Rebase to upstream JSS v4.8.0-b1

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
2020-10-21 12:12:46 -04:00 · 2020-10-21 12:12:46 -04:00 · 89bcbe8882
commit 89bcbe8882
parent 8d0f659a7b
5 changed files with 10 additions and 115 deletions
--- a/.gitignore
+++ b/.gitignore
@ -30,3 +30,4 @@ jss-4.2.6.tar.gz
 /jss-4.7.0.tar.gz
 /jss-4.7.2.tar.gz
 /jss-4.7.3.tar.gz
+/jss-4.8.0-b1.tar.gz
--- a/jss-crypto-policies-1.patch
+++ b/jss-crypto-policies-1.patch
@ -1,49 +0,0 @@
-From 1fb6097a2ab73ef897d011e7383d7f5f1bf6a1df Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 1 Jul 2020 12:41:20 -0400
-Subject: [PATCH] Replace SHA-1 signature with SHA-256
-
-A recent change in Fedora Rawhide's crypto-policies package caused
-failures in the tests like the following:
-
-    Exception in thread "main" java.io.IOException: SocketException cannot read on socket: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
-        at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1494)
-        at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:38)
-        at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:25)
-        at org.mozilla.jss.tests.SSLClientAuth.run(SSLClientAuth.java:435)
-        at java.lang.Thread.run(Thread.java:748)
-    Caused by: org.mozilla.jss.ssl.SSLSocketException: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
-        at org.mozilla.jss.ssl.SSLSocket.socketRead(Native Method)
-        at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1488)
-        ... 4 more
-    Server exiting
-    org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8016) Unknown error
-        at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
-        at org.mozilla.jss.tests.SSLClientAuth.testConnection(SSLClientAuth.java:345)
-        at org.mozilla.jss.tests.SSLClientAuth.doIt(SSLClientAuth.java:156)
-        at org.mozilla.jss.tests.SSLClientAuth.main(SSLClientAuth.java:90)
-
-This was caused by dropping SHA-1 as an allowed hash during handshakes.
-However, because SSLClientAuth manually generated its certificate (and
-explicitly asked for SHA-1), it failed.
-
-Switch to SHA-256 instead.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
- org/mozilla/jss/tests/SSLClientAuth.java | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/org/mozilla/jss/tests/SSLClientAuth.java b/org/mozilla/jss/tests/SSLClientAuth.java
-index 6f1fd2b12..bf270a634 100644
--- a/org/mozilla/jss/tests/SSLClientAuth.java
-+++ b/org/mozilla/jss/tests/SSLClientAuth.java
-@@ -28,7 +28,7 @@
-     
-     private CryptoManager cm;
-     public static final SignatureAlgorithm sigAlg =
-            SignatureAlgorithm.RSASignatureWithSHA1Digest;
-+            SignatureAlgorithm.RSASignatureWithSHA256Digest;
-     
-     /**
-      * Method that generates a certificate for given credential
--- a/jss-crypto-policies-2.patch
+++ b/jss-crypto-policies-2.patch
@ -1,47 +0,0 @@
-From 8ed5a82a973922d07d0610fd42c48b2a0ec97d6c Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 1 Jul 2020 12:44:53 -0400
-Subject: [PATCH] Remove all legacy DSS/DSA tests
-
-The only signature algorithm suppoted with DSS is SHA-1, which will soon
-become deprecated and broken. DSS itself isn't widely used either, so we
-should remove it from the test suite as well.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
- cmake/JSSTests.cmake | 12 +-----------
- 1 file changed, 1 insertion(+), 11 deletions(-)
-
-diff --git a/cmake/JSSTests.cmake b/cmake/JSSTests.cmake
-index a26b95425..a0fe36e22 100644
--- a/cmake/JSSTests.cmake
-+++ b/cmake/JSSTests.cmake
-@@ -170,11 +170,6 @@ macro(jss_tests)
-         COMMAND "org.mozilla.jss.tests.GenerateTestCert" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "30" "localhost" "SHA-256/EC" "CA_ECDSA" "Server_ECDSA" "Client_ECDSA"
-         DEPENDS "Generate_known_RSA_cert_pair"
-     )
-    jss_test_java(
-        NAME "Generate_known_DSS_cert_pair"
-        COMMAND "org.mozilla.jss.tests.GenerateTestCert" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "40" "localhost" "SHA-1/DSA" "CA_DSS" "Server_DSS" "Client_DSS"
-        DEPENDS "Generate_known_ECDSA_cert_pair"
-    )
-     jss_test_exec(
-         NAME "Create_PKCS11_cert_to_PKCS12_rsa.pfx"
-         COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/rsa.pfx" "-n" "CA_RSA" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
-@@ -185,15 +180,10 @@ macro(jss_tests)
-         COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/ecdsa.pfx" "-n" "CA_ECDSA" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
-         DEPENDS "Generate_known_ECDSA_cert_pair"
-     )
-    jss_test_exec(
-        NAME "Create_PKCS11_cert_to_PKCS12_dss.pfx"
-        COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/dss.pfx" "-n" "CA_DSS" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
-        DEPENDS "Generate_known_DSS_cert_pair"
-    )
-     jss_test_java(
-         NAME "List_CA_certs"
-         COMMAND "org.mozilla.jss.tests.ListCACerts" "${RESULTS_NSSDB_OUTPUT_DIR}" "Verbose"
-        DEPENDS "Generate_known_DSS_cert_pair"
-+        DEPENDS "Generate_known_ECDSA_cert_pair"
-     )
-     jss_test_java(
-         NAME "SSLClientAuth"
--- a/jss.spec
+++ b/jss.spec
@ -6,9 +6,9 @@ Summary:        Java Security Services (JSS)
 URL:            http://www.dogtagpki.org/wiki/JSS
 License:        MPLv1.1 or GPLv2+ or LGPLv2+

