Rebased to JSS 4.4.3

https://bugzilla.redhat.com/show_bug.cgi?id=1548548
Endi S. Dewata 2018-04-05 22:35:09 +02:00
parent 809f0cc187
commit 657efa4d11
12 changed files with 21 additions and 2354 deletions

.gitignore vendored

@ -3,3 +3,4 @@ jss-4.2.6.tar.gz
/jss-4.4.0.tar.gz
/jss-4.4.1.tar.gz
/jss-4.4.2.tar.gz
/jss-4.4.3.tar.gz


@ -1,196 +0,0 @@
# HG changeset patch
# User Jack Magne <jmagne@redhat.com>
# Date 1504307754 25200
# Fri Sep 01 16:15:54 2017 -0700
# Node ID eec15518fd61f1d988c25b4de589555796f9e65f
# Parent 17d1d7b740ca5777fbcf8ee817a2f26b9c93593a
unwrapping of HMAC-SHA1 secret keys using AES wrapping and unwrapping
cfu on behalf of jmagne
diff -r 17d1d7b740ca -r eec15518fd61 org/mozilla/jss/pkcs11/PK11KeyWrapper.java
--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java Mon May 01 10:39:50 2017 -0700
+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java Fri Sep 01 16:15:54 2017 -0700
@@ -588,6 +588,8 @@
return EncryptionAlgorithm.RC4;
} else if( type == SymmetricKey.AES ) {
return EncryptionAlgorithm.AES_128_ECB;
+ } else if( type == SymmetricKey.SHA1_HMAC) {
+ return HMACAlgorithm.SHA1;
} else {
Assert._assert( type == SymmetricKey.RC2 );
return EncryptionAlgorithm.RC2_CBC;
diff -r 17d1d7b740ca -r eec15518fd61 org/mozilla/jss/pkcs11/PK11MessageDigest.c
--- a/org/mozilla/jss/pkcs11/PK11MessageDigest.c Mon May 01 10:39:50 2017 -0700
+++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.c Fri Sep 01 16:15:54 2017 -0700
@@ -67,19 +67,19 @@
}
/* copy the key, setting the CKA_SIGN attribute */
- /*
+
newKey = PK11_CopySymKeyForSigning(origKey, mech);
+
+ /* For some key on the hsm, this call could fail, but the key may work anyway */
+
if( newKey == NULL ) {
- JSS_throwMsg(env, DIGEST_EXCEPTION,
- "Unable to set CKA_SIGN attribute on symmetric key");
- goto finish;
+ newKey = origKey;
}
- */
param.data = NULL;
param.len = 0;
- context = PK11_CreateContextBySymKey(mech, CKA_SIGN, origKey, &param);
+ context = PK11_CreateContextBySymKey(mech, CKA_SIGN, newKey, &param);
if( context == NULL ) {
JSS_throwMsg(env, DIGEST_EXCEPTION,
"Unable to initialize digest context");
@@ -88,7 +88,7 @@
contextObj = JSS_PK11_wrapCipherContextProxy(env, &context);
finish:
- if(newKey) {
+ if(newKey && (newKey != origKey)) {
/* SymKeys are ref counted, and the context will free it's ref
* when it is destroyed */
PK11_FreeSymKey(newKey);
diff -r 17d1d7b740ca -r eec15518fd61 org/mozilla/jss/tests/HmacTest.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/org/mozilla/jss/tests/HmacTest.java Fri Sep 01 16:15:54 2017 -0700
@@ -0,0 +1,119 @@
+
+package org.mozilla.jss.tests;
+
+
+import java.security.Key;
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.IvParameterSpec;
+
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.CryptoToken;
+import org.mozilla.jss.crypto.SymmetricKey;
+
+
+public class HmacTest {
+
+ private static final String INTERNAL_KEY_STORAGE_TOKEN =
+ new CryptoManager.InitializationValues("").getInternalKeyStorageTokenDescription().trim();
+
+ private static final String NSS_DATABASE_DIR = "sql:data";
+ private static final String PROVIDER = "Mozilla-JSS";
+
+
+ public static void main(String[] args)
+ {
+
+ String algorithm = "hmac-sha1";
+
+ try {
+ configureCrypto(args);
+
+ Mac mac = Mac.getInstance(algorithm, PROVIDER);
+
+ byte[] keyData = new byte[16];
+ Key key = importHmacSha1Key(keyData);
+
+ mac.init(key);
+
+ doHMAC(mac,"Dogtag rules!");
+
+ System.out.println("Done");
+
+ System.exit(0);
+ } catch (Exception e) {
+ System.exit(1);
+ }
+ }
+
+ private static void configureCrypto(String[] args)
+ throws Exception {
+
+ CryptoManager.InitializationValues initializationValues =
+ new CryptoManager.InitializationValues(args[0]);
+
+ CryptoManager.initialize(initializationValues);
+
+ CryptoManager cryptoManager = CryptoManager.getInstance();
+
+ CryptoToken cryptoToken =
+ cryptoManager.getTokenByName(INTERNAL_KEY_STORAGE_TOKEN);
+
+ cryptoManager.setThreadToken(cryptoToken);
+ }
+
+ private static Key importHmacSha1Key(byte[] key)
+ throws Exception {
+
+ final String WRAPPING_ALGORITHM = "AES/CBC/PKCS5Padding";
+
+ Key wrappingKey = getWrappingKey();
+
+ byte[] iv = new byte[16];
+ IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
+
+ Cipher wrappingCipher = Cipher.getInstance(WRAPPING_ALGORITHM, PROVIDER);
+ wrappingCipher.init(Cipher.ENCRYPT_MODE, wrappingKey, ivParameterSpec);
+
+ byte[] wrappedKeyData = wrappingCipher.doFinal(key);
+
+ Cipher unwrappingCipher = Cipher.getInstance(WRAPPING_ALGORITHM, PROVIDER);
+ unwrappingCipher.init(Cipher.UNWRAP_MODE, wrappingKey, ivParameterSpec);
+
+ return (SecretKey) unwrappingCipher.unwrap(wrappedKeyData,
+ SymmetricKey.SHA1_HMAC.toString(),
+ Cipher.SECRET_KEY);
+ }
+
+ private static synchronized Key getWrappingKey()
+ throws Exception {
+
+ final String keyGenAlgorithm = "AES";
+ final int wrappingKeyLength = 256;
+
+ KeyGenerator keyGen = KeyGenerator.getInstance(keyGenAlgorithm, PROVIDER);
+ keyGen.init(wrappingKeyLength);
+ return keyGen.generateKey();
+ }
+
+ public static void doHMAC(Mac mozillaHmac, String clearText)
+ throws Exception {
+ byte[] mozillaHmacOut;
+
+ //Get the Mozilla HMAC
+ mozillaHmacOut = mozillaHmac.doFinal(clearText.getBytes());
+
+ if (mozillaHmacOut.length == mozillaHmac.getMacLength()) {
+ System.out.println(PROVIDER + " supports " +
+ mozillaHmac.getAlgorithm() + " and the output size is " + mozillaHmac.getMacLength());
+ } else {
+ throw new Exception("ERROR: hmac output size is " +
+ mozillaHmacOut.length + ", should be " +
+ mozillaHmac.getMacLength());
+ }
+ }
+
+
+}
diff -r 17d1d7b740ca -r eec15518fd61 org/mozilla/jss/tests/all.pl
--- a/org/mozilla/jss/tests/all.pl Mon May 01 10:39:50 2017 -0700
+++ b/org/mozilla/jss/tests/all.pl Fri Sep 01 16:15:54 2017 -0700
@@ -492,6 +492,10 @@
$command = "$java -cp $jss_classpath org.mozilla.jss.tests.HMACTest $testdir $pwfile";
run_test($testname, $command);
+$testname = "HMAC Unwrap";
+$command = "$java -cp $jss_classpath org.mozilla.jss.tests.HmacTest $testdir $pwfile";
+run_test($testname, $command);
+
$testname = "KeyWrapping ";
$command = "$java -cp $jss_classpath org.mozilla.jss.tests.JCAKeyWrap $testdir $pwfile";
run_test($testname, $command);


@ -1,22 +0,0 @@
# HG changeset patch
# User Jack Magne <jmagne@redhat.com>
# Date 1506640850 25200
# Thu Sep 28 16:20:50 2017 -0700
# Node ID 252c10f448971b7ae087bde259505abd5dc5a03a
# Parent 3e9a5ae2149d04877dc19b117a8917c22854f8eb
Fix: Bug 1400884 - new JSS failures: HMAC Unwrap and KeyWrapping FIPSMODE.
diff --git a/org/mozilla/jss/pkcs11/KeyType.java b/org/mozilla/jss/pkcs11/KeyType.java
--- a/org/mozilla/jss/pkcs11/KeyType.java
+++ b/org/mozilla/jss/pkcs11/KeyType.java
@@ -204,9 +204,7 @@
EncryptionAlgorithm.AES_192_CBC,
EncryptionAlgorithm.AES_256_ECB,
EncryptionAlgorithm.AES_256_CBC,
- /* AES CBC PAD is the same as AES_256_CBC_PAD */
- /* shouldn't break backward compatibility 313798*/
- //EncryptionAlgorithm.AES_CBC_PAD,
+ EncryptionAlgorithm.AES_CBC_PAD,
EncryptionAlgorithm.AES_128_CBC_PAD,
EncryptionAlgorithm.AES_192_CBC_PAD,
EncryptionAlgorithm.AES_256_CBC_PAD


@ -1,680 +0,0 @@
# HG changeset patch
# User "Endi S. Dewata" <edewata@redhat.com>
# Date 1509154719 -7200
# Sat Oct 28 03:38:39 2017 +0200
# Node ID 19a0e2146a929173757e6ccbb61a035ec9426f43
# Parent b1a3c3cc6b3584948d251d3bfcfe6630d8970db5
Added certificate nickname into ObjectNotFoundException message.
The code that generates ObjectNotFoundException has been modified
to include the certificate nickname to help troubleshooting.
https://bugzilla.mozilla.org/show_bug.cgi?id=1408057
diff --git a/org/mozilla/jss/PK11Finder.c b/org/mozilla/jss/PK11Finder.c
--- a/org/mozilla/jss/PK11Finder.c
+++ b/org/mozilla/jss/PK11Finder.c
@@ -54,7 +54,9 @@
cert = JSS_PK11_findCertAndSlotFromNickname(nick, NULL, &slot);
if(cert == NULL) {
- JSS_nativeThrow(env, OBJECT_NOT_FOUND_EXCEPTION);
+ char *message = PR_smprintf("Certificate not found: %s", nick);
+ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, message);
+ PR_smprintf_free(message);
goto finish;
}
@@ -1577,7 +1579,9 @@
cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
if (cert == NULL) {
- JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
+ char *message = PR_smprintf("Certificate not found: %s", nickname);
+ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, message);
+ PR_smprintf_free(message);
goto finish;
} else {
/* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
@@ -1640,7 +1644,9 @@
cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
if (cert == NULL) {
- JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
+ char *message = PR_smprintf("Certificate not found: %s", nickname);
+ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, message);
+ PR_smprintf_free(message);
goto finish;
} else {
/* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
@@ -1801,7 +1807,9 @@
cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
if (cert == NULL) {
- JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
+ char *message = PR_smprintf("Certificate not found: %s", nickname);
+ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, message);
+ PR_smprintf_free(message);
goto finish;
} else {
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert,
# HG changeset patch
# User "Endi S. Dewata" <edewata@redhat.com>
# Date 1509154819 -7200
# Sat Oct 28 03:40:19 2017 +0200
# Node ID 837c79476110ecd4bf6b507faad50edb9eed7e7e
# Parent 19a0e2146a929173757e6ccbb61a035ec9426f43
Reformatted SocketBase.java.
The SocketBase.java has been auto-formatted using Eclipse to
simplify further changes on the file.
https://bugzilla.mozilla.org/show_bug.cgi?id=1408057
diff --git a/org/mozilla/jss/ssl/SocketBase.java b/org/mozilla/jss/ssl/SocketBase.java
--- a/org/mozilla/jss/ssl/SocketBase.java
+++ b/org/mozilla/jss/ssl/SocketBase.java
@@ -27,6 +27,7 @@
int getTimeout() {
return timeout;
}
+
void setTimeout(int timeout) {
this.timeout = timeout;
}
@@ -36,18 +37,17 @@
}
native byte[] socketCreate(Object socketObject,
- SSLCertificateApprovalCallback certApprovalCallback,
- SSLClientCertificateSelectionCallback clientCertSelectionCallback,
- java.net.Socket javaSock, String host,int family)
+ SSLCertificateApprovalCallback certApprovalCallback,
+ SSLClientCertificateSelectionCallback clientCertSelectionCallback,
+ java.net.Socket javaSock, String host, int family)
throws SocketException;
byte[] socketCreate(Object socketObject,
- SSLCertificateApprovalCallback certApprovalCallback,
- SSLClientCertificateSelectionCallback clientCertSelectionCallback, int family)
- throws SocketException
- {
+ SSLCertificateApprovalCallback certApprovalCallback,
+ SSLClientCertificateSelectionCallback clientCertSelectionCallback, int family)
+ throws SocketException {
return socketCreate(socketObject, certApprovalCallback,
- clientCertSelectionCallback, null, null, family);
+ clientCertSelectionCallback, null, null, family);
}
native void socketBind(byte[] addrBA, int port) throws SocketException;
@@ -57,7 +57,7 @@
* safer than copying the values of the C constants, which are subject
* to change, into Java code.
* Note to developer these constants are not all related! i.e. you cannot
- * pass in PR_SHUTDOWN_RCV to setSSLOption etc! Check their usage
+ * pass in PR_SHUTDOWN_RCV to setSSLOption etc! Check their usage
* in NSS and NSPR before using.
*/
static final int SSL_ENABLE_SSL2 = 0;
@@ -73,7 +73,7 @@
static final int SSL_POLICY_DOMESTIC = 10;
static final int SSL_POLICY_EXPORT = 11;
static final int SSL_POLICY_FRANCE = 12;
- static final int SSL_ROLLBACK_DETECTION = 13;
+ static final int SSL_ROLLBACK_DETECTION = 13;
static final int SSL_NO_STEP_DOWN = 14;
static final int SSL_ENABLE_FDX = 15;
static final int SSL_V2_COMPATIBLE_HELLO = 16;
@@ -98,7 +98,7 @@
static final int SSL_Variant_Stream = 33;
static final int SSL_Variant_Datagram = 34;
- static final int SSL_AF_INET = 50;
+ static final int SSL_AF_INET = 50;
static final int SSL_AF_INET6 = 51;
void close() throws IOException {
@@ -106,7 +106,7 @@
}
// SSLServerSocket and SSLSocket close methods
- // have their own synchronization control that
+ // have their own synchronization control that
// protects SocketBase.socketClose.
native void socketClose() throws IOException;
@@ -118,14 +118,13 @@
}
public void requestClientAuthNoExpiryCheck(boolean b)
- throws SocketException
- {
+ throws SocketException {
requestingClientAuth = b;
requestClientAuthNoExpiryCheckNative(b);
}
private native void requestClientAuthNoExpiryCheckNative(boolean b)
- throws SocketException;
+ throws SocketException;
void enableSSL2(boolean enable) throws SocketException {
setSSLOption(SSL_ENABLE_SSL2, enable);
@@ -144,8 +143,7 @@
}
void enableRenegotiation(int mode)
- throws SocketException
- {
+ throws SocketException {
setSSLOptionMode(SocketBase.SSL_ENABLE_RENEGOTIATION, mode);
}
@@ -168,23 +166,21 @@
void enableV2CompatibleHello(boolean enable) throws SocketException {
setSSLOption(SSL_V2_COMPATIBLE_HELLO, enable);
}
-
+
void setSSLOption(int option, boolean on)
- throws SocketException
- {
+ throws SocketException {
setSSLOption(option, on ? 1 : 0);
}
- /**
- * Sets SSL options for this socket that have simple
+ /**
+ * Sets SSL options for this socket that have simple
* enable/disable values.
*/
native void setSSLOption(int option, int on)
- throws SocketException;
+ throws SocketException;
void setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range)
- throws SocketException
- {
+ throws SocketException {
setSSLVersionRange(range.getMinEnum(), range.getMaxEnum());
}
@@ -192,93 +188,101 @@
* Sets SSL Version Range for this socket to support TLS v1.1 and v1.2
*/
native void setSSLVersionRange(int min, int max)
- throws SocketException;
+ throws SocketException;
- /**
+ /**
* Sets the SSL option setting mode value use for options
* that have more values than just enable/disable.
*/
native void setSSLOptionMode(int option, int option2)
- throws SocketException;
+ throws SocketException;
-
/* return 0 for option disabled 1 for option enabled. */
native int getSSLOption(int option)
- throws SocketException;
-
+ throws SocketException;
+
public String getSSLOptions() {
StringBuffer buf = new StringBuffer();
try {
buf.append("SSL Options configured for this SSLSocket:");
- buf.append("\nSSL_ENABLE_SSL2" +
- ((getSSLOption(SocketBase.SSL_ENABLE_SSL2) != 0)
- ? "=on" : "=off"));
- buf.append("\nSSL_ENABLE_SSL3" +
- ((getSSLOption(SocketBase.SSL_ENABLE_SSL3) != 0)
- ? "=on" : "=off"));
- buf.append("\nSSL_ENABLE_TLS" +
- ((getSSLOption(SocketBase.SSL_ENABLE_TLS) != 0)
- ? "=on" : "=off"));
- buf.append("\nSSL_REQUIRE_CERTIFICATE");
+ buf.append("\nSSL_ENABLE_SSL2" +
+ ((getSSLOption(SocketBase.SSL_ENABLE_SSL2) != 0)
+ ? "=on"
+ : "=off"));
+ buf.append("\nSSL_ENABLE_SSL3" +
+ ((getSSLOption(SocketBase.SSL_ENABLE_SSL3) != 0)
+ ? "=on"
+ : "=off"));
+ buf.append("\nSSL_ENABLE_TLS" +
+ ((getSSLOption(SocketBase.SSL_ENABLE_TLS) != 0)
+ ? "=on"
+ : "=off"));
+ buf.append("\nSSL_REQUIRE_CERTIFICATE");
switch (getSSLOption(SocketBase.SSL_REQUIRE_CERTIFICATE)) {
- case 0:
- buf.append("=Never");
- break;
- case 1:
- buf.append("=Always");
- break;
- case 2:
- buf.append("=First Handshake");
- break;
- case 3:
- buf.append("=No Error");
- break;
- default:
- buf.append("=Report JSS Bug this option has a status.");
- break;
+ case 0:
+ buf.append("=Never");
+ break;
+ case 1:
+ buf.append("=Always");
+ break;
+ case 2:
+ buf.append("=First Handshake");
+ break;
+ case 3:
+ buf.append("=No Error");
+ break;
+ default:
+ buf.append("=Report JSS Bug this option has a status.");
+ break;
} //end switch
- buf.append("\nSSL_REQUEST_CERTIFICATE" +
- ((getSSLOption(SocketBase.SSL_REQUEST_CERTIFICATE) != 0)
- ? "=on" : "=off"));
- buf.append("\nSSL_NO_CACHE" +
- ((getSSLOption(SocketBase.SSL_NO_CACHE) != 0)
- ? "=on" : "=off"));
- buf.append("\nSSL_ROLLBACK_DETECTION" +
- ((getSSLOption(SocketBase.SSL_ROLLBACK_DETECTION) != 0)
- ? "=on" : "=off"));
- buf.append("\nSSL_NO_STEP_DOWN" +
- ((getSSLOption(SocketBase.SSL_NO_STEP_DOWN) != 0)
- ? "=on" : "=off"));
- buf.append("\nSSL_ENABLE_FDX" +
- ((getSSLOption(SocketBase.SSL_ENABLE_FDX) != 0)
- ? "=on" : "=off"));
- buf.append("\nSSL_V2_COMPATIBLE_HELLO" +
- ((getSSLOption(SocketBase.SSL_V2_COMPATIBLE_HELLO) != 0)
- ? "=on" : "=off"));
- buf.append("\nSSL_ENABLE_SESSION_TICKETS" +
- ((getSSLOption(SocketBase.SSL_ENABLE_SESSION_TICKETS)
- != 0) ? "=on" : "=off"));
+ buf.append("\nSSL_REQUEST_CERTIFICATE" +
+ ((getSSLOption(SocketBase.SSL_REQUEST_CERTIFICATE) != 0)
+ ? "=on"
+ : "=off"));
+ buf.append("\nSSL_NO_CACHE" +
+ ((getSSLOption(SocketBase.SSL_NO_CACHE) != 0)
+ ? "=on"
+ : "=off"));
+ buf.append("\nSSL_ROLLBACK_DETECTION" +
+ ((getSSLOption(SocketBase.SSL_ROLLBACK_DETECTION) != 0)
+ ? "=on"
+ : "=off"));
+ buf.append("\nSSL_NO_STEP_DOWN" +
+ ((getSSLOption(SocketBase.SSL_NO_STEP_DOWN) != 0)
+ ? "=on"
+ : "=off"));
+ buf.append("\nSSL_ENABLE_FDX" +
+ ((getSSLOption(SocketBase.SSL_ENABLE_FDX) != 0)
+ ? "=on"
+ : "=off"));
+ buf.append("\nSSL_V2_COMPATIBLE_HELLO" +
+ ((getSSLOption(SocketBase.SSL_V2_COMPATIBLE_HELLO) != 0)
+ ? "=on"
+ : "=off"));
+ buf.append("\nSSL_ENABLE_SESSION_TICKETS" +
+ ((getSSLOption(SocketBase.SSL_ENABLE_SESSION_TICKETS) != 0) ? "=on" : "=off"));
buf.append("\nSSL_ENABLE_RENEGOTIATION");
switch (getSSLOption(SocketBase.SSL_ENABLE_RENEGOTIATION)) {
- case 0:
- buf.append("=SSL_RENEGOTIATE_NEVER");
- break;
- case 1:
- buf.append("=SSL_RENEGOTIATE_UNRESTRICTED");
- break;
- case 2:
- buf.append("=SSL_RENEGOTIATE_REQUIRES_XTN");
- break;
- case 3:
- buf.append("=SSL_RENEGOTIATE_TRANSITIONAL");
- break;
- default:
- buf.append("=Report JSS Bug this option has a status.");
- break;
+ case 0:
+ buf.append("=SSL_RENEGOTIATE_NEVER");
+ break;
+ case 1:
+ buf.append("=SSL_RENEGOTIATE_UNRESTRICTED");
+ break;
+ case 2:
+ buf.append("=SSL_RENEGOTIATE_REQUIRES_XTN");
+ break;
+ case 3:
+ buf.append("=SSL_RENEGOTIATE_TRANSITIONAL");
+ break;
+ default:
+ buf.append("=Report JSS Bug this option has a status.");
+ break;
} //end switch
- buf.append("\nSSL_REQUIRE_SAFE_NEGOTIATION" +
- ((getSSLOption(SocketBase.SSL_REQUIRE_SAFE_NEGOTIATION) != 0)
- ? "=on" : "=off"));
+ buf.append("\nSSL_REQUIRE_SAFE_NEGOTIATION" +
+ ((getSSLOption(SocketBase.SSL_REQUIRE_SAFE_NEGOTIATION) != 0)
+ ? "=on"
+ : "=off"));
} catch (SocketException e) {
buf.append("\ngetSSLOptions exception " + e.getMessage());
@@ -292,19 +296,18 @@
* of construction than getByName(), and it is final.
*
* @return The InetAddress corresponding to the given integer,
- * or <tt>null</tt> if the InetAddress could not be constructed.
+ * or <tt>null</tt> if the InetAddress could not be constructed.
*/
- private static InetAddress
- convertIntToInetAddress(int intAddr) {
+ private static InetAddress convertIntToInetAddress(int intAddr) {
InetAddress in;
int[] addr = new int[4];
addr[0] = ((intAddr >>> 24) & 0xff);
addr[1] = ((intAddr >>> 16) & 0xff);
- addr[2] = ((intAddr >>> 8) & 0xff);
- addr[3] = ((intAddr ) & 0xff);
+ addr[2] = ((intAddr >>> 8) & 0xff);
+ addr[3] = ((intAddr) & 0xff);
try {
in = InetAddress.getByName(
- addr[0] + "." + addr[1] + "." + addr[2] + "." + addr[3] );
+ addr[0] + "." + addr[1] + "." + addr[2] + "." + addr[3]);
} catch (java.net.UnknownHostException e) {
in = null;
}
@@ -312,12 +315,13 @@
}
private native byte[] getLocalAddressByteArrayNative() throws SocketException;
+
private native byte[] getPeerAddressByteArrayNative() throws SocketException;
+
/**
* @return the InetAddress of the peer end of the socket.
*/
- InetAddress getInetAddress()
- {
+ InetAddress getInetAddress() {
try {
byte[] address = getPeerAddressByteArrayNative();
@@ -326,14 +330,15 @@
try {
iAddr = InetAddress.getByAddress(address);
- } catch(UnknownHostException e) {
+ } catch (UnknownHostException e) {
}
return iAddr;
- } catch(SocketException e) {
+ } catch (SocketException e) {
return null;
}
}
+
private native int getPeerAddressNative() throws SocketException;
/**
@@ -348,20 +353,21 @@
try {
lAddr = InetAddress.getByAddress(address);
- } catch(UnknownHostException e) {
+ } catch (UnknownHostException e) {
}
return lAddr;
- } catch(SocketException e) {
+ } catch (SocketException e) {
return null;
}
}
+
private native int getLocalAddressNative() throws SocketException;
public int getLocalPort() {
try {
return getLocalPortNative();
- } catch(SocketException e) {
+ } catch (SocketException e) {
return 0;
}
}
@@ -369,18 +375,16 @@
private native int getLocalPortNative() throws SocketException;
void requireClientAuth(boolean require, boolean onRedo)
- throws SocketException
- {
- if( require && !requestingClientAuth ) {
+ throws SocketException {
+ if (require && !requestingClientAuth) {
requestClientAuth(true);
}
setSSLOption(SSL_REQUIRE_CERTIFICATE, require ? (onRedo ? 1 : 2) : 0);
}
void requireClientAuth(int mode)
- throws SocketException
- {
- if(mode > 0 && !requestingClientAuth ) {
+ throws SocketException {
+ if (mode > 0 && !requestingClientAuth) {
requestClientAuth(true);
}
setSSLOptionMode(SocketBase.SSL_REQUIRE_CERTIFICATE, mode);
@@ -390,52 +394,52 @@
* Sets the nickname of the certificate to use for client authentication.
*/
public void setClientCertNickname(String nick) throws SocketException {
- try {
- setClientCert( CryptoManager.getInstance().findCertByNickname(nick) );
- } catch(CryptoManager.NotInitializedException nie) {
- throw new SocketException("CryptoManager not initialized");
- } catch(ObjectNotFoundException onfe) {
- throw new SocketException("Object not found: " + onfe);
- } catch(TokenException te) {
- throw new SocketException("Token Exception: " + te);
- }
+ try {
+ setClientCert(CryptoManager.getInstance().findCertByNickname(nick));
+ } catch (CryptoManager.NotInitializedException nie) {
+ throw new SocketException("CryptoManager not initialized");
+ } catch (ObjectNotFoundException onfe) {
+ throw new SocketException("Object not found: " + onfe);
+ } catch (TokenException te) {
+ throw new SocketException("Token Exception: " + te);
+ }
}
native void setClientCert(org.mozilla.jss.crypto.X509Certificate cert)
- throws SocketException;
+ throws SocketException;
void useCache(boolean b) throws SocketException {
setSSLOption(SSL_NO_CACHE, !b);
}
static Throwable processExceptions(Throwable topException,
- Throwable bottomException)
- {
- try {
- StringBuffer strBuf;
- strBuf = new StringBuffer( topException.toString() );
+ Throwable bottomException) {
+ try {
+ StringBuffer strBuf;
+ strBuf = new StringBuffer(topException.toString());
- if( bottomException != null ) {
- strBuf.append(" --> ");
- strBuf.append( bottomException.toString() );
+ if (bottomException != null) {
+ strBuf.append(" --> ");
+ strBuf.append(bottomException.toString());
+ }
+
+ Class excepClass = topException.getClass();
+ Class stringClass = java.lang.String.class;
+ Constructor cons = excepClass.getConstructor(new Class[] { stringClass });
+
+ return (Throwable) cons.newInstance(new Object[] { strBuf.toString() });
+ } catch (Exception e) {
+ Assert.notReached("Problem constructing exception container");
+ return topException;
}
-
- Class excepClass = topException.getClass();
- Class stringClass = java.lang.String.class;
- Constructor cons = excepClass.getConstructor(new Class[] {stringClass});
-
- return (Throwable) cons.newInstance(new Object[] { strBuf.toString() });
- } catch(Exception e ) {
- Assert.notReached("Problem constructing exception container");
- return topException;
- }
}
static private int supportsIPV6 = -1;
+
static boolean supportsIPV6() {
- if(supportsIPV6 >= 0) {
- if(supportsIPV6 > 0) {
+ if (supportsIPV6 >= 0) {
+ if (supportsIPV6 > 0) {
return true;
} else {
return false;
@@ -444,28 +448,25 @@
Enumeration netInter;
try {
- netInter = NetworkInterface.getNetworkInterfaces();
- } catch (SocketException e) {
+ netInter = NetworkInterface.getNetworkInterfaces();
+ } catch (SocketException e) {
- return false;
+ return false;
}
- while ( netInter.hasMoreElements() )
- {
- NetworkInterface ni = (NetworkInterface)netInter.nextElement();
+ while (netInter.hasMoreElements()) {
+ NetworkInterface ni = (NetworkInterface) netInter.nextElement();
Enumeration addrs = ni.getInetAddresses();
- while ( addrs.hasMoreElements() )
- {
- Object o = addrs.nextElement();
- if ( o.getClass() == InetAddress.class ||
- o.getClass() == Inet4Address.class ||
- o.getClass() == Inet6Address.class )
- {
- InetAddress iaddr = (InetAddress) o;
- if(o.getClass() == Inet6Address.class) {
- supportsIPV6 = 1;
- return true;
- }
- }
+ while (addrs.hasMoreElements()) {
+ Object o = addrs.nextElement();
+ if (o.getClass() == InetAddress.class ||
+ o.getClass() == Inet4Address.class ||
+ o.getClass() == Inet6Address.class) {
+ InetAddress iaddr = (InetAddress) o;
+ if (o.getClass() == Inet6Address.class) {
+ supportsIPV6 = 1;
+ return true;
+ }
+ }
}
}
supportsIPV6 = 0;
# HG changeset patch
# User "Endi S. Dewata" <edewata@redhat.com>
# Date 1509154824 -7200
# Sat Oct 28 03:40:24 2017 +0200
# Node ID ca2c2fcfaf207f87c3c69e493f2b30fd0a088e95
# Parent 837c79476110ecd4bf6b507faad50edb9eed7e7e
Fixed SocketBase.setClientCertNickname() exception handling.
Previously the SocketBase.setClientCertNickname() would catch
the original exception and throw a SocketException instead.
The original stack trace was lost since SocketException does not
support chaining.
The code has been modified to throw a RuntimeException instead
and chain the original exception. This way the original stack
trace can be preserved to help troubleshooting.
https://bugzilla.mozilla.org/show_bug.cgi?id=1408057
diff --git a/org/mozilla/jss/ssl/SocketBase.java b/org/mozilla/jss/ssl/SocketBase.java
--- a/org/mozilla/jss/ssl/SocketBase.java
+++ b/org/mozilla/jss/ssl/SocketBase.java
@@ -4,17 +4,21 @@
package org.mozilla.jss.ssl;
-import java.net.*;
+import java.io.IOException;
+import java.lang.reflect.Constructor;
+import java.net.Inet4Address;
+import java.net.Inet6Address;
+import java.net.InetAddress;
+import java.net.NetworkInterface;
import java.net.SocketException;
-import java.io.*;
-import java.io.IOException;
-import java.util.Vector;
+import java.net.UnknownHostException;
import java.util.Enumeration;
-import java.lang.reflect.Constructor;
-import org.mozilla.jss.util.Assert;
+
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.ObjectNotFoundException;
import org.mozilla.jss.crypto.TokenException;
+import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.util.Assert;
class SocketBase {
@@ -395,13 +399,18 @@
*/
public void setClientCertNickname(String nick) throws SocketException {
try {
- setClientCert(CryptoManager.getInstance().findCertByNickname(nick));
+ CryptoManager cm = CryptoManager.getInstance();
+ X509Certificate cert = cm.findCertByNickname(nick);
+ setClientCert(cert);
+
} catch (CryptoManager.NotInitializedException nie) {
- throw new SocketException("CryptoManager not initialized");
+ throw new RuntimeException(nie);
+
} catch (ObjectNotFoundException onfe) {
- throw new SocketException("Object not found: " + onfe);
+ throw new RuntimeException(onfe);
+
} catch (TokenException te) {
- throw new SocketException("Token Exception: " + te);
+ throw new RuntimeException(te);
}
}


@ -1,620 +0,0 @@
# HG changeset patch
# User Fraser Tweedale<ftweedale@redhat.com>
# Date 1504894163 25200
# Fri Sep 08 11:09:23 2017 -0700
# Node ID 3629b598a9ce73e83c7896407e3ca820f6383750
# Parent eec15518fd61f1d988c25b4de589555796f9e65f
Bug 1370778 PBE and padded block cipher enhancements and fixes -
patch jss-ftweedal-0006-PBEKeyGenParams-allow-specifying-encryption-algorith.patch
Allow specifying an target encryption algorithm in PBEKeyGenParams;
if the PBE algorithm does not imply a particular cipher, this is needed
to determine the size of the key to generate
cfu for ftweedale
diff -r eec15518fd61 -r 3629b598a9ce org/mozilla/jss/crypto/PBEKeyGenParams.java
--- a/org/mozilla/jss/crypto/PBEKeyGenParams.java Fri Sep 01 16:15:54 2017 -0700
+++ b/org/mozilla/jss/crypto/PBEKeyGenParams.java Fri Sep 08 11:09:23 2017 -0700
@@ -13,6 +13,7 @@
private Password pass;
private byte[] salt;
private int iterations;
+ private EncryptionAlgorithm encryptionAlgorithm = EncryptionAlgorithm.DES3_CBC;
private PBEKeyGenParams() { }
@@ -40,7 +41,8 @@
}
/**
- * Creates PBE parameters.
+ * Creates PBE parameters using default encryption algorithm
+ * (DES3_EDE3_CBC).
*
* @param pass The password. It will be cloned, so the
* caller is still responsible for clearing it. It must not be null.
@@ -60,6 +62,33 @@
}
/**
+ * Creates PBE parameters using default encryption algorithm
+ * (DES3_EDE3_CBC).
+ *
+ * @param pass The password. It will be cloned, so the
+ * caller is still responsible for clearing it. It must not be null.
+ * @param salt The salt for the PBE algorithm. Will <b>not</b> be cloned.
+ * Must not be null. It is the responsibility of the caller to
+ * use the right salt length for the algorithm. Most algorithms
+ * use 8 bytes of salt.
+ * @param iterations The iteration count for the PBE algorithm.
+ * @param encAlg The encryption algorithm. This is used with SOME
+ * PBE algorithms for determining the KDF output length.
+ */
+ public PBEKeyGenParams(
+ char[] pass, byte[] salt, int iterations,
+ EncryptionAlgorithm encAlg) {
+ if (pass == null || salt == null) {
+ throw new NullPointerException();
+ }
+ this.pass = new Password((char[]) pass.clone());
+ this.salt = salt;
+ this.iterations = iterations;
+ if (encAlg != null)
+ this.encryptionAlgorithm = encAlg;
+ }
+
+ /**
* Returns a <b>reference</b> to the password, not a copy.
*/
public Password getPassword() {
@@ -81,6 +110,14 @@
}
/**
+ * The encryption algorithm is used with SOME PBE algorithms for
+ * determining the KDF output length.
+ */
+ public EncryptionAlgorithm getEncryptionAlgorithm() {
+ return encryptionAlgorithm;
+ }
+
+ /**
* Clears the password. This should be called when this object is no
* longer needed so the password is not left around in memory.
*/
diff -r eec15518fd61 -r 3629b598a9ce org/mozilla/jss/pkcs11/PK11KeyGenerator.c
--- a/org/mozilla/jss/pkcs11/PK11KeyGenerator.c Fri Sep 01 16:15:54 2017 -0700
+++ b/org/mozilla/jss/pkcs11/PK11KeyGenerator.c Fri Sep 08 11:09:23 2017 -0700
@@ -246,9 +246,9 @@
*
*/
JNIEXPORT jobject JNICALL
-Java_org_mozilla_jss_pkcs11_PK11KeyGenerator_generatePBE
- (JNIEnv *env, jclass clazz, jobject token, jobject alg, jbyteArray passBA,
- jbyteArray saltBA, jint iterationCount)
+Java_org_mozilla_jss_pkcs11_PK11KeyGenerator_generatePBE(
+ JNIEnv *env, jclass clazz, jobject token, jobject alg, jobject encAlg,
+ jbyteArray passBA, jbyteArray saltBA, jint iterationCount)
{
PK11SlotInfo *slot=NULL;
PK11SymKey *skey=NULL;
@@ -299,12 +299,15 @@
oidTag = JSS_getOidTagFromAlg(env, alg);
PR_ASSERT(oidTag != SEC_OID_UNKNOWN);
+ SECOidTag encAlgOidTag = JSS_getOidTagFromAlg(env, encAlg);
+ PR_ASSERT(encAlgOidTag != SEC_OID_UNKNOWN);
+
/* create algid */
algid = PK11_CreatePBEV2AlgorithmID(
oidTag,
- SEC_OID_DES_EDE3_CBC,
+ encAlgOidTag,
SEC_OID_HMAC_SHA1,
- 168/8,
+ 0,
iterationCount,
salt);
diff -r eec15518fd61 -r 3629b598a9ce org/mozilla/jss/pkcs11/PK11KeyGenerator.java
--- a/org/mozilla/jss/pkcs11/PK11KeyGenerator.java Fri Sep 01 16:15:54 2017 -0700
+++ b/org/mozilla/jss/pkcs11/PK11KeyGenerator.java Fri Sep 08 11:09:23 2017 -0700
@@ -178,8 +178,9 @@
byte[] pwbytes=null;
try {
pwbytes = charToByte.convert( kgp.getPassword().getChars() );
- return generatePBE(token, algorithm, pwbytes,
- kgp.getSalt(), kgp.getIterations());
+ return generatePBE(
+ token, algorithm, kgp.getEncryptionAlgorithm(),
+ pwbytes, kgp.getSalt(), kgp.getIterations());
} finally {
if( pwbytes!=null ) {
Password.wipeBytes(pwbytes);
@@ -296,7 +297,9 @@
* be null.
*/
private static native SymmetricKey
- generatePBE(PK11Token token, KeyGenAlgorithm algorithm, byte[] pass,
- byte[] salt, int iterationCount) throws TokenException;
+ generatePBE(
+ PK11Token token, KeyGenAlgorithm algorithm, EncryptionAlgorithm encAlg,
+ byte[] pass, byte[] salt, int iterationCount)
+ throws TokenException;
}
# HG changeset patch
# User Fraser Tweedale<ftweedale@redhat.com>
# Date 1504894529 25200
# Fri Sep 08 11:15:29 2017 -0700
# Node ID bada1409d2bb67cd92c3b7c292b8bb4ae6388513
# Parent 3629b598a9ce73e83c7896407e3ca820f6383750
Bug 1370778 PBE and padded block cipher enhancements and fixes -
patch jss-ftweedal-0007-Support-the-CKK_GENERIC_SECRET-symmetric-key-type.patch
Subject: Support the CKK_GENERIC_SECRET symmetric key type
From: Fraser Tweedale <ftweedal@redhat.com>
Content-Type: text/plain
found patch at byte 873
message:
Support the CKK_GENERIC_SECRET symmetric key type
The NSS PBKDF2 generation produces a key with the CKK_GENERIC_SECRET
key type. The underlying PKCS #11 object *does* record the intended
encryption algorithm that was specified when generating the key via
PK11_PBEKeyGen, but this information is not exposed via the PKCS #11
interface. When initialising a cipher, JSS checks the key type
against the encryption algorithm and fails if they do not match,
which is always the case with PBKDF2-derived keys.
To work around this problem, properly record the key type for
CKK_GENERIC_SECRET keys, and update the cipher initialisation key
type check to always accept such keys.
cfu for ftweedal
diff -r 3629b598a9ce -r bada1409d2bb org/mozilla/jss/pkcs11/KeyType.java
--- a/org/mozilla/jss/pkcs11/KeyType.java Fri Sep 08 11:09:23 2017 -0700
+++ b/org/mozilla/jss/pkcs11/KeyType.java Fri Sep 08 11:15:29 2017 -0700
@@ -242,4 +242,7 @@
"SHA1_HMAC"
);
+ static public final KeyType GENERIC_SECRET =
+ new KeyType(new Algorithm[] { }, "GENERIC_SECRET");
+
}
diff -r 3629b598a9ce -r bada1409d2bb org/mozilla/jss/pkcs11/PK11Cipher.java
--- a/org/mozilla/jss/pkcs11/PK11Cipher.java Fri Sep 08 11:09:23 2017 -0700
+++ b/org/mozilla/jss/pkcs11/PK11Cipher.java Fri Sep 08 11:15:29 2017 -0700
@@ -243,8 +243,11 @@
}
try {
- if( ((PK11SymKey)key).getKeyType() !=
- KeyType.getKeyTypeFromAlgorithm(algorithm) ) {
+ KeyType keyType = ((PK11SymKey) key).getKeyType();
+ if (
+ keyType != KeyType.GENERIC_SECRET
+ && keyType != KeyType.getKeyTypeFromAlgorithm(algorithm)
+ ) {
throw new InvalidKeyException("Key is not the right type for"+
" this algorithm: " + ((PK11SymKey)key).getKeyType() + ":" + KeyType.getKeyTypeFromAlgorithm(algorithm) +";");
}
diff -r 3629b598a9ce -r bada1409d2bb org/mozilla/jss/pkcs11/PK11SymKey.c
--- a/org/mozilla/jss/pkcs11/PK11SymKey.c Fri Sep 08 11:09:23 2017 -0700
+++ b/org/mozilla/jss/pkcs11/PK11SymKey.c Fri Sep 08 11:15:29 2017 -0700
@@ -305,6 +305,9 @@
case CKK_DES2:
typeFieldName = DES3_KEYTYPE_FIELD;
break;
+ case CKK_GENERIC_SECRET:
+ typeFieldName = GENERIC_SECRET_KEYTYPE_FIELD;
+ break;
default:
PR_ASSERT(PR_FALSE);
typeFieldName = DES_KEYTYPE_FIELD;
diff -r 3629b598a9ce -r bada1409d2bb org/mozilla/jss/util/java_ids.h
--- a/org/mozilla/jss/util/java_ids.h Fri Sep 08 11:09:23 2017 -0700
+++ b/org/mozilla/jss/util/java_ids.h Fri Sep 08 11:15:29 2017 -0700
@@ -87,6 +87,7 @@
#define RC2_KEYTYPE_FIELD "RC2"
#define SHA1_HMAC_KEYTYPE_FIELD "SHA1_HMAC"
#define AES_KEYTYPE_FIELD "AES"
+#define GENERIC_SECRET_KEYTYPE_FIELD "GENERIC_SECRET"
/*
* NativeProxy
# HG changeset patch
# User Fraser Tweedale<ftweedale@redhat.com>
# Date 1504894882 25200
# Fri Sep 08 11:21:22 2017 -0700
# Node ID 890216599f21df4c6d07815604aaac526823a892
# Parent bada1409d2bb67cd92c3b7c292b8bb4ae6388513
Bug 1370778 PBE and padded block cipher enhancements and fixes -
patch jss-ftweedal-0008-PK11Cipher-improve-error-reporting.patch
Subject: PK11Cipher: improve error reporting
From: Fraser Tweedale <ftweedal@redhat.com>
message:
PK11Cipher: improve error reporting
cfu for ftweedal
diff -r bada1409d2bb -r 890216599f21 org/mozilla/jss/pkcs11/PK11Cipher.c
--- a/org/mozilla/jss/pkcs11/PK11Cipher.c Fri Sep 08 11:15:29 2017 -0700
+++ b/org/mozilla/jss/pkcs11/PK11Cipher.c Fri Sep 08 11:21:22 2017 -0700
@@ -152,7 +152,9 @@
/* do the operation */
if( PK11_CipherOp(context, outbuf, (int*)&outlen, outlen,
(unsigned char*)inbuf, inlen) != SECSuccess) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Cipher Operation failed");
+ JSS_throwMsgPrErrArg(
+ env, TOKEN_EXCEPTION, "Cipher context update failed",
+ PR_GetError());
goto finish;
}
PR_ASSERT(outlen >= 0);
@@ -209,7 +211,9 @@
/* perform the finalization */
status = PK11_DigestFinal(context, outBuf, &newOutLen, outLen);
if( (status != SECSuccess) ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Cipher operation failed on token");
+ JSS_throwMsgPrErrArg(
+ env, TOKEN_EXCEPTION, "Cipher context finalization failed",
+ PR_GetError());
goto finish;
}
# HG changeset patch
# User Fraser Tweedale<ftweedale@redhat.com>
# Date 1504895552 25200
# Fri Sep 08 11:32:32 2017 -0700
# Node ID d39e9b373798ea9d6ae7f35089b07143845b210e
# Parent 890216599f21df4c6d07815604aaac526823a892
Bug 1370778 PBE and padded block cipher enhancements and fixes -
patch jss-ftweedal-0009-Update-AES-CBC-PAD-cipher-definitions.patch
Subject: Update AES-CBC-PAD cipher definitions
From: Fraser Tweedale <ftweedal@redhat.com>
message:
Update AES-CBC-PAD cipher definitions
The AES_{128,192,256}_CBC_PAD EncryptionAlgorithm definitions declare
the correct PKCS #11 cipher mechanism and padding, but do not declare
the relevant OIDs. They are also unusable as target algorithms in
PBE key generation because they declare a PK11_MECH instead of a
SEC_OID_TAG.
Update these algorithms definitions to declare a SEC_OID_TAG instead
of a PK11_MECH (JSS_getOidTagFromAlg() will still return the correct
mechanism) and declare the associated OIDs.
cfu for ftweedal
diff -r 890216599f21 -r d39e9b373798 org/mozilla/jss/crypto/EncryptionAlgorithm.java
--- a/org/mozilla/jss/crypto/EncryptionAlgorithm.java Fri Sep 08 11:21:22 2017 -0700
+++ b/org/mozilla/jss/crypto/EncryptionAlgorithm.java Fri Sep 08 11:32:32 2017 -0700
@@ -359,8 +359,10 @@
AES_ROOT_OID.subBranch(2), 128);
public static final EncryptionAlgorithm
- AES_128_CBC_PAD = new EncryptionAlgorithm(CKM_AES_CBC_PAD, Alg.AES, Mode.CBC,
- Padding.PKCS5, IVParameterSpecClasses, 16, null, 128); // no oid
+ AES_128_CBC_PAD = new EncryptionAlgorithm(SEC_OID_AES_128_CBC,
+ Alg.AES, Mode.CBC,
+ Padding.PKCS5, IVParameterSpecClasses, 16,
+ AES_ROOT_OID.subBranch(2), 128);
public static final EncryptionAlgorithm
AES_192_ECB = new EncryptionAlgorithm(SEC_OID_AES_192_ECB,
@@ -374,8 +376,10 @@
AES_ROOT_OID.subBranch(22), 192);
public static final EncryptionAlgorithm
- AES_192_CBC_PAD = new EncryptionAlgorithm(CKM_AES_CBC_PAD, Alg.AES, Mode.CBC,
- Padding.PKCS5, IVParameterSpecClasses, 16, null, 192); // no oid
+ AES_192_CBC_PAD = new EncryptionAlgorithm(SEC_OID_AES_192_CBC,
+ Alg.AES, Mode.CBC,
+ Padding.PKCS5, IVParameterSpecClasses, 16,
+ AES_ROOT_OID.subBranch(22), 192);
public static final EncryptionAlgorithm
AES_256_ECB = new EncryptionAlgorithm(SEC_OID_AES_256_ECB,
@@ -393,6 +397,9 @@
Padding.PKCS5, IVParameterSpecClasses, 16, null, 256); // no oid
public static final EncryptionAlgorithm
- AES_256_CBC_PAD = AES_CBC_PAD;
+ AES_256_CBC_PAD = new EncryptionAlgorithm(SEC_OID_AES_256_CBC,
+ Alg.AES, Mode.CBC,
+ Padding.PKCS5, IVParameterSpecClasses, 16,
+ AES_ROOT_OID.subBranch(42), 256);
}
# HG changeset patch
# User Fraser Tweedale<ftweedale@redhat.com>
# Date 1504896621 25200
# Fri Sep 08 11:50:21 2017 -0700
# Node ID 0b8a6e84b6c736743f2184b2b858fda6be740544
# Parent d39e9b373798ea9d6ae7f35089b07143845b210e
Bug 1370778 PBE and padded block cipher enhancements and fixes -
patch jss-ftweedal-0010-PK11Cipher-use-pad-mechanism-for-algorithms-that-use.patch
Subject: PK11Cipher: use pad mechanism for algorithms that use padding
From: Fraser Tweedale <ftweedal@redhat.com>
message:
PK11Cipher: use pad mechanism for algorithms that use padding
The PK11Cipher implementation, when initialising a cipher context,
uses JSS_getPK11MechFromAlg() to retrieve the PKCS #11 mechanism to
use. When a JSS EncryptionAlgorithm uses a SEC_OID_TAG, this will
return the non-padded mechanism. Then, if the size of the data is
not a multiple of the cipher block size, a padding error occurs.
When the EncryptionAlgorithm indicates that padding is to be used,
call PK11_GetPadMechanism() on the result of JSS_getPK11MechFromAlg()
to get the padding variant of the mechanism.
cfu for ftweedal
diff -r d39e9b373798 -r 0b8a6e84b6c7 org/mozilla/jss/pkcs11/PK11Cipher.c
--- a/org/mozilla/jss/pkcs11/PK11Cipher.c Fri Sep 08 11:32:32 2017 -0700
+++ b/org/mozilla/jss/pkcs11/PK11Cipher.c Fri Sep 08 11:50:21 2017 -0700
@@ -24,16 +24,16 @@
JNIEXPORT jobject JNICALL
Java_org_mozilla_jss_pkcs11_PK11Cipher_initContext
(JNIEnv *env, jclass clazz, jboolean encrypt, jobject keyObj,
- jobject algObj, jbyteArray ivBA)
+ jobject algObj, jbyteArray ivBA, jboolean padded)
{
return Java_org_mozilla_jss_pkcs11_PK11Cipher_initContextWithKeyBits
- ( env, clazz, encrypt, keyObj, algObj, ivBA, 0);
+ ( env, clazz, encrypt, keyObj, algObj, ivBA, 0, padded);
}
JNIEXPORT jobject JNICALL
Java_org_mozilla_jss_pkcs11_PK11Cipher_initContextWithKeyBits
(JNIEnv *env, jclass clazz, jboolean encrypt, jobject keyObj,
- jobject algObj, jbyteArray ivBA, jint keyBits)
+ jobject algObj, jbyteArray ivBA, jint keyBits, jboolean padded)
{
CK_MECHANISM_TYPE mech;
PK11SymKey *key=NULL;
@@ -53,6 +53,9 @@
goto finish;
}
+ if (padded)
+ mech = PK11_GetPadMechanism(mech);
+
/* get operation type */
if( encrypt ) {
op = CKA_ENCRYPT;
diff -r d39e9b373798 -r 0b8a6e84b6c7 org/mozilla/jss/pkcs11/PK11Cipher.java
--- a/org/mozilla/jss/pkcs11/PK11Cipher.java Fri Sep 08 11:32:32 2017 -0700
+++ b/org/mozilla/jss/pkcs11/PK11Cipher.java Fri Sep 08 11:50:21 2017 -0700
@@ -90,10 +90,13 @@
state = ENCRYPT;
if( parameters instanceof RC2ParameterSpec ) {
- contextProxy = initContextWithKeyBits( true, key, algorithm, IV,
- ((RC2ParameterSpec)parameters).getEffectiveKeyBits() );
+ contextProxy = initContextWithKeyBits(
+ true, key, algorithm, IV,
+ ((RC2ParameterSpec)parameters).getEffectiveKeyBits(),
+ algorithm.isPadded());
} else {
- contextProxy = initContext( true, key, algorithm, IV );
+ contextProxy = initContext(
+ true, key, algorithm, IV, algorithm.isPadded());
}
}
@@ -112,10 +115,13 @@
state = DECRYPT;
if( parameters instanceof RC2ParameterSpec ) {
- contextProxy = initContextWithKeyBits(false, key, algorithm, IV,
- ((RC2ParameterSpec)parameters).getEffectiveKeyBits() );
+ contextProxy = initContextWithKeyBits(
+ false, key, algorithm, IV,
+ ((RC2ParameterSpec)parameters).getEffectiveKeyBits(),
+ algorithm.isPadded());
} else {
- contextProxy = initContext(false, key, algorithm, IV);
+ contextProxy = initContext(
+ false, key, algorithm, IV, algorithm.isPadded());
}
}
@@ -182,13 +188,13 @@
private static native CipherContextProxy
initContext(boolean encrypt, SymmetricKey key, EncryptionAlgorithm alg,
- byte[] IV)
+ byte[] IV, boolean padded)
throws TokenException;
// This version accepts the number of effective key bits for RC2 CBC.
private static native CipherContextProxy
initContextWithKeyBits(boolean encrypt, SymmetricKey key,
- EncryptionAlgorithm alg, byte[] IV, int keyBits)
+ EncryptionAlgorithm alg, byte[] IV, int keyBits, boolean padded)
throws TokenException;
private static native byte[]
# HG changeset patch
# User Fraser Tweedale<ftweedale@redhat.com>
# Date 1504896816 25200
# Fri Sep 08 11:53:36 2017 -0700
# Node ID b3b653faef8475ae03c670766429fd4dfab37a5e
# Parent 0b8a6e84b6c736743f2184b2b858fda6be740544
bug 1370778 PBE and padded block cipher enhancements and fixes -
patch jss-ftweedal-0012-2-Add-method-EncryptedPrivateKeyInfo.createPBES2.patch
Subject: Add method EncryptedPrivateKeyInfo.createPBES2
From: Fraser Tweedale <ftweedal@redhat.com>
Content-Type: text/plain
found patch at byte 404
message:
Add method EncryptedPrivateKeyInfo.createPBES2
The createPBE method does not support PBES2 (it is necessary to know
the desired encrypted algorithm to derive the key and build the
parameters data). Add the createPBES2 method, which uses PBKDF2 to
derive the symmetric key and allows the caller to specify the
encryption algorithm.
cfu for ftweedal
diff -r 0b8a6e84b6c7 -r b3b653faef84 org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java Fri Sep 08 11:50:21 2017 -0700
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java Fri Sep 08 11:53:36 2017 -0700
@@ -155,6 +155,100 @@
/**
+ * Export a private key in PBES2 format, using a random PBKDF2 salt.
+ *
+ * Token must support the CKM_PKCS5_PBKD2 mechanism.
+ *
+ * @param saltLen Length of salt in bytes (default: 16)
+ * @param kdfIterations PBKDF2 iterations (default: 2000)
+ * @param encAlg The symmetric encryption algorithm for enciphering the
+ * private key. Determines the size of derived key.
+ * @param pwd Password
+ * @param charToByteConverter The mechanism for converting the characters
+ * in the password into bytes. If null, the default mechanism
+ * will be used, which is UTF8.
+ * @param privateKeyInfo The encoded PrivateKeyInfo to be encrypted and
+ * stored in the EncryptedContentInfo.
+ */
+ public static EncryptedPrivateKeyInfo createPBES2(
+ int saltLen,
+ int kdfIterations,
+ EncryptionAlgorithm encAlg,
+ Password pwd,
+ KeyGenerator.CharToByteConverter charToByteConverter,
+ PrivateKeyInfo privateKeyInfo)
+ throws CryptoManager.NotInitializedException, NoSuchAlgorithmException,
+ InvalidKeyException, InvalidAlgorithmParameterException, TokenException,
+ CharConversionException
+ {
+ if (encAlg == null)
+ throw new IllegalArgumentException("encAlg cannot be null");
+ if (pwd == null)
+ throw new IllegalArgumentException("pwd cannot be null");
+ if (privateKeyInfo == null)
+ throw new IllegalArgumentException("privateKeyInfo cannot be null");
+
+ if (kdfIterations < 1)
+ kdfIterations = 2000;
+ if (saltLen < 1)
+ saltLen = 16;
+
+ try {
+ // generate random PBKDF2 salt
+ SecureRandom random = new SecureRandom();
+ byte salt[] = new byte[saltLen];
+ random.nextBytes(salt);
+
+ // derive symmetric key from passphrase using PBKDF2
+ CryptoManager cm = CryptoManager.getInstance();
+ CryptoToken token = cm.getInternalCryptoToken();
+ KeyGenerator kg = token.getKeyGenerator(
+ PBEAlgorithm.PBE_PKCS5_PBKDF2);
+ PBEKeyGenParams pbekgParams = new PBEKeyGenParams(
+ pwd.getChars(), salt, kdfIterations, encAlg);
+ if (charToByteConverter != null)
+ kg.setCharToByteConverter(charToByteConverter);
+ kg.initialize(pbekgParams);
+ SymmetricKey sk = kg.generate();
+
+ // encrypt PrivateKeyInfo
+ byte iv[] = new byte[encAlg.getBlockSize()];
+ random.nextBytes(iv);
+ Cipher cipher = token.getCipherContext(encAlg);
+ cipher.initEncrypt(sk, new IVParameterSpec(iv));
+ byte[] encData = cipher.doFinal(ASN1Util.encode(privateKeyInfo));
+
+ // construct KDF AlgorithmIdentifier
+ SEQUENCE paramsKdf = new SEQUENCE();
+ paramsKdf.addElement(new OCTET_STRING(salt));
+ paramsKdf.addElement(new INTEGER((long) kdfIterations));
+ paramsKdf.addElement(new INTEGER((long) sk.getLength()));
+ AlgorithmIdentifier algIdKdf = new AlgorithmIdentifier(
+ PBEAlgorithm.PBE_PKCS5_PBKDF2.toOID(), paramsKdf);
+
+ // construct encryption AlgorithmIdentifier
+ AlgorithmIdentifier algIdEnc = new AlgorithmIdentifier(
+ encAlg.toOID(), new OCTET_STRING(iv));
+
+ // construct "composite" PBES2 AlgorithmIdentifier
+ SEQUENCE paramsPBES2 = new SEQUENCE();
+ paramsPBES2.addElement(algIdKdf);
+ paramsPBES2.addElement(algIdEnc);
+ AlgorithmIdentifier algIdPBES2 = new AlgorithmIdentifier(
+ PBEAlgorithm.PBE_PKCS5_PBES2.toOID(), paramsPBES2);
+
+ // construct EncryptedPrivateKeyInfo
+ return new EncryptedPrivateKeyInfo(algIdPBES2, new OCTET_STRING(encData));
+ } catch (IllegalBlockSizeException e) {
+ Assert.notReached("IllegalBlockSizeException in EncryptedContentInfo.createPBES2");
+ } catch (BadPaddingException e) {
+ Assert.notReached("BadPaddingException in EncryptedContentInfo.createPBES2");
+ }
+ return null; // unreachable
+ }
+
+
+ /**
* Creates a new EncryptedPrivateKeyInfo, where the data is encrypted
* with a password-based key-
* with wrapping/unwrapping happening on token.
# HG changeset patch
# User Fraser Tweedale<ftweedale@redhat.com>
# Date 1504896964 25200
# Fri Sep 08 11:56:04 2017 -0700
# Node ID 87dca07f7529463398734d1279bcfd7023a43d4c
# Parent b3b653faef8475ae03c670766429fd4dfab37a5e
Bug 1370778 PBE and padded block cipher enhancements and fixes -
patch jss-ftweedal-0013-Improve-error-reporting.patch
Subject: Improve error reporting
From: Fraser Tweedale <ftweedal@redhat.com>
Content-Type: text/plain
found patch at byte 157
message:
Improve error reporting
cfu for ftweedal
diff -r b3b653faef84 -r 87dca07f7529 org/mozilla/jss/pkcs11/PK11KeyWrapper.c
--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c Fri Sep 08 11:53:36 2017 -0700
+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c Fri Sep 08 11:56:04 2017 -0700
@@ -251,9 +251,7 @@
status = PK11_WrapPrivKey(slot, wrapping, toBeWrapped, mech, param,
&wrapped, NULL /* wincx */ );
if(status != SECSuccess) {
- char err[256] = {0};
- PR_snprintf(err, 256, "Wrapping operation failed on token:%d", PR_GetError());
- JSS_throwMsg(env, TOKEN_EXCEPTION, err);
+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Wrapping operation failed on token");
goto finish;
}
PR_ASSERT(wrapped.len>0 && wrapped.data!=NULL);
@@ -450,8 +448,8 @@
attribs, numAttribs, NULL /*wincx*/);
if( privk == NULL ) {
char err[256] = {0};
- PR_snprintf(err, 256, "Key Unwrap failed on token:error=%d, keyType=%d", PR_GetError(), keyType);
- JSS_throwMsg(env, TOKEN_EXCEPTION, err);
+ PR_snprintf(err, 256, "Key Unwrap failed on token; keyType=%d", keyType);
+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, err);
goto finish;
}
diff -r b3b653faef84 -r 87dca07f7529 org/mozilla/jss/pkcs11/PK11Store.c
--- a/org/mozilla/jss/pkcs11/PK11Store.c Fri Sep 08 11:53:36 2017 -0700
+++ b/org/mozilla/jss/pkcs11/PK11Store.c Fri Sep 08 11:56:04 2017 -0700
@@ -734,7 +734,7 @@
PR_TRUE /* isperm */, PR_TRUE /* isprivate */,
pubKey->keyType, keyUsage, NULL /* wincx */);
if (result != SECSuccess) {
- JSS_throwMsg(
+ JSS_throwMsgPrErr(
env, TOKEN_EXCEPTION,
"Failed to import EncryptedPrivateKeyInfo to token");
goto finish;


@ -1,34 +0,0 @@
# HG changeset patch
# User David Stutzman david.konrad.stutzman@us.army.mil
# Date 1509062346 25200
# Thu Oct 26 16:59:06 2017 -0700
# Node ID b1a3c3cc6b3584948d251d3bfcfe6630d8970db5
# Parent 252c10f448971b7ae087bde259505abd5dc5a03a
Bugzilla.mozilla 1409867 org.mozilla.jss.pkix.cms.SignerInfo incorrectly producing signatures (especially for EC)
The patch fixes the OID that goes into the signatureAlgorithm field as well as passing the full signature algorithm to the Signature context to generate the signature using the proper algorithm.
With this patch, if one passes SignatureAlgorithm.RSASignatureWithSHA256Digest in the constructor one will now get sha256WithRSAEncryption (1 2 840 113549 1 1 11) in the signatureAlgorithm field.
cfu checking in for dstutzman
diff --git a/org/mozilla/jss/pkix/cms/SignerInfo.java b/org/mozilla/jss/pkix/cms/SignerInfo.java
--- a/org/mozilla/jss/pkix/cms/SignerInfo.java
+++ b/org/mozilla/jss/pkix/cms/SignerInfo.java
@@ -289,7 +289,7 @@
}
digestEncryptionAlgorithm = new AlgorithmIdentifier(
- signingAlg.getRawAlg().toOID(),null );
+ signingAlg.toOID(),null );
if( signedAttributes != null )
@@ -332,7 +332,7 @@
// encrypt the DER-encoded DigestInfo with the private key
CryptoToken token = signingKey.getOwningToken();
Signature sig;
- sig = token.getSignatureContext( signingAlg.getRawAlg() );
+ sig = token.getSignatureContext( signingAlg );
sig.initSign(signingKey);
sig.update(toBeSigned);
encryptedDigest = new OCTET_STRING(sig.sign());


@ -1,35 +0,0 @@
# HG changeset patch
# User Fraser Tweedale<ftweedale@redhat.com>
# Date 1505175862 25200
# Mon Sep 11 17:24:22 2017 -0700
# Node ID 3e9a5ae2149d04877dc19b117a8917c22854f8eb
# Parent 87dca07f7529463398734d1279bcfd7023a43d4c
Bug 1371147 PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails -
patch jss-ftweedal-0011-Don-t-crash-if-PK11_ExportEncryptedPrivKeyInfo-retur.patch
Subject: Don't crash if PK11_ExportEncryptedPrivKeyInfo returns NULL
From: Fraser Tweedale <ftweedal@redhat.com>
Content-Type: text/plain
found patch at byte 239
message:
Don't crash if PK11_ExportEncryptedPrivKeyInfo returns NULL
PK11_ExportEncryptedPrivKeyInfo returning NULL is not being handled
properly, causing segfault. Detect this condition and raise a
TokenException instead.
cfu for ftweedal
diff -r 87dca07f7529 -r 3e9a5ae2149d org/mozilla/jss/pkcs11/PK11Store.c
--- a/org/mozilla/jss/pkcs11/PK11Store.c Fri Sep 08 11:56:04 2017 -0700
+++ b/org/mozilla/jss/pkcs11/PK11Store.c Mon Sep 11 17:24:22 2017 -0700
@@ -581,6 +581,11 @@
// export the epki
epki = PK11_ExportEncryptedPrivKeyInfo(
slot, algTag, pwItem, privk, iterations, NULL /*wincx*/);
+ if (epki == NULL) {
+ JSS_throwMsgPrErr(
+ env, TOKEN_EXCEPTION, "Failed to export EncryptedPrivateKeyInfo");
+ goto finish;
+ }
// DER-encode the epki
if (SEC_ASN1EncodeItem(NULL, &epkiItem, epki,


@ -1,44 +0,0 @@
# HG changeset patch
# User David Stutzman<david.konrad.stutzman@us.army.mil>
# Date 1516144092 28800
# Tue Jan 16 15:08:12 2018 -0800
# Node ID 1d858c6d4626b625bb671426e6899d98c2f5bb2e
# Parent 8746a3fc74785e2fd12f86d08a6886ed9160620e
Bug# 386351 SignerInfo version, r=cfu
This patch fixes versioning of SignerInfo to match CMS spec.
cfu for dstutzman
diff --git a/org/mozilla/jss/pkix/cms/SignerInfo.java b/org/mozilla/jss/pkix/cms/SignerInfo.java
--- a/org/mozilla/jss/pkix/cms/SignerInfo.java
+++ b/org/mozilla/jss/pkix/cms/SignerInfo.java
@@ -52,9 +52,6 @@
private OCTET_STRING encryptedDigest;
private SET unsignedAttributes; // [1] OPTIONAL
- // we only do CMS in RFC 2630
- private static final INTEGER VERSION = new INTEGER(3);
-
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// Accessor methods
@@ -198,8 +195,17 @@
CryptoManager.NotInitializedException, SignatureException,
TokenException
{
- version = VERSION;
+ if (signerIdentifier == null) {
+ throw new IllegalArgumentException("SignerIdentifier may not be null");
+ }
this.signerIdentifier = signerIdentifier;
+ if (SignerIdentifier.ISSUER_AND_SERIALNUMBER.equals(this.signerIdentifier.getType())) {
+ this.version = new INTEGER(1);
+ } else if (SignerIdentifier.SUBJECT_KEY_IDENTIFIER.equals(this.signerIdentifier.getType())) {
+ this.version = new INTEGER(3);
+ } else {
+ throw new IllegalArgumentException("Unexpected SignerIdentifier type");
+ }
this.digestAlgorithm =
new AlgorithmIdentifier(signingAlg.getDigestAlg().toOID(),null);


@ -1,306 +0,0 @@
# HG changeset patch
# User David Stutzman<david.konrad.stutzman@us.army.mil>
# Date 1515711524 28800
# Thu Jan 11 14:58:44 2018 -0800
# Node ID 9e2db7eee6652330723d935c2b900b9b09b1ab9d
# Parent ca2c2fcfaf207f87c3c69e493f2b30fd0a088e95
Bug 1409867 - additional fix from dstutzman: allow signatures to be created correctly.
cfu for dstutzman
diff --git a/org/mozilla/jss/pkix/cms/SignerInfo.java b/org/mozilla/jss/pkix/cms/SignerInfo.java
--- a/org/mozilla/jss/pkix/cms/SignerInfo.java
+++ b/org/mozilla/jss/pkix/cms/SignerInfo.java
@@ -9,14 +9,10 @@
import org.mozilla.jss.util.Assert;
import org.mozilla.jss.pkix.primitive.*;
import org.mozilla.jss.crypto.*;
-import java.util.Vector;
-import java.math.BigInteger;
-import java.io.ByteArrayInputStream;
import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.security.NoSuchAlgorithmException;
import java.security.MessageDigest;
-import org.mozilla.jss.crypto.*;
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.pkix.cert.*;
import org.mozilla.jss.*;
@@ -73,14 +69,6 @@
}
/**
- * Low-level method to set the version.
- * It is not normally necessary to call this. Use it at your own risk.
- public void setVersion(INTEGER version) {
- this.version = version;
- }
- */
-
- /**
* Retrieves the SignerIdentifier.
*/
public SignerIdentifier getSignerIdentifier() {
@@ -88,14 +76,6 @@
}
/**
- * Low-level method to set the signerIdentifier.
- * It is not normally necessary to call this. Use it at your own risk.
- public void setSignerIdentifier( SignerIdentifier iasn ) {
- this.signerIdentifier = iasn;
- }
- */
-
- /**
* Retrieves the DigestAlgorithm used in this SignerInfo.
*
* @exception NoSuchAlgorithmException If the algorithm is not
@@ -116,14 +96,6 @@
}
/**
- * Low-level method to set the digest AlgorithmIdentifier.
- * It is not normally necessary to call this. Use it at your own risk.
- public void setDigestAlgorithmIdentifier(AlgorithmIdentifier algid) {
- this.digestAlgorithm = algid;
- }
- */
-
- /**
* Retrieves the signed attributes, if they exist.
*
*/
@@ -139,14 +111,6 @@
}
/**
- * Low-level method to set the signedAttributes field.
- * It is not normally necessary to call this. Use it at your own risk.
- public void setSignedAttributes(SET authAttrib) {
- this.signedAttributes = authAttrib;
- }
- */
-
- /**
* Returns the raw signature (digest encryption) algorithm used in this
* SignerInfo.
*
@@ -168,15 +132,6 @@
}
/**
- * Low-level method to set the digestEncryptionAlgorithm field.
- * It is not normally necessary to call this. Use it at your own risk.
- public void
- setDigestEncryptionAlgorithmIdentifier(AlgorithmIdentifier algid) {
- this.digestEncryptionAlgorithm= algid;
- }
- */
-
- /**
* Retrieves the encrypted digest.
*/
public byte[] getEncryptedDigest() {
@@ -184,14 +139,6 @@
}
/**
- * Low-level method to set the encryptedDigest field.
- * It is not normally necessary to call this. Use it at your own risk.
- public void setEncryptedDigest(byte[] ed) {
- this.encryptedDigest = new OCTET_STRING(ed);
- }
- */
-
- /**
* Retrieves the unsigned attributes, if they exist.
*
*/
@@ -206,14 +153,6 @@
return (unsignedAttributes!=null);
}
- /**
- * Low-level method to set the unsignedAttributes field.
- * It is not normally necessary to call this. Use it at your own risk.
- public void setUnsignedAttributes(SET unauthAttrib) {
- this.unsignedAttributes = unauthAttrib;
- }
- */
-
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// Constructors
@@ -221,17 +160,6 @@
///////////////////////////////////////////////////////////////////////
/**
- * Low-level default constructor. All fields are initialized to null.
- * Before this SignerInfo can be processed or used in any way, all of
- * the fields except <code>signedAttributes</code> and
- * <code>unsignedAttributes</code> must be non-null.
- * <p>It is not normally necessary to call this constructor.Use it at
- * your own risk.
- public SignerInfo() {
- }
- */
-
- /**
* A constructor for creating a new SignerInfo from scratch.
*
* @param signerIdentifier The signerIdentifier of the
@@ -303,36 +231,32 @@
//////////////////////////////////////////////////
// compute the digest
- byte[] digest=null;
- DigestAlgorithm digestAlg = signingAlg.getDigestAlg();
- if( signedAttributes == null ) {
+ CryptoToken token = signingKey.getOwningToken();
+ Signature sig;
+ byte[] toBeSigned = null;
+ if (signedAttributes == null) {
// just use the message digest of the content
- digest = messageDigest;
+ if (signingAlg.getRawAlg() == SignatureAlgorithm.RSASignature) {
+ SEQUENCE digestInfo = createDigestInfo(messageDigest, false);
+ toBeSigned = ASN1Util.encode(digestInfo);
+ } else {
+ toBeSigned = messageDigest;
+ }
+ sig = token.getSignatureContext(signingAlg.getRawAlg()); //data is already digested
} else {
- // digest the contents octets of the signed attributes
- byte[] enc = ASN1Util.encode(signedAttributes);
- MessageDigest md =
- MessageDigest.getInstance(digestAlg.toString());
- digest = md.digest( enc );
- }
-
- byte[] toBeSigned;
- if( signingAlg.getRawAlg() == SignatureAlgorithm.RSASignature ) {
- // put the digest in a DigestInfo
- SEQUENCE digestInfo = new SEQUENCE();
- AlgorithmIdentifier digestAlgId =
- new AlgorithmIdentifier( digestAlg.toOID(),null );
- digestInfo.addElement( digestAlgId );
- digestInfo.addElement( new OCTET_STRING( digest ) );
- toBeSigned = ASN1Util.encode(digestInfo);
- } else {
- toBeSigned = digest;
+ byte[] encoding = ASN1Util.encode(signedAttributes);
+ if (signingAlg.getRawAlg() == SignatureAlgorithm.RSASignature) {
+ // put the digest in a DigestInfo
+ SEQUENCE digestInfo = createDigestInfo(encoding, true);
+ toBeSigned = ASN1Util.encode(digestInfo);
+ sig = token.getSignatureContext(SignatureAlgorithm.RSASignature);
+ } else {
+ toBeSigned = encoding;
+ sig = token.getSignatureContext(signingAlg);
+ }
}
// encrypt the DER-encoded DigestInfo with the private key
- CryptoToken token = signingKey.getOwningToken();
- Signature sig;
- sig = token.getSignatureContext( signingAlg );
sig.initSign(signingKey);
sig.update(toBeSigned);
encryptedDigest = new OCTET_STRING(sig.sign());
@@ -494,21 +418,20 @@
digestEncryptionAlgorithm.getOID()
);
+ CryptoToken token = CryptoManager.getInstance()
+ .getInternalCryptoToken();
+ Signature sig;
byte[] toBeVerified;
- if( sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature ) {
+ if (sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature) {
// create DigestInfo structure
- SEQUENCE digestInfo = new SEQUENCE();
- digestInfo.addElement(
- new AlgorithmIdentifier(digestAlgorithm.getOID(), null) );
- digestInfo.addElement( new OCTET_STRING(messageDigest) );
+ SEQUENCE digestInfo = createDigestInfo(messageDigest, false);
toBeVerified = ASN1Util.encode(digestInfo);
+ sig = token.getSignatureContext(sigAlg.getRawAlg());
} else {
toBeVerified = messageDigest;
+ sig = token.getSignatureContext(sigAlg);
}
-
- CryptoToken token = CryptoManager.getInstance()
- .getInternalCryptoToken();
- Signature sig = token.getSignatureContext(sigAlg);
+
sig.initVerify(pubkey);
sig.update(toBeVerified);
if( sig.verify(encryptedDigest.toByteArray()) ) {
@@ -671,31 +594,22 @@
// Now verify the signature.
CryptoToken token =
CryptoManager.getInstance().getInternalCryptoToken();
- Signature sig = token.getSignatureContext( sigAlg );
- sig.initVerify(pubkey);
+ Signature sig;
// verify the contents octets of the DER encoded signed attribs
- byte[] toBeDigested = ASN1Util.encode(signedAttributes);
-
- MessageDigest md = MessageDigest.getInstance(
- DigestAlgorithm.fromOID(digestAlgorithm.getOID()).toString() );
- byte[] digest = md.digest(toBeDigested);
-
+ byte[] encoding = ASN1Util.encode(signedAttributes);
byte[] toBeVerified;
- if( sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature ) {
+ if (sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature) {
// create DigestInfo structure
- SEQUENCE digestInfo = new SEQUENCE();
-
- AlgorithmIdentifier digestAlgId =
- new AlgorithmIdentifier( digestAlgorithm.getOID(),null );
- digestInfo.addElement( digestAlgId );
-
- digestInfo.addElement( new OCTET_STRING(digest) );
+ SEQUENCE digestInfo = createDigestInfo(encoding, true);
toBeVerified = ASN1Util.encode(digestInfo);
+ sig = token.getSignatureContext(SignatureAlgorithm.RSASignature);
} else {
- toBeVerified = digest;
+ toBeVerified = encoding;
+ sig = token.getSignatureContext(sigAlg);
}
+ sig.initVerify(pubkey);
sig.update( toBeVerified );
if( ! sig.verify(encryptedDigest.toByteArray()) ) {
@@ -708,6 +622,25 @@
// SUCCESSFULLY VERIFIED
}
+
+ private SEQUENCE createDigestInfo(byte[] data, boolean doDigest) throws NoSuchAlgorithmException {
+ if(data == null || data.length == 0){
+ throw new IllegalArgumentException("Data to digest must be supplied");
+ }
+ SEQUENCE digestInfo = new SEQUENCE();
+ digestInfo.addElement(this.digestAlgorithm);
+ byte[] digest;
+ if (doDigest) {
+ MessageDigest md = MessageDigest.getInstance(
+ DigestAlgorithm.fromOID(this.digestAlgorithm.getOID()).toString());
+ digest = md.digest(data);
+ } else {
+ digest = data;
+ }
+ digestInfo.addElement(new OCTET_STRING(digest));
+ return digestInfo;
+ }
+
/**
* Compares two non-null byte arrays. Returns true if they are identical,


@ -1,41 +0,0 @@
# HG changeset patch
# User David Stutzman<david.konrad.stutzman@us.army.mil>
# Date 1515722400 28800
# Thu Jan 11 18:00:00 2018 -0800
# Node ID 8746a3fc74785e2fd12f86d08a6886ed9160620e
# Parent 9e2db7eee6652330723d935c2b900b9b09b1ab9d
Bug 589158 Add support for Java Security Standard Algorithm Names for EC Signature types
This patch adds the aliases for Java Security Standard Algorithm Names for EC Signature types.
cfu for dstutzman (reviewed by wtc)
diff --git a/org/mozilla/jss/JSSProvider.java b/org/mozilla/jss/JSSProvider.java
--- a/org/mozilla/jss/JSSProvider.java
+++ b/org/mozilla/jss/JSSProvider.java
@@ -79,21 +79,25 @@
put("Alg.Alias.Signature.SHA-1/EC", "SHA1withEC");
put("Alg.Alias.Signature.SHA/ECDSA", "SHA1withEC");
put("Alg.Alias.Signature.SHA1/ECDSA", "SHA1withEC");
+ put("Alg.Alias.Signature.SHA1withECDSA", "SHA1withEC"); //JCE Standard Name
put("Signature.SHA256withEC",
"org.mozilla.jss.provider.java.security.JSSSignatureSpi$SHA256EC");
put("Alg.Alias.Signature.SHA256/EC", "SHA256withEC");
put("Alg.Alias.Signature.SHA-256/EC", "SHA256withEC");
+ put("Alg.Alias.Signature.SHA256withECDSA", "SHA256withEC"); //JCE Standard Name
put("Signature.SHA384withEC",
"org.mozilla.jss.provider.java.security.JSSSignatureSpi$SHA384EC");
put("Alg.Alias.Signature.SHA384/EC", "SHA384withEC");
put("Alg.Alias.Signature.SHA-384/EC", "SHA384withEC");
+ put("Alg.Alias.Signature.SHA384withECDSA", "SHA384withEC"); //JCE Standard Name
put("Signature.SHA512withEC",
"org.mozilla.jss.provider.java.security.JSSSignatureSpi$SHA512EC");
put("Alg.Alias.Signature.SHA512/EC", "SHA512withEC");
put("Alg.Alias.Signature.SHA-512/EC", "SHA512withEC");
+ put("Alg.Alias.Signature.SHA512withECDSA", "SHA512withEC"); //JCE Standard Name
/////////////////////////////////////////////////////////////
// Message Digesting

394
jss.spec

@ -1,17 +1,24 @@
Name: jss
Version: 4.4.2
Release: 10%{?dist}
Version: 4.4.3
Release: 1%{?dist}
Summary: Java Security Services (JSS)
Group: System Environment/Libraries
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/jss/
# The source for this package was pulled from upstream's hg. Use the
# following commands to generate the tarball:
# The source for this package was pulled from upstream repository.
#
# To generate the tarball with HG:
#
# hg clone https://hg.mozilla.org/projects/jss
# cd jss
# hg archive --prefix jss-4.4.2/jss/ ../jss-4.4.2.tar.gz
# hg archive --prefix jss-4.4.3/jss/ ../jss-4.4.3.tar.gz
#
# To generate the tarball with Git:
#
# git clone hg::https://hg.mozilla.org/projects/jss
# cd jss
# git archive --format=tar.gz --prefix jss-4.4.3/jss/ -o ../jss-4.4.3.tar.gz -v HEAD
#
Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{name}-%{version}.tar.gz
Source1: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/MPL-1.1.txt
@ -31,16 +38,6 @@ BuildRequires: perl-interpreter
Requires: java-headless
Requires: nss >= 3.28.4-6
Patch1: jss-HMAC-test-for-AES-encrypt-unwrap.patch
Patch2: jss-PBE-padded-block-cipher-enhancements.patch
Patch3: jss-fix-PK11Store-getEncryptedPrivateKeyInfo-segfault.patch
Patch4: jss-HMAC-unwrap-keywrap-FIPSMODE.patch
Patch5: jss-SignatureAlgorithm.patch
Patch6: jss-ObjectNotFoundException-message.patch
Patch7: jss-signature-correction.patch
Patch8: jss-standardize-ECC-algorithm-names.patch
Patch9: jss-fix-SignerInfo-version.patch
%description
Java Security Services (JSS) is a java native interface which provides a bridge
for java-based applications to use native Network Security Services (NSS).
@ -55,20 +52,12 @@ Requires: jss = %{version}-%{release}
This package contains the API documentation for JSS.
%prep
%setup -q -n %{name}-%{version}
pushd jss
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
popd
%autosetup -n %{name}-%{version}
%build
%set_build_flags
[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
[ -z "$USE_INSTALLED_NSPR" ] && export USE_INSTALLED_NSPR=1
[ -z "$USE_INSTALLED_NSS" ] && export USE_INSTALLED_NSS=1
@ -155,351 +144,6 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
%{_javadocdir}/%{name}-%{version}/*
%changelog
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.2-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Mon Jan 22 2018 Dogtag Team <pki-devel@redhat.com> 4.4.2-9
- Mozilla Bugzilla #1409867 - org.mozilla.jss.pkix.cms.SignerInfo incorrectly
producing signatures (especially for EC) (cfu,dstutzman)
- Mozilla Bugzilla #589158 - Add Sun's standard algorithm names for all ECC
signature types (cfu,dstutzman)
- Mozilla Bugzilla #386351 - SignerInfo class inserts wrong version # into
the resulting structure (cfu,dstutzman)
* Mon Jan 08 2018 Karsten Hopp <karsten@redhat.com> - 4.4.2-8
- update build dependencies
* Wed Nov 1 2017 Dogtag Team <pki-devel@redhat.com> 4.4.2-7
- Mozilla Bugzilla #1408057 - JSS throws ObjectNotFoundException without
message (edewata)
- Mozilla Bugzilla #1409867 - org.mozilla.jss.pkix.cms.SignerInfo incorrectly
producing signatures (especially for EC) (cfu,dstutzman)
* Fri Oct 27 2017 Dogtag Team <pki-devel@redhat.com> 4.4.2-6
- Mozilla Bugzilla #1400884 - new JSS failures: HMAC Unwrap and KeyWrapping
FIPSMODE (jmagne)
* Mon Sep 11 2017 Dogtag Team <pki-devel@redhat.com> 4.4.2-5
- Mozilla Bugzilla #1370778 - PBE and padded block cipher enhancements and
fixes (ftweedal)
- Mozilla Bugzilla #1371147 - PK11Store.getEncryptedPrivateKeyInfo() segfault
if export fails (ftweedal)
- Mozilla Bugzilla #1373824 - Mozilla Bug #1373824 - Bug 1308027 (change 2163)
breaks HMAC-SHA1 key imports (jmagne)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.4.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue May 9 2017 Matthew Harmsen <mharmsen@redhat.com> - 4.4.2-2
- Bump NSS dependencies from 4.28.3 to 4.28.4-6 to pick-up fix in
Mozilla Bugzilla #1360207 - Fix incorrect if (ss->...) in SSL_ReconfigFD
* Mon May 1 2017 Matthew Harmsen <mharmsen@redhat.com> - 4.4.2-1
- Mozilla Bugzilla #1352476 - RFE: Document on the README how to create a
release tag (mharmsen)
- Mozilla Bugzilla #1355358 - CryptoStore: add methods for importing and
exporting EncryptedPrivateKeyInfo (ftweedal)
- Mozilla Bugzilla #1359731 - CryptoStore.importPrivateKey enhancements
(ftweedal)
* Mon Apr 17 2017 Matthew Harmsen <mharmsen@redhat.com> - 4.4.1-2
- Mozilla Bugzilla #1355268 - JSS 4.4 is incompatible with versions of
idm-console-framework < 1.1.17-4
- Red Hat Bugzilla #1435076 - Remove unused legacy lines from JSS spec files
* Mon Mar 27 2017 Matthew Harmsen <mharmsen@redhat.com> - 4.4.1-1
- Bugzilla Bug #1431937 - Rebase jss to 4.4.x in Fedora 25+
- Updated build requirements for NSPR
- Updated build and runtime requirements for NSS
- ## 'jss-post-rebase.patch' resolves the following issues ported from
## upstream:
- Mozilla Bugzilla #1337092 - CMC conformance update: Implement required ASN.1
code for RFC5272+ (cfu)
- Mozilla Bugzilla #1347394 - Eclipse project files for JSS (edewata)
- Mozilla Bugzilla #1347429 - Deprecated SSL 3.0 cipher names in SSLSocket
class. (edewata)
- Mozilla Bugzilla #1348856 - SSL alert callback (edewata)
- Mozilla Bugzilla #1349278 - SSL cipher enumeration (edewata)
- Mozilla Bugzilla #1349349 - Problem with Password.readPasswordFromConsole().
(edewata)
- Mozilla Bugzilla #1349831 - Revise top-level README file (mharmsen)
- Mozilla Bugzilla #1349836 - Changes to JSS Version Block (mharmsen)
- Mozilla Bugzilla #1350130 - Missing
CryptoManager.verifyCertificateNowCUNative() implementation. (emaldona)
* Tue Mar 21 2017 Matthew Harmsen <mharmsen@redhat.com> - 4.4.0-3
- Bugzilla Bug #1434535 - JSS 4.4.x is incompatible with versions of
pki-base < 10.4.0
* Wed Mar 15 2017 Matthew Harmsen <mharmsen@redhat.com> - 4.4.0-2
- Bugzilla Bug #1432568 - JSS 4.4.x is incompatible with versions of
tomcatjss < 7.2.1
* Mon Mar 13 2017 Elio Maldonado <emaldona@redhat.com> - 4.4.0-1
- Bugzilla Bug #1431937 - Rebase jss to 4.4.x in Fedora 25+
- ## JSS 4.4.0 includes the following patches ported from downstream:
- Mozilla Bugzilla #507536 - Add IPv6 functionality to JSS
- Mozilla Bugzilla #1307872 - Expose NSS calls for OCSP settings
- Mozilla Bugzilla #1307882 - RFE ecc - add ecc curve name support in JSS and
CS interface
- Mozilla Bugzilla #1307993 - Expose updated certificate verification function
in JSS
- Mozilla Bugzilla #1308000 - Incorrect socket accept error message due to bad
pointer arithmetic
- Mozilla Bugzilla #1308001 - Verification should fail when a revoked
certificate is added
- Mozilla Bugzilla #1308004 - Warnings should be cleaned up in JSS build
- Mozilla Bugzilla #1308006 - DRM failed to recovery keys when in FIPS mode
(HSM + NSS)
- Mozilla Bugzilla #1308008 - Defects revealed by Coverity scan
- Mozilla Bugzilla #1308009 - Add support for PKCS5v2; support for secure PKCS12
- Mozilla Bugzilla #1308012 - DRM: during archiving and recovering, wrapping
unwrapping keys should be done in the token
- Mozilla Bugzilla #1308013 - JSS - HSM token name was mistaken for
manufacturer identifier
- Mozilla Bugzilla #1308017 - Un-deprecate previously deprecated methods in
JSS 4.2.6
- Mozilla Bugzilla #1308019 - Provide Tomcat support for TLS v1.1 and
TLS v1.2 via NSS through JSS
- Mozilla Bugzilla #1308026 - JSS certificate validation does not pass up exact
error from NSS
- Mozilla Bugzilla #1308027 - Merge pki-symkey into jss
- Mozilla Bugzilla #1308029 - Resolve Javadoc build issues
- Mozilla Bugzilla #1308047 - support ECC encryption key archival and recovery
- Mozilla Bugzilla #1313122 - Remove bypass tests as latest NSS has removed
PKCS#11 bypass support
- Mozilla Bugzilla #1328675 - Simple problem unwrapping AES sym keys on token
- Mozilla Bugzilla #1345174 - Cannot create system certs when using LunaSA HSM
in FIPS Mode and ECC algorithms
- Mozilla Bugzilla #1345613 - expose AES KeyWrap and add some useful OID
functions
- Mozilla Bugzilla #1346410 - Load JSS libraries appropriately
- ## JSS 4.4.0 includes the following changes for building and testing:
- Mozilla Bugzilla #1331765 - Simplify JSS Makefile build and test
- Mozilla Bugzilla #1346420 - Document steps required to use the proper
libjss4.so when running certain HMAC Algorithms tests
* Wed Feb 22 2017 Jack Magne <jmagne@redhat.com> - 4.2.6-44
- Bugzilla Bug #1425971 - Simple problem unwrapping AES sym keys on token
* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.6-43
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Aug 9 2016 Christina Fu <cfu@redhat.com> - 4.2.6-42
- Sync up patches from both Fedora and RHEL; adding two patches
(cfu, edewata, mharmsen) from RHEL:
- Bugzilla Bug #1238450 - UnsatisfiedLinkError on Windows (cfu)
- make it compile on Windows platforms (cfu for nhosoi)
* Fri Jun 24 2016 Christina Fu <cfu@redhat.com> - 4.2.6-41
- Bugzilla 1221295 jss fails to decode EncryptedKey >> EnvelopedData
(cfu for roysjosh@gmail.com)
* Thu May 19 2016 Christina Fu <cfu@redhat.com> - 4.2.6-40
- Bugzilla 1074208 - pass up exact JSS certificate validation errors from NSS
(edewata)
- Bugzilla 1331596 - Key archival fails when KRA is configured with lunasa.
(cfu)
- PKI ticket 801 - Merge pki-symkey into jss (phase 1)
(jmagne)
* Wed Dec 09 2015 Endi Dewata <edewata@redhat.com> - 4.2.6-38
- Bugzilla Bug #1289799 - JSS build failure on F23 and Rawhide (edewata)
* Thu Apr 09 2015 Marcin Juszkiewicz <mjuszkiewicz@redhat.com> - 4.2.6-37
- Fix use of __isa_bits macro so it does not fail during srpm generation on koji
* Thu Apr 09 2015 Marcin Juszkiewicz <mjuszkiewicz@redhat.com> - 4.2.6-36
- Use __isa_bits macro to check for 64-bit arch. Unblocks aarch64 and ppc64le.
* Tue Sep 30 2014 Christina Fu <cfu@redhat.com> - 4.2.6-35
- Bugzilla Bug #1040640 - Incorrect OIDs for SHA2 algorithms
(cfu for jnimeh@gmail.com)
- Bugzilla Bug #1133718 - Key strength validation is not performed for RC4
algorithm (nkinder)
- Bugzilla Bug #816396 - Provide Tomcat support for TLS v1.1 and
TLS v1.2 via NSS through JSS (cfu)
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-34
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-33
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Fri Mar 28 2014 Michael Simacek <msimacek@redhat.com> - 4.2.6-32
- Use Requires: java-headless rebuild (#1067528)
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-31
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 17 2013 Nathan Kinder <nkinder@redhat.com> - 4.2.6-30
- Bugzilla Bug #847120 - Unable to build JSS on F17 or newer
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-29
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
* Wed Dec 19 2012 Stanislav Ochotnicky <sochotnicky@redhat.com> - 4.2.6-28
- revbump after jnidir change
* Wed Dec 12 2012 Stanislav Ochotnicky <sochotnicky@redhat.com> - 4.2.6-27
- Simple rebuild
* Mon Nov 19 2012 Christina Fu <cfu@redhat.com> - 4.2.6-26
- added source URLs in spec file to pass Package Wrangler
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-25
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Fri Mar 30 2012 Matthew Harmsen <mharmsen@redhat.com> - 4.2.6-24
- Bugzilla Bug #783007 - Un-deprecate previously deprecated methods in
JSS 4.2.6 . . . BadPaddingException (mharmsen)
* Tue Mar 20 2012 Christina Fu <cfu@redhat.com> - 4.2.6-23
- Bugzilla Bug #797351 - JSS - HSM token name was mistaken for manufacturer
identifier (cfu)
- Bugzilla Bug #804840 - [RFE] ECC encryption keys cannot be archived
ECC phase2 work - support for ECC encryption key archival and recovery (cfu)
- Bugzilla Bug #783007 - Un-deprecate previously deprecated methods in
JSS 4.2.6 . . . (mharmsen)
- Dogtag TRAC Task #109 (https://fedorahosted.org/pki/ticket/109) - add
benign JNI jar file symbolic link from JNI libdir to JNI jar file (mharmsen)
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-22
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
* Wed Oct 19 2011 Christina Fu <cfu@redhat.com> - 4.2.6-21
- Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping
unwrapping keys should be done in the token
- support for PKCS5v2; support for secure PKCS12
- Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after the
in-place upgrade( CS 8.0->8.1)
* Mon Sep 19 2011 Matthew Harmsen <mharmsen@redhat.com> - 4.2.6-20
- Bugzilla Bug #715621 - Defects revealed by Coverity scan
* Wed Aug 31 2011 Matthew Harmsen <mharmsen@redhat.com> - 4.2.6-19.1
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
* Mon Aug 15 2011 Christina Fu <cfu@redhat.com> - 4.2.6-19
- Bugzilla Bug 733550 - DRM failed to recovery keys when in FIPS mode
(HSM + NSS)
* Fri Aug 12 2011 Matthew Harmsen <mharmsen@redhat.com> - 4.2.6-18
- Bugzilla Bug #660436 - Warnings should be cleaned up in JSS build
(jdennis, mharmsen)
* Wed May 18 2011 Christina Fu <cfu@redhat.com> - 4.2.6-17
- Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode
and ECC algorithms (support tokens that don't do ECDH)
* Fri Apr 08 2011 Jack Magne <jmagne@redhat.com> - 4.2.6-15.99
- bug 694661 - TKS instance crash during token enrollment.
Back out of previous patch for #676083.
* Thu Feb 24 2011 Andrew Wnuk <awnuk@redhat.com> - 4.2.6-15
- bug 676083 - JSS: slots not freed
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Mon Jan 31 2011 John Dennis <jdennis@redhat.com> - 4.2.6-13
- remove misleading comment in spec file concerning jar signing
* Tue Jan 11 2011 Kevin Wright <kwright@redhat.com> - 4.2.6-12
- added missing patch line
* Tue Dec 21 2010 Christina Fu <cfu@redhat.com> - 4.2.6-11
- bug 654657 - <jdennis@redhat.com>
Incorrect socket accept error message due to bad pointer arithmetic
- bug 661142 - <cfu@redhat.com>
Verification should fail when a revoked certificate is added
* Thu Dec 16 2010 John Dennis <jdennis@redhat.com> - 4.2.6-10
- Resolves: bug 656094 - <jdennis@redhat.com>
Rebase jss to at least jss-4.2.6-9
- <jdennis@redhat.com>
merge in updates from Fedora
move jar location to %%{_libdir}/jss and provide symlinks, on 32bit looks like this:
/usr/lib/java/jss4.jar -> /usr/lib/jss/jss4.jar
/usr/lib/jss/jss4-<version>.jar
/usr/lib/jss/jss4.jar -> jss4-<version>.jar
/usr/lib/jss/libjss4.so
- bug 654657 - <jdennis@redhat.com>
Incorrect socket accept error message due to bad pointer arithmetic
- bug 647364 - <cfu@redhat.com>
Expose updated certificate verification function in JSS
- bug 529945 - <cfu@redhat.com>
expose NSS calls for OCSP settings
- bug 638833 - <cfu@redhat.com>
rfe ecc - add ec curve name support in JSS and CS
- <rcritten@redhat.com>
Need to explicitly catch UnsatisfiedLinkError exception for System.load()
- bug 533304 - <rcritten@redhat.com>
Move location of libjss4.so to subdirectory and use System.load() to
load it instead of System.loadLibrary() for Fedora packaging compliance
* Mon Nov 30 2009 Dennis Gregorovic <dgregor@redhat.com> - 4.2.6-4.1
- Rebuilt for RHEL 6
* Fri Jul 31 2009 Rob Crittenden <rcritten@redhat.com> 4.2.6-4
- Resolves: bug 224688 - <cfu@redhat.com>
Support ECC POP on the server
- Resolves: bug 469456 - <jmagne@redhat.com>
Server Sockets are hard coded to IPV4
- Resolves: bug 509183 - <mharmsen@redhat.com>
Set NSS dependency >= 3.12.3.99
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Fri Jun 5 2009 Rob Crittenden <rcritten@redhat.com> 4.2.6-2
- Include patch to fix missing @param so javadocs will build
* Fri Jun 5 2009 Rob Crittenden <rcritten@redhat.com> 4.2.6-1
- Resolves: bug 455305 - <cfu@redhat.com>
CA ECC Signing Key Failure
- Resolves: bug 502111 - <cfu@redhat.com>
Need JSS interface for NSS's PK11_GenerateKeyPairWithOpFlags() function
- Resolves: bug 503809 - <mharmsen@redhat.com>
Update JSS version to 4.2.6
- Resolves: bug 503817 - <mharmsen@redhat.com>
Create JSS Javadocs as their own RPM
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Tue Aug 5 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 4.2.5-3
- fix license tag
* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 4.2.5-2
- Autorebuild for GCC 4.3
* Fri Aug 3 2007 Rob Crittenden <rcritten@redhat.com> 4.2.5-1
- update to 4.2.5
* Thu May 24 2007 Rob Crittenden <rcritten@redhat.com> 4.2.4-6
- Use _jnidir macro instead of _javadir for the jar files. This will break
multilib installs but adheres to the jpackage spec.
* Wed May 16 2007 Rob Crittenden <rcritten@redhat.com> 4.2.4-5
- Include the 3 license files
- Remove Requires for nss and nspr. These libraries have versioned symbols
so BuildRequires is enough to set the minimum.
- Add sparc64 for the 64-bit list
* Mon May 14 2007 Rob Crittenden <rcritten@redhat.com> 4.2.4-4
- Included additional comments on jar signing and why ldconfig is not
required.
* Thu May 10 2007 Rob Crittenden <rcritten@redhat.com> 4.2.4-3
- Added information on how to pull the source into a tar.gz
* Thu Mar 15 2007 Rob Crittenden <rcritten@redhat.com> 4.2.4-2
- Added RPM_OPT_FLAGS to XCFLAGS
- Added link to Sun JCE information
* Tue Feb 27 2007 Rob Crittenden <rcritten@redhat.com> 4.2.4-1
- Initial build
* Thu Apr 05 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.4.3-1
- Rebased to JSS 4.4.3
- Red Hat Bugzilla #1548548 - Partial Fedora build flags injection
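Review bot: Dropping Patch1 through Patch9 together with the `%patchN` lines leaves no record in the spec of where those fixes went, and the new changelog entry only says "Rebased to JSS 4.4.3", so a packager auditing this build cannot tell from the spec alone whether the PK11Store.getEncryptedPrivateKeyInfo() segfault fix (Patch3) or the FIPS-mode HMAC unwrap fix (Patch4) is actually present in the 4.4.3 tarball. The removed changelog history pairs these patches with Mozilla Bugzilla #1370778, #1371147, #1373824, #1400884, #1408057, #1409867, #589158 and #386351, although I am inferring that mapping from the patch file names rather than from anything this commit states. I would add a bullet to the 4.4.3-1 entry such as `- Dropped downstream patches 1-9; all are upstream in JSS 4.4.3 (Mozilla Bugzilla #1370778, #1371147, #1373824, #1400884, #1408057, #1409867, #589158, #386351)` so the removal is traceable. Separately, the new `git clone hg::https://...` instructions depend on the git-remote-hg helper, which is worth naming in the comment, e.g. `# (requires git-remote-hg)`.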


@ -1 +1 @@
SHA512 (jss-4.4.2.tar.gz) = 71f76aef2905c374a0d87b25a73db2498562fe16cef1489c5859271d2ae264695dd2b00880539c35b21f4e0b19856abc5028b813fe05b33352304b538182b251
SHA512 (jss-4.4.3.tar.gz) = 4c471cc0195ece984f5cd232862e7de77ec371d8d994c72d1fb1d82ac4c3a523feda561c93c6668d3c50d6700128d56d05ab1bac918d0a618f5023afee3d36e5