From 301f9b7dccecc38cb8be92d2ef9d5272d2707f87 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Fri, 10 Jul 2020 01:28:09 +0000
Subject: [PATCH] import tomcatjss-7.5.0-0.2.module+el8.3.0+7178+12af6fad
---
.gitignore | 1 +
.tomcatjss.metadata | 1 +
...ry-for-JSSKeyManager-JSSTrustManager.patch | 89 +++++++
SPECS/tomcatjss.spec | 231 ++++++++++++++++++
4 files changed, 322 insertions(+)
create mode 100644 .gitignore
create mode 100644 .tomcatjss.metadata
create mode 100644 SOURCES/0001-Use-factory-for-JSSKeyManager-JSSTrustManager.patch
create mode 100644 SPECS/tomcatjss.spec
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e5a3916
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/tomcatjss-7.5.0-a1.tar.gz
diff --git a/.tomcatjss.metadata b/.tomcatjss.metadata
new file mode 100644
index 0000000..0363b74
--- /dev/null
+++ b/.tomcatjss.metadata
@@ -0,0 +1 @@
+731bf76056488deb18c0794f921606af7a428900 SOURCES/tomcatjss-7.5.0-a1.tar.gz
diff --git a/SOURCES/0001-Use-factory-for-JSSKeyManager-JSSTrustManager.patch b/SOURCES/0001-Use-factory-for-JSSKeyManager-JSSTrustManager.patch
new file mode 100644
index 0000000..8dcf646
--- /dev/null
+++ b/SOURCES/0001-Use-factory-for-JSSKeyManager-JSSTrustManager.patch
@@ -0,0 +1,89 @@
+From 54e26482643023a7fcbbba25376d691980ed6471 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Thu, 25 Jun 2020 13:41:59 -0400
+Subject: [PATCH] Use factory for JSSKeyManager, JSSTrustManager
+
+Signed-off-by: Alexander Scheel
+---
+ tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java | 12 ++++++++++--
+ tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java | 11 +++++++----
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java
+index 1f2082e..a3630e2 100644
+--- a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java
++++ b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java
+@@ -9,6 +9,7 @@ import java.util.List;
+ import javax.net.ssl.KeyManager;
+ import javax.net.ssl.KeyManagerFactory;
+ import javax.net.ssl.TrustManager;
++import javax.net.ssl.TrustManagerFactory;
+
+ import org.apache.tomcat.util.net.SSLContext;
+
+@@ -36,8 +37,15 @@ public class JSSContext implements org.apache.tomcat.util.net.SSLContext {
+
+ /* These KeyManagers and TrustManagers aren't used with the SSLEngine;
+ * they're only used to implement certain function calls below. */
+- jkm = new JSSKeyManager();
+- jtm = new JSSTrustManager();
++ try {
++ KeyManagerFactory kmf = KeyManagerFactory.getInstance("NssX509", "Mozilla-JSS");
++ jkm = (JSSKeyManager) kmf.getKeyManagers()[0];
++
++ TrustManagerFactory tmf = TrustManagerFactory.getInstance("NssX509", "Mozilla-JSS");
++ jtm = (JSSTrustManager) tmf.getTrustManagers()[0];
++ } catch (Exception e) {
++ throw new RuntimeException(e.getMessage(), e);
++ }
+ }
+
+ public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) throws KeyManagementException {
+diff --git a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
+index 8930bbd..cad3163 100644
+--- a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
++++ b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
+@@ -26,7 +26,9 @@ import java.util.Set;
+ import java.util.HashSet;
+
+ import javax.net.ssl.KeyManager;
++import javax.net.ssl.KeyManagerFactory;
+ import javax.net.ssl.TrustManager;
++import javax.net.ssl.TrustManagerFactory;
+ import javax.net.ssl.SSLEngine;
+
+ import org.apache.juli.logging.Log;
+@@ -39,9 +41,7 @@ import org.apache.tomcat.util.net.SSLUtilBase;
+
+ import org.mozilla.jss.JSSProvider;
+ import org.mozilla.jss.crypto.Policy;
+-import org.mozilla.jss.provider.javax.crypto.JSSKeyManager;
+ import org.mozilla.jss.provider.javax.crypto.JSSNativeTrustManager;
+-import org.mozilla.jss.provider.javax.crypto.JSSTrustManager;
+ import org.mozilla.jss.ssl.SSLCipher;
+ import org.mozilla.jss.ssl.SSLVersion;
+
+@@ -86,15 +86,18 @@ public class JSSUtil extends SSLUtilBase {
+ @Override
+ public KeyManager[] getKeyManagers() throws Exception {
+ logger.debug("JSSUtil: getKeyManagers()");
+- return new KeyManager[] { new JSSKeyManager() };
++ KeyManagerFactory jkm = KeyManagerFactory.getInstance("NssX509", "Mozilla-JSS");
++ return jkm.getKeyManagers();
+ }
+
+ @Override
+ public TrustManager[] getTrustManagers() throws Exception {
+ logger.debug("JSSUtil: getTrustManagers()");
+ if (!JSSProvider.ENABLE_JSSENGINE) {
+- return new TrustManager[] { new JSSTrustManager() };
++ TrustManagerFactory tmf = TrustManagerFactory.getInstance("NssX509");
++ return tmf.getTrustManagers();
+ }
++
+ return new TrustManager[] { new JSSNativeTrustManager() };
+ }
+
+--
+2.26.2
+
diff --git a/SPECS/tomcatjss.spec b/SPECS/tomcatjss.spec
new file mode 100644
index 0000000..0bbe4f0
--- /dev/null
+++ b/SPECS/tomcatjss.spec
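Review bot: In the embedded JSSUtil.java change, `getTrustManagers()` calls `TrustManagerFactory.getInstance("NssX509")` without naming a provider, while `getKeyManagers()` next to it and both lookups in the JSSContext constructor pin `"Mozilla-JSS"`. Without the provider argument the JCA returns the first registered provider that offers that algorithm name, so which trust manager ends up validating peer certificates depends on provider registration order rather than on this code; it should read `TrustManagerFactory.getInstance("NssX509", "Mozilla-JSS")` like the other three call sites. In the JSSContext constructor the `[0]` index and the casts to `JSSKeyManager` / `JSSTrustManager` are unchecked and `catch (Exception e)` rethrows with only `e.getMessage()`, so a missing or misconfigured JSS provider surfaces as an unexplained RuntimeException; a message naming the algorithm and provider would make that diagnosable. Both method bodies are only partly visible in these hunks.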
@@ -0,0 +1,231 @@
+################################################################################
+Name: tomcatjss
+################################################################################
+
+Summary: JSS Connector for Apache Tomcat
+URL: http://www.dogtagpki.org/wiki/TomcatJSS
+License: LGPLv2+
+BuildArch: noarch
+
+Version: 7.5.0
+Release: 0.2%{?_timestamp}%{?_commit_id}%{?dist}
+%global _phase -a1
+
+# To generate the source tarball:
+# $ git clone https://github.com/dogtagpki/tomcatjss.git
+# $ cd tomcatjss
+# $ git archive \
+# --format=tar.gz \
+# --prefix tomcatjss-VERSION/ \
+# -o tomcatjss-VERSION.tar.gz \
+#
+Source: https://github.com/dogtagpki/tomcatjss/archive/v%{version}%{?_phase}/tomcatjss-%{version}%{?_phase}.tar.gz
+
+# To create a patch for all changes since a version tag:
+# $ git format-patch \
+# --stdout \
+# \
+# > tomcatjss-VERSION-RELEASE.patch
+# Patch: tomcatjss-VERSION-RELEASE.patch
+Patch0: 0001-Use-factory-for-JSSKeyManager-JSSTrustManager.patch
+
+################################################################################
+# Build Dependencies
+################################################################################
+
+# jpackage-utils requires versioning to meet both build and runtime requirements
+# jss requires versioning to meet both build and runtime requirements
+# tomcat requires versioning to meet both build and runtime requirements
+
+# autosetup
+BuildRequires: git
+
+# Java
+BuildRequires: ant
+BuildRequires: apache-commons-lang
+BuildRequires: java-devel
+BuildRequires: jpackage-utils >= 0:1.7.5-15
+
+# SLF4J
+BuildRequires: slf4j
+%if 0%{?rhel} && 0%{?rhel} <= 7
+# no slf4j-jdk14
+%else
+BuildRequires: slf4j-jdk14
+%endif
+
+# JSS
+%if 0%{?rhel} && 0%{?rhel} <= 7
+BuildRequires: jss >= 4.4.0-7
+%else
+BuildRequires: jss >= 4.7.0
+%endif
+
+# Tomcat
+%if 0%{?rhel} && 0%{?rhel} <= 7
+BuildRequires: tomcat >= 7.0.69
+%else
+%if 0%{?fedora} && 0%{?fedora} <= 27
+BuildRequires: tomcat >= 8.0.49
+%else
+%if 0%{?fedora} && 0%{?fedora} <= 28
+BuildRequires: tomcat >= 1:8.5.23
+%else
+%if 0%{?rhel}
+BuildRequires: pki-servlet-engine >= 1:9.0.7
+%else
+BuildRequires: tomcat >= 1:9.0.7
+%endif
+%endif
+%endif
+%endif
+
+################################################################################
+# Runtime Dependencies
+################################################################################
+
+# Java
+Requires: apache-commons-lang
+%if 0%{?fedora} >= 21
+Requires: java-headless
+%else
+Requires: java
+%endif
+Requires: jpackage-utils >= 0:1.7.5-15
+
+# SLF4J
+Requires: slf4j
+%if 0%{?rhel}
+# no slf4j-jdk14
+%else
+Requires: slf4j-jdk14
+%endif
+
+# JSS
+%if 0%{?rhel} && 0%{?rhel} <= 7
+Requires: jss >= 4.4.0-7
+%else
+Requires: jss >= 4.7.0
+%endif
+
+# Tomcat
+%if 0%{?rhel} && 0%{?rhel} <= 7
+Requires: tomcat >= 7.0.69
+%else
+%if 0%{?fedora} && 0%{?fedora} <= 27
+Requires: tomcat >= 8.0.49
+%else
+%if 0%{?fedora} && 0%{?fedora} <= 28
+Requires: tomcat >= 1:8.5.23
+%else
+%if 0%{?rhel}
+Requires: pki-servlet-engine >= 1:9.0.7
+%else
+Requires: tomcat >= 1:9.0.7
+%endif
+%endif
+%endif
+%endif
+
+# PKI
+Conflicts: pki-base < 10.6.5
+
+
+%if 0%{?rhel}
+# For EPEL, override the '_sharedstatedir' macro on RHEL
+%define _sharedstatedir /var/lib
+%endif
+
+%description
+JSS Connector for Apache Tomcat, installed via the tomcatjss package,
+is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that
+uses Java Security Services (JSS), a Java interface to Network Security
+Services (NSS).
+
+NOTE: The 'tomcatjss' package conflicts with the 'tomcat-native' package
+ because it uses an underlying NSS security model rather than the
+ OpenSSL security model, so these two packages may not co-exist.
+
+################################################################################
+%prep
+################################################################################
+
+%autosetup -n tomcatjss-%{version}%{?_phase} -p 1 -S git
+
+################################################################################
+%install
+################################################################################
+
+# get Tomcat . version number
+tomcat_version=`/usr/sbin/tomcat version | sed -n 's/Server number: *\([0-9]\+\.[0-9]\+\).*/\1/p'`
+
+if [ $tomcat_version == "9.0" ]; then
+ app_server=tomcat-8.5
+else
+ app_server=tomcat-$tomcat_version
+fi
+
+ant -f build.xml \
+ -Dversion=%{version} \
+ -Dsrc.dir=$app_server \
+ -Djnidir=%{_jnidir} \
+ -Dinstall.doc.dir=%{buildroot}%{_docdir}/%{name} \
+ -Dinstall.jar.dir=%{buildroot}%{_javadir} \
+ install
+
+################################################################################
+%files
+################################################################################
+
+%license LICENSE
+
+%defattr(-,root,root)
+%doc README
+%doc LICENSE
+%{_javadir}/*
+
+################################################################################
+%changelog
+* Thu Jun 25 2020 Red Hat PKI Team 7.5.0-0.2
+- Rebased to TomcatJSS 7.5.0-a2
+
+* Tue May 26 2020 Red Hat PKI Team 7.5.0-0.1
+- Rebased to TomcatJSS 7.5.0-a1
+
+* Thu Oct 31 2019 Red Hat PKI Team 7.4.1-2
+- Bumping min requirement for jss to 4.6.0
+
+* Wed Jun 12 2019 Red Hat PKI Team 7.4.1-1
+- Rebased to TomcatJSS 7.4.1
+
+* Wed Apr 24 2019 Red Hat PKI Team 7.4.0-1
+- Rebased to TomcatJSS 7.4.0
+
+* Fri Oct 05 2018 Red Hat PKI Team 7.3.6-1
+- Rebased to TomcatJSS 7.3.6
+
+* Mon Aug 13 2018 Red Hat PKI Team 7.3.5-1
+- Rebased to TomcatJSS 7.3.5
+
+* Tue Aug 07 2018 Red Hat PKI Team 7.3.4-1
+- Rebased to TomcatJSS 7.3.4
+
+* Tue Aug 07 2018 Red Hat PKI Team 7.3.3-2
+- Red Hat Bugzilla #1612063 - Do not override system crypto policy (support TLS 1.3)
+
+* Fri Jul 20 2018 Red Hat PKI Team 7.3.3-1
+- Rebased to TomcatJSS 7.3.3
+
+* Thu Jul 05 2018 Red Hat PKI Team 7.3.2-1
+- Rebased to TomcatJSS 7.3.2
+
+* Fri Jun 15 2018 Red Hat PKI Team 7.3.1-1
+- Fixed Tomcat dependencies
+- Rebased to TomcatJSS 7.3.1
+
+* Thu Apr 12 2018 Red Hat PKI Team 7.3.0-1
+- Cleaned up spec file
+- Rebased to TomcatJSS 7.3.0 final
+
+* Thu Mar 15 2018 Red Hat PKI Team 7.3.0-0.2
+- Rebased to TomcatJSS 7.3.0 beta
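Review bot: The `%install` script uses `$tomcat_version` unquoted in `[ $tomcat_version == "9.0" ]` and never checks that the `sed` extraction produced a value. If `/usr/sbin/tomcat version` is absent or prints an unexpected format (on RHEL the build dependency is `pki-servlet-engine`, and whether it ships that path is not visible here), the test errors, the `else` branch sets `app_server=tomcat-`, and the build only fails later inside ant with a misleading source-directory error. Fail early and quote the variable: `[ -n "$tomcat_version" ] || { echo "cannot determine Tomcat version" >&2; exit 1; }` followed by `if [ "$tomcat_version" = "9.0" ]; then`. The `==` operator inside `[ ]` is also a bash extension, so `=` is the portable spelling.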