rpms/jss
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix build with new Crypto-Policies on Fedora Rawhide

Browse Source 
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
This commit is contained in:
Alexander Scheel 2020-07-06 17:34:31 -04:00
parent 90b6186a2b
commit 77453bee29
No known key found for this signature in database
GPG Key ID: C0D6C737D0003143
3 changed files with 102 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
jss-crypto-policies-1.patch Normal file
View File

@ -0,0 +1,49 @@
From 1fb6097a2ab73ef897d011e7383d7f5f1bf6a1df Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 1 Jul 2020 12:41:20 -0400
Subject: [PATCH] Replace SHA-1 signature with SHA-256
A recent change in Fedora Rawhide's crypto-policies package caused
failures in the tests like the following:
Exception in thread "main" java.io.IOException: SocketException cannot read on socket: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1494)
at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:38)
at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:25)
at org.mozilla.jss.tests.SSLClientAuth.run(SSLClientAuth.java:435)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.mozilla.jss.ssl.SSLSocketException: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
at org.mozilla.jss.ssl.SSLSocket.socketRead(Native Method)
at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1488)
... 4 more
Server exiting
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8016) Unknown error
at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
at org.mozilla.jss.tests.SSLClientAuth.testConnection(SSLClientAuth.java:345)
at org.mozilla.jss.tests.SSLClientAuth.doIt(SSLClientAuth.java:156)
at org.mozilla.jss.tests.SSLClientAuth.main(SSLClientAuth.java:90)
This was caused by dropping SHA-1 as an allowed hash during handshakes.
However, because SSLClientAuth manually generated its certificate (and
explicitly asked for SHA-1), it failed.
Switch to SHA-256 instead.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/tests/SSLClientAuth.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org/mozilla/jss/tests/SSLClientAuth.java b/org/mozilla/jss/tests/SSLClientAuth.java
index 6f1fd2b12..bf270a634 100644
--- a/org/mozilla/jss/tests/SSLClientAuth.java
+++ b/org/mozilla/jss/tests/SSLClientAuth.java
@@ -28,7 +28,7 @@
private CryptoManager cm;
public static final SignatureAlgorithm sigAlg =
- SignatureAlgorithm.RSASignatureWithSHA1Digest;
+ SignatureAlgorithm.RSASignatureWithSHA256Digest;
/**
* Method that generates a certificate for given credential

47
jss-crypto-policies-2.patch Normal file
View File

@ -0,0 +1,47 @@
From 8ed5a82a973922d07d0610fd42c48b2a0ec97d6c Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 1 Jul 2020 12:44:53 -0400
Subject: [PATCH] Remove all legacy DSS/DSA tests
The only signature algorithm suppoted with DSS is SHA-1, which will soon
become deprecated and broken. DSS itself isn't widely used either, so we
should remove it from the test suite as well.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
cmake/JSSTests.cmake | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/cmake/JSSTests.cmake b/cmake/JSSTests.cmake
index a26b95425..a0fe36e22 100644
--- a/cmake/JSSTests.cmake
+++ b/cmake/JSSTests.cmake
@@ -170,11 +170,6 @@ macro(jss_tests)
COMMAND "org.mozilla.jss.tests.GenerateTestCert" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "30" "localhost" "SHA-256/EC" "CA_ECDSA" "Server_ECDSA" "Client_ECDSA"
DEPENDS "Generate_known_RSA_cert_pair"
)
- jss_test_java(
- NAME "Generate_known_DSS_cert_pair"
- COMMAND "org.mozilla.jss.tests.GenerateTestCert" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "40" "localhost" "SHA-1/DSA" "CA_DSS" "Server_DSS" "Client_DSS"
- DEPENDS "Generate_known_ECDSA_cert_pair"
- )
jss_test_exec(
NAME "Create_PKCS11_cert_to_PKCS12_rsa.pfx"
COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/rsa.pfx" "-n" "CA_RSA" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
@@ -185,15 +180,10 @@ macro(jss_tests)
COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/ecdsa.pfx" "-n" "CA_ECDSA" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
DEPENDS "Generate_known_ECDSA_cert_pair"
)
- jss_test_exec(
- NAME "Create_PKCS11_cert_to_PKCS12_dss.pfx"
- COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/dss.pfx" "-n" "CA_DSS" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
- DEPENDS "Generate_known_DSS_cert_pair"
- )
jss_test_java(
NAME "List_CA_certs"
COMMAND "org.mozilla.jss.tests.ListCACerts" "${RESULTS_NSSDB_OUTPUT_DIR}" "Verbose"
- DEPENDS "Generate_known_DSS_cert_pair"
+ DEPENDS "Generate_known_ECDSA_cert_pair"
)
jss_test_java(
NAME "SSLClientAuth"

7
jss.spec
View File

@ -7,7 +7,7 @@ URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+
Version: 4.7.0
Release: 0.4%{?_timestamp}%{?_commit_id}%{?dist}
Release: 0.5%{?_timestamp}%{?_commit_id}%{?dist}
%global _phase -b4
# To generate the source tarball:
@ -25,6 +25,8 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
# <version tag> \
# > jss-VERSION-RELEASE.patch
# Patch: jss-VERSION-RELEASE.patch
Patch0: jss-crypto-policies-1.patch
Patch1: jss-crypto-policies-2.patch
################################################################################
# Build Dependencies
@ -160,6 +162,9 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
################################################################################
%changelog
* Mon Jul 06 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.7.0-0.5
- Fix build issues with new Crypto-Policies denying SHA-1 usage
* Tue Jun 30 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.7.0-0.4
- Rebase to latest upstream JSS v4.7.0-b4