From 7094694f24340ad0aecbcf85fbcde182458bb709 Mon Sep 17 00:00:00 2001 From: Matthew Harmsen Date: Wed, 21 Mar 2012 21:38:00 -0700 Subject: [PATCH] Bugzilla Bug #797351 - JSS - HSM token name was mistaken for manufacturer identifier Bugzilla Bug #804840 - [RFE] ECC encryption keys cannot be archived ECC phase2 work - support for ECC encryption key archival and recovery Bugzilla Bug #783007 - Un-deprecate previously deprecated methods in JSS 4.2.6 . . . Dogtag TRAC Task #109 (https://fedorahosted.org/pki/ticket/109) - add benign JNI jar file symbolic link from JNI libdir to JNI jar file --- clog | 5 - jss-ECC-Phase2KeyArchivalRecovery.patch | 451 ++++++++++++++++++++++++ jss-HSM-manufacturerID.patch | 62 ++++ jss-undo-JCA-deprecations.patch | 171 +++++++++ jss.spec | 26 +- 5 files changed, 709 insertions(+), 6 deletions(-) delete mode 100644 clog create mode 100644 jss-ECC-Phase2KeyArchivalRecovery.patch create mode 100644 jss-HSM-manufacturerID.patch create mode 100644 jss-undo-JCA-deprecations.patch diff --git a/clog b/clog deleted file mode 100644 index 6a41480..0000000 --- a/clog +++ /dev/null @@ -1,5 +0,0 @@ -Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping -unwrapping keys should be done in the token -support for PKCS5v2; support for secure PKCS12 -Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after the -in-place upgrade( CS 8.0->8.1) diff --git a/jss-ECC-Phase2KeyArchivalRecovery.patch b/jss-ECC-Phase2KeyArchivalRecovery.patch new file mode 100644 index 0000000..1bcc238 --- /dev/null +++ b/jss-ECC-Phase2KeyArchivalRecovery.patch @@ -0,0 +1,451 @@ +diff -up jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig jss-4.2.6/mozilla/security/jss/build_java.pl +--- jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig 2012-03-19 17:48:57.615048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/build_java.pl 2012-03-19 17:48:53.250052000 -0700 +@@ -19,6 +19,7 @@ org.mozilla.jss.crypto.Algorithm + org.mozilla.jss.crypto.EncryptionAlgorithm + org.mozilla.jss.crypto.PQGParams + org.mozilla.jss.crypto.SecretDecoderRing ++org.mozilla.jss.asn1.ASN1Util + org.mozilla.jss.pkcs11.CertProxy + org.mozilla.jss.pkcs11.CipherContextProxy + org.mozilla.jss.pkcs11.PK11Module +diff -up jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/config.mk +--- jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig 2012-03-19 17:48:57.535048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/lib/config.mk 2012-03-19 17:48:53.264052000 -0700 +@@ -44,6 +44,7 @@ SHARED_LIBRARY_DIRS = \ + ../org/mozilla/jss/SecretDecoderRing \ + ../org/mozilla/jss \ + ../org/mozilla/jss/pkcs11 \ ++ ../org/mozilla/jss/asn1 \ + ../org/mozilla/jss/ssl \ + ../org/mozilla/jss/util \ + ../org/mozilla/jss/provider/java/security \ +diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig jss-4.2.6/mozilla/security/jss/lib/jss.def +--- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig 2012-03-19 17:48:57.362048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2012-03-19 17:48:53.278052000 -0700 +@@ -333,6 +333,7 @@ Java_org_mozilla_jss_CryptoManager_OCSPC + Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; + Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; + Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative; ++Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid; + ;+ local: + ;+ *; + ;+}; +diff -up jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/rules.mk +--- jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig 2012-03-19 17:48:57.574049000 -0700 ++++ jss-4.2.6/mozilla/security/jss/lib/rules.mk 2012-03-19 17:48:53.288052000 -0700 +@@ -41,6 +41,7 @@ release_sanitize:: + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsscrypto$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssmanage$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspkcs11$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) ++ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssasn1$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspolicy$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssssl$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssutil$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) +@@ -48,6 +49,7 @@ ifeq ($(OS_ARCH),WINNT) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsscrypto$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssmanage$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspkcs11$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) ++ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssasn1$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspolicy$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssssl$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssutil$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig 2012-03-19 17:48:57.381048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c 2012-03-19 17:51:32.433893000 -0700 +@@ -0,0 +1,97 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++#include "_jni/org_mozilla_jss_asn1_ASN1Util.h" ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++/*********************************************************************** ++ * ++ * Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid ++ * retrieves OID description by NSS's OID Tag identifier ++ * the OID byte array is expected to be without the OID Tag (6) and size ++ * (together 2 bytes) ++ */ ++JNIEXPORT jstring JNICALL ++Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid(JNIEnv *env, jobject this, jbyteArray oidBA) ++{ ++ SECItem *oid = NULL; ++ SECOidTag oidTag = SEC_OID_UNKNOWN; ++ char *oidDesc = NULL; ++ jstring description= ""; ++ ++ if (oidBA == NULL) { ++ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION, ++ "JSS getTagDescriptionByOid: oidBA null"); ++ goto finish; ++ } else { ++ /************************************************** ++ * Setup the parameters ++ *************************************************/ ++ oid = JSS_ByteArrayToSECItem(env, oidBA); ++ if (oid == NULL) { ++ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION, ++ "JSS getTagDescriptionByOid: JSS_ByteArrayToSECItem failed"); ++ goto finish; ++ } ++ ++ /* ++ * SECOID_FindOIDTag() returns SEC_OID_UNKNOWN if no match ++ */ ++ oidTag = SECOID_FindOIDTag(oid); ++ if (oidTag == SEC_OID_UNKNOWN) { ++ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION, ++ "JSS getTagDescriptionByOid: OID UNKNOWN"); ++ goto finish; ++ } ++ ++ oidDesc = SECOID_FindOIDTagDescription(oidTag); ++ if (oidDesc == NULL) { ++ oidDesc = ""; ++ } ++ description = (*env)->NewStringUTF(env, oidDesc); ++ } ++ ++finish: ++ return description; ++} +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig 2012-03-19 17:48:57.119048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java 2012-03-19 18:03:20.766186000 -0700 +@@ -36,6 +36,8 @@ + package org.mozilla.jss.asn1; + + import java.io.*; ++import java.util.Arrays; ++ + import org.mozilla.jss.asn1.InvalidBERException; + import org.mozilla.jss.util.Assert; + +@@ -114,4 +116,71 @@ public class ASN1Util { + numRead += nr; + } + } ++ ++ /** ++ * returns the ECC curve byte array given the X509 public key byte array ++ * ++ * @param X509PubKeyBytes byte array of an X509PubKey ++ * @param withHeader tells if the return byes should inclulde the tag and size header or not ++ */ ++ public static byte[] getECCurveBytesByX509PublicKeyBytes(byte[] X509PubKeyBytes, ++ boolean withHeader) ++ throws IllegalArgumentException, ArrayIndexOutOfBoundsException, ++ NullPointerException ++ { ++ if ((X509PubKeyBytes == null) || (X509PubKeyBytes.length == 0)) { ++ throw new IllegalArgumentException("X509PubKeyBytes null"); ++ } ++ ++ /* EC public key OID complete with tag and size */ ++ byte[] EC_PubOIDBytes_full = ++ ASN1Util.encode(OBJECT_IDENTIFIER.EC_PUBKEY_OID); ++ ++ /* EC public key OID without tag and size */ ++ byte[] EC_PubOIDBytes = ++ Arrays.copyOfRange(EC_PubOIDBytes_full, 2, EC_PubOIDBytes_full.length); ++ ++ int curveBeginIndex = 0; ++ for (int idx = 0; idx<= X509PubKeyBytes.length; idx++) { ++ byte[] tmp = ++ Arrays.copyOfRange(X509PubKeyBytes, idx, idx+EC_PubOIDBytes.length); ++ if (Arrays.equals(tmp, EC_PubOIDBytes)) { ++ curveBeginIndex = idx+ EC_PubOIDBytes.length; ++ break; ++ } ++ } ++ ++ int curveByteArraySize = (int) X509PubKeyBytes[curveBeginIndex+ 1]; ++ ++ if (withHeader) { ++ /* actual curve with tag and size */ ++ byte curve[] = Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex, curveBeginIndex + curveByteArraySize + 2); ++ return curve; ++ } else { ++ /* actual curve without tag and size */ ++ byte curve[] = ++ Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex + 2, ++ curveBeginIndex + 2 + curveByteArraySize); ++ return curve; ++ } ++ } ++ ++ /** ++ * getOIDdescription() returns a text description of the OID ++ * from OID byte array ++ * the OID byte array is expected to be without the OID Tag (6) and size ++ * (together 2 bytes) ++ */ ++ public static String ++ getOIDdescription(byte[] oidBA) { ++ return getTagDescriptionByOid(oidBA); ++ } ++ ++ /** ++ * get OID description JNI method ++ */ ++ private native static String ++ getTagDescriptionByOid(byte[] oidBA); ++ ++ + } +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig 2012-03-19 17:48:57.467048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile 2012-03-19 17:48:53.348052000 -0700 +@@ -57,7 +57,7 @@ include $(CORE_DEPTH)/$(MODULE)/config/c + ####################################################################### + # (4) Include "local" platform-dependent assignments (OPTIONAL). # + ####################################################################### +-#include config.mk ++include config.mk + + + ####################################################################### +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig 2012-03-19 17:48:57.178048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java 2012-03-19 17:48:53.364052000 -0700 +@@ -52,6 +52,12 @@ public class OBJECT_IDENTIFIER implement + /////////////////////////////////////////////////////////////////////// + + /** ++ * The OID space for EC ++ */ ++ public static final OBJECT_IDENTIFIER EC_PUBKEY_OID = ++ new OBJECT_IDENTIFIER( new long[]{1, 2, 840, 10045, 2, 1} ); ++ ++ /** + * The OID space for RSA Data Security, Inc. + */ + public static final OBJECT_IDENTIFIER RSADSI = +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig 2012-03-19 17:48:57.398048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk 2012-03-19 17:48:53.381052000 -0700 +@@ -0,0 +1,41 @@ ++# ++# ***** BEGIN LICENSE BLOCK ***** ++# Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++# ++# The contents of this file are subject to the Mozilla Public License Version ++# 1.1 (the "License"); you may not use this file except in compliance with ++# the License. You may obtain a copy of the License at ++# http://www.mozilla.org/MPL/ ++# ++# Software distributed under the License is distributed on an "AS IS" basis, ++# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++# for the specific language governing rights and limitations under the ++# License. ++# ++# The Original Code is the Netscape Security Services for Java. ++# ++# The Initial Developer of the Original Code is ++# Netscape Communications Corporation. ++# Portions created by the Initial Developer are Copyright (C) 1998-2000 ++# the Initial Developer. All Rights Reserved. ++# ++# Contributor(s): ++# ++# Alternatively, the contents of this file may be used under the terms of ++# either the GNU General Public License Version 2 or later (the "GPL"), or ++# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++# in which case the provisions of the GPL or the LGPL are applicable instead ++# of those above. If you wish to allow use of your version of this file only ++# under the terms of either the GPL or the LGPL, and not to allow others to ++# use your version of this file under the terms of the MPL, indicate your ++# decision by deleting the provisions above and replace them with the notice ++# and other provisions required by the GPL or the LGPL. If you do not delete ++# the provisions above, a recipient may use your version of this file under ++# the terms of any one of the MPL, the GPL or the