Resolves: rhbz #1074208,1331596

-PKI Ticket #801
2016-05-19 14:01:14 -07:00 · 2016-05-19 14:01:14 -07:00 · 94b8206fde
commit 94b8206fde
parent 8a9c23e226
4 changed files with 2089 additions and 4 deletions
--- a/jss-VerifyCertificate-enhancement.patch
+++ b/jss-VerifyCertificate-enhancement.patch
@ -0,0 +1,204 @@
 From 3c4ca8a2010889fe292704ebcc8b922f77f2f7c2 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
 Date: Wed, 9 Dec 2015 00:30:50 +0100
 Subject: [PATCH] Added verifyCertificate() method.
 A new CryptoManager.verifyCertificate() method has been added as
 an alternative to isCertValid(). If there is a certificate
 validation problem, the method will throw a CertificateValidation
 exception that contains the NSS error message and code. The
 exception will also provide a stack trace to help troubleshoot
 validation issues.
 https://fedorahosted.org/pki/ticket/850
 ---
 .../jss/org/mozilla/jss/CryptoManager.java         | 54 ++++++++------
 mozilla/security/jss/org/mozilla/jss/PK11Finder.c  | 83 +++++++++++++++++++---
 .../jss/org/mozilla/jss/util/jss_exceptions.h      |  2 +
 3 files changed, 110 insertions(+), 29 deletions(-)
 diff --git a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
 index 0a4f59064bfddb42d473022550c24f251719d02b..54ffd8130b0e1f1fca49dd8b130a621e449c7ce7 100644
 --- a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
 +++ b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
@@ -1515,30 +1515,44 @@ public final class CryptoManager implements TokenSupplier
             CertificateUsage certificateUsage)
         throws ObjectNotFoundException, InvalidNicknameException
     {
 -        if (nickname==null) {
 -            throw new InvalidNicknameException("Nickname must be non-null");
 -        }
 -        // 0 certificate usage will get current usage
 -        // should call isCertValid() call above that returns certificate usage
 -        if ((certificateUsage == null) ||
 -                (certificateUsage == CertificateUsage.CheckAllUsages)){
 -            int currCertificateUsage = 0x0000;
 -            currCertificateUsage = verifyCertificateNowCUNative(nickname,
 -                checkSig);
 +        try {
 +            verifyCertificate(nickname, checkSig, certificateUsage);
 +            return true;
 +
 +        } catch (ObjectNotFoundException | InvalidNicknameException e) {
 +            throw e;
 -            if (currCertificateUsage == CertificateUsage.basicCertificateUsages){ 
 -                // cert is good for nothing
 -                return false;
 -            } else
 -                return true;
 -        } else {
 -            return verifyCertificateNowNative(nickname, checkSig,
 -              certificateUsage.getUsage());
 +        } catch (CertificateException e) {
 +            return false;
         }
     }
 -    private native boolean verifyCertificateNowNative(String nickname,
 -        boolean checkSig, int certificateUsage) throws ObjectNotFoundException;
 +    /**
 +     * Verify a certificate that exists in the given cert database,
 +     * check if it's valid and that we trust the issuer. Verify time
 +     * against now.
 +     * @param nickname nickname of the certificate to verify.
 +     * @param checkSig verify the signature of the certificate
 +     * @param certificateUsage see certificate usage defined to verify certificate
 +     *
 +     * @exception InvalidNicknameException If the nickname is null.
 +     * @exception ObjectNotFoundException If no certificate could be found
 +     *      with the given nickname.
 +     * @exception CertificateException If certificate is invalid.
 +     */
 +    public void verifyCertificate(String nickname,
 +            boolean checkSig,
 +            CertificateUsage certificateUsage)
 +                    throws ObjectNotFoundException, InvalidNicknameException, CertificateException {
 +        int usage = certificateUsage == null ? 0 : certificateUsage.getUsage();
 +        verifyCertificateNowNative(nickname, checkSig, usage);
 +    }
 +
 +    private native void verifyCertificateNowNative(
 +            String nickname,
 +            boolean checkSig,
 +            int certificateUsage)
 +                    throws ObjectNotFoundException, InvalidNicknameException, CertificateException;
     /**
      * note: this method calls obsolete function in NSS
 diff --git a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
 index 8c7f0b4c05b58527a41cac140dbb5dc30578570f..4986478ffc860e145cd31e41c2880fcc2b5e007e 100644
 --- a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
 +++ b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
@@ -1667,21 +1667,86 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
 /***********************************************************************
  * CryptoManager.verifyCertificateNowNative
  *
 - * Returns JNI_TRUE if success, JNI_FALSE otherwise
 + * Verify a certificate that exists in the given cert database,
 + * check if it's valid and that we trust the issuer. Verify time
 + * against now.
 + * @param nickname nickname of the certificate to verify.
 + * @param checkSig verify the signature of the certificate
 + * @param certificateUsage see certificate usage defined to verify certificate
 + *
 + * @exception InvalidNicknameException If the nickname is null.
 + * @exception ObjectNotFoundException If no certificate could be found
 + *      with the given nickname.
 + * @exception CertificateException If certificate is invalid.
