From bbcd1adde94b31a6403d914562c35409491e47d5 Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Tue, 27 Oct 2020 17:43:07 +0100
Subject: [PATCH] Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team.
Source: https://src.fedoraproject.org/rpms/jss.git#89bcbe8882b72b2957680ff66ec6a45ab234f0e8
---
 .gitignore | 1 +
 jss-crypto-policies-1.patch | 49 -------------------------------------
 jss-crypto-policies-2.patch | 47 -----------------------------------
 jss.spec | 26 ++++++--------------
 sources | 2 +-
 5 files changed, 10 insertions(+), 115 deletions(-)
 delete mode 100644 jss-crypto-policies-1.patch
 delete mode 100644 jss-crypto-policies-2.patch
diff --git a/.gitignore b/.gitignore
index 349bfb5..cb5030b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -30,3 +30,4 @@ jss-4.2.6.tar.gz
 /jss-4.7.0.tar.gz
 /jss-4.7.2.tar.gz
 /jss-4.7.3.tar.gz
+/jss-4.8.0-b1.tar.gz
diff --git a/jss-crypto-policies-1.patch b/jss-crypto-policies-1.patch
deleted file mode 100644
index dc23e85..0000000
--- a/jss-crypto-policies-1.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 1fb6097a2ab73ef897d011e7383d7f5f1bf6a1df Mon Sep 17 00:00:00 2001
-From: Alexander Scheel
-Date: Wed, 1 Jul 2020 12:41:20 -0400
-Subject: [PATCH] Replace SHA-1 signature with SHA-256
-
-A recent change in Fedora Rawhide's crypto-policies package caused
-failures in the tests like the following:
-
- Exception in thread "main" java.io.IOException: SocketException cannot read on socket: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
- at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1494)
- at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:38)
- at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:25)
- at org.mozilla.jss.tests.SSLClientAuth.run(SSLClientAuth.java:435)
- at java.lang.Thread.run(Thread.java:748)
- Caused by: org.mozilla.jss.ssl.SSLSocketException: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
- at org.mozilla.jss.ssl.SSLSocket.socketRead(Native Method)
- at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1488)
- ... 4 more
- Server exiting
- org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8016) Unknown error
- at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
- at org.mozilla.jss.tests.SSLClientAuth.testConnection(SSLClientAuth.java:345)
- at org.mozilla.jss.tests.SSLClientAuth.doIt(SSLClientAuth.java:156)
- at org.mozilla.jss.tests.SSLClientAuth.main(SSLClientAuth.java:90)
-
-This was caused by dropping SHA-1 as an allowed hash during handshakes.
-However, because SSLClientAuth manually generated its certificate (and
-explicitly asked for SHA-1), it failed.
-
-Switch to SHA-256 instead.
-
-Signed-off-by: Alexander Scheel
----
- org/mozilla/jss/tests/SSLClientAuth.java | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/org/mozilla/jss/tests/SSLClientAuth.java b/org/mozilla/jss/tests/SSLClientAuth.java
-index 6f1fd2b12..bf270a634 100644
---- a/org/mozilla/jss/tests/SSLClientAuth.java
-+++ b/org/mozilla/jss/tests/SSLClientAuth.java
-@@ -28,7 +28,7 @@
-
- private CryptoManager cm;
- public static final SignatureAlgorithm sigAlg =
-- SignatureAlgorithm.RSASignatureWithSHA1Digest;
-+ SignatureAlgorithm.RSASignatureWithSHA256Digest;
-
- /**
- * Method that generates a certificate for given credential
diff --git a/jss-crypto-policies-2.patch b/jss-crypto-policies-2.patch
deleted file mode 100644
index 71fe8c2..0000000
--- a/jss-crypto-policies-2.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 8ed5a82a973922d07d0610fd42c48b2a0ec97d6c Mon Sep 17 00:00:00 2001
-From: Alexander Scheel
-Date: Wed, 1 Jul 2020 12:44:53 -0400
-Subject: [PATCH] Remove all legacy DSS/DSA tests
-
-The only signature algorithm suppoted with DSS is SHA-1, which will soon
-become deprecated and broken. DSS itself isn't widely used either, so we
-should remove it from the test suite as well.
-
-Signed-off-by: Alexander Scheel
----
- cmake/JSSTests.cmake | 12 +-----------
- 1 file changed, 1 insertion(+), 11 deletions(-)
-
-diff --git a/cmake/JSSTests.cmake b/cmake/JSSTests.cmake
-index a26b95425..a0fe36e22 100644
---- a/cmake/JSSTests.cmake
-+++ b/cmake/JSSTests.cmake
-@@ -170,11 +170,6 @@ macro(jss_tests)
- COMMAND "org.mozilla.jss.tests.GenerateTestCert" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "30" "localhost" "SHA-256/EC" "CA_ECDSA" "Server_ECDSA" "Client_ECDSA"
- DEPENDS "Generate_known_RSA_cert_pair"
- )
-- jss_test_java(
-- NAME "Generate_known_DSS_cert_pair"
-- COMMAND "org.mozilla.jss.tests.GenerateTestCert" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "40" "localhost" "SHA-1/DSA" "CA_DSS" "Server_DSS" "Client_DSS"
-- DEPENDS "Generate_known_ECDSA_cert_pair"
-- )
- jss_test_exec(
- NAME "Create_PKCS11_cert_to_PKCS12_rsa.pfx"
- COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/rsa.pfx" "-n" "CA_RSA" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
-@@ -185,15 +180,10 @@ macro(jss_tests)
- COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/ecdsa.pfx" "-n" "CA_ECDSA" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
- DEPENDS "Generate_known_ECDSA_cert_pair"
- )
-- jss_test_exec(
-- NAME "Create_PKCS11_cert_to_PKCS12_dss.pfx"
-- COMMAND "pk12util" "-o" "${RESULTS_NSSDB_OUTPUT_DIR}/dss.pfx" "-n" "CA_DSS" "-d" "${RESULTS_NSSDB_OUTPUT_DIR}" "-K" "${DB_PWD}" "-W" "${DB_PWD}"
-- DEPENDS "Generate_known_DSS_cert_pair"
-- )
- jss_test_java(
- NAME "List_CA_certs"
- COMMAND "org.mozilla.jss.tests.ListCACerts" "${RESULTS_NSSDB_OUTPUT_DIR}" "Verbose"
-- DEPENDS "Generate_known_DSS_cert_pair"
-+ DEPENDS "Generate_known_ECDSA_cert_pair"
- )
- jss_test_java(
- NAME "SSLClientAuth"
diff --git a/jss.spec b/jss.spec
index 401fe38..c0e48c9 100644
--- a/jss.spec
+++ b/jss.spec
@@ -6,9 +6,9 @@ Summary: Java Security Services (JSS) URL: http://www.dogtagpki.org/wiki/JSS License: MPLv1.1 or GPLv2+ or LGPLv2+ -Version: 4.7.3 -Release: 1%{?_timestamp}%{?_commit_id}%{?dist} -#global _phase -a1 +Version: 4.8.0 +Release: 0.1%{?_timestamp}%{?_commit_id}%{?dist} +%global _phase -b1 # To generate the source tarball: # $ git clone https://github.com/dogtagpki/jss.git
@@ -50,7 +50,7 @@ BuildRequires: glassfish-jaxb-api %else BuildRequires: slf4j-jdk14 %endif -BuildRequires: apache-commons-lang +BuildRequires: apache-commons-lang3 BuildRequires: junit
@@ -64,7 +64,7 @@ Requires: glassfish-jaxb-api %else Requires: slf4j-jdk14 %endif -Requires: apache-commons-lang +Requires: apache-commons-lang3 Conflicts: ldapjdk < 4.20 Conflicts: idm-console-framework < 1.2
@@ -108,26 +108,13 @@ export CFLAGS # Check if we're in FIPS mode modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1 -# RHEL's CMake doesn't support -B flag. -%if 0%{?rhel} -%{__mkdir_p} %{_vpath_builddir} -cd %{_vpath_builddir} -%endif - # The Makefile is not thread-safe %cmake \ -DJAVA_HOME=%{java_home} \ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ -%if 0%{?rhel} - .. -%else -B %{_vpath_builddir} -%endif -%if 0%{?fedora} cd %{_vpath_builddir} -%endif - %{__make} all %{__make} javadoc ctest --output-on-failure
@@ -173,6 +160,9 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} ################################################################################ %changelog +* Wed Oct 21 2020 Dogtag PKI Team - 4.8.0-b1 +- Rebase to upstream beta release JSS v4.8.0-b1 * Fri Sep 11 2020 Dogtag PKI Team - 4.7.3-1 - Rebase to upstream stable release JSS v4.7.3
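Review bot: The `%cmake` call in the `@@ -108,26 +108,13 @@` hunk now passes `-B %{_vpath_builddir}` on every target, while the comment this hunk deletes recorded that RHEL's CMake did not accept `-B`, and nothing visible in the diff states a minimum CMake version. If the spec does not already carry one, a versioned `BuildRequires: cmake >= 3.13` (the release that introduced `-B`) would make that assumption explicit instead of leaving it to the builder image. The same block still runs `ctest --output-on-failure`, which is the only visible gate for the two crypto-policies test patches (SHA-1 signature in SSLClientAuth, the DSS/DSA tests) that this commit deletes. The description does not say that 4.8.0-b1 already contains them, so once that is confirmed a comment such as `# jss-crypto-policies-{1,2}.patch dropped: included upstream as of 4.8.0-b1` next to the version lines would record why they went away. The build scriptlet begins above this hunk, so any existing CMake requirement is not visible here.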
diff --git a/sources b/sources
index 13d43e8..c295965 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (jss-4.7.3.tar.gz) = 9358cf78d99e5e32a07dd457d6b0c916bdf9bf6959efe889f1cb91af75aa79fc419c2d057a40bfbe4e2a4924bffc1cafa04d917622cafe07062bcb633f330f98
+SHA512 (jss-4.8.0-b1.tar.gz) = 5601922b1c2e8006951a01e50486f585e2f6e3c0cd987a7e75c62755b4e14e2c7d489b583f92ba09281ceee2b5b1363f3d8fc94b039232fb3694975bd041a332