LGPL. ++# ++# ***** END LICENSE BLOCK ***** ++TARGETS=$(LIBRARY) ++SHARED_LIBRARY= ++IMPORT_LIBRARY= ++ ++NO_MD_RELEASE = 1 +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig 2012-03-19 17:48:57.434048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn 2012-03-19 17:48:53.401052000 -0700 +@@ -41,6 +41,8 @@ MODULE = jss + + NS_USE_JDK = 1 + ++REQUIRES = nspr20 nss ++ + PACKAGE = org/mozilla/jss/asn1 + + CLASSES = \ +@@ -112,3 +114,9 @@ JSRCS = \ + UTCTime.java \ + UTF8String.java \ + $(NULL) ++ ++CSRCS = \ ++ ASN1Util.c \ ++ $(NULL) ++ ++LIBRARY_NAME = jssasn1 +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig 2012-03-19 17:48:57.502048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn 2012-03-19 17:48:53.413052000 -0700 +@@ -48,6 +48,7 @@ DIRS = \ + crypto \ + SecretDecoderRing \ + pkcs11 \ ++ asn1 \ + ssl \ + provider \ + $(NULL) +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig 2012-03-19 17:48:57.238048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java 2012-03-19 17:48:53.432052000 -0700 +@@ -61,15 +61,29 @@ public final class PK11ECPublicKey exten + // } + // } + // +-// public BigInteger getW() { +-// try { +-// return new BigInteger( getWByteArray() ); +-// } catch(NumberFormatException e) { +-// Assert.notReached("Unable to decode DSA public value"); +-// return null; +-// } +-// } +-// +-// private native byte[] getCurveByteArray(); +-// private native byte[] getWByteArray(); ++ ++ public BigInteger getCurve() { ++ try { ++ return new BigInteger( getCurveByteArray() ); ++ } catch(NumberFormatException e) { ++ Assert.notReached("Unable to decode EC curve"); ++ return null; ++ } ++ } ++ ++ public byte[] getCurveBA() { ++ return getCurveByteArray(); ++ } ++ ++ public BigInteger getW() { ++ try { ++ return new BigInteger( getWByteArray() ); ++ } catch(NumberFormatException e) { ++ Assert.notReached("Unable to decode EC public value"); ++ return null; ++ } ++ } ++ ++ private native byte[] getCurveByteArray(); ++ private native byte[] getWByteArray(); + } +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig 2012-03-19 17:48:57.272048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2012-03-19 17:48:53.450052000 -0700 +@@ -450,6 +450,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + numAttribs = 4; + } + break; ++ case CKK_EC: ++ numAttribs = 1; ++ attribs[0] = CKA_SIGN; ++ if (isExtractable) { ++ attribs[1] = CKA_EXTRACTABLE; ++ numAttribs = 2; ++ } ++ break; + case CKK_DSA: + attribs[0] = CKA_SIGN; + numAttribs = 1; +@@ -460,11 +468,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + attribs[0] = CKA_DERIVE; + numAttribs = 1; + break; +- case CKK_EC: +- attribs[0] = CKA_SIGN; +- attribs[1] = CKA_DERIVE; +- numAttribs = 2; +- break; + default: + /* unknown key type */ + PR_ASSERT(PR_FALSE); +@@ -479,7 +482,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + attribs, numAttribs, NULL /*wincx*/); + if( privk == NULL ) { + char err[256] = {0}; +- PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError()); ++ PR_snprintf(err, 256, "Key Unwrap failed on token:error=%d, keyType=%d", PR_GetError(), keyType); + JSS_throwMsg(env, TOKEN_EXCEPTION, err); + goto finish; + } +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig 2012-03-19 17:48:57.298048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2012-03-19 17:48:53.471052000 -0700 +@@ -459,13 +459,19 @@ final class PK11KeyWrapper implements Ke + if( type == PrivateKey.RSA ) { + if( !(publicKey instanceof RSAPublicKey)) { + throw new InvalidKeyException("Type of public key does not "+ +- "match type of private key"); ++ "match type of private key which is RSA"); + } + return ((RSAPublicKey)publicKey).getModulus().toByteArray(); ++ } else if(type == PrivateKey.EC) { ++ if( !(publicKey instanceof PK11ECPublicKey) ) { ++ throw new InvalidKeyException("Type of public key does not "+ ++ "match type of private key which is EC"); ++ } ++ return ((PK11ECPublicKey)publicKey).getW().toByteArray(); + } else if(type == PrivateKey.DSA) { + if( !