rpms/jss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- bug 654657 - <jdennis@redhat.com>

Browse Source 
Incorrect socket accept error message due to bad pointer arithmetic
- bug 661142 - <cfu@redhat.com>
  Verification should fail when a revoked certificate is added
This commit is contained in:
Kevin Wright 2011-01-05 16:34:49 -08:00
parent 6e20d6e785
commit 8f6d73325c
3 changed files with 259 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
clog Normal file
View File

@ -0,0 +1,4 @@
- bug 654657 - <jdennis@redhat.com>
Incorrect socket accept error message due to bad pointer arithmetic
- bug 661142 - <cfu@redhat.com>
Verification should fail when a revoked certificate is added

227
jss-VerifyCertificateReturnCU.patch Normal file
View File

@ -0,0 +1,227 @@
diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-12-21 12:35:04.360044000 -0800
+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-12-21 12:36:05.364105000 -0800
@@ -332,6 +332,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
;+ local:
;+ *;
;+};
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-12-21 12:36:24.417124000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-12-21 12:43:54.777575000 -0800
@@ -157,6 +157,19 @@ public final class CryptoManager impleme
public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
+
+ /*
+ The folllowing usages cannot be verified:
+ certUsageAnyCA
+ certUsageProtectedObjectSigner
+ certUsageUserCertImport
+ certUsageVerifyCA
+ */
+ public static final int basicCertificateUsages = /*0x0b80;*/
+ certificateUsageUserCertImport |
+ certificateUsageVerifyCA |
+ certificateUsageProtectedObjectSigner |
+ certificateUsageAnyCA ;
}
public final static class NotInitializedException extends Exception {}
@@ -1452,14 +1465,43 @@ public final class CryptoManager impleme
* against Now.
* @param nickname The nickname of the certificate to verify.
* @param checkSig verify the signature of the certificate
- * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
- * @return true for success; false otherwise
+ * @return currCertificateUsage which contains current usage bit map as defined in CertificateUsage
*
* @exception InvalidNicknameException If the nickname is null
* @exception ObjectNotFoundException If no certificate could be found
* with the given nickname.
*/
+ public int isCertValid(String nickname, boolean checkSig)
+ throws ObjectNotFoundException, InvalidNicknameException
+ {
+ if (nickname==null) {
+ throw new InvalidNicknameException("Nickname must be non-null");
+ }
+ int currCertificateUsage = 0x0000; // initialize it to 0
+ currCertificateUsage = verifyCertificateNowCUNative(nickname,
+ checkSig);
+ return currCertificateUsage;
+ }
+
+ private native int verifyCertificateNowCUNative(String nickname,
+ boolean checkSig) throws ObjectNotFoundException;
+ /////////////////////////////////////////////////////////////
+ // isCertValid
+ /////////////////////////////////////////////////////////////
+ /**
+ * Verify a certificate that exists in the given cert database,
+ * check if is valid and that we trust the issuer. Verify time
+ * against Now.
+ * @param nickname The nickname of the certificate to verify.
+ * @param checkSig verify the signature of the certificate
+ * @param certificateUsage see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above
+ * @return true for success; false otherwise
+ *
+ * @exception InvalidNicknameException If the nickname is null
+ * @exception ObjectNotFoundException If no certificate could be found
+ * with the given nickname.
+ */
public boolean isCertValid(String nickname, boolean checkSig,
CertificateUsage certificateUsage)
throws ObjectNotFoundException, InvalidNicknameException
@@ -1467,11 +1509,23 @@ public final class CryptoManager impleme
if (nickname==null) {
throw new InvalidNicknameException("Nickname must be non-null");
}
- // 0 certificate usage was supposed to get current usage, however,
- // it is not exposed at this point
- return verifyCertificateNowNative(nickname,
- checkSig,
- (certificateUsage == null) ? 0:certificateUsage.getUsage());
+ // 0 certificate usage will get current usage
+ // should call isCertValid() call above that returns certificate usage
+ if ((certificateUsage == null) ||
+ (certificateUsage == CertificateUsage.CheckAllUsages)){
+ int currCertificateUsage = 0x0000;
+ currCertificateUsage = verifyCertificateNowCUNative(nickname,
+ checkSig);
+
+ if (currCertificateUsage == CertificateUsage.basicCertificateUsages){
+ // cert is good for nothing
+ return false;
+ } else
+ return true;
+ } else {
+ return verifyCertificateNowNative(nickname, checkSig,
+ certificateUsage.getUsage());
+ }
}
private native boolean verifyCertificateNowNative(String nickname,
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-12-21 12:36:29.023129000 -0800
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-12-21 16:03:34.599742000 -0800
@@ -1574,18 +1574,16 @@ finish:
}
}
+
/***********************************************************************
- * CryptoManager.verifyCertificateNowNative
- *
- * Returns JNI_TRUE if success, JNI_FALSE otherwise
+ * CryptoManager.verifyCertificateNow
*/
-JNIEXPORT jboolean JNICALL
-Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
+SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString,
+ jboolean checkSig, jint required_certificateUsage,
+ SECCertificateUsage *currUsage)
{
SECStatus rv = SECFailure;
SECCertificateUsage certificateUsage;
- SECCertificateUsage currUsage; /* unexposed for now */
CERTCertificate *cert=NULL;
char *nickname=NULL;
@@ -1602,12 +1600,28 @@ Java_org_mozilla_jss_CryptoManager_verif
JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
goto finish;
} else {
- /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
- * just get the current usage (which we are not passing back for now
- * but will bypass the certificate usage check
+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
+ * retrieve the current valid usage into currUsage
*/
rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
- checkSig, certificateUsage, NULL, &currUsage );
+ checkSig, certificateUsage, NULL, currUsage );
+ if ((rv == SECSuccess) && certificateUsage == 0x0000) {
+ if (*currUsage ==
+ ( certUsageUserCertImport |
+ certUsageVerifyCA |
+ certUsageProtectedObjectSigner |
+ certUsageAnyCA )) {
+
+ /* the cert is good for nothing
+ The folllowing usages cannot be verified:
+ certUsageAnyCA
+ certUsageProtectedObjectSigner
+ certUsageUserCertImport
+ certUsageVerifyCA
+ (0x0b80) */
+ rv =SECFailure;
+ }
+ }
}
finish:
@@ -1617,6 +1631,49 @@ finish:
if(cert != NULL) {
CERT_DestroyCertificate(cert);
}
+
+ return rv;
+}
+
+/***********************************************************************
+ * CryptoManager.verifyCertificateNowCUNative
+ *
+ * Returns jint which contains bits in SECCertificateUsage that reflects
+ * the cert usage(s) that the cert is good for
+ * if the cert is good for nothing, returned value is
+ * (0x0b80):
+ * certUsageUserCertImport |
+ * certUsageVerifyCA |
+ * certUsageProtectedObjectSigner |
+ * certUsageAnyCA
+ */
+JNIEXPORT jint JNICALL
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
+ jobject self, jstring nickString, jboolean checkSig)
+{
+ SECStatus rv = SECFailure;
+ SECCertificateUsage currUsage = 0x0000;
+
+ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);
+ /* rv is ignored */
+
+ return currUsage;
+}
+
+/***********************************************************************
+ * CryptoManager.verifyCertificateNowNative
+ *
+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
+ */
+JNIEXPORT jboolean JNICALL
+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
+ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
+{
+ SECStatus rv = SECFailure;
+ SECCertificateUsage currUsage = 0x0000;
+
+ rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
+
if( rv == SECSuccess) {
return JNI_TRUE;
} else {
@@ -1624,7 +1681,6 @@ finish:
}
}
-
/***********************************************************************
* CryptoManager.verifyCertNowNative
* note: this calls obsolete NSS function

51
jss.spec
View File

@ -1,6 +1,6 @@
Name: jss
Version: 4.2.6
Release: 10%{?dist}
Release: 11%{?dist}
Summary: Java Security Services (JSS)
Group: System Environment/Libraries
@ -31,6 +31,7 @@ Patch6: jss-ocspSettings.patch
Patch7: jss-ECC_keygen_byCurveName.patch
Patch8: jss-VerifyCertificate.patch
Patch9: jss-bad-error-string-pointer.patch
Patch10: jss-VerifyCertificateReturnCU.patch
%description
@ -153,35 +154,39 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Thu Dec 16 2010 John Dennis <jdennis@redhat.com> - 4.2.6-10
- move jar location to %%{_libdir}/jss and provide symlinks, on 32bit looks like this:
/usr/lib/java/jss4.jar -> /usr/lib/jss/jss4.jar
/usr/lib/jss/jss4-<version>.jar
/usr/lib/jss/jss4.jar -> jss4-<version>.jar
/usr/lib/jss/libjss4.so
* Mon Dec 6 2010 John Dennis <jdennis@redhat.com> - 4.2.6-9
- Resolves: bug 654657 - <jdennis@redhat.com>
* Tue Dec 21 2010 Christina Fu <cfu@redhat.com> - 4.2.6-11
- bug 654657 - <jdennis@redhat.com>
Incorrect socket accept error message due to bad pointer arithmetic
- bug 661142 - <cfu@redhat.com>
Verification should fail when a revoked certificate is added
* Mon Nov 1 2010 Christina Fu <cfu@redhat.com> 4.2.6-8
- Resolves: bug 647364 - <cfu@redhat.com>
* Thu Dec 16 2010 John Dennis <jdennis@redhat.com> - 4.2.6-10
- Resolves: bug 656094 - <jdennis@redhat.com>
Rebase jss to at least jss-4.2.6-9
- <jdennis@redhat.com>
merge in updates from Fedora
move jar location to %%{_libdir}/jss and provide symlinks, on 32bit looks like this:
/usr/lib/java/jss4.jar -> /usr/lib/jss/jss4.jar
/usr/lib/jss/jss4-<version>.jar
/usr/lib/jss/jss4.jar -> jss4-<version>.jar
/usr/lib/jss/libjss4.so
- bug 654657 - <jdennis@redhat.com>
Incorrect socket accept error message due to bad pointer arithmetic
- bug 647364 - <cfu@redhat.com>
Expose updated certificate verification function in JSS
* Wed Oct 20 2010 Christina Fu <cfu@redhat.com> 4.2.6-7
- Resolves: bug 529945 - <cfu@redhat.com>
- bug 529945 - <cfu@redhat.com>
expose NSS calls for OCSP settings
- Resolves: bug 638833 - <cfu@redhat.com>
- bug 638833 - <cfu@redhat.com>
rfe ecc - add ec curve name support in JSS and CS
* Wed Jan 13 2010 Rob Crittenden <rcritten@redhat.com> 4.2.6-6
- Need to explicitly catch UnsatisfiedLinkError exception for System.load()
* Thu Jan 7 2010 Rob Crittenden <rcritten@redhat.com> 4.2.6-5
- Resolves: bug 533304 - <rcritten@redhat.com>
- <rcritten@redhat.com>
Need to explicitly catch UnsatisfiedLinkError exception for System.load()
- bug 533304 - <rcritten@redhat.com>
Move location of libjss4.so to subdirectory and use System.load() to
load it instead of System.loadLibrary() for Fedora packaging compliance
* Mon Nov 30 2009 Dennis Gregorovic <dgregor@redhat.com> - 4.2.6-4.1
- Rebuilt for RHEL 6
* Fri Jul 31 2009 Rob Crittenden <rcritten@redhat.com> 4.2.6-4
- Resolves: bug 224688 - <cfu@redhat.com>
Support ECC POP on the server
@ -208,7 +213,7 @@ rm -rf $RPM_BUILD_ROOT
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
* Tue Aug 5 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 4.2.5-3
- fix license tag