-Version:        4.7.3
-Release:        1%{?_timestamp}%{?_commit_id}%{?dist}
-#global         _phase -a1
+Version:        4.8.0
+Release:        0.1%{?_timestamp}%{?_commit_id}%{?dist}
+%global         _phase -b1

 # To generate the source tarball:
 # $ git clone https://github.com/dogtagpki/jss.git
@ -50,7 +50,7 @@ BuildRequires:  glassfish-jaxb-api
 %else
 BuildRequires:  slf4j-jdk14
 %endif
-BuildRequires:  apache-commons-lang
+BuildRequires:  apache-commons-lang3

 BuildRequires:  junit

@ -64,7 +64,7 @@ Requires:       glassfish-jaxb-api
 %else
 Requires:       slf4j-jdk14
 %endif
-Requires:       apache-commons-lang
+Requires:       apache-commons-lang3

 Conflicts:      ldapjdk < 4.20
 Conflicts:      idm-console-framework < 1.2
@ -108,26 +108,13 @@ export CFLAGS
 # Check if we're in FIPS mode
 modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1

-# RHEL's CMake doesn't support -B flag.
-%if 0%{?rhel}
-%{__mkdir_p} %{_vpath_builddir}
-cd %{_vpath_builddir}
-%endif
-
 # The Makefile is not thread-safe
 %cmake \
    -DJAVA_HOME=%{java_home} \
    -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
-%if 0%{?rhel}
-    ..
-%else
    -B %{_vpath_builddir}
-%endif

-%if 0%{?fedora}
 cd %{_vpath_builddir}
-%endif
-
 %{__make} all
 %{__make} javadoc
 ctest --output-on-failure
@ -173,6 +160,9 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}

 ################################################################################
 %changelog
+* Wed Oct 21 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.8.0-b1
+- Rebase to upstream beta release JSS v4.8.0-b1
+
 * Fri Sep 11 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.7.3-1
 - Rebase to upstream stable release JSS v4.7.3

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (jss-4.7.3.tar.gz) = 9358cf78d99e5e32a07dd457d6b0c916bdf9bf6959efe889f1cb91af75aa79fc419c2d057a40bfbe4e2a4924bffc1cafa04d917622cafe07062bcb633f330f98
+SHA512 (jss-4.8.0-b1.tar.gz) = 5601922b1c2e8006951a01e50486f585e2f6e3c0cd987a7e75c62755b4e14e2c7d489b583f92ba09281ceee2b5b1363f3d8fc94b039232fb3694975bd041a332