Bugzilla Bug #797351 - JSS - HSM token name was mistaken for manufacturer identifier

Bugzilla Bug #804840 - [RFE] ECC encryption keys cannot be archived ECC phase2 work - support for ECC encryption key archival and recovery
Bugzilla Bug #783007 - Un-deprecate previously deprecated methods in JSS 4.2.6 . . .
Dogtag TRAC Task #109 (https://fedorahosted.org/pki/ticket/109) - add benign JNI jar file symbolic link from JNI libdir to JNI jar file

clog

@@ -1,5 +0,0 @@
-Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping
-unwrapping keys should be done in the token
-support for PKCS5v2; support for secure PKCS12
-Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after the
-in-place upgrade( CS 8.0->8.1)

jss-ECC-Phase2KeyArchivalRecovery.patch

@@ -0,0 +1,451 @@
+diff -up jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig jss-4.2.6/mozilla/security/jss/build_java.pl
+--- jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig	2012-03-19 17:48:57.615048000 -0700
++++ jss-4.2.6/mozilla/security/jss/build_java.pl	2012-03-19 17:48:53.250052000 -0700
+@@ -19,6 +19,7 @@ org.mozilla.jss.crypto.Algorithm
+ org.mozilla.jss.crypto.EncryptionAlgorithm      
+ org.mozilla.jss.crypto.PQGParams     
+ org.mozilla.jss.crypto.SecretDecoderRing
++org.mozilla.jss.asn1.ASN1Util
+ org.mozilla.jss.pkcs11.CertProxy        
+ org.mozilla.jss.pkcs11.CipherContextProxy 
+ org.mozilla.jss.pkcs11.PK11Module 
+diff -up jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/config.mk
+--- jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig	2012-03-19 17:48:57.535048000 -0700
++++ jss-4.2.6/mozilla/security/jss/lib/config.mk	2012-03-19 17:48:53.264052000 -0700
+@@ -44,6 +44,7 @@ SHARED_LIBRARY_DIRS = \
+     ../org/mozilla/jss/SecretDecoderRing \
+     ../org/mozilla/jss \
+     ../org/mozilla/jss/pkcs11 \
++    ../org/mozilla/jss/asn1 \
+     ../org/mozilla/jss/ssl \
+     ../org/mozilla/jss/util \
+     ../org/mozilla/jss/provider/java/security \
+diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig jss-4.2.6/mozilla/security/jss/lib/jss.def
+--- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig	2012-03-19 17:48:57.362048000 -0700
++++ jss-4.2.6/mozilla/security/jss/lib/jss.def	2012-03-19 17:48:53.278052000 -0700
+@@ -333,6 +333,7 @@ Java_org_mozilla_jss_CryptoManager_OCSPC
+ Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
+ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
+ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
++Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid;
+ ;+    local:
+ ;+       *;
+ ;+};
+diff -up jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/rules.mk
+--- jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig	2012-03-19 17:48:57.574049000 -0700
++++ jss-4.2.6/mozilla/security/jss/lib/rules.mk	2012-03-19 17:48:53.288052000 -0700
+@@ -41,6 +41,7 @@ release_sanitize::
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsscrypto$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssmanage$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspkcs11$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
++	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssasn1$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspolicy$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssssl$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssutil$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+@@ -48,6 +49,7 @@ ifeq ($(OS_ARCH),WINNT)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsscrypto$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssmanage$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspkcs11$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
++	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssasn1$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspolicy$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssssl$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssutil$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig	2012-03-19 17:48:57.381048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c	2012-03-19 17:51:32.433893000 -0700
+@@ -0,0 +1,97 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 1998-2000
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++#include "_jni/org_mozilla_jss_asn1_ASN1Util.h"
++#include <pk11func.h>
++#include <nspr.h>
++#include <seccomon.h>
++#include <key.h>
++#include <secitem.h>
++
++#include <jssutil.h>
++#include <java_ids.h>
++#include <jss_exceptions.h>
++#include <Algorithm.h>
++
++/***********************************************************************
++ *
++ * Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid
++ *     retrieves OID description by NSS's OID Tag identifier
++ *     the OID byte array is expected to be without the OID Tag (6) and size
++ *        (together 2 bytes)
++ */
++JNIEXPORT jstring JNICALL
++Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid(JNIEnv *env, jobject this, jbyteArray oidBA)
++{
++    SECItem *oid = NULL;
++    SECOidTag oidTag = SEC_OID_UNKNOWN;
++    char *oidDesc = NULL;
++    jstring description= "";
++
++    if (oidBA == NULL) {
++        JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
++            "JSS getTagDescriptionByOid: oidBA null");
++        goto finish;
++    } else {
++        /**************************************************
++         * Setup the parameters
++         *************************************************/
++        oid = JSS_ByteArrayToSECItem(env, oidBA);
++        if (oid == NULL) {
++            JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
++                "JSS getTagDescriptionByOid: JSS_ByteArrayToSECItem failed");
++            goto finish;
++        }
++
++        /*
++         * SECOID_FindOIDTag() returns SEC_OID_UNKNOWN if no match
++         */
++        oidTag = SECOID_FindOIDTag(oid);
++        if (oidTag == SEC_OID_UNKNOWN) {
++            JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
++                "JSS getTagDescriptionByOid: OID UNKNOWN");
++            goto finish;
++        }
++
++        oidDesc = SECOID_FindOIDTagDescription(oidTag);
++        if (oidDesc == NULL) {
++            oidDesc = "";
++        }
++        description = (*env)->NewStringUTF(env, oidDesc);
++    }
++
++finish:
++    return description;
++}
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig	2012-03-19 17:48:57.119048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java	2012-03-19 18:03:20.766186000 -0700
+@@ -36,6 +36,8 @@
+ package org.mozilla.jss.asn1;
+ 
+ import java.io.*;
++import java.util.Arrays;
++
+ import org.mozilla.jss.asn1.InvalidBERException;
+ import org.mozilla.jss.util.Assert;
+ 
+@@ -114,4 +116,71 @@ public class ASN1Util {
+             numRead += nr;
+         }
+     }
++
++    /**
++     * returns the ECC curve byte array given the X509 public key byte array
++     *
++     * @param X509PubKeyBytes byte array of an X509PubKey
++     * @param withHeader tells if the return byes should inclulde the tag and size header or not
++     */
++    public static byte[] getECCurveBytesByX509PublicKeyBytes(byte[] X509PubKeyBytes,
++        boolean withHeader)
++        throws IllegalArgumentException, ArrayIndexOutOfBoundsException,
++               NullPointerException
++    {
++        if ((X509PubKeyBytes == null) || (X509PubKeyBytes.length == 0)) {
++            throw new IllegalArgumentException("X509PubKeyBytes null");
++        }
++
++        /* EC public key OID complete with tag and size */
++        byte[] EC_PubOIDBytes_full =
++            ASN1Util.encode(OBJECT_IDENTIFIER.EC_PUBKEY_OID);
++
++        /* EC public key OID without tag and size */
++        byte[] EC_PubOIDBytes =
++            Arrays.copyOfRange(EC_PubOIDBytes_full, 2, EC_PubOIDBytes_full.length);
++
++        int curveBeginIndex = 0;
++        for (int idx = 0; idx<= X509PubKeyBytes.length; idx++) {
++            byte[] tmp = 
++                Arrays.copyOfRange(X509PubKeyBytes, idx, idx+EC_PubOIDBytes.length);
++            if (Arrays.equals(tmp, EC_PubOIDBytes)) {
++                curveBeginIndex = idx+ EC_PubOIDBytes.length;
++                break;
++            }
++        }
++
++        int curveByteArraySize = (int) X509PubKeyBytes[curveBeginIndex+ 1];
++
++        if (withHeader) {
++            /* actual curve with tag and size */
++            byte curve[] = Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex, curveBeginIndex + curveByteArraySize + 2);
++            return curve;
++        } else {
++            /* actual curve without tag and size */
++            byte curve[] = 
++                Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex + 2,
++                    curveBeginIndex + 2 + curveByteArraySize);
++            return curve;
++        }
++    }
++
++    /**
++     * getOIDdescription() returns a text description of the OID
++     *     from OID byte array
++     * the OID byte array is expected to be without the OID Tag (6) and size
++     *    (together 2 bytes)
++     */
++    public static String
++    getOIDdescription(byte[] oidBA) {
++        return getTagDescriptionByOid(oidBA);
++    }
++
++    /**
++     * get OID description JNI method
++     */
++    private native static String
++    getTagDescriptionByOid(byte[] oidBA);
++
++
+ }
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig	2012-03-19 17:48:57.467048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile	2012-03-19 17:48:53.348052000 -0700
+@@ -57,7 +57,7 @@ include $(CORE_DEPTH)/$(MODULE)/config/c
+ #######################################################################
+ # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+ #######################################################################
+-#include config.mk
++include config.mk
+ 
+ 
+ #######################################################################
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig	2012-03-19 17:48:57.178048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java	2012-03-19 17:48:53.364052000 -0700
+@@ -52,6 +52,12 @@ public class OBJECT_IDENTIFIER implement
+     ///////////////////////////////////////////////////////////////////////
+ 
+     /**
++     * The OID space for EC
++     */
++    public static final OBJECT_IDENTIFIER EC_PUBKEY_OID =
++        new OBJECT_IDENTIFIER( new long[]{1, 2, 840, 10045, 2, 1} );
++
++    /**
+      * The OID space for RSA Data Security, Inc.
+      */
+     public static final OBJECT_IDENTIFIER RSADSI =
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig	2012-03-19 17:48:57.398048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk	2012-03-19 17:48:53.381052000 -0700
+@@ -0,0 +1,41 @@
++# 
++# ***** BEGIN LICENSE BLOCK *****
++# Version: MPL 1.1/GPL 2.0/LGPL 2.1
++#
++# The contents of this file are subject to the Mozilla Public License Version
++# 1.1 (the "License"); you may not use this file except in compliance with
++# the License. You may obtain a copy of the License at
++# http://www.mozilla.org/MPL/
++#
++# Software distributed under the License is distributed on an "AS IS" basis,
++# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++# for the specific language governing rights and limitations under the
++# License.
++#
++# The Original Code is the Netscape Security Services for Java.
++#
++# The Initial Developer of the Original Code is
++# Netscape Communications Corporation.
++# Portions created by the Initial Developer are Copyright (C) 1998-2000
++# the Initial Developer. All Rights Reserved.
++#
++# Contributor(s):
++#
++# Alternatively, the contents of this file may be used under the terms of
++# either the GNU General Public License Version 2 or later (the "GPL"), or
++# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++# in which case the provisions of the GPL or the LGPL are applicable instead
++# of those above. If you wish to allow use of your version of this file only
++# under the terms of either the GPL or the LGPL, and not to allow others to
++# use your version of this file under the terms of the MPL, indicate your
++# decision by deleting the provisions above and replace them with the notice
++# and other provisions required by the GPL or the LGPL. If you do not delete
++# the provisions above, a recipient may use your version of this file under
++# the terms of any one of the MPL, the GPL or the LGPL.
++#
++# ***** END LICENSE BLOCK *****
++TARGETS=$(LIBRARY)
++SHARED_LIBRARY=
++IMPORT_LIBRARY=
++
++NO_MD_RELEASE = 1
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig	2012-03-19 17:48:57.434048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn	2012-03-19 17:48:53.401052000 -0700
+@@ -41,6 +41,8 @@ MODULE = jss
+  
+ NS_USE_JDK = 1
+ 
++REQUIRES =      nspr20 nss
++
+ PACKAGE =       org/mozilla/jss/asn1
+ 
+ CLASSES = 											\
+@@ -112,3 +114,9 @@ JSRCS = 											\
+             UTCTime.java                            \
+             UTF8String.java                         \
+ 			$(NULL)
++
++CSRCS =                             \
++            ASN1Util.c     \
++            $(NULL)
++
++LIBRARY_NAME = jssasn1
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig	2012-03-19 17:48:57.502048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn	2012-03-19 17:48:53.413052000 -0700
+@@ -48,6 +48,7 @@ DIRS =	\
+ 	crypto	\
+     SecretDecoderRing \
+ 	pkcs11	\
++    asn1   \
+     ssl     \
+     provider \
+ 	$(NULL)
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig	2012-03-19 17:48:57.238048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java	2012-03-19 17:48:53.432052000 -0700
+@@ -61,15 +61,29 @@ public final class PK11ECPublicKey exten
+ //      }
+ //    }
+ //
+-//    public BigInteger getW() {
+-//      try {
+-//        return new BigInteger( getWByteArray() );
+-//      } catch(NumberFormatException e) {
+-//        Assert.notReached("Unable to decode DSA public value");
+-//        return null;
+-//      }
+-//    }
+-//
+-//    private native byte[] getCurveByteArray();
+-//    private native byte[] getWByteArray();
++
++    public BigInteger getCurve() {
++      try {
++        return new BigInteger( getCurveByteArray() );
++      } catch(NumberFormatException e) {
++       Assert.notReached("Unable to decode EC curve");
++       return null;
++      }
++    }
++
++    public byte[] getCurveBA() {
++        return getCurveByteArray();
++    }
++
++    public BigInteger getW() {
++      try {
++        return new BigInteger( getWByteArray() );
++      } catch(NumberFormatException e) {
++        Assert.notReached("Unable to decode EC public value");
++        return null;
++      }
++    }
++
++    private native byte[] getCurveByteArray();
++    private native byte[] getWByteArray();
+ }
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig	2012-03-19 17:48:57.272048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c	2012-03-19 17:48:53.450052000 -0700
+@@ -450,6 +450,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+             numAttribs = 4;
+         }
+ 	break;
++    case CKK_EC:
++        numAttribs = 1;
++        attribs[0] = CKA_SIGN;
++        if (isExtractable) {
++            attribs[1] = CKA_EXTRACTABLE;
++            numAttribs = 2;
++        }
++	break;
+     case CKK_DSA:
+         attribs[0] = CKA_SIGN;
+         numAttribs = 1;
+@@ -460,11 +468,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+         attribs[0] = CKA_DERIVE;
+         numAttribs = 1;
+ 	break;
+-    case CKK_EC:
+-        attribs[0] = CKA_SIGN;
+-        attribs[1] = CKA_DERIVE;
+-        numAttribs = 2;
+-	break;
+     default:
+         /* unknown key type */
+         PR_ASSERT(PR_FALSE);
+@@ -479,7 +482,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+                 attribs, numAttribs, NULL /*wincx*/);
+     if( privk == NULL ) {
+         char err[256] = {0};
+-        PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError());
++        PR_snprintf(err, 256, "Key Unwrap failed on token:error=%d, keyType=%d", PR_GetError(), keyType);
+         JSS_throwMsg(env, TOKEN_EXCEPTION, err);
+         goto finish;
+     }
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig	2012-03-19 17:48:57.298048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java	2012-03-19 17:48:53.471052000 -0700
+@@ -459,13 +459,19 @@ final class PK11KeyWrapper implements Ke
+         if( type == PrivateKey.RSA ) {
+             if( !(publicKey instanceof RSAPublicKey)) {
+                 throw new InvalidKeyException("Type of public key does not "+
+-                    "match type of private key");
++                    "match type of private key which is RSA");
+             }
+             return ((RSAPublicKey)publicKey).getModulus().toByteArray();
++        } else if(type == PrivateKey.EC) {
++            if( !(publicKey instanceof PK11ECPublicKey) ) {
++                throw new InvalidKeyException("Type of public key does not "+
++                    "match type of private key which is EC");
++            }
++            return ((PK11ECPublicKey)publicKey).getW().toByteArray();
+         } else if(type == PrivateKey.DSA) {
+             if( !(publicKey instanceof DSAPublicKey) ) {
+                 throw new InvalidKeyException("Type of public key does not "+
+-                    "match type of private key");
++                    "match type of private key which is DSA");
+             }
+             return ((DSAPublicKey)publicKey).getY().toByteArray();
+         } else {

jss-HSM-manufacturerID.patch

@@ -0,0 +1,62 @@
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu	2011-11-10 17:18:02.706421000 -0800
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c	2011-11-10 17:18:23.370442000 -0800
+@@ -195,7 +195,8 @@ JSS_PK11_generateKeyPairWithOpFlags(JNIE
+             }
+             PR_GetErrorText(errBuf);
+         }
+-        msgBuf = PR_smprintf("Keypair Generation failed on token: %s",
++        msgBuf = PR_smprintf("Keypair Generation failed on token with error: %d : %s",
++            PR_GetError(),
+             errLength>0? errBuf : "");
+         if(errLength>0) {
+             PR_Free(errBuf);
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu	2011-11-10 17:18:10.767429000 -0800
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c	2011-11-10 17:52:34.703491000 -0800
+@@ -334,32 +334,36 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+     PRBool isExtractable = PR_FALSE;
+ 
+     /* special case nethsm and lunasa*/
+-    CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
+-    CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'};
++    const int numManufacturerIDchars = 7;
++    CK_UTF8CHAR nethsmManufacturerID[] = {'n','C','i','p','h','e','r'};
++    CK_UTF8CHAR lunasaManufacturerID[] = {'S','a','f','e','n','e','t'};
+     PRBool isNethsm = PR_TRUE;
+     PRBool isLunasa = PR_TRUE;
+ 
++    tokenInfo.manufacturerID[0] = 0;
++
+     if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
+         /* exception was thrown */
+         goto finish;
+     }
+ 
+-    if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) {
++    if ( (PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) &&
++       (tokenInfo.manufacturerID[0] != 0)) {
+         int ix = 0;
+-        for(ix=0; ix < 4; ix++) {
+-            if (tokenInfo.label[ix] != nethsmLabel[ix]) {
++
++        for(ix=0; ix < numManufacturerIDchars; ix++) {
++            if (tokenInfo.manufacturerID[ix] != nethsmManufacturerID[ix]) {
+                isNethsm = PR_FALSE;
+                break;
+             }
+         }
+-        ix = 0;
+-        for(ix=0; ix < 4; ix++) {
+-            if (tokenInfo.label[ix] != lunasaLabel[ix]) {
++
++        for(ix=0; ix < numManufacturerIDchars; ix++) {
++            if (tokenInfo.manufacturerID[ix] != lunasaManufacturerID[ix]) {
+                isLunasa = PR_FALSE;
+                break;
+             }
+         }
+-
+     } else {
+         isNethsm = PR_FALSE;
+         isLunasa = PR_FALSE;

jss-undo-JCA-deprecations.patch

@@ -0,0 +1,171 @@
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java	2012-03-20 16:30:26.570338000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java	2012-03-20 16:39:59.083196000 -0700
+@@ -49,7 +49,6 @@ import org.mozilla.jss.util.Assert;
+  * it is not necessary to call <code>update</code> if all of the data is
+  * available at once.  In this case, all of the input can be processed with one
+  * call to <code>doFinal</code>.
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
+  */
+ public abstract class Cipher {
+ 
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java	2012-03-20 16:30:26.587338000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java	2012-03-20 16:41:54.792964000 -0700
+@@ -60,7 +60,6 @@ public interface CryptoToken {
+      * @param algorithm The algorithm used for the signing/verification.
+      * @exception java.security.NoSuchAlgorithmException If the given
+      *      algorithm is not supported by this provider.
+-     * @deprecated Use the JCA interface instead ({@link java.security.Signature})
+      */
+     public abstract org.mozilla.jss.crypto.Signature
+     getSignatureContext(SignatureAlgorithm algorithm)
+@@ -73,7 +72,6 @@ public interface CryptoToken {
+      * @param algorithm The algorithm used for digesting.
+      * @exception java.security.NoSuchAlgorithmException If this provider
+      *  does not support the given algorithm.
+-     * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest})
+      */
+     public abstract JSSMessageDigest
+     getDigestContext(DigestAlgorithm algorithm)
+@@ -89,15 +87,11 @@ public interface CryptoToken {
+      * @param algorithm The algorithm used for encryption/decryption.
+      * @exception java.security.NoSuchAlgorithmException If this provider
+      *      does not support the given algorithm.
+-     * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
+      */
+     public abstract Cipher
+     getCipherContext(EncryptionAlgorithm algorithm)
+         throws java.security.NoSuchAlgorithmException, TokenException;
+ 
+-    /**
+-     * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
+-     */
+     public abstract KeyWrapper
+     getKeyWrapper(KeyWrapAlgorithm algorithm)
+         throws java.security.NoSuchAlgorithmException, TokenException;
+@@ -123,7 +117,6 @@ public interface CryptoToken {
+      * @param algorithm The algorithm that the keys will be used with.
+      * @exception java.security.NoSuchAlgorithmException If this token does not
+      *      support the given algorithm.
+-     * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator})
+      */
+     public abstract KeyGenerator
+     getKeyGenerator(KeyGenAlgorithm algorithm)
+@@ -136,7 +129,6 @@ public interface CryptoToken {
+      *      cannot be extracted from the current token.
+      * @exception InvalidKeyException If the owning token cannot process
+      *      the key to be cloned.
+-     * @deprecated Use the JCA interface instead ({@link javax.crypto.SecretKeyFactory})
+      */
+     public SymmetricKey cloneKey(SymmetricKey key)
+         throws SymmetricKey.NotExtractableException,
+@@ -151,7 +143,6 @@ public interface CryptoToken {
+      *      DSA, EC, etc.)
+      * @exception java.security.NoSuchAlgorithmException If this token does
+      *      not support the given algorithm.
+-     * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})
+      */
+     public abstract KeyPairGenerator
+     getKeyPairGenerator(KeyPairAlgorithm algorithm)
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java	2012-03-20 16:30:26.595338000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java	2012-03-20 16:38:31.987370000 -0700
+@@ -41,7 +41,6 @@ import java.security.InvalidKeyException
+ 
+ /**
+  * A class for performing message digesting (hashing) and MAC operations.
+- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest})
+  */
+ public abstract class JSSMessageDigest {
+ 
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java	2004-04-25 08:02:21.000000000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java	2012-03-20 16:39:02.938308000 -0700
+@@ -38,7 +38,6 @@ package org.mozilla.jss.crypto;
+ 
+ /**
+  * An interface for secure random numbers.
+- * @deprecated Use the JCA interface instead ({@link java.security.SecureRandom})
+  */
+ public interface JSSSecureRandom {
+ 
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java	2005-11-14 14:15:06.000000000 -0800
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java	2012-03-20 16:39:19.687274000 -0700
+@@ -43,7 +43,6 @@ import java.io.CharConversionException;
+ 
+ /**
+  * Generates symmetric keys for encryption and decryption.
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator})
+  */
+ public interface KeyGenerator {
+ 
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java	2012-03-20 16:30:25.755340000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java	2012-03-20 16:38:03.635426000 -0700
+@@ -49,7 +49,6 @@ import java.security.spec.AlgorithmParam
+  * <code>keygenOnInternalToken</code> to find out if this is happening.
+  *
+  * @see org.mozilla.jss.crypto.CryptoToken#getKeyPairGenerator
+- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})
+  */
+ public class KeyPairGenerator {
+ 
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java	2004-04-25 08:02:21.000000000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java	2012-03-20 16:39:40.551232000 -0700
+@@ -40,9 +40,6 @@ import java.security.InvalidAlgorithmPar
+ import java.security.PublicKey;
+ import java.security.InvalidKeyException;
+ 
+-/**
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
+- */
+ public interface KeyWrapper {
+ 
+     public void initWrap(SymmetricKey wrappingKey,
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java	2004-04-25 08:02:21.000000000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java	2012-03-20 16:38:46.468340000 -0700
+@@ -44,7 +44,6 @@ import java.security.spec.AlgorithmParam
+  * Instances of this class can be obtain from <code>CryptoToken</code>s.
+  *
+  * @see org.mozilla.jss.crypto.CryptoToken#getSignatureContext
+- * @deprecated Use the JCA interface instead ({@link java.security.Signature})
+  */
+ public class Signature { 
+ 
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java	2005-11-23 15:40:26.000000000 -0800
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java	2012-03-20 16:35:13.653766000 -0700
+@@ -37,15 +37,10 @@
+ 
+ /* This program demonstrates how to sign data with keys from JSS
+  *
+- * Most of this code is deprecated look at JCASigTest.java
+- *
+  * The token name can be either the name of a hardware token, or
+  * one of the internal tokens:
+  *  Internal Crypto Services Token
+  *  Internal Key Storage Token    (keys stored in key3.db)
+- *
+- * @see org.mozilla.jss.tests.JCASigTest
+- * @deprecated Use the JCA interface instead
+  */
+ 
+ package org.mozilla.jss.tests;
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl	2007-12-20 10:38:44.000000000 -0800
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl	2012-03-20 16:36:37.711598000 -0700
+@@ -534,6 +534,10 @@ $testname = "Mozilla-JSS JCA Signature "
+ $command = "$java -cp $jss_classpath org.mozilla.jss.tests.JCASigTest $testdir $pwfile";
+ run_test($testname, $command);
+ 
++$testname = "Mozilla-JSS NSS Signature ";
++$command = "$java -cp $jss_classpath org.mozilla.jss.tests.SigTest $testdir $pwfile";
++run_test($testname, $command);
++
+ $testname = "Secret Decoder Ring";
+ $command = "$java -cp $jss_classpath org.mozilla.jss.tests.TestSDR $testdir $pwfile";
+ run_test($testname, $command);

