import jss-4.6.2-4.module+el8.2.0+6123+b4678599
This commit is contained in:
parent
d4767398bf
commit
c4f7185131
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/jss-4.6.0.tar.gz
|
SOURCES/jss-4.6.2.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
3d6d2d885129e0d7d8ebac5dfe9055c693a7a9b1 SOURCES/jss-4.6.0.tar.gz
|
4fea1d770e0882aa9c1c6c493bce9eb579b5c085 SOURCES/jss-4.6.2.tar.gz
|
||||||
|
@ -1,71 +0,0 @@
|
|||||||
From d7d6d769b510118e40d9c0919317665c4c9feb8d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Scheel <alexander.m.scheel@gmail.com>
|
|
||||||
Date: Wed, 12 Jun 2019 17:17:45 -0400
|
|
||||||
Subject: [PATCH] Disable buffer-based tests
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
|
|
||||||
---
|
|
||||||
cmake/JSSTests.cmake | 33 ---------------------------------
|
|
||||||
1 file changed, 33 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/cmake/JSSTests.cmake b/cmake/JSSTests.cmake
|
|
||||||
index b389be5c..473d7d4d 100644
|
|
||||||
--- a/cmake/JSSTests.cmake
|
|
||||||
+++ b/cmake/JSSTests.cmake
|
|
||||||
@@ -78,24 +78,6 @@ macro(jss_tests)
|
|
||||||
NAME "BigObjectIdentifier"
|
|
||||||
COMMAND "org.mozilla.jss.tests.BigObjectIdentifier"
|
|
||||||
)
|
|
||||||
- jss_test_java(
|
|
||||||
- NAME "JSS_Test_PR_FileDesc"
|
|
||||||
- COMMAND "org.mozilla.jss.tests.TestPRFD"
|
|
||||||
- )
|
|
||||||
- jss_test_java(
|
|
||||||
- NAME "JSS_Test_Raw_SSL"
|
|
||||||
- COMMAND "org.mozilla.jss.tests.TestRawSSL" "${RESULTS_NSSDB_OUTPUT_DIR}"
|
|
||||||
- DEPENDS "Setup_DBs"
|
|
||||||
- )
|
|
||||||
- jss_test_java(
|
|
||||||
- NAME "JSS_Test_Buffer"
|
|
||||||
- COMMAND "org.mozilla.jss.tests.TestBuffer"
|
|
||||||
- )
|
|
||||||
- jss_test_java(
|
|
||||||
- NAME "JSS_Test_BufferPRFD"
|
|
||||||
- COMMAND "org.mozilla.jss.tests.TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
|
|
||||||
- DEPENDS "List_CA_certs"
|
|
||||||
- )
|
|
||||||
if ((${Java_VERSION_MAJOR} EQUAL 1) AND (${Java_VERSION_MINOR} LESS 9))
|
|
||||||
jss_test_java(
|
|
||||||
NAME "Test_PKCS11Constants.java_for_Sun_compatibility"
|
|
||||||
@@ -126,16 +108,6 @@ macro(jss_tests)
|
|
||||||
NAME "JUnit_UTF8StringTest"
|
|
||||||
COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.UTF8StringTest"
|
|
||||||
)
|
|
||||||
- jss_test_exec(
|
|
||||||
- NAME "buffer_size_1"
|
|
||||||
- COMMAND "${BIN_OUTPUT_DIR}/buffer_size_1"
|
|
||||||
- DEPENDS "generate_c_buffer_size_1"
|
|
||||||
- )
|
|
||||||
- jss_test_exec(
|
|
||||||
- NAME "buffer_size_4"
|
|
||||||
- COMMAND "${BIN_OUTPUT_DIR}/buffer_size_4"
|
|
||||||
- DEPENDS "generate_c_buffer_size_4"
|
|
||||||
- )
|
|
||||||
jss_test_java(
|
|
||||||
NAME "JUnit_ChainSortingTest"
|
|
||||||
COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.ChainSortingTest"
|
|
||||||
@@ -180,11 +152,6 @@ macro(jss_tests)
|
|
||||||
COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH}" "50"
|
|
||||||
DEPENDS "List_CA_certs"
|
|
||||||
)
|
|
||||||
- jss_test_exec(
|
|
||||||
- NAME "TestBufferPRFD"
|
|
||||||
- COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
|
|
||||||
- DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
|
|
||||||
- )
|
|
||||||
jss_test_java(
|
|
||||||
NAME "Key_Generation"
|
|
||||||
COMMAND "org.mozilla.jss.tests.TestKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
|
|
||||||
--
|
|
||||||
2.21.0
|
|
||||||
|
|
53
SOURCES/0001-Fix-NativeProxy-reference-tracker.patch
Normal file
53
SOURCES/0001-Fix-NativeProxy-reference-tracker.patch
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
From 91514ca0a2979ba778d27220ced0cd312e2cd2d2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
Date: Tue, 29 Oct 2019 10:43:56 -0400
|
||||||
|
Subject: [PATCH] Fix NativeProxy reference tracker
|
||||||
|
|
||||||
|
In eb5df01003d74b57473eacb84e538d31f5bb06ca, I introduced a bug by
|
||||||
|
setting mPointer after trying to add NativeProxy to the registry. In
|
||||||
|
most instances this won't matter, however, if another instance exists in
|
||||||
|
the HashSet with the same hash value, the equals comparator will be
|
||||||
|
used, triggering a NPE.
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
---
|
||||||
|
org/mozilla/jss/util/NativeProxy.java | 13 +++++--------
|
||||||
|
1 file changed, 5 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
|
||||||
|
index 1c6d1aa5..a0811f76 100644
|
||||||
|
--- a/org/mozilla/jss/util/NativeProxy.java
|
||||||
|
+++ b/org/mozilla/jss/util/NativeProxy.java
|
||||||
|
@@ -40,8 +40,8 @@ public abstract class NativeProxy implements AutoCloseable
|
||||||
|
*/
|
||||||
|
public NativeProxy(byte[] pointer) {
|
||||||
|
assert(pointer!=null);
|
||||||
|
- registry.add(this);
|
||||||
|
mPointer = pointer;
|
||||||
|
+ registry.add(this);
|
||||||
|
|
||||||
|
if (saveStacktraces) {
|
||||||
|
mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
|
||||||
|
@@ -61,15 +61,12 @@ public abstract class NativeProxy implements AutoCloseable
|
||||||
|
if( ! (obj instanceof NativeProxy) ) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
- if( ((NativeProxy)obj).mPointer.length != mPointer.length) {
|
||||||
|
+ if (((NativeProxy)obj).mPointer == null) {
|
||||||
|
+ /* If mPointer is null, we have no way to compare the values
|
||||||
|
+ * of the pointers, so assume they're unequal. */
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
- for(int i=0; i < mPointer.length; i++) {
|
||||||
|
- if(mPointer[i] != ((NativeProxy)obj).mPointer[i]) {
|
||||||
|
- return false;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- return true;
|
||||||
|
+ return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
--
|
||||||
|
2.21.0
|
||||||
|
|
80
SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch
Normal file
80
SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
Date: Fri, 28 Feb 2020 14:10:32 -0500
|
||||||
|
Subject: [PATCH 1/2] Fix swapped parameter names with PBE
|
||||||
|
|
||||||
|
Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression
|
||||||
|
related to extracting the parameter classes during PBE operations:
|
||||||
|
previously, the classes of the underlying encryption algorithm were
|
||||||
|
iterated over, instead of the classes of the PBE class itself. However,
|
||||||
|
this commit iterated over the PBE parameter classes; no PBE algorithm
|
||||||
|
accepts a IvParameterSpec, resulting in a null parameter passed to the
|
||||||
|
later encryption or key wrap operation. This resulted in stack traces
|
||||||
|
like the following:
|
||||||
|
|
||||||
|
Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter
|
||||||
|
at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225)
|
||||||
|
at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89)
|
||||||
|
at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57)
|
||||||
|
at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342)
|
||||||
|
|
||||||
|
Resolves: rh-bz#1807371
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
---
|
||||||
|
org/mozilla/jss/pkcs7/EncryptedContentInfo.java | 2 +-
|
||||||
|
org/mozilla/jss/pkix/cms/EncryptedContentInfo.java | 2 +-
|
||||||
|
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
|
||||||
|
3 files changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
|
||||||
|
index 084752c3..0344b14d 100644
|
||||||
|
--- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
|
||||||
|
+++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
|
||||||
|
@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value {
|
||||||
|
// generate IV
|
||||||
|
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
|
||||||
|
AlgorithmParameterSpec params=null;
|
||||||
|
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
|
||||||
|
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
|
||||||
|
for (int i = 0; i < paramClasses.length; i ++) {
|
||||||
|
if ( paramClasses[i].equals(
|
||||||
|
javax.crypto.spec.IvParameterSpec.class ) ) {
|
||||||
|
diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
|
||||||
|
index a4709070..d85eb0d3 100644
|
||||||
|
--- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
|
||||||
|
+++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
|
||||||
|
@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value {
|
||||||
|
// generate IV
|
||||||
|
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
|
||||||
|
AlgorithmParameterSpec params=null;
|
||||||
|
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
|
||||||
|
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
|
||||||
|
for (int i = 0; i < paramClasses.length; i ++) {
|
||||||
|
if ( paramClasses[i].equals( IVParameterSpec.class ) ) {
|
||||||
|
params = new IVParameterSpec( kg.generatePBE_IV() );
|
||||||
|
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
|
||||||
|
index b35714e3..ebd269f3 100644
|
||||||
|
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
|
||||||
|
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
|
||||||
|
@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
|
||||||
|
// generate IV
|
||||||
|
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
|
||||||
|
AlgorithmParameterSpec params=null;
|
||||||
|
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
|
||||||
|
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
|
||||||
|
for (int i = 0; i < paramClasses.length; i ++) {
|
||||||
|
if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) {
|
||||||
|
params = new IVParameterSpec( kg.generatePBE_IV() );
|
||||||
|
@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
|
||||||
|
// generate IV
|
||||||
|
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
|
||||||
|
AlgorithmParameterSpec params=null;
|
||||||
|
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
|
||||||
|
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
|
||||||
|
for (int i = 0; i < paramClasses.length; i ++) {
|
||||||
|
if ( paramClasses[i].equals(
|
||||||
|
javax.crypto.spec.IvParameterSpec.class ) ) {
|
||||||
|
--
|
||||||
|
2.24.1
|
||||||
|
|
@ -1,39 +0,0 @@
|
|||||||
From 731b62d4c456a3e1a70519c24eb0df2c59d943b4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
Date: Mon, 17 Jun 2019 08:48:01 -0400
|
|
||||||
Subject: [PATCH] Support LD_FLAGS from environment
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
---
|
|
||||||
cmake/JSSConfig.cmake | 8 ++++++++
|
|
||||||
1 file changed, 8 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/cmake/JSSConfig.cmake b/cmake/JSSConfig.cmake
|
|
||||||
index f045850a..e63dd5fa 100644
|
|
||||||
--- a/cmake/JSSConfig.cmake
|
|
||||||
+++ b/cmake/JSSConfig.cmake
|
|
||||||
@@ -174,6 +174,11 @@ macro(jss_config_ldflags)
|
|
||||||
list(APPEND JSS_LD_FLAGS "-lpthread")
|
|
||||||
list(APPEND JSS_LD_FLAGS "-ldl")
|
|
||||||
|
|
||||||
+ separate_arguments(PASSED_LD_FLAGS UNIX_COMMAND "${CMAKE_SHARED_LINKER_FLAGS}")
|
|
||||||
+ foreach(PASSED_LD_FLAG ${PASSED_LD_FLAGS})
|
|
||||||
+ list(INSERT JSS_LD_FLAGS 0 "${PASSED_LD_FLAG}")
|
|
||||||
+ endforeach()
|
|
||||||
+
|
|
||||||
# This set of flags is specific to building the libjss library.
|
|
||||||
list(APPEND JSS_LIBRARY_FLAGS "-shared")
|
|
||||||
list(APPEND JSS_LIBRARY_FLAGS "-Wl,-z,defs")
|
|
||||||
@@ -181,6 +186,9 @@ macro(jss_config_ldflags)
|
|
||||||
list(APPEND JSS_LIBRARY_FLAGS "-Wl,${JSS_SO}")
|
|
||||||
|
|
||||||
set(JSS_VERSION_SCRIPT "-Wl,--version-script,${PROJECT_SOURCE_DIR}/lib/jss.map")
|
|
||||||
+
|
|
||||||
+ message(STATUS "JSS LD FLAGS: ${JSS_LD_FLAGS}")
|
|
||||||
+ message(STATUS "JSS LIBRARY FLAGS: ${JSS_LIBRARY_FLAGS}")
|
|
||||||
endmacro()
|
|
||||||
|
|
||||||
macro(jss_config_java)
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
60
SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch
Normal file
60
SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch
Normal file
@ -0,0 +1,60 @@
|
|||||||
|
From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
Date: Fri, 28 Feb 2020 14:39:29 -0500
|
||||||
|
Subject: [PATCH 2/2] Use specified algorithm for KeyWrap
|
||||||
|
|
||||||
|
When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
|
||||||
|
called, it would always request DES3_CBC_PAD as the key wrapping
|
||||||
|
algorithm, regardless of the input PBE key type. However, the other form
|
||||||
|
(with an implicit token) was correctly handling this case.
|
||||||
|
|
||||||
|
Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
|
||||||
|
instead of having to convert to/from a String form.
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
---
|
||||||
|
org/mozilla/jss/crypto/KeyWrapAlgorithm.java | 5 ++++-
|
||||||
|
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
|
||||||
|
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
|
||||||
|
index 3113f614..3a106977 100644
|
||||||
|
--- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
|
||||||
|
+++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
|
||||||
|
@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
|
||||||
|
|
||||||
|
public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
|
||||||
|
OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
|
||||||
|
+ return fromOID(oid);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
+ public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
|
||||||
|
if (oid.equals(AES_KEY_WRAP_PAD_OID))
|
||||||
|
return AES_KEY_WRAP_PAD;
|
||||||
|
|
||||||
|
@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
|
||||||
|
if (oid.equals(DES_CBC_PAD_OID))
|
||||||
|
return DES_CBC_PAD;
|
||||||
|
|
||||||
|
- throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
|
||||||
|
+ throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
|
||||||
|
index ebd269f3..abfc39a7 100644
|
||||||
|
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
|
||||||
|
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
|
||||||
|
@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- KeyWrapper wrapper = token.getKeyWrapper(
|
||||||
|
- KeyWrapAlgorithm.DES3_CBC_PAD);
|
||||||
|
+ // wrap the key
|
||||||
|
+ KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
|
||||||
|
wrapper.initWrap(key, params);
|
||||||
|
byte encrypted[] = wrapper.wrap(pri);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.24.1
|
||||||
|
|
@ -1,346 +0,0 @@
|
|||||||
From 233795b098a17269f8495fee312fe6df404a236d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
Date: Wed, 4 Sep 2019 08:33:14 -0400
|
|
||||||
Subject: [PATCH] Fix root certificate validation
|
|
||||||
|
|
||||||
When the Leaf and Chain OCSP checking policy is enabled in
|
|
||||||
CryptoManager, JSS will switch to alternative certificate verification
|
|
||||||
logic in JSSL_DefaultCertAuthCallback. In this method, the root
|
|
||||||
certificate was incorrectly trusted without being verified to exist in
|
|
||||||
the trust store.
|
|
||||||
|
|
||||||
This patch cleans up the logic in JSSL_verifyCertPKIX and makes it
|
|
||||||
more explicit in addition to fixing the error.
|
|
||||||
|
|
||||||
Fixes CVE-2019-14823
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
---
|
|
||||||
org/mozilla/jss/ssl/common.c | 239 ++++++++++++++++++++---------------
|
|
||||||
1 file changed, 136 insertions(+), 103 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c
|
|
||||||
index 1bbfed45..2db9fda1 100644
|
|
||||||
--- a/org/mozilla/jss/ssl/common.c
|
|
||||||
+++ b/org/mozilla/jss/ssl/common.c
|
|
||||||
@@ -904,7 +904,6 @@ finish:
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Get the trusted anchor for pkix */
|
|
||||||
-
|
|
||||||
CERTCertificate *getRoot(CERTCertificate *cert,
|
|
||||||
SECCertUsage certUsage)
|
|
||||||
{
|
|
||||||
@@ -938,79 +937,84 @@ finish:
|
|
||||||
return root;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/* Verify a cert using explicit PKIX call.
|
|
||||||
- * For now only used in OCSP AIA context.
|
|
||||||
- * The result of this call will be a full chain
|
|
||||||
- * and leaf network AIA ocsp validation.
|
|
||||||
- * The policy param will be used in the future to
|
|
||||||
- * handle more scenarios.
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
-SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
|
|
||||||
- SECCertificateUsage certificateUsage,secuPWData *pwdata, int ocspPolicy,
|
|
||||||
- CERTVerifyLog *log, SECCertificateUsage *usage)
|
|
||||||
+/* Internal helper for the below call. */
|
|
||||||
+static SECStatus
|
|
||||||
+JSSL_verifyCertPKIXInternal(CERTCertificate *cert,
|
|
||||||
+ SECCertificateUsage certificateUsage, secuPWData *pwdata, int ocspPolicy,
|
|
||||||
+ CERTVerifyLog *log, SECCertificateUsage *usage,
|
|
||||||
+ CERTCertList *trustedCertList)
|
|
||||||
{
|
|
||||||
-
|
|
||||||
- /* put the first set of possible flags internally here first */
|
|
||||||
- /* later there could be a more complete list to choose from */
|
|
||||||
- /* support our hard core fetch aia ocsp policy for now */
|
|
||||||
-
|
|
||||||
- static PRUint64 ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
|
|
||||||
+ /* Put the first set of possible flags internally here first. Later
|
|
||||||
+ * there could be a more complete list to choose from; for now we only
|
|
||||||
+ * support our hard core fetch AIA OCSP policy. Note that we disable
|
|
||||||
+ * CRL fetching as Dogtag doesn't support it. Additionally, enable OCSP
|
|
||||||
+ * checking on the chained CA certificates. Since NSS/PKIX's
|
|
||||||
+ * CERT_GetClassicOCSPEnabledHardFailurePolicy doesn't do what we want,
|
|
||||||
+ * we construct the policy ourselves. */
|
|
||||||
+ PRUint64 ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
|
|
||||||
/* crl */
|
|
||||||
- 0,
|
|
||||||
+ CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD,
|
|
||||||
/* ocsp */
|
|
||||||
CERT_REV_M_TEST_USING_THIS_METHOD |
|
|
||||||
- CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
|
|
||||||
+ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
|
|
||||||
};
|
|
||||||
|
|
||||||
- static PRUint64 ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
|
|
||||||
+ PRUint64 ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
|
|
||||||
/* crl */
|
|
||||||
- 0,
|
|
||||||
+ CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD,
|
|
||||||
/* ocsp */
|
|
||||||
CERT_REV_M_TEST_USING_THIS_METHOD |
|
|
||||||
- CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
|
|
||||||
+ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
|
|
||||||
};
|
|
||||||
|
|
||||||
- static CERTRevocationMethodIndex
|
|
||||||
- ocsp_Enabled_Hard_Policy_Method_Preference = {
|
|
||||||
- cert_revocation_method_ocsp
|
|
||||||
- };
|
|
||||||
-
|
|
||||||
- static CERTRevocationFlags ocsp_Enabled_Hard_Policy = {
|
|
||||||
- { /* leafTests */
|
|
||||||
- 2,
|
|
||||||
- ocsp_Enabled_Hard_Policy_LeafFlags,
|
|
||||||
- 1,
|
|
||||||
- &ocsp_Enabled_Hard_Policy_Method_Preference,
|
|
||||||
- 0 },
|
|
||||||
- { /* chainTests */
|
|
||||||
- 2,
|
|
||||||
- ocsp_Enabled_Hard_Policy_ChainFlags,
|
|
||||||
- 1,
|
|
||||||
- &ocsp_Enabled_Hard_Policy_Method_Preference,
|
|
||||||
- 0 }
|
|
||||||
+ CERTRevocationMethodIndex ocsp_Enabled_Hard_Policy_Method_Preference[1] = {
|
|
||||||
+ cert_revocation_method_ocsp
|
|
||||||
};
|
|
||||||
|
|
||||||
- /* for future expansion */
|
|
||||||
+ CERTRevocationFlags ocsp_Enabled_Hard_Policy = {
|
|
||||||
+ /* CERTRevocationTests - leafTests */
|
|
||||||
+ {
|
|
||||||
+ /* number_of_defined_methods */
|
|
||||||
+ 2,
|
|
||||||
+ /* cert_rev_flags_per_method */
|
|
||||||
+ ocsp_Enabled_Hard_Policy_LeafFlags,
|
|
||||||
+ /* number_of_preferred_methods */
|
|
||||||
+ 1,
|
|
||||||
+ /* preferred_methods */
|
|
||||||
+ ocsp_Enabled_Hard_Policy_Method_Preference,
|
|
||||||
+ /* cert_rev_method_independent_flags */
|
|
||||||
+ 0
|
|
||||||
+ },
|
|
||||||
+ /* CERTRevocationTests - chainTests */
|
|
||||||
+ {
|
|
||||||
+ /* number_of_defined_methods */
|
|
||||||
+ 2,
|
|
||||||
+ /* cert_rev_flags_per_method */
|
|
||||||
+ ocsp_Enabled_Hard_Policy_ChainFlags,
|
|
||||||
+ /* number_of_preferred_methods */
|
|
||||||
+ 1,
|
|
||||||
+ /* preferred_methods */
|
|
||||||
+ ocsp_Enabled_Hard_Policy_Method_Preference,
|
|
||||||
+ /* cert_rev_method_independent_flags */
|
|
||||||
+ 0
|
|
||||||
+ }
|
|
||||||
+ };
|
|
||||||
|
|
||||||
- CERTValOutParam cvout[20] = {{0}};
|
|
||||||
- CERTValInParam cvin[20] = {{0}};
|
|
||||||
+ /* The size of these objects are defined here based upon maximum possible
|
|
||||||
+ * inputs. A dynamic allocation could reallocate based upon actual usage,
|
|
||||||
+ * however this would affect the size by at most one or two. Note that,
|
|
||||||
+ * due to the required usage of cert_pi_end/cert_po_end, these sizes are
|
|
||||||
+ * inflated by one. */
|
|
||||||
+ CERTValOutParam cvout[3] = {{0}};
|
|
||||||
+ CERTValInParam cvin[6] = {{0}};
|
|
||||||
|
|
||||||
+ int usageIndex = -1;
|
|
||||||
int inParamIndex = 0;
|
|
||||||
int outParamIndex = 0;
|
|
||||||
- CERTRevocationFlags *rev = NULL;
|
|
||||||
-
|
|
||||||
- CERTCertList *trustedCertList = NULL;
|
|
||||||
-
|
|
||||||
- PRBool fetchCerts = PR_FALSE;
|
|
||||||
|
|
||||||
- SECCertUsage certUsage = certUsageSSLClient /* 0 */;
|
|
||||||
-
|
|
||||||
SECStatus res = SECFailure;
|
|
||||||
|
|
||||||
- CERTCertificate *root = NULL;
|
|
||||||
-
|
|
||||||
- if(cert == NULL) {
|
|
||||||
+ if (cert == NULL) {
|
|
||||||
goto finish;
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1018,93 +1022,122 @@ SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
|
|
||||||
goto finish;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* Force the strict ocsp network check on chain
|
|
||||||
- and leaf.
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
- fetchCerts = PR_TRUE;
|
|
||||||
- rev = &ocsp_Enabled_Hard_Policy;
|
|
||||||
-
|
|
||||||
- /* fetch aia over net */
|
|
||||||
-
|
|
||||||
+ /* Enable live AIA fetching over the network. */
|
|
||||||
cvin[inParamIndex].type = cert_pi_useAIACertFetch;
|
|
||||||
- cvin[inParamIndex].value.scalar.b = fetchCerts;
|
|
||||||
- inParamIndex++;
|
|
||||||
-
|
|
||||||
- /* time */
|
|
||||||
+ cvin[inParamIndex].value.scalar.b = PR_TRUE;
|
|
||||||
+ inParamIndex++;
|
|
||||||
|
|
||||||
+ /* By setting the time to zero, we choose the current time when the
|
|
||||||
+ * check is performed. */
|
|
||||||
cvin[inParamIndex].type = cert_pi_date;
|
|
||||||
- cvin[inParamIndex].value.scalar.time = PR_Now();
|
|
||||||
+ cvin[inParamIndex].value.scalar.time = 0;
|
|
||||||
inParamIndex++;
|
|
||||||
|
|
||||||
- /* flags */
|
|
||||||
-
|
|
||||||
+ /* Force the strict OCSP check on both the leaf and its chain. */
|
|
||||||
cvin[inParamIndex].type = cert_pi_revocationFlags;
|
|
||||||
- cvin[inParamIndex].value.pointer.revocation = rev;
|
|
||||||
+ cvin[inParamIndex].value.pointer.revocation = &ocsp_Enabled_Hard_Policy;
|
|
||||||
inParamIndex++;
|
|
||||||
|
|
||||||
- /* establish trust anchor */
|
|
||||||
-
|
|
||||||
- /* We need to convert the SECCertificateUsage to a SECCertUsage to obtain
|
|
||||||
- * the root.
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
- SECCertificateUsage testUsage = certificateUsage;
|
|
||||||
- while (0 != (testUsage = testUsage >> 1)) { certUsage++; }
|
|
||||||
-
|
|
||||||
- root = getRoot(cert,certUsage);
|
|
||||||
-
|
|
||||||
- /* Try to add the root as the trust anchor so all the
|
|
||||||
- other memebers of the ca chain will get validated.
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
- if( root != NULL ) {
|
|
||||||
- trustedCertList = CERT_NewCertList();
|
|
||||||
- CERT_AddCertToListTail(trustedCertList, root);
|
|
||||||
-
|
|
||||||
+ /* Establish a trust anchor if it is passed to us. NOTE: this trust anchor
|
|
||||||
+ * must previously be validated before it is passed to us here. */
|
|
||||||
+ if (trustedCertList != NULL) {
|
|
||||||
cvin[inParamIndex].type = cert_pi_trustAnchors;
|
|
||||||
cvin[inParamIndex].value.pointer.chain = trustedCertList;
|
|
||||||
-
|
|
||||||
inParamIndex++;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Done establishing input parameters. */
|
|
||||||
cvin[inParamIndex].type = cert_pi_end;
|
|
||||||
|
|
||||||
- if(log != NULL) {
|
|
||||||
+ /* When we need to log rationale for failure, pass it as an output
|
|
||||||
+ * parameter. */
|
|
||||||
+ if (log != NULL) {
|
|
||||||
cvout[outParamIndex].type = cert_po_errorLog;
|
|
||||||
cvout[outParamIndex].value.pointer.log = log;
|
|
||||||
outParamIndex ++;
|
|
||||||
}
|
|
||||||
|
|
||||||
- int usageIndex = 0;
|
|
||||||
- if(usage != NULL) {
|
|
||||||
+ /* When we need to inquire about the resulting certificate usage, pass it
|
|
||||||
+ * here. */
|
|
||||||
+ if (usage != NULL) {
|
|
||||||
usageIndex = outParamIndex;
|
|
||||||
cvout[outParamIndex].type = cert_po_usages;
|
|
||||||
cvout[outParamIndex].value.scalar.usages = 0;
|
|
||||||
outParamIndex ++;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Done establishing output parameters. */
|
|
||||||
cvout[outParamIndex].type = cert_po_end;
|
|
||||||
|
|
||||||
+ /* Call into NSS's PKIX library to validate our certificate. */
|
|
||||||
res = CERT_PKIXVerifyCert(cert, certificateUsage, cvin, cvout, &pwdata);
|
|
||||||
|
|
||||||
finish:
|
|
||||||
- /* clean up any trusted cert list */
|
|
||||||
-
|
|
||||||
+ /* Clean up any certificates in the trusted certificate list. This was
|
|
||||||
+ * a passed input parameter, but by taking ownership of it and clearing it,
|
|
||||||
+ * we enable tail calls to this function. */
|
|
||||||
if (trustedCertList) {
|
|
||||||
+ /* CERT_DestroyCertList destroys interior certs for us. */
|
|
||||||
CERT_DestroyCertList(trustedCertList);
|
|
||||||
trustedCertList = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* CERT_DestroyCertList destroys interior certs for us. */
|
|
||||||
-
|
|
||||||
- if(root) {
|
|
||||||
- root = NULL;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- if(res == SECSuccess && usage) {
|
|
||||||
+ if (res == SECSuccess && usage && usageIndex != -1) {
|
|
||||||
*usage = cvout[usageIndex].value.scalar.usages;
|
|
||||||
}
|
|
||||||
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+/* Verify a cert using an explicit PKIX call. For now only perform this call
|
|
||||||
+ * when the OCSP policy is set to leaf and chain. Performs a blocking, online
|
|
||||||
+ * OCSP status refresh. The result of this call will be a full-chain OCSP
|
|
||||||
+ * validation.
|
|
||||||
+ *
|
|
||||||
+ * In the future, we'll use ocspPolicy to condition around additional policies
|
|
||||||
+ * and handle them all with this method (and a call to PKIX).
|
|
||||||
+ *
|
|
||||||
+ * Note that this currently requires the certificate to be added directly
|
|
||||||
+ * to the NSS DB. We can't otherwise validate against root certificates in
|
|
||||||
+ * the default NSS DB.
|
|
||||||
+ */
|
|
||||||
+SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
|
|
||||||
+ SECCertificateUsage certificateUsage, secuPWData *pwdata, int ocspPolicy,
|
|
||||||
+ CERTVerifyLog *log, SECCertificateUsage *usage)
|
|
||||||
+{
|
|
||||||
+ SECCertUsage certUsage = certUsageSSLClient /* 0 */;
|
|
||||||
+
|
|
||||||
+ /* We need to convert the SECCertificateUsage to a SECCertUsage to obtain
|
|
||||||
+ * the root.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+ SECCertificateUsage testUsage = certificateUsage;
|
|
||||||
+ while (0 != (testUsage = testUsage >> 1)) { certUsage++; }
|
|
||||||
+
|
|
||||||
+ CERTCertificate *root = getRoot(cert, certUsage);
|
|
||||||
+
|
|
||||||
+ // Two cases: either the root is present, or it isn't.
|
|
||||||
+ if (root == NULL) {
|
|
||||||
+ /* In this case, we've had a hard time finding the root. In all
|
|
||||||
+ * likelihood, the following call will fail to validate the end cert
|
|
||||||
+ * as well and thus fail to validate. I don't believe there's a risk
|
|
||||||
+ * in trying it however. */
|
|
||||||
+ return JSSL_verifyCertPKIXInternal(cert, certificateUsage, pwdata,
|
|
||||||
+ ocspPolicy, log, usage, NULL);
|
|
||||||
+ } else {
|
|
||||||
+ /* In this case, we've found the root certificate. Before passing it
|
|
||||||
+ * to the leaf, explicitly validate it with strict OCSP checking. Then
|
|
||||||
+ * validate the leaf certificate with a known and trusted root
|
|
||||||
+ * certificate. */
|
|
||||||
+ SECStatus ret = JSSL_verifyCertPKIXInternal(root, certificateUsageSSLCA,
|
|
||||||
+ pwdata, ocspPolicy, log, usage, NULL);
|
|
||||||
+ if (ret != SECSuccess) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ CERTCertList *rootList = CERT_NewCertList();
|
|
||||||
+ CERT_AddCertToListTail(rootList, root);
|
|
||||||
+ return JSSL_verifyCertPKIXInternal(cert, certificateUsage, pwdata,
|
|
||||||
+ ocspPolicy, log, usage, rootList);
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
--
|
|
||||||
2.21.0
|
|
||||||
|
|
112
SOURCES/0004-Remove-token-key-checks.patch
Normal file
112
SOURCES/0004-Remove-token-key-checks.patch
Normal file
@ -0,0 +1,112 @@
|
|||||||
|
From a3a91a8e85d7f05de3c85b0ae6ad1c80cf7c5b55 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
Date: Tue, 17 Mar 2020 12:54:49 -0400
|
||||||
|
Subject: [PATCH 1/2] Remove token key checks
|
||||||
|
|
||||||
|
Previously we enforced strict token key matching: the primary key used
|
||||||
|
for the operation must strictly reside on the current PKCS#11 token,
|
||||||
|
otherwise JSS would bail. However, NSS has the ability to move the key
|
||||||
|
to whichever token best supports the given operation. This means that
|
||||||
|
we'd prematurely bail when the operation would succeed if it were
|
||||||
|
actually executed. By removing these checks, we still leave the ability
|
||||||
|
to generate keys on a specific token, we just allow them to be used on
|
||||||
|
whatever token supports the given operation (and the key is allowed to
|
||||||
|
be moved to).
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||||
|
---
|
||||||
|
org/mozilla/jss/pkcs11/PK11Cipher.java | 4 ----
|
||||||
|
org/mozilla/jss/pkcs11/PK11KeyWrapper.java | 22 -------------------
|
||||||
|
org/mozilla/jss/pkcs11/PK11MessageDigest.java | 7 ------
|
||||||
|
3 files changed, 33 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/org/mozilla/jss/pkcs11/PK11Cipher.java b/org/mozilla/jss/pkcs11/PK11Cipher.java
|
||||||
|
index 81b600a4..aac411a4 100644
|
||||||
|
--- a/org/mozilla/jss/pkcs11/PK11Cipher.java
|
||||||
|
+++ b/org/mozilla/jss/pkcs11/PK11Cipher.java
|
||||||
|
@@ -262,10 +262,6 @@ public final class PK11Cipher extends org.mozilla.jss.crypto.Cipher {
|
||||||
|
if( key==null ) {
|
||||||
|
throw new InvalidKeyException("Key is null");
|
||||||
|
}
|
||||||
|
- if( ! key.getOwningToken().equals(token) ) {
|
||||||
|
- throw new InvalidKeyException("Key does not reside on the "+
|
||||||
|
- "current token");
|
||||||
|
- }
|
||||||
|
if( ! (key instanceof PK11SymKey) ) {
|
||||||
|
throw new InvalidKeyException("Key is not a PKCS #11 key");
|
||||||
|
}
|
||||||
|
diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
|
||||||
|
index 28840a87..eee2984d 100644
|
||||||
|
--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
|
||||||
|
+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
|
||||||
|
@@ -168,10 +168,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
|
||||||
|
throw new InvalidKeyException("Key is null");
|
||||||
|
}
|
||||||
|
try {
|
||||||
|
- if( ! key.getOwningToken().equals(token) ) {
|
||||||
|
- throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
|
||||||
|
- key.getOwningToken().getName());
|
||||||
|
- }
|
||||||
|
if( ! (key instanceof PK11SymKey) ) {
|
||||||
|
throw new InvalidKeyException("Key is not a PKCS #11 key");
|
||||||
|
}
|
||||||
|
@@ -196,10 +192,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
|
||||||
|
if( key==null ) {
|
||||||
|
throw new InvalidKeyException("Key is null");
|
||||||
|
}
|
||||||
|
- if( ! key.getOwningToken().equals(token) ) {
|
||||||
|
- throw new InvalidKeyException("Key does not reside on the "+
|
||||||
|
- "current token");
|
||||||
|
- }
|
||||||
|
if( ! (key instanceof PK11PrivKey) ) {
|
||||||
|
throw new InvalidKeyException("Key is not a PKCS #11 key");
|
||||||
|
}
|
||||||
|
@@ -299,13 +291,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
|
||||||
|
throw new InvalidKeyException("key to be wrapped is not a "+
|
||||||
|
"PKCS #11 key");
|
||||||
|
}
|
||||||
|
-/* NSS is capable of moving keys appropriately,
|
||||||
|
- so this call is prematurely bailing
|
||||||
|
- if( ! symKey.getOwningToken().equals(token) ) {
|
||||||
|
- throw new InvalidKeyException("key to be wrapped does not live"+
|
||||||
|
- " on the same token as the wrapping key");
|
||||||
|
- }
|
||||||
|
-*/
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
@@ -320,13 +305,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
|
||||||
|
throw new InvalidKeyException("key to be wrapped is not a "+
|
||||||
|
"PKCS #11 key");
|
||||||
|
}
|
||||||
|
-/* NSS is capable of moving keys appropriately,
|
||||||
|
- so this call is prematurely bailing
|
||||||
|
- if( ! privKey.getOwningToken().equals(token) ) {
|
||||||
|
- throw new InvalidKeyException("key to be wrapped does not live"+
|
||||||
|
- " on the same token as the wrapping key");
|
||||||
|
- }
|
||||||
|
-*/
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
diff --git a/org/mozilla/jss/pkcs11/PK11MessageDigest.java b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
|
||||||
|
index cd732788..7a1a6dad 100644
|
||||||
|
--- a/org/mozilla/jss/pkcs11/PK11MessageDigest.java
|
||||||
|
+++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
|
||||||
|
@@ -47,13 +47,6 @@ public final class PK11MessageDigest extends JSSMessageDigest {
|
||||||
|
}
|
||||||
|
|
||||||
|
hmacKey = (PK11SymKey) key;
|
||||||
|
-
|
||||||
|
- if( ! key.getOwningToken().equals(token) ) {
|
||||||
|
- hmacKey = null;
|
||||||
|
- throw new InvalidKeyException(
|
||||||
|
- "HMAC key does not live on the same token as this digest");
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
this.digestProxy = initHMAC(token, alg, hmacKey);
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.25.1
|
||||||
|
|
@ -1,91 +0,0 @@
|
|||||||
From 7d1c481e947edf0786223ef43a359c8d5771a214 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
Date: Wed, 28 Aug 2019 09:23:41 -0400
|
|
||||||
Subject: [PATCH 1/3] Add helper to run a single test case
|
|
||||||
|
|
||||||
run_test.sh.in is templated by CMake to build/run_test.sh, fully
|
|
||||||
configured to your test execution environment. In particular, it writes
|
|
||||||
the classpath and loads the JSS native library.
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
---
|
|
||||||
cmake/JSSConfig.cmake | 29 +++++++++++++++++++----------
|
|
||||||
tools/run_test.sh.in | 15 +++++++++++++++
|
|
||||||
2 files changed, 34 insertions(+), 10 deletions(-)
|
|
||||||
create mode 100755 tools/run_test.sh.in
|
|
||||||
|
|
||||||
diff --git a/cmake/JSSConfig.cmake b/cmake/JSSConfig.cmake
|
|
||||||
index 27b2a9bf..6295a6e3 100644
|
|
||||||
--- a/cmake/JSSConfig.cmake
|
|
||||||
+++ b/cmake/JSSConfig.cmake
|
|
||||||
@@ -13,6 +13,9 @@ macro(jss_config)
|
|
||||||
|
|
||||||
# Configure java-related flags
|
|
||||||
jss_config_java()
|
|
||||||
+
|
|
||||||
+ # Template auto-generated files
|
|
||||||
+ jss_config_template()
|
|
||||||
endmacro()
|
|
||||||
|
|
||||||
macro(jss_config_version MAJOR MINOR PATCH BETA)
|
|
||||||
@@ -45,16 +48,6 @@ macro(jss_config_version MAJOR MINOR PATCH BETA)
|
|
||||||
set(JSS_VERSION "${JSS_VERSION} beta ${JSS_VERSION_BETA}")
|
|
||||||
set(JSS_VERSION_STR "${JSS_VERSION_STR}_b${JSS_VERSION_BETA}")
|
|
||||||
endif()
|
|
||||||
-
|
|
||||||
- # Template files
|
|
||||||
- configure_file(
|
|
||||||
- "${PROJECT_SOURCE_DIR}/org/mozilla/jss/util/jssver.h.in"
|
|
||||||
- "${PROJECT_SOURCE_DIR}/org/mozilla/jss/util/jssver.h"
|
|
||||||
- )
|
|
||||||
- configure_file(
|
|
||||||
- "${PROJECT_SOURCE_DIR}/lib/MANIFEST.MF.in"
|
|
||||||
- "${CMAKE_BINARY_DIR}/MANIFEST.MF"
|
|
||||||
- )
|
|
||||||
endmacro()
|
|
||||||
|
|
||||||
macro(jss_config_outputs)
|
|
||||||
@@ -326,3 +319,19 @@ macro(jss_config_java)
|
|
||||||
math(EXPR JSS_TEST_PORT_CLIENTAUTH ${JSS_BASE_PORT}+0)
|
|
||||||
math(EXPR JSS_TEST_PORT_CLIENTAUTH_FIPS ${JSS_BASE_PORT}+1)
|
|
||||||
endmacro()
|
|
||||||
+
|
|
||||||
+macro(jss_config_template)
|
|
||||||
+ # Template files
|
|
||||||
+ configure_file(
|
|
||||||
+ "${PROJECT_SOURCE_DIR}/org/mozilla/jss/util/jssver.h.in"
|
|
||||||
+ "${PROJECT_SOURCE_DIR}/org/mozilla/jss/util/jssver.h"
|
|
||||||
+ )
|
|
||||||
+ configure_file(
|
|
||||||
+ "${PROJECT_SOURCE_DIR}/lib/MANIFEST.MF.in"
|
|
||||||
+ "${CMAKE_BINARY_DIR}/MANIFEST.MF"
|
|
||||||
+ )
|
|
||||||
+ configure_file(
|
|
||||||
+ "${PROJECT_SOURCE_DIR}/tools/run_test.sh.in"
|
|
||||||
+ "${CMAKE_BINARY_DIR}/run_test.sh"
|
|
||||||
+ )
|
|
||||||
+endmacro()
|
|
||||||
diff --git a/tools/run_test.sh.in b/tools/run_test.sh.in
|
|
||||||
new file mode 100755
|
|
||||||
index 00000000..60233c05
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tools/run_test.sh.in
|
|
||||||
@@ -0,0 +1,15 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+# This utility gets templated to build/run_test.sh to help with running a
|
|
||||||
+# single test after building JSS. This gives the caller more flexibility
|
|
||||||
+# with command line arguments and ensures that the correct build artifacts
|
|
||||||
+# get used.
|
|
||||||
+
|
|
||||||
+export LD_LIBRARY_PATH="${CMAKE_BINARY_DIR}"
|
|
||||||
+
|
|
||||||
+if [ "$1" == "--gdb" ]; then
|
|
||||||
+ shift
|
|
||||||
+ gdb --args "${Java_JAVA_EXECUTABLE}" -classpath "${TEST_CLASSPATH}" -ea -Djava.library.path="${CMAKE_BINARY_DIR}" "$@"
|
|
||||||
+else
|
|
||||||
+ "${Java_JAVA_EXECUTABLE}" -classpath "${TEST_CLASSPATH}" -ea -Djava.library.path="${CMAKE_BINARY_DIR}" "$@"
|
|
||||||
+fi
|
|
||||||
--
|
|
||||||
2.21.0
|
|
||||||
|
|
@ -1,59 +0,0 @@
|
|||||||
From 61985f642b0b5cc75fc3f254ef6c99aeb56acbe2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
Date: Thu, 29 Aug 2019 16:14:08 -0400
|
|
||||||
Subject: [PATCH 2/3] Add script to add common root CAs
|
|
||||||
|
|
||||||
When given an NSS DB, common_roots.sh uses the trust command to extract
|
|
||||||
the root CAs trusted by the local system and add them to said NSS DB.
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
---
|
|
||||||
tools/common_roots.sh | 36 ++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 36 insertions(+)
|
|
||||||
create mode 100755 tools/common_roots.sh
|
|
||||||
|
|
||||||
diff --git a/tools/common_roots.sh b/tools/common_roots.sh
|
|
||||||
new file mode 100755
|
|
||||||
index 00000000..97341c4c
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tools/common_roots.sh
|
|
||||||
@@ -0,0 +1,36 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+
|
|
||||||
+# This script reads the contents of the OS CA bundle store,
|
|
||||||
+# /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
|
|
||||||
+# and places the contained CAs into the specified NSS DB.
|
|
||||||
+#
|
|
||||||
+# This NSS DB is used by various JSS tests that aren't enabled
|
|
||||||
+# by default because they require an active internet connection.
|
|
||||||
+
|
|
||||||
+nssdb="$1"
|
|
||||||
+
|
|
||||||
+if [ -z "$nssdb" ] && [ -e "build" ]; then
|
|
||||||
+ nssdb="build/results/cadb"
|
|
||||||
+elif [ -z "$nssdb" ] && [ -e "../build" ]; then
|
|
||||||
+ nssdb="../build/results/cadb"
|
|
||||||
+else
|
|
||||||
+ echo "Must provide path to NSS DB!" 1>&2
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+if [ -e "$nssdb" ]; then
|
|
||||||
+ rm -rf "$nssdb"
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+mkdir -p "$nssdb"
|
|
||||||
+echo "" > "$nssdb/password.txt"
|
|
||||||
+certutil -N -d "$nssdb" -f "$nssdb/password.txt"
|
|
||||||
+
|
|
||||||
+trust extract --format=pem-bundle --filter=ca-anchors "$nssdb/complete.pem"
|
|
||||||
+
|
|
||||||
+# From: https://serverfault.com/questions/391396/how-to-split-a-pem-file
|
|
||||||
+csplit -f "$nssdb/individual-" "$nssdb/complete.pem" '/-----BEGIN CERTIFICATE-----/' '{*}'
|
|
||||||
+
|
|
||||||
+for cert in "$nssdb"/individual*; do
|
|
||||||
+ certutil -A -a -i "$cert" -n "$cert" -t CT,C,C -d "$nssdb" -f "$nssdb/password.txt"
|
|
||||||
+done
|
|
||||||
--
|
|
||||||
2.21.0
|
|
||||||
|
|
@ -1,233 +0,0 @@
|
|||||||
From 7b4c0fa04f5e4469fc8bc442c9f12f975c5e1610 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
Date: Wed, 28 Aug 2019 09:23:41 -0400
|
|
||||||
Subject: [PATCH 3/3] Add optional test case against badssl.com
|
|
||||||
|
|
||||||
badssl.com maintains a number of subdomains with valid and invalid TLS
|
|
||||||
configurations. A number of these test certificates which fail in
|
|
||||||
certain scenarios (revoked, expired, etc). Add a test runner which
|
|
||||||
validates SSLSocket's implementation against badssl.com.
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
|
||||||
---
|
|
||||||
org/mozilla/jss/tests/BadSSL.java | 208 ++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 208 insertions(+)
|
|
||||||
create mode 100644 org/mozilla/jss/tests/BadSSL.java
|
|
||||||
|
|
||||||
diff --git a/org/mozilla/jss/tests/BadSSL.java b/org/mozilla/jss/tests/BadSSL.java
|
|
||||||
new file mode 100644
|
|
||||||
index 00000000..60bfe820
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/org/mozilla/jss/tests/BadSSL.java
|
|
||||||
@@ -0,0 +1,208 @@
|
|
||||||
+package org.mozilla.jss.tests;
|
|
||||||
+
|
|
||||||
+import org.mozilla.jss.CryptoManager;
|
|
||||||
+
|
|
||||||
+import org.mozilla.jss.ssl.SSLSocket;
|
|
||||||
+import org.mozilla.jss.ssl.SSLSocketException;
|
|
||||||
+
|
|
||||||
+import org.mozilla.jss.util.NativeErrcodes;
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * The BadSSL test case maintains an internal mapping from badssl.com
|
|
||||||
+ * subdomains to expected exceptions and validates they occur.
|
|
||||||
+ *
|
|
||||||
+ * Since badssl.com offers no guaranteed SLA or availability, we likely
|
|
||||||
+ * shouldn't add this site to automated tests.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+public class BadSSL {
|
|
||||||
+ public static void main(String[] args) throws Exception {
|
|
||||||
+ boolean ocsp = false;
|
|
||||||
+
|
|
||||||
+ if (args.length < 1) {
|
|
||||||
+ System.out.println("Usage: BadSSL nssdb [LEAF_AND_CHAIN]");
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (args.length >= 2 && args[1].equals("LEAF_AND_CHAIN")) {
|
|
||||||
+ System.out.println("Enabling leaf and chain policy...");
|
|
||||||
+ ocsp = true;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ CryptoManager.initialize(args[0]);
|
|
||||||
+ CryptoManager cm = CryptoManager.getInstance();
|
|
||||||
+
|
|
||||||
+ if (ocsp) {
|
|
||||||
+ cm.setOCSPPolicy(CryptoManager.OCSPPolicy.LEAF_AND_CHAIN);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+ // Test cases which should fail due to various certificate errors.
|
|
||||||
+ testExpired();
|
|
||||||
+ testWrongHost();
|
|
||||||
+ testSelfSigned();
|
|
||||||
+ testUntrustedRoot();
|
|
||||||
+
|
|
||||||
+ // The following test cases depend on crypto-policies or local NSS
|
|
||||||
+ // configuration.
|
|
||||||
+ testSHA1();
|
|
||||||
+ testRC4MD5();
|
|
||||||
+ testRC4();
|
|
||||||
+ test3DES();
|
|
||||||
+ testNULL();
|
|
||||||
+
|
|
||||||
+ // The following test cases depend on OCSP being enabled.
|
|
||||||
+ if (ocsp) {
|
|
||||||
+ testRevoked();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // Test cases which should pass given the correct root certs.
|
|
||||||
+ testSHA256();
|
|
||||||
+ testSHA384();
|
|
||||||
+ testSHA512();
|
|
||||||
+
|
|
||||||
+ testECC256();
|
|
||||||
+ testECC384();
|
|
||||||
+
|
|
||||||
+ testRSA2048();
|
|
||||||
+ testRSA4096();
|
|
||||||
+ testRSA8192();
|
|
||||||
+
|
|
||||||
+ testExtendedValidation();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Test cases whose handshakes should fail below. */
|
|
||||||
+
|
|
||||||
+ public static void testExpired() throws Exception {
|
|
||||||
+ testHelper("expired.badssl.com", 443, new String[]{ "(-8181)", "has expired" });
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testWrongHost() throws Exception {
|
|
||||||
+ testHelper("wrong.host.badssl.com", 443, new String[]{ "(-12276)", "domain name does not match" });
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testSelfSigned() throws Exception {
|
|
||||||
+ testHelper("self-signed.badssl.com", 443, new String[]{ "(-8101)", "(-8156)", "type not approved", "issuer certificate is invalid" });
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testUntrustedRoot() throws Exception {
|
|
||||||
+ testHelper("untrusted-root.badssl.com", 443, new String[]{ "(-8172)", "certificate issuer has been marked as not trusted" });
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testRevoked() throws Exception {
|
|
||||||
+ testHelper("revoked.badssl.com", 443, new String[]{ "(-8180)", "has been revoked" });
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testSHA1() throws Exception {
|
|
||||||
+ testHelper("sha1-intermediate.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testRC4MD5() throws Exception {
|
|
||||||
+ testHelper("rc4-md5.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testRC4() throws Exception {
|
|
||||||
+ testHelper("rc4.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void test3DES() throws Exception {
|
|
||||||
+ testHelper("3des.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testNULL() throws Exception {
|
|
||||||
+ testHelper("null.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Test cases which should handshake successfully below. */
|
|
||||||
+
|
|
||||||
+ public static void testSHA256() throws Exception {
|
|
||||||
+ testHelper("sha256.badssl.com", 443);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testSHA384() throws Exception {
|
|
||||||
+ testHelper("sha384.badssl.com", 443);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testSHA512() throws Exception {
|
|
||||||
+ testHelper("sha512.badssl.com", 443);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testECC256() throws Exception {
|
|
||||||
+ testHelper("ecc256.badssl.com", 443);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testECC384() throws Exception {
|
|
||||||
+ testHelper("ecc384.badssl.com", 443);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testRSA2048() throws Exception {
|
|
||||||
+ testHelper("rsa2048.badssl.com", 443);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testRSA4096() throws Exception {
|
|
||||||
+ testHelper("rsa4096.badssl.com", 443);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testRSA8192() throws Exception {
|
|
||||||
+ testHelper("rsa8192.badssl.com", 443);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testExtendedValidation() throws Exception {
|
|
||||||
+ testHelper("extended-validation.badssl.com", 443);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Test case helpers. */
|
|
||||||
+
|
|
||||||
+ public static void testHelper(String host, int port) throws Exception {
|
|
||||||
+ testSite(host, port);
|
|
||||||
+ System.out.println("\t...ok");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testHelper(String host, int port, String[] substrs) throws Exception {
|
|
||||||
+ try {
|
|
||||||
+ testSite(host, port);
|
|
||||||
+ } catch (SSLSocketException sse) {
|
|
||||||
+ String actual = sse.getMessage().toLowerCase();
|
|
||||||
+
|
|
||||||
+ for (String expected : substrs) {
|
|
||||||
+ if (actual.contains(expected.toLowerCase())) {
|
|
||||||
+ System.out.println("\t...got expected error message.");
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ System.err.println("\tUnexpected error message: " + actual);
|
|
||||||
+ throw sse;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ throw new RuntimeException("Expected to get an exception, but didn't!");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testHelper(String host, int port, int[] codes) throws Exception {
|
|
||||||
+ try {
|
|
||||||
+ testSite(host, port);
|
|
||||||
+ } catch (SSLSocketException sse) {
|
|
||||||
+ int actual = sse.getErrcode();
|
|
||||||
+ for (int expected : codes) {
|
|
||||||
+ if (actual == expected) {
|
|
||||||
+ System.out.println("\t...got expected error code.");
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ System.err.println("\tUnexpected error code: " + actual);
|
|
||||||
+ throw sse;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ throw new RuntimeException("Expected to get an exception, but didn't!");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public static void testSite(String host, int port) throws Exception {
|
|
||||||
+ System.out.println("Testing connection to " + host + ":" + port);
|
|
||||||
+ SSLSocket sock = new SSLSocket(host, 443);
|
|
||||||
+ sock.forceHandshake();
|
|
||||||
+ sock.shutdownOutput();
|
|
||||||
+ sock.shutdownInput();
|
|
||||||
+ sock.close();
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
--
|
|
||||||
2.21.0
|
|
||||||
|
|
@ -6,8 +6,8 @@ Summary: Java Security Services (JSS)
|
|||||||
URL: http://www.dogtagpki.org/wiki/JSS
|
URL: http://www.dogtagpki.org/wiki/JSS
|
||||||
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
||||||
|
|
||||||
Version: 4.6.0
|
Version: 4.6.2
|
||||||
Release: 5%{?_timestamp}%{?_commit_id}%{?dist}
|
Release: 4%{?_timestamp}%{?_commit_id}%{?dist}
|
||||||
# global _phase -a1
|
# global _phase -a1
|
||||||
|
|
||||||
# To generate the source tarball:
|
# To generate the source tarball:
|
||||||
@ -25,13 +25,10 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
|
|||||||
# <version tag> \
|
# <version tag> \
|
||||||
# > jss-VERSION-RELEASE.patch
|
# > jss-VERSION-RELEASE.patch
|
||||||
# Patch: jss-VERSION-RELEASE.patch
|
# Patch: jss-VERSION-RELEASE.patch
|
||||||
Patch1: 0001-Disable-buffer-based-tests.patch
|
Patch0: 0001-Fix-NativeProxy-reference-tracker.patch
|
||||||
Patch2: 0002-Support-LD_FLAGS-from-environment.patch
|
Patch1: 0002-Fix-swapped-parameter-names-with-PBE.patch
|
||||||
Patch3: 0003-Remove-legacy-DSA-implementation.patch
|
Patch3: 0003-Use-specified-algorithm-for-KeyWrap.patch
|
||||||
Patch4: 0004-JSS-CVE-2019-14823-fix.patch
|
Patch4: 0004-Remove-token-key-checks.patch
|
||||||
Patch5: 0005-Add-helper-to-run-a-single-test-case.patch
|
|
||||||
Patch6: 0006-Add-script-to-add-common-root-CAs.patch
|
|
||||||
Patch7: 0007-Add-optional-test-case-against-badssl.com.patch
|
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
# Build Dependencies
|
# Build Dependencies
|
||||||
@ -88,7 +85,6 @@ This only works with gcj. Other JREs require that JCE providers be signed.
|
|||||||
################################################################################
|
################################################################################
|
||||||
|
|
||||||
Summary: Java Security Services (JSS) Javadocs
|
Summary: Java Security Services (JSS) Javadocs
|
||||||
Group: Documentation
|
|
||||||
Requires: jss = %{version}-%{release}
|
Requires: jss = %{version}-%{release}
|
||||||
|
|
||||||
%description javadoc
|
%description javadoc
|
||||||
@ -113,6 +109,9 @@ export BUILD_OPT=1
|
|||||||
CFLAGS="-g $RPM_OPT_FLAGS"
|
CFLAGS="-g $RPM_OPT_FLAGS"
|
||||||
export CFLAGS
|
export CFLAGS
|
||||||
|
|
||||||
|
# Check if we're in FIPS mode
|
||||||
|
modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
|
||||||
|
|
||||||
# The Makefile is not thread-safe
|
# The Makefile is not thread-safe
|
||||||
rm -rf build && mkdir -p build && cd build
|
rm -rf build && mkdir -p build && cd build
|
||||||
%cmake \
|
%cmake \
|
||||||
@ -164,14 +163,24 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
|
|||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Mar 23 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-4
|
||||||
|
- Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing
|
||||||
|
|
||||||
|
* Mon Mar 02 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-3
|
||||||
|
- Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing
|
||||||
|
|
||||||
|
* Tue Oct 29 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-2
|
||||||
|
- Red Hat Bugzilla #1730767 - JSS: Wrap NSS CMAC + KDF implementations
|
||||||
|
- Rebased to JSS 4.6.2
|
||||||
|
|
||||||
* Wed Sep 11 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-5
|
* Wed Sep 11 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-5
|
||||||
- Bugzilla #1747987 - CVE 2019-14823 jss: OCSP policy "Leaf and Chain" implicitly trusts the root certificate
|
- Red Hat Bugzilla #1747987 - CVE 2019-14823 jss: OCSP policy "Leaf and Chain" implicitly trusts the root certificate
|
||||||
|
|
||||||
* Wed Aug 14 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-4
|
* Wed Aug 14 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-4
|
||||||
- Red Hat Bugzilla #1698059 - pki-core implements crypto
|
- Red Hat Bugzilla #1698059 - pki-core implements crypto
|
||||||
|
|
||||||
* Tue Jul 16 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-3
|
* Tue Jul 16 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-3
|
||||||
- Red Hat Bugilla #1721135 - JSS - LD_FLAGS support
|
- Red Hat Bugzilla #1721135 - JSS - LD_FLAGS support
|
||||||
|
|
||||||
* Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-2
|
* Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-2
|
||||||
- Minor updates to release
|
- Minor updates to release
|
||||||
|
Loading…
Reference in New Issue
Block a user