Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/jss.git#89bcbe8882b72b2957680ff66ec6a45ab234f0e8
DistroBaker 2020-10-27 17:43:07 +01:00 committed by Petr Šabata
parent af554a80d1
commit bbcd1adde9
5 changed files with 10 additions and 115 deletions

1
.gitignore vendored

@ -30,3 +30,4 @@ jss-4.2.6.tar.gz
/jss-4.7.0.tar.gz
/jss-4.7.2.tar.gz
/jss-4.7.3.tar.gz
/jss-4.8.0-b1.tar.gz


@ -1,49 +0,0 @@
From 1fb6097a2ab73ef897d011e7383d7f5f1bf6a1df Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 1 Jul 2020 12:41:20 -0400
Subject: [PATCH] Replace SHA-1 signature with SHA-256
A recent change in Fedora Rawhide's crypto-policies package caused
failures in the tests like the following:
Exception in thread "main" java.io.IOException: SocketException cannot read on socket: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1494)
at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:38)
at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:25)
at org.mozilla.jss.tests.SSLClientAuth.run(SSLClientAuth.java:435)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.mozilla.jss.ssl.SSLSocketException: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
at org.mozilla.jss.ssl.SSLSocket.socketRead(Native Method)
at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1488)
... 4 more
Server exiting
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8016) Unknown error
at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
at org.mozilla.jss.tests.SSLClientAuth.testConnection(SSLClientAuth.java:345)
at org.mozilla.jss.tests.SSLClientAuth.doIt(SSLClientAuth.java:156)
at org.mozilla.jss.tests.SSLClientAuth.main(SSLClientAuth.java:90)
This was caused by dropping SHA-1 as an allowed hash during handshakes.
However, because SSLClientAuth manually generated its certificate (and
explicitly asked for SHA-1), it failed.
Switch to SHA-256 instead.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/tests/SSLClientAuth.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org/mozilla/jss/tests/SSLClientAuth.java b/org/mozilla/jss/tests/SSLClientAuth.java
index 6f1fd2b12..bf270a634 100644
--- a/org/mozilla/jss/tests/SSLClientAuth.java
+++ b/org/mozilla/jss/tests/SSLClientAuth.java
@@ -28,7 +28,7 @@
private CryptoManager cm;
public static final SignatureAlgorithm sigAlg =
- SignatureAlgorithm.RSASignatureWithSHA1Digest;
+ SignatureAlgorithm.RSASignatureWithSHA256Digest;
/**
* Method that generates a certificate for given credential


@ -1,47 +0,0 @@
From 8ed5a82a973922d07d0610fd42c48b2a0ec97d6c Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 1 Jul 2020 12:44:53 -0400
Subject: [PATCH] Remove all legacy DSS/DSA tests
The only signature algorithm suppoted with DSS is SHA-1, which will soon
become deprecated and broken. DSS itself isn't widely used either, so we
should remove it from the test suite as well.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
cmake/JSSTests.cmake | 12 +-----------
1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/cmake/JSSTests.cmake b/cmake/JSSTests.cmake
index a26b95425..a0fe36e22 100644
--- a/cmake/JSSTests.cmake
+++ b/cmake/JSSTests.cmake
@@ -170,11 +170,6 @@ macro(jss_tests)
COMMAND "org.mozilla.jss.tests.GenerateTestCert" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "30" "localhost" "SHA-256/EC" "CA_ECDSA" "Server_ECDSA" "Client_ECDSA"
DEPENDS "Generate_known_RSA_cert_pair"
)
- jss_test_java(
- NAME "Generate_known_DSS_cert_pair"
- COMMAND "org.mozilla.jss.tests.GenerateTestCert" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "40" "localhost" "SHA-1/DSA" "CA_DSS" "Server_DSS" "Client_DSS"
- DEPENDS "Generate_known_ECDSA_cert_pair"
- )
jss_test_exec(
NAME "Create_PKCS11_cert_to_PKCS12_rsa.pfx"
COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/rsa.pfx" "-n" "CA_RSA" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
@@ -185,15 +180,10 @@ macro(jss_tests)
COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/ecdsa.pfx" "-n" "CA_ECDSA" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
DEPENDS "Generate_known_ECDSA_cert_pair"
)
- jss_test_exec(
- NAME "Create_PKCS11_cert_to_PKCS12_dss.pfx"
- COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/dss.pfx" "-n" "CA_DSS" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
- DEPENDS "Generate_known_DSS_cert_pair"
- )
jss_test_java(
NAME "List_CA_certs"
COMMAND "org.mozilla.jss.tests.ListCACerts" "${RESULTS_NSSDB_OUTPUT_DIR}" "Verbose"
- DEPENDS "Generate_known_DSS_cert_pair"
+ DEPENDS "Generate_known_ECDSA_cert_pair"
)
jss_test_java(
NAME "SSLClientAuth"


@ -6,9 +6,9 @@ Summary: Java Security Services (JSS)
URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+
Version: 4.7.3
Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -a1
Version: 4.8.0
Release: 0.1%{?_timestamp}%{?_commit_id}%{?dist}
%global _phase -b1
# To generate the source tarball:
# $ git clone https://github.com/dogtagpki/jss.git
@ -50,7 +50,7 @@ BuildRequires: glassfish-jaxb-api
%else
BuildRequires: slf4j-jdk14
%endif
BuildRequires: apache-commons-lang
BuildRequires: apache-commons-lang3
BuildRequires: junit
@ -64,7 +64,7 @@ Requires: glassfish-jaxb-api
%else
Requires: slf4j-jdk14
%endif
Requires: apache-commons-lang
Requires: apache-commons-lang3
Conflicts: ldapjdk < 4.20
Conflicts: idm-console-framework < 1.2
@ -108,26 +108,13 @@ export CFLAGS
# Check if we're in FIPS mode
modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
# RHEL's CMake doesn't support -B flag.
%if 0%{?rhel}
%{__mkdir_p} %{_vpath_builddir}
cd %{_vpath_builddir}
%endif
# The Makefile is not thread-safe
%cmake \
-DJAVA_HOME=%{java_home} \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
%if 0%{?rhel}
..
%else
-B %{_vpath_builddir}
%endif
%if 0%{?fedora}
cd %{_vpath_builddir}
%endif
%{__make} all
%{__make} javadoc
ctest --output-on-failure
@ -173,6 +160,9 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
################################################################################
%changelog
* Wed Oct 21 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.8.0-b1
- Rebase to upstream beta release JSS v4.8.0-b1
* Fri Sep 11 2020 Dogtag PKI Team <pki-devel@redhat.com> - 4.7.3-1
- Rebase to upstream stable release JSS v4.7.3
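Review bot: The `%cmake` call in the `@ -108,26 +108,13 @` hunk now appears to pass `-B %{_vpath_builddir}` unconditionally, although the dropped `%if 0%{?rhel}` branch carried the comment "RHEL's CMake doesn't support -B flag". The page has lost its +/- markers, so this reading is inferred from the hunk's old/new line counts. If it holds, a build root with an older CMake would break at configure time or in the following `cd %{_vpath_builddir}`, not with a clear dependency error. Stating the requirement in the spec would make that explicit, for example `BuildRequires: cmake >= 3.13` (the release that introduced `-B`) or a comment above `%cmake` such as `# Needs a CMake that accepts -B (3.13 or later)`. The build section starts and ends outside the hunk.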


@ -1 +1 @@
SHA512 (jss-4.7.3.tar.gz) = 9358cf78d99e5e32a07dd457d6b0c916bdf9bf6959efe889f1cb91af75aa79fc419c2d057a40bfbe4e2a4924bffc1cafa04d917622cafe07062bcb633f330f98
SHA512 (jss-4.8.0-b1.tar.gz) = 5601922b1c2e8006951a01e50486f585e2f6e3c0cd987a7e75c62755b4e14e2c7d489b583f92ba09281ceee2b5b1363f3d8fc94b039232fb3694975bd041a332