From 89bcbe8882b72b2957680ff66ec6a45ab234f0e8 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Wed, 21 Oct 2020 12:12:46 -0400
Subject: [PATCH] Rebase to upstream JSS v4.8.0-b1

Signed-off-by: Alexander Scheel
---
 .gitignore | 1 +
 jss-crypto-policies-1.patch | 49 -------------------------------------
 jss-crypto-policies-2.patch | 47 -----------------------------------
 jss.spec | 26 ++++++--------------
 sources | 2 +-
 5 files changed, 10 insertions(+), 115 deletions(-)
 delete mode 100644 jss-crypto-policies-1.patch
 delete mode 100644 jss-crypto-policies-2.patch

diff --git a/.gitignore b/.gitignore
index 349bfb5..cb5030b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,4 @@ jss-4.2.6.tar.gz
 /jss-4.7.0.tar.gz
 /jss-4.7.2.tar.gz
 /jss-4.7.3.tar.gz
+/jss-4.8.0-b1.tar.gz
diff --git a/jss-crypto-policies-1.patch b/jss-crypto-policies-1.patch
deleted file mode 100644
index dc23e85..0000000
--- a/jss-crypto-policies-1.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 1fb6097a2ab73ef897d011e7383d7f5f1bf6a1df Mon Sep 17 00:00:00 2001
-From: Alexander Scheel
-Date: Wed, 1 Jul 2020 12:41:20 -0400
-Subject: [PATCH] Replace SHA-1 signature with SHA-256
-
-A recent change in Fedora Rawhide's crypto-policies package caused
-failures in the tests like the following:
-
- Exception in thread "main" java.io.IOException: SocketException cannot read on socket: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
- at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1494)
- at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:38)
- at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:25)
- at org.mozilla.jss.tests.SSLClientAuth.run(SSLClientAuth.java:435)
- at java.lang.Thread.run(Thread.java:748)
- Caused by: org.mozilla.jss.ssl.SSLSocketException: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
- at org.mozilla.jss.ssl.SSLSocket.socketRead(Native Method)
- at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1488)
- ... 4 more
- Server exiting
- org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8016) Unknown error
- at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
- at org.mozilla.jss.tests.SSLClientAuth.testConnection(SSLClientAuth.java:345)
- at org.mozilla.jss.tests.SSLClientAuth.doIt(SSLClientAuth.java:156)
- at org.mozilla.jss.tests.SSLClientAuth.main(SSLClientAuth.java:90)
-
-This was caused by dropping SHA-1 as an allowed hash during handshakes.
-However, because SSLClientAuth manually generated its certificate (and
-explicitly asked for SHA-1), it failed.
-
-Switch to SHA-256 instead.
-
-Signed-off-by: Alexander Scheel
----
- org/mozilla/jss/tests/SSLClientAuth.java | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/org/mozilla/jss/tests/SSLClientAuth.java b/org/mozilla/jss/tests/SSLClientAuth.java
-index 6f1fd2b12..bf270a634 100644
---- a/org/mozilla/jss/tests/SSLClientAuth.java
-+++ b/org/mozilla/jss/tests/SSLClientAuth.java
-@@ -28,7 +28,7 @@
-
- private CryptoManager cm;
- public static final SignatureAlgorithm sigAlg =
-- SignatureAlgorithm.RSASignatureWithSHA1Digest;
-+ SignatureAlgorithm.RSASignatureWithSHA256Digest;
-
- /**
- * Method that generates a certificate for given credential
diff --git a/jss-crypto-policies-2.patch b/jss-crypto-policies-2.patch
deleted file mode 100644
index 71fe8c2..0000000
--- a/jss-crypto-policies-2.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 8ed5a82a973922d07d0610fd42c48b2a0ec97d6c Mon Sep 17 00:00:00 2001
-From: Alexander Scheel
-Date: Wed, 1 Jul 2020 12:44:53 -0400
-Subject: [PATCH] Remove all legacy DSS/DSA tests
-
-The only signature algorithm suppoted with DSS is SHA-1, which will soon
-become deprecated and broken. DSS itself isn't widely used either, so we
-should remove it from the test suite as well.
-
-Signed-off-by: Alexander Scheel
----
- cmake/JSSTests.cmake | 12 +-----------
- 1 file changed, 1 insertion(+), 11 deletions(-)
-
-diff --git a/cmake/JSSTests.cmake b/cmake/JSSTests.cmake
-index a26b95425..a0fe36e22 100644
---- a/cmake/JSSTests.cmake
-+++ b/cmake/JSSTests.cmake
-@@ -170,11 +170,6 @@ macro(jss_tests)
- COMMAND "org.mozilla.jss.tests.GenerateTestCert" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "30" "localhost" "SHA-256/EC" "CA_ECDSA" "Server_ECDSA" "Client_ECDSA"
- DEPENDS "Generate_known_RSA_cert_pair"
- )
-- jss_test_java(
-- NAME "Generate_known_DSS_cert_pair"
-- COMMAND "org.mozilla.jss.tests.GenerateTestCert" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "40" "localhost" "SHA-1/DSA" "CA_DSS" "Server_DSS" "Client_DSS"
-- DEPENDS "Generate_known_ECDSA_cert_pair"
-- )
- jss_test_exec(
- NAME "Create_PKCS11_cert_to_PKCS12_rsa.pfx"
- COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/rsa.pfx" "-n" "CA_RSA" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
-@@ -185,15 +180,10 @@ macro(jss_tests)
- COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/ecdsa.pfx" "-n" "CA_ECDSA" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
- DEPENDS "Generate_known_ECDSA_cert_pair"
- )
-- jss_test_exec(
-- NAME "Create_PKCS11_cert_to_PKCS12_dss.pfx"
-- COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/dss.pfx" "-n" "CA_DSS" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
-- DEPENDS "Generate_known_DSS_cert_pair"
-- )
- jss_test_java(
- NAME "List_CA_certs"
- COMMAND "org.mozilla.jss.tests.ListCACerts"
"${RESULTS_NSSDB_OUTPUT_DIR}" "Verbose" -- DEPENDS "Generate_known_DSS_cert_pair" -+ DEPENDS "Generate_known_ECDSA_cert_pair" - ) - jss_test_java( - NAME "SSLClientAuth" diff --git a/jss.spec b/jss.spec index 401fe38..c0e48c9 100644 --- a/jss.spec +++ b/jss.spec @@ -6,9 +6,9 @@ Summary: Java Security Services (JSS) URL: http://www.dogtagpki.org/wiki/JSS License: MPLv1.1 or GPLv2+ or LGPLv2+ -Version: 4.7.3 -Release: 1%{?_timestamp}%{?_commit_id}%{?dist} -#global _phase -a1 +Version: 4.8.0 +Release: 0.1%{?_timestamp}%{?_commit_id}%{?dist} +%global _phase -b1 # To generate the source tarball: # $ git clone https://github.com/dogtagpki/jss.git @@ -50,7 +50,7 @@ BuildRequires: glassfish-jaxb-api %else BuildRequires: slf4j-jdk14 %endif -BuildRequires: apache-commons-lang +BuildRequires: apache-commons-lang3 BuildRequires: junit @@ -64,7 +64,7 @@ Requires: glassfish-jaxb-api %else Requires: slf4j-jdk14 %endif -Requires: apache-commons-lang +Requires: apache-commons-lang3 Conflicts: ldapjdk < 4.20 Conflicts: idm-console-framework < 1.2 @@ -108,26 +108,13 @@ export CFLAGS # Check if we're in FIPS mode modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1 -# RHEL's CMake doesn't support -B flag. -%if 0%{?rhel} -%{__mkdir_p} %{_vpath_builddir} -cd %{_vpath_builddir} -%endif - # The Makefile is not thread-safe %cmake \ -DJAVA_HOME=%{java_home} \ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ -%if 0%{?rhel} - .. -%else -B %{_vpath_builddir} -%endif -%if 0%{?fedora} cd %{_vpath_builddir} -%endif - %{__make} all %{__make} javadoc ctest --output-on-failure @@ -173,6 +160,9 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} ################################################################################ %changelog +* Wed Oct 21 2020 Dogtag PKI Team - 4.8.0-b1 +- Rebase to upstream beta release JSS v4.8.0-b1 + * Fri Sep 11 2020 Dogtag PKI Team - 4.7.3-1 - Rebase to upstream stable release JSS v4.7.3 
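Review bot: The `%build` hunk (`@@ -108,26 +108,13 @@`) now passes `-B %{_vpath_builddir}` to `%cmake` on every target, which fails wherever CMake predates the `-B` option (it arrived in CMake 3.13). That is the case the deleted `%if 0%{?rhel}` branch and its comment "RHEL's CMake doesn't support -B flag" were there to cover. If this spec is still built on a RHEL or EPEL branch, keep the `mkdir`/`cd`/`..` fallback. If it is Fedora-only from this release on, state the floor explicitly, for example `BuildRequires: cmake >= 3.13`, so an old toolchain is reported as an unmet dependency instead of a configure error. The failure matters because `ctest --output-on-failure` runs in this same section and is the only check the package build performs on the rebased beta; the rest of `%build` lies outside the hunk, so whether a versioned CMake requirement already exists cannot be seen from here.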
diff --git a/sources b/sources
index 13d43e8..c295965 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (jss-4.7.3.tar.gz) = 9358cf78d99e5e32a07dd457d6b0c916bdf9bf6959efe889f1cb91af75aa79fc419c2d057a40bfbe4e2a4924bffc1cafa04d917622cafe07062bcb633f330f98
+SHA512 (jss-4.8.0-b1.tar.gz) = 5601922b1c2e8006951a01e50486f585e2f6e3c0cd987a7e75c62755b4e14e2c7d489b583f92ba09281ceee2b5b1363f3d8fc94b039232fb3694975bd041a332