  */
 -JNIEXPORT jboolean JNICALL
 +JNIEXPORT void JNICALL
 Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
 -        jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
 +        jobject self, jstring nickString, jboolean checkSig, jint certificateUsage)
 {
 -    SECStatus         rv    = SECFailure;
     SECCertificateUsage      currUsage = 0x0000;
 +    SECStatus                rv = SECFailure;
 +    CERTCertificate          *cert = NULL;
 +    char                     *nickname = NULL;
 -    rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
 +    if (nickString == NULL) {
 +        JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
 +        goto finish;
 +    }
 -    if( rv == SECSuccess) {
 -        return JNI_TRUE;
 -    } else {
 -        return JNI_FALSE;
 +    nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
 +
 +    if (nickname == NULL) {
 +        JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
 +        goto finish;
 +    }
 +
 +    cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
 +
 +    if (cert == NULL) {
 +        char *msgBuf;
 +        msgBuf = PR_smprintf("Certificate not found: %s", nickname);
 +        JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, msgBuf);
 +        PR_Free(msgBuf);
 +        goto finish;
 +    }
 +
 +    /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
 +     * retrieve the current valid usage into currUsage
 +     */
 +    rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
 +        checkSig, certificateUsage, NULL, &currUsage);
 +
 +    if (rv != SECSuccess) {
 +        JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Invalid certificate");
 +        goto finish;
 +    }
 +
 +    if ((certificateUsage == 0x0000) &&
 +        (currUsage ==
 +            ( certUsageUserCertImport |
 +            certUsageVerifyCA |
 +            certUsageProtectedObjectSigner |
 +            certUsageAnyCA ))) {
 +
 +        /* The certificate is good for nothing.
 +         * The following usages cannot be verified:
 +         *   certUsageAnyCA
 +         *   certUsageProtectedObjectSigner
 +         *   certUsageUserCertImport
 +         *   certUsageVerifyCA
 +         *   (0x0b80)
 +         */
 +
 +        JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Unusable certificate");
 +        goto finish;
 +    }
 +
 +finish:
 +    if (nickname != NULL) {
 +        (*env)->ReleaseStringUTFChars(env, nickString, nickname);
 +    }
 +    if (cert != NULL) {
 +        CERT_DestroyCertificate(cert);
     }
 }
 diff --git a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
 index 4884928306223ff0699a22e7da33e3d13a904d39..acd329a4ecd3592ebe1d72c7bdac435d84dcae99 100644
 --- a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
 +++ b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
@@ -79,6 +79,8 @@ PR_BEGIN_EXTERN_C
 #define INTERRUPTED_IO_EXCEPTION "java/io/InterruptedIOException"
 +#define INVALID_NICKNAME_EXCEPTION "org/mozilla/jss/util/InvalidNicknameException"
 +
 #define INVALID_KEY_FORMAT_EXCEPTION "org/mozilla/jss/crypto/InvalidKeyFormatException"
 #define INVALID_PARAMETER_EXCEPTION "java/security/InvalidParameterException"
 -- 
 2.5.0
--- a/jss-lunasaUnwrap.patch
+++ b/jss-lunasaUnwrap.patch
@ -0,0 +1,12 @@
 diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
 --- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu	2016-04-28 16:50:06.000000000 -0700
 +++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c	2016-04-28 16:50:00.000000000 -0700
@@ -434,7 +434,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
         isSensitive = PR_FALSE;
         isExtractable = PR_FALSE;
     } else if ( isLunasa) {
 -        isSensitive = PR_FALSE;
 +        isSensitive = PR_TRUE;
         isExtractable = PR_TRUE;
     }
--- a/jss-symkey-enhancements.patch
+++ b/jss-symkey-enhancements.patch
--- a/jss.spec
+++ b/jss.spec
@ -1,6 +1,6 @@
 Name:           jss
 Version:        4.2.6
-Release:        38%{?dist}
+Release:        39%{?dist}
 Summary:        Java Security Services (JSS)
 Group:          System Environment/Libraries
@ -16,11 +16,11 @@ Source2:        http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{versi
 Source3:        http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/lgpl.txt
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires:  nss-devel >= 3.14.3
+BuildRequires:  nss-devel >= 3.21.0
-BuildRequires:  nspr-devel >= 4.9.5
+BuildRequires:  nspr-devel >= 4.11.0
 BuildRequires:  java-devel
 Requires:       java-headless
-Requires:       nss >= 3.14.3
+Requires:       nss >= 3.21.0
 Patch1:         jss-key_pair_usage_with_op_flags.patch
 Patch2:         jss-javadocs-param.patch
@ -49,6 +49,9 @@ Patch24:        jss-SHA-OID-fix.patch
 Patch25:        jss-RC4-strengh-verify.patch
 Patch26:        jss-support-TLS1_1-TLS1_2.patch
 Patch27:        jss-Fixed-build-failures.patch
 Patch28:        jss-VerifyCertificate-enhancement.patch
 Patch29:        jss-lunasaUnwrap.patch
 Patch30:        jss-symkey-enhancements.patch
 %description
@ -93,6 +96,9 @@ This package contains the API documentation for JSS.
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
 %patch29 -p1
 %patch30 -p1
 %build
 [ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
@ -197,6 +203,14 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Thu May 19 2016 Christina Fu <cfu@redhat.com> - 4.2.6-39
 - Bugzilla 1074208 - pass up exact JSS certificate validation errors from NSS
  (edewata)
 - Bugzilla 1331596 - Key archival fails when KRA is configured with lunasa.
  (cfu)
 - PKI ticket 801 - Merge pki-symkey into jss (phase 1)
  (jmagne)
 * Wed Dec 09 2015 Endi Dewata <edewata@redhat.com> - 4.2.6-38
 - Bugzilla Bug #1289799 - JSS build failure on F23 and Rawhide (edewata)