4 changed files with 175 additions and 139 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/jss-4.6.0.tar.gz
+SOURCES/jss-4.9.4.tar.gz
--- a/.jss.metadata
+++ b/.jss.metadata
@ -1 +1 @@
-3d6d2d885129e0d7d8ebac5dfe9055c693a7a9b1 SOURCES/jss-4.6.0.tar.gz
+b99d8fd7a9296f7cf480ca92a097dcf18c41eb53 SOURCES/jss-4.9.4.tar.gz
--- a/SOURCES/jss-disable-buffer-based-tests.patch
+++ b/SOURCES/jss-disable-buffer-based-tests.patch
@ -1,71 +0,0 @@
-From d7d6d769b510118e40d9c0919317665c4c9feb8d Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <alexander.m.scheel@gmail.com>
-Date: Wed, 12 Jun 2019 17:17:45 -0400
-Subject: [PATCH] Disable buffer-based tests
-
-Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
---
- cmake/JSSTests.cmake | 33 ---------------------------------
- 1 file changed, 33 deletions(-)
-
-diff --git a/cmake/JSSTests.cmake b/cmake/JSSTests.cmake
-index b389be5c..473d7d4d 100644
--- a/cmake/JSSTests.cmake
-+++ b/cmake/JSSTests.cmake
-@@ -78,24 +78,6 @@ macro(jss_tests)
-         NAME "BigObjectIdentifier"
-         COMMAND "org.mozilla.jss.tests.BigObjectIdentifier"
-     )
-    jss_test_java(
-        NAME "JSS_Test_PR_FileDesc"
-        COMMAND "org.mozilla.jss.tests.TestPRFD"
-    )
-    jss_test_java(
-        NAME "JSS_Test_Raw_SSL"
-        COMMAND "org.mozilla.jss.tests.TestRawSSL" "${RESULTS_NSSDB_OUTPUT_DIR}"
-        DEPENDS "Setup_DBs"
-    )
-    jss_test_java(
-        NAME "JSS_Test_Buffer"
-        COMMAND "org.mozilla.jss.tests.TestBuffer"
-    )
-    jss_test_java(
-        NAME "JSS_Test_BufferPRFD"
-        COMMAND "org.mozilla.jss.tests.TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
-        DEPENDS "List_CA_certs"
-    )
-     if ((${Java_VERSION_MAJOR} EQUAL 1) AND (${Java_VERSION_MINOR} LESS 9))
-         jss_test_java(
-             NAME "Test_PKCS11Constants.java_for_Sun_compatibility"
-@@ -126,16 +108,6 @@ macro(jss_tests)
-         NAME "JUnit_UTF8StringTest"
-         COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.UTF8StringTest"
-     )
-    jss_test_exec(
-        NAME "buffer_size_1"
-        COMMAND "${BIN_OUTPUT_DIR}/buffer_size_1"
-        DEPENDS "generate_c_buffer_size_1"
-    )
-    jss_test_exec(
-        NAME "buffer_size_4"
-        COMMAND "${BIN_OUTPUT_DIR}/buffer_size_4"
-        DEPENDS "generate_c_buffer_size_4"
-    )
-     jss_test_java(
-         NAME "JUnit_ChainSortingTest"
-         COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.ChainSortingTest"
-@@ -180,11 +152,6 @@ macro(jss_tests)
-         COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH}" "50"
-         DEPENDS "List_CA_certs"
-     )
-    jss_test_exec(
-        NAME "TestBufferPRFD"
-        COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
-        DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
-    )
-     jss_test_java(
-         NAME "Key_Generation"
-         COMMAND "org.mozilla.jss.tests.TestKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
-- 
-2.21.0
-
--- a/SPECS/jss.spec
+++ b/SPECS/jss.spec
@ -2,13 +2,19 @@
 Name:           jss
 ################################################################################

+%global         major_version 4
+%global         minor_version 9
+%global         update_version 4
+
 Summary:        Java Security Services (JSS)
 URL:            http://www.dogtagpki.org/wiki/JSS
 License:        MPLv1.1 or GPLv2+ or LGPLv2+

-Version:        4.6.0
-Release:        2%{?_timestamp}%{?_commit_id}%{?dist}
-# global         _phase -a1
+# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
+# For official (i.e. supported) releases, use x.y.z-r where r >=1.
+Version:        %{major_version}.%{minor_version}.%{update_version}
+Release:        1%{?_timestamp}%{?_commit_id}%{?dist}
+#global         _phase -alpha1

 # To generate the source tarball:
 # $ git clone https://github.com/dogtagpki/jss.git
@ -24,52 +30,66 @@ Source:         https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
 #     --stdout \
 #     <version tag> \
 #     > jss-VERSION-RELEASE.patch
-Patch: jss-disable-buffer-based-tests.patch
+# Patch: jss-VERSION-RELEASE.patch
+
+################################################################################
+# Java
+################################################################################
+
+%if 0%{?fedora} && 0%{?fedora} <= 32 || 0%{?rhel} && 0%{?rhel} <= 8
+%define java_devel java-1.8.0-openjdk-devel
+%define java_headless java-1.8.0-openjdk-headless
+%define java_home /usr/lib/jvm/jre-1.8.0-openjdk
+%else
+%define java_devel java-11-openjdk-devel
+%define java_headless java-11-openjdk-headless
+%define java_home /usr/lib/jvm/jre-11-openjdk
+%endif
+
+################################################################################
+# Build Options
+################################################################################
+
+# By default the build will execute unit tests unless --without test
+# option is specified.
+
+%bcond_without test

 ################################################################################
 # Build Dependencies
 ################################################################################

-# autosetup
-BuildRequires:  git
 BuildRequires:  make
-BuildRequires:  cmake
+BuildRequires:  cmake >= 3.14
+BuildRequires:  zip
+BuildRequires:  unzip

 BuildRequires:  gcc-c++
-BuildRequires:  nspr-devel >= 4.13.1
-BuildRequires:  nss-devel >= 3.30
-BuildRequires:  nss-tools >= 3.30
-BuildRequires:  java-devel
+BuildRequires:  nss-devel >= 3.44
+BuildRequires:  nss-tools >= 3.44
+BuildRequires:  %{java_devel}
 BuildRequires:  jpackage-utils
 BuildRequires:  slf4j
 BuildRequires:  glassfish-jaxb-api
-%if 0%{?rhel} && 0%{?rhel} <= 7
-# no slf4j-jdk14
-%else
 BuildRequires:  slf4j-jdk14
-%endif
-BuildRequires:  apache-commons-lang
-BuildRequires:  apache-commons-codec
+BuildRequires:  apache-commons-lang3

 BuildRequires:  junit

-Requires:       nss >= 3.30
-Requires:       java-headless
+Requires:       nss >= 3.44
+Requires:       %{java_headless}
 Requires:       jpackage-utils
 Requires:       slf4j
 Requires:       glassfish-jaxb-api
-%if 0%{?rhel} && 0%{?rhel} <= 7
-# no slf4j-jdk14
-%else
 Requires:       slf4j-jdk14
-%endif
-Requires:       apache-commons-lang
-Requires:       apache-commons-codec
+Requires:       apache-commons-lang3
+
+Provides:       jss = %{major_version}.%{minor_version}

 Conflicts:      ldapjdk < 4.20
 Conflicts:      idm-console-framework < 1.2
-Conflicts:      tomcatjss < 7.3.4
-Conflicts:      pki-base < 10.6.5
+Conflicts:      tomcatjss < 7.6.0
+Conflicts:      pki-base < 10.10.0

 %description
 Java Security Services (JSS) is a java native interface which provides a bridge
@ -81,8 +101,8 @@ This only works with gcj. Other JREs require that JCE providers be signed.
 ################################################################################

 Summary:        Java Security Services (JSS) Javadocs
-Group:          Documentation
-Requires:       jss = %{version}-%{release}
+
+Provides:       javadoc = %{major_version}.%{minor_version}

 %description javadoc
 This package contains the API documentation for JSS.
@ -90,15 +110,13 @@ This package contains the API documentation for JSS.
 ################################################################################
 %prep

-%autosetup -n %{name}-%{version}%{?_phase} -p 1 -S git
+%autosetup -n %{name}-%{version}%{?_phase} -p 1

 ################################################################################
 %build

 %set_build_flags

-[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
-
 # Enable compiler optimizations
 export BUILD_OPT=1

@ -106,46 +124,54 @@ export BUILD_OPT=1
 CFLAGS="-g $RPM_OPT_FLAGS"
 export CFLAGS

+# Check if we're in FIPS mode
+modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
+
 # The Makefile is not thread-safe
-rm -rf build && mkdir -p build && cd build
 %cmake \
+    -DVERSION=%{version} \
    -DJAVA_HOME=%{java_home} \
    -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
-    ..
+    -DJSS_LIB_INSTALL_DIR=%{_libdir}/jss \
+    -B %{_vpath_builddir}

-%{__make} all
-%{__make} javadoc || true
+cd %{_vpath_builddir}
+
+%{__make} \
+    VERBOSE=%{?_verbose} \
+    CMAKE_NO_VERBOSE=1 \
+    --no-print-directory \
+    all
+
+%{__make} \
+    VERBOSE=%{?_verbose} \
+    CMAKE_NO_VERBOSE=1 \
+    --no-print-directory \
+    javadoc
+
+%if %{with test}
 ctest --output-on-failure
+%endif

 ################################################################################
 %install

-# There is no install target so we'll do it by hand
+cd %{_vpath_builddir}

-# jars
-install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
-install -m 644 build/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
+%{__make} \
+    VERBOSE=%{?_verbose} \
+    CMAKE_NO_VERBOSE=1 \
+    DESTDIR=%{buildroot} \
+    INSTALL="install -p" \
+    --no-print-directory \
+    install

-# We have to use the name libjss4.so because this is dynamically
-# loaded by the jar file.
-install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
-install -m 0755 build/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
-pushd  ${RPM_BUILD_ROOT}%{_libdir}/jss
-    ln -fs %{_jnidir}/jss4.jar jss4.jar
-popd
-
-# javadoc
-install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -rp build/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -p jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-
-# No ldconfig is required since this library is loaded by Java itself.
 ################################################################################
 %files

 %defattr(-,root,root,-)
-%doc jss.html MPL-1.1.txt gpl.txt lgpl.txt
+%doc jss.html
+%license MPL-1.1.txt gpl.txt lgpl.txt
 %{_libdir}/*
 %{_jnidir}/*

@ -157,33 +183,114 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}

 ################################################################################
 %changelog
-* Wed Jun 12 2019 Dogtag PKI Team <pki-devel@redhat.com> 4.6.0-2
+* Wed Jun 01 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.4-1
+- Rebase to JSS 4.9.4
+- Bug 2013674 - JSS cannot be properly initialized after using another NSS-backed security provider
+
+* Tue Feb 15 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.3-1
+- Rebase to JSS 4.9.3
+- Bug 2046022 - CVE-2021-4213 pki-core:10.6/jss: memory leak in TLS connection leads to OOM [rhel-8]
+
+* Mon Nov 15 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.2-1
+- Rebase to JSS 4.9.2
+
+* Tue Sep 21 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.1-1
+- Rebase to JSS 4.9.1
+
+* Mon Jul 26 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-1
+- Rebase to JSS 4.9.0
+
+* Fri Jun 11 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-0.2
+- Rebase to JSS 4.9.0-alpha2
+
+* Wed Jun 02 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-0.1
+- Rebase to JSS 4.9.0-alpha1
+
+* Thu Jan 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-1
+- Rebase to upstream JSS v4.8.1
+- Red Hat Bugilla #1908541 - jss broke SCEP - missing PasswordChallenge class
+- Red Hat Bugilla #1489256 - [RFE] jss should support RSA with OAEP padding
+
+* Wed Nov 18 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.0-2
+- Only check PKCS11Constants on beta builds
+- Bump tomcatjss, pki-core conflicts due to lang3
+
+* Wed Oct 28 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.0-1
+- Rebase to upstream JSS v4.8.0
+
+* Tue Oct 20 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.0-0.1
+- Rebase to upstream JSS v4.8.0-b1
+
+* Fri Sep 11 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.3-1
+- Rebase to upstream stable release JSS v4.7.3
+- Red Hat Bugzilla #1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add
+
+* Thu Aug 06 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.2-1
+- Rebase to upstream stable release JSS v4.7.2
+- Red Hat Bugzilla #1822246 - Fix SSLSocket NULL pointer deference after close
+
+* Fri Jul 31 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.1-1
+- Rebase to upstream stable release JSS v4.7.1
+
+* Thu Jul 09 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-1
+- Rebase to upstream stable release JSS v4.7.0
+- Fixed TestSSLEngine
+
+* Thu Jun 25 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.4
+- Rebased to JSS 4.7.0-b4
+
+* Mon Jun 22 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.3
+- Rebased to JSS 4.7.0-b3
+
+* Tue May 26 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.1
+- Rebased to JSS 4.7.0-b1
+
+* Mon Mar 23 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-4
+- Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing
+
+* Mon Mar 02 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-3
+- Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing
+
+* Tue Oct 29 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-2
+- Red Hat Bugzilla #1730767 - JSS: Wrap NSS CMAC + KDF implementations
+- Rebased to JSS 4.6.2
+
+* Wed Sep 11 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-5
+- Red Hat Bugzilla #1747987 - CVE 2019-14823 jss: OCSP policy "Leaf and Chain" implicitly trusts the root certificate
+
+* Wed Aug 14 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-4
+- Red Hat Bugzilla #1698059 - pki-core implements crypto
+
+* Tue Jul 16 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-3
+- Red Hat Bugzilla #1721135 - JSS - LD_FLAGS support
+
+* Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-2
 - Minor updates to release

-* Wed Jun 12 2019 Dogtag PKI Team <pki-devel@redhat.com> 4.6.0-1
+* Wed Jun 12 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.0-1
 - Rebased to JSS 4.6.0

-* Thu Apr 25 2019 Dogtag PKI Team <pki-devel@redhat.com> 4.5.3-1
+* Thu Apr 25 2019 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.3-1
 - Rebased to JSS 4.5.3

-* Fri Aug 10 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-1
+* Fri Aug 10 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-1
 - Rebased to JSS 4.5.0

-* Tue Aug 07 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0.6
+* Tue Aug 07 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.6
 - Rebased to JSS 4.5.0-b1

-* Tue Aug 07 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0.5
+* Tue Aug 07 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.5
 - Red Hat Bugzilla #1612063 - Do not override system crypto policy (support TLS 1.3)

-* Fri Jul 20 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0.4
+* Fri Jul 20 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.4
 - Rebased to JSS 4.5.0-a4
 - Red Hat Bugzilla #1604462 - jss: FTBFS in Fedora rawhide

-* Thu Jul 05 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0.3
+* Thu Jul 05 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.3
 - Rebased to JSS 4.5.0-a3

-* Fri Jun 22 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0.2
+* Fri Jun 22 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.2
 - Rebased to JSS 4.5.0-a2

-* Fri Jun 15 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0.1
+* Fri Jun 15 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 4.5.0-0.1
 - Rebased to JSS 4.5.0-a1