Import from AlmaLinux stable repository

.gitignore

@@ -1 +1 @@
-SOURCES/jss-4.6.2.tar.gz
+SOURCES/jss-4.11.0.tar.gz

.jss.metadata

@@ -1 +1 @@
-4fea1d770e0882aa9c1c6c493bce9eb579b5c085 SOURCES/jss-4.6.2.tar.gz
+a068537cd958000dcd3b34847533101f95fc792b SOURCES/jss-4.11.0.tar.gz

SOURCES/0001-Fix-NativeProxy-reference-tracker.patch

@@ -1,53 +0,0 @@
-From 91514ca0a2979ba778d27220ced0cd312e2cd2d2 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Tue, 29 Oct 2019 10:43:56 -0400
-Subject: [PATCH] Fix NativeProxy reference tracker
-
-In eb5df01003d74b57473eacb84e538d31f5bb06ca, I introduced a bug by
-setting mPointer after trying to add NativeProxy to the registry. In
-most instances this won't matter, however, if another instance exists in
-the HashSet with the same hash value, the equals comparator will be
-used, triggering a NPE.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/util/NativeProxy.java | 13 +++++--------
- 1 file changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
-index 1c6d1aa5..a0811f76 100644
---- a/org/mozilla/jss/util/NativeProxy.java
-+++ b/org/mozilla/jss/util/NativeProxy.java
-@@ -40,8 +40,8 @@ public abstract class NativeProxy implements AutoCloseable
-      */
-     public NativeProxy(byte[] pointer) {
- 		assert(pointer!=null);
--        registry.add(this);
-         mPointer = pointer;
-+        registry.add(this);
- 
-         if (saveStacktraces) {
-             mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
-@@ -61,15 +61,12 @@ public abstract class NativeProxy implements AutoCloseable
-         if( ! (obj instanceof NativeProxy) ) {
-             return false;
-         }
--        if( ((NativeProxy)obj).mPointer.length != mPointer.length) {
-+        if (((NativeProxy)obj).mPointer == null) {
-+            /* If mPointer is null, we have no way to compare the values
-+             * of the pointers, so assume they're unequal. */
-             return false;
-         }
--        for(int i=0; i < mPointer.length; i++) {
--            if(mPointer[i] != ((NativeProxy)obj).mPointer[i]) {
--                return false;
--            }
--        }
--        return true;
-+        return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
-     }
- 
-     /**
--- 
-2.21.0
-

SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch

@@ -1,80 +0,0 @@
-From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Fri, 28 Feb 2020 14:10:32 -0500
-Subject: [PATCH 1/2] Fix swapped parameter names with PBE
-
-Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression
-related to extracting the parameter classes during PBE operations:
-previously, the classes of the underlying encryption algorithm were
-iterated over, instead of the classes of the PBE class itself. However,
-this commit iterated over the PBE parameter classes; no PBE algorithm
-accepts a IvParameterSpec, resulting in a null parameter passed to the
-later encryption or key wrap operation. This resulted in stack traces
-like the following:
-
-Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter
-	at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225)
-	at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89)
-	at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57)
-	at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342)
-
-Resolves: rh-bz#1807371
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/pkcs7/EncryptedContentInfo.java             | 2 +-
- org/mozilla/jss/pkix/cms/EncryptedContentInfo.java          | 2 +-
- org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
-index 084752c3..0344b14d 100644
---- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
-+++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
-@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value {
-         // generate IV
-         EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
-         AlgorithmParameterSpec params=null;
--        Class<?> [] paramClasses = pbeAlg.getParameterClasses();
-+        Class<?> [] paramClasses = encAlg.getParameterClasses();
-         for (int i = 0; i < paramClasses.length; i ++) {
-             if ( paramClasses[i].equals(
-                       javax.crypto.spec.IvParameterSpec.class ) ) {
-diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
-index a4709070..d85eb0d3 100644
---- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
-+++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
-@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value {
-         // generate IV
-         EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
-         AlgorithmParameterSpec params=null;
--        Class<?> [] paramClasses = pbeAlg.getParameterClasses();
-+        Class<?> [] paramClasses = encAlg.getParameterClasses();
-         for (int i = 0; i < paramClasses.length; i ++) {
-             if ( paramClasses[i].equals( IVParameterSpec.class ) ) {
-                 params = new IVParameterSpec( kg.generatePBE_IV() );
-diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-index b35714e3..ebd269f3 100644
---- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
-         // generate IV
-         EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
-         AlgorithmParameterSpec params=null;
--        Class<?> [] paramClasses = pbeAlg.getParameterClasses();
-+        Class<?> [] paramClasses = encAlg.getParameterClasses();
-         for (int i = 0; i < paramClasses.length; i ++) {
-             if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) {
-                 params = new IVParameterSpec( kg.generatePBE_IV() );
-@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
-         // generate IV
-         EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
-         AlgorithmParameterSpec params=null;
--        Class<?> [] paramClasses = pbeAlg.getParameterClasses();
-+        Class<?> [] paramClasses = encAlg.getParameterClasses();
-         for (int i = 0; i < paramClasses.length; i ++) {
-             if ( paramClasses[i].equals(
-                       javax.crypto.spec.IvParameterSpec.class ) ) {
--- 
-2.24.1
-

SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch

@@ -1,60 +0,0 @@
-From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Fri, 28 Feb 2020 14:39:29 -0500
-Subject: [PATCH 2/2] Use specified algorithm for KeyWrap
-
-When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
-called, it would always request DES3_CBC_PAD as the key wrapping
-algorithm, regardless of the input PBE key type. However, the other form
-(with an implicit token) was correctly handling this case.
-
-Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
-instead of having to convert to/from a String form.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/crypto/KeyWrapAlgorithm.java                | 5 ++++-
- org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
-index 3113f614..3a106977 100644
---- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
-+++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
-@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
- 
-     public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
-         OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
-+        return fromOID(oid);
-+    }
- 
-+    public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
-         if (oid.equals(AES_KEY_WRAP_PAD_OID))
-             return AES_KEY_WRAP_PAD;
- 
-@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
-         if (oid.equals(DES_CBC_PAD_OID))
-             return DES_CBC_PAD;
- 
--        throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
-+        throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
-     }
- }
-diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-index ebd269f3..abfc39a7 100644
---- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
-             }
-         }
- 
--        KeyWrapper wrapper = token.getKeyWrapper(
--                KeyWrapAlgorithm.DES3_CBC_PAD);
-+        // wrap the key
-+        KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
-         wrapper.initWrap(key, params);
-         byte encrypted[] = wrapper.wrap(pri);
- 
--- 
-2.24.1
-

SOURCES/0004-Remove-token-key-checks.patch

@@ -1,112 +0,0 @@
-From a3a91a8e85d7f05de3c85b0ae6ad1c80cf7c5b55 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Tue, 17 Mar 2020 12:54:49 -0400
-Subject: [PATCH 1/2] Remove token key checks
-
-Previously we enforced strict token key matching: the primary key used
-for the operation must strictly reside on the current PKCS#11 token,
-otherwise JSS would bail. However, NSS has the ability to move the key
-to whichever token best supports the given operation. This means that
-we'd prematurely bail when the operation would succeed if it were
-actually executed. By removing these checks, we still leave the ability
-to generate keys on a specific token, we just allow them to be used on
-whatever token supports the given operation (and the key is allowed to
-be moved to).
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/pkcs11/PK11Cipher.java        |  4 ----
- org/mozilla/jss/pkcs11/PK11KeyWrapper.java    | 22 -------------------
- org/mozilla/jss/pkcs11/PK11MessageDigest.java |  7 ------
- 3 files changed, 33 deletions(-)
-
-diff --git a/org/mozilla/jss/pkcs11/PK11Cipher.java b/org/mozilla/jss/pkcs11/PK11Cipher.java
-index 81b600a4..aac411a4 100644
---- a/org/mozilla/jss/pkcs11/PK11Cipher.java
-+++ b/org/mozilla/jss/pkcs11/PK11Cipher.java
-@@ -262,10 +262,6 @@ public final class PK11Cipher extends org.mozilla.jss.crypto.Cipher {
-         if( key==null ) {
-             throw new InvalidKeyException("Key is null");
-         }
--        if( ! key.getOwningToken().equals(token) ) {
--            throw new InvalidKeyException("Key does not reside on the "+
--                "current token");
--        }
-         if( ! (key instanceof PK11SymKey) ) {
-             throw new InvalidKeyException("Key is not a PKCS #11 key");
-         }
-diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
-index 28840a87..eee2984d 100644
---- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
-+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
-@@ -168,10 +168,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
-             throw new InvalidKeyException("Key is null");
-         }
-         try {
--            if( ! key.getOwningToken().equals(token) ) {
--                throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
--                    key.getOwningToken().getName());
--            }
-             if( ! (key instanceof PK11SymKey) ) {
-                 throw new InvalidKeyException("Key is not a PKCS #11 key");
-             }
-@@ -196,10 +192,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
-         if( key==null ) {
-             throw new InvalidKeyException("Key is null");
-         }
--        if( ! key.getOwningToken().equals(token) ) {
--            throw new InvalidKeyException("Key does not reside on the "+
--                "current token");
--        }
-         if( ! (key instanceof PK11PrivKey) ) {
-             throw new InvalidKeyException("Key is not a PKCS #11 key");
-         }
-@@ -299,13 +291,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
-             throw new InvalidKeyException("key to be wrapped is not a "+
-                 "PKCS #11 key");
-         }
--/* NSS is capable of moving keys appropriately,
--   so this call is prematurely bailing
--        if( ! symKey.getOwningToken().equals(token) ) {
--            throw new InvalidKeyException("key to be wrapped does not live"+
--                " on the same token as the wrapping key");
--        }
--*/
-     }
- 
-     /**
-@@ -320,13 +305,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
-             throw new InvalidKeyException("key to be wrapped is not a "+
-                 "PKCS #11 key");
-         }
--/* NSS is capable of moving keys appropriately,
--   so this call is prematurely bailing
--        if( ! privKey.getOwningToken().equals(token) ) {
--            throw new InvalidKeyException("key to be wrapped does not live"+
--                " on the same token as the wrapping key");
--        }
--*/
-     }
- 
-     /**
-diff --git a/org/mozilla/jss/pkcs11/PK11MessageDigest.java b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
-index cd732788..7a1a6dad 100644
---- a/org/mozilla/jss/pkcs11/PK11MessageDigest.java
-+++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
-@@ -47,13 +47,6 @@ public final class PK11MessageDigest extends JSSMessageDigest {
-         }
- 
-         hmacKey = (PK11SymKey) key;
--
--        if( ! key.getOwningToken().equals(token) ) {
--            hmacKey = null;
--            throw new InvalidKeyException(
--                "HMAC key does not live on the same token as this digest");
--        }
--
-         this.digestProxy = initHMAC(token, alg, hmacKey);
-     }
- 
--- 
-2.25.1
-

SOURCES/0005-Fix-NativeProxy-release.patch

@@ -1,147 +0,0 @@
-From e623f14abcee16b5dfc57d6956e0ab4bb526ba5b Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 8 Apr 2020 12:21:49 -0400
-Subject: [PATCH] Fix NativeProxy registry tracking
-
-When the switch was made to a HashSet-based registry in
-eb5df01003d74b57473eacb84e538d31f5bb06ca, NativeProxy didn't override
-hashCode(...). This resulted in calls to close() (and thus, finalize())
-not invoking the releaseNativeResources() function to release the
-underlying memory.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/util/NativeProxy.java | 55 +++++++++++++++++++++------
- 1 file changed, 44 insertions(+), 11 deletions(-)
-
-diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
-index a0811f76..385c49f9 100644
---- a/org/mozilla/jss/util/NativeProxy.java
-+++ b/org/mozilla/jss/util/NativeProxy.java
-@@ -9,8 +9,10 @@ import java.util.HashSet;
- import java.lang.AutoCloseable;
- import java.lang.Thread;
- import java.util.Arrays;
-+import java.util.concurrent.atomic.AtomicInteger;
- 
- import org.mozilla.jss.CryptoManager;
-+import org.mozilla.jss.netscape.security.util.Utils;
- 
- import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
-@@ -39,11 +41,13 @@ public abstract class NativeProxy implements AutoCloseable
-      * NativeProxy instance acts as a proxy for that native data structure.
-      */
-     public NativeProxy(byte[] pointer) {
--		assert(pointer!=null);
-+        assert(pointer!=null);
-+
-         mPointer = pointer;
--        registry.add(this);
-+        mHashCode = registryIndex.getAndIncrement();
- 
-         if (saveStacktraces) {
-+            registry.add(this);
-             mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
-         }
-     }
-@@ -55,18 +59,31 @@ public abstract class NativeProxy implements AutoCloseable
-      *      a different underlying native pointer.
-      */
-     public boolean equals(Object obj) {
--        if(obj==null) {
-+        if (obj == null) {
-             return false;
-         }
--        if( ! (obj instanceof NativeProxy) ) {
-+        if (!(obj instanceof NativeProxy)) {
-             return false;
-         }
--        if (((NativeProxy)obj).mPointer == null) {
--            /* If mPointer is null, we have no way to compare the values
--             * of the pointers, so assume they're unequal. */
-+        NativeProxy nObj = (NativeProxy) obj;
-+        if (this.mPointer == null || nObj.mPointer == null) {
-             return false;
-         }
--        return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
-+
-+        return Arrays.equals(this.mPointer, nObj.mPointer);
-+    }
-+
-+    /**
-+     * Hash code based around mPointer value.
-+     *
-+     * Note that Object.hashCode() isn't sufficient as it tries to determine
-+     * the Object's value based on all internal variables. Because we want a
-+     * single static hashCode that is unique to each instance of nativeProxy,
-+     * we construct it up front based on an incrementing counter and cache it
-+     * throughout the lifetime of this object.
-+     */
-+    public int hashCode() {
-+        return mHashCode;
-     }
- 
-     /**
-@@ -112,11 +129,11 @@ public abstract class NativeProxy implements AutoCloseable
-      */
-     public final void close() throws Exception {
-         try {
--            if (registry.remove(this)) {
-+            if (mPointer != null) {
-                 releaseNativeResources();
-             }
-         } finally {
--            mPointer = null;
-+            clear();
-         }
-     }
- 
-@@ -131,13 +148,16 @@ public abstract class NativeProxy implements AutoCloseable
-      */
-     public final void clear() {
-         this.mPointer = null;
--        registry.remove(this);
-+        if (saveStacktraces) {
-+            registry.remove(this);
-+        }
-     }
- 
-     /**
-      * Byte array containing native pointer bytes.
-      */
-     private byte mPointer[];
-+    private int mHashCode;
- 
-     /**
-      * String containing backtrace of pointer generation.
-@@ -158,6 +178,15 @@ public abstract class NativeProxy implements AutoCloseable
-      * releaseNativeResources() gets called.
-      */
-     static HashSet<NativeProxy> registry = new HashSet<NativeProxy>();
-+    static AtomicInteger registryIndex = new AtomicInteger();
-+
-+    public String toString() {
-+        if (mPointer == null) {
-+            return this.getClass().getName() + "[" + mHashCode + "@null]";
-+        }
-+
-+        return this.getClass().getName() + "[" + mHashCode + "@" + Utils.HexEncode(mPointer) + "]";
-+    }
- 
-     /**
-      * Internal helper to check whether or not assertions are enabled in the
-@@ -178,6 +207,10 @@ public abstract class NativeProxy implements AutoCloseable
-      * is thrown.
-      */
-     public synchronized static void assertRegistryEmpty() {
-+        if (!saveStacktraces) {
-+            return;
-+        }
-+
-         if (!registry.isEmpty()) {
-             logger.warn(registry.size() + " NativeProxys are still registered.");
- 
--- 
-2.25.2
-

SOURCES/0006-Fix-SSLSocket-closure.patch

@@ -1,108 +0,0 @@
-From 278ff534e0a30cb112e8c29de573bf45b4264ad2 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 15 Apr 2020 08:20:37 -0400
-Subject: [PATCH] Fix SSLSocket closure
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/ssl/SocketBase.java | 14 +++++++++++-
- org/mozilla/jss/ssl/common.c        | 34 +++++++++++++++++++----------
- 2 files changed, 36 insertions(+), 12 deletions(-)
-
-diff --git a/org/mozilla/jss/ssl/SocketBase.java b/org/mozilla/jss/ssl/SocketBase.java
-index 2c835913..27109369 100644
---- a/org/mozilla/jss/ssl/SocketBase.java
-+++ b/org/mozilla/jss/ssl/SocketBase.java
-@@ -106,7 +106,19 @@ class SocketBase {
-     static final int SSL_AF_INET6 = 51;
- 
-     void close() throws IOException {
--        socketClose();
-+        try {
-+            if (sockProxy != null) {
-+                socketClose();
-+                sockProxy.close();
-+            }
-+        } catch (Exception e) {
-+            String msg = "Unexpected exception while trying to finalize ";
-+            msg += "SocketProxy: " + e.getMessage();
-+
-+            throw new IOException(msg, e);
-+        } finally {
-+            sockProxy = null;
-+        }
-     }
- 
-     // SSLServerSocket and SSLSocket close methods
-diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c
-index 2db9fda1..2c52a9d6 100644
---- a/org/mozilla/jss/ssl/common.c
-+++ b/org/mozilla/jss/ssl/common.c
-@@ -333,21 +333,28 @@ JNIEXPORT void JNICALL
- Java_org_mozilla_jss_ssl_SocketProxy_releaseNativeResources
-     (JNIEnv *env, jobject this)
- {
--    /* SSLSocket.close and SSLServerSocket.close call	  */
--    /* SocketBase.close to destroy all native Resources */
--    /* attached to the socket. There is no native resource */
--    /* to release after close has been called. This method  */
--    /* remains because SocketProxy extends org.mozilla.jss.util.NativeProxy*/
--    /* which defines releaseNativeResources as abstract and */
--    /* therefore must be implemented by SocketProxy */
-+    JSSL_SocketData *sockdata;
-+
-+    PR_ASSERT(env != NULL && this != NULL);
-+
-+    if (JSS_getPtrFromProxy(env, this, (void**)&sockdata) != PR_SUCCESS) {
-+        return;
-+    }
-+
-+    JSSL_DestroySocketData(env, sockdata);
- }
- 
- void
- JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd)
- {
--    PR_ASSERT(sd != NULL);
-+    if (sd == NULL) {
-+        return;
-+    }
- 
--    PR_Close(sd->fd);
-+    if (sd->fd != NULL) {
-+        PR_Close(sd->fd);
-+        sd->fd = NULL;
-+    }
- 
-     if( sd->socketObject != NULL ) {
-         DELETE_WEAK_GLOBAL_REF(env, sd->socketObject );
-@@ -367,6 +374,8 @@ JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd)
-     if( sd->lock != NULL ) {
-         PR_DestroyLock(sd->lock);
-     }
-+
-+    memset(sd, 0, sizeof(JSSL_SocketData));
-     PR_Free(sd);
- }
- 
-@@ -540,12 +549,15 @@ Java_org_mozilla_jss_ssl_SocketBase_socketClose(JNIEnv *env, jobject self)
-     JSSL_SocketData *sock = NULL;
- 
-     /* get the FD */
--    if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) {
-+    if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS || sock == NULL) {
-         /* exception was thrown */
-         return;
-     }
- 
--    JSSL_DestroySocketData(env, sock);
-+    if (sock->fd != NULL) {
-+        PR_Close(sock->fd);
-+        sock->fd = NULL;
-+    }
- }
- 
- JNIEXPORT void JNICALL
--- 
-2.25.2
-

SPECS/jss.spec

@@ -2,13 +2,23 @@
 Name:           jss
 ################################################################################
 
+%global         product_id idm-jss
+
+# Upstream version number:
+%global         major_version 4
+%global         minor_version 11
+%global         update_version 0
+
 Summary:        Java Security Services (JSS)
-URL:            http://www.dogtagpki.org/wiki/JSS
+URL:            https://github.com/dogtagpki/jss
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 
-Version:        4.6.2
-Release:        6%{?_timestamp}%{?_commit_id}%{?dist}
-# global         _phase -a1
+# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
+# For official (i.e. supported) releases, use x.y.z-r where r >=1.
+%global         release_number 1
+Version:        %{major_version}.%{minor_version}.%{update_version}
+Release:        %{release_number}%{?_timestamp}%{?_commit_id}%{?dist}
+#global         _phase -alpha1
 
 # To generate the source tarball:
 # $ git clone https://github.com/dogtagpki/jss.git
@@ -17,7 +27,11 @@ Release:        6%{?_timestamp}%{?_commit_id}%{?dist}
 # $ git push origin v4.5.<z>
 # Then go to https://github.com/dogtagpki/jss/releases and download the source
 # tarball.
-Source:         https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phase}/%{name}-%{version}%{?_phase}.tar.gz
+Source:         https://github.com/dogtagpki/jss/archive/v%{version}%{?_phase}/jss-%{version}%{?_phase}.tar.gz
+
+# md2man not available on i686
+ExcludeArch: i686
+
 
 # To create a patch for all changes since a version tag:
 # $ git format-patch \
@@ -25,85 +39,111 @@ Source:         https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
 #     <version tag> \
 #     > jss-VERSION-RELEASE.patch
 # Patch: jss-VERSION-RELEASE.patch
-Patch0: 0001-Fix-NativeProxy-reference-tracker.patch
-Patch1: 0002-Fix-swapped-parameter-names-with-PBE.patch
-Patch3: 0003-Use-specified-algorithm-for-KeyWrap.patch
-Patch4: 0004-Remove-token-key-checks.patch
-Patch5: 0005-Fix-NativeProxy-release.patch
-Patch6: 0006-Fix-SSLSocket-closure.patch
+
+################################################################################
+# Java
+################################################################################
+
+%if 0%{?fedora} && 0%{?fedora} <= 32 || 0%{?rhel} && 0%{?rhel} <= 8
+%define java_devel java-1.8.0-openjdk-devel
+%define java_headless java-1.8.0-openjdk-headless
+%define java_home /usr/lib/jvm/jre-1.8.0-openjdk
+%else
+%define java_devel java-11-openjdk-devel
+%define java_headless java-11-openjdk-headless
+%define java_home /usr/lib/jvm/jre-11-openjdk
+%endif
+
+################################################################################
+# Build Options
+################################################################################
+
+# By default the build will execute unit tests unless --without tests
+# option is specified.
+
+%bcond_without tests
 
 ################################################################################
 # Build Dependencies
 ################################################################################
 
-# autosetup
-BuildRequires:  git
 BuildRequires:  make
-BuildRequires:  cmake
+BuildRequires:  cmake >= 3.14
+BuildRequires:  zip
+BuildRequires:  unzip
 
 BuildRequires:  gcc-c++
-BuildRequires:  nspr-devel >= 4.13.1
-BuildRequires:  nss-devel >= 3.30
-BuildRequires:  nss-tools >= 3.30
-BuildRequires:  java-devel
+BuildRequires:  nss-devel >= 3.44
+BuildRequires:  nss-tools >= 3.44
+BuildRequires:  %{java_devel}
 BuildRequires:  jpackage-utils
 BuildRequires:  slf4j
 BuildRequires:  glassfish-jaxb-api
-%if 0%{?rhel} && 0%{?rhel} <= 7
-# no slf4j-jdk14
-%else
 BuildRequires:  slf4j-jdk14
-%endif
-BuildRequires:  apache-commons-lang
-BuildRequires:  apache-commons-codec
+BuildRequires:  apache-commons-lang3
 
 BuildRequires:  junit
 
-Requires:       nss >= 3.30
-Requires:       java-headless
-Requires:       jpackage-utils
-Requires:       slf4j
-Requires:       glassfish-jaxb-api
-%if 0%{?rhel} && 0%{?rhel} <= 7
-# no slf4j-jdk14
-%else
-Requires:       slf4j-jdk14
-%endif
-Requires:       apache-commons-lang
-Requires:       apache-commons-codec
-
-Conflicts:      ldapjdk < 4.20
-Conflicts:      idm-console-framework < 1.2
-Conflicts:      tomcatjss < 7.3.4
-Conflicts:      pki-base < 10.6.5
-
 %description
 Java Security Services (JSS) is a java native interface which provides a bridge
 for java-based applications to use native Network Security Services (NSS).
 This only works with gcj. Other JREs require that JCE providers be signed.
 
 ################################################################################
-%package javadoc
+%package -n %{product_id}
+################################################################################
+
+Summary:        Java Security Services (JSS)
+
+Requires:       nss >= 3.44
+Requires:       %{java_headless}
+Requires:       jpackage-utils
+Requires:       slf4j
+Requires:       glassfish-jaxb-api
+Requires:       slf4j-jdk14
+Requires:       apache-commons-lang3
+
+Obsoletes:      jss < %{version}-%{release}
+Provides:       jss = %{version}-%{release}
+Provides:       jss = %{major_version}.%{minor_version}
+Provides:       %{product_id} = %{major_version}.%{minor_version}
+
+Conflicts:      ldapjdk < 4.20
+Conflicts:      idm-console-framework < 1.2
+Conflicts:      tomcatjss < 7.6.0
+Conflicts:      pki-base < 10.10.0
+
+%description -n %{product_id}
+Java Security Services (JSS) is a java native interface which provides a bridge
+for java-based applications to use native Network Security Services (NSS).
+This only works with gcj. Other JREs require that JCE providers be signed.
+
+################################################################################
+%package -n %{product_id}-javadoc
 ################################################################################
 
 Summary:        Java Security Services (JSS) Javadocs
-Requires:       jss = %{version}-%{release}
 
-%description javadoc
+Obsoletes:      jss-javadoc < %{version}-%{release}
+Provides:       jss-javadoc = %{version}-%{release}
+Provides:       jss-javadoc = %{major_version}.%{minor_version}
+Provides:       %{product_id}-javadoc = %{major_version}.%{minor_version}
+
+%description -n %{product_id}-javadoc
 This package contains the API documentation for JSS.
 
 ################################################################################
 %prep
+################################################################################
 
-%autosetup -n %{name}-%{version}%{?_phase} -p 1 -S git
+%autosetup -n jss-%{version}%{?_phase} -p 1
 
 ################################################################################
 %build
+################################################################################
 
 %set_build_flags
 
-[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
-
 # Enable compiler optimizations
 export BUILD_OPT=1
 
@@ -115,64 +155,134 @@ export CFLAGS
 modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
 
 # The Makefile is not thread-safe
-rm -rf build && mkdir -p build && cd build
 %cmake \
+    -DVERSION=%{version} \
     -DJAVA_HOME=%{java_home} \
     -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
-    ..
+    -DJSS_LIB_INSTALL_DIR=%{_libdir}/jss \
+    -B %{_vpath_builddir}
 
-%{__make} all
-%{__make} javadoc || true
+cd %{_vpath_builddir}
+
+%{__make} \
+    VERBOSE=%{?_verbose} \
+    CMAKE_NO_VERBOSE=1 \
+    --no-print-directory \
+    all
+
+%{__make} \
+    VERBOSE=%{?_verbose} \
+    CMAKE_NO_VERBOSE=1 \
+    --no-print-directory \
+    javadoc
+
+%if %{with tests}
 ctest --output-on-failure
+%endif
 
 ################################################################################
 %install
-
-# There is no install target so we'll do it by hand
-
-# jars
-install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
-install -m 644 build/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
-
-# We have to use the name libjss4.so because this is dynamically
-# loaded by the jar file.
-install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
-install -m 0755 build/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
-pushd  ${RPM_BUILD_ROOT}%{_libdir}/jss
-    ln -fs %{_jnidir}/jss4.jar jss4.jar
-popd
-
-# javadoc
-install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -rp build/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -p jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-
-# No ldconfig is required since this library is loaded by Java itself.
 ################################################################################
-%files
+
+cd %{_vpath_builddir}
+
+%{__make} \
+    VERBOSE=%{?_verbose} \
+    CMAKE_NO_VERBOSE=1 \
+    DESTDIR=%{buildroot} \
+    INSTALL="install -p" \
+    --no-print-directory \
+    install
+
+################################################################################
+%files -n %{product_id}
+################################################################################
 
 %defattr(-,root,root,-)
-%doc jss.html MPL-1.1.txt gpl.txt lgpl.txt
+%doc jss.html
+%license MPL-1.1.txt gpl.txt lgpl.txt
 %{_libdir}/*
 %{_jnidir}/*
 
 ################################################################################
-%files javadoc
+%files -n %{product_id}-javadoc
+################################################################################
 
 %defattr(-,root,root,-)
-%{_javadocdir}/%{name}-%{version}/
+%{_javadocdir}/jss-%{version}/
 
 ################################################################################
 %changelog
-* Wed Apr 15 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-6
-- NativeProxy never calls releaseNativeResources - Memory Leak
-  Additional patch to fix SSLSocket resource freeing
-  Bugzilla #1822402
+* Thu Feb 08 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 4.11.0-1
+- Rebase to JSS 4.11.0
 
-* Tue Apr 14 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-5
-- NativeProxy never calls releaseNativeResources - Memory Leak
-  Bugzilla #1822402
+* Tue Jan 16 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 4.10.0-0.1
+- Rebase to JSS 4.10.0-alpha1
+
+* Fri Jan 12 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.8-1
+- Rebase to JSS 4.9.8
+
+* Wed Jun 01 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.4-1
+- Rebase to JSS 4.9.4
+- Bug 2013674 - JSS cannot be properly initialized after using another NSS-backed security provider
+
+* Tue Feb 15 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.3-1
+- Rebase to JSS 4.9.3
+- Bug 2046022 - CVE-2021-4213 pki-core:10.6/jss: memory leak in TLS connection leads to OOM [rhel-8]
+
+* Mon Nov 15 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.2-1
+- Rebase to JSS 4.9.2
+
+* Tue Sep 21 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.1-1
+- Rebase to JSS 4.9.1
+
+* Mon Jul 26 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-1
+- Rebase to JSS 4.9.0
+
+* Fri Jun 11 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-0.2
+- Rebase to JSS 4.9.0-alpha2
+
+* Wed Jun 02 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.9.0-0.1
+- Rebase to JSS 4.9.0-alpha1
+
+* Thu Jan 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-1
+- Rebase to upstream JSS v4.8.1
+- Red Hat Bugilla #1908541 - jss broke SCEP - missing PasswordChallenge class
+- Red Hat Bugilla #1489256 - [RFE] jss should support RSA with OAEP padding
+
+* Wed Nov 18 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.0-2
+- Only check PKCS11Constants on beta builds
+- Bump tomcatjss, pki-core conflicts due to lang3
+
+* Wed Oct 28 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.0-1
+- Rebase to upstream JSS v4.8.0
+
+* Tue Oct 20 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.0-0.1
+- Rebase to upstream JSS v4.8.0-b1
+
+* Fri Sep 11 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.3-1
+- Rebase to upstream stable release JSS v4.7.3
+- Red Hat Bugzilla #1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add
+
+* Thu Aug 06 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.2-1
+- Rebase to upstream stable release JSS v4.7.2
+- Red Hat Bugzilla #1822246 - Fix SSLSocket NULL pointer deference after close
+
+* Fri Jul 31 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.1-1
+- Rebase to upstream stable release JSS v4.7.1
+
+* Thu Jul 09 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-1
+- Rebase to upstream stable release JSS v4.7.0
+- Fixed TestSSLEngine
+
+* Thu Jun 25 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.4
+- Rebased to JSS 4.7.0-b4
+
+* Mon Jun 22 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.3
+- Rebased to JSS 4.7.0-b3
+
+* Tue May 26 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.1
+- Rebased to JSS 4.7.0-b1
 
 * Mon Mar 23 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-4
 - Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing