import jss-4.6.2-4.module+el8.2.0+6123+b4678599

This commit is contained in:
CentOS Sources 2020-04-28 04:54:21 -04:00 committed by Andrew Lukoshko
parent d4767398bf
commit c4f7185131
14 changed files with 328 additions and 3050 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/jss-4.6.0.tar.gz SOURCES/jss-4.6.2.tar.gz

View File

@ -1 +1 @@
3d6d2d885129e0d7d8ebac5dfe9055c693a7a9b1 SOURCES/jss-4.6.0.tar.gz 4fea1d770e0882aa9c1c6c493bce9eb579b5c085 SOURCES/jss-4.6.2.tar.gz

View File

@ -1,71 +0,0 @@
From d7d6d769b510118e40d9c0919317665c4c9feb8d Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alexander.m.scheel@gmail.com>
Date: Wed, 12 Jun 2019 17:17:45 -0400
Subject: [PATCH] Disable buffer-based tests
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
---
cmake/JSSTests.cmake | 33 ---------------------------------
1 file changed, 33 deletions(-)
diff --git a/cmake/JSSTests.cmake b/cmake/JSSTests.cmake
index b389be5c..473d7d4d 100644
--- a/cmake/JSSTests.cmake
+++ b/cmake/JSSTests.cmake
@@ -78,24 +78,6 @@ macro(jss_tests)
NAME "BigObjectIdentifier"
COMMAND "org.mozilla.jss.tests.BigObjectIdentifier"
)
- jss_test_java(
- NAME "JSS_Test_PR_FileDesc"
- COMMAND "org.mozilla.jss.tests.TestPRFD"
- )
- jss_test_java(
- NAME "JSS_Test_Raw_SSL"
- COMMAND "org.mozilla.jss.tests.TestRawSSL" "${RESULTS_NSSDB_OUTPUT_DIR}"
- DEPENDS "Setup_DBs"
- )
- jss_test_java(
- NAME "JSS_Test_Buffer"
- COMMAND "org.mozilla.jss.tests.TestBuffer"
- )
- jss_test_java(
- NAME "JSS_Test_BufferPRFD"
- COMMAND "org.mozilla.jss.tests.TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
- DEPENDS "List_CA_certs"
- )
if ((${Java_VERSION_MAJOR} EQUAL 1) AND (${Java_VERSION_MINOR} LESS 9))
jss_test_java(
NAME "Test_PKCS11Constants.java_for_Sun_compatibility"
@@ -126,16 +108,6 @@ macro(jss_tests)
NAME "JUnit_UTF8StringTest"
COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.UTF8StringTest"
)
- jss_test_exec(
- NAME "buffer_size_1"
- COMMAND "${BIN_OUTPUT_DIR}/buffer_size_1"
- DEPENDS "generate_c_buffer_size_1"
- )
- jss_test_exec(
- NAME "buffer_size_4"
- COMMAND "${BIN_OUTPUT_DIR}/buffer_size_4"
- DEPENDS "generate_c_buffer_size_4"
- )
jss_test_java(
NAME "JUnit_ChainSortingTest"
COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.ChainSortingTest"
@@ -180,11 +152,6 @@ macro(jss_tests)
COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH}" "50"
DEPENDS "List_CA_certs"
)
- jss_test_exec(
- NAME "TestBufferPRFD"
- COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
- DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
- )
jss_test_java(
NAME "Key_Generation"
COMMAND "org.mozilla.jss.tests.TestKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
--
2.21.0

View File

@ -0,0 +1,53 @@
From 91514ca0a2979ba778d27220ced0cd312e2cd2d2 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 29 Oct 2019 10:43:56 -0400
Subject: [PATCH] Fix NativeProxy reference tracker
In eb5df01003d74b57473eacb84e538d31f5bb06ca, I introduced a bug by
setting mPointer after trying to add NativeProxy to the registry. In
most instances this won't matter, however, if another instance exists in
the HashSet with the same hash value, the equals comparator will be
used, triggering a NPE.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/util/NativeProxy.java | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
index 1c6d1aa5..a0811f76 100644
--- a/org/mozilla/jss/util/NativeProxy.java
+++ b/org/mozilla/jss/util/NativeProxy.java
@@ -40,8 +40,8 @@ public abstract class NativeProxy implements AutoCloseable
*/
public NativeProxy(byte[] pointer) {
assert(pointer!=null);
- registry.add(this);
mPointer = pointer;
+ registry.add(this);
if (saveStacktraces) {
mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
@@ -61,15 +61,12 @@ public abstract class NativeProxy implements AutoCloseable
if( ! (obj instanceof NativeProxy) ) {
return false;
}
- if( ((NativeProxy)obj).mPointer.length != mPointer.length) {
+ if (((NativeProxy)obj).mPointer == null) {
+ /* If mPointer is null, we have no way to compare the values
+ * of the pointers, so assume they're unequal. */
return false;
}
- for(int i=0; i < mPointer.length; i++) {
- if(mPointer[i] != ((NativeProxy)obj).mPointer[i]) {
- return false;
- }
- }
- return true;
+ return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
}
/**
--
2.21.0

View File

@ -0,0 +1,80 @@
From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Feb 2020 14:10:32 -0500
Subject: [PATCH 1/2] Fix swapped parameter names with PBE
Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression
related to extracting the parameter classes during PBE operations:
previously, the classes of the underlying encryption algorithm were
iterated over, instead of the classes of the PBE class itself. However,
this commit iterated over the PBE parameter classes; no PBE algorithm
accepts a IvParameterSpec, resulting in a null parameter passed to the
later encryption or key wrap operation. This resulted in stack traces
like the following:
Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter
at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225)
at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89)
at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57)
at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342)
Resolves: rh-bz#1807371
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/pkcs7/EncryptedContentInfo.java | 2 +-
org/mozilla/jss/pkix/cms/EncryptedContentInfo.java | 2 +-
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
index 084752c3..0344b14d 100644
--- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
+++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals(
javax.crypto.spec.IvParameterSpec.class ) ) {
diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
index a4709070..d85eb0d3 100644
--- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
+++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals( IVParameterSpec.class ) ) {
params = new IVParameterSpec( kg.generatePBE_IV() );
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
index b35714e3..ebd269f3 100644
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) {
params = new IVParameterSpec( kg.generatePBE_IV() );
@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
// generate IV
EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
AlgorithmParameterSpec params=null;
- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
+ Class<?> [] paramClasses = encAlg.getParameterClasses();
for (int i = 0; i < paramClasses.length; i ++) {
if ( paramClasses[i].equals(
javax.crypto.spec.IvParameterSpec.class ) ) {
--
2.24.1

View File

@ -1,39 +0,0 @@
From 731b62d4c456a3e1a70519c24eb0df2c59d943b4 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Mon, 17 Jun 2019 08:48:01 -0400
Subject: [PATCH] Support LD_FLAGS from environment
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
cmake/JSSConfig.cmake | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/cmake/JSSConfig.cmake b/cmake/JSSConfig.cmake
index f045850a..e63dd5fa 100644
--- a/cmake/JSSConfig.cmake
+++ b/cmake/JSSConfig.cmake
@@ -174,6 +174,11 @@ macro(jss_config_ldflags)
list(APPEND JSS_LD_FLAGS "-lpthread")
list(APPEND JSS_LD_FLAGS "-ldl")
+ separate_arguments(PASSED_LD_FLAGS UNIX_COMMAND "${CMAKE_SHARED_LINKER_FLAGS}")
+ foreach(PASSED_LD_FLAG ${PASSED_LD_FLAGS})
+ list(INSERT JSS_LD_FLAGS 0 "${PASSED_LD_FLAG}")
+ endforeach()
+
# This set of flags is specific to building the libjss library.
list(APPEND JSS_LIBRARY_FLAGS "-shared")
list(APPEND JSS_LIBRARY_FLAGS "-Wl,-z,defs")
@@ -181,6 +186,9 @@ macro(jss_config_ldflags)
list(APPEND JSS_LIBRARY_FLAGS "-Wl,${JSS_SO}")
set(JSS_VERSION_SCRIPT "-Wl,--version-script,${PROJECT_SOURCE_DIR}/lib/jss.map")
+
+ message(STATUS "JSS LD FLAGS: ${JSS_LD_FLAGS}")
+ message(STATUS "JSS LIBRARY FLAGS: ${JSS_LIBRARY_FLAGS}")
endmacro()
macro(jss_config_java)
--
2.20.1

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,60 @@
From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Fri, 28 Feb 2020 14:39:29 -0500
Subject: [PATCH 2/2] Use specified algorithm for KeyWrap
When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
called, it would always request DES3_CBC_PAD as the key wrapping
algorithm, regardless of the input PBE key type. However, the other form
(with an implicit token) was correctly handling this case.
Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
instead of having to convert to/from a String form.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/crypto/KeyWrapAlgorithm.java | 5 ++++-
org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
index 3113f614..3a106977 100644
--- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
+++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
+ return fromOID(oid);
+ }
+ public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
if (oid.equals(AES_KEY_WRAP_PAD_OID))
return AES_KEY_WRAP_PAD;
@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
if (oid.equals(DES_CBC_PAD_OID))
return DES_CBC_PAD;
- throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
+ throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
}
}
diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
index ebd269f3..abfc39a7 100644
--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
}
}
- KeyWrapper wrapper = token.getKeyWrapper(
- KeyWrapAlgorithm.DES3_CBC_PAD);
+ // wrap the key
+ KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
wrapper.initWrap(key, params);
byte encrypted[] = wrapper.wrap(pri);
--
2.24.1

View File

@ -1,346 +0,0 @@
From 233795b098a17269f8495fee312fe6df404a236d Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 4 Sep 2019 08:33:14 -0400
Subject: [PATCH] Fix root certificate validation
When the Leaf and Chain OCSP checking policy is enabled in
CryptoManager, JSS will switch to alternative certificate verification
logic in JSSL_DefaultCertAuthCallback. In this method, the root
certificate was incorrectly trusted without being verified to exist in
the trust store.
This patch cleans up the logic in JSSL_verifyCertPKIX and makes it
more explicit in addition to fixing the error.
Fixes CVE-2019-14823
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/ssl/common.c | 239 ++++++++++++++++++++---------------
1 file changed, 136 insertions(+), 103 deletions(-)
diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c
index 1bbfed45..2db9fda1 100644
--- a/org/mozilla/jss/ssl/common.c
+++ b/org/mozilla/jss/ssl/common.c
@@ -904,7 +904,6 @@ finish:
}
/* Get the trusted anchor for pkix */
-
CERTCertificate *getRoot(CERTCertificate *cert,
SECCertUsage certUsage)
{
@@ -938,79 +937,84 @@ finish:
return root;
}
-/* Verify a cert using explicit PKIX call.
- * For now only used in OCSP AIA context.
- * The result of this call will be a full chain
- * and leaf network AIA ocsp validation.
- * The policy param will be used in the future to
- * handle more scenarios.
- */
-
-SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
- SECCertificateUsage certificateUsage,secuPWData *pwdata, int ocspPolicy,
- CERTVerifyLog *log, SECCertificateUsage *usage)
+/* Internal helper for the below call. */
+static SECStatus
+JSSL_verifyCertPKIXInternal(CERTCertificate *cert,
+ SECCertificateUsage certificateUsage, secuPWData *pwdata, int ocspPolicy,
+ CERTVerifyLog *log, SECCertificateUsage *usage,
+ CERTCertList *trustedCertList)
{
-
- /* put the first set of possible flags internally here first */
- /* later there could be a more complete list to choose from */
- /* support our hard core fetch aia ocsp policy for now */
-
- static PRUint64 ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
+ /* Put the first set of possible flags internally here first. Later
+ * there could be a more complete list to choose from; for now we only
+ * support our hard core fetch AIA OCSP policy. Note that we disable
+ * CRL fetching as Dogtag doesn't support it. Additionally, enable OCSP
+ * checking on the chained CA certificates. Since NSS/PKIX's
+ * CERT_GetClassicOCSPEnabledHardFailurePolicy doesn't do what we want,
+ * we construct the policy ourselves. */
+ PRUint64 ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
/* crl */
- 0,
+ CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD,
/* ocsp */
CERT_REV_M_TEST_USING_THIS_METHOD |
- CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
+ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
};
- static PRUint64 ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
+ PRUint64 ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
/* crl */
- 0,
+ CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD,
/* ocsp */
CERT_REV_M_TEST_USING_THIS_METHOD |
- CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
+ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
};
- static CERTRevocationMethodIndex
- ocsp_Enabled_Hard_Policy_Method_Preference = {
- cert_revocation_method_ocsp
- };
-
- static CERTRevocationFlags ocsp_Enabled_Hard_Policy = {
- { /* leafTests */
- 2,
- ocsp_Enabled_Hard_Policy_LeafFlags,
- 1,
- &ocsp_Enabled_Hard_Policy_Method_Preference,
- 0 },
- { /* chainTests */
- 2,
- ocsp_Enabled_Hard_Policy_ChainFlags,
- 1,
- &ocsp_Enabled_Hard_Policy_Method_Preference,
- 0 }
+ CERTRevocationMethodIndex ocsp_Enabled_Hard_Policy_Method_Preference[1] = {
+ cert_revocation_method_ocsp
};
- /* for future expansion */
+ CERTRevocationFlags ocsp_Enabled_Hard_Policy = {
+ /* CERTRevocationTests - leafTests */
+ {
+ /* number_of_defined_methods */
+ 2,
+ /* cert_rev_flags_per_method */
+ ocsp_Enabled_Hard_Policy_LeafFlags,
+ /* number_of_preferred_methods */
+ 1,
+ /* preferred_methods */
+ ocsp_Enabled_Hard_Policy_Method_Preference,
+ /* cert_rev_method_independent_flags */
+ 0
+ },
+ /* CERTRevocationTests - chainTests */
+ {
+ /* number_of_defined_methods */
+ 2,
+ /* cert_rev_flags_per_method */
+ ocsp_Enabled_Hard_Policy_ChainFlags,
+ /* number_of_preferred_methods */
+ 1,
+ /* preferred_methods */
+ ocsp_Enabled_Hard_Policy_Method_Preference,
+ /* cert_rev_method_independent_flags */
+ 0
+ }
+ };
- CERTValOutParam cvout[20] = {{0}};
- CERTValInParam cvin[20] = {{0}};
+ /* The size of these objects are defined here based upon maximum possible
+ * inputs. A dynamic allocation could reallocate based upon actual usage,
+ * however this would affect the size by at most one or two. Note that,
+ * due to the required usage of cert_pi_end/cert_po_end, these sizes are
+ * inflated by one. */
+ CERTValOutParam cvout[3] = {{0}};
+ CERTValInParam cvin[6] = {{0}};
+ int usageIndex = -1;
int inParamIndex = 0;
int outParamIndex = 0;
- CERTRevocationFlags *rev = NULL;
-
- CERTCertList *trustedCertList = NULL;
-
- PRBool fetchCerts = PR_FALSE;
- SECCertUsage certUsage = certUsageSSLClient /* 0 */;
-
SECStatus res = SECFailure;
- CERTCertificate *root = NULL;
-
- if(cert == NULL) {
+ if (cert == NULL) {
goto finish;
}
@@ -1018,93 +1022,122 @@ SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
goto finish;
}
- /* Force the strict ocsp network check on chain
- and leaf.
- */
-
- fetchCerts = PR_TRUE;
- rev = &ocsp_Enabled_Hard_Policy;
-
- /* fetch aia over net */
-
+ /* Enable live AIA fetching over the network. */
cvin[inParamIndex].type = cert_pi_useAIACertFetch;
- cvin[inParamIndex].value.scalar.b = fetchCerts;
- inParamIndex++;
-
- /* time */
+ cvin[inParamIndex].value.scalar.b = PR_TRUE;
+ inParamIndex++;
+ /* By setting the time to zero, we choose the current time when the
+ * check is performed. */
cvin[inParamIndex].type = cert_pi_date;
- cvin[inParamIndex].value.scalar.time = PR_Now();
+ cvin[inParamIndex].value.scalar.time = 0;
inParamIndex++;
- /* flags */
-
+ /* Force the strict OCSP check on both the leaf and its chain. */
cvin[inParamIndex].type = cert_pi_revocationFlags;
- cvin[inParamIndex].value.pointer.revocation = rev;
+ cvin[inParamIndex].value.pointer.revocation = &ocsp_Enabled_Hard_Policy;
inParamIndex++;
- /* establish trust anchor */
-
- /* We need to convert the SECCertificateUsage to a SECCertUsage to obtain
- * the root.
- */
-
- SECCertificateUsage testUsage = certificateUsage;
- while (0 != (testUsage = testUsage >> 1)) { certUsage++; }
-
- root = getRoot(cert,certUsage);
-
- /* Try to add the root as the trust anchor so all the
- other memebers of the ca chain will get validated.
- */
-
- if( root != NULL ) {
- trustedCertList = CERT_NewCertList();
- CERT_AddCertToListTail(trustedCertList, root);
-
+ /* Establish a trust anchor if it is passed to us. NOTE: this trust anchor
+ * must previously be validated before it is passed to us here. */
+ if (trustedCertList != NULL) {
cvin[inParamIndex].type = cert_pi_trustAnchors;
cvin[inParamIndex].value.pointer.chain = trustedCertList;
-
inParamIndex++;
}
+ /* Done establishing input parameters. */
cvin[inParamIndex].type = cert_pi_end;
- if(log != NULL) {
+ /* When we need to log rationale for failure, pass it as an output
+ * parameter. */
+ if (log != NULL) {
cvout[outParamIndex].type = cert_po_errorLog;
cvout[outParamIndex].value.pointer.log = log;
outParamIndex ++;
}
- int usageIndex = 0;
- if(usage != NULL) {
+ /* When we need to inquire about the resulting certificate usage, pass it
+ * here. */
+ if (usage != NULL) {
usageIndex = outParamIndex;
cvout[outParamIndex].type = cert_po_usages;
cvout[outParamIndex].value.scalar.usages = 0;
outParamIndex ++;
}
+ /* Done establishing output parameters. */
cvout[outParamIndex].type = cert_po_end;
+ /* Call into NSS's PKIX library to validate our certificate. */
res = CERT_PKIXVerifyCert(cert, certificateUsage, cvin, cvout, &pwdata);
finish:
- /* clean up any trusted cert list */
-
+ /* Clean up any certificates in the trusted certificate list. This was
+ * a passed input parameter, but by taking ownership of it and clearing it,
+ * we enable tail calls to this function. */
if (trustedCertList) {
+ /* CERT_DestroyCertList destroys interior certs for us. */
CERT_DestroyCertList(trustedCertList);
trustedCertList = NULL;
}
- /* CERT_DestroyCertList destroys interior certs for us. */
-
- if(root) {
- root = NULL;
- }
-
- if(res == SECSuccess && usage) {
+ if (res == SECSuccess && usage && usageIndex != -1) {
*usage = cvout[usageIndex].value.scalar.usages;
}
return res;
}
+
+/* Verify a cert using an explicit PKIX call. For now only perform this call
+ * when the OCSP policy is set to leaf and chain. Performs a blocking, online
+ * OCSP status refresh. The result of this call will be a full-chain OCSP
+ * validation.
+ *
+ * In the future, we'll use ocspPolicy to condition around additional policies
+ * and handle them all with this method (and a call to PKIX).
+ *
+ * Note that this currently requires the certificate to be added directly
+ * to the NSS DB. We can't otherwise validate against root certificates in
+ * the default NSS DB.
+ */
+SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
+ SECCertificateUsage certificateUsage, secuPWData *pwdata, int ocspPolicy,
+ CERTVerifyLog *log, SECCertificateUsage *usage)
+{
+ SECCertUsage certUsage = certUsageSSLClient /* 0 */;
+
+ /* We need to convert the SECCertificateUsage to a SECCertUsage to obtain
+ * the root.
+ */
+
+ SECCertificateUsage testUsage = certificateUsage;
+ while (0 != (testUsage = testUsage >> 1)) { certUsage++; }
+
+ CERTCertificate *root = getRoot(cert, certUsage);
+
+ // Two cases: either the root is present, or it isn't.
+ if (root == NULL) {
+ /* In this case, we've had a hard time finding the root. In all
+ * likelihood, the following call will fail to validate the end cert
+ * as well and thus fail to validate. I don't believe there's a risk
+ * in trying it however. */
+ return JSSL_verifyCertPKIXInternal(cert, certificateUsage, pwdata,
+ ocspPolicy, log, usage, NULL);
+ } else {
+ /* In this case, we've found the root certificate. Before passing it
+ * to the leaf, explicitly validate it with strict OCSP checking. Then
+ * validate the leaf certificate with a known and trusted root
+ * certificate. */
+ SECStatus ret = JSSL_verifyCertPKIXInternal(root, certificateUsageSSLCA,
+ pwdata, ocspPolicy, log, usage, NULL);
+ if (ret != SECSuccess) {
+ return ret;
+ }
+
+ CERTCertList *rootList = CERT_NewCertList();
+ CERT_AddCertToListTail(rootList, root);
+ return JSSL_verifyCertPKIXInternal(cert, certificateUsage, pwdata,
+ ocspPolicy, log, usage, rootList);
+ }
+}
--
2.21.0

View File

@ -0,0 +1,112 @@
From a3a91a8e85d7f05de3c85b0ae6ad1c80cf7c5b55 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Tue, 17 Mar 2020 12:54:49 -0400
Subject: [PATCH 1/2] Remove token key checks
Previously we enforced strict token key matching: the primary key used
for the operation must strictly reside on the current PKCS#11 token,
otherwise JSS would bail. However, NSS has the ability to move the key
to whichever token best supports the given operation. This means that
we'd prematurely bail when the operation would succeed if it were
actually executed. By removing these checks, we still leave the ability
to generate keys on a specific token, we just allow them to be used on
whatever token supports the given operation (and the key is allowed to
be moved to).
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/pkcs11/PK11Cipher.java | 4 ----
org/mozilla/jss/pkcs11/PK11KeyWrapper.java | 22 -------------------
org/mozilla/jss/pkcs11/PK11MessageDigest.java | 7 ------
3 files changed, 33 deletions(-)
diff --git a/org/mozilla/jss/pkcs11/PK11Cipher.java b/org/mozilla/jss/pkcs11/PK11Cipher.java
index 81b600a4..aac411a4 100644
--- a/org/mozilla/jss/pkcs11/PK11Cipher.java
+++ b/org/mozilla/jss/pkcs11/PK11Cipher.java
@@ -262,10 +262,6 @@ public final class PK11Cipher extends org.mozilla.jss.crypto.Cipher {
if( key==null ) {
throw new InvalidKeyException("Key is null");
}
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the "+
- "current token");
- }
if( ! (key instanceof PK11SymKey) ) {
throw new InvalidKeyException("Key is not a PKCS #11 key");
}
diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
index 28840a87..eee2984d 100644
--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
@@ -168,10 +168,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
throw new InvalidKeyException("Key is null");
}
try {
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
- key.getOwningToken().getName());
- }
if( ! (key instanceof PK11SymKey) ) {
throw new InvalidKeyException("Key is not a PKCS #11 key");
}
@@ -196,10 +192,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
if( key==null ) {
throw new InvalidKeyException("Key is null");
}
- if( ! key.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("Key does not reside on the "+
- "current token");
- }
if( ! (key instanceof PK11PrivKey) ) {
throw new InvalidKeyException("Key is not a PKCS #11 key");
}
@@ -299,13 +291,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
throw new InvalidKeyException("key to be wrapped is not a "+
"PKCS #11 key");
}
-/* NSS is capable of moving keys appropriately,
- so this call is prematurely bailing
- if( ! symKey.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("key to be wrapped does not live"+
- " on the same token as the wrapping key");
- }
-*/
}
/**
@@ -320,13 +305,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
throw new InvalidKeyException("key to be wrapped is not a "+
"PKCS #11 key");
}
-/* NSS is capable of moving keys appropriately,
- so this call is prematurely bailing
- if( ! privKey.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("key to be wrapped does not live"+
- " on the same token as the wrapping key");
- }
-*/
}
/**
diff --git a/org/mozilla/jss/pkcs11/PK11MessageDigest.java b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
index cd732788..7a1a6dad 100644
--- a/org/mozilla/jss/pkcs11/PK11MessageDigest.java
+++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
@@ -47,13 +47,6 @@ public final class PK11MessageDigest extends JSSMessageDigest {
}
hmacKey = (PK11SymKey) key;
-
- if( ! key.getOwningToken().equals(token) ) {
- hmacKey = null;
- throw new InvalidKeyException(
- "HMAC key does not live on the same token as this digest");
- }
-
this.digestProxy = initHMAC(token, alg, hmacKey);
}
--
2.25.1

View File

@ -1,91 +0,0 @@
From 7d1c481e947edf0786223ef43a359c8d5771a214 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 28 Aug 2019 09:23:41 -0400
Subject: [PATCH 1/3] Add helper to run a single test case
run_test.sh.in is templated by CMake to build/run_test.sh, fully
configured to your test execution environment. In particular, it writes
the classpath and loads the JSS native library.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
cmake/JSSConfig.cmake | 29 +++++++++++++++++++----------
tools/run_test.sh.in | 15 +++++++++++++++
2 files changed, 34 insertions(+), 10 deletions(-)
create mode 100755 tools/run_test.sh.in
diff --git a/cmake/JSSConfig.cmake b/cmake/JSSConfig.cmake
index 27b2a9bf..6295a6e3 100644
--- a/cmake/JSSConfig.cmake
+++ b/cmake/JSSConfig.cmake
@@ -13,6 +13,9 @@ macro(jss_config)
# Configure java-related flags
jss_config_java()
+
+ # Template auto-generated files
+ jss_config_template()
endmacro()
macro(jss_config_version MAJOR MINOR PATCH BETA)
@@ -45,16 +48,6 @@ macro(jss_config_version MAJOR MINOR PATCH BETA)
set(JSS_VERSION "${JSS_VERSION} beta ${JSS_VERSION_BETA}")
set(JSS_VERSION_STR "${JSS_VERSION_STR}_b${JSS_VERSION_BETA}")
endif()
-
- # Template files
- configure_file(
- "${PROJECT_SOURCE_DIR}/org/mozilla/jss/util/jssver.h.in"
- "${PROJECT_SOURCE_DIR}/org/mozilla/jss/util/jssver.h"
- )
- configure_file(
- "${PROJECT_SOURCE_DIR}/lib/MANIFEST.MF.in"
- "${CMAKE_BINARY_DIR}/MANIFEST.MF"
- )
endmacro()
macro(jss_config_outputs)
@@ -326,3 +319,19 @@ macro(jss_config_java)
math(EXPR JSS_TEST_PORT_CLIENTAUTH ${JSS_BASE_PORT}+0)
math(EXPR JSS_TEST_PORT_CLIENTAUTH_FIPS ${JSS_BASE_PORT}+1)
endmacro()
+
+macro(jss_config_template)
+ # Template files
+ configure_file(
+ "${PROJECT_SOURCE_DIR}/org/mozilla/jss/util/jssver.h.in"
+ "${PROJECT_SOURCE_DIR}/org/mozilla/jss/util/jssver.h"
+ )
+ configure_file(
+ "${PROJECT_SOURCE_DIR}/lib/MANIFEST.MF.in"
+ "${CMAKE_BINARY_DIR}/MANIFEST.MF"
+ )
+ configure_file(
+ "${PROJECT_SOURCE_DIR}/tools/run_test.sh.in"
+ "${CMAKE_BINARY_DIR}/run_test.sh"
+ )
+endmacro()
diff --git a/tools/run_test.sh.in b/tools/run_test.sh.in
new file mode 100755
index 00000000..60233c05
--- /dev/null
+++ b/tools/run_test.sh.in
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# This utility gets templated to build/run_test.sh to help with running a
+# single test after building JSS. This gives the caller more flexibility
+# with command line arguments and ensures that the correct build artifacts
+# get used.
+
+export LD_LIBRARY_PATH="${CMAKE_BINARY_DIR}"
+
+if [ "$1" == "--gdb" ]; then
+ shift
+ gdb --args "${Java_JAVA_EXECUTABLE}" -classpath "${TEST_CLASSPATH}" -ea -Djava.library.path="${CMAKE_BINARY_DIR}" "$@"
+else
+ "${Java_JAVA_EXECUTABLE}" -classpath "${TEST_CLASSPATH}" -ea -Djava.library.path="${CMAKE_BINARY_DIR}" "$@"
+fi
--
2.21.0

View File

@ -1,59 +0,0 @@
From 61985f642b0b5cc75fc3f254ef6c99aeb56acbe2 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Thu, 29 Aug 2019 16:14:08 -0400
Subject: [PATCH 2/3] Add script to add common root CAs
When given an NSS DB, common_roots.sh uses the trust command to extract
the root CAs trusted by the local system and add them to said NSS DB.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
tools/common_roots.sh | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100755 tools/common_roots.sh
diff --git a/tools/common_roots.sh b/tools/common_roots.sh
new file mode 100755
index 00000000..97341c4c
--- /dev/null
+++ b/tools/common_roots.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# This script reads the contents of the OS CA bundle store,
+# /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
+# and places the contained CAs into the specified NSS DB.
+#
+# This NSS DB is used by various JSS tests that aren't enabled
+# by default because they require an active internet connection.
+
+nssdb="$1"
+
+if [ -z "$nssdb" ] && [ -e "build" ]; then
+ nssdb="build/results/cadb"
+elif [ -z "$nssdb" ] && [ -e "../build" ]; then
+ nssdb="../build/results/cadb"
+else
+ echo "Must provide path to NSS DB!" 1>&2
+ exit 1
+fi
+
+if [ -e "$nssdb" ]; then
+ rm -rf "$nssdb"
+fi
+
+mkdir -p "$nssdb"
+echo "" > "$nssdb/password.txt"
+certutil -N -d "$nssdb" -f "$nssdb/password.txt"
+
+trust extract --format=pem-bundle --filter=ca-anchors "$nssdb/complete.pem"
+
+# From: https://serverfault.com/questions/391396/how-to-split-a-pem-file
+csplit -f "$nssdb/individual-" "$nssdb/complete.pem" '/-----BEGIN CERTIFICATE-----/' '{*}'
+
+for cert in "$nssdb"/individual*; do
+ certutil -A -a -i "$cert" -n "$cert" -t CT,C,C -d "$nssdb" -f "$nssdb/password.txt"
+done
--
2.21.0

View File

@ -1,233 +0,0 @@
From 7b4c0fa04f5e4469fc8bc442c9f12f975c5e1610 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 28 Aug 2019 09:23:41 -0400
Subject: [PATCH 3/3] Add optional test case against badssl.com
badssl.com maintains a number of subdomains with valid and invalid TLS
configurations. A number of these test certificates which fail in
certain scenarios (revoked, expired, etc). Add a test runner which
validates SSLSocket's implementation against badssl.com.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/tests/BadSSL.java | 208 ++++++++++++++++++++++++++++++
1 file changed, 208 insertions(+)
create mode 100644 org/mozilla/jss/tests/BadSSL.java
diff --git a/org/mozilla/jss/tests/BadSSL.java b/org/mozilla/jss/tests/BadSSL.java
new file mode 100644
index 00000000..60bfe820
--- /dev/null
+++ b/org/mozilla/jss/tests/BadSSL.java
@@ -0,0 +1,208 @@
+package org.mozilla.jss.tests;
+
+import org.mozilla.jss.CryptoManager;
+
+import org.mozilla.jss.ssl.SSLSocket;
+import org.mozilla.jss.ssl.SSLSocketException;
+
+import org.mozilla.jss.util.NativeErrcodes;
+
+/**
+ * The BadSSL test case maintains an internal mapping from badssl.com
+ * subdomains to expected exceptions and validates they occur.
+ *
+ * Since badssl.com offers no guaranteed SLA or availability, we likely
+ * shouldn't add this site to automated tests.
+ */
+
+public class BadSSL {
+ public static void main(String[] args) throws Exception {
+ boolean ocsp = false;
+
+ if (args.length < 1) {
+ System.out.println("Usage: BadSSL nssdb [LEAF_AND_CHAIN]");
+ return;
+ }
+
+ if (args.length >= 2 && args[1].equals("LEAF_AND_CHAIN")) {
+ System.out.println("Enabling leaf and chain policy...");
+ ocsp = true;
+ }
+
+ CryptoManager.initialize(args[0]);
+ CryptoManager cm = CryptoManager.getInstance();
+
+ if (ocsp) {
+ cm.setOCSPPolicy(CryptoManager.OCSPPolicy.LEAF_AND_CHAIN);
+ }
+
+
+ // Test cases which should fail due to various certificate errors.
+ testExpired();
+ testWrongHost();
+ testSelfSigned();
+ testUntrustedRoot();
+
+ // The following test cases depend on crypto-policies or local NSS
+ // configuration.
+ testSHA1();
+ testRC4MD5();
+ testRC4();
+ test3DES();
+ testNULL();
+
+ // The following test cases depend on OCSP being enabled.
+ if (ocsp) {
+ testRevoked();
+ }
+
+ // Test cases which should pass given the correct root certs.
+ testSHA256();
+ testSHA384();
+ testSHA512();
+
+ testECC256();
+ testECC384();
+
+ testRSA2048();
+ testRSA4096();
+ testRSA8192();
+
+ testExtendedValidation();
+ }
+
+ /* Test cases whose handshakes should fail below. */
+
+ public static void testExpired() throws Exception {
+ testHelper("expired.badssl.com", 443, new String[]{ "(-8181)", "has expired" });
+ }
+
+ public static void testWrongHost() throws Exception {
+ testHelper("wrong.host.badssl.com", 443, new String[]{ "(-12276)", "domain name does not match" });
+ }
+
+ public static void testSelfSigned() throws Exception {
+ testHelper("self-signed.badssl.com", 443, new String[]{ "(-8101)", "(-8156)", "type not approved", "issuer certificate is invalid" });
+ }
+
+ public static void testUntrustedRoot() throws Exception {
+ testHelper("untrusted-root.badssl.com", 443, new String[]{ "(-8172)", "certificate issuer has been marked as not trusted" });
+ }
+
+ public static void testRevoked() throws Exception {
+ testHelper("revoked.badssl.com", 443, new String[]{ "(-8180)", "has been revoked" });
+ }
+
+ public static void testSHA1() throws Exception {
+ testHelper("sha1-intermediate.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ public static void testRC4MD5() throws Exception {
+ testHelper("rc4-md5.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ public static void testRC4() throws Exception {
+ testHelper("rc4.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ public static void test3DES() throws Exception {
+ testHelper("3des.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ public static void testNULL() throws Exception {
+ testHelper("null.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ /* Test cases which should handshake successfully below. */
+
+ public static void testSHA256() throws Exception {
+ testHelper("sha256.badssl.com", 443);
+ }
+
+ public static void testSHA384() throws Exception {
+ testHelper("sha384.badssl.com", 443);
+ }
+
+ public static void testSHA512() throws Exception {
+ testHelper("sha512.badssl.com", 443);
+ }
+
+ public static void testECC256() throws Exception {
+ testHelper("ecc256.badssl.com", 443);
+ }
+
+ public static void testECC384() throws Exception {
+ testHelper("ecc384.badssl.com", 443);
+ }
+
+ public static void testRSA2048() throws Exception {
+ testHelper("rsa2048.badssl.com", 443);
+ }
+
+ public static void testRSA4096() throws Exception {
+ testHelper("rsa4096.badssl.com", 443);
+ }
+
+ public static void testRSA8192() throws Exception {
+ testHelper("rsa8192.badssl.com", 443);
+ }
+
+ public static void testExtendedValidation() throws Exception {
+ testHelper("extended-validation.badssl.com", 443);
+ }
+
+ /* Test case helpers. */
+
+ public static void testHelper(String host, int port) throws Exception {
+ testSite(host, port);
+ System.out.println("\t...ok");
+ }
+
+ public static void testHelper(String host, int port, String[] substrs) throws Exception {
+ try {
+ testSite(host, port);
+ } catch (SSLSocketException sse) {
+ String actual = sse.getMessage().toLowerCase();
+
+ for (String expected : substrs) {
+ if (actual.contains(expected.toLowerCase())) {
+ System.out.println("\t...got expected error message.");
+ return;
+ }
+ }
+
+ System.err.println("\tUnexpected error message: " + actual);
+ throw sse;
+ }
+
+ throw new RuntimeException("Expected to get an exception, but didn't!");
+ }
+
+ public static void testHelper(String host, int port, int[] codes) throws Exception {
+ try {
+ testSite(host, port);
+ } catch (SSLSocketException sse) {
+ int actual = sse.getErrcode();
+ for (int expected : codes) {
+ if (actual == expected) {
+ System.out.println("\t...got expected error code.");
+ return;
+ }
+ }
+
+ System.err.println("\tUnexpected error code: " + actual);
+ throw sse;
+ }
+
+ throw new RuntimeException("Expected to get an exception, but didn't!");
+ }
+
+ public static void testSite(String host, int port) throws Exception {
+ System.out.println("Testing connection to " + host + ":" + port);
+ SSLSocket sock = new SSLSocket(host, 443);
+ sock.forceHandshake();
+ sock.shutdownOutput();
+ sock.shutdownInput();
+ sock.close();
+ }
+}
--
2.21.0

View File

@ -6,8 +6,8 @@ Summary: Java Security Services (JSS)
URL: http://www.dogtagpki.org/wiki/JSS URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
Version: 4.6.0 Version: 4.6.2
Release: 5%{?_timestamp}%{?_commit_id}%{?dist} Release: 4%{?_timestamp}%{?_commit_id}%{?dist}
# global _phase -a1 # global _phase -a1
# To generate the source tarball: # To generate the source tarball:
@ -25,13 +25,10 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
# <version tag> \ # <version tag> \
# > jss-VERSION-RELEASE.patch # > jss-VERSION-RELEASE.patch
# Patch: jss-VERSION-RELEASE.patch # Patch: jss-VERSION-RELEASE.patch
Patch1: 0001-Disable-buffer-based-tests.patch Patch0: 0001-Fix-NativeProxy-reference-tracker.patch
Patch2: 0002-Support-LD_FLAGS-from-environment.patch Patch1: 0002-Fix-swapped-parameter-names-with-PBE.patch
Patch3: 0003-Remove-legacy-DSA-implementation.patch Patch3: 0003-Use-specified-algorithm-for-KeyWrap.patch
Patch4: 0004-JSS-CVE-2019-14823-fix.patch Patch4: 0004-Remove-token-key-checks.patch
Patch5: 0005-Add-helper-to-run-a-single-test-case.patch
Patch6: 0006-Add-script-to-add-common-root-CAs.patch
Patch7: 0007-Add-optional-test-case-against-badssl.com.patch
################################################################################ ################################################################################
# Build Dependencies # Build Dependencies
@ -88,7 +85,6 @@ This only works with gcj. Other JREs require that JCE providers be signed.
################################################################################ ################################################################################
Summary: Java Security Services (JSS) Javadocs Summary: Java Security Services (JSS) Javadocs
Group: Documentation
Requires: jss = %{version}-%{release} Requires: jss = %{version}-%{release}
%description javadoc %description javadoc
@ -113,6 +109,9 @@ export BUILD_OPT=1
CFLAGS="-g $RPM_OPT_FLAGS" CFLAGS="-g $RPM_OPT_FLAGS"
export CFLAGS export CFLAGS
# Check if we're in FIPS mode
modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
# The Makefile is not thread-safe # The Makefile is not thread-safe
rm -rf build && mkdir -p build && cd build rm -rf build && mkdir -p build && cd build
%cmake \ %cmake \
@ -164,14 +163,24 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
################################################################################ ################################################################################
%changelog %changelog
* Mon Mar 23 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-4
- Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing
* Mon Mar 02 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-3
- Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing
* Tue Oct 29 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-2
- Red Hat Bugzilla #1730767 - JSS: Wrap NSS CMAC + KDF implementations
- Rebased to JSS 4.6.2
* Wed Sep 11 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-5 * Wed Sep 11 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-5
- Bugzilla #1747987 - CVE 2019-14823 jss: OCSP policy "Leaf and Chain" implicitly trusts the root certificate - Red Hat Bugzilla #1747987 - CVE 2019-14823 jss: OCSP policy "Leaf and Chain" implicitly trusts the root certificate
* Wed Aug 14 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-4 * Wed Aug 14 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-4
- Red Hat Bugzilla #1698059 - pki-core implements crypto - Red Hat Bugzilla #1698059 - pki-core implements crypto
* Tue Jul 16 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-3 * Tue Jul 16 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-3
- Red Hat Bugilla #1721135 - JSS - LD_FLAGS support - Red Hat Bugzilla #1721135 - JSS - LD_FLAGS support
* Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-2 * Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-2
- Minor updates to release - Minor updates to release