(publicKey instanceof DSAPublicKey) ) { + throw new InvalidKeyException("Type of public key does not "+ +- "match type of private key"); ++ "match type of private key which is DSA"); + } + return ((DSAPublicKey)publicKey).getY().toByteArray(); + } else { diff --git a/jss-HSM-manufacturerID.patch b/jss-HSM-manufacturerID.patch new file mode 100644 index 0000000..2a7bdff --- /dev/null +++ b/jss-HSM-manufacturerID.patch @@ -0,0 +1,62 @@ +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu 2011-11-10 17:18:02.706421000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-11-10 17:18:23.370442000 -0800 +@@ -195,7 +195,8 @@ JSS_PK11_generateKeyPairWithOpFlags(JNIE + } + PR_GetErrorText(errBuf); + } +- msgBuf = PR_smprintf("Keypair Generation failed on token: %s", ++ msgBuf = PR_smprintf("Keypair Generation failed on token with error: %d : %s", ++ PR_GetError(), + errLength>0? errBuf : ""); + if(errLength>0) { + PR_Free(errBuf); +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-11-10 17:18:10.767429000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-11-10 17:52:34.703491000 -0800 +@@ -334,32 +334,36 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + PRBool isExtractable = PR_FALSE; + + /* special case nethsm and lunasa*/ +- CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'}; +- CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'}; ++ const int numManufacturerIDchars = 7; ++ CK_UTF8CHAR nethsmManufacturerID[] = {'n','C','i','p','h','e','r'}; ++ CK_UTF8CHAR lunasaManufacturerID[] = {'S','a','f','e','n','e','t'}; + PRBool isNethsm = PR_TRUE; + PRBool isLunasa = PR_TRUE; + ++ tokenInfo.manufacturerID[0] = 0; ++ + if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) { + /* exception was thrown */ + goto finish; + } + +- if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) { ++ if ( (PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) && ++ (tokenInfo.manufacturerID[0] != 0)) { + int ix = 0; +- for(ix=0; ix < 4; ix++) { +- if (tokenInfo.label[ix] != nethsmLabel[ix]) { ++ ++ for(ix=0; ix < numManufacturerIDchars; ix++) { ++ if (tokenInfo.manufacturerID[ix] != nethsmManufacturerID[ix]) { + isNethsm = PR_FALSE; + break; + } + } +- ix = 0; +- for(ix=0; ix < 4; ix++) { +- if (tokenInfo.label[ix] != lunasaLabel[ix]) { ++ ++ for(ix=0; ix < numManufacturerIDchars; ix++) { ++ if (tokenInfo.manufacturerID[ix] != lunasaManufacturerID[ix]) { + isLunasa = PR_FALSE; + break; + } + } +- + } else { + isNethsm = PR_FALSE; + isLunasa = PR_FALSE; diff --git a/jss-undo-JCA-deprecations.patch b/jss-undo-JCA-deprecations.patch new file mode 100644 index 0000000..a51c51a --- /dev/null +++ b/jss-undo-JCA-deprecations.patch @@ -0,0 +1,171 @@ +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2012-03-20 16:30:26.570338000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2012-03-20 16:39:59.083196000 -0700 +@@ -49,7 +49,6 @@ import org.mozilla.jss.util.Assert; + * it is not necessary to call update if all of the data is + * available at once. In this case, all of the input can be processed with one + * call to doFinal. +- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher}) + */ + public abstract class Cipher { + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2012-03-20 16:30:26.587338000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2012-03-20 16:41:54.792964000 -0700 +@@ -60,7 +60,6 @@ public interface CryptoToken { + * @param algorithm The algorithm used for the signing/verification. + * @exception java.security.NoSuchAlgorithmException If the given + * algorithm is not supported by this provider. +- * @deprecated Use the JCA interface instead ({@link java.security.Signature}) + */ + public abstract org.mozilla.jss.crypto.Signature + getSignatureContext(SignatureAlgorithm algorithm) +@@ -73,7 +72,6 @@ public interface CryptoToken { + * @param algorithm The algorithm used for digesting. + * @exception java.security.NoSuchAlgorithmException If this provider + * does not support the given algorithm. +- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest}) + */ + public abstract JSSMessageDigest + getDigestContext(DigestAlgorithm algorithm) +@@ -89,15 +87,11 @@ public interface CryptoToken { + * @param algorithm The algorithm used for encryption/decryption. + * @exception java.security.NoSuchAlgorithmException If this provider + * does not support the given algorithm. +- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher}) + */ + public abstract Cipher + getCipherContext(EncryptionAlgorithm algorithm) + throws java.security.NoSuchAlgorithmException, TokenException; + +- /** +- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher}) +- */ + public abstract KeyWrapper + getKeyWrapper(KeyWrapAlgorithm algorithm) + throws java.security.NoSuchAlgorithmException, TokenException; +@@ -123,7 +117,6 @@ public interface CryptoToken { + * @param algorithm The algorithm that the keys will be used with. + * @exception java.security.NoSuchAlgorithmException If this token does not + * support the given algorithm. +- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator}) + */ + public abstract KeyGenerator + getKeyGenerator(KeyGenAlgorithm algorithm) +@@ -136,7 +129,6 @@ public interface CryptoToken { + * cannot be extracted from the current token. + * @exception InvalidKeyException If the owning token cannot process + * the key to be cloned. +- * @deprecated Use the JCA interface instead ({@link javax.crypto.SecretKeyFactory}) + */ + public SymmetricKey cloneKey(SymmetricKey key) + throws SymmetricKey.NotExtractableException, +@@ -151,7 +143,6 @@ public interface CryptoToken { + * DSA, EC, etc.) + * @exception java.security.NoSuchAlgorithmException If this token does + * not support the given algorithm. +- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator}) + */ + public abstract KeyPairGenerator + getKeyPairGenerator(KeyPairAlgorithm algorithm) +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2012-03-20 16:30:26.595338000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2012-03-20 16:38:31.987370000 -0700 +@@ -41,7 +41,6 @@ import java.security.InvalidKeyException + + /** + * A class for performing message digesting (hashing) and MAC operations. +- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest}) + */ + public abstract class JSSMessageDigest { + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java 2004-04-25 08:02:21.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java 2012-03-20 16:39:02.938308000 -0700 +@@ -38,7 +38,6 @@ package org.mozilla.jss.crypto; + + /** + * An interface for secure random numbers. +- * @deprecated Use the JCA interface instead ({@link java.security.SecureRandom}) + */ + public interface JSSSecureRandom { + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java 2005-11-14 14:15:06.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java 2012-03-20 16:39:19.687274000 -0700 +@@ -43,7 +43,6 @@ import java.io.CharConversionException; + + /** + * Generates symmetric keys for encryption and decryption. +- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator}) + */ + public interface KeyGenerator { + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2012-03-20 16:30:25.755340000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2012-03-20 16:38:03.635426000 -0700 +@@ -49,7 +49,6 @@ import java.security.spec.AlgorithmParam + * keygenOnInternalToken to find out if this is happening. + * + * @see org.mozilla.jss.crypto.CryptoToken#getKeyPairGenerator +- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator}) + */ + public class KeyPairGenerator { + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2004-04-25 08:02:21.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2012-03-20 16:39:40.551232000 -0700 +@@ -40,9 +40,6 @@ import java.security.InvalidAlgorithmPar + import java.security.PublicKey; + import java.security.InvalidKeyException; + +-/** +- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher}) +- */ + public interface KeyWrapper { + + public void initWrap(SymmetricKey wrappingKey, +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java 2004-04-25 08:02:21.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java 2012-03-20 16:38:46.468340000 -0700 +@@ -44,7 +44,6 @@ import java.security.spec.AlgorithmParam + * Instances of this class can be obtain from CryptoTokens. + * + * @see org.mozilla.jss.crypto.CryptoToken#getSignatureContext +- * @deprecated Use the JCA interface instead ({@link java.security.Signature}) + */ + public class Signature { + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java 2005-11-23 15:40:26.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java 2012-03-20 16:35:13.653766000 -0700 +@@ -37,15 +37,10 @@ + + /* This program demonstrates how to sign data with keys from JSS + * +- * Most of this code is deprecated look at JCASigTest.java +- * + * The token name can be either the name of a hardware token, or + * one of the internal tokens: + * Internal Crypto Services Token + * Internal Key Storage Token (keys stored in key3.db) +- * +- * @see org.mozilla.jss.tests.JCASigTest +- * @deprecated Use the JCA interface instead + */ + + package org.mozilla.jss.tests; +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl 2007-12-20 10:38:44.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl 2012-03-20 16:36:37.711598000 -0700 +@@ -534,6 +534,10 @@ $testname = "Mozilla-JSS JCA Signature " + $command = "$java -cp $jss_classpath org.mozilla.jss.tests.JCASigTest $testdir $pwfile"; + run_test($testname, $command); + ++$testname = "Mozilla-JSS NSS Signature "; ++$command = "$java -cp $jss_classpath org.mozilla.jss.tests.SigTest $testdir $pwfile"; ++run_test($testname, $command); ++ + $testname = "Secret Decoder Ring"; + $command = "$java -cp $jss_classpath org.mozilla.jss.tests.TestSDR $testdir $pwfile"; + run_test($testname, $command); diff --git a/jss.spec b/jss.spec index a9200fe..c5d3b9a 100644 --- a/jss.spec +++ b/jss.spec @@ -1,6 +1,6 @@ Name: jss Version: 4.2.6 -Release: 22%{?dist} +Release: 23%{?dist} Summary: Java Security Services (JSS) Group: System Environment/Libraries @@ -40,6 +40,9 @@ Patch15: jss-PKCS12-FIPS.patch Patch16: jss-eliminate-native-coverity-defects.patch Patch17: jss-PBE-PKCS5-V2-secure-P12.patch Patch18: jss-wrapInToken.patch +Patch19: jss-HSM-manufacturerID.patch +Patch20: jss-ECC-Phase2KeyArchivalRecovery.patch +Patch21: jss-undo-JCA-deprecations.patch %description @@ -75,6 +78,9 @@ This package contains the API documentation for JSS. %patch16 -p1 %patch17 -p1 %patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 %build [ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java @@ -112,6 +118,9 @@ export USE_64 %if 0%{?fedora} >= 16 cp -p mozilla/security/coreconf/Linux2.6.mk mozilla/security/coreconf/Linux3.1.mk sed -i -e 's;LINUX2_1;LINUX3_1;' mozilla/security/coreconf/Linux3.1.mk + +cp -p mozilla/security/coreconf/Linux3.1.mk mozilla/security/coreconf/Linux3.2.mk +sed -i -e 's;LINUX3_1;LINUX3_2;' mozilla/security/coreconf/Linux3.2.mk %endif # The Makefile is not thread-safe @@ -146,6 +155,11 @@ ln -fs %{_libdir}/jss/jss4.jar $RPM_BUILD_ROOT%{_jnidir}/jss4.jar # loaded by the jar file. install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss install -m 0755 mozilla/dist/Linux*.OBJ/lib/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/ +%if 0%{?fedora} >= 16 +pushd ${RPM_BUILD_ROOT}%{_libdir}/jss + ln -fs %{_jnidir}/jss4.jar jss4.jar +popd +%endif # javadoc install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} @@ -168,6 +182,16 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Tue Mar 20 2012 Christina Fu - 4.2.6-23 +- Bugzilla Bug #797351 - JSS - HSM token name was mistaken for manufacturer + identifier (cfu) +- Bugzilla Bug #804840 - [RFE] ECC encryption keys cannot be archived + ECC phase2 work - support for ECC encryption key archival and recovery (cfu) +- Bugzilla Bug #783007 - Un-deprecate previously deprecated methods in + JSS 4.2.6 . . . (mharmsen) +- Dogtag TRAC Task #109 (https://fedorahosted.org/pki/ticket/109) - add + benign JNI jar file symbolic link from JNI libdir to JNI jar file (mharmsen) + * Fri Jan 13 2012 Fedora Release Engineering - 4.2.6-22 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild