertOutOfMem(JNIEnv *env)
- {
-- jclass memErrClass;
-+ jclass VARIABLE_MAY_NOT_BE_USED memErrClass;
- jthrowable excep;
-
- PR_ASSERT(env != NULL);
-@@ -804,7 +806,7 @@ JSS_SECItemToByteArray(JNIEnv *env, SECI
- goto finish;
- }
-
-- (*env)->SetByteArrayRegion(env, array, 0, item->len, item->data);
-+ (*env)->SetByteArrayRegion(env, array, 0, item->len, (jbyte*)item->data);
-
- finish:
- return array;
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h 2004-04-25 08:02:29.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h 2011-08-11 18:12:56.926098000 -0700
-@@ -36,6 +36,19 @@
- #ifndef JSS_NATIVE_UTIL_H
- #define JSS_NATIVE_UTIL_H
-
-+/* The following #defines are used to suppress undesired compiler warnings
-+ * that have been deemed inappropriate.
-+ *
-+ * IMPORTANT: These are ONLY used on an "as-needed" basis!
-+ */
-+#ifdef __GNUC__
-+#define FUNCTION_MAY_NOT_BE_USED __attribute__ ((unused))
-+#define VARIABLE_MAY_NOT_BE_USED __attribute__ ((unused))
-+#else
-+#define FUNCTION_MAY_NOT_BE_USED
-+#define VARIABLE_MAY_NOT_BE_USED
-+#endif
-+
- /* Need to include these first.
- * #include
- * #include
diff --git a/jss-eliminate-native-coverity-defects.patch b/jss-eliminate-native-coverity-defects.patch
deleted file mode 100644
index 68e0fad..0000000
--- a/jss-eliminate-native-coverity-defects.patch
+++ /dev/null
@@ -1,253 +0,0 @@
-diff -rupN jss-4.2.6.orig/mozilla/security/coreconf/nsinstall/pathsub.c jss-4.2.6/mozilla/security/coreconf/nsinstall/pathsub.c
---- jss-4.2.6.orig/mozilla/security/coreconf/nsinstall/pathsub.c 2004-04-25 08:02:18.000000000 -0700
-+++ jss-4.2.6/mozilla/security/coreconf/nsinstall/pathsub.c 2011-09-17 18:37:39.875900000 -0700
-@@ -275,9 +275,11 @@ diagnosePath(const char * path)
- rv = readlink(myPath, buf, sizeof buf);
- if (rv < 0) {
- perror("readlink");
-- buf[0] = 0;
-- } else {
-+ buf[0] = 0;
-+ } else if ( rv < BUFSIZ ) {
- buf[rv] = 0;
-+ } else {
-+ buf[BUFSIZ-1] = 0;
- }
- fprintf(stderr, "%s is a link to %s\n", myPath, buf);
- } else if (S_ISDIR(sb.st_mode)) {
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-09-17 17:33:08.823975000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-09-17 20:09:35.446977000 -0700
-@@ -728,14 +728,14 @@ getPWFromCallback(PK11SlotInfo *slot, PR
- }
-
- finish:
-- if( (exception=(*env)->ExceptionOccurred(env)) != NULL) {
- #ifdef DEBUG
-+ if( (exception=(*env)->ExceptionOccurred(env)) != NULL) {
- jclass giveupClass;
- jmethodID printStackTrace;
- jclass excepClass;
--#endif
-+
- (*env)->ExceptionClear(env);
--#ifdef DEBUG
-+
- giveupClass = (*env)->FindClass(env, GIVE_UP_EXCEPTION);
- PR_ASSERT(giveupClass != NULL);
- if( !
(*env)->IsInstanceOf(env, exception, giveupClass) ) {
-@@ -746,8 +746,12 @@ finish:
- PR_ASSERT( PR_FALSE );
- }
- PR_ASSERT(returnchars==NULL);
--#endif
- }
-+#else
-+ if( ((*env)->ExceptionOccurred(env)) != NULL) {
-+ (*env)->ExceptionClear(env);
-+ }
-+#endif
- return returnchars;
- }
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-09-17 17:33:08.834976000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-09-19 16:51:46.438021000 -0700
-@@ -768,6 +768,10 @@ static int find_leaf_cert(
- int *linked = NULL;
-
- linked = PR_Malloc( sizeof(int) * numCerts );
-+ if (linked == NULL) {
-+ status = 0;
-+ goto finish;
-+ }
-
- /* initialize the bitmap */
- for (i = 0; i < numCerts; i++) {
-@@ -1735,7 +1739,7 @@ Java_org_mozilla_jss_CryptoManager_verif
- {
- SECStatus rv = SECFailure;
- SECCertUsage certUsage;
-- SECItem *derCerts[2];
-+ SECItem *derCerts[2] = { NULL, NULL };
- CERTCertificate **certArray = NULL;
- CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
-
-@@ -1749,7 +1753,6 @@ Java_org_mozilla_jss_CryptoManager_verif
- }
- PR_ASSERT(certdb != NULL);
-
-- derCerts[0] = NULL;
- derCerts[0] = JSS_ByteArrayToSECItem(env, packageArray);
- derCerts[1] = NULL;
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-17 17:33:08.708976000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-17 19:37:52.834292000 -0700
-@@ -235,7 +235,7 @@ static PRStatus
- getAlgInfo(JNIEnv *env, jobject alg, JSS_AlgInfo *info)
- {
- jint index;
-- PRStatus status;
-+ PRStatus status = PR_FAILURE;
-
- PR_ASSERT(env!=NULL && alg!=NULL && info!=NULL);
-
-diff -rupN
jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-09-17 17:33:08.970975000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-09-17 19:47:21.850722000 -0700
-@@ -181,7 +181,7 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD
- PK11Context *context=NULL;
- jbyte *bytes=NULL;
- SECStatus status;
-- unsigned int outLen;
-+ unsigned int outLen = 0;
-
- if( JSS_PK11_getCipherContext(env, proxyObj, &context) != PR_SUCCESS) {
- /* exception was thrown */
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-09-17 17:33:09.013977000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-09-17 18:16:40.231161000 -0700
-@@ -273,6 +273,7 @@ Java_org_mozilla_jss_pkcs11_PK11PubKey_g
- break;
- case keaKey:
- keyTypeFieldName = KEA_KEYTYPE_FIELD;
-+ break;
- default:
- PR_ASSERT(PR_FALSE);
- keyTypeFieldName = NULL_KEYTYPE_FIELD;
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-09-17 17:33:09.032977000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-09-17 19:48:57.776628000 -0700
-@@ -390,12 +390,6 @@ importPrivateKey
- SECStatus status;
- SECItem nickname;
-
-- keyType = JSS_PK11_getKeyType(env, keyTypeObj);
-- if( keyType == nullKey ) {
-- /* exception was thrown */
-- goto finish;
-- }
--
- /*
- * initialize so we can goto finish
- */
-@@ -403,6 +397,12 @@ importPrivateKey
- derPK.len = 0;
-
-
-+ keyType = JSS_PK11_getKeyType(env,
keyTypeObj);
-+ if( keyType == nullKey ) {
-+ /* exception was thrown */
-+ goto finish;
-+ }
-+
- PR_ASSERT(env!=NULL && this!=NULL);
-
- if(keyArray == NULL) {
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-09-17 17:33:09.050976000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-09-17 19:53:46.184339000 -0700
-@@ -962,12 +962,12 @@ JNIEXPORT jstring JNICALL Java_org_mozil
- {
- PK11SlotInfo *slot;
- const char* c_subject=NULL;
-- jboolean isCopy;
-+ jboolean isCopy = JNI_FALSE;
- unsigned char *b64request=NULL;
- SECItem p, q, g;
- PQGParams *dsaParams=NULL;
- const char* c_keyType;
-- jboolean k_isCopy;
-+ jboolean k_isCopy = JNI_FALSE;
- SECOidTag signType = SEC_OID_UNKNOWN;
- PK11RSAGenParams rsaParams;
- void *params = NULL;
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-09-17 17:33:09.073977000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-09-17 19:56:20.428184000 -0700
-@@ -516,11 +516,6 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- goto finish;
- }
-
-- if( addrBAelems == NULL ) {
-- ASSERT_OUTOFMEM(env);
-- goto finish;
-- }
--
- if(addrBALen != 4 && addrBALen != 16) {
- JSSL_throwSSLSocketException(env, "Invalid address in connect!");
- goto finish;
-@@ -720,7 +715,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_getCi
- {
- JSSL_SocketData *sock=NULL;
- SECStatus status;
-- PRBool enabled;
-+ PRBool enabled = PR_FAILURE;
-
- /* get the fd */
- if( JSSL_getSockData(env, sockObj, &sock) != PR_SUCCESS) {
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c
----
jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c 2004-09-03 11:32:03.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c 2011-09-17 18:15:07.825252000 -0700
-@@ -684,17 +684,13 @@ JSSL_ConfirmExpiredPeerCert(void *arg, P
- * Now check the name field in the cert against the desired hostname.
- * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
- */
-- if( peerCert == NULL ) {
-- rv = SECFailure;
-+ char* hostname = NULL;
-+ hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */
-+ if (hostname && hostname[0]) {
-+ rv = CERT_VerifyCertName(peerCert, hostname);
-+ PORT_Free(hostname);
- } else {
-- char* hostname = NULL;
-- hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */
-- if (hostname && hostname[0]) {
-- rv = CERT_VerifyCertName(peerCert, hostname);
-- PORT_Free(hostname);
-- } else {
-- rv = SECFailure;
-- }
-+ rv = SECFailure;
- }
- }
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-09-17 17:33:09.094977000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-09-17 19:16:38.546566000 -0700
-@@ -95,6 +95,10 @@ writebuf(JNIEnv *env, PRFileDesc *fd, jo
- jint arrayLen=-1;
- PRInt32 retval;
-
-+ if( env == NULL ) {
-+ goto finish;
-+ }
-+
- /*
- * get the OutputStream
- */
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c 2002-07-03 17:25:46.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c 2011-09-18 23:02:28.130883000 -0700
-@@ -427,6 +427,7 @@ JSS_ConvertNativeErrcodeToJava(PRErrorCo
- #endif
-
- key.native = nativeErrcode;
-+ key.java = -1;
-
target = bsearch( &key, errcodeTable, numErrcodes, sizeof(Errcode),
- errcodeCompare );
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/jssutil.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-09-17 17:33:09.103977000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-09-19 16:38:19.428634000 -0700
-@@ -529,7 +529,7 @@ JSS_wipeCharArray(char* array)
- */
- static char* getPWFromConsole()
- {
-- char c;
-+ int c;
- char *ret;
- int i;
- char buf[200]; /* no buffer overflow: we bail after 200 chars */
diff --git a/jss-fixed-build-issue-on-F17-or-newer.patch b/jss-fixed-build-issue-on-F17-or-newer.patch
deleted file mode 100644
index 6ffc952..0000000
--- a/jss-fixed-build-issue-on-F17-or-newer.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -rupN jss-4.2.6.orig/mozilla/security/coreconf/config.mk jss-4.2.6/mozilla/security/coreconf/config.mk
---- jss-4.2.6.orig/mozilla/security/coreconf/config.mk 2007-05-03 23:54:05.000000000 -0700
-+++ jss-4.2.6/mozilla/security/coreconf/config.mk 2013-07-22 18:42:19.000000000 -0700
-@@ -68,8 +68,19 @@ TARGET_OSES = FreeBSD BSD_OS NetBSD Open
- ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
- include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
- else
-+ifeq ($(OS_TARGET), Linux)
-+OS_RELEASE_VER_MAJOR := $(shell echo $(OS_RELEASE) | cut -f1 -d.)
-+OS_RELEASE_VER_MINOR := $(shell echo $(OS_RELEASE) | cut -f2 -d.)
-+OS_RELEASE_GT_2_6 := $(shell [ $(OS_RELEASE_VER_MAJOR) -ge 2 -o \( $(OS_RELEASE_VER_MAJOR) -eq 2 -a $(OS_RELEASE_VER_MINOR) -ge 6 \) ] && echo true)
-+ifeq ($(OS_RELEASE_GT_2_6),true)
-+include $(CORE_DEPTH)/coreconf/Linux2.6.mk
-+else
- include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
- endif
-+else
-+include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
-+endif
-+endif
-
- #######################################################################
- # [4.0] Master "Core Components" source and release tags #
diff --git a/jss-ipv6.patch b/jss-ipv6.patch
deleted file mode 100644
index 9fd5fb9..0000000
--- a/jss-ipv6.patch
+++ /dev/null
@@ -1,623 +0,0 @@
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/lib/jss.def jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/lib/jss.def 2009-06-24 17:08:59.784371000 -0700
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-06-19 17:56:00.000000000 -0700
-@@ -175,6 +175,7 @@ Java_org_mozilla_jss_ssl_SSLServerSocket
- Java_org_mozilla_jss_ssl_SSLSocket_forceHandshake;
- Java_org_mozilla_jss_ssl_SSLSocket_getKeepAlive;
- Java_org_mozilla_jss_ssl_SSLSocket_getLocalAddressNative;
-+Java_org_mozilla_jss_ssl_SocketBase_getLocalAddressByteArrayNative;
- Java_org_mozilla_jss_ssl_SSLSocket_getPort;
- Java_org_mozilla_jss_ssl_SSLSocket_getReceiveBufferSize;
- Java_org_mozilla_jss_ssl_SSLSocket_getSendBufferSize;
-@@ -199,6 +200,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- Java_org_mozilla_jss_ssl_SSLSocket_socketWrite;
- Java_org_mozilla_jss_ssl_SocketBase_getLocalPortNative;
- Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressNative;
-+Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressByteArrayNative;
- Java_org_mozilla_jss_ssl_SocketBase_setClientCertNicknameNative;
- Java_org_mozilla_jss_ssl_SocketBase_requestClientAuthNoExpiryCheckNative;
- Java_org_mozilla_jss_ssl_SocketBase_setSSLOption;
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java 2007-03-20 15:39:28.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java 2009-06-24 13:46:49.000000000 -0700
-@@ -36,7 +36,8 @@
-
- package org.mozilla.jss.ssl;
-
--import java.net.InetAddress;
-+import java.util.*;
-+import java.net.*;
- import java.io.IOException;
- import java.net.Socket;
- import java.net.SocketException;
-@@ -138,34 +139,34 @@ public class SSLServerSocket extends jav
- super.close();
-
- // create the socket
-+
-+ int
socketFamily = SocketBase.SSL_AF_INET;
-+ if(SocketBase.supportsIPV6()) {
-+ socketFamily = SocketBase.SSL_AF_INET6;
-+ }
-+
- sockProxy = new SocketProxy(
-- base.socketCreate(this, certApprovalCallback, null) );
-+ base.socketCreate(this, certApprovalCallback, null,socketFamily) );
-
- base.setProxy(sockProxy);
-
- setReuseAddress(reuseAddr);
-
-- // bind it to the local address and port
-- if( bindAddr == null ) {
-- bindAddr = anyLocalAddr;
-- }
- byte[] bindAddrBA = null;
- if( bindAddr != null ) {
- bindAddrBA = bindAddr.getAddress();
- }
- base.socketBind(bindAddrBA, port);
-+
-+ String hostName = null;
-+ if(bindAddr != null) {
-+ hostName = bindAddr.getCanonicalHostName();
-+ }
- socketListen(backlog);
- }
-
- private native void socketListen(int backlog) throws SocketException;
-
-- private static InetAddress anyLocalAddr;
-- static {
-- try {
-- anyLocalAddr = InetAddress.getByName("0.0.0.0");
-- } catch (java.net.UnknownHostException e) { }
-- }
--
- /**
- * Accepts a connection. This call will block until a connection is made
- * or the timeout is reached.
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2007-05-08 18:40:14.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2009-06-24 13:27:15.000000000 -0700
-@@ -460,10 +460,15 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- JSSL_SocketData *sock;
- PRNetAddr addr;
- jbyte *addrBAelems = NULL;
-+ int addrBALen = 0;
- PRStatus status;
- int stat;
- const char *hostnameStr=NULL;
-
-+ jmethodID supportsIPV6ID;
-+ jclass socketBaseClass;
-+ jboolean supportsIPV6 = 0;
-+
- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) {
- /* exception was thrown */
- goto finish;
-@@ -472,16 +477,32 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- /*
- * setup the PRNetAddr structure
- */
-- addr.inet.family = AF_INET;
-- addr.inet.port = htons(port);
-- PR_ASSERT(sizeof(addr.inet.ip) == 4);
-- PR_ASSERT( (*env)->GetArrayLength(env, addrBA) == 4);
-+
-+ socketBaseClass = (*env)->FindClass(env, SOCKET_BASE_NAME);
-+ if( socketBaseClass == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+ supportsIPV6ID = (*env)->GetStaticMethodID(env, socketBaseClass,
-+ SUPPORTS_IPV6_NAME, SUPPORTS_IPV6_SIG);
-+
-+ if( supportsIPV6ID == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+
-+ supportsIPV6 = (*env)->CallStaticBooleanMethod(env, socketBaseClass,
-+ supportsIPV6ID);
-+
- addrBAelems = (*env)->GetByteArrayElements(env, addrBA, NULL);
-+ addrBALen = (*env)->GetArrayLength(env, addrBA);
-+
-+ PR_ASSERT(addrBALen != 0);
-+
- if( addrBAelems == NULL ) {
- ASSERT_OUTOFMEM(env);
- goto finish;
- }
-- memcpy(&addr.inet.ip, addrBAelems, 4);
-
- /*
- * Tell SSL the URL we think we want to connect to.
-@@ -495,6 +516,38 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- goto finish;
- }
-
-+ if( addrBAelems == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+
-+ if(addrBALen != 4 && addrBALen != 16) {
-+ JSSL_throwSSLSocketException(env, "Invalid address in connect!");
-+ goto finish;
-+ }
-+
-+ if( addrBALen == 4) {
-+ addr.inet.family = AF_INET;
-+ addr.inet.port = PR_htons(port);
-+ memcpy(&addr.inet.ip, addrBAelems, 4);
-+
-+ if(supportsIPV6) {
-+ addr.ipv6.family = AF_INET6;
-+ addr.ipv6.port = PR_htons(port);
-+ PR_ConvertIPv4AddrToIPv6(addr.inet.ip,&addr.ipv6.ip);
-+ }
-+
-+ } else { /* Must be 16 and ipv6 */
-+ if(supportsIPV6) {
-+ addr.ipv6.family = AF_INET6;
-+ addr.ipv6.port = PR_htons(port);
-+ memcpy(&addr.ipv6.ip,addrBAelems, 16);
-+ } else {
-+ JSSL_throwSSLSocketException(env, "Invalid address in connect!");
-+ goto finish;
-+ }
-+ }
-+
- /*
- * make the connect call
- */
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2007-05-08 18:40:14.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2009-06-24 13:45:59.000000000 -0700
-@@ -243,11 +243,16 @@ public class SSLSocket extends java.net.
- SSLClientCertificateSelectionCallback clientCertSelectionCallback)
- throws IOException
- {
-+
-+ int socketFamily = SocketBase.SSL_AF_INET;
-+ if(SocketBase.supportsIPV6()) {
-+ socketFamily = SocketBase.SSL_AF_INET6;
-+ }
- // create the socket
- sockProxy =
- new SocketProxy(
- base.socketCreate(
-- this, certApprovalCallback, clientCertSelectionCallback) );
-+ this, certApprovalCallback, clientCertSelectionCallback,socketFamily) );
-
- base.setProxy(sockProxy);
-
-@@ -288,7 +293,7 @@ public class SSLSocket extends java.net.
- new SocketProxy(
- base.socketCreate(
- this, certApprovalCallback, clientCertSelectionCallback,
-- s, host ) );
-+ s, host,SocketBase.SSL_AF_INET ) );
-
- base.setProxy(sockProxy);
- resetHandshake();
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2007-03-20 15:39:28.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2009-06-24 13:50:32.000000000 -0700
-@@ -70,16 +70,16 @@ class SocketBase {
- native byte[] socketCreate(Object socketObject,
- SSLCertificateApprovalCallback certApprovalCallback,
- SSLClientCertificateSelectionCallback clientCertSelectionCallback,
-- java.net.Socket javaSock, String host)
-+ java.net.Socket javaSock, String host,int family)
- throws SocketException;
-
- byte[] socketCreate(Object socketObject,
- SSLCertificateApprovalCallback certApprovalCallback,
-- SSLClientCertificateSelectionCallback clientCertSelectionCallback)
-+ SSLClientCertificateSelectionCallback clientCertSelectionCallback,int family)
- throws SocketException
- {
- return socketCreate(socketObject, certApprovalCallback,
-- clientCertSelectionCallback, null, null);
-+ clientCertSelectionCallback, null, null,family);
- }
-
- native void socketBind(byte[] addrBA, int port) throws SocketException;
-@@ -115,6 +115,10 @@ class SocketBase {
- static final int SSL_REQUIRE_FIRST_HANDSHAKE = 20;
- static final int SSL_REQUIRE_NO_ERROR = 21;
-
-+
-+ static final int SSL_AF_INET = 50;
-+ static final int SSL_AF_INET6 = 51;
-+
- void close() throws IOException {
- socketClose();
- }
-@@ -281,13 +285,25 @@ class SocketBase {
- return in;
- }
-
-+ private native byte[] getLocalAddressByteArrayNative() throws SocketException;
-+ private native byte[] getPeerAddressByteArrayNative() throws SocketException;
- /**
- * @return the InetAddress of the peer end of the
socket. - */ - InetAddress getInetAddress() - { - try { -- return convertIntToInetAddress( getPeerAddressNative() ); -+ byte[] address = getPeerAddressByteArrayNative(); -+ -+ InetAddress iAddr = null; -+ -+ try { -+ -+ iAddr = InetAddress.getByAddress(address); -+ } catch(UnknownHostException e) { -+ } -+ -+ return iAddr; - } catch(SocketException e) { - return null; - } -@@ -299,7 +315,17 @@ class SocketBase { - */ - InetAddress getLocalAddress() { - try { -- return convertIntToInetAddress( getLocalAddressNative() ); -+ byte[] address = getLocalAddressByteArrayNative(); -+ -+ InetAddress lAddr = null; -+ -+ try { -+ -+ lAddr = InetAddress.getByAddress(address); -+ } catch(UnknownHostException e) { -+ } -+ -+ return lAddr; - } catch(SocketException e) { - return null; - } -@@ -378,4 +404,45 @@ class SocketBase { - return topException; - } - } -+ -+ static private int supportsIPV6 = -1; -+ static boolean supportsIPV6() { -+ -+ if(supportsIPV6 >= 0) { -+ if(supportsIPV6 > 0) { -+ return true; -+ } else { -+ return false; -+ } -+ } -+ -+ Enumeration netInter; -+ try { -+ netInter = NetworkInterface.getNetworkInterfaces(); -+ } catch (SocketException e) { -+ -+ return false; -+ } -+ while ( netInter.hasMoreElements() ) -+ { -+ NetworkInterface ni = (NetworkInterface)netInter.nextElement(); -+ Enumeration addrs = ni.getInetAddresses(); -+ while ( addrs.hasMoreElements() ) -+ { -+ Object o = addrs.nextElement(); -+ if ( o.getClass() == InetAddress.class || -+ o.getClass() == Inet4Address.class || -+ o.getClass() == Inet6Address.class ) -+ { -+ InetAddress iaddr = (InetAddress) o; -+ if(o.getClass() == Inet6Address.class) { -+ supportsIPV6 = 1; -+ return true; -+ } -+ } -+ } -+ } -+ supportsIPV6 = 0; -+ return false; -+ } - } -diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/common.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c ---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2007-04-24 11:34:58.000000000 
-0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2009-06-24 14:22:02.000000000 -0700 -@@ -33,7 +33,6 @@ - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ -- - #include - #include - #include -@@ -51,6 +50,9 @@ - #include - #endif - -+#define SSL_AF_INET 50 -+#define SSL_AF_INET6 51 -+ - void - JSSL_throwSSLSocketException(JNIEnv *env, char *message) - { -@@ -142,7 +144,7 @@ finish: - JNIEXPORT jbyteArray JNICALL - Java_org_mozilla_jss_ssl_SocketBase_socketCreate(JNIEnv *env, jobject self, - jobject sockObj, jobject certApprovalCallback, -- jobject clientCertSelectionCallback, jobject javaSock, jstring host) -+ jobject clientCertSelectionCallback, jobject javaSock, jstring host,jint family) - { - jbyteArray sdArray = NULL; - JSSL_SocketData *sockdata = NULL; -@@ -150,10 +152,21 @@ Java_org_mozilla_jss_ssl_SocketBase_sock - PRFileDesc *newFD; - PRFileDesc *tmpFD; - PRFilePrivate *priv = NULL; -+ int socketFamily = 0; -+ -+ if (family != SSL_AF_INET6 && family != SSL_AF_INET) { -+ JSSL_throwSSLSocketException(env, -+ "socketCreate() Invalid family!"); -+ goto finish; -+ } -+ if( family == SSL_AF_INET) -+ socketFamily = PR_AF_INET; -+ else -+ socketFamily = PR_AF_INET6; - - if( javaSock == NULL ) { - /* create a TCP socket */ -- newFD = PR_NewTCPSocket(); -+ newFD = PR_OpenTCPSocket(socketFamily); - if( newFD == NULL ) { - JSSL_throwSSLSocketException(env, - "PR_NewTCPSocket() returned NULL"); -@@ -394,10 +407,10 @@ PRInt32 JSSL_enums[] = { - SSL_REQUIRE_ALWAYS, /* 19 */ /* ssl.h */ - SSL_REQUIRE_FIRST_HANDSHAKE,/* 20 */ /* ssl.h */ - SSL_REQUIRE_NO_ERROR, /* 21 */ /* ssl.h */ -- - 0 - }; - -+ - JNIEXPORT void JNICALL - Java_org_mozilla_jss_ssl_SocketBase_socketBind - (JNIEnv *env, jobject self, jbyteArray addrBA, jint port) -@@ -405,8 +418,13 @@ Java_org_mozilla_jss_ssl_SocketBase_sock - JSSL_SocketData *sock; - PRNetAddr addr; - jbyte *addrBAelems = NULL; -+ int addrBALen = 0; - PRStatus status; - 
-+ jmethodID supportsIPV6ID; -+ jclass socketBaseClass; -+ jboolean supportsIPV6 = 0; -+ - if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) { - /* exception was thrown */ - goto finish; -@@ -415,19 +433,72 @@ Java_org_mozilla_jss_ssl_SocketBase_sock - /* - * setup the PRNetAddr structure - */ -- addr.inet.family = AF_INET; -- addr.inet.port = htons(port); -+ -+ /* -+ * Do we support IPV6? -+ */ -+ -+ socketBaseClass = (*env)->FindClass(env, SOCKET_BASE_NAME); -+ if( socketBaseClass == NULL ) { -+ ASSERT_OUTOFMEM(env); -+ goto finish; -+ } -+ supportsIPV6ID = (*env)->GetStaticMethodID(env, socketBaseClass, -+ SUPPORTS_IPV6_NAME, SUPPORTS_IPV6_SIG); -+ -+ if( supportsIPV6ID == NULL ) { -+ ASSERT_OUTOFMEM(env); -+ goto finish; -+ } -+ -+ supportsIPV6 = (*env)->CallStaticBooleanMethod(env, socketBaseClass, -+ supportsIPV6ID); -+ -+ memset( &addr, 0, sizeof( PRNetAddr )); -+ - if( addrBA != NULL ) { -- PR_ASSERT(sizeof(addr.inet.ip) == 4); -- PR_ASSERT( (*env)->GetArrayLength(env, addrBA) == 4); - addrBAelems = (*env)->GetByteArrayElements(env, addrBA, NULL); -+ addrBALen = (*env)->GetArrayLength(env, addrBA); -+ - if( addrBAelems == NULL ) { - ASSERT_OUTOFMEM(env); - goto finish; - } -- memcpy(&addr.inet.ip, addrBAelems, 4); -+ -+ if(addrBALen != 4 && addrBALen != 16) { -+ JSS_throwMsgPrErr(env, BIND_EXCEPTION, -+ "Invalid address in bind!"); -+ goto finish; -+ } -+ -+ if( addrBALen == 4) { -+ addr.inet.family = PR_AF_INET; -+ addr.inet.port = PR_htons(port); -+ memcpy(&addr.inet.ip, addrBAelems, 4); -+ -+ if(supportsIPV6) { -+ addr.inet.family = PR_AF_INET6; -+ addr.ipv6.port = PR_htons(port); -+ PR_ConvertIPv4AddrToIPv6(addr.inet.ip,&addr.ipv6.ip); -+ } -+ -+ } else { /* Must be 16 and ipv6 */ -+ if(supportsIPV6) { -+ addr.ipv6.family = PR_AF_INET6; -+ addr.ipv6.port = PR_htons(port); -+ memcpy(&addr.ipv6.ip,addrBAelems, 16); -+ } else { -+ JSS_throwMsgPrErr(env, BIND_EXCEPTION, -+ "Invalid address in bind!"); -+ goto finish; -+ } -+ } - } else { -- addr.inet.ip 
= PR_htonl(INADDR_ANY); -+ if(supportsIPV6) { -+ status = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr); -+ } else { -+ status = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET, port, &addr); -+ } - } - - /* do the bind() call */ -@@ -601,6 +672,78 @@ finish: - return status; - } - -+JNIEXPORT jbyteArray JNICALL -+Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressByteArrayNative -+ (JNIEnv *env, jobject self) -+{ -+ jbyteArray byteArray=NULL; -+ PRNetAddr addr; -+ jbyte *address=NULL; -+ int size=4; -+ -+ if( JSSL_getSockAddr(env, self, &addr, PEER_SOCK) != PR_SUCCESS) { -+ goto finish; -+ } -+ -+ if( PR_NetAddrFamily(&addr) == PR_AF_INET6) { -+ size = 16; -+ address = (jbyte *) &addr.ipv6.ip; -+ } else { -+ address = (jbyte *) &addr.inet.ip; -+ } -+ -+ byteArray = (*env)->NewByteArray(env,size); -+ if(byteArray == NULL) { -+ ASSERT_OUTOFMEM(env); -+ goto finish; -+ } -+ (*env)->SetByteArrayRegion(env, byteArray, 0,size ,address); -+ if( (*env)->ExceptionOccurred(env) != NULL) { -+ PR_ASSERT(PR_FALSE); -+ goto finish; -+ } -+ -+finish: -+ return byteArray; -+} -+ -+JNIEXPORT jbyteArray JNICALL -+Java_org_mozilla_jss_ssl_SocketBase_getLocalAddressByteArrayNative -+ (JNIEnv *env, jobject self) -+{ -+ jbyteArray byteArray=NULL; -+ PRNetAddr addr; -+ jbyte *address=NULL; -+ int size=4; -+ -+ if( JSSL_getSockAddr(env, self, &addr, LOCAL_SOCK) != PR_SUCCESS) { -+ goto finish; -+ } -+ -+ if( PR_NetAddrFamily(&addr) == PR_AF_INET6) { -+ size = 16; -+ address = (jbyte *) &addr.ipv6.ip; -+ } else { -+ address = (jbyte *) &addr.inet.ip; -+ } -+ -+ byteArray = (*env)->NewByteArray(env,size); -+ if(byteArray == NULL) { -+ ASSERT_OUTOFMEM(env); -+ goto finish; -+ } -+ (*env)->SetByteArrayRegion(env, byteArray, 0,size,address); -+ if( (*env)->ExceptionOccurred(env) != NULL) { -+ PR_ASSERT(PR_FALSE); -+ goto finish; -+ } -+ -+finish: -+ return byteArray; -+} -+ -+/* Leave the original versions of these functions for compatibility */ -+ - JNIEXPORT jint JNICALL - 
Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressNative - (JNIEnv *env, jobject self) -diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c ---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2007-04-24 11:34:58.000000000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2009-06-24 13:43:13.000000000 -0700 -@@ -290,6 +290,7 @@ getInetAddress(PRFileDesc *fd, PRNetAddr - jobject inetAddress; - jbyteArray addrByteArray; - jint port; -+ int addrBALen = 0; - - if( GET_ENV(fd->secret->javaVM, env) ) goto finish; - -@@ -377,8 +378,9 @@ getInetAddress(PRFileDesc *fd, PRNetAddr - - memset(addr, 0, sizeof(PRNetAddr)); - -- /* we only handle IPV4 */ -- PR_ASSERT( (*env)->GetArrayLength(env, addrByteArray) == 4 ); -+ addrBALen = (*env)->GetArrayLength(env, addrByteArray); -+ -+ PR_ASSERT( (addrBALen == 4) || (addrBALen == 16 ) ); - - /* make sure you release them later */ - addrBytes = (*env)->GetByteArrayElements(env, addrByteArray, NULL); -@@ -388,9 +390,16 @@ getInetAddress(PRFileDesc *fd, PRNetAddr - } - - /* ip field is in network byte order */ -- memcpy( (void*) &addr->inet.ip, addrBytes, 4); -- addr->inet.family = PR_AF_INET; -- addr->inet.port = port; -+ -+ if (addrBALen == 4) { -+ memcpy( (void*) &addr->inet.ip, addrBytes, 4); -+ addr->inet.family = PR_AF_INET; -+ addr->inet.port = port; -+ } else { -+ memcpy( (void*) &addr->ipv6.ip,addrBytes, 16); -+ addr->inet.family = PR_AF_INET6; -+ addr->inet.port = port; -+ } - - (*env)->ReleaseByteArrayElements(env, addrByteArray, addrBytes, - JNI_ABORT); -diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h ---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2006-02-22 17:21:52.000000000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2009-06-19 
17:56:00.000000000 -0700
-@@ -312,6 +312,8 @@ PR_BEGIN_EXTERN_C
- #define SOCKET_BASE_NAME "org/mozilla/jss/ssl/SocketBase"
- #define PROCESS_EXCEPTIONS_NAME "processExceptions"
- #define PROCESS_EXCEPTIONS_SIG "(Ljava/lang/Throwable;Ljava/lang/Throwable;)Ljava/lang/Throwable;"
-+#define SUPPORTS_IPV6_NAME "supportsIPV6"
-+#define SUPPORTS_IPV6_SIG "()Z"
- 
- /*
- * SSLCertificateApprovalCallback
diff --git a/jss-javadocs-param.patch b/jss-javadocs-param.patch
deleted file mode 100644
index 5cf92e3..0000000
--- a/jss-javadocs-param.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java.orig 2008-01-18 16:39:46.000000000 -0500
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2009-06-05 11:08:54.000000000 -0400
-@@ -116,7 +116,9 @@
- }
- /**
- *
-- * @param
-+ * @param key
-+ * @param kg
-+ * @return
- */
- public javax.crypto.SecretKey genSecretKey(String keyType, String provider){
- javax.crypto.SecretKey key = null;
diff --git a/jss-key_pair_usage_with_op_flags.patch b/jss-key_pair_usage_with_op_flags.patch
deleted file mode 100644
index a7ca9df..0000000
--- a/jss-key_pair_usage_with_op_flags.patch
+++ /dev/null
@@ -1,544 +0,0 @@ -diff -rupN jss-4.2.5/mozilla/security/jss/lib/jss.def jss-4.2.6/mozilla/security/jss/lib/jss.def ---- jss-4.2.5/mozilla/security/jss/lib/jss.def 2007-05-08 18:40:14.000000000 -0700 -+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-05-30 01:57:48.000000000 -0700 -@@ -316,3 +316,12 @@ Java_org_mozilla_jss_ssl_SSLSocket_isFip - ;+ local: - ;+ *; - ;+}; -+;+JSS_4.2.6 { # JSS 4.2.6 release -+;+ global: -+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags; -+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags; -+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags; -+;+ local: -+;+ *; -+;+}; -+ -diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java ---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2005-11-14 14:15:06.000000000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2009-05-22 07:40:14.000000000 -0700 -@@ -81,7 +81,6 @@ public class KeyPairGenerator { - genKeyPair() throws TokenException { - return engine.generateKeyPair(); - } -- - /** - * @return The type of key that this generator generates. 
- */ -@@ -192,6 +191,15 @@ public class KeyPairGenerator { - engine.extractablePairs(extractable); - } - -+ public void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages, -+ KeyPairGeneratorSpi.Usage[] usages_mask) { -+ engine.setKeyPairUsages(usages,usages_mask); -+ } -+ -+ -+ -+ -+ - protected KeyPairAlgorithm algorithm; - protected KeyPairGeneratorSpi engine; - } -diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java ---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2005-11-14 14:15:06.000000000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2009-05-30 03:24:31.000000000 -0700 -@@ -60,4 +60,38 @@ public abstract class KeyPairGeneratorSp - public abstract void extractablePairs(boolean extractable); - - public abstract boolean keygenOnInternalToken(); -+ -+ /** -+ * In PKCS #11, each keypair can be marked with the operations it will -+ * be used to perform. Some tokens require that a key be marked for -+ * an operation before the key can be used to perform that operation; -+ * other tokens don't care. NSS provides a way to specify a set of -+ * flags and a corresponding mask for these flags. If a specific usage -+ * is desired set the value for that usage. If it is not set, let NSS -+ * behave in it's default fashion. If a behavior is desired, also set -+ * that behavior in the mask as well as the flags. 
-+ * -+ */ -+ public final static class Usage { -+ private Usage() { } -+ private Usage(int val) { this.val = val;} -+ private int val; -+ -+ public int getVal() { return val; } -+ -+ // these enums must match the -+ // and the opFlagForUsage list in PK11KeyPairGenerator.java -+ public static final Usage ENCRYPT = new Usage(0); -+ public static final Usage DECRYPT = new Usage(1); -+ public static final Usage SIGN = new Usage(2); -+ public static final Usage SIGN_RECOVER = new Usage(3); -+ public static final Usage VERIFY = new Usage(4); -+ public static final Usage VERIFY_RECOVER = new Usage(5); -+ public static final Usage WRAP = new Usage(6); -+ public static final Usage UNWRAP = new Usage(7); -+ public static final Usage DERIVE = new Usage(8); -+ } -+ -+ public abstract void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages, -+ KeyPairGeneratorSpi.Usage[] usages_mask); - } -diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c ---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2006-02-22 17:21:42.000000000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2009-06-02 10:36:46.819581000 -0700 -@@ -120,13 +120,11 @@ finish: - - int PK11_NumberObjectsFor(PK11SlotInfo*, CK_ATTRIBUTE*, int); - --/* -- * make a common key gen function for both this file and PK11Token.c -- */ - SECStatus --JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism, -+JSS_PK11_generateKeyPairWithOpFlags(JNIEnv *env, CK_MECHANISM_TYPE mechanism, - PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk, -- void *params, PRBool temporary, jint sensitive, jint extractable) -+ void *params, PRBool temporary, jint sensitive, jint extractable, -+ jint op_flags, jint op_flags_mask) - { - PK11AttrFlags attrFlags = 0; - *privk=NULL; -@@ -173,12 +171,16 @@ JSS_PK11_generateKeyPair(JNIEnv *env, CK - 
} else { - attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC); - } -- *privk = PK11_GenerateKeyPairWithFlags(slot, -+ -+ *privk = PK11_GenerateKeyPairWithOpFlags(slot, - mechanism, - params, - pubk, - attrFlags, -+ (CK_FLAGS) op_flags, -+ (CK_FLAGS) op_flags_mask/* the ones we don't want*/, - NULL /* default PW callback */ ); -+ - if( *privk == NULL ) { - int errLength; - char *errBuf; -@@ -217,13 +219,28 @@ finish: - return SECFailure; - } - -+/* -+ * make a common key gen function for both this file and PK11Token.c -+ */ -+SECStatus -+JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism, -+ PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk, -+ void *params, PRBool temporary, jint sensitive, jint extractable) -+{ -+ -+ return JSS_PK11_generateKeyPairWithOpFlags(env, mechanism, slot, pubk, privk, params, temporary, sensitive, extractable, 0, 0); -+} -+ -+ - /********************************************************************** -- * Local generic helper -+ * Local generic helpers - */ -+ - static jobject --PK11KeyPairGenerator(JNIEnv *env, jobject this, jobject token, -+PK11KeyPairGeneratorWithOpFlags(JNIEnv *env, jobject this, jobject token, - CK_MECHANISM_TYPE mechanism, void *params, -- jboolean temporary, jint sensitive, jint extractable) -+ jboolean temporary, jint sensitive, jint extractable, -+ jint op_flags, jint op_flags_mask) - { - PK11SlotInfo* slot; - SECKEYPrivateKey *privk=NULL; -@@ -242,8 +259,8 @@ PK11KeyPairGenerator(JNIEnv *env, jobjec - } - PR_ASSERT(slot != NULL); - -- rv = JSS_PK11_generateKeyPair(env, mechanism, slot, &pubk, &privk, -- params, temporary, sensitive, extractable); -+ rv = JSS_PK11_generateKeyPairWithOpFlags(env, mechanism, slot, &pubk, &privk, -+ params, temporary, sensitive, extractable, op_flags, op_flags_mask); - if (rv != SECSuccess) { - goto finish; - } -@@ -267,6 +284,16 @@ finish: - return keyPair; - } - -+static jobject -+PK11KeyPairGenerator(JNIEnv *env, jobject this, jobject token, 
-+ CK_MECHANISM_TYPE mechanism, void *params, -+ jboolean temporary, jint sensitive, jint extractable) -+{ -+ return PK11KeyPairGeneratorWithOpFlags(env, this, token, mechanism, params, temporary, sensitive, extractable, 0, 0); -+} -+ -+ -+ - /********************************************************************** - * PK11KeyPairGenerator.generateRSAKeyPair - */ -@@ -289,6 +316,30 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG - ¶ms, temporary, sensitive, extractable); - } - -+/********************************************************************** -+ * PK11KeyPairGenerator.generateRSAKeyPairWithOpFlags -+ */ -+JNIEXPORT jobject JNICALL -+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags -+ (JNIEnv *env, jobject this, jobject token, jint keySize, jlong publicExponent, -+ jboolean temporary, jint sensitive, jint extractable, -+ jint op_flags, jint op_flags_mask) -+{ -+ PK11RSAGenParams params; -+ -+ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL); -+ -+ /************************************************** -+ * setup parameters -+ *************************************************/ -+ params.keySizeInBits = keySize; -+ params.pe = publicExponent; -+ -+ return PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_RSA_PKCS_KEY_PAIR_GEN, -+ ¶ms, temporary, sensitive, extractable, op_flags, op_flags_mask); -+} -+ -+ - #define ZERO_SECITEM(item) {(item).len=0; (item).data=NULL;} - - /********************************************************************** -@@ -339,6 +390,57 @@ finish: - return keyPair; - } - -+/********************************************************************** -+ * -+ * PK11KeyPairGenerator.generateDSAKeyPair -+ * -+ */ -+JNIEXPORT jobject JNICALL -+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags -+ (JNIEnv *env, jobject this, jobject token, jbyteArray P, jbyteArray Q, -+ jbyteArray G, jboolean temporary, jint sensitive, jint extractable, -+ jint op_flags, jint op_flags_mask) -+{ -+ SECItem p, q, g; 
-+ PQGParams *params=NULL; -+ jobject keyPair=NULL; -+ -+ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL && P!=NULL && Q!=NULL -+ && G!=NULL); -+ -+ /* zero these so we can free them indiscriminately later */ -+ ZERO_SECITEM(p); -+ ZERO_SECITEM(q); -+ ZERO_SECITEM(g); -+ -+ /************************************************** -+ * Setup the parameters -+ *************************************************/ -+ if( JSS_ByteArrayToOctetString(env, P, &p) || -+ JSS_ByteArrayToOctetString(env, Q, &q) || -+ JSS_ByteArrayToOctetString(env, G, &g) ) -+ { -+ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL); -+ goto finish; -+ } -+ params = PK11_PQG_NewParams(&p, &q, &g); -+ if(params == NULL) { -+ JSS_throw(env, OUT_OF_MEMORY_ERROR); -+ goto finish; -+ } -+ keyPair = PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_DSA_KEY_PAIR_GEN, -+ params, temporary, sensitive, extractable, -+ op_flags, op_flags_mask); -+ -+finish: -+ SECITEM_FreeItem(&p, PR_FALSE); -+ SECITEM_FreeItem(&q, PR_FALSE); -+ SECITEM_FreeItem(&g, PR_FALSE); -+ PK11_PQG_DestroyParams(params); -+ return keyPair; -+} -+ -+ - void - DumpItem(SECItem *item) - { -@@ -361,6 +463,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG - (JNIEnv *env, jobject this, jobject token, jbyteArray Curve, - jboolean temporary, jint sensitive, jint extractable) - { -+ - SECItem curve; - jobject keyPair=NULL; - -@@ -385,3 +488,39 @@ finish: - SECITEM_FreeItem(&curve, PR_FALSE); - return keyPair; - } -+ -+/********************************************************************** -+ * -+ * PK11KeyPairGenerator.generateECKeyPairWithOpFlags -+ * -+ */ -+JNIEXPORT jobject JNICALL -+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags -+ (JNIEnv *env, jobject this, jobject token, jbyteArray Curve, -+ jboolean temporary, jint sensitive, jint extractable, -+ jint op_flags, jint op_flags_mask) -+{ -+ SECItem curve; -+ jobject keyPair=NULL; -+ -+ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL && Curve!=NULL ); -+ -+ 
/* zero these so we can free them indiscriminately later */ -+ ZERO_SECITEM(curve); -+ -+ /************************************************** -+ * Setup the parameters -+ *************************************************/ -+ if( JSS_ByteArrayToOctetString(env, Curve, &curve)) -+ { -+ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL); -+ goto finish; -+ } -+ keyPair = PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_EC_KEY_PAIR_GEN, -+ &curve, temporary, sensitive, extractable, -+ op_flags, op_flags_mask); -+ -+finish: -+ SECITEM_FreeItem(&curve, PR_FALSE); -+ return keyPair; -+} -diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java ---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2006-02-22 17:21:42.000000000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2009-05-30 05:30:25.000000000 -0700 -@@ -55,6 +55,39 @@ public final class PK11KeyPairGenerator - extends org.mozilla.jss.crypto.KeyPairGeneratorSpi - { - -+ // opFlag constants: each of these flags specifies a crypto operation -+ // the key will support. Their values must match the same-named C -+ // preprocessor macros defined in the PKCS #11 header pkcs11t.h. -+ private static final int CKF_ENCRYPT = 0x00000100; -+ private static final int CKF_DECRYPT = 0x00000200; -+ private static final int CKF_SIGN = 0x00000800; -+ private static final int CKF_SIGN_RECOVER = 0x00001000; -+ private static final int CKF_VERIFY = 0x00002000; -+ private static final int CKF_VERIFY_RECOVER = 0x00004000; -+ private static final int CKF_WRAP = 0x00020000; -+ private static final int CKF_UNWRAP = 0x00040000; -+ private static final int CKF_DERIVE = 0x00080000; -+ -+ // A table for mapping SymmetricKey.Usage to opFlag. This must be -+ // synchronized with SymmetricKey.Usage. 
-+ private static final int opFlagForUsage[] = { -+ CKF_ENCRYPT, /* 0 */ -+ CKF_DECRYPT, /* 1 */ -+ CKF_SIGN, /* 2 */ -+ CKF_SIGN_RECOVER, /* 3 */ -+ CKF_VERIFY, /* 4 */ -+ CKF_VERIFY_RECOVER, /* 5 */ -+ CKF_WRAP, /* 6 */ -+ CKF_UNWRAP, /* 7 */ -+ CKF_DERIVE /* 8 */ -+ }; -+ -+ // The crypto operations the key will support. It is the logical OR -+ // of the opFlag constants, each specifying a supported operation. -+ private int opFlags = 0; -+ private int opFlagsMask = 0; -+ -+ - /////////////////////////////////////////////////////////////////////// - /////////////////////////////////////////////////////////////////////// - // Constructors -@@ -189,41 +222,45 @@ public final class PK11KeyPairGenerator - * Generates a key pair on a token. Uses parameters if they were passed - * in through a call to initialize, otherwise uses defaults. - */ -+ - public KeyPair generateKeyPair() - throws TokenException - { - if(algorithm == KeyPairAlgorithm.RSA) { - if(params != null) { - RSAParameterSpec rsaparams = (RSAParameterSpec)params; -- return generateRSAKeyPair( -+ return generateRSAKeyPairWithOpFlags( - token, - rsaparams.getKeySize(), - rsaparams.getPublicExponent().longValue(), - temporaryPairMode, - sensitivePairMode, -- extractablePairMode); -+ extractablePairMode, -+ opFlags, opFlagsMask); - } else { -- return generateRSAKeyPair( -+ return generateRSAKeyPairWithOpFlags( - token, - DEFAULT_RSA_KEY_SIZE, - DEFAULT_RSA_PUBLIC_EXPONENT.longValue(), - temporaryPairMode, - sensitivePairMode, -- extractablePairMode); -+ extractablePairMode, -+ opFlags, opFlagsMask); - } - } else if(algorithm == KeyPairAlgorithm.DSA ) { - if(params==null) { - params = PQG1024; - } - DSAParameterSpec dsaParams = (DSAParameterSpec)params; -- return generateDSAKeyPair( -+ return generateDSAKeyPairWithOpFlags( - token, - PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getP()), - PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getQ()), - 
PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getG()), - temporaryPairMode, - sensitivePairMode, -- extractablePairMode); -+ extractablePairMode, -+ opFlags, opFlagsMask); - } else { - Assert._assert( algorithm == KeyPairAlgorithm.EC ); - // requires JAVA 1.5 for ECParameters. -@@ -233,12 +270,14 @@ public final class PK11KeyPairGenerator - // ecParams.init(params); - PK11ParameterSpec ecParams = (PK11ParameterSpec) params; - -- return generateECKeyPair( -+ return generateECKeyPairWithOpFlags( - token, - ecParams.getEncoded(), /* curve */ - temporaryPairMode, - sensitivePairMode, -- extractablePairMode); -+ extractablePairMode, -+ opFlags, -+ opFlagsMask); - } - } - -@@ -266,6 +305,17 @@ public final class PK11KeyPairGenerator - throws TokenException; - - /** -+ * Generates an RSA key pair with the given size and public exponent. -+ * Adds the ability to specify a set of flags and masks -+ * to control how NSS generates the key pair. -+ */ -+ private native KeyPair -+ generateRSAKeyPairWithOpFlags(PK11Token token, int keySize, long publicExponent, -+ boolean temporary, int sensitive, int extractable, -+ int op_flags, int op_flags_mask) -+ throws TokenException; -+ -+ /** - * Generates a DSA key pair with the given P, Q, and G values. - * P, Q, and G are stored as big-endian twos-complement octet strings. - */ -@@ -275,6 +325,19 @@ public final class PK11KeyPairGenerator - throws TokenException; - - /** -+ * Generates a DSA key pair with the given P, Q, and G values. -+ * P, Q, and G are stored as big-endian twos-complement octet strings. -+ * Adds the ability to specify a set of flags and masks -+ * to control how NSS generates the key pair. -+ */ -+ private native KeyPair -+ generateDSAKeyPairWithOpFlags(PK11Token token, byte[] P, byte[] Q, byte[] G, -+ boolean temporary, int sensitive, int extractable, -+ int op_flags, int op_flags_mask) -+ throws TokenException; -+ -+ -+ /** - * Generates a EC key pair with the given a curve. 
- * Curves are stored as DER Encoded Parameters. - */ -@@ -282,6 +345,18 @@ public final class PK11KeyPairGenerator - generateECKeyPair(PK11Token token, byte[] Curve, - boolean temporary, int sensitive, int extractable) - throws TokenException; -+ /** -+ * Generates a EC key pair with the given a curve. -+ * Curves are stored as DER Encoded Parameters. -+ * Adds the ability to specify a set of flags and masks -+ * to control how NSS generates the key pair. -+ */ -+ -+ private native KeyPair -+ generateECKeyPairWithOpFlags(PK11Token token, byte[] Curve, -+ boolean temporary, int sensitive, int extractable, -+ int op_flags, int op_flags_mask) -+ throws TokenException; - - /////////////////////////////////////////////////////////////////////// - /////////////////////////////////////////////////////////////////////// -@@ -397,6 +472,38 @@ public final class PK11KeyPairGenerator - extractablePairMode = extractable ? 1 : 0; - } - -+ /** -+ * Sets the requested key usages desired for the -+ * generated key pair. -+ * This allows the caller to suggest how NSS generates the key pair. -+ * @param usages List of desired key usages. -+ * @param usages_mask Corresponding mask for the key usages. -+ * if a usages is desired, make sure it is in the mask as well. 
-+ */ -+ -+ public void setKeyPairUsages(org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usages, -+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usages_mask) { -+ -+ this.opFlags = 0; -+ this.opFlagsMask = 0; -+ -+ if(usages != null) { -+ for( int i = 0; i < usages.length; i++ ) { -+ if( usages[i] != null ) { -+ this.opFlags |= opFlagForUsage[usages[i].getVal()]; -+ } -+ } -+ } -+ -+ if(usages_mask != null) { -+ for( int i = 0; i < usages_mask.length; i++ ) { -+ if( usages_mask[i] != null ) { -+ this.opFlagsMask |= opFlagForUsage[usages_mask[i].getVal()]; -+ } -+ } -+ } -+ } -+ - // - // requires JAVA 1.5 - // -diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h ---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h 2006-02-22 17:21:42.000000000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h 2009-05-29 08:34:24.000000000 -0700 -@@ -157,6 +157,12 @@ JSS_PK11_generateKeyPair(JNIEnv *env, CK - PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privK, - void *params, PRBool temporary, jint senstive, jint extractable); - -+SECStatus -+JSS_PK11_generateKeyPair_withOpFlags(JNIEnv *env, CK_MECHANISM_TYPE mechanism, -+ PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk, -+ void *params, PRBool temporary, jint sensitive, jint extractable, -+ jint op_flags, jint op_flags_mask); -+ - /*===================================================================== - C E R T I F I C A T E S - =====================================================================*/ diff --git a/jss-loadlibrary.patch b/jss-loadlibrary.patch deleted file mode 100644 index a8643a4..0000000 --- a/jss-loadlibrary.patch +++ /dev/null 
@@ -1,29 +0,0 @@
-diff -uN --recursive jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2008-01-31 17:29:16.000000000 -0500
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-01-07 10:47:04.000000000 -0500
-@@ -1334,11 +1334,20 @@
- */
- synchronized static void loadNativeLibraries()
- {
-- if( ! mNativeLibrariesLoaded )
-- {
-- System.loadLibrary("jss4");
-- Debug.trace(Debug.VERBOSE, "jss library loaded");
-- mNativeLibrariesLoaded = true;
-+ if( ! mNativeLibrariesLoaded ) {
-+ try {
-+ System.load( "/usr/lib64/jss/libjss4.so" );
-+ Debug.trace(Debug.VERBOSE, "jss library loaded");
-+ mNativeLibrariesLoaded = true;
-+ } catch( UnsatisfiedLinkError e ) {
-+ try {
-+ System.load( "/usr/lib/jss/libjss4.so" );
-+ Debug.trace(Debug.VERBOSE, "jss library loaded");
-+ mNativeLibrariesLoaded = true;
-+ } catch( UnsatisfiedLinkError f ) {
-+ Debug.trace(Debug.VERBOSE, "jss library load failed");
-+ }
-+ }
- }
- }
- static private boolean mNativeLibrariesLoaded = false;
diff --git a/jss-lunasaUnwrap.patch b/jss-lunasaUnwrap.patch
deleted file mode 100644
index 5021bd6..0000000
--- a/jss-lunasaUnwrap.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2016-04-28 16:50:06.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2016-04-28 16:50:00.000000000 -0700
-@@ -434,7 +434,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- isSensitive = PR_FALSE;
- isExtractable = PR_FALSE;
- } else if ( isLunasa) {
-- isSensitive = PR_FALSE;
-+ isSensitive = PR_TRUE;
- isExtractable = PR_TRUE;
- }
-
diff --git a/jss-ocspSettings.patch b/jss-ocspSettings.patch
deleted file mode 100644
index c9ac226..0000000
--- a/jss-ocspSettings.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.orig jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6/mozilla/security/jss/lib/jss.def.orig 2009-11-04 14:26:26.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-11-04 14:11:05.000000000 -0800
-@@ -329,6 +329,8 @@ Java_org_mozilla_jss_pkcs11_PK11Token_ne
- Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags;
- Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags;
- Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
-+Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
-+Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
- ;+ local:
- ;+ *;
- ;+};
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c.orig 2009-11-04 14:20:43.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2009-11-05 10:48:32.590000000 -0800
-@@ -976,3 +976,45 @@ Java_org_mozilla_jss_CryptoManager_confi
- }
- }
-
-+
-+/**********************************************************************
-+* OCSPCacheSettingsNative
-+*
-+* Allows configuration of the OCSP responder cache during runtime.
-+*/
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative(
-+ JNIEnv *env, jobject this,
-+ jint ocsp_cache_size,
-+ jint ocsp_min_cache_entry_duration,
-+ jint ocsp_max_cache_entry_duration)
-+{
-+ SECStatus rv = SECFailure;
-+
-+ rv = CERT_OCSPCacheSettings(
-+ ocsp_cache_size, ocsp_min_cache_entry_duration,
-+ ocsp_max_cache_entry_duration);
-+
-+ if (rv != SECSuccess) {
-+ JSS_throwMsgPrErr(env,
-+ GENERAL_SECURITY_EXCEPTION,
-+ "Failed to set OCSP cache: error "+ PORT_GetError());
-+ }
-+}
-+
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative(
-+ JNIEnv *env, jobject this,
-+ jint ocsp_timeout )
-+{
-+ SECStatus rv = SECFailure;
-+
-+ rv = CERT_SetOCSPTimeout(ocsp_timeout);
-+
-+ if (rv != SECSuccess) {
-+ JSS_throwMsgPrErr(env,
-+ GENERAL_SECURITY_EXCEPTION,
-+ "Failed to set OCSP timeout: error "+ PORT_GetError());
-+ }
-+}
-+
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.orig 2009-11-04 14:20:33.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2009-11-05 10:48:59.415001000 -0800
-@@ -1479,4 +1479,41 @@ public final class CryptoManager impleme
- String ocspResponderCertNickname )
- throws GeneralSecurityException;
-
-+ /**
-+ * change OCSP cache settings
-+ * * @param ocsp_cache_size max cache entries
-+ * * @param ocsp_min_cache_entry_duration minimum seconds to next fetch attempt
-+ * * @param ocsp_max_cache_entry_duration maximum seconds to next fetch attempt
-+ */
-+ public void OCSPCacheSettings(
-+ int ocsp_cache_size,
-+ int ocsp_min_cache_entry_duration,
-+ int ocsp_max_cache_entry_duration)
-+ throws GeneralSecurityException
-+ {
-+ OCSPCacheSettingsNative(ocsp_cache_size,
-+ ocsp_min_cache_entry_duration,
-+ ocsp_max_cache_entry_duration);
-+ }
-+
-+ private native void
OCSPCacheSettingsNative(
-+ int ocsp_cache_size,
-+ int ocsp_min_cache_entry_duration,
-+ int ocsp_max_cache_entry_duration)
-+ throws GeneralSecurityException;
-+
-+ /**
-+ * set OCSP timeout value
-+ * * @param ocspTimeout OCSP timeout in seconds
-+ */
-+ public void setOCSPTimeout(
-+ int ocsp_timeout )
-+ throws GeneralSecurityException
-+ {
-+ setOCSPTimeoutNative( ocsp_timeout);
-+ }
-+
-+ private native void setOCSPTimeoutNative(
-+ int ocsp_timeout )
-+ throws GeneralSecurityException;
- }
diff --git a/jss-support-TLS1_1-TLS1_2.patch b/jss-support-TLS1_1-TLS1_2.patch
deleted file mode 100644
index 7fd2207..0000000
--- a/jss-support-TLS1_1-TLS1_2.patch
+++ /dev/null
@@ -1,345 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuSaved jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuSaved 2014-09-29 14:12:27.560206348 -0700
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2014-09-29 14:12:34.376194464 -0700
-@@ -334,6 +334,8 @@ Java_org_mozilla_jss_CryptoManager_setOC
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
- Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid;
-+Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange;
-+Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault;
- ;+ local:
- ;+ *;
- ;+};
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfuSaved 2014-09-29 14:12:27.565206339 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2014-09-29 14:13:33.222091053 -0700
-@@ -56,6 +56,105 @@
- #endif
-
-
-+/*
-+ * support TLS v1.1 and v1.2
-+ * sets default SSL version range for sockets created after this call
-+ */
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault(JNIEnv *env,
-+ jclass clazz, jint ssl_variant, jint min, jint max)
-+{
-+ SECStatus status;
-+ SSLVersionRange vrange;
-+
-+ if (ssl_variant <0 || ssl_variant >= JSSL_enums_size||
-+ min <0 || min >= JSSL_enums_size ||
-+ max <0 || max >= JSSL_enums_size) {
-+ char buf[128];
-+ PR_snprintf(buf, 128, "JSS setSSLVersionRangeDefault(): for variant=%d min=%d max=%d failed - out of range for array JSSL_enums size: %d", JSSL_enums[ssl_variant], min, max, JSSL_enums_size);
-+ JSSL_throwSSLSocketException(env, buf);
-+ goto finish;
-+ }
-+
-+ vrange.min = JSSL_enums[min];
-+ vrange.max = JSSL_enums[max];
-+
-+ /* get supported range */
-+ SSLVersionRange supported_range;
-+ status =
SSL_VersionRangeGetSupported(JSSL_enums[ssl_variant],
-+ &supported_range);
-+ if( status != SECSuccess ) {
-+ char buf[128];
-+ PR_snprintf(buf, 128, "SSL_VersionRangeGetSupported() for variant=%d failed: %d", JSSL_enums[ssl_variant], PR_GetError());
-+ JSSL_throwSSLSocketException(env, buf);
-+ goto finish;
-+ }
-+ /* now check the min and max */
-+ if (vrange.min < supported_range.min ||
-+ vrange.max > supported_range.max) {
-+ char buf[128];
-+ PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d out of range (%d:%d): %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, supported_range.min, supported_range.max, PR_GetError());
-+ JSSL_throwSSLSocketException(env, buf);
-+ goto finish;
-+ }
-+
-+ /* set the default SSL Version Range */
-+ status = SSL_VersionRangeSetDefault(JSSL_enums[ssl_variant],
-+ &vrange);
-+ if( status != SECSuccess ) {
-+ char buf[128];
-+ PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d failed: %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, PR_GetError());
-+ JSSL_throwSSLSocketException(env, buf);
-+ goto finish;
-+ }
-+
-+finish:
-+ return;
-+}
-+
-+/*
-+ * support TLS v1.1 and v1.2
-+ * sets SSL version range for this socket
-+ */
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange
-+ (JNIEnv *env, jobject self, jint min, jint max)
-+{
-+ SECStatus status;
-+ JSSL_SocketData *sock = NULL;
-+ SSLVersionRange vrange;
-+
-+ if ( min <0 || min >= JSSL_enums_size ||
-+ max <0 || max >= JSSL_enums_size) {
-+ char buf[128];
-+ PR_snprintf(buf, 128, "JSS setSSLVersionRange(): for max=%d failed - out of range for array JSSL_enums size: %d", min, max, JSSL_enums_size);
-+ JSSL_throwSSLSocketException(env, buf);
-+ goto finish;
-+ }
-+
-+ /* get my fd */
-+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
-+ goto finish;
-+ }
-+
-+ vrange.min = JSSL_enums[min];
-+ vrange.max = JSSL_enums[max];
-+
-+ /*
-+ * set the SSL Version
Range
-+ * The validity of the range will be checked by this NSS call
-+ */
-+ status = SSL_VersionRangeSet(sock->fd, &vrange);
-+ if( status != SECSuccess ) {
-+ JSSL_throwSSLSocketException(env, "SSL_VersionRangeSet failed");
-+ goto finish;
-+ }
-+
-+finish:
-+ EXCEPTION_CHECK(env, sock)
-+ return;
-+}
-+
- JNIEXPORT void JNICALL
- Java_org_mozilla_jss_ssl_SSLSocket_setSSLDefaultOption(JNIEnv *env,
- jclass clazz, jint joption, jint on)
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java.cfuSaved 2014-09-29 14:12:27.566206338 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2014-09-29 14:12:34.377194462 -0700
-@@ -36,6 +36,7 @@
-
- package org.mozilla.jss.ssl;
-
-+import java.lang.IllegalArgumentException;
- import java.net.*;
- import java.net.SocketException;
- import java.net.SocketTimeoutException;
-@@ -948,6 +949,63 @@ public class SSLSocket extends java.net.
- setSSLDefaultOption(SocketBase.SSL_NO_CACHE, !b);
- }
-
-+ /*
-+ * _min_enum and _max_enum should be one of the following:
-+ * SocketBase.SSL_LIBRARY_VERSION_3_0
-+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_0
-+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_1
-+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_2
-+ */
-+ public static class SSLVersionRange {
-+ private int _min_enum;
-+ private int _max_enum;
-+ public static final int ssl3 = SocketBase.SSL_LIBRARY_VERSION_3_0;
-+ public static final int tls1_0 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_0;
-+ public static final int tls1_1 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_1;
-+ public static final int tls1_2 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_2;
-+ public SSLVersionRange(int min_enum, int max_enum)
-+ throws IllegalArgumentException {
-+ if ((min_enum >= SocketBase.SSL_LIBRARY_VERSION_3_0) &&
-+ (max_enum <= SocketBase.SSL_LIBRARY_VERSION_TLS_1_2) &&
-+ (min_enum <= max_enum)) {
-+ _min_enum = min_enum;
-+ _max_enum = max_enum;
-+ } else {
-+ throw new IllegalArgumentException("JSS SSLSocket SSLVersionRange: arguments out of range");
-+ }
-+ }
-+
-+ int getMinEnum() { return _min_enum; }
-+ int getMaxEnum() { return _max_enum; }
-+
-+ }
-+
-+ public static class SSLProtocolVariant {
-+ private int _enum;
-+ private SSLProtocolVariant(int val) { _enum = val; }
-+
-+ int getEnum() { return _enum; }
-+
-+ public static final SSLProtocolVariant STREAM =
-+ new SSLProtocolVariant(SocketBase.SSL_Variant_Stream);
-+ public static final SSLProtocolVariant DATA_GRAM =
-+ new SSLProtocolVariant(SocketBase.SSL_Variant_Datagram);
-+
-+ }
-+
-+ public static void setSSLVersionRangeDefault(SSLProtocolVariant ssl_variant, SSLVersionRange range)
-+ throws SocketException
-+ {
-+ if (range == null)
-+ throw new SocketException("setSSLVersionRangeDefault: range null");
-+ setSSLVersionRangeDefault(ssl_variant.getEnum(), range.getMinEnum(), range.getMaxEnum());
-+ }
-+
-+ /**
-+ * Sets SSL Version Range Default
-+ */
-+ private static native
void setSSLVersionRangeDefault(int ssl_variant, int min, int max)
-+ throws SocketException;
-
- private static void setSSLDefaultOption(int option, boolean on)
- throws SocketException
-@@ -1221,6 +1279,8 @@ public class SSLSocket extends java.net.
- public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063;
- public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065;
- public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066;
-+ public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067;
-+ public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B;
-
- // New TLS cipher suites in NSS 3.4
- public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F;
-@@ -1236,6 +1296,10 @@ public class SSLSocket extends java.net.
- public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038;
- public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039;
- public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A;
-+ public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003B;
-+ public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C;
-+ public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D;
-+
-
- public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041;
- public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042;
-@@ -1251,6 +1315,12 @@ public class SSLSocket extends java.net.
- public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088;
- public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089;
-
-+ public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096;
-+
-+ public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C;
-+ public final static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E;
-+ public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2;
-+
- public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001;
- public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002;
- public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003;
-@@ -1281,5 +1351,13 @@ public class SSLSocket extends java.net.
- public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018;
- public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019;
-
-+ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023;
-+ public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027;
-+
-+ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02B;
-+ public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D;
-+ public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02F;
-+ public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031;
-+
- }
-
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java.cfuSaved 2014-09-29 14:12:27.564206341 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2014-09-29 14:12:34.378194460 -0700
-@@ -114,6 +114,15 @@ class SocketBase {
- static final int SSL_REQUIRE_ALWAYS = 19;
- static final int SSL_REQUIRE_FIRST_HANDSHAKE = 20;
- static final int SSL_REQUIRE_NO_ERROR = 21;
-+ /* ssl/sslproto.h for supporting SSLVersionRange */
-+ static final int SSL_LIBRARY_VERSION_2 = 22;
-+ static final int
SSL_LIBRARY_VERSION_3_0 = 23;
-+ static final int SSL_LIBRARY_VERSION_TLS_1_0 = 24;
-+ static final int SSL_LIBRARY_VERSION_TLS_1_1 = 25;
-+ static final int SSL_LIBRARY_VERSION_TLS_1_2 = 26;
-+ /* ssl/sslt.h */
-+ static final int SSL_Variant_Stream = 27;
-+ static final int SSL_Variant_Datagram = 28;
-
-
- static final int SSL_AF_INET = 50;
-@@ -190,6 +199,18 @@ class SocketBase {
- native void setSSLOption(int option, int on)
- throws SocketException;
-
-+ void setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range)
-+ throws SocketException
-+ {
-+ setSSLVersionRange(range.getMinEnum(), range.getMaxEnum());
-+ }
-+
-+ /**
-+ * Sets SSL Version Range for this socket to support TLS v1.1 and v1.2
-+ */
-+ native void setSSLVersionRange(int min, int max)
-+ throws SocketException;
-+
- /**
- * Sets the SSL option setting mode value use for options
- * that have more values than just enable/diasable.
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c.cfuSaved 2014-09-29 14:12:27.562206345 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2014-09-29 14:12:34.378194460 -0700
-@@ -38,6 +38,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -407,8 +408,16 @@ PRInt32 JSSL_enums[] = {
- SSL_REQUIRE_ALWAYS, /* 19 */ /* ssl.h */
- SSL_REQUIRE_FIRST_HANDSHAKE,/* 20 */ /* ssl.h */
- SSL_REQUIRE_NO_ERROR, /* 21 */ /* ssl.h */
-+ SSL_LIBRARY_VERSION_2, /* 22 */ /* sslproto.h */
-+ SSL_LIBRARY_VERSION_3_0, /* 23 */ /* sslproto.h */
-+ SSL_LIBRARY_VERSION_TLS_1_0, /* 24 */ /* sslproto.h */
-+ SSL_LIBRARY_VERSION_TLS_1_1, /* 25 */ /* sslproto.h */
-+ SSL_LIBRARY_VERSION_TLS_1_2, /* 26 */ /* sslproto.h */
-+ ssl_variant_stream, /* 27 */ /* sslt.h */
-+ ssl_variant_datagram, /* 28 */ /* sslt.h */
- 0
- };
-+
-
-
- JNIEXPORT void JNICALL
-diff -up
jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h.cfuSaved 2014-09-29 14:12:27.563206343 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h 2014-09-29 14:13:59.605044228 -0700
-@@ -111,6 +111,7 @@ JSSL_DestroySocketData(JNIEnv *env, JSSL
-
-
- extern PRInt32 JSSL_enums[];
-+#define JSSL_enums_size 29
-
- JSSL_SocketData*
- JSSL_CreateSocketData(JNIEnv *env, jobject sockObj, PRFileDesc* newFD,
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java.cfuSaved 2014-09-29 14:12:27.567206336 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java 2014-09-29 14:12:34.379194458 -0700
-@@ -149,6 +149,21 @@ public interface Constants {
- /*52*/ new cipher(SSLSocket.SSL2_DES_64_CBC_WITH_MD5, "SSL2_DES_64_CBC_WITH_MD5"),
- /*53*/ new cipher(SSLSocket.SSL2_RC4_128_EXPORT40_WITH_MD5, "SSL2_RC4_128_EXPORT40_WITH_MD5"),
- /*54*/ new cipher(SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"),
-+/*55*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"),
-+/*56*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"),
-+/*57*/ new cipher(SSLSocket.TLS_RSA_WITH_NULL_SHA256, "TLS_RSA_WITH_NULL_SHA256"),
-+/*58*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256"),
-+/*59*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256"),
-+/*60*/ new cipher(SSLSocket.TLS_RSA_WITH_SEED_CBC_SHA, "TLS_RSA_WITH_SEED_CBC_SHA"),
-+/*61*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256"),
-+/*62*/ new
cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"),
-+/*63*/ new cipher(SSLSocket.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"),
-+/*64*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"),
-+/*65*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
-+/*66*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
-+/*67*/ new cipher(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"),
-+/*68*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
-+/*69*/ new cipher(SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256")
- };
-
- /** Cipher supported by JSSE (JDK 1.5.x) */
diff --git a/jss-symkey-enhancements.patch b/jss-symkey-enhancements.patch
deleted file mode 100644
index 248ba76..0000000
--- a/jss-symkey-enhancements.patch
+++ /dev/null
@@ -1,1855 +0,0 @@
-diff -up ./mozilla/security/jss/build_java.pl.jmagne ./mozilla/security/jss/build_java.pl
---- ./mozilla/security/jss/build_java.pl.jmagne 2016-04-14 13:56:16.946920239 -0700
-+++ ./mozilla/security/jss/build_java.pl 2016-04-14 14:53:08.501298062 -0700
-@@ -31,7 +31,8 @@ org.mozilla.jss.pkcs11.PK11MessageDigest
- org.mozilla.jss.pkcs11.PK11PrivKey
- org.mozilla.jss.pkcs11.PK11PubKey
- org.mozilla.jss.pkcs11.PK11SymKey
--org.mozilla.jss.pkcs11.PK11KeyPairGenerator
-+org.mozilla.jss.pkcs11.PK11KeyPairGenerator
-+org.mozilla.jss.pkcs11.PK11SymmetricKeyDeriver
- org.mozilla.jss.pkcs11.PK11KeyGenerator
- org.mozilla.jss.pkcs11.PK11Token
- org.mozilla.jss.pkcs11.PrivateKeyProxy
-diff -up ./mozilla/security/jss/lib/jss.def.jmagne ./mozilla/security/jss/lib/jss.def
---- ./mozilla/security/jss/lib/jss.def.jmagne 2016-04-14 16:00:06.229534228 -0700
-+++ ./mozilla/security/jss/lib/jss.def 2016-04-14 16:00:32.229356314 -0700
-@@ -158,6 +158,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de
- Java_org_mozilla_jss_pkcs11_PK11Store_importPrivateKey;
- Java_org_mozilla_jss_pkcs11_PK11Store_putCertsInVector;
- Java_org_mozilla_jss_pkcs11_PK11Store_putKeysInVector;
-+Java_org_mozilla_jss_pkcs11_PK11Store_putSymKeysInVector;
- Java_org_mozilla_jss_pkcs11_SigContextProxy_releaseNativeResources;
- Java_org_mozilla_jss_pkcs11_PK11RSAPublicKey_getModulusByteArray;
- Java_org_mozilla_jss_pkcs11_PK11RSAPublicKey_getPublicExponentByteArray;
-@@ -336,6 +337,8 @@ Java_org_mozilla_jss_CryptoManager_verif
- Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid;
- Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange;
- Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault;
-+Java_org_mozilla_jss_pkcs11_PK11SymmetricKeyDeriver_nativeDeriveSymKey;
-+Java_org_mozilla_jss_pkcs11_PK11SymKey_setNickNameNative;
- ;+ local:
- ;+ *;
- ;+};
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
----
./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.jmagne 2016-04-14 16:02:38.108494940 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2016-04-14 16:02:47.243432431 -0700
-@@ -114,6 +114,11 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
- /* 51 */ {SEC_OID_PKCS5_PBKDF2, SEC_OID_TAG},
- /* 52 */ {SEC_OID_PKCS5_PBES2, SEC_OID_TAG},
- /* 53 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG},
-+/* 54 */ {SEC_OID_HMAC_SHA1,SEC_OID_TAG},
-+/* 55 */ {SEC_OID_HMAC_SHA224,SEC_OID_TAG},
-+/* 56 */ {SEC_OID_HMAC_SHA256,SEC_OID_TAG},
-+/* 57 */ {SEC_OID_HMAC_SHA384,SEC_OID_TAG},
-+/* 58 */ {SEC_OID_HMAC_SHA512,SEC_OID_TAG}
- /* REMEMBER TO UPDATE NUM_ALGS!!! */
- };
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.jmagne 2016-04-14 11:30:41.871517926 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2016-04-14 11:30:54.933436860 -0700
-@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
- JSS_AlgType type;
- } JSS_AlgInfo;
-
--#define NUM_ALGS 54
-+#define NUM_ALGS 59
-
- extern JSS_AlgInfo JSS_AlgTable[];
- extern CK_ULONG JSS_symkeyUsage[];
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.jmagne 2016-04-14 16:06:13.388021812 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2016-04-14 16:06:27.537924813 -0700
-@@ -237,5 +237,9 @@ public class Algorithm {
- protected static final short SEC_OID_PKCS5_PBKDF2=51;
- protected static final short SEC_OID_PKCS5_PBES2=52;
- protected static final short SEC_OID_PKCS5_PBMAC1=53;
--
-+ protected static final short SEC_OID_HMAC_SHA1=54;
-+ protected static final short SEC_OID_HMAC_SHA224=55;
-+ protected static final short SEC_OID_HMAC_SHA256=56;
-+ protected static final short
SEC_OID_HMAC_SHA384=57;
-+ protected static final short SEC_OID_HMAC_SHA512=58;
- }
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoStore.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoStore.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoStore.java.jmagne 2016-04-14 17:03:33.504298176 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoStore.java 2016-04-14 17:03:42.198238112 -0700
-@@ -75,6 +75,18 @@ public interface CryptoStore {
- getPrivateKeys() throws TokenException;
-
- /**
-+ * Returns all symmetric keys stored on this token.
-+ *
-+ * @return An array of all symmetric keys stored on this token.
-+ * @exception TokenException If an error occurs on the token while
-+ * gathering the keys.
-+ */
-+ public SymmetricKey[]
-+ getSymmetricKeys() throws TokenException;
-+
-+
-+
-+ /**
- * Deletes the given PrivateKey from the CryptoToken.
- * This is a very dangerous call: it deletes the key from the underlying
- * token. After calling this, the PrivateKey passed in must no longer
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java.jmagne 2016-04-14 16:07:39.458429756 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2016-04-14 16:07:52.266341595 -0700
-@@ -92,6 +92,9 @@ public interface CryptoToken {
- getCipherContext(EncryptionAlgorithm algorithm)
- throws java.security.NoSuchAlgorithmException, TokenException;
-
-+ public abstract SymmetricKeyDeriver getSymmetricKeyDeriver()
-+ throws TokenException;
-+
- public abstract KeyWrapper
- getKeyWrapper(KeyWrapAlgorithm algorithm)
- throws java.security.NoSuchAlgorithmException, TokenException;
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java
----
./mozilla/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java.jmagne 2016-04-14 16:09:02.858855679 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java 2016-04-14 16:09:18.048751121 -0700
-@@ -85,4 +85,21 @@ public class HMACAlgorithm extends Diges
- public static final HMACAlgorithm SHA1 = new HMACAlgorithm
- (CKM_SHA_1_HMAC, "SHA-1-HMAC",
- OBJECT_IDENTIFIER.ALGORITHM.subBranch(26), 20);
-+
-+ public static final HMACAlgorithm SHA224 = new HMACAlgorithm
-+ (SEC_OID_HMAC_SHA224, "SHA-224-HMAC",
-+ OBJECT_IDENTIFIER.RSADSI.subBranch(8), 28);
-+
-+ public static final HMACAlgorithm SHA256 = new HMACAlgorithm
-+ (SEC_OID_HMAC_SHA256, "SHA-256-HMAC",
-+ OBJECT_IDENTIFIER.RSADSI.subBranch(9), 32);
-+
-+ public static final HMACAlgorithm SHA384 = new HMACAlgorithm
-+ (SEC_OID_HMAC_SHA384, "SHA-384-HMAC",
-+ OBJECT_IDENTIFIER.RSADSI.subBranch(10), 48);
-+
-+ public static final HMACAlgorithm SHA512 = new HMACAlgorithm
-+ (SEC_OID_HMAC_SHA512, "SHA-512-HMAC",
-+ OBJECT_IDENTIFIER.RSADSI.subBranch(11), 64);
-+
- }
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java.jmagne 2016-04-14 16:10:43.930159965 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2016-04-14 16:10:55.377081172 -0700
-@@ -133,4 +133,21 @@ public interface KeyWrapper {
- throws TokenException, IllegalStateException,
- InvalidAlgorithmParameterException;
-
-+ public SymmetricKey unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
-+ SymmetricKey.Usage usage, int keyLength)
-+ throws TokenException, IllegalStateException,
-+ InvalidAlgorithmParameterException;
-+
-+ /**
-+ * Unwraps a key and allows it to be used for all operations.
-+ * @param keyLength The expected length of the key in bytes. This is
-+ * only used for variable-length keys (RC4) and non-padding
-+ * algorithms.
Otherwise, it can be set to anything(like 0).
-+ */
-+ public SymmetricKey unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
-+ int keyLength)
-+ throws TokenException, IllegalStateException,
-+ InvalidAlgorithmParameterException;
-+
-+
- }
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java.jmagne 2016-04-14 16:36:36.080464052 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java 2016-04-14 16:36:49.784369514 -0700
-@@ -0,0 +1,79 @@
-+/* ***** BEGIN LICENSE BLOCK *****
-+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
-+ *
-+ * The contents of this file are subject to the Mozilla Public License Version
-+ * 1.1 (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ * http://www.mozilla.org/MPL/
-+ *
-+ * Software distributed under the License is distributed on an "AS IS" basis,
-+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-+ * for the specific language governing rights and limitations under the
-+ * License.
-+ *
-+ * The Original Code is the Netscape Security Services for Java.
-+ *
-+ * The Initial Developer of the Original Code is
-+ * Netscape Communications Corporation.
-+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
-+ * the Initial Developer. All Rights Reserved.
-+ *
-+ * Contributor(s):
-+ *
-+ * Alternatively, the contents of this file may be used under the terms of
-+ * either the GNU General Public License Version 2 or later (the "GPL"), or
-+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-+ * in which case the provisions of the GPL or the LGPL are applicable instead
-+ * of those above.
If you wish to allow use of your version of this file only
-+ * under the terms of either the GPL or the LGPL, and not to allow others to
-+ * use your version of this file under the terms of the MPL, indicate your
-+ * decision by deleting the provisions above and replace them with the notice
-+ * and other provisions required by the GPL or the LGPL. If you do not delete
-+ * the provisions above, a recipient may use your version of this file under
-+ * the terms of any one of the MPL, the GPL or the LGPL.
-+ *
-+ * ***** END LICENSE BLOCK ***** */
-+
-+package org.mozilla.jss.crypto;
-+
-+import java.security.spec.AlgorithmParameterSpec;
-+import java.security.InvalidAlgorithmParameterException;
-+import java.security.PublicKey;
-+import java.security.InvalidKeyException;
-+
-+public interface SymmetricKeyDeriver {
-+
-+ /* Use with the encrypt type mechanisms
-+ Example: initDerive(
-+ symKey, (PKCS11Constants.CKM_DES3_ECB_ENCRYPT_DATA) 4354L, derivationData, null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE, 16);
-+ */
-+
-+ public abstract void initDerive(SymmetricKey baseKey,
-+ long deriveMech, byte[] param, byte[] iv, long targetMech, long operation, long keySize)
-+ throws InvalidKeyException;
-+
-+
-+
-+ /* Use with key extraction and key concatanation mechanisms
-+
-+ Example:
-+ param: byte array that has the bit position of where to extract
-+ initDerive(
-+ derivedKey, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null,
-+ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,8);
-+
-+
-+ initDerive(
-+ baseSymKey,secondarySymKey, PKCS11Constants.CKM_CONCATENATE_BASE_AND_KEY,null,null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,0);
-+
-+ */
-+
-+ public abstract void initDerive(SymmetricKey baseKey,
-+ SymmetricKey secondaryKey, long deriveMech, byte[] param, byte[] iv, long targetMech, long operation, long keySize)
-+ throws InvalidKeyException;
-+
-+ public abstract SymmetricKey derive()
-+ throws TokenException;
-+} -diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKey.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKey.java ---- ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKey.java.jmagne 2016-04-14 16:11:50.865699222 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKey.java 2016-04-14 16:12:02.768617289 -0700 -@@ -71,6 +71,10 @@ public interface SymmetricKey { - - String getFormat(); - -+ String getNickName(); -+ -+ void setNickName(String nickName); -+ - public final static class Type { - // all names converted to lowercase for case insensitivity - private static Hashtable nameMap = new Hashtable(); -diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/manifest.mn.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/manifest.mn ---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/manifest.mn.jmagne 2016-04-14 16:15:59.271989344 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/manifest.mn 2016-04-14 16:16:10.670910881 -0700 -@@ -64,6 +64,7 @@ CSRCS = \ - PK11Store.c \ - PK11SymKey.c \ - PK11Token.c \ -+ PK11SymmetricKeyDeriver.c \ - $(NULL) - - -diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c ---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.jmagne 2016-04-14 16:17:29.760366477 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2016-04-14 16:17:58.742166983 -0700 -@@ -519,7 +519,7 @@ JNIEXPORT jobject JNICALL - Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymWithSym - (JNIEnv *env, jclass clazz, jobject tokenObj, jobject unwrapperObj, - jbyteArray wrappedBA, jobject wrapAlgObj, jobject typeAlgObj, -- jint keyLen, jbyteArray ivBA, jint usageEnum) -+ jint keyLen, jbyteArray ivBA, jint usageEnum,jboolean temporary) - { - PK11SymKey *symKey=NULL, *wrappingKey=NULL; - CK_MECHANISM_TYPE wrappingMech, keyTypeMech; -@@ -527,6 +527,7 @@ 
Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - jobject keyObj = NULL; - CK_ULONG operation; - CK_FLAGS flags; -+ PRBool isPermanent = PR_FALSE; - - /* get key type */ - keyTypeMech = JSS_getPK11MechFromAlg(env, typeAlgObj); -@@ -579,8 +580,21 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - flags = 0; - } - -- symKey = PK11_UnwrapSymKeyWithFlags(wrappingKey, wrappingMech, param, -- wrappedKey, keyTypeMech, operation, keyLen, flags); -+ if( temporary ) { -+ isPermanent = PR_FALSE; -+ } else { -+ isPermanent = PR_TRUE; -+ } -+ -+ if( isPermanent == PR_FALSE) { -+ symKey = PK11_UnwrapSymKeyWithFlags(wrappingKey, wrappingMech, param, -+ wrappedKey, keyTypeMech, operation, keyLen, flags); -+ -+ } else { -+ symKey = PK11_UnwrapSymKeyWithFlagsPerm(wrappingKey, wrappingMech, param, -+ wrappedKey, keyTypeMech, operation, keyLen, flags,isPermanent); -+ } -+ - if( symKey == NULL ) { - JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to unwrap key"); - goto finish; -@@ -702,7 +716,7 @@ finish: - JNIEXPORT jobject JNICALL - Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext - (JNIEnv *env, jclass clazz, jobject tokenObj, jbyteArray wrappedBA, -- jobject typeAlgObj, jint usageEnum) -+ jobject typeAlgObj, jint usageEnum,jboolean temporary) - { - PK11SymKey *symKey=NULL; - CK_MECHANISM_TYPE keyTypeMech; -@@ -711,6 +725,8 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - PK11SlotInfo *slot = NULL; - CK_ULONG operation; - CK_FLAGS flags; -+ PRBool isPerm = PR_FALSE; -+ - - /* get key type */ - keyTypeMech = JSS_getPK11MechFromAlg(env, typeAlgObj); -@@ -740,9 +756,15 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - flags = 0; - } - -+ if( temporary ) { -+ isPerm = PR_FALSE; -+ } else { -+ isPerm = PR_TRUE; -+ } -+ - /* pull in the key */ - symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap, -- operation, wrappedKey, flags, PR_FALSE /*isPerm*/, NULL); -+ operation, wrappedKey, flags, isPerm, NULL); - if( symKey == NULL ) { - JSS_throwMsg(env, TOKEN_EXCEPTION, 
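Review bot: The permanence decision in the `@@ -579,8 +580,21 @@` hunk of PK11KeyWrapper.c is spread over two if/else blocks and two near-identical calls, which makes it easy to misread which path leaves a persistent key object on the token. Assuming PK11_UnwrapSymKeyWithFlagsPerm with a false isPerm behaves like PK11_UnwrapSymKeyWithFlags (worth confirming against the NSS version in use), the block reduces to `isPermanent = temporary ? PR_FALSE : PR_TRUE;` followed by a single `PK11_UnwrapSymKeyWithFlagsPerm(..., flags, isPermanent)` call. The same if/else is repeated in the `@@ -740,9 +756,15 @@` hunk for nativeUnwrapSymPlaintext. Both function bodies start and end outside these hunks.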
"Failed to unwrap key"); - goto finish; -diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java ---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.jmagne 2016-04-14 16:19:26.998559480 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2016-04-14 16:19:40.941463506 -0700 -@@ -498,8 +498,25 @@ final class PK11KeyWrapper implements Ke - return unwrapSymmetric(wrapped, type, -1, keyLen); - } - -+ public SymmetricKey -+ unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type, -+ SymmetricKey.Usage usage, int keyLen) -+ throws TokenException, IllegalStateException, -+ InvalidAlgorithmParameterException -+ { -+ return unwrapSymmetricPerm(wrapped, type, usage.getVal(), keyLen); -+ } -+ -+ public SymmetricKey -+ unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type, int keyLen) -+ throws TokenException, IllegalStateException, -+ InvalidAlgorithmParameterException -+ { -+ return unwrapSymmetricPerm(wrapped, type, -1, keyLen); -+ } -+ - private SymmetricKey -- unwrapSymmetric(byte[] wrapped, SymmetricKey.Type type, -+ unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type, - int usageEnum, int keyLen) - throws TokenException, IllegalStateException, - InvalidAlgorithmParameterException -@@ -508,6 +525,10 @@ final class PK11KeyWrapper implements Ke - throw new IllegalStateException(); - } - -+ /* Since we want permanent,make the temporary arg false */ -+ boolean temporary = false; -+ -+ - if( (! 
algorithm.isPadded()) && (type == SymmetricKey.RC4) ) { - if( keyLen <= 0 ) { - throw new InvalidAlgorithmParameterException( -@@ -521,12 +542,53 @@ final class PK11KeyWrapper implements Ke - - if( algorithm == KeyWrapAlgorithm.PLAINTEXT ) { - return nativeUnwrapSymPlaintext(token, wrapped, algFromType(type), -- usageEnum ); -+ usageEnum,temporary ); - } else { - if( symKey != null ) { - Assert._assert(pubKey==null && privKey==null); - return nativeUnwrapSymWithSym(token, symKey, wrapped, algorithm, -- algFromType(type), keyLen, IV, usageEnum); -+ algFromType(type), keyLen, IV, usageEnum,temporary); -+ } else { -+ Assert._assert(privKey!=null && pubKey==null && symKey==null); -+ throw new TokenException("We do not support permnament unwrapping with private key."); -+ } -+ } -+ } -+ -+ -+ private SymmetricKey -+ unwrapSymmetric(byte[] wrapped, SymmetricKey.Type type, -+ int usageEnum, int keyLen) -+ throws TokenException, IllegalStateException, -+ InvalidAlgorithmParameterException -+ { -+ if( state != UNWRAP ) { -+ throw new IllegalStateException(); -+ } -+ -+ if( (! 
algorithm.isPadded()) && (type == SymmetricKey.RC4) ) { -+ if( keyLen <= 0 ) { -+ throw new InvalidAlgorithmParameterException( -+ "RC4 keys wrapped in unpadded algorithms need key length"+ -+ " specified when unwrapping"); -+ } -+ } else { -+ // Don't use the key length -+ //keyLen = 0; -+ } -+ -+ /* Since we DONT want permanent,make the temporary arg true */ -+ boolean temporary = true; -+ -+ -+ if( algorithm == KeyWrapAlgorithm.PLAINTEXT ) { -+ return nativeUnwrapSymPlaintext(token, wrapped, algFromType(type), -+ usageEnum, temporary ); -+ } else { -+ if( symKey != null ) { -+ Assert._assert(pubKey==null && privKey==null); -+ return nativeUnwrapSymWithSym(token, symKey, wrapped, algorithm, -+ algFromType(type), keyLen, IV, usageEnum,temporary); - } else { - Assert._assert(privKey!=null && pubKey==null && symKey==null); - return nativeUnwrapSymWithPriv(token, privKey, wrapped, -@@ -586,7 +648,7 @@ final class PK11KeyWrapper implements Ke - private static native SymmetricKey - nativeUnwrapSymWithSym(PK11Token token, SymmetricKey unwrappingKey, - byte[] wrappedKey, KeyWrapAlgorithm alg, Algorithm type, int keyLen, -- byte[] IV, int usageEnum) -+ byte[] IV, int usageEnum,boolean temporary) - throws TokenException; - - /** -@@ -600,7 +662,7 @@ final class PK11KeyWrapper implements Ke - - private static native SymmetricKey - nativeUnwrapSymPlaintext(PK11Token token, byte[] wrappedKey, -- Algorithm type, int usageEnum); -+ Algorithm type, int usageEnum,boolean temporary); - - private void reset() { - state = UNINITIALIZED; -diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c ---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c.jmagne 2016-05-06 18:10:04.531912407 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2016-05-06 17:36:19.913933639 -0700 -@@ -99,17 +99,19 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD - } - - /* copy the 
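Review bot: unwrapSymmetricPerm and unwrapSymmetric in the `@@ -521,12 +542,53 @@` hunk are copies that differ only in the value of `temporary` and in the private-key branch, so any later fix to the state check or the RC4 length check has to be made twice. One private helper taking `boolean temporary`, called by both, would keep the permanent and temporary paths from drifting apart. The exception text `"We do not support permnament unwrapping with private key."` misspells "permanent". The public unwrapSymmetricPerm overloads also have no Javadoc; a line such as `/** Unwraps a symmetric key and asks the token to keep it as a permanent object. */` would tell callers that the key outlives the session.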
key, setting the CKA_SIGN attribute */ -- newKey = PK11_CopySymKeyForSigning(origKey, mech); -+/* newKey = PK11_CopySymKeyForSigning(origKey, mech); - if( newKey == NULL ) { - JSS_throwMsg(env, DIGEST_EXCEPTION, - "Unable to set CKA_SIGN attribute on symmetric key"); - goto finish; - } - -+*/ -+ - param.data = NULL; - param.len = 0; - -- context = PK11_CreateContextBySymKey(mech, CKA_SIGN, newKey, ¶m); -+ context = PK11_CreateContextBySymKey(mech, CKA_SIGN, origKey, ¶m); - if( context == NULL ) { - JSS_throwMsg(env, DIGEST_EXCEPTION, - "Unable to initialize digest context"); -diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c ---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c.jmagne 2016-04-14 16:22:16.174394977 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2016-04-14 16:22:26.605323176 -0700 -@@ -44,13 +44,101 @@ - #include - #include - #include -- - #include - #include - #include "pk11util.h" - #include - #include - -+typedef struct -+{ -+ enum -+ { -+ PW_NONE = 0, -+ PW_FROMFILE = 1, -+ PW_PLAINTEXT = 2, -+ PW_EXTERNAL = 3 -+ } source; -+ char *data; -+} secuPWData; -+ -+/********************************************************************** -+ * PK11Store.putSymKeysInVector -+ */ -+JNIEXPORT void JNICALL -+Java_org_mozilla_jss_pkcs11_PK11Store_putSymKeysInVector -+ (JNIEnv *env, jobject this, jobject keyVector) -+{ -+ PK11SlotInfo *slot; -+ jobject object = NULL; -+ jclass vectorClass; -+ jmethodID addElement; -+ -+ PK11SymKey *firstSymKey= NULL; -+ PK11SymKey *sk = NULL; -+ PK11SymKey *nextSymKey = NULL; -+ secuPWData pwdata; -+ -+ PK11SymKey *freeSymKey = NULL; -+ PK11SymKey *nextFreeSymKey = NULL; -+ -+ pwdata.source = PW_NONE; -+ pwdata.data = (char *) NULL; -+ -+ PR_ASSERT(env!=NULL && this!=NULL && keyVector!=NULL); -+ -+ if( JSS_PK11_getStoreSlotPtr(env, this, &slot) != PR_SUCCESS) { -+ ASSERT_OUTOFMEM(env); -+ goto finish; -+ } -+ 
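Review bot: The PK11_CopySymKeyForSigning call is disabled by wrapping it in a comment rather than removed, and the surviving comment `/* copy the key, setting the CKA_SIGN attribute */` now describes code that no longer runs. The context is created directly on `origKey`, so whether the digest context can be set up depends on the caller's key already permitting CKA_SIGN. A short comment saying why the copy was dropped would record that assumption, for example `/* use the caller's key directly: it must already allow CKA_SIGN */`. `newKey` is declared outside this hunk; if the cleanup at `finish` still frees it, check that it is initialised to NULL.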
PR_ASSERT(slot!=NULL); -+ -+ vectorClass = (*env)->GetObjectClass(env, keyVector); -+ if(vectorClass == NULL) { -+ ASSERT_OUTOFMEM(env); -+ goto finish; -+ } -+ -+ addElement = (*env)->GetMethodID(env, -+ vectorClass, -+ VECTOR_ADD_ELEMENT_NAME, -+ VECTOR_ADD_ELEMENT_SIG); -+ if(addElement == NULL) { -+ ASSERT_OUTOFMEM(env); -+ goto finish; -+ } -+ -+ PK11_Authenticate(slot, PR_TRUE /*load certs*/, NULL /*wincx*/); -+ -+ /* Obtain the symmetric key list. */ -+ firstSymKey = PK11_ListFixedKeysInSlot( slot , NULL, ( void *) &pwdata ); -+ sk = firstSymKey; -+ -+ while(( sk != NULL )) -+ { -+ if( sk ) { -+ -+ nextSymKey = sk; -+ object = JSS_PK11_wrapSymKey(env, &sk); -+ -+ if(object == NULL) { -+ PR_ASSERT( (*env)->ExceptionOccurred(env) ); -+ goto finish; -+ } -+ -+ /*************************************************** -+ * Insert the key into the vector -+ ***************************************************/ -+ (*env)->CallVoidMethod(env, keyVector, addElement, object); -+ } -+ -+ sk = PK11_GetNextSymKey( nextSymKey ); -+ } -+ -+finish: -+ -+ return; -+} - - /********************************************************************** - * PK11Store.putKeysInVector -diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.java ---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.java.jmagne 2016-04-14 16:23:26.997907471 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.java 2016-04-14 16:23:34.435856272 -0700 -@@ -66,8 +66,23 @@ public final class PK11Store implements - keys.copyInto( (Object[]) array ); - return array; - } -+ -+ public synchronized SymmetricKey[] -+ getSymmetricKeys() throws TokenException { -+ -+ Vector keys = new Vector(); -+ putSymKeysInVector(keys); -+ SymmetricKey[] array = new SymmetricKey[keys.size()]; -+ keys.copyInto( (Object[]) array); -+ return array; -+ } -+ -+ -+ - protected native void putKeysInVector(Vector keys) throws TokenException; - -+ 
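Review bot: In putSymKeysInVector the `goto finish` taken when JSS_PK11_wrapSymKey fails abandons every key still queued behind the current one in the list returned by PK11_ListFixedKeysInSlot. The locals `freeSymKey` and `nextFreeSymKey` are declared but never used, which suggests a cleanup loop was intended and that the caller is expected to release the list entries. The loop also reads the successor through `nextSymKey` only after ownership of that key has been handed to the wrapper, which is fragile, and it never checks for a pending exception after `CallVoidMethod`. Reading the successor before wrapping and releasing the remainder at `finish` addresses all three. Separately, the result of `PK11_Authenticate` is ignored and should be checked before the keys are listed.

```c
    /* … unchanged: slot lookup, vectorClass/addElement lookup, PK11_Authenticate … */
    sk = PK11_ListFixedKeysInSlot( slot , NULL, ( void *) &pwdata );

    while( sk != NULL ) {
        /* read the successor first: wrapSymKey takes ownership of sk */
        nextSymKey = PK11_GetNextSymKey( sk );

        object = JSS_PK11_wrapSymKey(env, &sk);
        if(object == NULL) {
            PR_ASSERT( (*env)->ExceptionOccurred(env) );
            goto finish;
        }

        (*env)->CallVoidMethod(env, keyVector, addElement, object);
        if( (*env)->ExceptionOccurred(env) ) {
            goto finish;
        }

        sk = nextSymKey;
        nextSymKey = NULL;
    }

finish:
    /* release the keys that were never handed to Java */
    while( nextSymKey != NULL ) {
        freeSymKey = nextSymKey;
        nextSymKey = PK11_GetNextSymKey( freeSymKey );
        PK11_FreeSymKey( freeSymKey );
    }
    return;
```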
protected native void putSymKeysInVector(Vector symKeys) throws TokenException; -+ - - public native void deletePrivateKey(PrivateKey key) - throws NoSuchItemOnTokenException, TokenException; -diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c ---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c.jmagne 2016-04-14 16:24:44.565372557 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2016-05-17 11:37:48.532485104 -0700 -@@ -33,7 +33,6 @@ - * the terms of any one of the MPL, the GPL or the LGPL. - * - * ***** END LICENSE BLOCK ***** */ -- - #include "_jni/org_mozilla_jss_pkcs11_SymKeyProxy.h" - - #include -@@ -62,6 +61,8 @@ JSS_PK11_wrapSymKey(JNIEnv *env, PK11Sym - jmethodID constructor; - jbyteArray ptrArray; - jobject Key=NULL; -+ char *nickname = NULL; -+ jstring jnickname = NULL; - - PR_ASSERT(env!=NULL && symKey!=NULL && *symKey!=NULL); - -@@ -72,10 +73,17 @@ JSS_PK11_wrapSymKey(JNIEnv *env, PK11Sym - goto finish; - } - -+ nickname = PK11_GetSymKeyNickname( *symKey ); -+ -+ if (nickname) { -+ jnickname = (*env)->NewStringUTF(env, nickname); -+ } -+ -+ - /* find the constructor */ - constructor = (*env)->GetMethodID(env, keyClass, - PLAIN_CONSTRUCTOR, -- PK11SYMKEY_CONSTRUCTOR_SIG); -+ PK11SYMKEY_CONSTRUCTOR_1_SIG); - if(constructor == NULL) { - ASSERT_OUTOFMEM(env); - goto finish; -@@ -87,12 +95,16 @@ JSS_PK11_wrapSymKey(JNIEnv *env, PK11Sym - goto finish; - } - /* call the constructor */ -- Key = (*env)->NewObject(env, keyClass, constructor, ptrArray); -+ Key = (*env)->NewObject(env, keyClass, constructor, ptrArray,jnickname); - - finish: - if(Key == NULL) { - PK11_FreeSymKey(*symKey); - } -+ if(nickname != NULL) { -+ PORT_Free(nickname); -+ nickname = NULL; -+ } - *symKey = NULL; - return Key; - } -@@ -181,6 +193,49 @@ finish: - - /*********************************************************************** - * -+ * PK11SymKey.setNickNameNative -+ */ 
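Review bot: The result of `NewStringUTF` in the `@@ -72,10 +73,17 @@` hunk of JSS_PK11_wrapSymKey is not checked, so an allocation failure leaves a pending Java exception while the function goes on to call `GetMethodID` and `NewObject`. Inside the `if (nickname)` block add `if (jnickname == NULL) { ASSERT_OUTOFMEM(env); goto finish; }`; the existing `finish` path already frees the key and the nickname string. The nickname is read from the token and NewStringUTF expects modified UTF-8, so it is worth confirming how a label containing other bytes is handled. The function starts outside these hunks.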
-+JNIEXPORT void JNICALL -+Java_org_mozilla_jss_pkcs11_PK11SymKey_setNickNameNative -+ (JNIEnv *env, jobject this,jstring nickname) -+{ -+ PK11SymKey *key=NULL; -+ const char *keyname = NULL; -+ SECStatus status; -+ -+ /* If no nickname provided, we are done */ -+ if( nickname == NULL ) { -+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, -+ "Nickname is NULL, will not be set"); -+ goto finish; -+ } -+ -+ /* get the key pointer */ -+ if( JSS_PK11_getSymKeyPtr(env, this, &key) != PR_SUCCESS) { -+ goto finish; -+ } -+ -+ /* convert the Java String into a native "C" string */ -+ keyname = (*env)->GetStringUTFChars( env, nickname, 0 ); -+ -+ /* name the key */ -+ status = PK11_SetSymKeyNickname( key, keyname ); -+ if( status != SECSuccess ) { -+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, -+ "Failed to name symmetric key"); -+ } -+finish: -+ -+ if( keyname != NULL ) { -+ /* free the native "C" string */ -+ (*env)->ReleaseStringUTFChars(env, nickname, keyname); -+ } -+ -+ return; -+} -+ -+/*********************************************************************** -+ * - * PK11SymKey.getKeyData - */ - JNIEXPORT jbyteArray JNICALL -@@ -279,6 +334,10 @@ Java_org_mozilla_jss_pkcs11_PK11SymKey_g - case CKK_AES: - typeFieldName = AES_KEYTYPE_FIELD; - break; -+ case CKK_DES2: -+ printf("hello des2! 
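Review bot: setNickNameNative passes the result of `GetStringUTFChars` straight to `PK11_SetSymKeyNickname` without checking it for NULL, which is what JNI returns when the copy cannot be allocated. Add `if( keyname == NULL ) { goto finish; }` after the conversion so the exception already raised by the JVM is what the caller sees. The comment `/* If no nickname provided, we are done */` does not match the code under it, which throws a TokenException. `JSS_throwMsgPrErr` there presumably reports whatever NSPR error is current, which is unrelated to a null argument; `JSS_throwMsg` with the comment `/* A null nickname is rejected with a TokenException */` would say what actually happens.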
\n"); -+ typeFieldName = DES3_KEYTYPE_FIELD; -+ break; - default: - PR_ASSERT(PR_FALSE); - typeFieldName = DES_KEYTYPE_FIELD; -diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.java ---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.java.jmagne 2016-04-14 16:58:33.385371633 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.java 2016-05-17 11:41:36.323841045 -0700 -@@ -44,9 +44,17 @@ public final class PK11SymKey implements - protected PK11SymKey(byte[] pointer) { - Assert._assert(pointer!=null); - keyProxy = new SymKeyProxy(pointer); -+ nickName = null; -+ } -+ -+ protected PK11SymKey(byte[] pointer,String nickName) { -+ Assert._assert(pointer!=null); -+ keyProxy = new SymKeyProxy(pointer); -+ this.nickName = nickName; - } - - private SymKeyProxy keyProxy; -+ private String nickName; - - public SymmetricKey.Type getType() { - KeyType kt = getKeyType(); -@@ -108,6 +116,20 @@ public final class PK11SymKey implements - public String getFormat() { - return "RAW"; - } -+ -+ public String getNickName() { -+ return nickName; -+ } -+ -+ public void setNickName(String nickName) { -+ this.nickName = nickName; -+ -+ if( nickName != null) { -+ setNickNameNative(nickName); -+ } -+ } -+ -+ public native void setNickNameNative(String nickName); - } - - class SymKeyProxy extends KeyProxy { -diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.c ---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.c.jmagne 2016-04-14 16:26:18.611723763 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.c 2016-05-17 14:13:35.456574082 -0700 -@@ -0,0 +1,364 @@ -+/* ***** BEGIN LICENSE BLOCK ***** -+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 -+ * -+ * The contents of this file are subject to the Mozilla Public License Version -+ * 1.1 (the 
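Review bot: The new `CKK_DES2` case prints `hello des2!` to standard output with `printf`, which looks like leftover debugging in a JNI library that runs inside the host JVM. Drop that line so the case is only `typeFieldName = DES3_KEYTYPE_FIELD; break;`. A one-line comment on why a double-length DES key is reported as DES3, such as `/* double-length DES keys are reported as DES3 */`, would help the next reader. The switch starts and ends outside this hunk.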
"License"); you may not use this file except in compliance with -+ * the License. You may obtain a copy of the License at -+ * http://www.mozilla.org/MPL/ -+ * -+ * Software distributed under the License is distributed on an "AS IS" basis, -+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -+ * for the specific language governing rights and limitations under the -+ * License. -+ * -+ * The Original Code is the Netscape Security Services for Java. -+ * -+ * The Initial Developer of the Original Code is -+ * Netscape Communications Corporation. -+ * Portions created by the Initial Developer are Copyright (C) 1998-2000 -+ * the Initial Developer. All Rights Reserved. -+ * -+ * Contributor(s): -+ * -+ * Alternatively, the contents of this file may be used under the terms of -+ * either the GNU General Public License Version 2 or later (the "GPL"), or -+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -+ * in which case the provisions of the GPL or the LGPL are applicable instead -+ * of those above. If you wish to allow use of your version of this file only -+ * under the terms of either the GPL or the LGPL, and not to allow others to -+ * use your version of this file under the terms of the MPL, indicate your -+ * decision by deleting the provisions above and replace them with the notice -+ * and other provisions required by the GPL or the LGPL. If you do not delete -+ * the provisions above, a recipient may use your version of this file under -+ * the terms of any one of the MPL, the GPL or the LGPL. 
-+ * -+ * ***** END LICENSE BLOCK ***** */ -+#include "_jni/org_mozilla_jss_pkcs11_PK11SymmetricKeyDeriver.h" -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include "java_ids.h" -+ -+#include "pk11util.h" -+#include -+ -+/*********************************************************************** -+ * Expose the NSS functionality at low level, one should know what to do -+ * at the Java level. -+ */ -+ -+JNIEXPORT jobject JNICALL Java_org_mozilla_jss_pkcs11_PK11SymmetricKeyDeriver_nativeDeriveSymKey -+ (JNIEnv * env, jobject this,jobject tokenObj, -+ jobject baseKeyObj, jobject secondaryKeyObj, -+ jlong deriveMechanism, jbyteArray param, jbyteArray iv, jlong targetMechanism, jlong operation, jlong keySize) -+{ -+ jobject keyObj = NULL; -+ PK11SlotInfo *slot=NULL; -+ PK11SlotInfo *bestSlot = NULL; -+ PK11SlotInfo *slotForKey = NULL; -+ PK11SlotInfo *slotForSecondaryKey = NULL; -+ PK11SlotInfo *finalSlot = NULL; -+ PK11SlotInfo *finalSecondarySlot = NULL; -+ PK11SlotInfo *finalBaseKeySlot = NULL; -+ -+ PK11SymKey *baseKey = NULL; -+ PK11SymKey *bestBaseKey = NULL; -+ PK11SymKey *finalBaseKey = NULL; -+ PK11SymKey *newKey = NULL; -+ -+ PK11SymKey *secondaryKey = NULL; -+ PK11SymKey *bestSecondaryKey = NULL; -+ PK11SymKey *finalSecondaryKey = NULL; -+ PK11SymKey *derivedKey = NULL; -+ jbyte *paramValue = NULL; -+ int paramLength = 0; -+ jbyte *ivValue = NULL; -+ int ivLength = 0; -+ -+ -+ CK_OBJECT_HANDLE keyhandle = 0; -+ -+ CK_AES_CBC_ENCRYPT_DATA_PARAMS aes; -+ CK_DES_CBC_ENCRYPT_DATA_PARAMS des; -+ CK_KEY_DERIVATION_STRING_DATA string; -+ -+ SECItem paramsItem = { siBuffer, NULL, 0 }; -+ -+ PR_ASSERT(env!=NULL && this!=NULL); -+ -+ if( baseKeyObj == 0) { -+ PR_fprintf(PR_STDOUT,"baseKeyObj can not be null!\n"); -+ goto loser; -+ } -+ -+ if( param != NULL) { -+ paramValue = (*env)->GetByteArrayElements(env,param, NULL); -+ 
paramLength = (*env)->GetArrayLength(env,param); -+ } -+ -+ if( iv != NULL) { -+ ivValue = (*env)->GetByteArrayElements(env,iv, NULL); -+ ivLength = (*env)->GetArrayLength(env,iv); -+ } -+ -+ /* Set up the params data for the PK11_Derive family */ -+ -+ switch ( deriveMechanism ) { -+ case CKM_DES_ECB_ENCRYPT_DATA: -+ case CKM_DES3_ECB_ENCRYPT_DATA: -+ case CKM_AES_ECB_ENCRYPT_DATA: -+ case CKM_CAMELLIA_ECB_ENCRYPT_DATA: -+ case CKM_SEED_ECB_ENCRYPT_DATA: -+ /* Use CK_KEY_DERIVATION_STRING_DATA */ -+ -+ string.pData = (unsigned char *) paramValue; -+ string.ulLen = paramLength; -+ paramsItem.data = (void *) &string; -+ paramsItem.len = sizeof(string); -+ -+ break; -+ case CKM_DES_CBC_ENCRYPT_DATA: -+ case CKM_DES3_CBC_ENCRYPT_DATA: -+ /* Use CK_DES_CBC_ENCRYPT_DATA_PARAMS */ -+ -+ if( ivValue == NULL) { -+ PR_fprintf(PR_STDOUT, "Need iv param for CKM_DES_CBC_ENCRYPT_DATA or CKM_DES3_CBC_ENCRYPT_DATA. \n"); -+ goto loser; -+ } -+ -+ if( ivLength != 8) { -+ PR_fprintf(PR_STDOUT, "Need iv param for CKM_DES_CBC_ENCRYPT_DATA structure to be 8 bytes!. \n"); -+ goto loser; -+ } -+ -+ des.pData = (unsigned char *) paramValue; -+ des.length = paramLength; -+ PORT_Memcpy(des.iv,ivValue,ivLength); -+ paramsItem.data = (void *) &des; -+ paramsItem.len = sizeof(des); -+ -+ break; -+ -+ case CKM_AES_CBC_ENCRYPT_DATA: -+ case CKM_CAMELLIA_CBC_ENCRYPT_DATA: -+ case CKM_SEED_CBC_ENCRYPT_DATA: -+ /* Use CK_AES_CBC_ENCRYPT_DATA_PARAMS */ -+ -+ if ( ivValue == NULL ) { -+ PR_fprintf(PR_STDOUT, "Need iv param for CBC encrypt derive for AES, or CAMELLIA or SEED. \n"); -+ goto loser; -+ } -+ -+ if( ivLength != 16) { -+ PR_fprintf(PR_STDOUT, "Need iv param for CK_AES_CBC_ENCRYPT_DATA_PARAMS structure to be 16 bytes!. 
\n"); -+ goto loser; -+ } -+ -+ aes.pData = (unsigned char *) paramValue; -+ aes.length = paramLength; -+ PORT_Memcpy(aes.iv,ivValue,ivLength); -+ paramsItem.data = (void *) &aes; -+ paramsItem.len = sizeof(aes); -+ break; -+ default: -+ paramsItem.data = (unsigned char *) paramValue; -+ paramsItem.len = paramLength; -+ break; -+ } -+ -+ /* Get slot */ -+ if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) { -+ goto loser; -+ } -+ -+ /* Get base key */ -+ -+ if( JSS_PK11_getSymKeyPtr(env, baseKeyObj, &baseKey) != PR_SUCCESS) { -+ PR_fprintf(PR_STDOUT, "PK11SymmetricKeyDeriver.nativeDeriveSymKey: Unable to extract symmetric base key!"); -+ goto loser; -+ } -+ -+ /* Ask NSS what the best slot for the given mechanism */ -+ -+ bestSlot = PK11_GetBestSlot(deriveMechanism, NULL); -+ -+ if( bestSlot == NULL) { -+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: Can't find suitable slot for sym key derivation! \n"); -+ goto loser; -+ } -+ -+ slotForKey = PK11_GetSlotFromKey(baseKey); -+ -+ int keyOnRequestedSlot = 0; -+ int baseKeyMoved= 0; -+ -+ if(slotForKey != slot) { -+ keyOnRequestedSlot = 0; -+ } else { -+ keyOnRequestedSlot = 1; -+ finalBaseKeySlot = slot; -+ } -+ -+ if ( PK11_DoesMechanism( slot, deriveMechanism)) { -+ if ( keyOnRequestedSlot ) { -+ finalBaseKey = baseKey; -+ } else { -+ bestBaseKey = PK11_MoveSymKey( slot, CKA_ENCRYPT, 0, PR_FALSE, baseKey ); -+ if(bestBaseKey == NULL) { -+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: Can't move Base Key to requested slot!\n"); -+ goto loser; -+ } -+ baseKeyMoved = 1; -+ finalBaseKey = bestBaseKey; -+ finalBaseKeySlot = slot; -+ } -+ -+ } else { -+ bestBaseKey = PK11_MoveSymKey( bestSlot, CKA_ENCRYPT, 0, PR_FALSE, baseKey ); -+ if(bestBaseKey == NULL) { -+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: Can't move Base Key to best slot!\n"); -+ goto loser; -+ } -+ baseKeyMoved = 1; -+ finalBaseKey = bestBaseKey; -+ finalBaseKeySlot = bestSlot; 
-+ } -+ -+ /* Assume we want to do a concatenation family here */ -+ -+ if( secondaryKeyObj != NULL) { -+ if( JSS_PK11_getSymKeyPtr(env, secondaryKeyObj, &secondaryKey) != PR_SUCCESS) { -+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: Can't find secondary sym key!\n"); -+ goto loser; -+ } -+ -+ /* Make sure the secondary key is in the proper slot to do concatenation */ -+ -+ slotForSecondaryKey = PK11_GetSlotFromKey( secondaryKey ); -+ -+ if( finalBaseKeySlot != slotForSecondaryKey ) { -+ -+ finalSecondaryKey = PK11_MoveSymKey (finalBaseKeySlot, CKA_ENCRYPT, 0, PR_FALSE, secondaryKey); -+ -+ if( finalSecondaryKey == NULL) { -+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey, Problem moving secondary key to proper slot.\n"); -+ goto loser; -+ } -+ } else { -+ finalSecondaryKey = secondaryKey; -+ } -+ -+ if( paramValue == NULL) { -+ keyhandle = PK11_GetSymKeyHandle(finalSecondaryKey); -+ -+ if( keyhandle == 0) { -+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey, can't get handle for secondary sym key.\n"); -+ goto loser; -+ } -+ -+ paramsItem.data=(unsigned char *) &keyhandle; -+ paramsItem.len=sizeof(keyhandle); -+ -+ } else { -+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: incorrect input parameter provided!\n"); -+ goto loser; -+ } -+ } -+ -+ derivedKey = PK11_Derive(finalBaseKey, deriveMechanism, ¶msItem, targetMechanism, -+ operation, keySize); -+ if(derivedKey == NULL) { -+ PR_fprintf(PR_STDOUT, -+ "ERROR: Can't derive symmetric key, error: %d \n",PR_GetError()); -+ goto loser; -+ } -+ -+ if ( (finalSlot = PK11_GetSlotFromKey(derivedKey )) != slot) { -+ newKey = PK11_MoveSymKey ( slot, CKA_ENCRYPT, 0, PR_FALSE, derivedKey); -+ -+ if ( newKey == NULL ) { -+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: error moving key to original slot, return anyway. 
\n"); -+ newKey = derivedKey; -+ derivedKey = NULL; -+ } -+ -+ } else { -+ newKey = derivedKey; -+ derivedKey = NULL; -+ } -+ -+ keyObj = JSS_PK11_wrapSymKey(env, &newKey); -+ -+loser: -+ -+ if ( bestBaseKey != NULL ) { -+ PK11_FreeSymKey ( bestBaseKey ); -+ bestBaseKey = NULL; -+ } -+ -+ if ( bestSecondaryKey != NULL ) { -+ PK11_FreeSymKey ( bestSecondaryKey ); -+ bestSecondaryKey = NULL; -+ } -+ -+ if ( derivedKey != NULL) { -+ PK11_FreeSymKey ( derivedKey ); -+ derivedKey = NULL; -+ } -+ -+ if (bestSlot != NULL ) { -+ PK11_FreeSlot(bestSlot); -+ bestSlot = NULL; -+ } -+ -+ if ( slotForKey != NULL ) { -+ PK11_FreeSlot( slotForKey ); -+ slotForKey = NULL; -+ } -+ -+ if ( finalSlot != NULL ) { -+ PK11_FreeSlot( finalSlot ); -+ finalSlot = NULL; -+ } -+ -+ if ( finalSecondarySlot != NULL ) { -+ PK11_FreeSlot( finalSecondarySlot ); -+ finalSecondarySlot = NULL; -+ } -+ -+ if ( slotForSecondaryKey != NULL ) { -+ PK11_FreeSlot( slotForSecondaryKey ); -+ slotForSecondaryKey = NULL; -+ } -+ -+ if(paramValue) { -+ (*env)->ReleaseByteArrayElements(env, param, (jbyte*)paramValue, -+ JNI_ABORT); -+ } -+ if(ivValue) { -+ (*env)->ReleaseByteArrayElements(env, iv, (jbyte*)ivValue, -+ JNI_ABORT); -+ } -+ -+ if( keyObj == NULL) { -+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Unable to derive symmetric key! 
" -+ "failure!"); -+ } -+ -+ return keyObj; -+} -diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.java ---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.java.jmagne 2016-04-14 16:28:29.179823017 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.java 2016-04-14 16:28:36.186774680 -0700 -@@ -0,0 +1,158 @@ -+/* ***** BEGIN LICENSE BLOCK ***** -+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 -+ * -+ * The contents of this file are subject to the Mozilla Public License Version -+ * 1.1 (the "License"); you may not use this file except in compliance with -+ * the License. You may obtain a copy of the License at -+ * http://www.mozilla.org/MPL/ -+ * -+ * Software distributed under the License is distributed on an "AS IS" basis, -+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -+ * for the specific language governing rights and limitations under the -+ * License. -+ * -+ * The Original Code is the Netscape Security Services for Java. -+ * -+ * The Initial Developer of the Original Code is -+ * Netscape Communications Corporation. -+ * Portions created by the Initial Developer are Copyright (C) 1998-2000 -+ * the Initial Developer. All Rights Reserved. -+ * -+ * Contributor(s): -+ * -+ * Alternatively, the contents of this file may be used under the terms of -+ * either the GNU General Public License Version 2 or later (the "GPL"), or -+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -+ * in which case the provisions of the GPL or the LGPL are applicable instead -+ * of those above. 
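Review bot: When the secondary key has to be moved in nativeDeriveSymKey, the copy returned by `PK11_MoveSymKey` is stored only in `finalSecondaryKey`, which the `loser` block never frees. `bestSecondaryKey` is freed there but is never assigned, so the moved copy of the key stays allocated on the base key's slot. Handle it the way the base key is handled: `bestSecondaryKey = PK11_MoveSymKey(finalBaseKeySlot, CKA_ENCRYPT, 0, PR_FALSE, secondaryKey); finalSecondaryKey = bestSecondaryKey;`. `GetByteArrayElements` for `param` and `iv` is also unchecked, so a failed copy is indistinguishable from a null argument. Every specific failure is written with `PR_fprintf(PR_STDOUT, ...)` and then replaced by the generic TokenException, so the Java caller cannot tell a wrong IV length from a token error; passing the specific text to `JSS_throwMsgPrErr` would fix that.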
If you wish to allow use of your version of this file only -+ * under the terms of either the GPL or the LGPL, and not to allow others to -+ * use your version of this file under the terms of the MPL, indicate your -+ * decision by deleting the provisions above and replace them with the notice -+ * and other provisions required by the GPL or the LGPL. If you do not delete -+ * the provisions above, a recipient may use your version of this file under -+ * the terms of any one of the MPL, the GPL or the LGPL. -+ * -+ * ***** END LICENSE BLOCK ***** */ -+ -+package org.mozilla.jss.pkcs11; -+ -+import org.mozilla.jss.crypto.*; -+import org.mozilla.jss.util.Assert; -+import sun.security.pkcs11.wrapper.*; -+import java.security.InvalidKeyException; -+ -+ -+/*This operation is pkcs11 based only */ -+ -+public class PK11SymmetricKeyDeriver implements SymmetricKeyDeriver { -+ -+ private PK11Token token = null; -+ private SymmetricKey baseKey = null; -+ private SymmetricKey secondaryKey = null; -+ private long deriveMechanism = 0; -+ private long targetMechanism = 0; -+ private long operation = 0; -+ private long keySize = 0; -+ private byte[] param = null; -+ private byte[] iv = null; -+ -+ public PK11SymmetricKeyDeriver(PK11Token token) -+ { -+ this.token = token; -+ } -+ -+ /* Use with the encrypt type mechanisms -+ -+ Example: initDerive( -+ symKey, (PKCS11Constants.CKM_DES3_ECB_ENCRYPT_DATA) 4354L, derivationData, null, -+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE, 16); -+ -+ -+ */ -+ public void initDerive(SymmetricKey baseKey, long deriveMech, byte[] param, byte[] iv, -+ long targetMech, long operation, long keySize) throws InvalidKeyException -+ { -+ reset(); -+ -+ if(baseKey == null) { -+ throw new InvalidKeyException("Key is null"); -+ } -+ -+ this.baseKey = baseKey; -+ this.deriveMechanism = deriveMech; -+ this.targetMechanism = targetMech; -+ this.operation = operation; -+ -+ if ( param != null) { -+ this.param = new byte[param.length]; -+ 
System.arraycopy(param,0,this.param,0,param.length); -+ } -+ -+ if ( iv != null) { -+ this.iv = new byte[iv.length]; -+ System.arraycopy(iv,0,this.iv,0,iv.length); -+ } -+ -+ this.keySize = keySize; -+ -+ } -+ -+ /* Use with key extraction and key concatanation mechanisms -+ -+ Example Extraction: -+ param: byte array that has the bit position of where to extract -+ initDerive( -+ derivedKey, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null, -+ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,8); -+ -+ Example Concat: -+ -+ initDerive( -+ baseSymKey,secondarySymKey, PKCS11Constants.CKM_CONCATENATE_BASE_AND_KEY,null,null, -+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,0); -+ -+ */ -+ -+ public void initDerive(SymmetricKey baseKey, SymmetricKey secondaryKey, long deriveMech, -+ byte[] param, byte[] iv, long targetMech, long operation, long keySize) throws InvalidKeyException -+ { -+ reset(); -+ -+ if ( baseKey == null || secondaryKey == null) { -+ throw new InvalidKeyException("Key is null"); -+ } -+ -+ initDerive(baseKey, deriveMech, param,iv,targetMech,operation,keySize); -+ this.secondaryKey = secondaryKey; -+ -+ } -+ -+ -+ public SymmetricKey derive() -+ throws TokenException -+ { -+ SymmetricKey result = deriveSymKey(this.baseKey,this.secondaryKey,this.deriveMechanism, this.param, this.iv, this.targetMechanism, this.operation,this.keySize); -+ return result; -+ } -+ -+ private SymmetricKey -+ deriveSymKey(SymmetricKey baseKey, SymmetricKey secondaryKey, long deriveMechanism, byte[] param, byte[] iv, long targetMechanism, long operation, long keySize) -+ throws TokenException, IllegalStateException -+ { -+ return nativeDeriveSymKey(token, baseKey, secondaryKey,deriveMechanism, param, iv, targetMechanism, operation, keySize); -+ } -+ -+ public native SymmetricKey nativeDeriveSymKey(PK11Token token, SymmetricKey baseKey, SymmetricKey secondaryKey, long deriveMechanism, byte[] param, byte[] iv, -+ long targetMechanism, long operation, long 
keySize); -+ -+ private void reset() { -+ baseKey = null; -+ secondaryKey = null; -+ deriveMechanism = 0; -+ targetMechanism = 0; -+ operation = 0; -+ keySize = 0; -+ param = null; -+ iv = null; -+ } -+} -diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java ---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.jmagne 2016-04-14 16:30:46.098878459 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2016-04-14 17:27:30.918367372 -0700 -@@ -131,6 +131,11 @@ public final class PK11Token implements - return PK11KeyGenerator.clone(key, this); - } - -+ public PK11SymmetricKeyDeriver getSymmetricKeyDeriver() -+ { -+ return new PK11SymmetricKeyDeriver(this); -+ } -+ - public KeyWrapper - getKeyWrapper(KeyWrapAlgorithm algorithm) - throws NoSuchAlgorithmException, TokenException -diff -up ./mozilla/security/jss/org/mozilla/jss/tests/SymKeyDeriving.java.jmagne ./mozilla/security/jss/org/mozilla/jss/tests/SymKeyDeriving.java ---- ./mozilla/security/jss/org/mozilla/jss/tests/SymKeyDeriving.java.jmagne 2016-04-14 16:32:58.529964860 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/tests/SymKeyDeriving.java 2016-05-17 11:43:51.858862556 -0700 -@@ -0,0 +1,516 @@ -+/* ***** BEGIN LICENSE BLOCK ***** -+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 -+ * -+ * The contents of this file are subject to the Mozilla Public License Version -+ * 1.1 (the "License"); you may not use this file except in compliance with -+ * the License. You may obtain a copy of the License at -+ * http://www.mozilla.org/MPL/ -+ * -+ * Software distributed under the License is distributed on an "AS IS" basis, -+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -+ * for the specific language governing rights and limitations under the -+ * License. -+ * -+ * The Original Code is the Netscape Security Services for Java. 
-+ * -+ * The Initial Developer of the Original Code is -+ * Netscape Communications Corporation. -+ * Portions created by the Initial Developer are Copyright (C) 1998-2000 -+ * the Initial Developer. All Rights Reserved. -+ * -+ * Contributor(s): -+ * -+ * Alternatively, the contents of this file may be used under the terms of -+ * either the GNU General Public License Version 2 or later (the "GPL"), or -+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -+ * in which case the provisions of the GPL or the LGPL are applicable instead -+ * of those above. If you wish to allow use of your version of this file only -+ * under the terms of either the GPL or the LGPL, and not to allow others to -+ * use your version of this file under the terms of the MPL, indicate your -+ * decision by deleting the provisions above and replace them with the notice -+ * and other provisions required by the GPL or the LGPL. If you do not delete -+ * the provisions above, a recipient may use your version of this file under -+ * the terms of any one of the MPL, the GPL or the LGPL. -+ * -+ * ***** END LICENSE BLOCK ***** */ -+ -+package org.mozilla.jss.tests; -+ -+import org.mozilla.jss.crypto.*; -+import org.mozilla.jss.CryptoManager; -+import org.mozilla.jss.util.Assert; -+import org.mozilla.jss.pkcs11.*; -+import sun.security.pkcs11.wrapper.PKCS11Constants; -+import java.nio.ByteBuffer; -+import java.util.Arrays; -+import java.util.Vector; -+import java.util.Enumeration; -+ -+/** -+ * Sym Key deriving tests.. 
-+ * -+ */ -+ -+public class SymKeyDeriving { -+ -+ private static final byte[] iv8 = new byte [] { 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8 }; -+ private static final byte[] iv16 = new byte [] { 0x1, 0x2, 0x3, 0x4, -+ 0x5, 0x6, 0x7, 0x8, -+ 0x9,0xa, 0xb, 0xc,0xd,0xe, 0xf,0x10 }; -+ -+ private static final byte[] derivationData1 = new byte[] { 0x11, 0x11, 0x13, -+ 0x14, 0x15, 0x16, 0x17, 0x18 }; -+ -+ private static final byte[] derivationData2 = new byte [] { 0x9, 0xa, 0xb, 0xc, 0xd, -+ 0xe, 0xf, 0x10 }; -+ -+ private static final byte[] derivationData16 = new byte[] { 0x1, 0x2, 0x3, 0x4, 0x5, 0x6,0x7, 0x8, -+ 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf, 0x10 }; -+ -+ -+ public static void main(String args[]) { -+ -+ SymmetricKey macKeyDev = null; -+ try { -+ -+ CryptoManager.InitializationValues vals = -+ new CryptoManager.InitializationValues("./" -+ ); -+ CryptoManager.initialize(vals); -+ CryptoManager cm = CryptoManager.getInstance(); -+ CryptoToken token = cm.getInternalCryptoToken(); -+ CryptoToken keyToken = cm.getInternalKeyStorageToken(); -+ System.out.println("interal token name: " + keyToken.getName()); -+ KeyGenerator keyKg = keyToken.getKeyGenerator(KeyGenAlgorithm.DES3); -+ SymmetricKey baseKey = keyKg.generate(); -+ -+ -+ KeyGenerator keyKgDes = keyToken.getKeyGenerator(KeyGenAlgorithm.DES); -+ SymmetricKey baseKeyDes = keyKgDes.generate(); -+ System.out.println("strength: " + baseKeyDes.getStrength()); -+ -+ -+ KeyGenerator keyKgAES = keyToken.getKeyGenerator(KeyGenAlgorithm.AES); -+ keyKgAES.initialize(128); -+ SymmetricKey baseKeyAES = keyKgAES.generate(); -+ -+ -+ -+ System.out.println("baseKey bytes: "); -+ byte[] baseBytes = baseKey.getEncoded(); -+ displayByteArray(baseBytes,true); -+ -+ -+ /*****************************************************************************************************/ -+ -+ System.out.println("\n Mechanism CKM_EXTRACT_KEY_FROM_KEY test 16 bytes. 
\n"); -+ -+ -+ SymmetricKeyDeriver deriver = token.getSymmetricKeyDeriver(); -+ System.out.println("deriver: " + deriver); -+ System.out.println("CKM_EXTRACT_KEY_FROM_KEY : " + PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY); -+ -+ long bitPosition = 0; -+ -+ byte[] param = longToBytes(bitPosition); -+ -+ deriver.initDerive( -+ baseKey, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null, -+ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,(long) 16); -+ -+ -+ SymmetricKey extracted16 = deriver.derive(); -+ -+ System.out.println("Derived key: " + extracted16); -+ -+ if(extracted16 == null) { -+ System.out.println("Failed to derive 16 byte key with mechanism: CKM_EXTRACT_KEY_FROM_KEY \n"); -+ } -+ -+ System.out.println("derivedKey 16 bytes: "); -+ byte[] derivedBytes = extracted16.getEncoded(); -+ displayByteArray(derivedBytes,true); -+ -+ -+ /*****************************************************************************************************/ -+ -+ System.out.println("\n Mechanism CKM_EXTRACT_KEY_FROM_KEY test 8 bytes. \n"); -+ -+ -+ SymmetricKeyDeriver extract8 = token.getSymmetricKeyDeriver(); -+ extract8.initDerive( -+ extracted16, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null, -+ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,(long) 8); -+ -+ -+ SymmetricKey extracted8 = extract8.derive(); -+ System.out.println("Derived key: " + extracted8); -+ -+ if(extracted8 == null) { -+ System.out.println("Failed to derive key extracted 8 bytes with mechanism: CKM_EXTRACT_KEY_FROM_KEY \n"); -+ } -+ -+ byte[] extracted8Bytes = extracted8.getEncoded(); -+ System.out.println("derived extracted 8 bytes of key: "); -+ displayByteArray(extracted8Bytes,true); -+ -+ -+ /*****************************************************************************************************/ -+ -+ -+ System.out.println("\n Mechanism CKM_CONCATENATE_BASE_AND_KEY test 16 + 8 = 24 byte key. 
\n"); -+ -+ SymmetricKeyDeriver concat = keyToken.getSymmetricKeyDeriver(); -+ concat.initDerive( -+ extracted16,extracted8, PKCS11Constants.CKM_CONCATENATE_BASE_AND_KEY,null,null, -+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,(long) 0); -+ -+ SymmetricKey concated24 = concat.derive(); -+ -+ if( concated24 == null) { -+ System.out.println("Failed to derive key concated 8 bytes to 16 bytes key: CKM_CONCATENATE_BASE_AND_KEY \n"); -+ } -+ -+ byte[] concated24Bytes = concated24.getEncoded(); -+ System.out.println("derived concated 16 + 8 = 24 byte key: "); -+ displayByteArray(concated24Bytes,true); -+ -+ /*****************************************************************************************************/ -+ -+ // Now lets try more complex derivation -+ -+ // tmp2 = PK11_Derive( master , CKM_DES_ECB_ENCRYPT_DATA , ¶m , CKM_CONCATENATE_BASE_AND_KEY , CKA_DERIVE , 0); -+ -+ System.out.println("\n Mechanism CKM_DES_ECB_ENCRYPT_DATA test. \n"); -+ -+ SymmetricKeyDeriver encrypt = token.getSymmetricKeyDeriver(); -+ -+ encrypt.initDerive( -+ baseKeyDes, /* PKCS11Constants.CKM_DES_ECB_ENCRYPT_DATA */ 4352L,derivationData1 ,null, -+ PKCS11Constants.CKM_DES_ECB, PKCS11Constants.CKA_DERIVE,(long) 8); -+ -+ SymmetricKey encrypted8 = encrypt.derive(); -+ -+ if( encrypted8 == null) { -+ System.out.println("Failed to derive 8 bytes from encrypted derivation data."); -+ } -+ -+ byte[] encrypted8Bytes = encrypted8.getEncoded(); -+ System.out.println("derived encrypted 8 bytes: " + encrypted8Bytes.length); -+ displayByteArray(encrypted8Bytes,true); -+ -+ Cipher cipher = null; -+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.DES_ECB); -+ -+ cipher.initEncrypt(baseKeyDes); -+ -+ byte[] ciphertext = cipher.doFinal(derivationData1); -+ displayByteArray(ciphertext,true); -+ -+ if ( ciphertext.length != encrypted8Bytes.length ) { -+ System.out.println("FAILED: encrypted data length not equal to derived key length."); -+ } else { -+ for ( int i = 0; i < 
ciphertext.length ; i ++) { -+ ciphertext[i]&=0xfe; -+ encrypted8Bytes[i]&=0xfe; -+ } -+ if ( Arrays.equals(ciphertext, encrypted8Bytes)) { -+ System.out.println("PASSED: derived key the same as encrypted data."); -+ } else { -+ -+ System.out.println("FAILED: derived key not the same as encrypted data."); -+ } -+ } -+ -+ -+ /*****************************************************************************************************/ -+ -+ // Try ecnrypted des3 derivation -+ -+ System.out.println("\n Mechanism CKM_DES3_ECB_ENCRYPT_DATA test. \n"); -+ -+ SymmetricKeyDeriver encryptDes3 = token.getSymmetricKeyDeriver(); -+ -+ encryptDes3.initDerive( -+ baseKey, /* PKCS11Constants.CKM_DES3_ECB_ENCRYPT_DATA */ 4354L ,derivationData16 ,null, -+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,(long) 16); -+ -+ -+ SymmetricKey encrypted16 = encryptDes3.derive(); -+ -+ if ( encrypted16 == null) { -+ System.out.println("Failed to derive 16 bytes from encrypted derivation data."); -+ } -+ -+ byte[] encrypted16Bytes = encrypted16.getEncoded(); -+ -+ System.out.println("derived encrypted 16 bytes: " + encrypted16Bytes.length); -+ displayByteArray(encrypted16Bytes,true); -+ -+ -+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.DES3_ECB); -+ cipher.initEncrypt(baseKey); -+ ciphertext = cipher.doFinal(derivationData16); -+ displayByteArray(ciphertext,true); -+ -+ if ( ciphertext.length != encrypted16Bytes.length ) { -+ System.out.println("FAILED: encrypted data length not equal to derived key length."); -+ } else { -+ for ( int i = 0; i < ciphertext.length ; i ++) { -+ ciphertext[i]&=0xfe; -+ encrypted16Bytes[i]&=0xfe; -+ } -+ if ( Arrays.equals(ciphertext, encrypted16Bytes)) { -+ System.out.println("PASSED: derived key the same as encrypted data."); -+ } else { -+ System.out.println("FAILED: derived key not the same as encrypted data."); -+ } -+ } -+ -+ -+ /*****************************************************************************************************/ -+ -+ 
System.out.println("\n Mechanism CKM_DES_CBC_ENCRYPT_DATA test. \n"); -+ -+ SymmetricKeyDeriver encryptDesCBC = token.getSymmetricKeyDeriver(); -+ -+ encryptDesCBC.initDerive( -+ baseKeyDes, /* PKCS11Constants.CKM_DES_CBC_ENCRYPT_DATA */ 4353L ,derivationData1 ,iv8, -+ PKCS11Constants.CKM_DES_CBC, PKCS11Constants.CKA_DERIVE,(long) 8); -+ -+ -+ SymmetricKey encryptedDesCBC = encryptDesCBC.derive(); -+ -+ if ( encryptedDesCBC == null) { -+ System.out.println("Failed to derive 8 bytes from encrypted derivation data."); -+ } -+ -+ byte[] encryptedDesCBCBytes = encryptedDesCBC.getEncoded(); -+ -+ System.out.println("derived encrypted 8 bytes: " + encryptedDesCBCBytes.length); -+ displayByteArray(encryptedDesCBCBytes,true); -+ -+ -+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.DES_CBC); -+ cipher.initEncrypt(baseKeyDes,new IVParameterSpec(iv8)); -+ ciphertext = cipher.doFinal(derivationData1); -+ displayByteArray(ciphertext,true); -+ -+ if ( ciphertext.length != encryptedDesCBCBytes.length ) { -+ System.out.println("FAILED: encrypted data length not equal to derived key length."); -+ } else { -+ for ( int i = 0; i < ciphertext.length ; i ++) { -+ ciphertext[i]&=0xfe; -+ encryptedDesCBCBytes[i]&=0xfe; -+ } -+ if ( Arrays.equals(ciphertext, encryptedDesCBCBytes)) { -+ System.out.println("PASSED: derived key the same as encrypted data."); -+ } else { -+ -+ System.out.println("FAILED: derived key not the same as encrypted data."); -+ } -+ } -+ -+ /*****************************************************************************************************/ -+ -+ System.out.println("\n Mechanism CKM_DES3_CBC_ENCRYPT_DATA test. 
\n"); -+ -+ SymmetricKeyDeriver encryptDes3CBC = token.getSymmetricKeyDeriver(); -+ -+ encryptDes3CBC.initDerive( -+ baseKey, /* PKCS11Constants.CKM_DES3_CBC_ENCRYPT_DATA */ 4355L ,derivationData16 ,iv8, -+ PKCS11Constants.CKM_DES3_CBC, PKCS11Constants.CKA_DERIVE,(long) 16); -+ -+ -+ SymmetricKey encryptedDes3CBC = encryptDes3CBC.derive(); -+ -+ if ( encryptedDes3CBC == null) { -+ System.out.println("Failed to derive 16 bytes from encrypted derivation data."); -+ } -+ -+ byte[] encryptedDes3CBCBytes = encryptedDes3CBC.getEncoded(); -+ -+ System.out.println("derived encrypted 16 bytes: " + encryptedDes3CBCBytes.length); -+ displayByteArray(encryptedDes3CBCBytes,true); -+ -+ -+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.DES3_CBC); -+ cipher.initEncrypt(baseKey,new IVParameterSpec(iv8)); -+ ciphertext = cipher.doFinal(derivationData16); -+ displayByteArray(ciphertext,true); -+ -+ if ( ciphertext.length != encryptedDes3CBCBytes.length ) { -+ System.out.println("FAILED: encrypted data length not equal to derived key length."); -+ } else { -+ for ( int i = 0; i < ciphertext.length ; i ++) { -+ ciphertext[i]&=0xfe; -+ encryptedDes3CBCBytes[i]&=0xfe; -+ } -+ if ( Arrays.equals(ciphertext, encryptedDes3CBCBytes)) { -+ System.out.println("PASSED: derived key the same as encrypted data."); -+ } else { -+ -+ System.out.println("FAILED: derived key not the same as encrypted data."); -+ } -+ } -+ -+ /*****************************************************************************************************/ -+ -+ System.out.println("\n Mechanism CKM_AES_ECB_ENCRYPT_DATA test. 
\n"); -+ -+ SymmetricKeyDeriver encryptAESECB = token.getSymmetricKeyDeriver(); -+ -+ //System.in.read(); -+ encryptAESECB.initDerive( -+ baseKeyAES, /* PKCS11Constants.CKM_AES_ECB_ENCRYPT_DATA */ 4356L ,derivationData16 ,null, -+ PKCS11Constants.CKM_AES_ECB, PKCS11Constants.CKA_DERIVE,(long) 16); -+ -+ -+ SymmetricKey encryptedAESECB = encryptAESECB.derive(); -+ -+ if ( encryptedAESECB == null) { -+ System.out.println("Failed to derive 16 bytes from encrypted derivation data."); -+ } -+ -+ byte[] encryptedAESECBBytes = encryptedAESECB.getEncoded(); -+ -+ System.out.println("derived encrypted 16 bytes: " + encryptedAESECBBytes.length); -+ displayByteArray(encryptedAESECBBytes,true); -+ -+ -+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.AES_128_ECB); -+ cipher.initEncrypt(baseKeyAES); -+ ciphertext = cipher.doFinal(derivationData16); -+ displayByteArray(ciphertext,true); -+ -+ if ( ciphertext.length != encryptedAESECBBytes.length ) { -+ System.out.println("FAILED: encrypted data length not equal to derived key length."); -+ } else { -+ for ( int i = 0; i < ciphertext.length ; i ++) { -+ ciphertext[i]&=0xfe; -+ encryptedAESECBBytes[i]&=0xfe; -+ } -+ if ( Arrays.equals(ciphertext, encryptedAESECBBytes)) { -+ System.out.println("PASSED: derived key the same as encrypted data."); -+ } else { -+ -+ System.out.println("FAILED: derived key not the same as encrypted data."); -+ } -+ } -+ -+ -+ /*****************************************************************************************************/ -+ -+ System.out.println("\n Mechanism CKM_AES_CBC_ENCRYPT_DATA test. 
\n"); -+ -+ SymmetricKeyDeriver encryptAESCBC= token.getSymmetricKeyDeriver(); -+ -+ //System.in.read(); -+ encryptAESCBC.initDerive( -+ baseKeyAES, /* PKCS11Constants.CKM_AES_CBC_ENCRYPT_DATA */ 4357L ,derivationData16 ,iv16, -+ PKCS11Constants.CKM_AES_CBC, PKCS11Constants.CKA_DERIVE,(long) 16); -+ -+ -+ SymmetricKey encryptedAESCBC = encryptAESCBC.derive(); -+ -+ if ( encryptedAESCBC == null) { -+ System.out.println("Failed to derive 16 bytes from encrypted derivation data."); -+ } -+ -+ byte[] encryptedAESCBCBytes = encryptedAESCBC.getEncoded(); -+ -+ System.out.println("derived encrypted 16 bytes: " + encryptedAESCBCBytes.length); -+ displayByteArray(encryptedAESCBCBytes,true); -+ -+ -+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.AES_128_CBC); -+ cipher.initEncrypt(baseKeyAES,new IVParameterSpec(iv16)); -+ ciphertext = cipher.doFinal(derivationData16); -+ displayByteArray(ciphertext,true); -+ -+ if ( ciphertext.length != encryptedAESCBCBytes.length ) { -+ System.out.println("FAILED: encrypted data length not equal to derived key length."); -+ } else { -+ for ( int i = 0; i < ciphertext.length ; i ++) { -+ ciphertext[i]&=0xfe; -+ encryptedAESCBCBytes[i]&=0xfe; -+ } -+ if ( Arrays.equals(ciphertext, encryptedAESCBCBytes)) { -+ System.out.println("PASSED: derived key the same as encrypted data."); -+ } else { -+ -+ System.out.println("FAILED: derived key not the same as encrypted data."); -+ } -+ } -+ -+ // get vector of symkeys -+ -+ Enumeration ect = null; -+ ect = (Enumeration) cm.getAllTokens(); -+ CryptoToken ct = null; //ct = cm.getTokenByName("ePass Token"); -+ while (ect.hasMoreElements()) -+ { -+ ct = ect.nextElement(); -+ System.out.println("CryptoToken.name= " + ct.getName()); -+ } -+ -+ SymmetricKey[] keys = keyToken.getCryptoStore().getSymmetricKeys(); -+ -+ SymmetricKey macKey = getSymKeyByName(keys, "defKeySet-macKey"); -+ -+ System.out.println("macKey: " + macKey); -+ -+ } catch(Exception e) { -+ e.printStackTrace(); -+ } -+ } -+ -+ 
public static void -+ displayByteArray(byte[] ba, boolean has_check_sum) { -+ char mask = 0xff; -+ -+ if ( has_check_sum == true ) -+ mask = 0xfe; -+ -+ for(int i=0; i < ba.length; i++) { -+ -+ System.out.print( Integer.toHexString(ba[i]&mask) + " " ); -+ if( (i % 26) == 25 ) { -+ System.out.println(""); -+ } -+ } -+ System.out.println(""); -+ } -+ -+ public static byte[] longToBytes(long x) { -+ ByteBuffer buffer = ByteBuffer.allocate(8); -+ buffer.putLong(x); -+ return buffer.array(); -+ } -+ -+ public static byte[] concatByteArrays(byte[] a, byte[] b) { -+ byte[] result = new byte[a.length + b.length]; -+ System.arraycopy(a, 0, result, 0, a.length); -+ System.arraycopy(b, 0, result, a.length, b.length); -+ return result; -+ } -+ -+ public static SymmetricKey getSymKeyByName( SymmetricKey[] keys, String name) { -+ if ( keys == null || name == null ) { -+ return null; -+ } -+ -+ int len = keys.length; -+ for(int i = 0 ; i < len ; i++ ) { -+ SymmetricKey cur = keys[i]; -+ if ( cur != null ) { -+ if( name.equals(cur.getNickName())) { -+ System.out.println("Found key: " + name + "\n"); -+ return cur; -+ } -+ } -+ } -+ -+ return null; -+ } -+} -diff -up ./mozilla/security/jss/org/mozilla/jss/util/java_ids.h.jmagne ./mozilla/security/jss/org/mozilla/jss/util/java_ids.h ---- ./mozilla/security/jss/org/mozilla/jss/util/java_ids.h.jmagne 2016-04-14 16:34:36.729287416 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2016-04-14 16:34:45.608226163 -0700 -@@ -243,6 +243,7 @@ PR_BEGIN_EXTERN_C - */ - #define PK11SYMKEY_CLASS_NAME "org/mozilla/jss/pkcs11/PK11SymKey" - #define PK11SYMKEY_CONSTRUCTOR_SIG "([B)V" -+#define PK11SYMKEY_CONSTRUCTOR_1_SIG "([BLjava/lang/String;)V" - - /* - * PK11Token diff --git a/jss-undo-BadPaddingException-deprecation.patch b/jss-undo-BadPaddingException-deprecation.patch deleted file mode 100644 index 1b372a7..0000000 --- a/jss-undo-BadPaddingException-deprecation.patch +++ /dev/null 
@@ -1,13 +0,0 @@
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java 2004-04-25 08:02:21.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java 2012-03-30 16:17:30.748371000 -0700
-@@ -35,9 +35,6 @@
- * ***** END LICENSE BLOCK ***** */
- package org.mozilla.jss.crypto;
-
--/**
-- * @deprecated Use javax.crypto.BadPaddingException.
-- */
- public class BadPaddingException extends Exception {
- public BadPaddingException() {
- super();
diff --git a/jss-undo-JCA-deprecations.patch b/jss-undo-JCA-deprecations.patch
deleted file mode 100644
index a51c51a..0000000
--- a/jss-undo-JCA-deprecations.patch
+++ /dev/null
@@ -1,171 +0,0 @@ -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2012-03-20 16:30:26.570338000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2012-03-20 16:39:59.083196000 -0700 -@@ -49,7 +49,6 @@ import org.mozilla.jss.util.Assert; - * it is not necessary to call update if all of the data is - * available at once. In this case, all of the input can be processed with one - * call to doFinal. -- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher}) - */ - public abstract class Cipher { - -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2012-03-20 16:30:26.587338000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2012-03-20 16:41:54.792964000 -0700 -@@ -60,7 +60,6 @@ public interface CryptoToken { - * @param algorithm The algorithm used for the signing/verification. - * @exception java.security.NoSuchAlgorithmException If the given - * algorithm is not supported by this provider. -- * @deprecated Use the JCA interface instead ({@link java.security.Signature}) - */ - public abstract org.mozilla.jss.crypto.Signature - getSignatureContext(SignatureAlgorithm algorithm) -@@ -73,7 +72,6 @@ public interface CryptoToken { - * @param algorithm The algorithm used for digesting. - * @exception java.security.NoSuchAlgorithmException If this provider - * does not support the given algorithm. 
-- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest}) - */ - public abstract JSSMessageDigest - getDigestContext(DigestAlgorithm algorithm) -@@ -89,15 +87,11 @@ public interface CryptoToken { - * @param algorithm The algorithm used for encryption/decryption. - * @exception java.security.NoSuchAlgorithmException If this provider - * does not support the given algorithm. -- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher}) - */ - public abstract Cipher - getCipherContext(EncryptionAlgorithm algorithm) - throws java.security.NoSuchAlgorithmException, TokenException; - -- /** -- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher}) -- */ - public abstract KeyWrapper - getKeyWrapper(KeyWrapAlgorithm algorithm) - throws java.security.NoSuchAlgorithmException, TokenException; -@@ -123,7 +117,6 @@ public interface CryptoToken { - * @param algorithm The algorithm that the keys will be used with. - * @exception java.security.NoSuchAlgorithmException If this token does not - * support the given algorithm. -- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator}) - */ - public abstract KeyGenerator - getKeyGenerator(KeyGenAlgorithm algorithm) -@@ -136,7 +129,6 @@ public interface CryptoToken { - * cannot be extracted from the current token. - * @exception InvalidKeyException If the owning token cannot process - * the key to be cloned. -- * @deprecated Use the JCA interface instead ({@link javax.crypto.SecretKeyFactory}) - */ - public SymmetricKey cloneKey(SymmetricKey key) - throws SymmetricKey.NotExtractableException, -@@ -151,7 +143,6 @@ public interface CryptoToken { - * DSA, EC, etc.) - * @exception java.security.NoSuchAlgorithmException If this token does - * not support the given algorithm. 
-- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator}) - */ - public abstract KeyPairGenerator - getKeyPairGenerator(KeyPairAlgorithm algorithm) -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2012-03-20 16:30:26.595338000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2012-03-20 16:38:31.987370000 -0700 -@@ -41,7 +41,6 @@ import java.security.InvalidKeyException - - /** - * A class for performing message digesting (hashing) and MAC operations. -- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest}) - */ - public abstract class JSSMessageDigest { - -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java 2004-04-25 08:02:21.000000000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java 2012-03-20 16:39:02.938308000 -0700 -@@ -38,7 +38,6 @@ package org.mozilla.jss.crypto; - - /** - * An interface for secure random numbers. 
-- * @deprecated Use the JCA interface instead ({@link java.security.SecureRandom}) - */ - public interface JSSSecureRandom { - -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java 2005-11-14 14:15:06.000000000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java 2012-03-20 16:39:19.687274000 -0700 -@@ -43,7 +43,6 @@ import java.io.CharConversionException; - - /** - * Generates symmetric keys for encryption and decryption. -- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator}) - */ - public interface KeyGenerator { - -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2012-03-20 16:30:25.755340000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2012-03-20 16:38:03.635426000 -0700 -@@ -49,7 +49,6 @@ import java.security.spec.AlgorithmParam - * keygenOnInternalToken to find out if this is happening. 
- * - * @see org.mozilla.jss.crypto.CryptoToken#getKeyPairGenerator -- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator}) - */ - public class KeyPairGenerator { - -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2004-04-25 08:02:21.000000000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2012-03-20 16:39:40.551232000 -0700 -@@ -40,9 +40,6 @@ import java.security.InvalidAlgorithmPar - import java.security.PublicKey; - import java.security.InvalidKeyException; - --/** -- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher}) -- */ - public interface KeyWrapper { - - public void initWrap(SymmetricKey wrappingKey, -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java 2004-04-25 08:02:21.000000000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java 2012-03-20 16:38:46.468340000 -0700 -@@ -44,7 +44,6 @@ import java.security.spec.AlgorithmParam - * Instances of this class can be obtain from CryptoTokens. 
- * - * @see org.mozilla.jss.crypto.CryptoToken#getSignatureContext -- * @deprecated Use the JCA interface instead ({@link java.security.Signature}) - */ - public class Signature { - -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java 2005-11-23 15:40:26.000000000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java 2012-03-20 16:35:13.653766000 -0700 -@@ -37,15 +37,10 @@ - - /* This program demonstrates how to sign data with keys from JSS - * -- * Most of this code is deprecated look at JCASigTest.java -- * - * The token name can be either the name of a hardware token, or - * one of the internal tokens: - * Internal Crypto Services Token - * Internal Key Storage Token (keys stored in key3.db) -- * -- * @see org.mozilla.jss.tests.JCASigTest -- * @deprecated Use the JCA interface instead - */ - - package org.mozilla.jss.tests; -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl 2007-12-20 10:38:44.000000000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl 2012-03-20 16:36:37.711598000 -0700 -@@ -534,6 +534,10 @@ $testname = "Mozilla-JSS JCA Signature " - $command = "$java -cp $jss_classpath org.mozilla.jss.tests.JCASigTest $testdir $pwfile"; - run_test($testname, $command); - -+$testname = "Mozilla-JSS NSS Signature "; -+$command = "$java -cp $jss_classpath org.mozilla.jss.tests.SigTest $testdir $pwfile"; -+run_test($testname, $command); -+ - $testname = "Secret Decoder Ring"; - $command = "$java -cp $jss_classpath org.mozilla.jss.tests.TestSDR $testdir $pwfile"; - run_test($testname, $command); 
diff --git a/jss-unwrap-AES-sym-keys-on-token.patch b/jss-unwrap-AES-sym-keys-on-token.patch
deleted file mode 100644
index 1a024c7..0000000
--- a/jss-unwrap-AES-sym-keys-on-token.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up ./jss-4.2.6.aes/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.aes ./jss-4.2.6.aes/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
---- ./jss-4.2.6.aes/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.aes 2017-01-03 17:14:57.642278989 -0800
-+++ ./jss-4.2.6.aes/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2017-01-03 17:44:03.220626460 -0800
-@@ -617,7 +617,9 @@ final class PK11KeyWrapper implements Ke
- return EncryptionAlgorithm.DES3_ECB;
- } else if( type == SymmetricKey.RC4 ) {
- return EncryptionAlgorithm.RC4;
-- } else {
-+ } else if( type == SymmetricKey.AES ) {
-+ return EncryptionAlgorithm.AES_128_ECB;
-+ } else {
- Assert._assert( type == SymmetricKey.RC2 );
- return EncryptionAlgorithm.RC2_CBC;
- }
diff --git a/jss-wrapInToken.patch b/jss-wrapInToken.patch
deleted file mode 100644
index 697895f..0000000
--- a/jss-wrapInToken.patch
+++ /dev/null
@@ -1,158 +0,0 @@ -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-10-18 09:16:08.362000000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-10-19 17:55:01.162000000 -0700 -@@ -283,8 +283,9 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - status = PK11_WrapPrivKey(slot, wrapping, toBeWrapped, mech, param, - &wrapped, NULL /* wincx */ ); - if(status != SECSuccess) { -- JSS_throwMsg(env, TOKEN_EXCEPTION, -- "Wrapping operation failed on token"); -+ char err[256] = {0}; -+ PR_snprintf(err, 256, "Wrapping operation failed on token:%d", PR_GetError()); -+ JSS_throwMsg(env, TOKEN_EXCEPTION, err); - goto finish; - } - PR_ASSERT(wrapped.len>0 && wrapped.data!=NULL); -@@ -328,11 +329,15 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - int numAttribs = 0; - CK_TOKEN_INFO tokenInfo; - -+ /* ideal defaults */ - PRBool isSensitive = PR_TRUE; - PRBool isExtractable = PR_FALSE; -- /* special case nethsm*/ -+ -+ /* special case nethsm and lunasa*/ - CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'}; -+ CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'}; - PRBool isNethsm = PR_TRUE; -+ PRBool isLunasa = PR_TRUE; - - if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) { - /* exception was thrown */ -@@ -347,9 +352,17 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - break; - } - } -+ ix = 0; -+ for(ix=0; ix < 4; ix++) { -+ if (tokenInfo.label[ix] != lunasaLabel[ix]) { -+ isLunasa = PR_FALSE; -+ break; -+ } -+ } - - } else { - isNethsm = PR_FALSE; -+ isLunasa = PR_FALSE; - } - - /* get unwrapping key */ -@@ -412,23 +425,25 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - } - keyType = PK11_GetKeyType(keyTypeMech, 0); - -+ /* special case nethsm and lunasa*/ - if( isNethsm ) { - isSensitive = PR_FALSE; - isExtractable = PR_FALSE; -+ } else if ( isLunasa) { -+ 
isSensitive = PR_FALSE; -+ isExtractable = PR_TRUE; - } - --setAttrs: - /* figure out which operations to enable for this key */ - switch (keyType) { - case CKK_RSA: -+ numAttribs = 3; - attribs[0] = CKA_SIGN; - attribs[1] = CKA_SIGN_RECOVER; - attribs[2] = CKA_UNWRAP; - if (isExtractable) { - attribs[3] = CKA_EXTRACTABLE; - numAttribs = 4; -- } else { -- numAttribs = 3; - } - break; - case CKK_DSA: -@@ -459,7 +474,9 @@ setAttrs: - &label, pubValue, token, isSensitive /*sensitive*/, keyType, - attribs, numAttribs, NULL /*wincx*/); - if( privk == NULL ) { -- JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token"); -+ char err[256] = {0}; -+ PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError()); -+ JSS_throwMsg(env, TOKEN_EXCEPTION, err); - goto finish; - } - -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfu 2011-10-18 15:29:50.597000000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2011-10-18 15:49:40.073000000 -0700 -@@ -322,10 +322,13 @@ final class PK11KeyWrapper implements Ke - throw new InvalidKeyException("key to be wrapped is not a "+ - "PKCS #11 key"); - } -+/* NSS is capable of moving keys appropriately, -+ so this call is prematurely bailing - if( ! symKey.getOwningToken().equals(token) ) { - throw new InvalidKeyException("key to be wrapped does not live"+ - " on the same token as the wrapping key"); - } -+*/ - } - - /** -@@ -340,10 +343,13 @@ final class PK11KeyWrapper implements Ke - throw new InvalidKeyException("key to be wrapped is not a "+ - "PKCS #11 key"); - } -+/* NSS is capable of moving keys appropriately, -+ so this call is prematurely bailing - if( ! 
privKey.getOwningToken().equals(token) ) { - throw new InvalidKeyException("key to be wrapped does not live"+ - " on the same token as the wrapping key"); - } -+*/ - } - - /** -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.cfu 2011-10-18 14:34:32.148000000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-10-18 14:35:20.402000000 -0700 -@@ -135,10 +135,13 @@ public final class PK11Token implements - getKeyWrapper(KeyWrapAlgorithm algorithm) - throws NoSuchAlgorithmException, TokenException - { -+/* NSS is capable of finding the right token to do algorithm, -+ so this call is prematurely bailing - if( ! doesAlgorithm(algorithm) ) { - throw new NoSuchAlgorithmException( - algorithm+" is not supported by this token"); - } -+*/ - return new PK11KeyWrapper(this, algorithm); - } - -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.cfu 2011-10-18 09:24:13.796001000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java 2011-10-18 15:41:24.687000000 -0700 -@@ -243,7 +243,7 @@ public class EncryptedPrivateKeyInfo imp - } - - KeyWrapper wrapper = token.getKeyWrapper( -- KeyWrapAlgorithm.DES3_CBC); -+ KeyWrapAlgorithm.DES3_CBC_PAD); - wrapper.initWrap(key, params); - byte encrypted[] = wrapper.wrap(pri); - -@@ -260,6 +260,7 @@ public class EncryptedPrivateKeyInfo imp - return epki; - - } catch (Exception e) { -+ System.out.println("createPBE: exception:"+e.toString()); - Assert.notReached("EncryptedPrivateKeyInfo exception:" - +".createPBE"); - } 
diff --git a/jss.spec b/jss.spec index 0047f4b..900a1ee 100644 --- a/jss.spec +++ b/jss.spec @@ -11,6 +11,7 @@ License: MPLv1.1 or GPLv2+ or LGPLv2+ URL: http://www.mozilla.org/projects/security/pki/jss/ # The source for this package was pulled from upstream's hg. Use the # following commands to generate the tarball: +# # hg clone --rev JSS_4_4_0_RTM https://hg.mozilla.org/projects/jss jss-4.4.0/jss # rm -rf jss-4.4.0/jss/.hg # if the tarball is Beta, set this define in 'org/mozilla/jss/util/jssver.h': @@ -19,9 +20,16 @@ URL: http://www.mozilla.org/projects/security/pki/jss/ # #define JSS_BETA PR_FALSE # tar -czvf jss-4.4.0.tar.gz jss-4.4.0 # -# For now util the JSS_4_4_0_RTM tag is created I actually used: -# hg clone --rev b1c6660e7e71 https://hg.mozilla.org/projects/jss jss-4.4.0/jss -# This is from upstream tip +# For now until the JSS_4_4_0_RTM tag is created I actually used: +# hg clone --rev d48f63b92b05 https://hg.mozilla.org/projects/jss jss-4.4.0/jss +# This is from upstream tip as of Mon, 13 Mar 2017 11:49:51 -0700 +# https://hg.mozilla.org/projects/jss/rev/d48f63b92b0538e47e867122c475cfbc1334f7c9 +# +# Alternatively (if using 'default' hg tip): +# +# hg clone https://hg.mozilla.org/projects/jss +# cd jss +# hg archive --prefix jss-4.4.0/jss/ ../jss-4.4.0.tar.gz # Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/%{name}-%{version}.tar.gz Source1: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/MPL-1.1.txt @@ -114,7 +122,7 @@ cp -p %{SOURCE3} . # jars install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir} -# NOTE: if doing a debug no opt build change xpclass.jar to xpclass_debug.jar +# NOTE: if doing a debug no opt build change xpclass.jar to xpclass_dbg.jar install -m 644 dist/xpclass.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar # We have to use the name libjss4.so because this is dynamically 
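Review bot: The alternative tarball recipe added to the Source0 comment in the second jss.spec hunk (`hg clone https://hg.mozilla.org/projects/jss`, then `hg archive --prefix jss-4.4.0/jss/ ../jss-4.4.0.tar.gz`) names no revision, so it archives whatever `default` tip is when it is run. A tarball built that way cannot be traced back to the changeset this package was actually built from, and it will presumably not match the SHA512 recorded in `sources`. Pinning the archive step to the changeset already cited a few lines above keeps the provenance auditable: `# hg archive --rev d48f63b92b0538e47e867122c475cfbc1334f7c9 --prefix jss-4.4.0/jss/ ../jss-4.4.0.tar.gz`. The first recipe would also be better with that full 40-character hash than with the 12-character prefix `d48f63b92b05`. It would also help to add a comment line saying which of the two recipes produced the uploaded tarball, since they are unlikely to yield byte-identical archives.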
@@ -149,8 +157,8 @@ rm -rf $RPM_BUILD_ROOT %changelog -* Sat Mar 11 2017 Elio Maldonado - 4.4.0-0.1 -- Experimental build to rebase to jss-4.4.0 +* Mon Mar 13 2017 Elio Maldonado - 4.4.0-1 +- Bugzilla Bug #1431937 - Rebase jss to 4.4.0 in Fedora 25+ - ## JSS 4.4.0 includes the following patches ported from downstream: - Mozilla Bugzilla #507536 - Add IPv6 functionality to JSS - Mozilla Bugzilla #1307872 - Expose NSS calls for OCSP settings diff --git a/sources b/sources index a5d5ca3..b607491 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (jss-4.2.6.tar.gz) = 5827c0fd192f0ec52798df2304619367c67366bfe19e8dc7bd0aa882efa6c62afbc5e9ae576d168f9666a9af1de66334995c9411f0f60623e752af5fe1194915 +SHA512 (jss-4.4.0.tar.gz) = 2a3c6c3a5f0b3fe5b0a503a04ce0fa3475e5e79f5f34ab4318384f22c4f0689d183585b861624200143161e4ff5c7a6dead81ed2824e39bd7df74804dbcace21