jss.spec

@@ -1,6 +1,6 @@
 Name:           jss
 Version:        4.2.6
-Release:        22%{?dist}
+Release:        23%{?dist}
 Summary:        Java Security Services (JSS)
 
 Group:          System Environment/Libraries
@@ -40,6 +40,9 @@ Patch15:        jss-PKCS12-FIPS.patch
 Patch16:        jss-eliminate-native-coverity-defects.patch
 Patch17:        jss-PBE-PKCS5-V2-secure-P12.patch
 Patch18:        jss-wrapInToken.patch
+Patch19:        jss-HSM-manufacturerID.patch
+Patch20:        jss-ECC-Phase2KeyArchivalRecovery.patch
+Patch21:        jss-undo-JCA-deprecations.patch
 
 
 %description
@@ -75,6 +78,9 @@ This package contains the API documentation for JSS.
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
 
 %build
 [ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
@@ -112,6 +118,9 @@ export USE_64
 %if 0%{?fedora} >= 16
 cp -p mozilla/security/coreconf/Linux2.6.mk mozilla/security/coreconf/Linux3.1.mk 
 sed -i -e 's;LINUX2_1;LINUX3_1;' mozilla/security/coreconf/Linux3.1.mk
+
+cp -p mozilla/security/coreconf/Linux3.1.mk mozilla/security/coreconf/Linux3.2.mk 
+sed -i -e 's;LINUX3_1;LINUX3_2;' mozilla/security/coreconf/Linux3.2.mk
 %endif
 
 # The Makefile is not thread-safe
@@ -146,6 +155,11 @@ ln -fs %{_libdir}/jss/jss4.jar $RPM_BUILD_ROOT%{_jnidir}/jss4.jar
 # loaded by the jar file.
 install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
 install -m 0755 mozilla/dist/Linux*.OBJ/lib/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
+%if 0%{?fedora} >= 16
+pushd  ${RPM_BUILD_ROOT}%{_libdir}/jss
+    ln -fs %{_jnidir}/jss4.jar jss4.jar
+popd
+%endif
 
 # javadoc
 install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
@@ -168,6 +182,16 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Tue Mar 20 2012 Christina Fu <cfu@redhat.com> - 4.2.6-23
+- Bugzilla Bug #797351 - JSS - HSM token name was mistaken for manufacturer
+  identifier (cfu)
+- Bugzilla Bug #804840 - [RFE] ECC encryption keys cannot be archived
+  ECC phase2 work - support for ECC encryption key archival and recovery (cfu)
+- Bugzilla Bug #783007 - Un-deprecate previously deprecated methods in
+  JSS 4.2.6 . . . (mharmsen)
+- Dogtag TRAC Task #109 (https://fedorahosted.org/pki/ticket/109) - add
+  benign JNI jar file symbolic link from JNI libdir to JNI jar file (mharmsen)
+
 * Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-22
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild