diff --git a/clog b/clog new file mode 100644 index 0000000..3135651 --- /dev/null +++ b/clog @@ -0,0 +1,4 @@ +- bug 654657 - + Incorrect socket accept error message due to bad pointer arithmetic +- bug 661142 - + Verification should fail when a revoked certificate is added diff --git a/jss-VerifyCertificateReturnCU.patch b/jss-VerifyCertificateReturnCU.patch new file mode 100644 index 0000000..7d220ef --- /dev/null +++ b/jss-VerifyCertificateReturnCU.patch @@ -0,0 +1,227 @@ +diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def +--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-12-21 12:35:04.360044000 -0800 ++++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-12-21 12:36:05.364105000 -0800 +@@ -332,6 +332,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG + Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative; + Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; + Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; ++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative; + ;+ local: + ;+ *; + ;+}; +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-12-21 12:36:24.417124000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-12-21 12:43:54.777575000 -0800 +@@ -157,6 +157,19 @@ public final class CryptoManager impleme + public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner"); + public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder"); + public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA"); ++ ++ /* ++ The folllowing usages cannot be verified: ++ certUsageAnyCA ++ certUsageProtectedObjectSigner ++ certUsageUserCertImport ++ certUsageVerifyCA ++ */ ++ public static final int basicCertificateUsages = /*0x0b80;*/ ++ certificateUsageUserCertImport | ++ certificateUsageVerifyCA | ++ certificateUsageProtectedObjectSigner | ++ certificateUsageAnyCA ; + } + + public final static class NotInitializedException extends Exception {} +@@ -1452,14 +1465,43 @@ public final class CryptoManager impleme + * against Now. + * @param nickname The nickname of the certificate to verify. + * @param checkSig verify the signature of the certificate +- * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check +- * @return true for success; false otherwise ++ * @return currCertificateUsage which contains current usage bit map as defined in CertificateUsage + * + * @exception InvalidNicknameException If the nickname is null + * @exception ObjectNotFoundException If no certificate could be found + * with the given nickname. + */ ++ public int isCertValid(String nickname, boolean checkSig) ++ throws ObjectNotFoundException, InvalidNicknameException ++ { ++ if (nickname==null) { ++ throw new InvalidNicknameException("Nickname must be non-null"); ++ } ++ int currCertificateUsage = 0x0000; // initialize it to 0 ++ currCertificateUsage = verifyCertificateNowCUNative(nickname, ++ checkSig); ++ return currCertificateUsage; ++ } ++ ++ private native int verifyCertificateNowCUNative(String nickname, ++ boolean checkSig) throws ObjectNotFoundException; + ++ ///////////////////////////////////////////////////////////// ++ // isCertValid ++ ///////////////////////////////////////////////////////////// ++ /** ++ * Verify a certificate that exists in the given cert database, ++ * check if is valid and that we trust the issuer. Verify time ++ * against Now. ++ * @param nickname The nickname of the certificate to verify. ++ * @param checkSig verify the signature of the certificate ++ * @param certificateUsage see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above ++ * @return true for success; false otherwise ++ * ++ * @exception InvalidNicknameException If the nickname is null ++ * @exception ObjectNotFoundException If no certificate could be found ++ * with the given nickname. ++ */ + public boolean isCertValid(String nickname, boolean checkSig, + CertificateUsage certificateUsage) + throws ObjectNotFoundException, InvalidNicknameException +@@ -1467,11 +1509,23 @@ public final class CryptoManager impleme + if (nickname==null) { + throw new InvalidNicknameException("Nickname must be non-null"); + } +- // 0 certificate usage was supposed to get current usage, however, +- // it is not exposed at this point +- return verifyCertificateNowNative(nickname, +- checkSig, +- (certificateUsage == null) ? 0:certificateUsage.getUsage()); ++ // 0 certificate usage will get current usage ++ // should call isCertValid() call above that returns certificate usage ++ if ((certificateUsage == null) || ++ (certificateUsage == CertificateUsage.CheckAllUsages)){ ++ int currCertificateUsage = 0x0000; ++ currCertificateUsage = verifyCertificateNowCUNative(nickname, ++ checkSig); ++ ++ if (currCertificateUsage == CertificateUsage.basicCertificateUsages){ ++ // cert is good for nothing ++ return false; ++ } else ++ return true; ++ } else { ++ return verifyCertificateNowNative(nickname, checkSig, ++ certificateUsage.getUsage()); ++ } + } + + private native boolean verifyCertificateNowNative(String nickname, +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-12-21 12:36:29.023129000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-12-21 16:03:34.599742000 -0800 +@@ -1574,18 +1574,16 @@ finish: + } + } + ++ + /*********************************************************************** +- * CryptoManager.verifyCertificateNowNative +- * +- * Returns JNI_TRUE if success, JNI_FALSE otherwise ++ * CryptoManager.verifyCertificateNow + */ +-JNIEXPORT jboolean JNICALL +-Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, +- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage) ++SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString, ++ jboolean checkSig, jint required_certificateUsage, ++ SECCertificateUsage *currUsage) + { + SECStatus rv = SECFailure; + SECCertificateUsage certificateUsage; +- SECCertificateUsage currUsage; /* unexposed for now */ + CERTCertificate *cert=NULL; + char *nickname=NULL; + +@@ -1602,12 +1600,28 @@ Java_org_mozilla_jss_CryptoManager_verif + JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); + goto finish; + } else { +- /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to +- * just get the current usage (which we are not passing back for now +- * but will bypass the certificate usage check ++ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will ++ * retrieve the current valid usage into currUsage + */ + rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, +- checkSig, certificateUsage, NULL, &currUsage ); ++ checkSig, certificateUsage, NULL, currUsage ); ++ if ((rv == SECSuccess) && certificateUsage == 0x0000) { ++ if (*currUsage == ++ ( certUsageUserCertImport | ++ certUsageVerifyCA | ++ certUsageProtectedObjectSigner | ++ certUsageAnyCA )) { ++ ++ /* the cert is good for nothing ++ The folllowing usages cannot be verified: ++ certUsageAnyCA ++ certUsageProtectedObjectSigner ++ certUsageUserCertImport ++ certUsageVerifyCA ++ (0x0b80) */ ++ rv =SECFailure; ++ } ++ } + } + + finish: +@@ -1617,6 +1631,49 @@ finish: + if(cert != NULL) { + CERT_DestroyCertificate(cert); + } ++ ++ return rv; ++} ++ ++/*********************************************************************** ++ * CryptoManager.verifyCertificateNowCUNative ++ * ++ * Returns jint which contains bits in SECCertificateUsage that reflects ++ * the cert usage(s) that the cert is good for ++ * if the cert is good for nothing, returned value is ++ * (0x0b80): ++ * certUsageUserCertImport | ++ * certUsageVerifyCA | ++ * certUsageProtectedObjectSigner | ++ * certUsageAnyCA ++ */ ++JNIEXPORT jint JNICALL ++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env, ++ jobject self, jstring nickString, jboolean checkSig) ++{ ++ SECStatus rv = SECFailure; ++ SECCertificateUsage currUsage = 0x0000; ++ ++ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage); ++ /* rv is ignored */ ++ ++ return currUsage; ++} ++ ++/*********************************************************************** ++ * CryptoManager.verifyCertificateNowNative ++ * ++ * Returns JNI_TRUE if success, JNI_FALSE otherwise ++ */ ++JNIEXPORT jboolean JNICALL ++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, ++ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage) ++{ ++ SECStatus rv = SECFailure; ++ SECCertificateUsage currUsage = 0x0000; ++ ++ rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage); ++ + if( rv == SECSuccess) { + return JNI_TRUE; + } else { +@@ -1624,7 +1681,6 @@ finish: + } + } + +- + /*********************************************************************** + * CryptoManager.verifyCertNowNative + * note: this calls obsolete NSS function diff --git a/jss.spec b/jss.spec index f2b1785..10fedb9 100644 --- a/jss.spec +++ b/jss.spec @@ -1,6 +1,6 @@ Name: jss Version: 4.2.6 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Java Security Services (JSS) Group: System Environment/Libraries @@ -31,6 +31,7 @@ Patch6: jss-ocspSettings.patch Patch7: jss-ECC_keygen_byCurveName.patch Patch8: jss-VerifyCertificate.patch Patch9: jss-bad-error-string-pointer.patch +Patch10: jss-VerifyCertificateReturnCU.patch %description @@ -153,35 +154,39 @@ rm -rf $RPM_BUILD_ROOT %changelog -* Thu Dec 16 2010 John Dennis - 4.2.6-10 -- move jar location to %%{_libdir}/jss and provide symlinks, on 32bit looks like this: - /usr/lib/java/jss4.jar -> /usr/lib/jss/jss4.jar - /usr/lib/jss/jss4-.jar - /usr/lib/jss/jss4.jar -> jss4-.jar - /usr/lib/jss/libjss4.so - -* Mon Dec 6 2010 John Dennis - 4.2.6-9 -- Resolves: bug 654657 - +* Tue Dec 21 2010 Christina Fu - 4.2.6-11 +- bug 654657 - Incorrect socket accept error message due to bad pointer arithmetic +- bug 661142 - + Verification should fail when a revoked certificate is added -* Mon Nov 1 2010 Christina Fu 4.2.6-8 -- Resolves: bug 647364 - +* Thu Dec 16 2010 John Dennis - 4.2.6-10 +- Resolves: bug 656094 - + Rebase jss to at least jss-4.2.6-9 +- + merge in updates from Fedora + move jar location to %%{_libdir}/jss and provide symlinks, on 32bit looks like this: + /usr/lib/java/jss4.jar -> /usr/lib/jss/jss4.jar + /usr/lib/jss/jss4-.jar + /usr/lib/jss/jss4.jar -> jss4-.jar + /usr/lib/jss/libjss4.so +- bug 654657 - + Incorrect socket accept error message due to bad pointer arithmetic +- bug 647364 - Expose updated certificate verification function in JSS - -* Wed Oct 20 2010 Christina Fu 4.2.6-7 -- Resolves: bug 529945 - +- bug 529945 - expose NSS calls for OCSP settings -- Resolves: bug 638833 - +- bug 638833 - rfe ecc - add ec curve name support in JSS and CS - -* Wed Jan 13 2010 Rob Crittenden 4.2.6-6 -- Need to explicitly catch UnsatisfiedLinkError exception for System.load() - -* Thu Jan 7 2010 Rob Crittenden 4.2.6-5 -- Resolves: bug 533304 - +- + Need to explicitly catch UnsatisfiedLinkError exception for System.load() +- bug 533304 - Move location of libjss4.so to subdirectory and use System.load() to load it instead of System.loadLibrary() for Fedora packaging compliance +* Mon Nov 30 2009 Dennis Gregorovic - 4.2.6-4.1 +- Rebuilt for RHEL 6 + * Fri Jul 31 2009 Rob Crittenden 4.2.6-4 - Resolves: bug 224688 - Support ECC POP on the server @@ -208,7 +213,7 @@ rm -rf $RPM_BUILD_ROOT * Wed Feb 25 2009 Fedora Release Engineering - 4.2.5-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - + * Tue Aug 5 2008 Tom "spot" Callaway - 4.2.5-3 - fix license tag