rpms/jss
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode

Browse Source 
and ECC algorithms (support tokens that don't do ECDH)
This commit is contained in:
Kevin Wright 2011-05-20 14:54:39 -07:00
parent 99194bb413
commit fca747ec0d
3 changed files with 80 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
clog
View File

@ -1 +1,2 @@
- added missing patch line
Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode
and ECC algorithms (support tokens that don't do ECDH)

62
jss-ECC-HSM-FIPS.patch Normal file
View File

@ -0,0 +1,62 @@
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig 2011-05-18 10:01:36.792151000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-05-18 10:06:07.483691000 -0700
@@ -110,6 +110,7 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
/* 47 */ {SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE, SEC_OID_TAG},
/* 48 */ {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG},
/* 49 */ {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG},
+/* 50 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
/* REMEMBER TO UPDATE NUM_ALGS!!! */
};
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig 2011-05-18 10:01:43.561164000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2011-05-18 10:06:07.489690000 -0700
@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
JSS_AlgType type;
} JSS_AlgInfo;
-#define NUM_ALGS 50
+#define NUM_ALGS 51
extern JSS_AlgInfo JSS_AlgTable[];
extern CK_ULONG JSS_symkeyUsage[];
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig 2011-05-18 10:01:51.232179000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2011-05-18 10:06:07.493690000 -0700
@@ -232,5 +232,6 @@ public class Algorithm {
protected static final short SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47;
protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
+ protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50;
}
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig 2011-05-18 10:02:01.056198000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java 2011-05-18 13:46:33.452948000 -0700
@@ -94,7 +94,12 @@ public class KeyPairAlgorithm extends Al
DSAFamily = new Algorithm(SEC_OID_ANSIX9_DSA_SIGNATURE, "DSA");
public static final Algorithm
- ECFamily = new Algorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY, "EC");
+
+// To support both ECDSA and ECDH, it is best to provide two EC Families;
+// However, since there is no token that does only CKM_DERIVE to
+// date, we will just do ECDSA for now as it is sufficient enough today.
+// This fix will support tokens that do not do ECDH
+ ECFamily = new Algorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, "EC");
public static final KeyPairAlgorithm
RSA = new KeyPairAlgorithm(CKM_RSA_PKCS_KEY_PAIR_GEN, "RSA", RSAFamily);
diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java
--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig 2011-05-18 10:02:10.696218000 -0700
+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java 2011-05-18 10:06:07.496691000 -0700
@@ -124,7 +124,7 @@ public class SignatureAlgorithm extends
* operates on its input, which should be a hash.
*/
public static final SignatureAlgorithm
- ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY,
+ ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST,
"EC",
null, null, ANSI_X962_OID.subBranch(2).subBranch(1) );

17
jss.spec
View File

@ -1,6 +1,6 @@
Name: jss
Version: 4.2.6
Release: 14%{?dist}
Release: 17%{?dist}
Summary: Java Security Services (JSS)
Group: System Environment/Libraries
@ -32,6 +32,8 @@ Patch7: jss-ECC_keygen_byCurveName.patch
Patch8: jss-VerifyCertificate.patch
Patch9: jss-bad-error-string-pointer.patch
Patch10: jss-VerifyCertificateReturnCU.patch
#Patch11: jss-slots-not-freed.patch
Patch12: jss-ECC-HSM-FIPS.patch
%description
@ -59,6 +61,8 @@ This package contains the API documentation for JSS.
%patch8 -p1
%patch9 -p1
%patch10 -p1
#%patch11 -p1
%patch12 -p1
%build
[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
@ -142,6 +146,17 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Wed May 18 2011 Christina Fu <cfu@redhat.com> - 4.2.6-17
- Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode
and ECC algorithms (support tokens that don't do ECDH)
* Fri Apr 08 2011 Jack Magne <jmagne@redhat.com> - 4.2.6-15.99
- bug 694661 - TKS instance crash during token enrollment.
Back out of previous patch for #676083.
* Thu Feb 24 2011 Andrew Wnuk <awnuk@redhat.com> - 4.2.6-15
- bug 676083 - JSS: slots not freed
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild