rpms/jss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import jss-4.6.0-5.module+el8.1.0+4218+3fd65c36

Browse Source
This commit is contained in:
CentOS Sources 2019-11-11 07:59:15 -05:00 committed by Andrew Lukoshko
commit d4767398bf
10 changed files with 3243 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/jss-4.6.0.tar.gz

1
.jss.metadata Normal file
View File

@ -0,0 +1 @@
3d6d2d885129e0d7d8ebac5dfe9055c693a7a9b1 SOURCES/jss-4.6.0.tar.gz

71
SOURCES/0001-Disable-buffer-based-tests.patch Normal file
View File

@ -0,0 +1,71 @@
From d7d6d769b510118e40d9c0919317665c4c9feb8d Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alexander.m.scheel@gmail.com>
Date: Wed, 12 Jun 2019 17:17:45 -0400
Subject: [PATCH] Disable buffer-based tests
Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
---
cmake/JSSTests.cmake | 33 ---------------------------------
1 file changed, 33 deletions(-)
diff --git a/cmake/JSSTests.cmake b/cmake/JSSTests.cmake
index b389be5c..473d7d4d 100644
--- a/cmake/JSSTests.cmake
+++ b/cmake/JSSTests.cmake
@@ -78,24 +78,6 @@ macro(jss_tests)
NAME "BigObjectIdentifier"
COMMAND "org.mozilla.jss.tests.BigObjectIdentifier"
)
- jss_test_java(
- NAME "JSS_Test_PR_FileDesc"
- COMMAND "org.mozilla.jss.tests.TestPRFD"
- )
- jss_test_java(
- NAME "JSS_Test_Raw_SSL"
- COMMAND "org.mozilla.jss.tests.TestRawSSL" "${RESULTS_NSSDB_OUTPUT_DIR}"
- DEPENDS "Setup_DBs"
- )
- jss_test_java(
- NAME "JSS_Test_Buffer"
- COMMAND "org.mozilla.jss.tests.TestBuffer"
- )
- jss_test_java(
- NAME "JSS_Test_BufferPRFD"
- COMMAND "org.mozilla.jss.tests.TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
- DEPENDS "List_CA_certs"
- )
if ((${Java_VERSION_MAJOR} EQUAL 1) AND (${Java_VERSION_MINOR} LESS 9))
jss_test_java(
NAME "Test_PKCS11Constants.java_for_Sun_compatibility"
@@ -126,16 +108,6 @@ macro(jss_tests)
NAME "JUnit_UTF8StringTest"
COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.UTF8StringTest"
)
- jss_test_exec(
- NAME "buffer_size_1"
- COMMAND "${BIN_OUTPUT_DIR}/buffer_size_1"
- DEPENDS "generate_c_buffer_size_1"
- )
- jss_test_exec(
- NAME "buffer_size_4"
- COMMAND "${BIN_OUTPUT_DIR}/buffer_size_4"
- DEPENDS "generate_c_buffer_size_4"
- )
jss_test_java(
NAME "JUnit_ChainSortingTest"
COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.ChainSortingTest"
@@ -180,11 +152,6 @@ macro(jss_tests)
COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH}" "50"
DEPENDS "List_CA_certs"
)
- jss_test_exec(
- NAME "TestBufferPRFD"
- COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
- DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
- )
jss_test_java(
NAME "Key_Generation"
COMMAND "org.mozilla.jss.tests.TestKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
--
2.21.0

39
SOURCES/0002-Support-LD_FLAGS-from-environment.patch Normal file
View File

@ -0,0 +1,39 @@
From 731b62d4c456a3e1a70519c24eb0df2c59d943b4 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Mon, 17 Jun 2019 08:48:01 -0400
Subject: [PATCH] Support LD_FLAGS from environment
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
cmake/JSSConfig.cmake | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/cmake/JSSConfig.cmake b/cmake/JSSConfig.cmake
index f045850a..e63dd5fa 100644
--- a/cmake/JSSConfig.cmake
+++ b/cmake/JSSConfig.cmake
@@ -174,6 +174,11 @@ macro(jss_config_ldflags)
list(APPEND JSS_LD_FLAGS "-lpthread")
list(APPEND JSS_LD_FLAGS "-ldl")
+ separate_arguments(PASSED_LD_FLAGS UNIX_COMMAND "${CMAKE_SHARED_LINKER_FLAGS}")
+ foreach(PASSED_LD_FLAG ${PASSED_LD_FLAGS})
+ list(INSERT JSS_LD_FLAGS 0 "${PASSED_LD_FLAG}")
+ endforeach()
+
# This set of flags is specific to building the libjss library.
list(APPEND JSS_LIBRARY_FLAGS "-shared")
list(APPEND JSS_LIBRARY_FLAGS "-Wl,-z,defs")
@@ -181,6 +186,9 @@ macro(jss_config_ldflags)
list(APPEND JSS_LIBRARY_FLAGS "-Wl,${JSS_SO}")
set(JSS_VERSION_SCRIPT "-Wl,--version-script,${PROJECT_SOURCE_DIR}/lib/jss.map")
+
+ message(STATUS "JSS LD FLAGS: ${JSS_LD_FLAGS}")
+ message(STATUS "JSS LIBRARY FLAGS: ${JSS_LIBRARY_FLAGS}")
endmacro()
macro(jss_config_java)
--
2.20.1

2197
SOURCES/0003-Remove-legacy-DSA-implementation.patch Normal file
View File

File diff suppressed because it is too large Load Diff

346
SOURCES/0004-JSS-CVE-2019-14823-fix.patch Normal file
View File

@ -0,0 +1,346 @@
From 233795b098a17269f8495fee312fe6df404a236d Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 4 Sep 2019 08:33:14 -0400
Subject: [PATCH] Fix root certificate validation
When the Leaf and Chain OCSP checking policy is enabled in
CryptoManager, JSS will switch to alternative certificate verification
logic in JSSL_DefaultCertAuthCallback. In this method, the root
certificate was incorrectly trusted without being verified to exist in
the trust store.
This patch cleans up the logic in JSSL_verifyCertPKIX and makes it
more explicit in addition to fixing the error.
Fixes CVE-2019-14823
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/ssl/common.c | 239 ++++++++++++++++++++---------------
1 file changed, 136 insertions(+), 103 deletions(-)
diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c
index 1bbfed45..2db9fda1 100644
--- a/org/mozilla/jss/ssl/common.c
+++ b/org/mozilla/jss/ssl/common.c
@@ -904,7 +904,6 @@ finish:
}
/* Get the trusted anchor for pkix */
-
CERTCertificate *getRoot(CERTCertificate *cert,
SECCertUsage certUsage)
{
@@ -938,79 +937,84 @@ finish:
return root;
}
-/* Verify a cert using explicit PKIX call.
- * For now only used in OCSP AIA context.
- * The result of this call will be a full chain
- * and leaf network AIA ocsp validation.
- * The policy param will be used in the future to
- * handle more scenarios.
- */
-
-SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
- SECCertificateUsage certificateUsage,secuPWData *pwdata, int ocspPolicy,
- CERTVerifyLog *log, SECCertificateUsage *usage)
+/* Internal helper for the below call. */
+static SECStatus
+JSSL_verifyCertPKIXInternal(CERTCertificate *cert,
+ SECCertificateUsage certificateUsage, secuPWData *pwdata, int ocspPolicy,
+ CERTVerifyLog *log, SECCertificateUsage *usage,
+ CERTCertList *trustedCertList)
{
-
- /* put the first set of possible flags internally here first */
- /* later there could be a more complete list to choose from */
- /* support our hard core fetch aia ocsp policy for now */
-
- static PRUint64 ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
+ /* Put the first set of possible flags internally here first. Later
+ * there could be a more complete list to choose from; for now we only
+ * support our hard core fetch AIA OCSP policy. Note that we disable
+ * CRL fetching as Dogtag doesn't support it. Additionally, enable OCSP
+ * checking on the chained CA certificates. Since NSS/PKIX's
+ * CERT_GetClassicOCSPEnabledHardFailurePolicy doesn't do what we want,
+ * we construct the policy ourselves. */
+ PRUint64 ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
/* crl */
- 0,
+ CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD,
/* ocsp */
CERT_REV_M_TEST_USING_THIS_METHOD |
- CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
+ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
};
- static PRUint64 ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
+ PRUint64 ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
/* crl */
- 0,
+ CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD,
/* ocsp */
CERT_REV_M_TEST_USING_THIS_METHOD |
- CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
+ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
};
- static CERTRevocationMethodIndex
- ocsp_Enabled_Hard_Policy_Method_Preference = {
- cert_revocation_method_ocsp
- };
-
- static CERTRevocationFlags ocsp_Enabled_Hard_Policy = {
- { /* leafTests */
- 2,
- ocsp_Enabled_Hard_Policy_LeafFlags,
- 1,
- &ocsp_Enabled_Hard_Policy_Method_Preference,
- 0 },
- { /* chainTests */
- 2,
- ocsp_Enabled_Hard_Policy_ChainFlags,
- 1,
- &ocsp_Enabled_Hard_Policy_Method_Preference,
- 0 }
+ CERTRevocationMethodIndex ocsp_Enabled_Hard_Policy_Method_Preference[1] = {
+ cert_revocation_method_ocsp
};
- /* for future expansion */
+ CERTRevocationFlags ocsp_Enabled_Hard_Policy = {
+ /* CERTRevocationTests - leafTests */
+ {
+ /* number_of_defined_methods */
+ 2,
+ /* cert_rev_flags_per_method */
+ ocsp_Enabled_Hard_Policy_LeafFlags,
+ /* number_of_preferred_methods */
+ 1,
+ /* preferred_methods */
+ ocsp_Enabled_Hard_Policy_Method_Preference,
+ /* cert_rev_method_independent_flags */
+ 0
+ },
+ /* CERTRevocationTests - chainTests */
+ {
+ /* number_of_defined_methods */
+ 2,
+ /* cert_rev_flags_per_method */
+ ocsp_Enabled_Hard_Policy_ChainFlags,
+ /* number_of_preferred_methods */
+ 1,
+ /* preferred_methods */
+ ocsp_Enabled_Hard_Policy_Method_Preference,
+ /* cert_rev_method_independent_flags */
+ 0
+ }
+ };
- CERTValOutParam cvout[20] = {{0}};
- CERTValInParam cvin[20] = {{0}};
+ /* The size of these objects are defined here based upon maximum possible
+ * inputs. A dynamic allocation could reallocate based upon actual usage,
+ * however this would affect the size by at most one or two. Note that,
+ * due to the required usage of cert_pi_end/cert_po_end, these sizes are
+ * inflated by one. */
+ CERTValOutParam cvout[3] = {{0}};
+ CERTValInParam cvin[6] = {{0}};
+ int usageIndex = -1;
int inParamIndex = 0;
int outParamIndex = 0;
- CERTRevocationFlags *rev = NULL;
-
- CERTCertList *trustedCertList = NULL;
-
- PRBool fetchCerts = PR_FALSE;
- SECCertUsage certUsage = certUsageSSLClient /* 0 */;
-
SECStatus res = SECFailure;
- CERTCertificate *root = NULL;
-
- if(cert == NULL) {
+ if (cert == NULL) {
goto finish;
}
@@ -1018,93 +1022,122 @@ SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
goto finish;
}
- /* Force the strict ocsp network check on chain
- and leaf.
- */
-
- fetchCerts = PR_TRUE;
- rev = &ocsp_Enabled_Hard_Policy;
-
- /* fetch aia over net */
-
+ /* Enable live AIA fetching over the network. */
cvin[inParamIndex].type = cert_pi_useAIACertFetch;
- cvin[inParamIndex].value.scalar.b = fetchCerts;
- inParamIndex++;
-
- /* time */
+ cvin[inParamIndex].value.scalar.b = PR_TRUE;
+ inParamIndex++;
+ /* By setting the time to zero, we choose the current time when the
+ * check is performed. */
cvin[inParamIndex].type = cert_pi_date;
- cvin[inParamIndex].value.scalar.time = PR_Now();
+ cvin[inParamIndex].value.scalar.time = 0;
inParamIndex++;
- /* flags */
-
+ /* Force the strict OCSP check on both the leaf and its chain. */
cvin[inParamIndex].type = cert_pi_revocationFlags;
- cvin[inParamIndex].value.pointer.revocation = rev;
+ cvin[inParamIndex].value.pointer.revocation = &ocsp_Enabled_Hard_Policy;
inParamIndex++;
- /* establish trust anchor */
-
- /* We need to convert the SECCertificateUsage to a SECCertUsage to obtain
- * the root.
- */
-
- SECCertificateUsage testUsage = certificateUsage;
- while (0 != (testUsage = testUsage >> 1)) { certUsage++; }
-
- root = getRoot(cert,certUsage);
-
- /* Try to add the root as the trust anchor so all the
- other memebers of the ca chain will get validated.
- */
-
- if( root != NULL ) {
- trustedCertList = CERT_NewCertList();
- CERT_AddCertToListTail(trustedCertList, root);
-
+ /* Establish a trust anchor if it is passed to us. NOTE: this trust anchor
+ * must previously be validated before it is passed to us here. */
+ if (trustedCertList != NULL) {
cvin[inParamIndex].type = cert_pi_trustAnchors;
cvin[inParamIndex].value.pointer.chain = trustedCertList;
-
inParamIndex++;
}
+ /* Done establishing input parameters. */
cvin[inParamIndex].type = cert_pi_end;
- if(log != NULL) {
+ /* When we need to log rationale for failure, pass it as an output
+ * parameter. */
+ if (log != NULL) {
cvout[outParamIndex].type = cert_po_errorLog;
cvout[outParamIndex].value.pointer.log = log;
outParamIndex ++;
}
- int usageIndex = 0;
- if(usage != NULL) {
+ /* When we need to inquire about the resulting certificate usage, pass it
+ * here. */
+ if (usage != NULL) {
usageIndex = outParamIndex;
cvout[outParamIndex].type = cert_po_usages;
cvout[outParamIndex].value.scalar.usages = 0;
outParamIndex ++;
}
+ /* Done establishing output parameters. */
cvout[outParamIndex].type = cert_po_end;
+ /* Call into NSS's PKIX library to validate our certificate. */
res = CERT_PKIXVerifyCert(cert, certificateUsage, cvin, cvout, &pwdata);
finish:
- /* clean up any trusted cert list */
-
+ /* Clean up any certificates in the trusted certificate list. This was
+ * a passed input parameter, but by taking ownership of it and clearing it,
+ * we enable tail calls to this function. */
if (trustedCertList) {
+ /* CERT_DestroyCertList destroys interior certs for us. */
CERT_DestroyCertList(trustedCertList);
trustedCertList = NULL;
}
- /* CERT_DestroyCertList destroys interior certs for us. */
-
- if(root) {
- root = NULL;
- }
-
- if(res == SECSuccess && usage) {
+ if (res == SECSuccess && usage && usageIndex != -1) {
*usage = cvout[usageIndex].value.scalar.usages;
}
return res;
}
+
+/* Verify a cert using an explicit PKIX call. For now only perform this call
+ * when the OCSP policy is set to leaf and chain. Performs a blocking, online
+ * OCSP status refresh. The result of this call will be a full-chain OCSP
+ * validation.
+ *
+ * In the future, we'll use ocspPolicy to condition around additional policies
+ * and handle them all with this method (and a call to PKIX).
+ *
+ * Note that this currently requires the certificate to be added directly
+ * to the NSS DB. We can't otherwise validate against root certificates in
+ * the default NSS DB.
+ */
+SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert,
+ SECCertificateUsage certificateUsage, secuPWData *pwdata, int ocspPolicy,
+ CERTVerifyLog *log, SECCertificateUsage *usage)
+{
+ SECCertUsage certUsage = certUsageSSLClient /* 0 */;
+
+ /* We need to convert the SECCertificateUsage to a SECCertUsage to obtain
+ * the root.
+ */
+
+ SECCertificateUsage testUsage = certificateUsage;
+ while (0 != (testUsage = testUsage >> 1)) { certUsage++; }
+
+ CERTCertificate *root = getRoot(cert, certUsage);
+
+ // Two cases: either the root is present, or it isn't.
+ if (root == NULL) {
+ /* In this case, we've had a hard time finding the root. In all
+ * likelihood, the following call will fail to validate the end cert
+ * as well and thus fail to validate. I don't believe there's a risk
+ * in trying it however. */
+ return JSSL_verifyCertPKIXInternal(cert, certificateUsage, pwdata,
+ ocspPolicy, log, usage, NULL);
+ } else {
+ /* In this case, we've found the root certificate. Before passing it
+ * to the leaf, explicitly validate it with strict OCSP checking. Then
+ * validate the leaf certificate with a known and trusted root
+ * certificate. */
+ SECStatus ret = JSSL_verifyCertPKIXInternal(root, certificateUsageSSLCA,
+ pwdata, ocspPolicy, log, usage, NULL);
+ if (ret != SECSuccess) {
+ return ret;
+ }
+
+ CERTCertList *rootList = CERT_NewCertList();
+ CERT_AddCertToListTail(rootList, root);
+ return JSSL_verifyCertPKIXInternal(cert, certificateUsage, pwdata,
+ ocspPolicy, log, usage, rootList);
+ }
+}
--
2.21.0

91
SOURCES/0005-Add-helper-to-run-a-single-test-case.patch Normal file
View File

@ -0,0 +1,91 @@
From 7d1c481e947edf0786223ef43a359c8d5771a214 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 28 Aug 2019 09:23:41 -0400
Subject: [PATCH 1/3] Add helper to run a single test case
run_test.sh.in is templated by CMake to build/run_test.sh, fully
configured to your test execution environment. In particular, it writes
the classpath and loads the JSS native library.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
cmake/JSSConfig.cmake | 29 +++++++++++++++++++----------
tools/run_test.sh.in | 15 +++++++++++++++
2 files changed, 34 insertions(+), 10 deletions(-)
create mode 100755 tools/run_test.sh.in
diff --git a/cmake/JSSConfig.cmake b/cmake/JSSConfig.cmake
index 27b2a9bf..6295a6e3 100644
--- a/cmake/JSSConfig.cmake
+++ b/cmake/JSSConfig.cmake
@@ -13,6 +13,9 @@ macro(jss_config)
# Configure java-related flags
jss_config_java()
+
+ # Template auto-generated files
+ jss_config_template()
endmacro()
macro(jss_config_version MAJOR MINOR PATCH BETA)
@@ -45,16 +48,6 @@ macro(jss_config_version MAJOR MINOR PATCH BETA)
set(JSS_VERSION "${JSS_VERSION} beta ${JSS_VERSION_BETA}")
set(JSS_VERSION_STR "${JSS_VERSION_STR}_b${JSS_VERSION_BETA}")
endif()
-
- # Template files
- configure_file(
- "${PROJECT_SOURCE_DIR}/org/mozilla/jss/util/jssver.h.in"
- "${PROJECT_SOURCE_DIR}/org/mozilla/jss/util/jssver.h"
- )
- configure_file(
- "${PROJECT_SOURCE_DIR}/lib/MANIFEST.MF.in"
- "${CMAKE_BINARY_DIR}/MANIFEST.MF"
- )
endmacro()
macro(jss_config_outputs)
@@ -326,3 +319,19 @@ macro(jss_config_java)
math(EXPR JSS_TEST_PORT_CLIENTAUTH ${JSS_BASE_PORT}+0)
math(EXPR JSS_TEST_PORT_CLIENTAUTH_FIPS ${JSS_BASE_PORT}+1)
endmacro()
+
+macro(jss_config_template)
+ # Template files
+ configure_file(
+ "${PROJECT_SOURCE_DIR}/org/mozilla/jss/util/jssver.h.in"
+ "${PROJECT_SOURCE_DIR}/org/mozilla/jss/util/jssver.h"
+ )
+ configure_file(
+ "${PROJECT_SOURCE_DIR}/lib/MANIFEST.MF.in"
+ "${CMAKE_BINARY_DIR}/MANIFEST.MF"
+ )
+ configure_file(
+ "${PROJECT_SOURCE_DIR}/tools/run_test.sh.in"
+ "${CMAKE_BINARY_DIR}/run_test.sh"
+ )
+endmacro()
diff --git a/tools/run_test.sh.in b/tools/run_test.sh.in
new file mode 100755
index 00000000..60233c05
--- /dev/null
+++ b/tools/run_test.sh.in
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# This utility gets templated to build/run_test.sh to help with running a
+# single test after building JSS. This gives the caller more flexibility
+# with command line arguments and ensures that the correct build artifacts
+# get used.
+
+export LD_LIBRARY_PATH="${CMAKE_BINARY_DIR}"
+
+if [ "$1" == "--gdb" ]; then
+ shift
+ gdb --args "${Java_JAVA_EXECUTABLE}" -classpath "${TEST_CLASSPATH}" -ea -Djava.library.path="${CMAKE_BINARY_DIR}" "$@"
+else
+ "${Java_JAVA_EXECUTABLE}" -classpath "${TEST_CLASSPATH}" -ea -Djava.library.path="${CMAKE_BINARY_DIR}" "$@"
+fi
--
2.21.0

59
SOURCES/0006-Add-script-to-add-common-root-CAs.patch Normal file
View File

@ -0,0 +1,59 @@
From 61985f642b0b5cc75fc3f254ef6c99aeb56acbe2 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Thu, 29 Aug 2019 16:14:08 -0400
Subject: [PATCH 2/3] Add script to add common root CAs
When given an NSS DB, common_roots.sh uses the trust command to extract
the root CAs trusted by the local system and add them to said NSS DB.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
tools/common_roots.sh | 36 ++++++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100755 tools/common_roots.sh
diff --git a/tools/common_roots.sh b/tools/common_roots.sh
new file mode 100755
index 00000000..97341c4c
--- /dev/null
+++ b/tools/common_roots.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# This script reads the contents of the OS CA bundle store,
+# /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
+# and places the contained CAs into the specified NSS DB.
+#
+# This NSS DB is used by various JSS tests that aren't enabled
+# by default because they require an active internet connection.
+
+nssdb="$1"
+
+if [ -z "$nssdb" ] && [ -e "build" ]; then
+ nssdb="build/results/cadb"
+elif [ -z "$nssdb" ] && [ -e "../build" ]; then
+ nssdb="../build/results/cadb"
+else
+ echo "Must provide path to NSS DB!" 1>&2
+ exit 1
+fi
+
+if [ -e "$nssdb" ]; then
+ rm -rf "$nssdb"
+fi
+
+mkdir -p "$nssdb"
+echo "" > "$nssdb/password.txt"
+certutil -N -d "$nssdb" -f "$nssdb/password.txt"
+
+trust extract --format=pem-bundle --filter=ca-anchors "$nssdb/complete.pem"
+
+# From: https://serverfault.com/questions/391396/how-to-split-a-pem-file
+csplit -f "$nssdb/individual-" "$nssdb/complete.pem" '/-----BEGIN CERTIFICATE-----/' '{*}'
+
+for cert in "$nssdb"/individual*; do
+ certutil -A -a -i "$cert" -n "$cert" -t CT,C,C -d "$nssdb" -f "$nssdb/password.txt"
+done
--
2.21.0

233
SOURCES/0007-Add-optional-test-case-against-badssl.com.patch Normal file
View File

@ -0,0 +1,233 @@
From 7b4c0fa04f5e4469fc8bc442c9f12f975c5e1610 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 28 Aug 2019 09:23:41 -0400
Subject: [PATCH 3/3] Add optional test case against badssl.com
badssl.com maintains a number of subdomains with valid and invalid TLS
configurations. A number of these test certificates which fail in
certain scenarios (revoked, expired, etc). Add a test runner which
validates SSLSocket's implementation against badssl.com.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/tests/BadSSL.java | 208 ++++++++++++++++++++++++++++++
1 file changed, 208 insertions(+)
create mode 100644 org/mozilla/jss/tests/BadSSL.java
diff --git a/org/mozilla/jss/tests/BadSSL.java b/org/mozilla/jss/tests/BadSSL.java
new file mode 100644
index 00000000..60bfe820
--- /dev/null
+++ b/org/mozilla/jss/tests/BadSSL.java
@@ -0,0 +1,208 @@
+package org.mozilla.jss.tests;
+
+import org.mozilla.jss.CryptoManager;
+
+import org.mozilla.jss.ssl.SSLSocket;
+import org.mozilla.jss.ssl.SSLSocketException;
+
+import org.mozilla.jss.util.NativeErrcodes;
+
+/**
+ * The BadSSL test case maintains an internal mapping from badssl.com
+ * subdomains to expected exceptions and validates they occur.
+ *
+ * Since badssl.com offers no guaranteed SLA or availability, we likely
+ * shouldn't add this site to automated tests.
+ */
+
+public class BadSSL {
+ public static void main(String[] args) throws Exception {
+ boolean ocsp = false;
+
+ if (args.length < 1) {
+ System.out.println("Usage: BadSSL nssdb [LEAF_AND_CHAIN]");
+ return;
+ }
+
+ if (args.length >= 2 && args[1].equals("LEAF_AND_CHAIN")) {
+ System.out.println("Enabling leaf and chain policy...");
+ ocsp = true;
+ }
+
+ CryptoManager.initialize(args[0]);
+ CryptoManager cm = CryptoManager.getInstance();
+
+ if (ocsp) {
+ cm.setOCSPPolicy(CryptoManager.OCSPPolicy.LEAF_AND_CHAIN);
+ }
+
+
+ // Test cases which should fail due to various certificate errors.
+ testExpired();
+ testWrongHost();
+ testSelfSigned();
+ testUntrustedRoot();
+
+ // The following test cases depend on crypto-policies or local NSS
+ // configuration.
+ testSHA1();
+ testRC4MD5();
+ testRC4();
+ test3DES();
+ testNULL();
+
+ // The following test cases depend on OCSP being enabled.
+ if (ocsp) {
+ testRevoked();
+ }
+
+ // Test cases which should pass given the correct root certs.
+ testSHA256();
+ testSHA384();
+ testSHA512();
+
+ testECC256();
+ testECC384();
+
+ testRSA2048();
+ testRSA4096();
+ testRSA8192();
+
+ testExtendedValidation();
+ }
+
+ /* Test cases whose handshakes should fail below. */
+
+ public static void testExpired() throws Exception {
+ testHelper("expired.badssl.com", 443, new String[]{ "(-8181)", "has expired" });
+ }
+
+ public static void testWrongHost() throws Exception {
+ testHelper("wrong.host.badssl.com", 443, new String[]{ "(-12276)", "domain name does not match" });
+ }
+
+ public static void testSelfSigned() throws Exception {
+ testHelper("self-signed.badssl.com", 443, new String[]{ "(-8101)", "(-8156)", "type not approved", "issuer certificate is invalid" });
+ }
+
+ public static void testUntrustedRoot() throws Exception {
+ testHelper("untrusted-root.badssl.com", 443, new String[]{ "(-8172)", "certificate issuer has been marked as not trusted" });
+ }
+
+ public static void testRevoked() throws Exception {
+ testHelper("revoked.badssl.com", 443, new String[]{ "(-8180)", "has been revoked" });
+ }
+
+ public static void testSHA1() throws Exception {
+ testHelper("sha1-intermediate.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ public static void testRC4MD5() throws Exception {
+ testHelper("rc4-md5.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ public static void testRC4() throws Exception {
+ testHelper("rc4.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ public static void test3DES() throws Exception {
+ testHelper("3des.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ public static void testNULL() throws Exception {
+ testHelper("null.badssl.com", 443, new String[] { "(-12286)", "Cannot communicate securely" });
+ }
+
+ /* Test cases which should handshake successfully below. */
+
+ public static void testSHA256() throws Exception {
+ testHelper("sha256.badssl.com", 443);
+ }
+
+ public static void testSHA384() throws Exception {
+ testHelper("sha384.badssl.com", 443);
+ }
+
+ public static void testSHA512() throws Exception {
+ testHelper("sha512.badssl.com", 443);
+ }
+
+ public static void testECC256() throws Exception {
+ testHelper("ecc256.badssl.com", 443);
+ }
+
+ public static void testECC384() throws Exception {
+ testHelper("ecc384.badssl.com", 443);
+ }
+
+ public static void testRSA2048() throws Exception {
+ testHelper("rsa2048.badssl.com", 443);
+ }
+
+ public static void testRSA4096() throws Exception {
+ testHelper("rsa4096.badssl.com", 443);
+ }
+
+ public static void testRSA8192() throws Exception {
+ testHelper("rsa8192.badssl.com", 443);
+ }
+
+ public static void testExtendedValidation() throws Exception {
+ testHelper("extended-validation.badssl.com", 443);
+ }
+
+ /* Test case helpers. */
+
+ public static void testHelper(String host, int port) throws Exception {
+ testSite(host, port);
+ System.out.println("\t...ok");
+ }
+
+ public static void testHelper(String host, int port, String[] substrs) throws Exception {
+ try {
+ testSite(host, port);
+ } catch (SSLSocketException sse) {
+ String actual = sse.getMessage().toLowerCase();
+
+ for (String expected : substrs) {
+ if (actual.contains(expected.toLowerCase())) {
+ System.out.println("\t...got expected error message.");
+ return;
+ }
+ }
+
+ System.err.println("\tUnexpected error message: " + actual);
+ throw sse;
+ }
+
+ throw new RuntimeException("Expected to get an exception, but didn't!");
+ }
+
+ public static void testHelper(String host, int port, int[] codes) throws Exception {
+ try {
+ testSite(host, port);
+ } catch (SSLSocketException sse) {
+ int actual = sse.getErrcode();
+ for (int expected : codes) {
+ if (actual == expected) {
+ System.out.println("\t...got expected error code.");
+ return;
+ }
+ }
+
+ System.err.println("\tUnexpected error code: " + actual);
+ throw sse;
+ }
+
+ throw new RuntimeException("Expected to get an exception, but didn't!");
+ }
+
+ public static void testSite(String host, int port) throws Exception {
+ System.out.println("Testing connection to " + host + ":" + port);
+ SSLSocket sock = new SSLSocket(host, 443);
+ sock.forceHandshake();
+ sock.shutdownOutput();
+ sock.shutdownInput();
+ sock.close();
+ }
+}
--
2.21.0

205
SPECS/jss.spec Normal file
View File

@ -0,0 +1,205 @@
################################################################################
Name: jss
################################################################################
Summary: Java Security Services (JSS)
URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+
Version: 4.6.0
Release: 5%{?_timestamp}%{?_commit_id}%{?dist}
# global _phase -a1
# To generate the source tarball:
# $ git clone https://github.com/dogtagpki/jss.git
# $ cd jss
# $ git tag v4.5.<z>
# $ git push origin v4.5.<z>
# Then go to https://github.com/dogtagpki/jss/releases and download the source
# tarball.
Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phase}/%{name}-%{version}%{?_phase}.tar.gz
# To create a patch for all changes since a version tag:
# $ git format-patch \
# --stdout \
# <version tag> \
# > jss-VERSION-RELEASE.patch
# Patch: jss-VERSION-RELEASE.patch
Patch1: 0001-Disable-buffer-based-tests.patch
Patch2: 0002-Support-LD_FLAGS-from-environment.patch
Patch3: 0003-Remove-legacy-DSA-implementation.patch
Patch4: 0004-JSS-CVE-2019-14823-fix.patch
Patch5: 0005-Add-helper-to-run-a-single-test-case.patch
Patch6: 0006-Add-script-to-add-common-root-CAs.patch
Patch7: 0007-Add-optional-test-case-against-badssl.com.patch
################################################################################
# Build Dependencies
################################################################################
# autosetup
BuildRequires: git
BuildRequires: make
BuildRequires: cmake
BuildRequires: gcc-c++
BuildRequires: nspr-devel >= 4.13.1
BuildRequires: nss-devel >= 3.30
BuildRequires: nss-tools >= 3.30
BuildRequires: java-devel
BuildRequires: jpackage-utils
BuildRequires: slf4j
BuildRequires: glassfish-jaxb-api
%if 0%{?rhel} && 0%{?rhel} <= 7
# no slf4j-jdk14
%else
BuildRequires: slf4j-jdk14
%endif
BuildRequires: apache-commons-lang
BuildRequires: apache-commons-codec
BuildRequires: junit
Requires: nss >= 3.30
Requires: java-headless
Requires: jpackage-utils
Requires: slf4j
Requires: glassfish-jaxb-api
%if 0%{?rhel} && 0%{?rhel} <= 7
# no slf4j-jdk14
%else
Requires: slf4j-jdk14
%endif
Requires: apache-commons-lang
Requires: apache-commons-codec
Conflicts: ldapjdk < 4.20
Conflicts: idm-console-framework < 1.2
Conflicts: tomcatjss < 7.3.4
Conflicts: pki-base < 10.6.5
%description
Java Security Services (JSS) is a java native interface which provides a bridge
for java-based applications to use native Network Security Services (NSS).
This only works with gcj. Other JREs require that JCE providers be signed.
################################################################################
%package javadoc
################################################################################
Summary: Java Security Services (JSS) Javadocs
Group: Documentation
Requires: jss = %{version}-%{release}
%description javadoc
This package contains the API documentation for JSS.
################################################################################
%prep
%autosetup -n %{name}-%{version}%{?_phase} -p 1 -S git
################################################################################
%build
%set_build_flags
[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
# Enable compiler optimizations
export BUILD_OPT=1
# Generate symbolic info for debuggers
CFLAGS="-g $RPM_OPT_FLAGS"
export CFLAGS
# The Makefile is not thread-safe
rm -rf build && mkdir -p build && cd build
%cmake \
-DJAVA_HOME=%{java_home} \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
..
%{__make} all
%{__make} javadoc || true
ctest --output-on-failure
################################################################################
%install
# There is no install target so we'll do it by hand
# jars
install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
install -m 644 build/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
# We have to use the name libjss4.so because this is dynamically
# loaded by the jar file.
install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
install -m 0755 build/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
pushd ${RPM_BUILD_ROOT}%{_libdir}/jss
ln -fs %{_jnidir}/jss4.jar jss4.jar
popd
# javadoc
install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
cp -rp build/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
cp -p jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
# No ldconfig is required since this library is loaded by Java itself.
################################################################################
%files
%defattr(-,root,root,-)
%doc jss.html MPL-1.1.txt gpl.txt lgpl.txt
%{_libdir}/*
%{_jnidir}/*
################################################################################
%files javadoc
%defattr(-,root,root,-)
%{_javadocdir}/%{name}-%{version}/
################################################################################
%changelog
* Wed Sep 11 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-5
- Bugzilla #1747987 - CVE 2019-14823 jss: OCSP policy "Leaf and Chain" implicitly trusts the root certificate
* Wed Aug 14 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-4
- Red Hat Bugzilla #1698059 - pki-core implements crypto
* Tue Jul 16 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-3
- Red Hat Bugilla #1721135 - JSS - LD_FLAGS support
* Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-2
- Minor updates to release
* Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-1
- Rebased to JSS 4.6.0
* Thu Apr 25 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.3-1
- Rebased to JSS 4.5.3
* Fri Aug 10 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-1
- Rebased to JSS 4.5.0
* Tue Aug 07 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.6
- Rebased to JSS 4.5.0-b1
* Tue Aug 07 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.5
- Red Hat Bugzilla #1612063 - Do not override system crypto policy (support TLS 1.3)
* Fri Jul 20 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.4
- Rebased to JSS 4.5.0-a4
- Red Hat Bugzilla #1604462 - jss: FTBFS in Fedora rawhide
* Thu Jul 05 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.3
- Rebased to JSS 4.5.0-a3
* Fri Jun 22 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.2
- Rebased to JSS 4.5.0-a2
* Fri Jun 15 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.1
- Rebased to JSS 4.5.0-a1