From 50aabda200f0334ede649d7ee3007da167c57bdb Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 30 2017 13:43:38 +0000 Subject: import jss-4.4.0-9.el7_4 --- diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..15d4ccb --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/jss-4.4.0.tar.gz diff --git a/.jss.metadata b/.jss.metadata new file mode 100644 index 0000000..21d2385 --- /dev/null +++ b/.jss.metadata @@ -0,0 +1 @@ +44982c04810aebfa1528d10184380b2c8832d148 SOURCES/jss-4.4.0.tar.gz diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/MPL-1.1.txt b/SOURCES/MPL-1.1.txt new file mode 100644 index 0000000..7714141 --- /dev/null +++ b/SOURCES/MPL-1.1.txt @@ -0,0 +1,470 @@ + MOZILLA PUBLIC LICENSE + Version 1.1 + + --------------- + +1. Definitions. + + 1.0.1. "Commercial Use" means distribution or otherwise making the + Covered Code available to a third party. + + 1.1. "Contributor" means each entity that creates or contributes to + the creation of Modifications. + + 1.2. "Contributor Version" means the combination of the Original + Code, prior Modifications used by a Contributor, and the Modifications + made by that particular Contributor. + + 1.3. "Covered Code" means the Original Code or Modifications or the + combination of the Original Code and Modifications, in each case + including portions thereof. + + 1.4. "Electronic Distribution Mechanism" means a mechanism generally + accepted in the software development community for the electronic + transfer of data. + + 1.5. "Executable" means Covered Code in any form other than Source + Code. + + 1.6. "Initial Developer" means the individual or entity identified + as the Initial Developer in the Source Code notice required by Exhibit + A. + + 1.7. "Larger Work" means a work which combines Covered Code or + portions thereof with code not governed by the terms of this License. + + 1.8. "License" means this document. + + 1.8.1. "Licensable" means having the right to grant, to the maximum + extent possible, whether at the time of the initial grant or + subsequently acquired, any and all of the rights conveyed herein. + + 1.9. "Modifications" means any addition to or deletion from the + substance or structure of either the Original Code or any previous + Modifications. When Covered Code is released as a series of files, a + Modification is: + A. Any addition to or deletion from the contents of a file + containing Original Code or previous Modifications. + + B. Any new file that contains any part of the Original Code or + previous Modifications. + + 1.10. "Original Code" means Source Code of computer software code + which is described in the Source Code notice required by Exhibit A as + Original Code, and which, at the time of its release under this + License is not already Covered Code governed by this License. + + 1.10.1. "Patent Claims" means any patent claim(s), now owned or + hereafter acquired, including without limitation, method, process, + and apparatus claims, in any patent Licensable by grantor. + + 1.11. "Source Code" means the preferred form of the Covered Code for + making modifications to it, including all modules it contains, plus + any associated interface definition files, scripts used to control + compilation and installation of an Executable, or source code + differential comparisons against either the Original Code or another + well known, available Covered Code of the Contributor's choice. The + Source Code can be in a compressed or archival form, provided the + appropriate decompression or de-archiving software is widely available + for no charge. + + 1.12. "You" (or "Your") means an individual or a legal entity + exercising rights under, and complying with all of the terms of, this + License or a future version of this License issued under Section 6.1. + For legal entities, "You" includes any entity which controls, is + controlled by, or is under common control with You. For purposes of + this definition, "control" means (a) the power, direct or indirect, + to cause the direction or management of such entity, whether by + contract or otherwise, or (b) ownership of more than fifty percent + (50%) of the outstanding shares or beneficial ownership of such + entity. + +2. Source Code License. + + 2.1. The Initial Developer Grant. + The Initial Developer hereby grants You a world-wide, royalty-free, + non-exclusive license, subject to third party intellectual property + claims: + (a) under intellectual property rights (other than patent or + trademark) Licensable by Initial Developer to use, reproduce, + modify, display, perform, sublicense and distribute the Original + Code (or portions thereof) with or without Modifications, and/or + as part of a Larger Work; and + + (b) under Patents Claims infringed by the making, using or + selling of Original Code, to make, have made, use, practice, + sell, and offer for sale, and/or otherwise dispose of the + Original Code (or portions thereof). + + (c) the licenses granted in this Section 2.1(a) and (b) are + effective on the date Initial Developer first distributes + Original Code under the terms of this License. + + (d) Notwithstanding Section 2.1(b) above, no patent license is + granted: 1) for code that You delete from the Original Code; 2) + separate from the Original Code; or 3) for infringements caused + by: i) the modification of the Original Code or ii) the + combination of the Original Code with other software or devices. + + 2.2. Contributor Grant. + Subject to third party intellectual property claims, each Contributor + hereby grants You a world-wide, royalty-free, non-exclusive license + + (a) under intellectual property rights (other than patent or + trademark) Licensable by Contributor, to use, reproduce, modify, + display, perform, sublicense and distribute the Modifications + created by such Contributor (or portions thereof) either on an + unmodified basis, with other Modifications, as Covered Code + and/or as part of a Larger Work; and + + (b) under Patent Claims infringed by the making, using, or + selling of Modifications made by that Contributor either alone + and/or in combination with its Contributor Version (or portions + of such combination), to make, use, sell, offer for sale, have + made, and/or otherwise dispose of: 1) Modifications made by that + Contributor (or portions thereof); and 2) the combination of + Modifications made by that Contributor with its Contributor + Version (or portions of such combination). + + (c) the licenses granted in Sections 2.2(a) and 2.2(b) are + effective on the date Contributor first makes Commercial Use of + the Covered Code. + + (d) Notwithstanding Section 2.2(b) above, no patent license is + granted: 1) for any code that Contributor has deleted from the + Contributor Version; 2) separate from the Contributor Version; + 3) for infringements caused by: i) third party modifications of + Contributor Version or ii) the combination of Modifications made + by that Contributor with other software (except as part of the + Contributor Version) or other devices; or 4) under Patent Claims + infringed by Covered Code in the absence of Modifications made by + that Contributor. + +3. Distribution Obligations. + + 3.1. Application of License. + The Modifications which You create or to which You contribute are + governed by the terms of this License, including without limitation + Section 2.2. The Source Code version of Covered Code may be + distributed only under the terms of this License or a future version + of this License released under Section 6.1, and You must include a + copy of this License with every copy of the Source Code You + distribute. You may not offer or impose any terms on any Source Code + version that alters or restricts the applicable version of this + License or the recipients' rights hereunder. However, You may include + an additional document offering the additional rights described in + Section 3.5. + + 3.2. Availability of Source Code. + Any Modification which You create or to which You contribute must be + made available in Source Code form under the terms of this License + either on the same media as an Executable version or via an accepted + Electronic Distribution Mechanism to anyone to whom you made an + Executable version available; and if made available via Electronic + Distribution Mechanism, must remain available for at least twelve (12) + months after the date it initially became available, or at least six + (6) months after a subsequent version of that particular Modification + has been made available to such recipients. You are responsible for + ensuring that the Source Code version remains available even if the + Electronic Distribution Mechanism is maintained by a third party. + + 3.3. Description of Modifications. + You must cause all Covered Code to which You contribute to contain a + file documenting the changes You made to create that Covered Code and + the date of any change. You must include a prominent statement that + the Modification is derived, directly or indirectly, from Original + Code provided by the Initial Developer and including the name of the + Initial Developer in (a) the Source Code, and (b) in any notice in an + Executable version or related documentation in which You describe the + origin or ownership of the Covered Code. + + 3.4. Intellectual Property Matters + (a) Third Party Claims. + If Contributor has knowledge that a license under a third party's + intellectual property rights is required to exercise the rights + granted by such Contributor under Sections 2.1 or 2.2, + Contributor must include a text file with the Source Code + distribution titled "LEGAL" which describes the claim and the + party making the claim in sufficient detail that a recipient will + know whom to contact. If Contributor obtains such knowledge after + the Modification is made available as described in Section 3.2, + Contributor shall promptly modify the LEGAL file in all copies + Contributor makes available thereafter and shall take other steps + (such as notifying appropriate mailing lists or newsgroups) + reasonably calculated to inform those who received the Covered + Code that new knowledge has been obtained. + + (b) Contributor APIs. + If Contributor's Modifications include an application programming + interface and Contributor has knowledge of patent licenses which + are reasonably necessary to implement that API, Contributor must + also include this information in the LEGAL file. + + (c) Representations. + Contributor represents that, except as disclosed pursuant to + Section 3.4(a) above, Contributor believes that Contributor's + Modifications are Contributor's original creation(s) and/or + Contributor has sufficient rights to grant the rights conveyed by + this License. + + 3.5. Required Notices. + You must duplicate the notice in Exhibit A in each file of the Source + Code. If it is not possible to put such notice in a particular Source + Code file due to its structure, then You must include such notice in a + location (such as a relevant directory) where a user would be likely + to look for such a notice. If You created one or more Modification(s) + You may add your name as a Contributor to the notice described in + Exhibit A. You must also duplicate this License in any documentation + for the Source Code where You describe recipients' rights or ownership + rights relating to Covered Code. You may choose to offer, and to + charge a fee for, warranty, support, indemnity or liability + obligations to one or more recipients of Covered Code. However, You + may do so only on Your own behalf, and not on behalf of the Initial + Developer or any Contributor. You must make it absolutely clear than + any such warranty, support, indemnity or liability obligation is + offered by You alone, and You hereby agree to indemnify the Initial + Developer and every Contributor for any liability incurred by the + Initial Developer or such Contributor as a result of warranty, + support, indemnity or liability terms You offer. + + 3.6. Distribution of Executable Versions. + You may distribute Covered Code in Executable form only if the + requirements of Section 3.1-3.5 have been met for that Covered Code, + and if You include a notice stating that the Source Code version of + the Covered Code is available under the terms of this License, + including a description of how and where You have fulfilled the + obligations of Section 3.2. The notice must be conspicuously included + in any notice in an Executable version, related documentation or + collateral in which You describe recipients' rights relating to the + Covered Code. You may distribute the Executable version of Covered + Code or ownership rights under a license of Your choice, which may + contain terms different from this License, provided that You are in + compliance with the terms of this License and that the license for the + Executable version does not attempt to limit or alter the recipient's + rights in the Source Code version from the rights set forth in this + License. If You distribute the Executable version under a different + license You must make it absolutely clear that any terms which differ + from this License are offered by You alone, not by the Initial + Developer or any Contributor. You hereby agree to indemnify the + Initial Developer and every Contributor for any liability incurred by + the Initial Developer or such Contributor as a result of any such + terms You offer. + + 3.7. Larger Works. + You may create a Larger Work by combining Covered Code with other code + not governed by the terms of this License and distribute the Larger + Work as a single product. In such a case, You must make sure the + requirements of this License are fulfilled for the Covered Code. + +4. Inability to Comply Due to Statute or Regulation. + + If it is impossible for You to comply with any of the terms of this + License with respect to some or all of the Covered Code due to + statute, judicial order, or regulation then You must: (a) comply with + the terms of this License to the maximum extent possible; and (b) + describe the limitations and the code they affect. Such description + must be included in the LEGAL file described in Section 3.4 and must + be included with all distributions of the Source Code. Except to the + extent prohibited by statute or regulation, such description must be + sufficiently detailed for a recipient of ordinary skill to be able to + understand it. + +5. Application of this License. + + This License applies to code to which the Initial Developer has + attached the notice in Exhibit A and to related Covered Code. + +6. Versions of the License. + + 6.1. New Versions. + Netscape Communications Corporation ("Netscape") may publish revised + and/or new versions of the License from time to time. Each version + will be given a distinguishing version number. + + 6.2. Effect of New Versions. + Once Covered Code has been published under a particular version of the + License, You may always continue to use it under the terms of that + version. You may also choose to use such Covered Code under the terms + of any subsequent version of the License published by Netscape. No one + other than Netscape has the right to modify the terms applicable to + Covered Code created under this License. + + 6.3. Derivative Works. + If You create or use a modified version of this License (which you may + only do in order to apply it to code which is not already Covered Code + governed by this License), You must (a) rename Your license so that + the phrases "Mozilla", "MOZILLAPL", "MOZPL", "Netscape", + "MPL", "NPL" or any confusingly similar phrase do not appear in your + license (except to note that your license differs from this License) + and (b) otherwise make it clear that Your version of the license + contains terms which differ from the Mozilla Public License and + Netscape Public License. (Filling in the name of the Initial + Developer, Original Code or Contributor in the notice described in + Exhibit A shall not of themselves be deemed to be modifications of + this License.) + +7. DISCLAIMER OF WARRANTY. + + COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, + WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF + DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. + THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE + IS WITH YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT, + YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE + COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER + OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF + ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER. + +8. TERMINATION. + + 8.1. This License and the rights granted hereunder will terminate + automatically if You fail to comply with terms herein and fail to cure + such breach within 30 days of becoming aware of the breach. All + sublicenses to the Covered Code which are properly granted shall + survive any termination of this License. Provisions which, by their + nature, must remain in effect beyond the termination of this License + shall survive. + + 8.2. If You initiate litigation by asserting a patent infringement + claim (excluding declatory judgment actions) against Initial Developer + or a Contributor (the Initial Developer or Contributor against whom + You file such action is referred to as "Participant") alleging that: + + (a) such Participant's Contributor Version directly or indirectly + infringes any patent, then any and all rights granted by such + Participant to You under Sections 2.1 and/or 2.2 of this License + shall, upon 60 days notice from Participant terminate prospectively, + unless if within 60 days after receipt of notice You either: (i) + agree in writing to pay Participant a mutually agreeable reasonable + royalty for Your past and future use of Modifications made by such + Participant, or (ii) withdraw Your litigation claim with respect to + the Contributor Version against such Participant. If within 60 days + of notice, a reasonable royalty and payment arrangement are not + mutually agreed upon in writing by the parties or the litigation claim + is not withdrawn, the rights granted by Participant to You under + Sections 2.1 and/or 2.2 automatically terminate at the expiration of + the 60 day notice period specified above. + + (b) any software, hardware, or device, other than such Participant's + Contributor Version, directly or indirectly infringes any patent, then + any rights granted to You by such Participant under Sections 2.1(b) + and 2.2(b) are revoked effective as of the date You first made, used, + sold, distributed, or had made, Modifications made by that + Participant. + + 8.3. If You assert a patent infringement claim against Participant + alleging that such Participant's Contributor Version directly or + indirectly infringes any patent where such claim is resolved (such as + by license or settlement) prior to the initiation of patent + infringement litigation, then the reasonable value of the licenses + granted by such Participant under Sections 2.1 or 2.2 shall be taken + into account in determining the amount or value of any payment or + license. + + 8.4. In the event of termination under Sections 8.1 or 8.2 above, + all end user license agreements (excluding distributors and resellers) + which have been validly granted by You or any distributor hereunder + prior to termination shall survive termination. + +9. LIMITATION OF LIABILITY. + + UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT + (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL + DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE, + OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR + ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY + CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, + WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER + COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN + INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF + LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY + RESULTING FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW + PROHIBITS SUCH LIMITATION. SOME JURISDICTIONS DO NOT ALLOW THE + EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO + THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. + +10. U.S. GOVERNMENT END USERS. + + The Covered Code is a "commercial item," as that term is defined in + 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer + software" and "commercial computer software documentation," as such + terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 + C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995), + all U.S. Government End Users acquire Covered Code with only those + rights set forth herein. + +11. MISCELLANEOUS. + + This License represents the complete agreement concerning subject + matter hereof. If any provision of this License is held to be + unenforceable, such provision shall be reformed only to the extent + necessary to make it enforceable. This License shall be governed by + California law provisions (except to the extent applicable law, if + any, provides otherwise), excluding its conflict-of-law provisions. + With respect to disputes in which at least one party is a citizen of, + or an entity chartered or registered to do business in the United + States of America, any litigation relating to this License shall be + subject to the jurisdiction of the Federal Courts of the Northern + District of California, with venue lying in Santa Clara County, + California, with the losing party responsible for costs, including + without limitation, court costs and reasonable attorneys' fees and + expenses. The application of the United Nations Convention on + Contracts for the International Sale of Goods is expressly excluded. + Any law or regulation which provides that the language of a contract + shall be construed against the drafter shall not apply to this + License. + +12. RESPONSIBILITY FOR CLAIMS. + + As between Initial Developer and the Contributors, each party is + responsible for claims and damages arising, directly or indirectly, + out of its utilization of rights under this License and You agree to + work with Initial Developer and Contributors to distribute such + responsibility on an equitable basis. Nothing herein is intended or + shall be deemed to constitute any admission of liability. + +13. MULTIPLE-LICENSED CODE. + + Initial Developer may designate portions of the Covered Code as + "Multiple-Licensed". "Multiple-Licensed" means that the Initial + Developer permits you to utilize portions of the Covered Code under + Your choice of the NPL or the alternative licenses, if any, specified + by the Initial Developer in the file described in Exhibit A. + +EXHIBIT A -Mozilla Public License. + + ``The contents of this file are subject to the Mozilla Public License + Version 1.1 (the "License"); you may not use this file except in + compliance with the License. You may obtain a copy of the License at + http://www.mozilla.org/MPL/ + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the + License for the specific language governing rights and limitations + under the License. + + The Original Code is ______________________________________. + + The Initial Developer of the Original Code is ________________________. + Portions created by ______________________ are Copyright (C) ______ + _______________________. All Rights Reserved. + + Contributor(s): ______________________________________. + + Alternatively, the contents of this file may be used under the terms + of the _____ license (the "[___] License"), in which case the + provisions of [______] License are applicable instead of those + above. If you wish to allow use of your version of this file only + under the terms of the [____] License and not to allow others to use + your version of this file under the MPL, indicate your decision by + deleting the provisions above and replace them with the notice and + other provisions required by the [___] License. If you do not delete + the provisions above, a recipient may use your version of this file + under either the MPL or the [___] License." + + [NOTE: The text of this Exhibit A may differ slightly from the text of + the notices in the Source Code files of the Original Code. You should + use the text of this Exhibit A rather than the text found in the + Original Code Source Code for Your Modifications.] + diff --git a/SOURCES/gpl.txt b/SOURCES/gpl.txt new file mode 100644 index 0000000..d511905 --- /dev/null +++ b/SOURCES/gpl.txt @@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. diff --git a/SOURCES/jss-HMAC-test-for-AES-encrypt-unwrap.patch b/SOURCES/jss-HMAC-test-for-AES-encrypt-unwrap.patch new file mode 100644 index 0000000..435dfd0 --- /dev/null +++ b/SOURCES/jss-HMAC-test-for-AES-encrypt-unwrap.patch @@ -0,0 +1,196 @@ +# HG changeset patch +# User Jack Magne +# Date 1504307754 25200 +# Fri Sep 01 16:15:54 2017 -0700 +# Node ID eec15518fd61f1d988c25b4de589555796f9e65f +# Parent 17d1d7b740ca5777fbcf8ee817a2f26b9c93593a +unwrapping of HMAC-SHA1 secret keys using AES wrapping and unwrapping +cfu on behalf of jmagne + +diff -r 17d1d7b740ca -r eec15518fd61 org/mozilla/jss/pkcs11/PK11KeyWrapper.java +--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java Mon May 01 10:39:50 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java Fri Sep 01 16:15:54 2017 -0700 +@@ -588,6 +588,8 @@ + return EncryptionAlgorithm.RC4; + } else if( type == SymmetricKey.AES ) { + return EncryptionAlgorithm.AES_128_ECB; ++ } else if( type == SymmetricKey.SHA1_HMAC) { ++ return HMACAlgorithm.SHA1; + } else { + Assert._assert( type == SymmetricKey.RC2 ); + return EncryptionAlgorithm.RC2_CBC; +diff -r 17d1d7b740ca -r eec15518fd61 org/mozilla/jss/pkcs11/PK11MessageDigest.c +--- a/org/mozilla/jss/pkcs11/PK11MessageDigest.c Mon May 01 10:39:50 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.c Fri Sep 01 16:15:54 2017 -0700 +@@ -67,19 +67,19 @@ + } + + /* copy the key, setting the CKA_SIGN attribute */ +- /* ++ + newKey = PK11_CopySymKeyForSigning(origKey, mech); ++ ++ /* For some key on the hsm, this call could fail, but the key may work anyway */ ++ + if( newKey == NULL ) { +- JSS_throwMsg(env, DIGEST_EXCEPTION, +- "Unable to set CKA_SIGN attribute on symmetric key"); +- goto finish; ++ newKey = origKey; + } +- */ + + param.data = NULL; + param.len = 0; + +- context = PK11_CreateContextBySymKey(mech, CKA_SIGN, origKey, ¶m); ++ context = PK11_CreateContextBySymKey(mech, CKA_SIGN, newKey, ¶m); + if( context == NULL ) { + JSS_throwMsg(env, DIGEST_EXCEPTION, + "Unable to initialize digest context"); +@@ -88,7 +88,7 @@ + + contextObj = JSS_PK11_wrapCipherContextProxy(env, &context); + finish: +- if(newKey) { ++ if(newKey && (newKey != origKey)) { + /* SymKeys are ref counted, and the context will free it's ref + * when it is destroyed */ + PK11_FreeSymKey(newKey); +diff -r 17d1d7b740ca -r eec15518fd61 org/mozilla/jss/tests/HmacTest.java +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ b/org/mozilla/jss/tests/HmacTest.java Fri Sep 01 16:15:54 2017 -0700 +@@ -0,0 +1,119 @@ ++ ++package org.mozilla.jss.tests; ++ ++ ++import java.security.Key; ++import javax.crypto.Cipher; ++import javax.crypto.KeyGenerator; ++import javax.crypto.Mac; ++import javax.crypto.SecretKey; ++import javax.crypto.spec.IvParameterSpec; ++ ++import org.mozilla.jss.CryptoManager; ++import org.mozilla.jss.crypto.CryptoToken; ++import org.mozilla.jss.crypto.SymmetricKey; ++ ++ ++public class HmacTest { ++ ++ private static final String INTERNAL_KEY_STORAGE_TOKEN = ++ new CryptoManager.InitializationValues("").getInternalKeyStorageTokenDescription().trim(); ++ ++ private static final String NSS_DATABASE_DIR = "sql:data"; ++ private static final String PROVIDER = "Mozilla-JSS"; ++ ++ ++ public static void main(String[] args) ++ { ++ ++ String algorithm = "hmac-sha1"; ++ ++ try { ++ configureCrypto(args); ++ ++ Mac mac = Mac.getInstance(algorithm, PROVIDER); ++ ++ byte[] keyData = new byte[16]; ++ Key key = importHmacSha1Key(keyData); ++ ++ mac.init(key); ++ ++ doHMAC(mac,"Dogtag rules!"); ++ ++ System.out.println("Done"); ++ ++ System.exit(0); ++ } catch (Exception e) { ++ System.exit(1); ++ } ++ } ++ ++ private static void configureCrypto(String[] args) ++ throws Exception { ++ ++ CryptoManager.InitializationValues initializationValues = ++ new CryptoManager.InitializationValues(args[0]); ++ ++ CryptoManager.initialize(initializationValues); ++ ++ CryptoManager cryptoManager = CryptoManager.getInstance(); ++ ++ CryptoToken cryptoToken = ++ cryptoManager.getTokenByName(INTERNAL_KEY_STORAGE_TOKEN); ++ ++ cryptoManager.setThreadToken(cryptoToken); ++ } ++ ++ private static Key importHmacSha1Key(byte[] key) ++ throws Exception { ++ ++ final String WRAPPING_ALGORITHM = "AES/CBC/PKCS5Padding"; ++ ++ Key wrappingKey = getWrappingKey(); ++ ++ byte[] iv = new byte[16]; ++ IvParameterSpec ivParameterSpec = new IvParameterSpec(iv); ++ ++ Cipher wrappingCipher = Cipher.getInstance(WRAPPING_ALGORITHM, PROVIDER); ++ wrappingCipher.init(Cipher.ENCRYPT_MODE, wrappingKey, ivParameterSpec); ++ ++ byte[] wrappedKeyData = wrappingCipher.doFinal(key); ++ ++ Cipher unwrappingCipher = Cipher.getInstance(WRAPPING_ALGORITHM, PROVIDER); ++ unwrappingCipher.init(Cipher.UNWRAP_MODE, wrappingKey, ivParameterSpec); ++ ++ return (SecretKey) unwrappingCipher.unwrap(wrappedKeyData, ++ SymmetricKey.SHA1_HMAC.toString(), ++ Cipher.SECRET_KEY); ++ } ++ ++ private static synchronized Key getWrappingKey() ++ throws Exception { ++ ++ final String keyGenAlgorithm = "AES"; ++ final int wrappingKeyLength = 256; ++ ++ KeyGenerator keyGen = KeyGenerator.getInstance(keyGenAlgorithm, PROVIDER); ++ keyGen.init(wrappingKeyLength); ++ return keyGen.generateKey(); ++ } ++ ++ public static void doHMAC(Mac mozillaHmac, String clearText) ++ throws Exception { ++ byte[] mozillaHmacOut; ++ ++ //Get the Mozilla HMAC ++ mozillaHmacOut = mozillaHmac.doFinal(clearText.getBytes()); ++ ++ if (mozillaHmacOut.length == mozillaHmac.getMacLength()) { ++ System.out.println(PROVIDER + " supports " + ++ mozillaHmac.getAlgorithm() + " and the output size is " + mozillaHmac.getMacLength()); ++ } else { ++ throw new Exception("ERROR: hmac output size is " + ++ mozillaHmacOut.length + ", should be " + ++ mozillaHmac.getMacLength()); ++ } ++ } ++ ++ ++} +diff -r 17d1d7b740ca -r eec15518fd61 org/mozilla/jss/tests/all.pl +--- a/org/mozilla/jss/tests/all.pl Mon May 01 10:39:50 2017 -0700 ++++ b/org/mozilla/jss/tests/all.pl Fri Sep 01 16:15:54 2017 -0700 +@@ -492,6 +492,10 @@ + $command = "$java -cp $jss_classpath org.mozilla.jss.tests.HMACTest $testdir $pwfile"; + run_test($testname, $command); + ++$testname = "HMAC Unwrap"; ++$command = "$java -cp $jss_classpath org.mozilla.jss.tests.HmacTest $testdir $pwfile"; ++run_test($testname, $command); ++ + $testname = "KeyWrapping "; + $command = "$java -cp $jss_classpath org.mozilla.jss.tests.JCAKeyWrap $testdir $pwfile"; + run_test($testname, $command); diff --git a/SOURCES/jss-HMAC-unwrap-keywrap-FIPSMODE.patch b/SOURCES/jss-HMAC-unwrap-keywrap-FIPSMODE.patch new file mode 100644 index 0000000..529d33a --- /dev/null +++ b/SOURCES/jss-HMAC-unwrap-keywrap-FIPSMODE.patch @@ -0,0 +1,22 @@ +# HG changeset patch +# User Jack Magne +# Date 1506640850 25200 +# Thu Sep 28 16:20:50 2017 -0700 +# Node ID 252c10f448971b7ae087bde259505abd5dc5a03a +# Parent 3e9a5ae2149d04877dc19b117a8917c22854f8eb +Fix: Bug 1400884 - new JSS failures: HMAC Unwrap and KeyWrapping FIPSMODE. + +diff --git a/org/mozilla/jss/pkcs11/KeyType.java b/org/mozilla/jss/pkcs11/KeyType.java +--- a/org/mozilla/jss/pkcs11/KeyType.java ++++ b/org/mozilla/jss/pkcs11/KeyType.java +@@ -204,9 +204,7 @@ + EncryptionAlgorithm.AES_192_CBC, + EncryptionAlgorithm.AES_256_ECB, + EncryptionAlgorithm.AES_256_CBC, +- /* AES CBC PAD is the same as AES_256_CBC_PAD */ +- /* shouldn't break backward compatibility 313798*/ +- //EncryptionAlgorithm.AES_CBC_PAD, ++ EncryptionAlgorithm.AES_CBC_PAD, + EncryptionAlgorithm.AES_128_CBC_PAD, + EncryptionAlgorithm.AES_192_CBC_PAD, + EncryptionAlgorithm.AES_256_CBC_PAD diff --git a/SOURCES/jss-PBE-padded-block-cipher-enhancements.patch b/SOURCES/jss-PBE-padded-block-cipher-enhancements.patch new file mode 100644 index 0000000..8f43ec5 --- /dev/null +++ b/SOURCES/jss-PBE-padded-block-cipher-enhancements.patch @@ -0,0 +1,620 @@ +# HG changeset patch +# User Fraser Tweedale +# Date 1504894163 25200 +# Fri Sep 08 11:09:23 2017 -0700 +# Node ID 3629b598a9ce73e83c7896407e3ca820f6383750 +# Parent eec15518fd61f1d988c25b4de589555796f9e65f +Bug 1370778 PBE and padded block cipher enhancements and fixes - + patch jss-ftweedal-0006-PBEKeyGenParams-allow-specifying-encryption-algorith.patch + +Allow specifying an target encryption algorithm in PBEKeyGenParams; + if the PBE algorithm does not imply a particular cipher, this is needed + to determine the size of the key to generate + +cfu for ftweedale + +diff -r eec15518fd61 -r 3629b598a9ce org/mozilla/jss/crypto/PBEKeyGenParams.java +--- a/org/mozilla/jss/crypto/PBEKeyGenParams.java Fri Sep 01 16:15:54 2017 -0700 ++++ b/org/mozilla/jss/crypto/PBEKeyGenParams.java Fri Sep 08 11:09:23 2017 -0700 +@@ -13,6 +13,7 @@ + private Password pass; + private byte[] salt; + private int iterations; ++ private EncryptionAlgorithm encryptionAlgorithm = EncryptionAlgorithm.DES3_CBC; + + private PBEKeyGenParams() { } + +@@ -40,7 +41,8 @@ + } + + /** +- * Creates PBE parameters. ++ * Creates PBE parameters using default encryption algorithm ++ * (DES3_EDE3_CBC). + * + * @param pass The password. It will be cloned, so the + * caller is still responsible for clearing it. It must not be null. +@@ -60,6 +62,33 @@ + } + + /** ++ * Creates PBE parameters using default encryption algorithm ++ * (DES3_EDE3_CBC). ++ * ++ * @param pass The password. It will be cloned, so the ++ * caller is still responsible for clearing it. It must not be null. ++ * @param salt The salt for the PBE algorithm. Will not be cloned. ++ * Must not be null. It is the responsibility of the caller to ++ * use the right salt length for the algorithm. Most algorithms ++ * use 8 bytes of salt. ++ * @param iterations The iteration count for the PBE algorithm. ++ * @param encAlg The encryption algorithm. This is used with SOME ++ * PBE algorithms for determining the KDF output length. ++ */ ++ public PBEKeyGenParams( ++ char[] pass, byte[] salt, int iterations, ++ EncryptionAlgorithm encAlg) { ++ if (pass == null || salt == null) { ++ throw new NullPointerException(); ++ } ++ this.pass = new Password((char[]) pass.clone()); ++ this.salt = salt; ++ this.iterations = iterations; ++ if (encAlg != null) ++ this.encryptionAlgorithm = encAlg; ++ } ++ ++ /** + * Returns a reference to the password, not a copy. + */ + public Password getPassword() { +@@ -81,6 +110,14 @@ + } + + /** ++ * The encryption algorithm is used with SOME PBE algorithms for ++ * determining the KDF output length. ++ */ ++ public EncryptionAlgorithm getEncryptionAlgorithm() { ++ return encryptionAlgorithm; ++ } ++ ++ /** + * Clears the password. This should be called when this object is no + * longer needed so the password is not left around in memory. + */ +diff -r eec15518fd61 -r 3629b598a9ce org/mozilla/jss/pkcs11/PK11KeyGenerator.c +--- a/org/mozilla/jss/pkcs11/PK11KeyGenerator.c Fri Sep 01 16:15:54 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/PK11KeyGenerator.c Fri Sep 08 11:09:23 2017 -0700 +@@ -246,9 +246,9 @@ + * + */ + JNIEXPORT jobject JNICALL +-Java_org_mozilla_jss_pkcs11_PK11KeyGenerator_generatePBE +- (JNIEnv *env, jclass clazz, jobject token, jobject alg, jbyteArray passBA, +- jbyteArray saltBA, jint iterationCount) ++Java_org_mozilla_jss_pkcs11_PK11KeyGenerator_generatePBE( ++ JNIEnv *env, jclass clazz, jobject token, jobject alg, jobject encAlg, ++ jbyteArray passBA, jbyteArray saltBA, jint iterationCount) + { + PK11SlotInfo *slot=NULL; + PK11SymKey *skey=NULL; +@@ -299,12 +299,15 @@ + oidTag = JSS_getOidTagFromAlg(env, alg); + PR_ASSERT(oidTag != SEC_OID_UNKNOWN); + ++ SECOidTag encAlgOidTag = JSS_getOidTagFromAlg(env, encAlg); ++ PR_ASSERT(encAlgOidTag != SEC_OID_UNKNOWN); ++ + /* create algid */ + algid = PK11_CreatePBEV2AlgorithmID( + oidTag, +- SEC_OID_DES_EDE3_CBC, ++ encAlgOidTag, + SEC_OID_HMAC_SHA1, +- 168/8, ++ 0, + iterationCount, + salt); + +diff -r eec15518fd61 -r 3629b598a9ce org/mozilla/jss/pkcs11/PK11KeyGenerator.java +--- a/org/mozilla/jss/pkcs11/PK11KeyGenerator.java Fri Sep 01 16:15:54 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/PK11KeyGenerator.java Fri Sep 08 11:09:23 2017 -0700 +@@ -178,8 +178,9 @@ + byte[] pwbytes=null; + try { + pwbytes = charToByte.convert( kgp.getPassword().getChars() ); +- return generatePBE(token, algorithm, pwbytes, +- kgp.getSalt(), kgp.getIterations()); ++ return generatePBE( ++ token, algorithm, kgp.getEncryptionAlgorithm(), ++ pwbytes, kgp.getSalt(), kgp.getIterations()); + } finally { + if( pwbytes!=null ) { + Password.wipeBytes(pwbytes); +@@ -296,7 +297,9 @@ + * be null. + */ + private static native SymmetricKey +- generatePBE(PK11Token token, KeyGenAlgorithm algorithm, byte[] pass, +- byte[] salt, int iterationCount) throws TokenException; ++ generatePBE( ++ PK11Token token, KeyGenAlgorithm algorithm, EncryptionAlgorithm encAlg, ++ byte[] pass, byte[] salt, int iterationCount) ++ throws TokenException; + + } +# HG changeset patch +# User Fraser Tweedale +# Date 1504894529 25200 +# Fri Sep 08 11:15:29 2017 -0700 +# Node ID bada1409d2bb67cd92c3b7c292b8bb4ae6388513 +# Parent 3629b598a9ce73e83c7896407e3ca820f6383750 +Bug 1370778 PBE and padded block cipher enhancements and fixes - +patch jss-ftweedal-0007-Support-the-CKK_GENERIC_SECRET-symmetric-key-type.patch +Subject: Support the CKK_GENERIC_SECRET symmetric key type +From: Fraser Tweedale +Content-Type: text/plain +found patch at byte 873 +message: +Support the CKK_GENERIC_SECRET symmetric key type +The NSS PBKDF2 generation produces a key with the CKK_GENERIC_SECRET +key type. The underlying PKCS #11 object *does* record the intended +encryption algorithm that was specified when generating the key via +PK11_PBEKeyGen, but this information is not exposed via the PKCS #11 +interface. When initialising a cipher, JSS checks the key type +against the encryption algorithm and fails if they do not match, +which is always the case with PBKDF2-derived keys. + +To work around this problem, properly record the key type for +CKK_GENERIC_SECRET keys, and update the cipher initialisation key +type check to always accept such keys. + +cfu for ftweedal + +diff -r 3629b598a9ce -r bada1409d2bb org/mozilla/jss/pkcs11/KeyType.java +--- a/org/mozilla/jss/pkcs11/KeyType.java Fri Sep 08 11:09:23 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/KeyType.java Fri Sep 08 11:15:29 2017 -0700 +@@ -242,4 +242,7 @@ + "SHA1_HMAC" + ); + ++ static public final KeyType GENERIC_SECRET = ++ new KeyType(new Algorithm[] { }, "GENERIC_SECRET"); ++ + } +diff -r 3629b598a9ce -r bada1409d2bb org/mozilla/jss/pkcs11/PK11Cipher.java +--- a/org/mozilla/jss/pkcs11/PK11Cipher.java Fri Sep 08 11:09:23 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/PK11Cipher.java Fri Sep 08 11:15:29 2017 -0700 +@@ -243,8 +243,11 @@ + } + + try { +- if( ((PK11SymKey)key).getKeyType() != +- KeyType.getKeyTypeFromAlgorithm(algorithm) ) { ++ KeyType keyType = ((PK11SymKey) key).getKeyType(); ++ if ( ++ keyType != KeyType.GENERIC_SECRET ++ && keyType != KeyType.getKeyTypeFromAlgorithm(algorithm) ++ ) { + throw new InvalidKeyException("Key is not the right type for"+ + " this algorithm: " + ((PK11SymKey)key).getKeyType() + ":" + KeyType.getKeyTypeFromAlgorithm(algorithm) +";"); + } +diff -r 3629b598a9ce -r bada1409d2bb org/mozilla/jss/pkcs11/PK11SymKey.c +--- a/org/mozilla/jss/pkcs11/PK11SymKey.c Fri Sep 08 11:09:23 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/PK11SymKey.c Fri Sep 08 11:15:29 2017 -0700 +@@ -305,6 +305,9 @@ + case CKK_DES2: + typeFieldName = DES3_KEYTYPE_FIELD; + break; ++ case CKK_GENERIC_SECRET: ++ typeFieldName = GENERIC_SECRET_KEYTYPE_FIELD; ++ break; + default: + PR_ASSERT(PR_FALSE); + typeFieldName = DES_KEYTYPE_FIELD; +diff -r 3629b598a9ce -r bada1409d2bb org/mozilla/jss/util/java_ids.h +--- a/org/mozilla/jss/util/java_ids.h Fri Sep 08 11:09:23 2017 -0700 ++++ b/org/mozilla/jss/util/java_ids.h Fri Sep 08 11:15:29 2017 -0700 +@@ -87,6 +87,7 @@ + #define RC2_KEYTYPE_FIELD "RC2" + #define SHA1_HMAC_KEYTYPE_FIELD "SHA1_HMAC" + #define AES_KEYTYPE_FIELD "AES" ++#define GENERIC_SECRET_KEYTYPE_FIELD "GENERIC_SECRET" + + /* + * NativeProxy +# HG changeset patch +# User Fraser Tweedale +# Date 1504894882 25200 +# Fri Sep 08 11:21:22 2017 -0700 +# Node ID 890216599f21df4c6d07815604aaac526823a892 +# Parent bada1409d2bb67cd92c3b7c292b8bb4ae6388513 +Bug 1370778 PBE and padded block cipher enhancements and fixes - +patch jss-ftweedal-0008-PK11Cipher-improve-error-reporting.patch +Subject: PK11Cipher: improve error reporting +From: Fraser Tweedale +message: +PK11Cipher: improve error reporting + +cfu for ftweedal + +diff -r bada1409d2bb -r 890216599f21 org/mozilla/jss/pkcs11/PK11Cipher.c +--- a/org/mozilla/jss/pkcs11/PK11Cipher.c Fri Sep 08 11:15:29 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/PK11Cipher.c Fri Sep 08 11:21:22 2017 -0700 +@@ -152,7 +152,9 @@ + /* do the operation */ + if( PK11_CipherOp(context, outbuf, (int*)&outlen, outlen, + (unsigned char*)inbuf, inlen) != SECSuccess) { +- JSS_throwMsg(env, TOKEN_EXCEPTION, "Cipher Operation failed"); ++ JSS_throwMsgPrErrArg( ++ env, TOKEN_EXCEPTION, "Cipher context update failed", ++ PR_GetError()); + goto finish; + } + PR_ASSERT(outlen >= 0); +@@ -209,7 +211,9 @@ + /* perform the finalization */ + status = PK11_DigestFinal(context, outBuf, &newOutLen, outLen); + if( (status != SECSuccess) ) { +- JSS_throwMsg(env, TOKEN_EXCEPTION, "Cipher operation failed on token"); ++ JSS_throwMsgPrErrArg( ++ env, TOKEN_EXCEPTION, "Cipher context finalization failed", ++ PR_GetError()); + goto finish; + } + +# HG changeset patch +# User Fraser Tweedale +# Date 1504895552 25200 +# Fri Sep 08 11:32:32 2017 -0700 +# Node ID d39e9b373798ea9d6ae7f35089b07143845b210e +# Parent 890216599f21df4c6d07815604aaac526823a892 +Bug 1370778 PBE and padded block cipher enhancements and fixes - +patch jss-ftweedal-0009-Update-AES-CBC-PAD-cipher-definitions.patch +Subject: Update AES-CBC-PAD cipher definitions +From: Fraser Tweedale +message: +Update AES-CBC-PAD cipher definitions +The AES_{128,192,256}_CBC_PAD EncryptionAlgorithm definitions declare +the correct PKCS #11 cipher mechanism and padding, but do not declare +the relevant OIDs. They are also unusable as target algorithms in +PBE key generation because they declare a PK11_MECH instead of a +SEC_OID_TAG. + +Update these algorithms definitions to declare a SEC_OID_TAG instead +of a PK11_MECH (JSS_getOidTagFromAlg() will still return the correct +mechanism) and declare the associated OIDs. + +cfu for ftweedal + +diff -r 890216599f21 -r d39e9b373798 org/mozilla/jss/crypto/EncryptionAlgorithm.java +--- a/org/mozilla/jss/crypto/EncryptionAlgorithm.java Fri Sep 08 11:21:22 2017 -0700 ++++ b/org/mozilla/jss/crypto/EncryptionAlgorithm.java Fri Sep 08 11:32:32 2017 -0700 +@@ -359,8 +359,10 @@ + AES_ROOT_OID.subBranch(2), 128); + + public static final EncryptionAlgorithm +- AES_128_CBC_PAD = new EncryptionAlgorithm(CKM_AES_CBC_PAD, Alg.AES, Mode.CBC, +- Padding.PKCS5, IVParameterSpecClasses, 16, null, 128); // no oid ++ AES_128_CBC_PAD = new EncryptionAlgorithm(SEC_OID_AES_128_CBC, ++ Alg.AES, Mode.CBC, ++ Padding.PKCS5, IVParameterSpecClasses, 16, ++ AES_ROOT_OID.subBranch(2), 128); + + public static final EncryptionAlgorithm + AES_192_ECB = new EncryptionAlgorithm(SEC_OID_AES_192_ECB, +@@ -374,8 +376,10 @@ + AES_ROOT_OID.subBranch(22), 192); + + public static final EncryptionAlgorithm +- AES_192_CBC_PAD = new EncryptionAlgorithm(CKM_AES_CBC_PAD, Alg.AES, Mode.CBC, +- Padding.PKCS5, IVParameterSpecClasses, 16, null, 192); // no oid ++ AES_192_CBC_PAD = new EncryptionAlgorithm(SEC_OID_AES_192_CBC, ++ Alg.AES, Mode.CBC, ++ Padding.PKCS5, IVParameterSpecClasses, 16, ++ AES_ROOT_OID.subBranch(22), 192); + + public static final EncryptionAlgorithm + AES_256_ECB = new EncryptionAlgorithm(SEC_OID_AES_256_ECB, +@@ -393,6 +397,9 @@ + Padding.PKCS5, IVParameterSpecClasses, 16, null, 256); // no oid + + public static final EncryptionAlgorithm +- AES_256_CBC_PAD = AES_CBC_PAD; ++ AES_256_CBC_PAD = new EncryptionAlgorithm(SEC_OID_AES_256_CBC, ++ Alg.AES, Mode.CBC, ++ Padding.PKCS5, IVParameterSpecClasses, 16, ++ AES_ROOT_OID.subBranch(42), 256); + + } +# HG changeset patch +# User Fraser Tweedale +# Date 1504896621 25200 +# Fri Sep 08 11:50:21 2017 -0700 +# Node ID 0b8a6e84b6c736743f2184b2b858fda6be740544 +# Parent d39e9b373798ea9d6ae7f35089b07143845b210e +Bug 1370778 PBE and padded block cipher enhancements and fixes - +patch jss-ftweedal-0010-PK11Cipher-use-pad-mechanism-for-algorithms-that-use.patch +Subject: PK11Cipher: use pad mechanism for algorithms that use padding +From: Fraser Tweedale +message: +PK11Cipher: use pad mechanism for algorithms that use padding +The PK11Cipher implementation, when initialising a cipher context, +uses JSS_getPK11MechFromAlg() to retrieve the PKCS #11 mechanism to +use. When a JSS EncryptionAlgorithm uses a SEC_OID_TAG, this will +return the non-padded mechanism. Then, if the size of the data is +not a multiple of the cipher block size, a padding error occurs. + +When the EncryptionAlgorithm indicates that padding is to be used, +call PK11_GetPadMechanism() on the result of JSS_getPK11MechFromAlg() +to get the padding variant of the mechanism. + +cfu for ftweedal + +diff -r d39e9b373798 -r 0b8a6e84b6c7 org/mozilla/jss/pkcs11/PK11Cipher.c +--- a/org/mozilla/jss/pkcs11/PK11Cipher.c Fri Sep 08 11:32:32 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/PK11Cipher.c Fri Sep 08 11:50:21 2017 -0700 +@@ -24,16 +24,16 @@ + JNIEXPORT jobject JNICALL + Java_org_mozilla_jss_pkcs11_PK11Cipher_initContext + (JNIEnv *env, jclass clazz, jboolean encrypt, jobject keyObj, +- jobject algObj, jbyteArray ivBA) ++ jobject algObj, jbyteArray ivBA, jboolean padded) + { + return Java_org_mozilla_jss_pkcs11_PK11Cipher_initContextWithKeyBits +- ( env, clazz, encrypt, keyObj, algObj, ivBA, 0); ++ ( env, clazz, encrypt, keyObj, algObj, ivBA, 0, padded); + } + + JNIEXPORT jobject JNICALL + Java_org_mozilla_jss_pkcs11_PK11Cipher_initContextWithKeyBits + (JNIEnv *env, jclass clazz, jboolean encrypt, jobject keyObj, +- jobject algObj, jbyteArray ivBA, jint keyBits) ++ jobject algObj, jbyteArray ivBA, jint keyBits, jboolean padded) + { + CK_MECHANISM_TYPE mech; + PK11SymKey *key=NULL; +@@ -53,6 +53,9 @@ + goto finish; + } + ++ if (padded) ++ mech = PK11_GetPadMechanism(mech); ++ + /* get operation type */ + if( encrypt ) { + op = CKA_ENCRYPT; +diff -r d39e9b373798 -r 0b8a6e84b6c7 org/mozilla/jss/pkcs11/PK11Cipher.java +--- a/org/mozilla/jss/pkcs11/PK11Cipher.java Fri Sep 08 11:32:32 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/PK11Cipher.java Fri Sep 08 11:50:21 2017 -0700 +@@ -90,10 +90,13 @@ + state = ENCRYPT; + + if( parameters instanceof RC2ParameterSpec ) { +- contextProxy = initContextWithKeyBits( true, key, algorithm, IV, +- ((RC2ParameterSpec)parameters).getEffectiveKeyBits() ); ++ contextProxy = initContextWithKeyBits( ++ true, key, algorithm, IV, ++ ((RC2ParameterSpec)parameters).getEffectiveKeyBits(), ++ algorithm.isPadded()); + } else { +- contextProxy = initContext( true, key, algorithm, IV ); ++ contextProxy = initContext( ++ true, key, algorithm, IV, algorithm.isPadded()); + } + } + +@@ -112,10 +115,13 @@ + state = DECRYPT; + + if( parameters instanceof RC2ParameterSpec ) { +- contextProxy = initContextWithKeyBits(false, key, algorithm, IV, +- ((RC2ParameterSpec)parameters).getEffectiveKeyBits() ); ++ contextProxy = initContextWithKeyBits( ++ false, key, algorithm, IV, ++ ((RC2ParameterSpec)parameters).getEffectiveKeyBits(), ++ algorithm.isPadded()); + } else { +- contextProxy = initContext(false, key, algorithm, IV); ++ contextProxy = initContext( ++ false, key, algorithm, IV, algorithm.isPadded()); + } + } + +@@ -182,13 +188,13 @@ + + private static native CipherContextProxy + initContext(boolean encrypt, SymmetricKey key, EncryptionAlgorithm alg, +- byte[] IV) ++ byte[] IV, boolean padded) + throws TokenException; + + // This version accepts the number of effective key bits for RC2 CBC. + private static native CipherContextProxy + initContextWithKeyBits(boolean encrypt, SymmetricKey key, +- EncryptionAlgorithm alg, byte[] IV, int keyBits) ++ EncryptionAlgorithm alg, byte[] IV, int keyBits, boolean padded) + throws TokenException; + + private static native byte[] +# HG changeset patch +# User Fraser Tweedale +# Date 1504896816 25200 +# Fri Sep 08 11:53:36 2017 -0700 +# Node ID b3b653faef8475ae03c670766429fd4dfab37a5e +# Parent 0b8a6e84b6c736743f2184b2b858fda6be740544 +bug 1370778 PBE and padded block cipher enhancements and fixes - +patch jss-ftweedal-0012-2-Add-method-EncryptedPrivateKeyInfo.createPBES2.patch +Subject: Add method EncryptedPrivateKeyInfo.createPBES2 +From: Fraser Tweedale +Content-Type: text/plain +found patch at byte 404 +message: +Add method EncryptedPrivateKeyInfo.createPBES2 +The createPBE method does not support PBES2 (it is necessary to know +the desired encrypted algorithm to derive the key and build the +parameters data). Add the createPBES2 method, which uses PBKDF2 to +derive the symmetric key and allows the caller to specify the +encryption algorithm. + +cfu for ftweedal + +diff -r 0b8a6e84b6c7 -r b3b653faef84 org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java +--- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java Fri Sep 08 11:50:21 2017 -0700 ++++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java Fri Sep 08 11:53:36 2017 -0700 +@@ -155,6 +155,100 @@ + + + /** ++ * Export a private key in PBES2 format, using a random PBKDF2 salt. ++ * ++ * Token must support the CKM_PKCS5_PBKD2 mechanism. ++ * ++ * @param saltLen Length of salt in bytes (default: 16) ++ * @param kdfIterations PBKDF2 iterations (default: 2000) ++ * @param encAlg The symmetric encryption algorithm for enciphering the ++ * private key. Determines the size of derived key. ++ * @param pwd Password ++ * @param charToByteConverter The mechanism for converting the characters ++ * in the password into bytes. If null, the default mechanism ++ * will be used, which is UTF8. ++ * @param privateKeyInfo The encoded PrivateKeyInfo to be encrypted and ++ * stored in the EncryptedContentInfo. ++ */ ++ public static EncryptedPrivateKeyInfo createPBES2( ++ int saltLen, ++ int kdfIterations, ++ EncryptionAlgorithm encAlg, ++ Password pwd, ++ KeyGenerator.CharToByteConverter charToByteConverter, ++ PrivateKeyInfo privateKeyInfo) ++ throws CryptoManager.NotInitializedException, NoSuchAlgorithmException, ++ InvalidKeyException, InvalidAlgorithmParameterException, TokenException, ++ CharConversionException ++ { ++ if (encAlg == null) ++ throw new IllegalArgumentException("encAlg cannot be null"); ++ if (pwd == null) ++ throw new IllegalArgumentException("pwd cannot be null"); ++ if (privateKeyInfo == null) ++ throw new IllegalArgumentException("privateKeyInfo cannot be null"); ++ ++ if (kdfIterations < 1) ++ kdfIterations = 2000; ++ if (saltLen < 1) ++ saltLen = 16; ++ ++ try { ++ // generate random PBKDF2 salt ++ SecureRandom random = new SecureRandom(); ++ byte salt[] = new byte[saltLen]; ++ random.nextBytes(salt); ++ ++ // derive symmetric key from passphrase using PBKDF2 ++ CryptoManager cm = CryptoManager.getInstance(); ++ CryptoToken token = cm.getInternalCryptoToken(); ++ KeyGenerator kg = token.getKeyGenerator( ++ PBEAlgorithm.PBE_PKCS5_PBKDF2); ++ PBEKeyGenParams pbekgParams = new PBEKeyGenParams( ++ pwd.getChars(), salt, kdfIterations, encAlg); ++ if (charToByteConverter != null) ++ kg.setCharToByteConverter(charToByteConverter); ++ kg.initialize(pbekgParams); ++ SymmetricKey sk = kg.generate(); ++ ++ // encrypt PrivateKeyInfo ++ byte iv[] = new byte[encAlg.getBlockSize()]; ++ random.nextBytes(iv); ++ Cipher cipher = token.getCipherContext(encAlg); ++ cipher.initEncrypt(sk, new IVParameterSpec(iv)); ++ byte[] encData = cipher.doFinal(ASN1Util.encode(privateKeyInfo)); ++ ++ // construct KDF AlgorithmIdentifier ++ SEQUENCE paramsKdf = new SEQUENCE(); ++ paramsKdf.addElement(new OCTET_STRING(salt)); ++ paramsKdf.addElement(new INTEGER((long) kdfIterations)); ++ paramsKdf.addElement(new INTEGER((long) sk.getLength())); ++ AlgorithmIdentifier algIdKdf = new AlgorithmIdentifier( ++ PBEAlgorithm.PBE_PKCS5_PBKDF2.toOID(), paramsKdf); ++ ++ // construct encryption AlgorithmIdentifier ++ AlgorithmIdentifier algIdEnc = new AlgorithmIdentifier( ++ encAlg.toOID(), new OCTET_STRING(iv)); ++ ++ // construct "composite" PBES2 AlgorithmIdentifier ++ SEQUENCE paramsPBES2 = new SEQUENCE(); ++ paramsPBES2.addElement(algIdKdf); ++ paramsPBES2.addElement(algIdEnc); ++ AlgorithmIdentifier algIdPBES2 = new AlgorithmIdentifier( ++ PBEAlgorithm.PBE_PKCS5_PBES2.toOID(), paramsPBES2); ++ ++ // construct EncryptedPrivateKeyInfo ++ return new EncryptedPrivateKeyInfo(algIdPBES2, new OCTET_STRING(encData)); ++ } catch (IllegalBlockSizeException e) { ++ Assert.notReached("IllegalBlockSizeException in EncryptedContentInfo.createPBES2"); ++ } catch (BadPaddingException e) { ++ Assert.notReached("BadPaddingException in EncryptedContentInfo.createPBES2"); ++ } ++ return null; // unreachable ++ } ++ ++ ++ /** + * Creates a new EncryptedPrivateKeyInfo, where the data is encrypted + * with a password-based key- + * with wrapping/unwrapping happening on token. +# HG changeset patch +# User Fraser Tweedale +# Date 1504896964 25200 +# Fri Sep 08 11:56:04 2017 -0700 +# Node ID 87dca07f7529463398734d1279bcfd7023a43d4c +# Parent b3b653faef8475ae03c670766429fd4dfab37a5e +Bug 1370778 PBE and padded block cipher enhancements and fixes - +patch jss-ftweedal-0013-Improve-error-reporting.patch +Subject: Improve error reporting +From: Fraser Tweedale +Content-Type: text/plain +found patch at byte 157 +message: +Improve error reporting + +cfu for ftweedal + +diff -r b3b653faef84 -r 87dca07f7529 org/mozilla/jss/pkcs11/PK11KeyWrapper.c +--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c Fri Sep 08 11:53:36 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c Fri Sep 08 11:56:04 2017 -0700 +@@ -251,9 +251,7 @@ + status = PK11_WrapPrivKey(slot, wrapping, toBeWrapped, mech, param, + &wrapped, NULL /* wincx */ ); + if(status != SECSuccess) { +- char err[256] = {0}; +- PR_snprintf(err, 256, "Wrapping operation failed on token:%d", PR_GetError()); +- JSS_throwMsg(env, TOKEN_EXCEPTION, err); ++ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Wrapping operation failed on token"); + goto finish; + } + PR_ASSERT(wrapped.len>0 && wrapped.data!=NULL); +@@ -450,8 +448,8 @@ + attribs, numAttribs, NULL /*wincx*/); + if( privk == NULL ) { + char err[256] = {0}; +- PR_snprintf(err, 256, "Key Unwrap failed on token:error=%d, keyType=%d", PR_GetError(), keyType); +- JSS_throwMsg(env, TOKEN_EXCEPTION, err); ++ PR_snprintf(err, 256, "Key Unwrap failed on token; keyType=%d", keyType); ++ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, err); + goto finish; + } + +diff -r b3b653faef84 -r 87dca07f7529 org/mozilla/jss/pkcs11/PK11Store.c +--- a/org/mozilla/jss/pkcs11/PK11Store.c Fri Sep 08 11:53:36 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/PK11Store.c Fri Sep 08 11:56:04 2017 -0700 +@@ -734,7 +734,7 @@ + PR_TRUE /* isperm */, PR_TRUE /* isprivate */, + pubKey->keyType, keyUsage, NULL /* wincx */); + if (result != SECSuccess) { +- JSS_throwMsg( ++ JSS_throwMsgPrErr( + env, TOKEN_EXCEPTION, + "Failed to import EncryptedPrivateKeyInfo to token"); + goto finish; diff --git a/SOURCES/jss-fix-PK11Store-getEncryptedPrivateKeyInfo-segfault.patch b/SOURCES/jss-fix-PK11Store-getEncryptedPrivateKeyInfo-segfault.patch new file mode 100644 index 0000000..fb93dc0 --- /dev/null +++ b/SOURCES/jss-fix-PK11Store-getEncryptedPrivateKeyInfo-segfault.patch @@ -0,0 +1,35 @@ +# HG changeset patch +# User Fraser Tweedale +# Date 1505175862 25200 +# Mon Sep 11 17:24:22 2017 -0700 +# Node ID 3e9a5ae2149d04877dc19b117a8917c22854f8eb +# Parent 87dca07f7529463398734d1279bcfd7023a43d4c +Bug 1371147 PK11Store.getEncryptedPrivateKeyInfo() segfault if export fails - +patch jss-ftweedal-0011-Don-t-crash-if-PK11_ExportEncryptedPrivKeyInfo-retur.patch +Subject: Don't crash if PK11_ExportEncryptedPrivKeyInfo returns NULL +From: Fraser Tweedale +Content-Type: text/plain +found patch at byte 239 +message: +Don't crash if PK11_ExportEncryptedPrivKeyInfo returns NULL +PK11_ExportEncryptedPrivKeyInfo returning NULL is not being handled +properly, causing segfault. Detect this condition and raise a +TokenException instead. + +cfu for ftweedal + +diff -r 87dca07f7529 -r 3e9a5ae2149d org/mozilla/jss/pkcs11/PK11Store.c +--- a/org/mozilla/jss/pkcs11/PK11Store.c Fri Sep 08 11:56:04 2017 -0700 ++++ b/org/mozilla/jss/pkcs11/PK11Store.c Mon Sep 11 17:24:22 2017 -0700 +@@ -581,6 +581,11 @@ + // export the epki + epki = PK11_ExportEncryptedPrivKeyInfo( + slot, algTag, pwItem, privk, iterations, NULL /*wincx*/); ++ if (epki == NULL) { ++ JSS_throwMsgPrErr( ++ env, TOKEN_EXCEPTION, "Failed to export EncryptedPrivateKeyInfo"); ++ goto finish; ++ } + + // DER-encode the epki + if (SEC_ASN1EncodeItem(NULL, &epkiItem, epki, diff --git a/SOURCES/jss-post-rebase.patch b/SOURCES/jss-post-rebase.patch new file mode 100644 index 0000000..225ee96 --- /dev/null +++ b/SOURCES/jss-post-rebase.patch @@ -0,0 +1,5484 @@ +From e06171a21b19b1f6f5ce1749cebe2ecf942da614 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 17 Mar 2017 16:45:18 -0700 +Subject: [PATCH 01/11] Added Eclipse project files. Eclipse project file, + classpath, settings have been added to automate cleanups and certain + formattings which will simplify and standardize the development. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1347394 +--- + .classpath | 7 + + .gitignore | 1 + + .project | 17 +++ + .settings/org.eclipse.jdt.core.prefs | 282 +++++++++++++++++++++++++++++++++++ + .settings/org.eclipse.jdt.ui.prefs | 56 +++++++ + 5 files changed, 363 insertions(+) + create mode 100644 .classpath + create mode 100644 .gitignore + create mode 100644 .project + create mode 100644 .settings/org.eclipse.jdt.core.prefs + create mode 100644 .settings/org.eclipse.jdt.ui.prefs + +diff --git a/.classpath b/.classpath +new file mode 100644 +index 0000000..68f6f4f +--- /dev/null ++++ b/.classpath +@@ -0,0 +1,7 @@ ++ ++ ++ ++ ++ ++ ++ +diff --git a/.gitignore b/.gitignore +new file mode 100644 +index 0000000..ba077a4 +--- /dev/null ++++ b/.gitignore +@@ -0,0 +1 @@ ++bin +diff --git a/.project b/.project +new file mode 100644 +index 0000000..7f7adff +--- /dev/null ++++ b/.project +@@ -0,0 +1,17 @@ ++ ++ ++ jss ++ ++ ++ ++ ++ ++ org.eclipse.jdt.core.javabuilder ++ ++ ++ ++ ++ ++ org.eclipse.jdt.core.javanature ++ ++ +diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs +new file mode 100644 +index 0000000..d2fbe82 +--- /dev/null ++++ b/.settings/org.eclipse.jdt.core.prefs +@@ -0,0 +1,282 @@ ++eclipse.preferences.version=1 ++org.eclipse.jdt.core.formatter.align_type_members_on_columns=false ++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_allocation_expression=16 ++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_annotation=0 ++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_enum_constant=16 ++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_explicit_constructor_call=16 ++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_method_invocation=16 ++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_qualified_allocation_expression=16 ++org.eclipse.jdt.core.formatter.alignment_for_assignment=0 ++org.eclipse.jdt.core.formatter.alignment_for_binary_expression=16 ++org.eclipse.jdt.core.formatter.alignment_for_compact_if=16 ++org.eclipse.jdt.core.formatter.alignment_for_conditional_expression=80 ++org.eclipse.jdt.core.formatter.alignment_for_enum_constants=0 ++org.eclipse.jdt.core.formatter.alignment_for_expressions_in_array_initializer=16 ++org.eclipse.jdt.core.formatter.alignment_for_method_declaration=0 ++org.eclipse.jdt.core.formatter.alignment_for_multiple_fields=16 ++org.eclipse.jdt.core.formatter.alignment_for_parameters_in_constructor_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_parameters_in_method_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_resources_in_try=80 ++org.eclipse.jdt.core.formatter.alignment_for_selector_in_method_invocation=16 ++org.eclipse.jdt.core.formatter.alignment_for_superclass_in_type_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_superinterfaces_in_enum_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_superinterfaces_in_type_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_throws_clause_in_constructor_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_throws_clause_in_method_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_union_type_in_multicatch=16 ++org.eclipse.jdt.core.formatter.blank_lines_after_imports=1 ++org.eclipse.jdt.core.formatter.blank_lines_after_package=1 ++org.eclipse.jdt.core.formatter.blank_lines_before_field=0 ++org.eclipse.jdt.core.formatter.blank_lines_before_first_class_body_declaration=0 ++org.eclipse.jdt.core.formatter.blank_lines_before_imports=1 ++org.eclipse.jdt.core.formatter.blank_lines_before_member_type=1 ++org.eclipse.jdt.core.formatter.blank_lines_before_method=1 ++org.eclipse.jdt.core.formatter.blank_lines_before_new_chunk=1 ++org.eclipse.jdt.core.formatter.blank_lines_before_package=0 ++org.eclipse.jdt.core.formatter.blank_lines_between_import_groups=1 ++org.eclipse.jdt.core.formatter.blank_lines_between_type_declarations=1 ++org.eclipse.jdt.core.formatter.brace_position_for_annotation_type_declaration=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_anonymous_type_declaration=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_array_initializer=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_block=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_block_in_case=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_constructor_declaration=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_enum_constant=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_enum_declaration=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_method_declaration=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_switch=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_type_declaration=end_of_line ++org.eclipse.jdt.core.formatter.comment.clear_blank_lines_in_block_comment=false ++org.eclipse.jdt.core.formatter.comment.clear_blank_lines_in_javadoc_comment=false ++org.eclipse.jdt.core.formatter.comment.format_block_comments=false ++org.eclipse.jdt.core.formatter.comment.format_header=false ++org.eclipse.jdt.core.formatter.comment.format_html=true ++org.eclipse.jdt.core.formatter.comment.format_javadoc_comments=true ++org.eclipse.jdt.core.formatter.comment.format_line_comments=false ++org.eclipse.jdt.core.formatter.comment.format_source_code=true ++org.eclipse.jdt.core.formatter.comment.indent_parameter_description=true ++org.eclipse.jdt.core.formatter.comment.indent_root_tags=true ++org.eclipse.jdt.core.formatter.comment.insert_new_line_before_root_tags=insert ++org.eclipse.jdt.core.formatter.comment.insert_new_line_for_parameter=do not insert ++org.eclipse.jdt.core.formatter.comment.line_length=120 ++org.eclipse.jdt.core.formatter.comment.new_lines_at_block_boundaries=true ++org.eclipse.jdt.core.formatter.comment.new_lines_at_javadoc_boundaries=true ++org.eclipse.jdt.core.formatter.comment.preserve_white_space_between_code_and_line_comments=false ++org.eclipse.jdt.core.formatter.compact_else_if=true ++org.eclipse.jdt.core.formatter.continuation_indentation=2 ++org.eclipse.jdt.core.formatter.continuation_indentation_for_array_initializer=2 ++org.eclipse.jdt.core.formatter.disabling_tag=@formatter\:off ++org.eclipse.jdt.core.formatter.enabling_tag=@formatter\:on ++org.eclipse.jdt.core.formatter.format_guardian_clause_on_one_line=false ++org.eclipse.jdt.core.formatter.format_line_comment_starting_on_first_column=false ++org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_annotation_declaration_header=true ++org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_enum_constant_header=true ++org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_enum_declaration_header=true ++org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_type_header=true ++org.eclipse.jdt.core.formatter.indent_breaks_compare_to_cases=true ++org.eclipse.jdt.core.formatter.indent_empty_lines=false ++org.eclipse.jdt.core.formatter.indent_statements_compare_to_block=true ++org.eclipse.jdt.core.formatter.indent_statements_compare_to_body=true ++org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_cases=true ++org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_switch=false ++org.eclipse.jdt.core.formatter.indentation.size=8 ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_field=insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_local_variable=insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_member=insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_method=insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_package=insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_parameter=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_type=insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_label=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_opening_brace_in_array_initializer=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_at_end_of_file_if_missing=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_before_catch_in_try_statement=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_before_closing_brace_in_array_initializer=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_before_else_in_if_statement=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_before_finally_in_try_statement=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_before_while_in_do_statement=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_annotation_declaration=insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_anonymous_type_declaration=insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_block=insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_enum_constant=insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_enum_declaration=insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_method_body=insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_type_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_after_and_in_type_parameter=insert ++org.eclipse.jdt.core.formatter.insert_space_after_assignment_operator=insert ++org.eclipse.jdt.core.formatter.insert_space_after_at_in_annotation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_at_in_annotation_type_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_binary_operator=insert ++org.eclipse.jdt.core.formatter.insert_space_after_closing_angle_bracket_in_type_arguments=insert ++org.eclipse.jdt.core.formatter.insert_space_after_closing_angle_bracket_in_type_parameters=insert ++org.eclipse.jdt.core.formatter.insert_space_after_closing_brace_in_block=insert ++org.eclipse.jdt.core.formatter.insert_space_after_closing_paren_in_cast=insert ++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_assert=insert ++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_case=insert ++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_conditional=insert ++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_for=insert ++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_labeled_statement=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_allocation_expression=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_annotation=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_array_initializer=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_constructor_declaration_parameters=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_constructor_declaration_throws=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_enum_constant_arguments=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_enum_declarations=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_explicitconstructorcall_arguments=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_for_increments=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_for_inits=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_declaration_parameters=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_declaration_throws=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_invocation_arguments=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_multiple_field_declarations=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_multiple_local_declarations=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_parameterized_type_reference=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_superinterfaces=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_type_arguments=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_type_parameters=insert ++org.eclipse.jdt.core.formatter.insert_space_after_ellipsis=insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_parameterized_type_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_type_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_type_parameters=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_brace_in_array_initializer=insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_bracket_in_array_allocation_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_bracket_in_array_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_annotation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_cast=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_catch=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_constructor_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_enum_constant=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_for=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_if=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_method_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_method_invocation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_parenthesized_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_switch=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_synchronized=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_try=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_while=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_postfix_operator=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_prefix_operator=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_question_in_conditional=insert ++org.eclipse.jdt.core.formatter.insert_space_after_question_in_wildcard=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_semicolon_in_for=insert ++org.eclipse.jdt.core.formatter.insert_space_after_semicolon_in_try_resources=insert ++org.eclipse.jdt.core.formatter.insert_space_after_unary_operator=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_and_in_type_parameter=insert ++org.eclipse.jdt.core.formatter.insert_space_before_assignment_operator=insert ++org.eclipse.jdt.core.formatter.insert_space_before_at_in_annotation_type_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_binary_operator=insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_parameterized_type_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_type_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_type_parameters=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_brace_in_array_initializer=insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_bracket_in_array_allocation_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_bracket_in_array_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_annotation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_cast=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_catch=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_constructor_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_enum_constant=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_for=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_if=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_method_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_method_invocation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_parenthesized_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_switch=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_synchronized=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_try=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_while=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_assert=insert ++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_case=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_conditional=insert ++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_default=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_for=insert ++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_labeled_statement=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_allocation_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_annotation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_array_initializer=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_constructor_declaration_parameters=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_constructor_declaration_throws=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_enum_constant_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_enum_declarations=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_explicitconstructorcall_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_for_increments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_for_inits=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_declaration_parameters=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_declaration_throws=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_invocation_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_multiple_field_declarations=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_multiple_local_declarations=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_parameterized_type_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_superinterfaces=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_type_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_type_parameters=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_ellipsis=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_parameterized_type_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_type_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_type_parameters=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_annotation_type_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_anonymous_type_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_array_initializer=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_block=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_constructor_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_enum_constant=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_enum_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_method_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_switch=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_type_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_allocation_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_type_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_annotation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_annotation_type_member_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_catch=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_constructor_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_enum_constant=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_for=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_if=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_method_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_method_invocation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_parenthesized_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_switch=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_synchronized=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_try=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_while=insert ++org.eclipse.jdt.core.formatter.insert_space_before_parenthesized_expression_in_return=insert ++org.eclipse.jdt.core.formatter.insert_space_before_parenthesized_expression_in_throw=insert ++org.eclipse.jdt.core.formatter.insert_space_before_postfix_operator=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_prefix_operator=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_question_in_conditional=insert ++org.eclipse.jdt.core.formatter.insert_space_before_question_in_wildcard=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_semicolon=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_semicolon_in_for=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_semicolon_in_try_resources=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_unary_operator=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_brackets_in_array_type_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_braces_in_array_initializer=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_brackets_in_array_allocation_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_annotation_type_member_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_constructor_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_enum_constant=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_method_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_method_invocation=do not insert ++org.eclipse.jdt.core.formatter.join_lines_in_comments=false ++org.eclipse.jdt.core.formatter.join_wrapped_lines=false ++org.eclipse.jdt.core.formatter.keep_else_statement_on_same_line=false ++org.eclipse.jdt.core.formatter.keep_empty_array_initializer_on_one_line=false ++org.eclipse.jdt.core.formatter.keep_imple_if_on_one_line=false ++org.eclipse.jdt.core.formatter.keep_then_statement_on_same_line=false ++org.eclipse.jdt.core.formatter.lineSplit=120 ++org.eclipse.jdt.core.formatter.never_indent_block_comments_on_first_column=false ++org.eclipse.jdt.core.formatter.never_indent_line_comments_on_first_column=false ++org.eclipse.jdt.core.formatter.number_of_blank_lines_at_beginning_of_method_body=0 ++org.eclipse.jdt.core.formatter.number_of_empty_lines_to_preserve=1 ++org.eclipse.jdt.core.formatter.put_empty_statement_on_new_line=true ++org.eclipse.jdt.core.formatter.tabulation.char=space ++org.eclipse.jdt.core.formatter.tabulation.size=4 ++org.eclipse.jdt.core.formatter.use_on_off_tags=false ++org.eclipse.jdt.core.formatter.use_tabs_only_for_leading_indentations=false ++org.eclipse.jdt.core.formatter.wrap_before_binary_operator=true ++org.eclipse.jdt.core.formatter.wrap_before_or_operator_multicatch=true ++org.eclipse.jdt.core.formatter.wrap_outer_expressions_when_nested=true +diff --git a/.settings/org.eclipse.jdt.ui.prefs b/.settings/org.eclipse.jdt.ui.prefs +new file mode 100644 +index 0000000..40b7812 +--- /dev/null ++++ b/.settings/org.eclipse.jdt.ui.prefs +@@ -0,0 +1,56 @@ ++eclipse.preferences.version=1 ++editor_save_participant_org.eclipse.jdt.ui.postsavelistener.cleanup=true ++formatter_profile=_PKI Project Profile ++formatter_settings_version=12 ++sp_cleanup.add_default_serial_version_id=true ++sp_cleanup.add_generated_serial_version_id=false ++sp_cleanup.add_missing_annotations=false ++sp_cleanup.add_missing_deprecated_annotations=true ++sp_cleanup.add_missing_methods=false ++sp_cleanup.add_missing_nls_tags=false ++sp_cleanup.add_missing_override_annotations=true ++sp_cleanup.add_missing_override_annotations_interface_methods=true ++sp_cleanup.add_serial_version_id=false ++sp_cleanup.always_use_blocks=true ++sp_cleanup.always_use_parentheses_in_expressions=false ++sp_cleanup.always_use_this_for_non_static_field_access=false ++sp_cleanup.always_use_this_for_non_static_method_access=false ++sp_cleanup.convert_to_enhanced_for_loop=false ++sp_cleanup.correct_indentation=false ++sp_cleanup.format_source_code=false ++sp_cleanup.format_source_code_changes_only=false ++sp_cleanup.make_local_variable_final=false ++sp_cleanup.make_parameters_final=false ++sp_cleanup.make_private_fields_final=true ++sp_cleanup.make_type_abstract_if_missing_method=false ++sp_cleanup.make_variable_declarations_final=false ++sp_cleanup.never_use_blocks=false ++sp_cleanup.never_use_parentheses_in_expressions=true ++sp_cleanup.on_save_use_additional_actions=true ++sp_cleanup.organize_imports=true ++sp_cleanup.qualify_static_field_accesses_with_declaring_class=false ++sp_cleanup.qualify_static_member_accesses_through_instances_with_declaring_class=true ++sp_cleanup.qualify_static_member_accesses_through_subtypes_with_declaring_class=true ++sp_cleanup.qualify_static_member_accesses_with_declaring_class=false ++sp_cleanup.qualify_static_method_accesses_with_declaring_class=false ++sp_cleanup.remove_private_constructors=true ++sp_cleanup.remove_trailing_whitespaces=true ++sp_cleanup.remove_trailing_whitespaces_all=true ++sp_cleanup.remove_trailing_whitespaces_ignore_empty=false ++sp_cleanup.remove_unnecessary_casts=true ++sp_cleanup.remove_unnecessary_nls_tags=false ++sp_cleanup.remove_unused_imports=true ++sp_cleanup.remove_unused_local_variables=false ++sp_cleanup.remove_unused_private_fields=true ++sp_cleanup.remove_unused_private_members=false ++sp_cleanup.remove_unused_private_methods=true ++sp_cleanup.remove_unused_private_types=true ++sp_cleanup.sort_members=false ++sp_cleanup.sort_members_all=false ++sp_cleanup.use_blocks=false ++sp_cleanup.use_blocks_only_for_return_and_throw=false ++sp_cleanup.use_parentheses_in_expressions=false ++sp_cleanup.use_this_for_non_static_field_access=false ++sp_cleanup.use_this_for_non_static_field_access_only_if_necessary=true ++sp_cleanup.use_this_for_non_static_method_access=false ++sp_cleanup.use_this_for_non_static_method_access_only_if_necessary=true +-- +2.9.3 + + +From 8019c869865593a8fc078ca6dd555191711dad7b Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 17 Mar 2017 16:45:25 -0700 +Subject: [PATCH 02/11] Cleaned up SSLSocket class. The SSLSocket class has + been cleaned up using Eclipse to remove trailing white spaces and wildcards + in import statements. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1347394 +--- + org/mozilla/jss/ssl/SSLSocket.java | 179 +++++++++++++++++++------------------ + 1 file changed, 90 insertions(+), 89 deletions(-) + +diff --git a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java +index f91b218..642a3e6 100644 +--- a/org/mozilla/jss/ssl/SSLSocket.java ++++ b/org/mozilla/jss/ssl/SSLSocket.java +@@ -4,12 +4,13 @@ + + package org.mozilla.jss.ssl; + +-import java.lang.IllegalArgumentException; +-import java.net.*; ++import java.io.IOException; ++import java.io.InputStream; ++import java.io.OutputStream; ++import java.net.InetAddress; + import java.net.SocketException; + import java.net.SocketTimeoutException; +-import java.io.*; +-import java.io.IOException; ++import java.net.UnknownHostException; + import java.util.Vector; + + /** +@@ -41,13 +42,13 @@ public class SSLSocket extends java.net.Socket { + private boolean open = false; + private boolean handshakeAsClient = true; + private SocketBase base = new SocketBase(); +- static final public int SSL_REQUIRE_NEVER = ++ static final public int SSL_REQUIRE_NEVER = + org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_NEVER; +- static final public int SSL_REQUIRE_ALWAYS = ++ static final public int SSL_REQUIRE_ALWAYS = + org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_ALWAYS; +- static final public int SSL_REQUIRE_FIRST_HANDSHAKE = ++ static final public int SSL_REQUIRE_FIRST_HANDSHAKE = + org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_FIRST_HANDSHAKE; +- static final public int SSL_REQUIRE_NO_ERROR = ++ static final public int SSL_REQUIRE_NO_ERROR = + org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_NO_ERROR; + static final public int SSL_RENEGOTIATE_NEVER = + org.mozilla.jss.ssl.SocketBase.SSL_RENEGOTIATE_NEVER; +@@ -411,12 +412,12 @@ public class SSLSocket extends java.net.Socket { + */ + public native void setReceiveBufferSize(int size) throws SocketException; + +- /** ++ /** + * Returnst he size (in bytes) of the receive buffer. + */ + public native int getReceiveBufferSize() throws SocketException; + +- /** ++ /** + * Closes this socket. + */ + public void close() throws IOException { +@@ -488,7 +489,7 @@ public class SSLSocket extends java.net.Socket { + l.handshakeCompleted(event); + } + } +- ++ + + /** + * Enables SSL v2 on this socket. It is enabled by default, unless the +@@ -534,10 +535,10 @@ public class SSLSocket extends java.net.Socket { + static public void enableTLSDefault(boolean enable) throws SocketException{ + setSSLDefaultOption(SocketBase.SSL_ENABLE_TLS, enable); + } +- ++ + /** +- * Enables Session tickets on this socket. It is disabled by default, +- * unless the default has been changed with ++ * Enables Session tickets on this socket. It is disabled by default, ++ * unless the default has been changed with + * enableSessionTicketsDefault. + */ + public void enableSessionTickets(boolean enable) throws SocketException { +@@ -547,7 +548,7 @@ public class SSLSocket extends java.net.Socket { + /** + * Sets the default for Session Tickets for all new sockets. + */ +- static public void enableSessionTicketsDefault(boolean enable) ++ static public void enableSessionTicketsDefault(boolean enable) + throws SocketException{ + setSSLDefaultOption(SocketBase.SSL_ENABLE_SESSION_TICKETS, enable); + } +@@ -643,26 +644,26 @@ public class SSLSocket extends java.net.Socket { + + /** + * Enable rollback detection for this socket. +- * It is enabled by default, unless the default has been changed ++ * It is enabled by default, unless the default has been changed + * with enableRollbackDetectionDefault. + */ +- public void enableRollbackDetection(boolean enable) +- throws SocketException ++ public void enableRollbackDetection(boolean enable) ++ throws SocketException + { + base.enableRollbackDetection(enable); + } +- ++ + /** + * Sets the default rollback detection for all new sockets. + */ +- static void enableRollbackDetectionDefault(boolean enable) +- throws SocketException ++ static void enableRollbackDetectionDefault(boolean enable) ++ throws SocketException + { + setSSLDefaultOption(SocketBase.SSL_ROLLBACK_DETECTION, enable); + } +- ++ + /** +- * This option, enableStepDown, is concerned with the generation ++ * This option, enableStepDown, is concerned with the generation + * of step-down keys which are used with export suites. + * If the server cert's public key is 512 bits or less + * this option is ignored because step-down keys don't +@@ -673,15 +674,15 @@ public class SSLSocket extends java.net.Socket { + * enable=false: don't generate step-down keys; disable + * export cipher suites + * +- * This option is enabled by default; unless the default has ++ * This option is enabled by default; unless the default has + * been changed with SSLSocket.enableStepDownDefault. + */ + public void enableStepDown(boolean enable) throws SocketException { + base.enableStepDown(enable); + } + /** +- * This option, enableStepDownDefault, is concerned with the +- * generation of step-down keys which are used with export suites. ++ * This option, enableStepDownDefault, is concerned with the ++ * generation of step-down keys which are used with export suites. + * This options will set the default for all sockets. + * If the server cert's public key is 512 bits of less, + * this option is ignored because step-down keys don't +@@ -694,92 +695,92 @@ public class SSLSocket extends java.net.Socket { + * + * This option is enabled by default for all sockets. + */ +- static void enableStepDownDefault(boolean enable) +- throws SocketException ++ static void enableStepDownDefault(boolean enable) ++ throws SocketException + { + setSSLDefaultOption(SocketBase.SSL_NO_STEP_DOWN, enable); + } + + /** +- * Enable simultaneous read/write by separate read and write threads ++ * Enable simultaneous read/write by separate read and write threads + * (full duplex) for this socket. +- * It is disabled by default, unless the default has been changed ++ * It is disabled by default, unless the default has been changed + * with enableFDXDefault. + */ +- public void enableFDX(boolean enable) +- throws SocketException ++ public void enableFDX(boolean enable) ++ throws SocketException + { + base.enableFDX(enable); + } +- ++ + /** +- * Sets the default to permit simultaneous read/write ++ * Sets the default to permit simultaneous read/write + * by separate read and write threads (full duplex) + * for all new sockets. + */ +- static void enableFDXDefault(boolean enable) +- throws SocketException ++ static void enableFDXDefault(boolean enable) ++ throws SocketException + { + setSSLDefaultOption(SocketBase.SSL_ENABLE_FDX, enable); + } + + /** + * Enable sending v3 client hello in v2 format for this socket. +- * It is enabled by default, unless the default has been changed ++ * It is enabled by default, unless the default has been changed + * with enableV2CompatibleHelloDefault. + */ +- public void enableV2CompatibleHello(boolean enable) +- throws SocketException ++ public void enableV2CompatibleHello(boolean enable) ++ throws SocketException + { + base.enableV2CompatibleHello(enable); + } +- +- /** ++ ++ /** + * Sets the default to send v3 client hello in v2 format + * for all new sockets. + */ +- static void enableV2CompatibleHelloDefault(boolean enable) +- throws SocketException ++ static void enableV2CompatibleHelloDefault(boolean enable) ++ throws SocketException + { + setSSLDefaultOption(SocketBase.SSL_V2_COMPATIBLE_HELLO, enable); + } +- ++ + /** + * @return a String listing the current SSLOptions for this SSLSocket. + */ + public String getSSLOptions() { + return base.getSSLOptions(); + } +- ++ + /** +- * +- * @param option +- * @return 0 for option disabled 1 for option enabled. ++ * ++ * @param option ++ * @return 0 for option disabled 1 for option enabled. + */ + static private native int getSSLDefaultOption(int option) + throws SocketException; + + /** +- * ++ * + * @return a String listing the Default SSLOptions for all SSLSockets. + */ + static public String getSSLDefaultOptions() { + StringBuffer buf = new StringBuffer(); + try { + buf.append("Default Options configured for all SSLSockets: "); +- buf.append("\nSSL_ENABLE_SSL2" + ++ buf.append("\nSSL_ENABLE_SSL2" + + ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SSL2) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_ENABLE_SSL3" + +- ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SSL3) != 0) ++ buf.append("\nSSL_ENABLE_SSL3" + ++ ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SSL3) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_ENABLE_TLS" + +- ((getSSLDefaultOption(SocketBase.SSL_ENABLE_TLS) != 0) ++ buf.append("\nSSL_ENABLE_TLS" + ++ ((getSSLDefaultOption(SocketBase.SSL_ENABLE_TLS) != 0) + ? "=on" : "=off")); + buf.append("\nSSL_ENABLE_SESSION_TICKETS" + + ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SESSION_TICKETS) + != 0) ? "=on" : "=off")); +- buf.append("\nSSL_REQUIRE_CERTIFICATE"); ++ buf.append("\nSSL_REQUIRE_CERTIFICATE"); + switch (getSSLDefaultOption(SocketBase.SSL_REQUIRE_CERTIFICATE)) { + case 0: + buf.append("=Never"); +@@ -797,23 +798,23 @@ public class SSLSocket extends java.net.Socket { + buf.append("=Report JSS Bug this option has a status."); + break; + } //end switch +- buf.append("\nSSL_REQUEST_CERTIFICATE" + +- ((getSSLDefaultOption(SocketBase.SSL_REQUEST_CERTIFICATE) != 0) ++ buf.append("\nSSL_REQUEST_CERTIFICATE" + ++ ((getSSLDefaultOption(SocketBase.SSL_REQUEST_CERTIFICATE) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_NO_CACHE" + ++ buf.append("\nSSL_NO_CACHE" + + ((getSSLDefaultOption(SocketBase.SSL_NO_CACHE) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_ROLLBACK_DETECTION" + ++ buf.append("\nSSL_ROLLBACK_DETECTION" + + ((getSSLDefaultOption(SocketBase.SSL_ROLLBACK_DETECTION) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_NO_STEP_DOWN" + ++ buf.append("\nSSL_NO_STEP_DOWN" + + ((getSSLDefaultOption(SocketBase.SSL_NO_STEP_DOWN) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_ENABLE_FDX" + ++ buf.append("\nSSL_ENABLE_FDX" + + ((getSSLDefaultOption(SocketBase.SSL_ENABLE_FDX) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_V2_COMPATIBLE_HELLO" + +- ((getSSLDefaultOption(SocketBase.SSL_V2_COMPATIBLE_HELLO) != 0) ++ buf.append("\nSSL_V2_COMPATIBLE_HELLO" + ++ ((getSSLDefaultOption(SocketBase.SSL_V2_COMPATIBLE_HELLO) != 0) + ? "=on" : "=off")); + buf.append("\nSSL_ENABLE_SESSION_TICKETS" + + ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SESSION_TICKETS) +@@ -845,7 +846,7 @@ public class SSLSocket extends java.net.Socket { + } + return buf.toString(); + } +- ++ + /** + * Sets whether the socket requires client authentication from the remote + * peer. If requestClientAuth() has not already been called, this +@@ -863,19 +864,19 @@ public class SSLSocket extends java.net.Socket { + * Sets whether the socket requires client authentication from the remote + * peer. If requestClientAuth() has not already been called, this method + * will tell the socket to request client auth as well as requiring it. +- * This is only meaningful for the server end of the SSL connection. +- * During the next handshake, the remote peer will be asked to ++ * This is only meaningful for the server end of the SSL connection. ++ * During the next handshake, the remote peer will be asked to + * authenticate itself with the requirement that was set. + * +- * @param mode One of: SSLSocket.SSL_REQUIRE_NEVER, +- * SSLSocket.SSL_REQUIRE_ALWAYS, +- * SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE, ++ * @param mode One of: SSLSocket.SSL_REQUIRE_NEVER, ++ * SSLSocket.SSL_REQUIRE_ALWAYS, ++ * SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE, + * SSLSocket.SSL_REQUIRE_NO_ERROR + */ + public void requireClientAuth(int mode) + throws SocketException + { +- if (mode >= SocketBase.SSL_REQUIRE_NEVER && ++ if (mode >= SocketBase.SSL_REQUIRE_NEVER && + mode <= SocketBase.SSL_REQUIRE_NO_ERROR) { + base.requireClientAuth(mode); + } else { +@@ -900,15 +901,15 @@ public class SSLSocket extends java.net.Socket { + * All subsequently created sockets will use this default setting + * This is only meaningful for the server end of the SSL connection. + * +- * @param mode One of: SSLSocket.SSL_REQUIRE_NEVER, +- * SSLSocket.SSL_REQUIRE_ALWAYS, +- * SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE, ++ * @param mode One of: SSLSocket.SSL_REQUIRE_NEVER, ++ * SSLSocket.SSL_REQUIRE_ALWAYS, ++ * SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE, + * SSLSocket.SSL_REQUIRE_NO_ERROR + */ + static public void requireClientAuthDefault(int mode) + throws SocketException + { +- if (mode >= SocketBase.SSL_REQUIRE_NEVER && ++ if (mode >= SocketBase.SSL_REQUIRE_NEVER && + mode <= SocketBase.SSL_REQUIRE_NO_ERROR) { + setSSLDefaultOption(SocketBase.SSL_REQUEST_CERTIFICATE, true); + setSSLDefaultOptionMode(SocketBase.SSL_REQUIRE_CERTIFICATE,mode); +@@ -924,7 +925,7 @@ public class SSLSocket extends java.net.Socket { + */ + public native void forceHandshake() throws SocketException; + +- /** ++ /** + * Determines whether this end of the socket is the client or the server + * for purposes of the SSL protocol. By default, it is the client. + * @param b true if this end of the socket is the SSL slient, false +@@ -1031,7 +1032,7 @@ public class SSLSocket extends java.net.Socket { + base.useCache(b); + } + +- /** ++ /** + * Sets the default setting for use of the session cache. + */ + public void useCacheDefault(boolean b) throws SocketException { +@@ -1090,7 +1091,7 @@ public class SSLSocket extends java.net.Socket { + setSSLVersionRangeDefault(ssl_variant.getEnum(), range.getMinEnum(), range.getMaxEnum()); + } + +- /** ++ /** + * Sets SSL Version Range Default + */ + private static native void setSSLVersionRangeDefault(int ssl_variant, int min, int max) +@@ -1102,13 +1103,13 @@ public class SSLSocket extends java.net.Socket { + setSSLDefaultOption(option, on ? 1 : 0); + } + +- /** ++ /** + * Sets SSL Default options that have simple enable/disable values. + */ + private static native void setSSLDefaultOption(int option, int on) + throws SocketException; + +- /** ++ /** + * Set SSL default options that have more modes than enable/disable. + */ + private static native void setSSLDefaultOptionMode(int option, int mode) +@@ -1141,19 +1142,19 @@ public class SSLSocket extends java.net.Socket { + native int socketAvailable() + throws IOException; + +- int read(byte[] b, int off, int len) ++ int read(byte[] b, int off, int len) + throws IOException, SocketTimeoutException { + synchronized (readLock) { + synchronized (this) { + if ( isClosed ) { /* abort read if socket is closed */ + throw new IOException( +- "Socket has been closed, and cannot be reused."); ++ "Socket has been closed, and cannot be reused."); + } +- inRead = true; ++ inRead = true; + } + int iRet; + try { +- iRet = socketRead(b, off, len, base.getTimeout()); ++ iRet = socketRead(b, off, len, base.getTimeout()); + } catch (SocketTimeoutException ste) { + throw new SocketTimeoutException( + "SocketTimeoutException cannot read on socket"); +@@ -1169,13 +1170,13 @@ public class SSLSocket extends java.net.Socket { + } + } + +- void write(byte[] b, int off, int len) ++ void write(byte[] b, int off, int len) + throws IOException, SocketTimeoutException { + synchronized (writeLock) { + synchronized (this) { + if ( isClosed ) { /* abort write if socket is closed */ + throw new IOException( +- "Socket has been closed, and cannot be reused."); ++ "Socket has been closed, and cannot be reused."); + } + inWrite = true; + } +@@ -1284,9 +1285,9 @@ public class SSLSocket extends java.net.Socket { + } + + /** +- * isFipsCipherSuite ++ * isFipsCipherSuite + * +- *@return true if the ciphersuite isFIPS, false otherwise ++ *@return true if the ciphersuite isFIPS, false otherwise + */ + public static boolean isFipsCipherSuite(int ciphersuite) throws SocketException { + return isFipsCipherSuiteNative(ciphersuite); +@@ -1364,12 +1365,12 @@ public class SSLSocket extends java.net.Socket { + + public final static int TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062; + public final static int TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064; +- ++ + public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063; + public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065; + public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066; + +-// New TLS cipher suites in NSS 3.4 ++// New TLS cipher suites in NSS 3.4 + public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F; + public final static int TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030; + public final static int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031; +-- +2.9.3 + + +From 0138f3f47e061c088ca231f9b177363beb2c2f62 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 17 Mar 2017 16:58:28 -0700 +Subject: [PATCH 03/11] Reformatted cipher definitions in SSLSocket class. The + cipher definitions in SSLSocket class have been moved to the top of the class + and reformatted for better readability. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1347429 +--- + org/mozilla/jss/ssl/SSLSocket.java | 289 ++++++++++++++++++------------------- + 1 file changed, 144 insertions(+), 145 deletions(-) + +diff --git a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java +index 642a3e6..ce39987 100644 +--- a/org/mozilla/jss/ssl/SSLSocket.java ++++ b/org/mozilla/jss/ssl/SSLSocket.java +@@ -18,6 +18,150 @@ import java.util.Vector; + */ + public class SSLSocket extends java.net.Socket { + ++ /** ++ * ++ * Note the following cipher-suites constants are not all implemented. ++ * You need to call getImplementedCiphersuites. ++ * ++ */ ++ ++ public final static int SSL2_RC4_128_WITH_MD5 = 0xFF01; ++ public final static int SSL2_RC4_128_EXPORT40_WITH_MD5 = 0xFF02; ++ public final static int SSL2_RC2_128_CBC_WITH_MD5 = 0xFF03; ++ public final static int SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 = 0xFF04; ++ public final static int SSL2_IDEA_128_CBC_WITH_MD5 = 0xFF05; ++ public final static int SSL2_DES_64_CBC_WITH_MD5 = 0xFF06; ++ public final static int SSL2_DES_192_EDE3_CBC_WITH_MD5 = 0xFF07; ++ ++ public final static int SSL3_RSA_WITH_NULL_MD5 = 0x0001; ++ public final static int SSL3_RSA_WITH_NULL_SHA = 0x0002; ++ public final static int SSL3_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003; ++ public final static int SSL3_RSA_WITH_RC4_128_MD5 = 0x0004; ++ public final static int SSL3_RSA_WITH_RC4_128_SHA = 0x0005; ++ public final static int SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006; ++ public final static int SSL3_RSA_WITH_IDEA_CBC_SHA = 0x0007; ++ public final static int SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008; ++ public final static int SSL3_RSA_WITH_DES_CBC_SHA = 0x0009; ++ public final static int SSL3_RSA_WITH_3DES_EDE_CBC_SHA = 0x000a; ++ ++ public final static int SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000b; ++ public final static int SSL3_DH_DSS_WITH_DES_CBC_SHA = 0x000c; ++ public final static int SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000d; ++ public final static int SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000e; ++ public final static int SSL3_DH_RSA_WITH_DES_CBC_SHA = 0x000f; ++ public final static int SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010; ++ ++ public final static int SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011; ++ public final static int SSL3_DHE_DSS_WITH_DES_CBC_SHA = 0x0012; ++ public final static int SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013; ++ public final static int SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014; ++ public final static int SSL3_DHE_RSA_WITH_DES_CBC_SHA = 0x0015; ++ public final static int SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016; ++ ++ public final static int SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017; ++ public final static int SSL3_DH_ANON_WITH_RC4_128_MD5 = 0x0018; ++ public final static int SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019; ++ public final static int SSL3_DH_ANON_WITH_DES_CBC_SHA = 0x001a; ++ public final static int SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001b; ++ ++ /** ++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. ++ * SSL3_FORTEZZA_DMS_WITH_NULL_SHA, SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA ++ * and SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA are placeholders for ++ * backward compatibility. ++ */ ++ public final static int SSL3_FORTEZZA_DMS_WITH_NULL_SHA = 0x001c; ++ public final static int SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = 0x001d; ++ public final static int SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA = 0x001e; ++ ++ public final static int SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xfeff; ++ public final static int SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xfefe; ++ ++ public final static int TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062; ++ public final static int TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064; ++ ++ public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063; ++ public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065; ++ public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066; ++ public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067; ++ public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B; ++ ++ // New TLS cipher suites in NSS 3.4 ++ public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F; ++ public final static int TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030; ++ public final static int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031; ++ public final static int TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032; ++ public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033; ++ public final static int TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034; ++ ++ public final static int TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035; ++ public final static int TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036; ++ public final static int TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037; ++ public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038; ++ public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039; ++ public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A; ++ public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003B; ++ public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C; ++ public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D; ++ ++ public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041; ++ public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042; ++ public final static int TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043; ++ public final static int TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044; ++ public final static int TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045; ++ public final static int TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046; ++ ++ public final static int TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084; ++ public final static int TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085; ++ public final static int TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086; ++ public final static int TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087; ++ public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088; ++ public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089; ++ ++ public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096; ++ ++ public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C; ++ public final static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E; ++ public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2; ++ ++ public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001; ++ public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002; ++ public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003; ++ public final static int TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xc004; ++ public final static int TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xc005; ++ ++ public final static int TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xc006; ++ public final static int TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xc007; ++ public final static int TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc008; ++ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xc009; ++ public final static int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xc00a; ++ ++ public final static int TLS_ECDH_RSA_WITH_NULL_SHA = 0xc00b; ++ public final static int TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xc00c; ++ public final static int TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xc00d; ++ public final static int TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xc00e; ++ public final static int TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xc00f; ++ ++ public final static int TLS_ECDHE_RSA_WITH_NULL_SHA = 0xc010; ++ public final static int TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xc011; ++ public final static int TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xc012; ++ public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xc013; ++ public final static int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xc014; ++ ++ public final static int TLS_ECDH_anon_WITH_NULL_SHA = 0xc015; ++ public final static int TLS_ECDH_anon_WITH_RC4_128_SHA = 0xc016; ++ public final static int TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xc017; ++ public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018; ++ public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019; ++ ++ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023; ++ public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027; ++ ++ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02B; ++ public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D; ++ public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02F; ++ public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031; ++ + /* + * Locking strategy of SSLSocket + * +@@ -1303,149 +1447,4 @@ public class SSLSocket extends java.net.Socket { + * TLS_RSA_WITH_AES_128_CBC_SHA). + */ + public static native int[] getImplementedCipherSuites(); +- +- /** +- * +- * Note the following cipher-suites constants are not all implemented. +- * You need to call getImplementedCiphersuites. +- * +- */ +- +- public final static int SSL2_RC4_128_WITH_MD5 = 0xFF01; +- public final static int SSL2_RC4_128_EXPORT40_WITH_MD5 = 0xFF02; +- public final static int SSL2_RC2_128_CBC_WITH_MD5 = 0xFF03; +- public final static int SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 = 0xFF04; +- public final static int SSL2_IDEA_128_CBC_WITH_MD5 = 0xFF05; +- public final static int SSL2_DES_64_CBC_WITH_MD5 = 0xFF06; +- public final static int SSL2_DES_192_EDE3_CBC_WITH_MD5 = 0xFF07; +- +- public final static int SSL3_RSA_WITH_NULL_MD5 = 0x0001; +- public final static int SSL3_RSA_WITH_NULL_SHA = 0x0002; +- public final static int SSL3_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003; +- public final static int SSL3_RSA_WITH_RC4_128_MD5 = 0x0004; +- public final static int SSL3_RSA_WITH_RC4_128_SHA = 0x0005; +- public final static int SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006; +- public final static int SSL3_RSA_WITH_IDEA_CBC_SHA = 0x0007; +- public final static int SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008; +- public final static int SSL3_RSA_WITH_DES_CBC_SHA = 0x0009; +- public final static int SSL3_RSA_WITH_3DES_EDE_CBC_SHA = 0x000a; +- +- public final static int SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000b; +- public final static int SSL3_DH_DSS_WITH_DES_CBC_SHA = 0x000c; +- public final static int SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000d; +- public final static int SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000e; +- public final static int SSL3_DH_RSA_WITH_DES_CBC_SHA = 0x000f; +- public final static int SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010; +- +- public final static int SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011; +- public final static int SSL3_DHE_DSS_WITH_DES_CBC_SHA = 0x0012; +- public final static int SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013; +- public final static int SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014; +- public final static int SSL3_DHE_RSA_WITH_DES_CBC_SHA = 0x0015; +- public final static int SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016; +- +- public final static int SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017; +- public final static int SSL3_DH_ANON_WITH_RC4_128_MD5 = 0x0018; +- public final static int SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019; +- public final static int SSL3_DH_ANON_WITH_DES_CBC_SHA = 0x001a; +- public final static int SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001b; +- +- /** +- * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. +- * SSL3_FORTEZZA_DMS_WITH_NULL_SHA, SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA +- * and SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA are placeholders for +- * backward compatibility. +- */ +- public final static int SSL3_FORTEZZA_DMS_WITH_NULL_SHA = 0x001c; +- public final static int SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA= 0x001d; +- public final static int SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA = 0x001e; +- +- public final static int SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xfeff; +- public final static int SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xfefe; +- +- public final static int TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062; +- public final static int TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064; +- +- public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063; +- public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065; +- public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066; +- +-// New TLS cipher suites in NSS 3.4 +- public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F; +- public final static int TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030; +- public final static int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031; +- public final static int TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032; +- public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033; +- public final static int TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034; +- +- public final static int TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035; +- public final static int TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036; +- public final static int TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037; +- public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038; +- public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039; +- public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003a; +- public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003b; +- public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003c; +- public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003d; +- +- public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041; +- public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042; +- public final static int TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043; +- public final static int TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044; +- public final static int TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045; +- public final static int TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046; +- +- public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067; +- public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006b; +- +- public final static int TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084; +- public final static int TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085; +- public final static int TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086; +- public final static int TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087; +- public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088; +- public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089; +- +- public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096; +- +- public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009c; +- public final static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009e; +- public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2; +- +- public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001; +- public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002; +- public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003; +- public final static int TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xc004; +- public final static int TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xc005; +- +- public final static int TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xc006; +- public final static int TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xc007; +- public final static int TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc008; +- public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xc009; +- public final static int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xc00a; +- +- public final static int TLS_ECDH_RSA_WITH_NULL_SHA = 0xc00b; +- public final static int TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xc00c; +- public final static int TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xc00d; +- public final static int TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xc00e; +- public final static int TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xc00f; +- +- public final static int TLS_ECDHE_RSA_WITH_NULL_SHA = 0xc010; +- public final static int TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xc011; +- public final static int TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xc012; +- public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xc013; +- public final static int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xc014; +- +- public final static int TLS_ECDH_anon_WITH_NULL_SHA = 0xc015; +- public final static int TLS_ECDH_anon_WITH_RC4_128_SHA = 0xc016; +- public final static int TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xc017; +- public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018; +- public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019; +- +- public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023; +- public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027; +- public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02b; +- public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D; +- public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02f; +- public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031; + } +- +-- +2.9.3 + + +From 71f8cd5a15610690f6e8f226fc081b10f9dd9cb6 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 17 Mar 2017 16:59:11 -0700 +Subject: [PATCH 04/11] Added annotations for deprecated SSL 3.0 ciphers. Some + SSL 3.0 ciphers have deprecated according to this list: + https://github.com/nss-dev/nss/blob/master/lib/ssl/sslproto.h + +The deprecated cipher definitions have been marked accordingly +in the SSLSocket class. The replacement cipher definitions (if +any) have been added with the same cipher IDs. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1347429 +--- + org/mozilla/jss/ssl/SSLSocket.java | 152 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 149 insertions(+), 3 deletions(-) + +diff --git a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java +index ce39987..2e1ac54 100644 +--- a/org/mozilla/jss/ssl/SSLSocket.java ++++ b/org/mozilla/jss/ssl/SSLSocket.java +@@ -33,45 +33,166 @@ public class SSLSocket extends java.net.Socket { + public final static int SSL2_DES_64_CBC_WITH_MD5 = 0xFF06; + public final static int SSL2_DES_192_EDE3_CBC_WITH_MD5 = 0xFF07; + ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_NULL_MD5. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_NULL_MD5 = 0x0001; ++ public final static int TLS_RSA_WITH_NULL_MD5 = 0x0001; ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_NULL_SHA. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_NULL_SHA = 0x0002; ++ public final static int TLS_RSA_WITH_NULL_SHA = 0x0002; ++ + public final static int SSL3_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003; ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_RC4_128_MD5. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_RC4_128_MD5 = 0x0004; ++ public final static int TLS_RSA_WITH_RC4_128_MD5 = 0x0004; ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_RC4_128_SHA. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_RC4_128_SHA = 0x0005; ++ public final static int TLS_RSA_WITH_RC4_128_SHA = 0x0005; ++ + public final static int SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006; ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_IDEA_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_IDEA_CBC_SHA = 0x0007; ++ public final static int TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007; ++ + public final static int SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008; ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_DES_CBC_SHA = 0x0009; ++ public final static int TLS_RSA_WITH_DES_CBC_SHA = 0x0009; ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_3DES_EDE_CBC_SHA = 0x000a; ++ public final static int TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000a; + + public final static int SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000b; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_DSS_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DH_DSS_WITH_DES_CBC_SHA = 0x000c; ++ public final static int TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000c; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000d; ++ public final static int TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000d; ++ + public final static int SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000e; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_RSA_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DH_RSA_WITH_DES_CBC_SHA = 0x000f; ++ public final static int TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000f; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010; ++ public final static int TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010; + + public final static int SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011; ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_DSS_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DHE_DSS_WITH_DES_CBC_SHA = 0x0012; ++ public final static int TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012; ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013; ++ public final static int TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013; ++ + public final static int SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014; ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_RSA_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DHE_RSA_WITH_DES_CBC_SHA = 0x0015; ++ public final static int TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015; ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016; ++ public final static int TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016; + + public final static int SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_RC4_128_MD5. ++ */ ++ @Deprecated + public final static int SSL3_DH_ANON_WITH_RC4_128_MD5 = 0x0018; ++ public final static int TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018; ++ + public final static int SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DH_ANON_WITH_DES_CBC_SHA = 0x001a; ++ public final static int TLS_DH_anon_WITH_DES_CBC_SHA = 0x001a; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001b; ++ public final static int TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001b; + + /** + * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. +- * SSL3_FORTEZZA_DMS_WITH_NULL_SHA, SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA +- * and SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA are placeholders for +- * backward compatibility. + */ ++ @Deprecated + public final static int SSL3_FORTEZZA_DMS_WITH_NULL_SHA = 0x001c; ++ ++ /** ++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. ++ */ ++ @Deprecated + public final static int SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = 0x001d; ++ ++ /** ++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. ++ */ ++ @Deprecated + public final static int SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA = 0x001e; + + public final static int SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xfeff; +@@ -92,14 +213,27 @@ public class SSLSocket extends java.net.Socket { + public final static int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031; + public final static int TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032; + public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_AES_128_CBC_SHA. ++ */ ++ @Deprecated + public final static int TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034; ++ public final static int TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034; + + public final static int TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035; + public final static int TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036; + public final static int TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037; + public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038; + public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_AES_256_CBC_SHA. ++ */ ++ @Deprecated + public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A; ++ public final static int TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A; ++ + public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003B; + public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C; + public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D; +@@ -109,14 +243,26 @@ public class SSLSocket extends java.net.Socket { + public final static int TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043; + public final static int TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044; + public final static int TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA. ++ */ ++ @Deprecated + public final static int TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046; ++ public final static int TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046; + + public final static int TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084; + public final static int TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085; + public final static int TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086; + public final static int TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087; + public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA. ++ */ ++ @Deprecated + public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089; ++ public final static int TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089; + + public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096; + +-- +2.9.3 + + +From 7027cbab0757376f4719674173206df0cdadd592 Mon Sep 17 00:00:00 2001 +From: "Endi S. Edewata" +Date: Tue, 21 Mar 2017 13:09:37 -0700 +Subject: [PATCH 05/11] Added SSLSocketListener. The SSLSocket has been + modified to support SSLSocketListener which will be invoked when an SSL alert + has been sent or received, also when an SSL handshake has been completed. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1348856 +--- + org/mozilla/jss/ssl/SSLAlertDescription.java | 64 ++++++++++++++ + org/mozilla/jss/ssl/SSLAlertEvent.java | 39 +++++++++ + org/mozilla/jss/ssl/SSLAlertLevel.java | 29 +++++++ + org/mozilla/jss/ssl/SSLSocket.java | 53 ++++++++---- + org/mozilla/jss/ssl/SSLSocketListener.java | 11 +++ + org/mozilla/jss/ssl/callbacks.c | 119 +++++++++++++++++++++++++++ + org/mozilla/jss/ssl/common.c | 19 +++++ + org/mozilla/jss/ssl/jssl.h | 8 ++ + org/mozilla/jss/util/java_ids.h | 8 ++ + 9 files changed, 332 insertions(+), 18 deletions(-) + create mode 100644 org/mozilla/jss/ssl/SSLAlertDescription.java + create mode 100644 org/mozilla/jss/ssl/SSLAlertEvent.java + create mode 100644 org/mozilla/jss/ssl/SSLAlertLevel.java + create mode 100644 org/mozilla/jss/ssl/SSLSocketListener.java + +diff --git a/org/mozilla/jss/ssl/SSLAlertDescription.java b/org/mozilla/jss/ssl/SSLAlertDescription.java +new file mode 100644 +index 0000000..c2ed060 +--- /dev/null ++++ b/org/mozilla/jss/ssl/SSLAlertDescription.java +@@ -0,0 +1,64 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++package org.mozilla.jss.ssl; ++ ++public enum SSLAlertDescription { ++ ++ // see lib/ssl/ssl3prot.h in NSS ++ CLOSE_NOTIFY (0), ++ END_OF_EARLY_DATA (1), // TLS 1.3 ++ UNEXPECTED_MESSAGE (10), ++ BAD_RECORD_MAC (20), ++ DECRYPTION_FAILED (21), // RFC 5246 ++ RECORD_OVERFLOW (22), // TLS only ++ DECOMPRESSION_FAILURE (30), ++ HANDSHAKE_FAILURE (40), ++ NO_CERTIFICATE (41), // SSL3 only, NOT TLS ++ BAD_CERTIFICATE (42), ++ UNSUPPORTED_CERTIFICATE (43), ++ CERTIFICATE_REVOKED (44), ++ CERTIFICATE_EXPIRED (45), ++ CERTIFICATE_UNKNOWN (46), ++ ILLEGAL_PARAMETER (47), ++ ++ // All alerts below are TLS only. ++ UNKNOWN_CA (48), ++ ACCESS_DENIED (49), ++ DECODE_ERROR (50), ++ DECRYPT_ERROR (51), ++ EXPORT_RESTRICTION (60), ++ PROTOCOL_VERSION (70), ++ INSUFFICIENT_SECURITY (71), ++ INTERNAL_ERROR (80), ++ INAPPROPRIATE_FALLBACK (86), // could also be sent for SSLv3 ++ USER_CANCELED (90), ++ NO_RENEGOTIATION (100), ++ ++ // Alerts for client hello extensions ++ MISSING_EXTENSION (109), ++ UNSUPPORTED_EXTENSION (110), ++ CERTIFICATE_UNOBTAINABLE (111), ++ UNRECOGNIZED_NAME (112), ++ BAD_CERTIFICATE_STATUS_RESPONSE (113), ++ BAD_CERTIFICATE_HASH_VALUE (114), ++ NO_APPLICATION_PROTOCOL (120); ++ ++ private int id; ++ ++ private SSLAlertDescription(int id) { ++ this.id = id; ++ } ++ ++ public int getID() { ++ return id; ++ } ++ ++ public static SSLAlertDescription valueOf(int id) { ++ for (SSLAlertDescription description : SSLAlertDescription.class.getEnumConstants()) { ++ if (description.id == id) return description; ++ } ++ return null; ++ } ++} +diff --git a/org/mozilla/jss/ssl/SSLAlertEvent.java b/org/mozilla/jss/ssl/SSLAlertEvent.java +new file mode 100644 +index 0000000..bfa42e1 +--- /dev/null ++++ b/org/mozilla/jss/ssl/SSLAlertEvent.java +@@ -0,0 +1,39 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++package org.mozilla.jss.ssl; ++ ++import java.util.EventObject; ++ ++public class SSLAlertEvent extends EventObject { ++ ++ private static final long serialVersionUID = 1L; ++ ++ int level; ++ int description; ++ ++ public SSLAlertEvent(SSLSocket socket) { ++ super(socket); ++ } ++ ++ public SSLSocket getSocket() { ++ return (SSLSocket)getSource(); ++ } ++ ++ public int getLevel() { ++ return level; ++ } ++ ++ public void setLevel(int level) { ++ this.level = level; ++ } ++ ++ public int getDescription() { ++ return description; ++ } ++ ++ public void setDescription(int description) { ++ this.description = description; ++ } ++} +diff --git a/org/mozilla/jss/ssl/SSLAlertLevel.java b/org/mozilla/jss/ssl/SSLAlertLevel.java +new file mode 100644 +index 0000000..f7f44f2 +--- /dev/null ++++ b/org/mozilla/jss/ssl/SSLAlertLevel.java +@@ -0,0 +1,29 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++package org.mozilla.jss.ssl; ++ ++public enum SSLAlertLevel { ++ ++ // see lib/ssl/ssl3prot.h in NSS ++ WARNING (1), ++ FATAL (2); ++ ++ private int id; ++ ++ private SSLAlertLevel(int id) { ++ this.id = id; ++ } ++ ++ public int getID() { ++ return id; ++ } ++ ++ public static SSLAlertLevel valueOf(int id) { ++ for (SSLAlertLevel level : SSLAlertLevel.class.getEnumConstants()) { ++ if (level.id == id) return level; ++ } ++ return null; ++ } ++} +diff --git a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java +index 2e1ac54..0dd39fd 100644 +--- a/org/mozilla/jss/ssl/SSLSocket.java ++++ b/org/mozilla/jss/ssl/SSLSocket.java +@@ -11,7 +11,8 @@ import java.net.InetAddress; + import java.net.SocketException; + import java.net.SocketTimeoutException; + import java.net.UnknownHostException; +-import java.util.Vector; ++import java.util.ArrayList; ++import java.util.Collection; + + /** + * SSL client socket. +@@ -349,6 +350,9 @@ public class SSLSocket extends java.net.Socket { + static final public int SSL_RENEGOTIATE_TRANSITIONAL = + org.mozilla.jss.ssl.SocketBase.SSL_RENEGOTIATE_TRANSITIONAL; + ++ private Collection socketListeners = new ArrayList<>(); ++ private Collection handshakeCompletedListeners = new ArrayList<>(); ++ + /** + * For sockets that get created by accept(). + */ +@@ -749,38 +753,51 @@ public class SSLSocket extends java.net.Socket { + //////////////////////////////////////////////////////////////////// + // SSL-specific stuff + //////////////////////////////////////////////////////////////////// +- private Vector handshakeCompletedListeners = new Vector(); ++ ++ public void addSocketListener(SSLSocketListener listener) { ++ socketListeners.add(listener); ++ addHandshakeCompletedListener(listener); ++ } ++ ++ public void removeSocketListener(SSLSocketListener listener) { ++ socketListeners.remove(listener); ++ removeHandshakeCompletedListener(listener); ++ } ++ ++ private void fireAlertReceivedEvent(SSLAlertEvent event) { ++ for (SSLSocketListener listener : socketListeners) { ++ listener.alertReceived(event); ++ } ++ } ++ ++ private void fireAlertSentEvent(SSLAlertEvent event) { ++ for (SSLSocketListener listener : socketListeners) { ++ listener.alertSent(event); ++ } ++ } + + /** + * Adds a listener to be notified when an SSL handshake completes. + */ +- public void addHandshakeCompletedListener(SSLHandshakeCompletedListener l) { +- handshakeCompletedListeners.addElement(l); ++ public void addHandshakeCompletedListener(SSLHandshakeCompletedListener listener) { ++ handshakeCompletedListeners.add(listener); + } + + /** + * Removes a previously registered listener for handshake completion. + */ +- public void removeHandshakeCompletedListener( +- SSLHandshakeCompletedListener l) { +- handshakeCompletedListeners.removeElement(l); ++ public void removeHandshakeCompletedListener(SSLHandshakeCompletedListener listener) { ++ handshakeCompletedListeners.remove(listener); + } + + private void notifyAllHandshakeListeners() { +- SSLHandshakeCompletedEvent event = +- new SSLHandshakeCompletedEvent(this); +- +- /* XXX NOT THREAD SAFE */ +- int i; +- for( i=0; i < handshakeCompletedListeners.size(); ++i) { +- SSLHandshakeCompletedListener l = +- (SSLHandshakeCompletedListener) +- handshakeCompletedListeners.elementAt(i); +- l.handshakeCompleted(event); ++ SSLHandshakeCompletedEvent event = new SSLHandshakeCompletedEvent(this); ++ ++ for (SSLHandshakeCompletedListener listener : handshakeCompletedListeners) { ++ listener.handshakeCompleted(event); + } + } + +- + /** + * Enables SSL v2 on this socket. It is enabled by default, unless the + * default has been changed with enableSSL2Default. +diff --git a/org/mozilla/jss/ssl/SSLSocketListener.java b/org/mozilla/jss/ssl/SSLSocketListener.java +new file mode 100644 +index 0000000..e653f66 +--- /dev/null ++++ b/org/mozilla/jss/ssl/SSLSocketListener.java +@@ -0,0 +1,11 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++package org.mozilla.jss.ssl; ++ ++public interface SSLSocketListener extends SSLHandshakeCompletedListener { ++ ++ public void alertReceived(SSLAlertEvent event); ++ public void alertSent(SSLAlertEvent event); ++} +diff --git a/org/mozilla/jss/ssl/callbacks.c b/org/mozilla/jss/ssl/callbacks.c +index d691363..0738e79 100644 +--- a/org/mozilla/jss/ssl/callbacks.c ++++ b/org/mozilla/jss/ssl/callbacks.c +@@ -271,6 +271,125 @@ loser: + return rv; + } + ++void ++JSSL_AlertReceivedCallback(const PRFileDesc *fd, void *arg, const SSLAlert *alert) ++{ ++ JSSL_SocketData *socket = (JSSL_SocketData*) arg; ++ ++ jint rc; ++ JNIEnv *env; ++ jclass socketClass, eventClass; ++ jmethodID eventConstructor, eventSetLevel, eventSetDescription; ++ jobject event; ++ jmethodID fireEvent; ++ ++ PR_ASSERT(socket != NULL); ++ PR_ASSERT(socket->socketObject != NULL); ++ ++ rc = (*JSS_javaVM)->AttachCurrentThread(JSS_javaVM, (void**)&env, NULL); ++ PR_ASSERT(rc == JNI_OK); ++ PR_ASSERT(env != NULL); ++ ++ /* SSLAlertEvent event = new SSLAlertEvent(socket); */ ++ ++ socketClass = (*env)->FindClass(env, SSLSOCKET_CLASS); ++ PR_ASSERT(socketClass != NULL); ++ ++ eventClass = (*env)->FindClass(env, SSL_ALERT_EVENT_CLASS); ++ PR_ASSERT(eventClass != NULL); ++ ++ eventConstructor = (*env)->GetMethodID(env, eventClass, "", "(L" SSLSOCKET_CLASS ";)V"); ++ PR_ASSERT(eventConstructor != NULL); ++ ++ event = (*env)->NewObject(env, eventClass, eventConstructor, socket->socketObject); ++ PR_ASSERT(event != NULL); ++ ++ /* event.setLevel(level); */ ++ ++ eventSetLevel = (*env)->GetMethodID(env, eventClass, "setLevel", "(I)V"); ++ PR_ASSERT(eventSetLevel != NULL); ++ ++ (*env)->CallVoidMethod(env, event, eventSetLevel, (int)alert->level); ++ ++ /* event.setDescription(description); */ ++ ++ eventSetDescription = (*env)->GetMethodID(env, eventClass, "setDescription", "(I)V"); ++ PR_ASSERT(eventSetDescription != NULL); ++ ++ (*env)->CallVoidMethod(env, event, eventSetDescription, alert->description); ++ ++ /* socket.fireAlertReceivedEvent(event); */ ++ ++ fireEvent = (*env)->GetMethodID(env, ++ socketClass, ++ "fireAlertReceivedEvent", ++ "(L" SSL_ALERT_EVENT_CLASS ";)V"); ++ PR_ASSERT(fireEvent != NULL); ++ ++ (*env)->CallVoidMethod(env, socket->socketObject, fireEvent, event); ++ ++ (*JSS_javaVM)->DetachCurrentThread(JSS_javaVM); ++} ++ ++void ++JSSL_AlertSentCallback(const PRFileDesc *fd, void *arg, const SSLAlert *alert) ++{ ++ JSSL_SocketData *socket = (JSSL_SocketData*) arg; ++ ++ jint rc; ++ JNIEnv *env; ++ jclass socketClass, eventClass; ++ jmethodID eventConstructor, eventSetLevel, eventSetDescription; ++ jobject event; ++ jmethodID fireEvent; ++ ++ PR_ASSERT(socket != NULL); ++ PR_ASSERT(socket->socketObject != NULL); ++ ++ rc = (*JSS_javaVM)->AttachCurrentThread(JSS_javaVM, (void**)&env, NULL); ++ PR_ASSERT(rc == JNI_OK); ++ PR_ASSERT(env != NULL); ++ ++ /* SSLAlertEvent event = new SSLAlertEvent(socket); */ ++ ++ socketClass = (*env)->FindClass(env, SSLSOCKET_CLASS); ++ PR_ASSERT(socketClass != NULL); ++ ++ eventClass = (*env)->FindClass(env, SSL_ALERT_EVENT_CLASS); ++ PR_ASSERT(eventClass != NULL); ++ ++ eventConstructor = (*env)->GetMethodID(env, eventClass, "", "(L" SSLSOCKET_CLASS ";)V"); ++ PR_ASSERT(eventConstructor != NULL); ++ ++ event = (*env)->NewObject(env, eventClass, eventConstructor, socket->socketObject); ++ PR_ASSERT(event != NULL); ++ ++ /* event.setLevel(level); */ ++ ++ eventSetLevel = (*env)->GetMethodID(env, eventClass, "setLevel", "(I)V"); ++ PR_ASSERT(eventSetLevel != NULL); ++ ++ (*env)->CallVoidMethod(env, event, eventSetLevel, (int)alert->level); ++ ++ /* event.setDescription(description); */ ++ ++ eventSetDescription = (*env)->GetMethodID(env, eventClass, "setDescription", "(I)V"); ++ PR_ASSERT(eventSetDescription != NULL); ++ ++ (*env)->CallVoidMethod(env, event, eventSetDescription, alert->description); ++ ++ /* socket.fireAlertSentEvent(event); */ ++ ++ fireEvent = (*env)->GetMethodID(env, ++ socketClass, ++ "fireAlertSentEvent", ++ "(L" SSL_ALERT_EVENT_CLASS ";)V"); ++ PR_ASSERT(fireEvent != NULL); ++ ++ (*env)->CallVoidMethod(env, socket->socketObject, fireEvent, event); ++ ++ (*JSS_javaVM)->DetachCurrentThread(JSS_javaVM); ++} + + void + JSSL_HandshakeCallback(PRFileDesc *fd, void *arg) +diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c +index be35c57..84a4332 100644 +--- a/org/mozilla/jss/ssl/common.c ++++ b/org/mozilla/jss/ssl/common.c +@@ -261,6 +261,7 @@ JSSL_SocketData* + JSSL_CreateSocketData(JNIEnv *env, jobject sockObj, PRFileDesc* newFD, + PRFilePrivate *priv) + { ++ SECStatus status; + JSSL_SocketData *sockdata = NULL; + + /* make a JSSL_SocketData structure */ +@@ -297,6 +298,24 @@ JSSL_CreateSocketData(JNIEnv *env, jobject sockObj, PRFileDesc* newFD, + sockdata->socketObject = NEW_WEAK_GLOBAL_REF(env, sockObj); + if( sockdata->socketObject == NULL ) goto finish; + ++ /* registering alert received callback */ ++ ++ status = SSL_AlertReceivedCallback(sockdata->fd, JSSL_AlertReceivedCallback, sockdata); ++ ++ if (status != SECSuccess) { ++ JSSL_throwSSLSocketException(env, "Unable to install alert received callback"); ++ goto finish; ++ } ++ ++ /* registering alert sent callback */ ++ ++ status = SSL_AlertSentCallback(sockdata->fd, JSSL_AlertSentCallback, sockdata); ++ ++ if (status != SECSuccess) { ++ JSSL_throwSSLSocketException(env, "Unable to install alert sent callback"); ++ goto finish; ++ } ++ + finish: + if( (*env)->ExceptionOccurred(env) != NULL ) { + if( sockdata != NULL ) { +diff --git a/org/mozilla/jss/ssl/jssl.h b/org/mozilla/jss/ssl/jssl.h +index 616c755..571c2a4 100644 +--- a/org/mozilla/jss/ssl/jssl.h ++++ b/org/mozilla/jss/ssl/jssl.h +@@ -5,6 +5,8 @@ + #ifndef ORG_MOZILLA_JSS_SSL_JSSL_H + #define ORG_MOZILLA_JSS_SSL_JSSL_H + ++#include ++ + struct JSSL_SocketData { + PRFileDesc *fd; + jobject socketObject; /* weak global ref */ +@@ -26,6 +28,12 @@ JSSL_JavaCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig, + PRBool isServer); + + void ++JSSL_AlertReceivedCallback(const PRFileDesc *fd, void *client_data, const SSLAlert *alert); ++ ++void ++JSSL_AlertSentCallback(const PRFileDesc *fd, void *client_data, const SSLAlert *alert); ++ ++void + JSSL_HandshakeCallback(PRFileDesc *fd, void *arg); + + SECStatus +diff --git a/org/mozilla/jss/util/java_ids.h b/org/mozilla/jss/util/java_ids.h +index 3ceebaa..7ec9ea9 100644 +--- a/org/mozilla/jss/util/java_ids.h ++++ b/org/mozilla/jss/util/java_ids.h +@@ -285,6 +285,11 @@ PR_BEGIN_EXTERN_C + #define SUPPORTS_IPV6_SIG "()Z" + + /* ++ * SSLAlertEvent ++ */ ++#define SSL_ALERT_EVENT_CLASS "org/mozilla/jss/ssl/SSLAlertEvent" ++ ++/* + * SSLCertificateApprovalCallback + */ + #define SSLCERT_APP_CB_APPROVE_NAME "approve" +@@ -300,8 +305,11 @@ PR_BEGIN_EXTERN_C + /* + * SSLSocket + */ ++#define SSLSOCKET_CLASS "org/mozilla/jss/ssl/SSLSocket" ++ + #define SSLSOCKET_HANDSHAKE_NOTIFIER_NAME "notifyAllHandshakeListeners" + #define SSLSOCKET_HANDSHAKE_NOTIFIER_SIG "()V" ++ + #define SSLSOCKET_PROXY_FIELD "sockProxy" + #define SSLSOCKET_PROXY_SIG "Lorg/mozilla/jss/ssl/SocketProxy;" + +-- +2.9.3 + + +From 1a83476dbbd54c87ffcf54fac7fdfa093812997f Mon Sep 17 00:00:00 2001 +From: "Endi S. Edewata" +Date: Tue, 21 Mar 2017 13:21:43 -0700 +Subject: [PATCH 06/11] Added SSLCipher enumeration. The cipher constants in + SSLSocket have been copied and converted into SSLCipher enumeration. The + enumeration provides a mechanism to convert between cipher ID and cipher + constant, also a flag to indicate whether it is an ECC cipher. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1349278 +--- + org/mozilla/jss/ssl/SSLCipher.java | 328 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 328 insertions(+) + create mode 100644 org/mozilla/jss/ssl/SSLCipher.java + +diff --git a/org/mozilla/jss/ssl/SSLCipher.java b/org/mozilla/jss/ssl/SSLCipher.java +new file mode 100644 +index 0000000..30acdd7 +--- /dev/null ++++ b/org/mozilla/jss/ssl/SSLCipher.java +@@ -0,0 +1,328 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++package org.mozilla.jss.ssl; ++ ++/** ++ * SSL cipher. ++ */ ++public enum SSLCipher { ++ ++ /** ++ * ++ * Note the following cipher-suites constants are not all implemented. ++ * You need to call SSLSocket.getImplementedCiphersuites(). ++ * ++ */ ++ ++ SSL2_RC4_128_WITH_MD5 (0xFF01), ++ SSL2_RC4_128_EXPORT40_WITH_MD5 (0xFF02), ++ SSL2_RC2_128_CBC_WITH_MD5 (0xFF03), ++ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 (0xFF04), ++ SSL2_IDEA_128_CBC_WITH_MD5 (0xFF05), ++ SSL2_DES_64_CBC_WITH_MD5 (0xFF06), ++ SSL2_DES_192_EDE3_CBC_WITH_MD5 (0xFF07), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_NULL_MD5. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_NULL_MD5 (0x0001), ++ TLS_RSA_WITH_NULL_MD5 (0x0001), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_NULL_SHA. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_NULL_SHA (0x0002), ++ TLS_RSA_WITH_NULL_SHA (0x0002), ++ ++ SSL3_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_RC4_128_MD5. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_RC4_128_MD5 (0x0004), ++ TLS_RSA_WITH_RC4_128_MD5 (0x0004), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_RC4_128_SHA. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_RC4_128_SHA (0x0005), ++ TLS_RSA_WITH_RC4_128_SHA (0x0005), ++ ++ SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_IDEA_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_IDEA_CBC_SHA (0x0007), ++ TLS_RSA_WITH_IDEA_CBC_SHA (0x0007), ++ ++ SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_DES_CBC_SHA (0x0009), ++ TLS_RSA_WITH_DES_CBC_SHA (0x0009), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_3DES_EDE_CBC_SHA (0x000a), ++ TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a), ++ ++ SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA (0x000b), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_DSS_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DH_DSS_WITH_DES_CBC_SHA (0x000c), ++ TLS_DH_DSS_WITH_DES_CBC_SHA (0x000c), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d), ++ TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d), ++ ++ SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000e), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_RSA_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DH_RSA_WITH_DES_CBC_SHA (0x000f), ++ TLS_DH_RSA_WITH_DES_CBC_SHA (0x000f), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010), ++ TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010), ++ ++ SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011), ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_DSS_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DHE_DSS_WITH_DES_CBC_SHA (0x0012), ++ TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012), ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013), ++ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013), ++ ++ SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014), ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_RSA_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DHE_RSA_WITH_DES_CBC_SHA (0x0015), ++ TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015), ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016), ++ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016), ++ ++ SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5 (0x0017), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_RC4_128_MD5. ++ */ ++ @Deprecated ++ SSL3_DH_ANON_WITH_RC4_128_MD5 (0x0018), ++ TLS_DH_anon_WITH_RC4_128_MD5 (0x0018), ++ ++ SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA (0x0019), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DH_ANON_WITH_DES_CBC_SHA (0x001a), ++ TLS_DH_anon_WITH_DES_CBC_SHA (0x001a), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA (0x001b), ++ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b), ++ ++ /** ++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. ++ */ ++ @Deprecated ++ SSL3_FORTEZZA_DMS_WITH_NULL_SHA (0x001c), ++ ++ /** ++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. ++ */ ++ @Deprecated ++ SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA (0x001d), ++ ++ /** ++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. ++ */ ++ @Deprecated ++ SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA (0x001e), ++ ++ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff), ++ SSL_RSA_FIPS_WITH_DES_CBC_SHA (0xfefe), ++ ++ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062), ++ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064), ++ ++ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063), ++ TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA (0x0065), ++ TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066), ++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067), ++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006B), ++ ++ // New TLS cipher suites in NSS 3.4 ++ TLS_RSA_WITH_AES_128_CBC_SHA (0x002F), ++ TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030), ++ TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031), ++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032), ++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_AES_128_CBC_SHA. ++ */ ++ @Deprecated ++ TLS_DH_ANON_WITH_AES_128_CBC_SHA (0x0034), ++ TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034), ++ ++ TLS_RSA_WITH_AES_256_CBC_SHA (0x0035), ++ TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036), ++ TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037), ++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038), ++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_AES_256_CBC_SHA. ++ */ ++ @Deprecated ++ TLS_DH_ANON_WITH_AES_256_CBC_SHA (0x003A), ++ TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003A), ++ ++ TLS_RSA_WITH_NULL_SHA256 (0x003B), ++ TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C), ++ TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D), ++ ++ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041), ++ TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042), ++ TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043), ++ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044), ++ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA. ++ */ ++ @Deprecated ++ TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA (0x0046), ++ TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x0046), ++ ++ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084), ++ TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085), ++ TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086), ++ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087), ++ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA. ++ */ ++ @Deprecated ++ TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA (0x0089), ++ TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x0089), ++ ++ TLS_RSA_WITH_SEED_CBC_SHA (0x0096), ++ ++ TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C), ++ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009E), ++ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00A2), ++ ++ TLS_ECDH_ECDSA_WITH_NULL_SHA (0xc001, true), ++ TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002, true), ++ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003, true), ++ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004, true), ++ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005, true), ++ ++ TLS_ECDHE_ECDSA_WITH_NULL_SHA (0xc006, true), ++ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007, true), ++ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008, true), ++ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009, true), ++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a, true), ++ ++ TLS_ECDH_RSA_WITH_NULL_SHA (0xc00b, true), ++ TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c, true), ++ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d, true), ++ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e, true), ++ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f, true), ++ ++ TLS_ECDHE_RSA_WITH_NULL_SHA (0xc010, true), ++ TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011, true), ++ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012, true), ++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013, true), ++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014, true), ++ ++ TLS_ECDH_anon_WITH_NULL_SHA (0xc015, true), ++ TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016, true), ++ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017, true), ++ TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018, true), ++ TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019, true), ++ ++ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023, true), ++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027, true), ++ ++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02B, true), ++ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02D, true), ++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02F, true), ++ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031, true); ++ ++ private int id; ++ private boolean ecc; ++ ++ private SSLCipher(int id) { ++ this.id = id; ++ } ++ ++ private SSLCipher(int id, boolean ecc) { ++ this.id = id; ++ this.ecc = ecc; ++ } ++ ++ public int getID() { ++ return id; ++ } ++ ++ public boolean isECC() { ++ return ecc; ++ } ++ ++ public static SSLCipher valueOf(int id) { ++ for (SSLCipher cipher : SSLCipher.class.getEnumConstants()) { ++ if (cipher.id == id) return cipher; ++ } ++ return null; ++ } ++} +-- +2.9.3 + + +From 5c09c644caf9849dd1602dc6df56c0691a2d25f8 Mon Sep 17 00:00:00 2001 +From: "Endi S. Edewata" +Date: Wed, 22 Mar 2017 19:17:19 -0700 +Subject: [PATCH 07/11] Replaced Password.readPasswordFromConsole() + implementation. + +The native implementation of Password.readPasswordFromConsole() has +been replaced with platform independent code using System.console() +which does not cause a problem if the program is interrupted while +waiting for password input. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1349349 +--- + org/mozilla/jss/util/Password.java | 24 +++-- + org/mozilla/jss/util/jssutil.c | 212 ------------------------------------- + 2 files changed, 17 insertions(+), 219 deletions(-) + +diff --git a/org/mozilla/jss/util/Password.java b/org/mozilla/jss/util/Password.java +index 9e6a3bb..47bc8a1 100644 +--- a/org/mozilla/jss/util/Password.java ++++ b/org/mozilla/jss/util/Password.java +@@ -5,6 +5,7 @@ + package org.mozilla.jss.util; + + import java.io.CharConversionException; ++import java.io.Console; + + /** + * Stores a password. clear should be +@@ -114,7 +115,7 @@ public class Password implements PasswordCallback, Cloneable, + * for example using wipeChars. + */ + public synchronized char[] getCharCopy() { +- return (char[]) password.clone(); ++ return password.clone(); + } + + /** +@@ -125,7 +126,7 @@ public class Password implements PasswordCallback, Cloneable, + * for example using wipeChars. + */ + synchronized byte[] getByteCopy() { +- return charToByte( (char[]) password.clone() ); ++ return charToByte( password.clone() ); + } + + /** +@@ -150,11 +151,11 @@ public class Password implements PasswordCallback, Cloneable, + public synchronized Object clone() { + Password dolly = new Password(); + +- dolly.password = (char[]) password.clone(); ++ dolly.password = password.clone(); + dolly.cleared = cleared; + return dolly; + } +- ++ + + /** + * The finalizer clears the sensitive information before releasing +@@ -230,9 +231,18 @@ public class Password implements PasswordCallback, Cloneable, + * <enter>). + * @return The password the user entered at the command line. + */ +- public synchronized static native Password readPasswordFromConsole() +- throws PasswordCallback.GiveUpException; +- ++ public static Password readPasswordFromConsole() throws PasswordCallback.GiveUpException { ++ ++ Console console = System.console(); ++ char[] password = console.readPassword(); ++ ++ if (password == null || password.length == 0) { ++ throw new PasswordCallback.GiveUpException(); ++ } ++ ++ return new Password(password); ++ } ++ + // The password, stored as a char[] so we can clear it. Passwords + // should never be stored in Strings because Strings can't be cleared. + private char[] password; +diff --git a/org/mozilla/jss/util/jssutil.c b/org/mozilla/jss/util/jssutil.c +index 609eeb3..0d19a84 100644 +--- a/org/mozilla/jss/util/jssutil.c ++++ b/org/mozilla/jss/util/jssutil.c +@@ -462,218 +462,6 @@ JSS_wipeCharArray(char* array) + } + } + +-/*********************************************************************** +- * platform-dependent definitions for getting passwords from console. +- ***********************************************************************/ +- +-#ifdef XP_UNIX +- +-#include +-#include +-#define GETCH getchar +-#define PUTCH putchar +- +-#else +- +-#include +-#define GETCH _getch +-#define PUTCH _putch +- +-#endif +- +-/*********************************************************************** +- * g e t P W F r o m C o n s o l e +- * +- * Does platform-dependent stuff to retrieve a char* from the console. +- * Retrieves up to the first newline character, but does not return +- * the newline. Maximum length is 200 chars. +- * Stars (*) are echoed to the screen. Backspacing works. +- * WARNING: This function is NOT thread-safe!!! This should be OK because +- * the Java method that calls it is synchronized. +- * +- * RETURNS +- * The password in a buffer owned by the caller, or NULL if the +- * user did not enter a password (just hit ). +- */ +-static char* getPWFromConsole() +-{ +- int c; +- char *ret; +- int i; +- char buf[200]; /* no buffer overflow: we bail after 200 chars */ +- int length=200; +-#ifdef XP_UNIX +- int fd = fileno(stdin); +- struct termios save_tio; +- struct termios tio; +-#endif +- +- +- /* +- * In Win32, the default is for _getch to not echo and to not be buffered. +- * In UNIX, we have to set this explicitly. +- */ +-#ifdef XP_UNIX +- if ( isatty(fd) ) { +- tcgetattr(fd, &save_tio); +- tio = save_tio; +- tio.c_lflag &= ~(ECHO|ICANON); /* no echo, non-canonical mode */ +- tio.c_cc[VMIN] = 1; /* 1 char at a time */ +- tio.c_cc[VTIME] = 0; /* wait forever */ +- tcsetattr(fd, TCSAFLUSH, &tio); +- } else { +- /* no reading from a file allowed. Windows enforces this automatically*/ +- return NULL; +- } +-#endif +- +- /* +- * Retrieve up to length characters, or the first newline character. +- */ +- for(i=0; i < length-1; i++) { +- PR_ASSERT(i >= 0); +- c = GETCH(); +- if( c == '\b' ) { +- /* +- * backspace. Back up the buffer and the cursor. +- */ +- if( i==0 ) { +- /* backspace is first char, do nothing */ +- i--; +- } else { +- /* backspace is not first char, backup one */ +- i -= 2; +- PUTCH('\b'); PUTCH(' '); PUTCH('\b'); +- } +- } else if( c == '\r' || c == '\n' ) { +- /* newline, we're done */ +- break; +- } else { +- /* normal password char. Echo an asterisk. */ +- buf[i] = c; +- PUTCH('*'); +- } +- } +- buf[i] = '\0'; +- PUTCH('\n'); +- +- /* +- * Restore the saved terminal settings. +- */ +-#ifdef XP_UNIX +- tcsetattr(fd, TCSAFLUSH, &save_tio); +-#endif +- +- /* If password is empty, return NULL to signal the user giving up */ +- if(buf[0] == '\0') { +- ret = NULL; +- } else { +- ret = PL_strdup(buf); +- } +- +- /* Clear the input buffer */ +- memset(buf, 0, length); +- +- return ret; +-} +- +- +-/*********************************************************************** +- * Class: org_mozilla_jss_util_Password +- * Method: readPasswordFromConsole +- * Signature: ()Lorg/mozilla/jss/util/Password; +- */ +-JNIEXPORT jobject JNICALL Java_org_mozilla_jss_util_Password_readPasswordFromConsole +- (JNIEnv *env, jclass clazz) +-{ +- char *pw=NULL; +- int pwlen; +- jclass pwClass; +- jmethodID pwConstructor; +- jcharArray pwCharArray=NULL; +- jchar *pwChars=NULL; +- jobject password=NULL; +- jboolean pwIsCopy; +- int i; +- +- /*************************************************** +- * Get JNI IDs +- ***************************************************/ +- pwClass = (*env)->FindClass(env, PASSWORD_CLASS_NAME); +- if(pwClass == NULL) { +- ASSERT_OUTOFMEM(env); +- goto finish; +- } +- pwConstructor = (*env)->GetMethodID(env, +- pwClass, +- PLAIN_CONSTRUCTOR, +- PASSWORD_CONSTRUCTOR_SIG); +- if(pwConstructor == NULL) { +- ASSERT_OUTOFMEM(env); +- goto finish; +- } +- +- /*************************************************** +- * Get the password from the console +- ***************************************************/ +- pw = getPWFromConsole(); +- +- if(pw == NULL) { +- JSS_throw(env, GIVE_UP_EXCEPTION); +- goto finish; +- } +- pwlen = strlen(pw); +- PR_ASSERT(pwlen > 0); +- +- /*************************************************** +- * Put the password into a char array +- ***************************************************/ +- pwCharArray = (*env)->NewCharArray(env, pwlen); +- if(pwCharArray == NULL) { +- ASSERT_OUTOFMEM(env); +- goto finish; +- } +- pwChars = (*env)->GetCharArrayElements(env, pwCharArray, &pwIsCopy); +- if(pwChars == NULL) { +- ASSERT_OUTOFMEM(env); +- goto finish; +- } +- for(i=0; i < pwlen; i++) { +- /* YUK! Only works for ASCII. */ +- pwChars[i] = pw[i]; +- } +- +- if( pwIsCopy ) { +- /* copy back the changes */ +- (*env)->ReleaseCharArrayElements(env, pwCharArray, pwChars, JNI_COMMIT); +- /* clear the copy */ +- memset(pwChars, 0, pwlen); +- /* release the copy */ +- (*env)->ReleaseCharArrayElements(env, pwCharArray, pwChars, JNI_ABORT); +- } else { +- /* pwChars is not a copy, so this should be a no-op, but we include +- * it anyway */ +- (*env)->ReleaseCharArrayElements(env, pwCharArray, pwChars, 0); +- } +- pwChars = NULL; +- +- /*************************************************** +- * Construct a new Password from the char array +- ***************************************************/ +- password = (*env)->NewObject(env, pwClass, pwConstructor, pwCharArray); +- if(password == NULL) { +- ASSERT_OUTOFMEM(env); +- goto finish; +- } +- +-finish: +- if(pw != NULL) { +- memset(pw, 0, strlen(pw)); +- PR_Free(pw); +- } +- return password; +-} +- + #ifdef DEBUG + static int debugLevel = JSS_TRACE_VERBOSE; + #else +-- +2.9.3 + + +From bee3bc6cfef28f39b8abb1fd7e8505e5a9880716 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Thu, 23 Mar 2017 10:48:29 -0700 +Subject: [PATCH 08/11] Bug 1349831 - Revise top-level README file, r=emaldona + +--- + README | 134 +++++++++++++++++++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 110 insertions(+), 24 deletions(-) + +diff --git a/README b/README +index 4ceb0fd..cfc0244 100644 +--- a/README ++++ b/README +@@ -4,8 +4,8 @@ + + (1) Prepare a work area + +- (a) For upstream builds which checkout and utilize the current NSPR and NSS +- source repositories: ++ (a) For upstream builds which checkout and utilize ++ the current NSPR and NSS source repositories: + + # mkdir sandbox + # cd sandbox +@@ -20,13 +20,20 @@ + cd jss; hg pull -u -v; cd .. + ) + +- (b) Alternatively, for upstream builds which use the NSPR and NSS installed +- on the system: ++ (b) Alternatively, for upstream builds which use ++ the NSPR and NSS installed on the system: + + # mkdir sandbox + # cd sandbox + # export USE_INSTALLED_NSPR=1 + # export USE_INSTALLED_NSS=1 ++ # export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 ++ # export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 ++ # export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` ++ # export NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'` ++ # export NSS_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss | sed 's/-I//'` ++ # export NSS_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nss | sed 's/-L//'` ++ # export XCFLAGS="-g" + # hg clone https://hg.mozilla.org/projects/jss + # cd .. + +@@ -41,9 +48,32 @@ + # export JAVA_HOME=/etc/alternatives/java_sdk_1.8.0_openjdk + # export USE_64=1 + +- NOTE: JSS will now attempt to verify whether or not these two environment +- variables have been set (JAVA_HOME is mandatory; USE_64 is mandatory +- on 64-bit platforms when building 64-bit). ++ NOTE: JSS will now attempt to verify whether or not these two ++ environment variables have been set (JAVA_HOME is mandatory; ++ USE_64 is mandatory on 64-bit platforms when building 64-bit). ++ ++ The following steps are optional, and left to the discretion of the user: ++ ++ Debug vs. Optimized jar files: ++ ++ By default, JSS will be built as a debuggable jar ++ (xpclass_dbg.jar - generally recommended for test builds); ++ to create an optimized jar (xpclass.jar), set the following ++ environment variable: ++ ++ # export BUILD_OPT=1 ++ ++ Beta vs. Non-Beta builds: ++ ++ Finally, by default, JSS is not built as a "beta" release (as ++ specified in 'org/mozilla/jss/util/jssver.h'): ++ ++ #define JSS_BETA PR_FALSE ++ ++ If a "beta" version of JSS is desired, reset this #define (as ++ specified in 'org/mozilla/jss/util/jssver.h') to: ++ ++ #define JSS_BETA PR_TRUE + + + (3) Build JSS +@@ -52,30 +82,88 @@ + # make clean all + # cd ../.. + +- (or you can run "# script -c 'make clean all' typescript.build') ++ (or you can run "# script -c 'make clean all' typescript.build") + + NOTE: When build method (1)(a) is being utilized, if nss has not been + built, it will now automatically be built before jss; if nss has + already been built, only jss will be built/re-built. + + +-(4) Run JSS Tests ++(4) Install JSS on the System (Optional) + +- # cd sandbox/jss +- # make test_jss +- # cd ../.. ++ If JSS already exists on the system, run something similar to the ++ following command(s): ++ ++ # sudo mv /usr/lib/java/jss4.jar /usr/lib/java/jss4.jar.orig ++ ++ If the platform is 32-bit Linux: ++ ++ # sudo mv /usr/lib/jss/libjss4.so /usr/lib/jss/libjss4.so.orig ++ ++ else if the platform is 64-bit Linux: ++ ++ # sudo mv /usr/lib64/jss/libjss4.so /usr/lib64/jss/libjss4.so.orig ++ ++ If BUILD_OPT is undefined (default Debuggable Jar): ++ ++ # sudo cp sandbox/dist/xpclass_dbg.jar /usr/lib/java/jss4.jar ++ ++ else if BUILD_OPT is defined (Optimized Jar): + +- (or you can run "# script -c 'make test_jss' typescript.tests) ++ # sudo cp sandbox/dist/xpclass.jar /usr/lib/java/jss4.jar ++ ++ # sudo chown root:root /usr/lib/java/jss4.jar ++ # sudo chmod 644 /usr/lib/java/jss4.jar ++ ++ # sudo cp sandbox/jss/lib/Linux*.OBJ/libjss4.so /usr/lib64/jss/libjss4.so ++ # sudo chown root:root /usr/lib64/jss/libjss4.so ++ # sudo chmod 755 /usr/lib64/jss/libjss4.so ++ ++ ++(5) Run JSS Tests (Optional, but only if build method (1)(a) was utilized) ++ ++ If build method (1)(a) is being utilized, it is possible to run the ++ built-in JSS tests: ++ ++ # cd sandbox/jss ++ # make test_jss ++ # cd ../.. ++ ++ (or you can run "# script -c 'make test_jss' typescript.tests") + + NOTE: This command is currently only available on Linux and Macintosh +- platforms; currenty JSS must be built via 'make clean all' before ++ platforms when method (1)(a) has been utilized to build JSS ++ since the tests are dependent upon the work area as setup in ++ this method; currenty JSS must be built via 'make clean all' before + execution of this command (e.g. - build is separate from test). + + +-(5) Known Issues ++(6) Restoration of non-Test-Only Systems (Optional) ++ ++ If step (4) above was run, and the system is being used for purposes ++ other than test, the user may wish to restore the original system JSS ++ by running the following commands: ++ ++ # sudo mv /usr/lib/java/jss4.jar.orig /usr/lib/java/jss4.jar ++ ++ If the platform is 32-bit Linux: ++ ++ # sudo mv /usr/lib/jss/libjss4.so.orig /usr/lib/jss/libjss4.so ++ ++ else if the platform is 64-bit Linux: ++ ++ # sudo mv /usr/lib64/jss/libjss4.so.orig /usr/lib64/jss/libjss4.so ++ ++ NOTE: For this procedure, no ownership or permission changes should ++ be necessary. ++ ++ ++(7) Known Issues + + * Mozilla Bug #1346410 - Load JSS libraries appropriately + ++ NOTE: This issue should not occur unless step (4) above was skipped. ++ + Testing failures were found while working on Bug 1346410 when loading the + JSS libraries to meet requirements of certain operating systems. Our + investigation revealed that due to the nature of the changes made via this +@@ -83,16 +171,14 @@ + that a failure may be encountered on one or more of the HMAC algorithms + causing these two tests to fail. On 64-bit Linux, for example, the + workaround for this issue is to perform the following steps before +- re-running the tests: ++ re-running the tests: ++ ++ (a) Install the new JSS builds by executing step (4) above ++ ++ (b) Execute the following commands: + +- # sudo mv /usr/lib64/jss/libjss4.so /usr/lib64/jss/libjss4.so.orig +- # sudo cp -p +- sandbox/dist/Linux3.10_x86_64_cc_glibc_PTH_64_DBG.OBJ/lib/libjss4.so +- /usr/lib64/jss/libjss4.so +- # sudo chown root:root /usr/lib64/jss/libjss4.so +- # sudo chmod 755 /usr/lib64/jss/libjss4.so +- # cd sandbox/jss; make test_jss ++ # cd sandbox/jss; make test_jss + + NOTE: If the system is being used for purposes other than test, the user +- may wish to restore 'libjss4.so.orig' back to 'libjss4.so'. ++ may wish to restore the original JSS by executing step (6) above. + +-- +2.9.3 + + +From 382d6611ee2208c0bbe03afac33b96bf7a34047a Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Thu, 23 Mar 2017 10:52:15 -0700 +Subject: [PATCH 09/11] Bug 1349836 - Changes to JSS Version Block, r=emaldona + +--- + lib/manifest.mn | 4 ++-- + manifest.mn | 8 ++------ + org/mozilla/jss/CryptoManager.c | 4 ++-- + org/mozilla/jss/CryptoManager.java | 4 ++-- + org/mozilla/jss/JSSProvider.java | 4 ++-- + org/mozilla/jss/util/jssver.h | 5 ++--- + 6 files changed, 12 insertions(+), 17 deletions(-) + +diff --git a/lib/manifest.mn b/lib/manifest.mn +index d37cb68..6f03301 100644 +--- a/lib/manifest.mn ++++ b/lib/manifest.mn +@@ -7,11 +7,11 @@ + #/* The VERSION Strings should be updated in the following */ + #/* files everytime a new release of JSS is generated: */ + #/* */ ++#/* lib/manifest.mn */ ++#/* org/mozilla/jss/CryptoManager.c */ + #/* org/mozilla/jss/CryptoManager.java */ + #/* org/mozilla/jss/JSSProvider.java */ + #/* org/mozilla/jss/util/jssver.h */ +-#/* lib/manifest.mn */ +-#/* jss/manifest.mn */ + #/* */ + #/********************************************************************/ + +diff --git a/manifest.mn b/manifest.mn +index 9338108..07cabce 100644 +--- a/manifest.mn ++++ b/manifest.mn +@@ -12,18 +12,14 @@ MODULE = jss + #/* The VERSION Strings should be updated in the following */ + #/* files everytime a new release of JSS is generated: */ + #/* */ ++#/* lib/manifest.mn */ ++#/* org/mozilla/jss/CryptoManager.c */ + #/* org/mozilla/jss/CryptoManager.java */ + #/* org/mozilla/jss/JSSProvider.java */ + #/* org/mozilla/jss/util/jssver.h */ +-#/* lib/manifest.mn */ +-#/* mozilla/security/jss/manifest.mn */ + #/* */ + #/********************************************************************/ + +-IMPORTS = nss/NSS_3_12_RTM \ +- nspr20/v4.7 \ +- $(NULL) +- + DIRS = coreconf \ + org \ + lib \ +diff --git a/org/mozilla/jss/CryptoManager.c b/org/mozilla/jss/CryptoManager.c +index 3eb9ae7..56e66b2 100644 +--- a/org/mozilla/jss/CryptoManager.c ++++ b/org/mozilla/jss/CryptoManager.c +@@ -49,11 +49,11 @@ const char * jss_sccsid() { + /* The VERSION Strings should be updated in the following */ + /* files everytime a new release of JSS is generated: */ + /* */ ++/* lib/manifest.mn */ ++/* org/mozilla/jss/CryptoManager.c */ + /* org/mozilla/jss/CryptoManager.java */ + /* org/mozilla/jss/JSSProvider.java */ + /* org/mozilla/jss/util/jssver.h */ +-/* lib/manifest.mn */ +-/* mozilla/security/jss/manifest.mn */ + /* */ + /********************************************************************/ + +diff --git a/org/mozilla/jss/CryptoManager.java b/org/mozilla/jss/CryptoManager.java +index 9cc50d9..9e5503d 100644 +--- a/org/mozilla/jss/CryptoManager.java ++++ b/org/mozilla/jss/CryptoManager.java +@@ -1449,11 +1449,11 @@ public final class CryptoManager implements TokenSupplier + /* The VERSION Strings should be updated in the following */ + /* files everytime a new release of JSS is generated: */ + /* */ ++ /* lib/manifest.mn */ ++ /* org/mozilla/jss/CryptoManager.c */ + /* org/mozilla/jss/CryptoManager.java */ + /* org/mozilla/jss/JSSProvider.java */ + /* org/mozilla/jss/util/jssver.h */ +- /* lib/manifest.mn */ +- /* jss/manifest.mn */ + /* */ + /********************************************************************/ + +diff --git a/org/mozilla/jss/JSSProvider.java b/org/mozilla/jss/JSSProvider.java +index 687e88b..a8205ab 100644 +--- a/org/mozilla/jss/JSSProvider.java ++++ b/org/mozilla/jss/JSSProvider.java +@@ -9,11 +9,11 @@ public final class JSSProvider extends java.security.Provider { + /* The VERSION Strings should be updated in the following */ + /* files everytime a new release of JSS is generated: */ + /* */ ++ /* lib/manifest.mn */ ++ /* org/mozilla/jss/CryptoManager.c */ + /* org/mozilla/jss/CryptoManager.java */ + /* org/mozilla/jss/JSSProvider.java */ + /* org/mozilla/jss/util/jssver.h */ +- /* lib/manifest.mn */ +- /* jss/manifest.mn */ + /* */ + /********************************************************************/ + /* QUESTION: When do we change MINOR and PATCH to 4 and 0? */ +diff --git a/org/mozilla/jss/util/jssver.h b/org/mozilla/jss/util/jssver.h +index bd8a492..df67620 100644 +--- a/org/mozilla/jss/util/jssver.h ++++ b/org/mozilla/jss/util/jssver.h +@@ -17,12 +17,11 @@ + /* The VERSION Strings should be updated in the following */ + /* files everytime a new release of JSS is generated: */ + /* */ +-/* org/mozilla/jss/CryptoManager.java */ ++/* lib/manifest.mn */ + /* org/mozilla/jss/CryptoManager.c */ ++/* org/mozilla/jss/CryptoManager.java */ + /* org/mozilla/jss/JSSProvider.java */ + /* org/mozilla/jss/util/jssver.h */ +-/* lib/manifest.mn */ +-/* jss/manifest.mn */ + /* */ + /********************************************************************/ + +-- +2.9.3 + + +From 434c9d5253d6f1e32c4f29cf66cb43d8ca7bf569 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Sat, 25 Mar 2017 12:08:51 -0400 +Subject: [PATCH 10/11] Bug 1337092 CMC conformance update: Implement required + ASN.1 code for RFC5272+, r=jmagne + +From: Christina Fu +Date: Thu, 16 Mar 2017 09:54:01 -0700 +Subject: [PATCH] bugzilla.mozilla#1337092 cmc RFC5272 ASN.1 +This patch provides the required ASN.1 code for updating cmc to RFC5272, +as well as adding some needed missing controls from earlier rfc 2797. +The major cmc control structures added are: IdentityProofV2, EncryptedPOP, +DecryptedPOP, PopLinkWitnessV2, CMCStatusInfoV2 and their underelying +support structures. +--- + org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java | 21 ++ + org/mozilla/jss/crypto/HMACAlgorithm.java | 2 +- + org/mozilla/jss/pkix/cmc/BodyPartReference.java | 198 +++++++++++++++ + org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java | 270 ++++++++++++++++++++ + org/mozilla/jss/pkix/cmc/DecryptedPOP.java | 165 ++++++++++++ + org/mozilla/jss/pkix/cmc/EncryptedPOP.java | 185 ++++++++++++++ + org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java | 145 +++++++++++ + org/mozilla/jss/pkix/cmc/IdentityProofV2.java | 163 ++++++++++++ + org/mozilla/jss/pkix/cmc/OtherInfo.java | 150 ++++++++--- + org/mozilla/jss/pkix/cmc/OtherReqMsg.java | 167 ++++++++++++ + org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java | 163 ++++++++++++ + org/mozilla/jss/pkix/cmc/RevokeRequest.java | 323 ++++++++++++++++++++++++ + org/mozilla/jss/pkix/cmc/TaggedRequest.java | 78 +++++- + org/mozilla/jss/pkix/cmmf/RevRequest.java | 3 + + org/mozilla/jss/pkix/crmf/CertRequest.java | 7 + + 15 files changed, 1995 insertions(+), 45 deletions(-) + create mode 100644 org/mozilla/jss/pkix/cmc/BodyPartReference.java + create mode 100644 org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java + create mode 100644 org/mozilla/jss/pkix/cmc/DecryptedPOP.java + create mode 100644 org/mozilla/jss/pkix/cmc/EncryptedPOP.java + create mode 100644 org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java + create mode 100644 org/mozilla/jss/pkix/cmc/IdentityProofV2.java + create mode 100644 org/mozilla/jss/pkix/cmc/OtherReqMsg.java + create mode 100644 org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java + create mode 100644 org/mozilla/jss/pkix/cmc/RevokeRequest.java + +diff --git a/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java b/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java +index 399b555..d55dcfc 100644 +--- a/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java ++++ b/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java +@@ -140,6 +140,27 @@ public class OBJECT_IDENTIFIER implements ASN1Value { + id_cmc_idPOPLinkWitness = id_cmc.subBranch(23); + public static final OBJECT_IDENTIFIER + id_cmc_idConfirmCertAcceptance = id_cmc.subBranch(24); ++ // rfc 5272 ++ public static final OBJECT_IDENTIFIER ++ id_cmc_statusInfoV2 = id_cmc.subBranch(25); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_trustedAnchors = id_cmc.subBranch(26); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_authData = id_cmc.subBranch(27); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_batchRequests = id_cmc.subBranch(28); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_batchResponses = id_cmc.subBranch(29); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_publishCert = id_cmc.subBranch(30); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_modCertTemplate = id_cmc.subBranch(31); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_controlProcessed = id_cmc.subBranch(32); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_popLinkWitnessV2 = id_cmc.subBranch(33); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_identityProofV2 = id_cmc.subBranch(34); + + public static final OBJECT_IDENTIFIER + id_cct = PKIX.subBranch( 12 ); +diff --git a/org/mozilla/jss/crypto/HMACAlgorithm.java b/org/mozilla/jss/crypto/HMACAlgorithm.java +index aec57c8..24ed2ea 100644 +--- a/org/mozilla/jss/crypto/HMACAlgorithm.java ++++ b/org/mozilla/jss/crypto/HMACAlgorithm.java +@@ -34,7 +34,7 @@ public class HMACAlgorithm extends DigestAlgorithm { + * @exception NoSuchAlgorithmException If no registered HMAC algorithm + * has the given OID. + */ +- public static DigestAlgorithm fromOID(OBJECT_IDENTIFIER oid) ++ public static HMACAlgorithm fromOID(OBJECT_IDENTIFIER oid) + throws NoSuchAlgorithmException + { + Object alg = oidMap.get(oid); +diff --git a/org/mozilla/jss/pkix/cmc/BodyPartReference.java b/org/mozilla/jss/pkix/cmc/BodyPartReference.java +new file mode 100644 +index 0000000..e7358dc +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/BodyPartReference.java +@@ -0,0 +1,198 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 2004 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.util.Assert; ++import org.mozilla.jss.asn1.*; ++import java.io.IOException; ++import java.io.InputStream; ++import java.io.OutputStream; ++import java.util.BitSet; ++ ++/** ++ * CMC BodyPartReference: ++ * 
++ *      BodyPartReference::= CHOICE { 
++ *          bodyPartID       BodyPartID
++ *          bodyPartPath     SEQUENCE SIZE (1..MAX) OF BodyPartID, 
++ *     } 
++ *
++ * @author Christina Fu (cfu)
++ *
++ */ ++public class BodyPartReference implements ASN1Value { ++ public static final INTEGER BODYIDMAX = new INTEGER("4294967295"); ++ ++ /** ++ * The type of BodyPartReference. ++ */ ++ public static class Type { ++ private Type() { } ++ ++ static Type BodyPartID = new Type(); ++ static Type BodyPartPath = new Type(); ++ } ++ public static Type BodyPartID = Type.BodyPartID; ++ public static Type BodyPartPath = Type.BodyPartPath; ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Members ++ /////////////////////////////////////////////////////////////////////// ++ private Type type; ++ private INTEGER bodyPartID; ++ private SEQUENCE bodyPartPath; ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Constructors ++ /////////////////////////////////////////////////////////////////////// ++ ++ private BodyPartReference() { } ++ ++ /** ++ * @param type The type of the BodyPartReference ++ * @param bodyPartID A BodyPartID. ++ * @param bodyPartPath The sequence of bodyPartIDs. ++ */ ++ public BodyPartReference(Type type, ++ INTEGER bodyPartID, ++ SEQUENCE bodyPartPath) { ++ this.bodyPartID = bodyPartID; ++ this.bodyPartPath = bodyPartPath; ++ } ++ ++ /** ++ * Adds a BodyPartID to the bodyPartPath SEQUENCE. ++ */ ++ public void addBodyPartId(int id) { ++ INTEGER id1 = new INTEGER(id); ++ Assert._assert(id1.compareTo(BODYIDMAX) <= 0); ++ bodyPartPath.addElement( id1 ); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // member access ++ /////////////////////////////////////////////////////////////////////// ++ ++ /** ++ * Returns the type of BodyPartReference:
    ++ *
  • BodyPartID ++ *
  • BodyPartPath ++ *
++ */ ++ public Type getType() { ++ return type; ++ } ++ ++ public INTEGER getBodyPartID() { ++ return bodyPartID; ++ } ++ ++ public SEQUENCE getBodyPartPath() { ++ return bodyPartPath; ++ } ++ /////////////////////////////////////////////////////////////////////// ++ // decoding/encoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ public Tag getTag() { ++ //return the subType's tag ++ if (type == BodyPartID ) { ++ return INTEGER.TAG; ++ } else { ++ Assert._assert( type == BodyPartPath); ++ return SEQUENCE.TAG; ++ } ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ if (type == BodyPartID ) { ++ bodyPartID.encode(ostream); ++ } else { ++ Assert._assert( type == BodyPartPath); ++ bodyPartPath.encode(ostream); ++ } ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException ++ { ++ encode(ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ ++ /** ++ * A Template for decoding a BodyPartReference. ++ */ ++ public static class Template implements ASN1Template { ++ ++ private CHOICE.Template choicet; ++ ++ public Template() { ++ choicet = new CHOICE.Template(); ++ choicet.addElement( INTEGER.getTemplate() ); ++ choicet.addElement( new SEQUENCE.OF_Template(INTEGER.getTemplate()) ); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return choicet.tagMatch(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ CHOICE c = (CHOICE) choicet.decode(istream); ++ ++ if( c.getTag().equals(INTEGER.TAG) ) { ++ return new BodyPartReference(BodyPartID, (INTEGER) c.getValue() , null); ++ } else { ++ Assert._assert( c.getTag().equals(SEQUENCE.TAG) ); ++ return new BodyPartReference(BodyPartPath, null, (SEQUENCE) c.getValue()); ++ } ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ //A CHOICE cannot be implicitly tagged ++ return decode(istream); ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java b/org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java +new file mode 100644 +index 0000000..9b6aeb9 +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java +@@ -0,0 +1,270 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.util.Assert; ++import org.mozilla.jss.asn1.*; ++import java.io.IOException; ++import java.io.InputStream; ++import java.io.OutputStream; ++import java.util.BitSet; ++ ++/** ++ * CMCStatusInfoV2 replaces CMCStatusInfo in rfc 5272 ++ * CMC CMCStatusInfoV2: ++ * 
++ *     CMCStatusInfoV2 ::= SEQUENCE { 
++ *          cMCStatus           CMCStatus, 
++ *          bodyList            SEQUENCE SIZE (1..MAX)
++ *                                       BodyPartReference,
++ *          statusString        UTF8String OPTIONAL, 
++ *          otherInfo           CHOICE {  // defined in updated OtherInfo
++ *            failInfo            CMCFailInfo, 
++ *            pendInfo            PendInfo,
++ *            extendedFailInfo       SEQUENCE {
++ *              failInfoOID            OBJECT IDENTIFIER,
++ *              failInfoValue          AttributeValue
++ *            } OPTIONAL 
++ *         }
++ *     } 
++ *     PendInfo ::= SEQUENCE { 
++ *          pendToken           OCTET STRING, 
++ *          pendTime            GeneralizedTime 
++ *     }
++ *
++ * @author Christina Fu (cfu)
++ *
++ */ ++public class CMCStatusInfoV2 implements ASN1Value { ++ public static final INTEGER BODYIDMAX = new INTEGER("4294967295"); ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Members ++ /////////////////////////////////////////////////////////////////////// ++ private INTEGER status; ++ private SEQUENCE bodyList; ++ private UTF8String statusString; ++ private OtherInfo otherInfo; ++ ++ // CMCStatus constants ++ public static final int SUCCESS = 0; ++ public static final int RESERVED = 1; ++ public static final int FAILED = 2; ++ public static final int PENDING = 3; ++ public static final int NOSUPPORT = 4; ++ public static final int CONFIRM_REQUIRED = 5; ++ public static final int POP_REQUIRED = 6; ++ public static final int PARTIAL = 7; ++ ++ public static final String[] STATUS = {"success", ++ "reserved", ++ "failed", ++ "pending", ++ "not supported", ++ "confirm required", ++ "pop required", ++ "partial"}; ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Constructors ++ /////////////////////////////////////////////////////////////////////// ++ ++ private CMCStatusInfoV2() { } ++ ++ /** ++ * @param status A CMCStatus constant. ++ * @param bodyList The sequence of BodyPartReference. ++ */ ++ public CMCStatusInfoV2(int status, SEQUENCE bodyList) { ++ this.status = new INTEGER(status); ++ this.bodyList = bodyList; ++ this.statusString = null; ++ this.otherInfo = null; ++ } ++ ++ /** ++ * @param status A CMCStatus constant. ++ * @param bodyList The sequence of BodyPartReference. ++ * @param statusString A String. ++ * @param otherInfo The OtherInfo choice. ++ */ ++ public CMCStatusInfoV2(int status, SEQUENCE bodyList, String ++ statusString, OtherInfo otherInfo) { ++ this.status = new INTEGER(status); ++ this.bodyList = bodyList; ++ if (statusString != null){ ++ try { ++ this.statusString = new UTF8String(statusString); ++ } catch (Exception e){} ++ } else ++ this.statusString = null; ++ this.otherInfo = otherInfo; ++ } ++ ++ /** ++ * Create a CMCStatusInfoV2 from decoding. ++ * @param status A CMCStatus constant. ++ * @param bodyList The sequence of BodyPartReference. ++ * @param statusString A UTF8String. ++ * @param otherInfo A CHOICE. ++ */ ++ public CMCStatusInfoV2(INTEGER status, SEQUENCE bodyList, UTF8String ++ statusString, OtherInfo otherInfo) { ++ this.status = status; ++ this.bodyList = bodyList; ++ this.statusString = statusString; ++ this.otherInfo = otherInfo; ++ } ++ ++ /** ++ * Sets the statusString field. May be null, since this ++ * field is optional. ++ */ ++ public void setStatusString(String statusString) { ++ if (statusString != null){ ++ try { ++ this.statusString = new UTF8String(statusString); ++ } catch (Exception e){} ++ } else{ ++ this.statusString = null; ++ } ++ } ++ ++ /** ++ * Adds a BodyPartID to the bodyList SEQUENCE. ++ */ ++ public void addBodyPartID(int id) { ++ INTEGER id1 = new INTEGER(id); ++ Assert._assert(id1.compareTo(BODYIDMAX) <= 0); ++ bodyList.addElement( id1 ); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // member access ++ /////////////////////////////////////////////////////////////////////// ++ public int getStatus() { ++ return status.intValue(); ++ } ++ ++ public SEQUENCE getBodyList() { ++ return bodyList; ++ } ++ ++ public String getStatusString() { ++ if (statusString != null) ++ return statusString.toString(); ++ return null; ++ } ++ ++ public OtherInfo getOtherInfo() { ++ return otherInfo; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // decoding/encoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ public static final Tag TAG = SEQUENCE.TAG; ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ encode(TAG, ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException ++ { ++ SEQUENCE seq = new SEQUENCE(); ++ ++ seq.addElement(status); ++ seq.addElement(bodyList); ++ if( statusString != null ) { ++ seq.addElement( statusString ); ++ } ++ ++ if ( otherInfo != null) { ++ seq.addElement( otherInfo ); ++ } ++ ++ seq.encode(implicitTag, ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ ++ public static class Template implements ASN1Template { ++ ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ seqt.addElement( INTEGER.getTemplate() ); ++ seqt.addElement( new SEQUENCE.OF_Template(INTEGER.getTemplate()) ); ++ seqt.addOptionalElement( UTF8String.getTemplate()); ++ ++ seqt.addOptionalElement( OtherInfo.getTemplate() ); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ ++ CMCStatusInfoV2 psi; ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new CMCStatusInfoV2((INTEGER)seq.elementAt(0), ++ (SEQUENCE)seq.elementAt(1), ++ (UTF8String)seq.elementAt(2), ++ (OtherInfo)seq.elementAt(3)); ++ } ++ } ++} ++ +diff --git a/org/mozilla/jss/pkix/cmc/DecryptedPOP.java b/org/mozilla/jss/pkix/cmc/DecryptedPOP.java +new file mode 100644 +index 0000000..14013aa +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/DecryptedPOP.java +@@ -0,0 +1,165 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import org.mozilla.jss.pkix.primitive.*; ++import java.io.*; ++ ++/** ++ * CMC DecryptedPOP: ++ * 
++ *     DecryptedPOP ::= SEQUENCE {
++ *         bodyPartID      BodyPartID,
++ *         thePOPAlgID     AlgorithmIdentifier,
++ *         thePOP         OCTET STRING
++ *     }
++ *
++ * ++ * @author Christina Fu (cfu) ++ */ ++public class DecryptedPOP implements ASN1Value { ++ ++ /////////////////////////////////////////////////////////////////////// ++ // members and member access ++ /////////////////////////////////////////////////////////////////////// ++ private INTEGER bodyPartID; ++ private AlgorithmIdentifier thePOPAlgID; ++ private OCTET_STRING thePOP; ++ private SEQUENCE sequence; // for DER encoding ++ ++ /** ++ * Returns the bodyPartID field. ++ */ ++ public INTEGER getBodyPartID() { ++ return bodyPartID; ++ } ++ ++ public AlgorithmIdentifier getThePOPAlgID() { ++ return thePOPAlgID; ++ } ++ ++ public OCTET_STRING getWitness() { ++ return thePOP; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // constructors ++ /////////////////////////////////////////////////////////////////////// ++ private DecryptedPOP() { } ++ ++ public DecryptedPOP( ++ INTEGER bodyPartID, ++ AlgorithmIdentifier thePOPAlgID, ++ OCTET_STRING thePOP) ++ { ++ if( bodyPartID==null || thePOPAlgID==null || ++ thePOP==null ) { ++ throw new IllegalArgumentException("DecryptedPOP constructor" ++ +" parameter is null"); ++ } ++ ++ this.bodyPartID = bodyPartID; ++ this.thePOPAlgID = thePOPAlgID; ++ this.thePOP = thePOP; ++ ++ sequence = new SEQUENCE(); ++ sequence.addElement(bodyPartID); ++ sequence.addElement(thePOPAlgID); ++ sequence.addElement(thePOP); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // DER encoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ private static final Tag TAG = SEQUENCE.TAG; ++ ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ sequence.encode(ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException { ++ sequence.encode(implicitTag, ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ /** ++ * A Template for decoding BER-encoded DecryptedPOP items. ++ */ ++ public static class Template implements ASN1Template { ++ ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ ++ seqt.addElement( INTEGER.getTemplate() ); ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( OCTET_STRING.getTemplate() ); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new DecryptedPOP( ++ (INTEGER) seq.elementAt(0), ++ (AlgorithmIdentifier) seq.elementAt(1), ++ (OCTET_STRING) seq.elementAt(2) ); ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/EncryptedPOP.java b/org/mozilla/jss/pkix/cmc/EncryptedPOP.java +new file mode 100644 +index 0000000..58a3f4c +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/EncryptedPOP.java +@@ -0,0 +1,185 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import org.mozilla.jss.pkix.primitive.*; ++import org.mozilla.jss.pkix.cms.*; ++import java.io.*; ++ ++/** ++ * CMC EncryptedPOP: ++ * 
++ *     EncryptedPOP ::= SEQUENCE {
++ *         request       TaggedRequest,
++ *         cms             ContentInfo,
++ *         thePOPAlgID     AlgorithmIdentifier,
++ *         witnessAlgID    AlgorithmIdentifier,
++ *         witness         OCTET STRING
++ *     }
++ *
++ * ++ * @author Christina Fu (cfu) ++ */ ++public class EncryptedPOP implements ASN1Value { ++ ++ /////////////////////////////////////////////////////////////////////// ++ // members and member access ++ /////////////////////////////////////////////////////////////////////// ++ private TaggedRequest request; ++ private ContentInfo cms; ++ private AlgorithmIdentifier thePOPAlgID; ++ private AlgorithmIdentifier witnessAlgID; ++ private OCTET_STRING witness; ++ private SEQUENCE sequence; // for DER encoding ++ ++ public TaggedRequest getRequest() { ++ return request; ++ } ++ ++ public ContentInfo getContentInfo() { ++ return cms; ++ } ++ ++ public AlgorithmIdentifier getThePOPAlgID() { ++ return thePOPAlgID; ++ } ++ ++ public AlgorithmIdentifier getWitnessAlgID() { ++ return witnessAlgID; ++ } ++ ++ public OCTET_STRING getWitness() { ++ return witness; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // constructors ++ /////////////////////////////////////////////////////////////////////// ++ private EncryptedPOP() { } ++ ++ public EncryptedPOP( ++ TaggedRequest request, ++ ContentInfo cms, ++ AlgorithmIdentifier thePOPAlgID, ++ AlgorithmIdentifier witnessAlgID, ++ OCTET_STRING witness) ++ { ++ if( request==null || cms==null || thePOPAlgID==null || witnessAlgID==null || ++ witness==null ) { ++ throw new IllegalArgumentException("EncryptedPOP constructor" ++ +" parameter is null"); ++ } ++ ++ this.request = request; ++ this.cms = cms; ++ this.thePOPAlgID = thePOPAlgID; ++ this.witnessAlgID = witnessAlgID; ++ this.witness = witness; ++ ++ sequence = new SEQUENCE(); ++ sequence.addElement(request); ++ sequence.addElement(cms); ++ sequence.addElement(thePOPAlgID); ++ sequence.addElement(witnessAlgID); ++ sequence.addElement(witness); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // DER encoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ private static final Tag TAG = SEQUENCE.TAG; ++ ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ sequence.encode(ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException { ++ sequence.encode(implicitTag, ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ /** ++ * A Template for decoding BER-encoded EncryptedPOP items. ++ */ ++ public static class Template implements ASN1Template { ++ ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ ++ seqt.addElement( TaggedRequest.getTemplate() ); ++ seqt.addElement( ContentInfo.getTemplate() ); ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( OCTET_STRING.getTemplate() ); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new EncryptedPOP( ++ (TaggedRequest) seq.elementAt(0), ++ (ContentInfo) seq.elementAt(1), ++ (AlgorithmIdentifier) seq.elementAt(2), ++ (AlgorithmIdentifier) seq.elementAt(3), ++ (OCTET_STRING) seq.elementAt(4) ); ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java b/org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java +new file mode 100644 +index 0000000..34a10a8 +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java +@@ -0,0 +1,145 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import java.io.InputStream; ++import java.io.OutputStream; ++import java.io.IOException; ++import org.mozilla.jss.util.Assert; ++ ++/** ++ * ExtendedFailInfo per rfc 5272 ++ * It is to be used in CMCStatusInfoV2 as a CHOICE of otherInfo ++ * ++ * 
++ *      ExtendedFailInfo ::= SEQUENCE {
++ *          failInfoOID        OBJECT IDENTIFIER,
++ *          failInfoValue       ANY DEFINED BY failInfoOID }
++ *
++ * ++ * @author Christina Fu (cfu) ++ */ ++public class ExtendedFailInfo implements ASN1Value { ++ ++ private OBJECT_IDENTIFIER failInfoOID; ++ private ANY failInfoValue; ++ ++ public static final Tag TAG = SEQUENCE.TAG; ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ private ExtendedFailInfo() { } ++ ++ public ExtendedFailInfo(OBJECT_IDENTIFIER failInfoOID, ASN1Value failInfoValue) { ++ this.failInfoOID = failInfoOID; ++ if( failInfoValue instanceof ANY ) { ++ this.failInfoValue = (ANY) failInfoValue; ++ } else { ++ byte[] encoded = ASN1Util.encode(failInfoValue); ++ try { ++ this.failInfoValue = (ANY) ASN1Util.decode(ANY.getTemplate(), encoded); ++ } catch( InvalidBERException e ) { ++ Assert.notReached("InvalidBERException while decoding as ANY"); ++ } ++ } ++ } ++ ++ public OBJECT_IDENTIFIER getOID() { ++ return failInfoOID; ++ } ++ ++ /** ++ * Returns the failInfoValue of this ExtendedFailInfo, encoded as an ANY. ++ */ ++ public ANY getValue() { ++ return failInfoValue; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ encode(TAG, ostream); ++ } ++ ++ public void encode(Tag implicit, OutputStream ostream) ++ throws IOException ++ { ++ SEQUENCE seq = new SEQUENCE(); ++ seq.addElement(failInfoOID); ++ seq.addElement(failInfoValue); ++ ++ seq.encode(implicit, ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ /** ++ * A Template for decoding an ExtendedFailInfo. ++ */ ++ public static class Template implements ASN1Template { ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws IOException, InvalidBERException ++ { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicit, InputStream istream) ++ throws IOException, InvalidBERException ++ { ++ SEQUENCE.Template seqt = new SEQUENCE.Template(); ++ ++ seqt.addElement( new OBJECT_IDENTIFIER.Template() ); ++ seqt.addElement( new ANY.Template() ); ++ ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicit, istream); ++ ++ // The template should have enforced this ++ Assert._assert(seq.size() == 2); ++ ++ return new ExtendedFailInfo( (OBJECT_IDENTIFIER) seq.elementAt(0), ++ seq.elementAt(1) ); ++ } ++ } ++ ++} +diff --git a/org/mozilla/jss/pkix/cmc/IdentityProofV2.java b/org/mozilla/jss/pkix/cmc/IdentityProofV2.java +new file mode 100644 +index 0000000..f0daaaa +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/IdentityProofV2.java +@@ -0,0 +1,163 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import org.mozilla.jss.pkix.primitive.*; ++import java.io.*; ++ ++/** ++ * CMC IdentityProofV2: ++ * per rfc 5272 ++ * 
++ *     IdentityProofV2 ::= SEQUENCE {
++ *         hashAlgID      AlgorithmIdentifier,
++ *         macAlgId       AlgorithmIdentifier,
++ *         witness        OCTET STRING
++ *     }
++ *
++ * ++ * @author Christina Fu (cfu) ++ */ ++public class IdentityProofV2 implements ASN1Value { ++ ++ /////////////////////////////////////////////////////////////////////// ++ // members and member access ++ /////////////////////////////////////////////////////////////////////// ++ private AlgorithmIdentifier hashAlgID; ++ private AlgorithmIdentifier macAlgId; ++ private OCTET_STRING witness; ++ private SEQUENCE sequence; // for DER encoding ++ ++ public AlgorithmIdentifier getHashAlgID() { ++ return hashAlgID; ++ } ++ ++ public AlgorithmIdentifier getMacAlgId() { ++ return macAlgId; ++ } ++ ++ public OCTET_STRING getWitness() { ++ return witness; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // constructors ++ /////////////////////////////////////////////////////////////////////// ++ private IdentityProofV2() { } ++ ++ public IdentityProofV2( ++ AlgorithmIdentifier hashAlgID, ++ AlgorithmIdentifier macAlgId, ++ OCTET_STRING witness) ++ { ++ if( hashAlgID==null || macAlgId==null || ++ witness==null ) { ++ throw new IllegalArgumentException("IdentityProofV2 constructor" ++ +" parameter is null"); ++ } ++ ++ this.hashAlgID = hashAlgID; ++ this.macAlgId = macAlgId; ++ this.witness = witness; ++ ++ sequence = new SEQUENCE(); ++ sequence.addElement(hashAlgID); ++ sequence.addElement(macAlgId); ++ sequence.addElement(witness); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // DER encoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ private static final Tag TAG = SEQUENCE.TAG; ++ ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ sequence.encode(ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException { ++ sequence.encode(implicitTag, ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ /** ++ * A Template for decoding BER-encoded IdentityProofV2 items. ++ */ ++ public static class Template implements ASN1Template { ++ ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( OCTET_STRING.getTemplate() ); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new IdentityProofV2( ++ (AlgorithmIdentifier) seq.elementAt(0), ++ (AlgorithmIdentifier) seq.elementAt(1), ++ (OCTET_STRING) seq.elementAt(2) ); ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/OtherInfo.java b/org/mozilla/jss/pkix/cmc/OtherInfo.java +index b93c193..3c83932 100644 +--- a/org/mozilla/jss/pkix/cmc/OtherInfo.java ++++ b/org/mozilla/jss/pkix/cmc/OtherInfo.java +@@ -9,13 +9,20 @@ import java.io.*; + import org.mozilla.jss.util.Assert; + + /** +- * CMCStatusInfo OtherInfo: ++ * CMCStatusInfoV2 OtherInfo: ++ * + * 
+  *   OtherInfo ::= CHOICE { 
+  *       failInfo INTEGER, 
+- *       pendInfo PendInfo 
+- *   } 
++ *       pendInfo PendInfo,
++ *       extendedFailInfo       SEQUENCE {  // ExtendedFailInfo
++ *           failInfoOID            OBJECT IDENTIFIER,
++ *           failInfoValue          AttributeValue
++ *       } OPTIONAL
++ *   }
+  *
++ * ++ * @author Christina Fu (cfu) - updated for rfc5272 + */ + public class OtherInfo implements ASN1Value { + // CMCFailInfo constants +@@ -32,20 +39,23 @@ public class OtherInfo implements ASN1Value { + public static final int NO_KEY_REUSE = 10; + public static final int INTERNAL_CA_ERROR = 11; + public static final int TRY_LATER = 12; ++ public static final int authDataFail = 13; + +- public static final String[] FAIL_INFO = {"bad algorithm", +- "bad message check", +- "bad request", +- "bad time", +- "bad certificate id", +- "unsupported extensions", +- "must archive keys", +- "bad identity", +- "POP required", +- "POP failed", +- "no key reuse", +- "internal ca error", +- "try later"}; ++ public static final String[] FAIL_INFO = { ++ "bad algorithm", ++ "bad message check", ++ "bad request", ++ "bad time", ++ "bad certificate id", ++ "unsupported extensions", ++ "must archive keys", ++ "bad identity", ++ "POP required", ++ "POP failed", ++ "no key reuse", ++ "internal ca error", ++ "try later", ++ "authenticated data fail"}; + /** + * The type of OtherInfo. + */ +@@ -54,9 +64,11 @@ public class OtherInfo implements ASN1Value { + + static Type FAIL = new Type(); + static Type PEND = new Type(); ++ static Type EXTENDED = new Type(); + } + public static Type FAIL = Type.FAIL; + public static Type PEND = Type.PEND; ++ public static Type EXTENDED = Type.EXTENDED; + + /////////////////////////////////////////////////////////////////////// + // members and member access +@@ -65,6 +77,7 @@ public class OtherInfo implements ASN1Value { + private Type type; + private INTEGER failInfo; // if type == FAIL + private PendInfo pendInfo; // if type == PEND ++ private ExtendedFailInfo extendedFailInfo; // if type == EXTENDED + + /////////////////////////////////////////////////////////////////////// + // Constructors +@@ -73,17 +86,76 @@ public class OtherInfo implements ASN1Value { + // no default constructor + public OtherInfo() { } + +- /** ++ /** + * Constructs a OtherInfo from its components. + * + * @param type The type of the otherInfo. + * @param failInfo the CMCFailInfo code. + * @param pendInfo the pending information. ++ * ++ * Note: kept for backward compatibility for now; new code don't use + */ + public OtherInfo(Type type, INTEGER failInfo, PendInfo pendInfo) { ++ if (type == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter is null"); ++ } ++ ++ if ( type == FAIL ) { ++ if (failInfo == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter failInfo is null"); ++ } ++ } else { ++ Assert._assert( type == PEND ); ++ if (pendInfo == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter pendInfo is null"); ++ } ++ } ++ this.type = type; ++ this.failInfo = failInfo; ++ this.pendInfo = pendInfo; ++ } ++ ++ /** ++ * Constructs a OtherInfo from its components. ++ * ++ * @param type The type of the otherInfo. ++ * @param failInfo the CMCFailInfo code. ++ * @param pendInfo the pending information. ++ * @param extendedFailInfo the extendedFailInfo information. ++ */ ++ public OtherInfo(Type type, ++ INTEGER failInfo, ++ PendInfo pendInfo, ++ ExtendedFailInfo extendedFailInfo) { ++ if (type == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter is null"); ++ } ++ ++ if ( type == FAIL ) { ++ if (failInfo == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter failInfo is null"); ++ } ++ } else if ( type == PEND ) { ++ if (pendInfo == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter pendInfo is null"); ++ } ++ } else { ++ Assert._assert( type == EXTENDED ); ++ if (extendedFailInfo == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter extendedFailInfo is null"); ++ } ++ } + this.type = type; + this.failInfo = failInfo; + this.pendInfo = pendInfo; ++ this.extendedFailInfo = extendedFailInfo; + } + + /////////////////////////////////////////////////////////////////////// +@@ -94,6 +166,7 @@ public class OtherInfo implements ASN1Value { + * Returns the type of OtherInfo:
    + *
  • FAIL + *
  • PEND ++ *
  • EXTENDED + *
+ */ + public Type getType() { +@@ -116,17 +189,27 @@ public class OtherInfo implements ASN1Value { + return pendInfo; + } + ++ /** ++ * If type == EXTENDED, returns the extendedFailInfo field. Otherwise, ++ * returns null. ++ */ ++ public ExtendedFailInfo getExtendedFailInfo() { ++ return extendedFailInfo; ++ } ++ + /////////////////////////////////////////////////////////////////////// + // DER decoding/encoding + /////////////////////////////////////////////////////////////////////// + + public Tag getTag() { +- // return the subType's tag ++ // return the subType's tag + if( type == FAIL ) { + return INTEGER.TAG; +- } else { +- Assert._assert( type == PEND ); ++ } else if( type == PEND ){ + return PendInfo.TAG; ++ } else { ++ Assert._assert( type == EXTENDED ); ++ return ExtendedFailInfo.TAG; + } + } + +@@ -134,16 +217,18 @@ public class OtherInfo implements ASN1Value { + + if( type == FAIL ) { + failInfo.encode(ostream); +- } else { +- Assert._assert( type == PEND ); ++ } else if( type == PEND ){ + pendInfo.encode(ostream); ++ } else { ++ Assert._assert( type == EXTENDED ); ++ extendedFailInfo.encode(ostream); + } + } + + public void encode(Tag implicitTag, OutputStream ostream) + throws IOException { +- //Assert.notReached("A CHOICE cannot be implicitly tagged " +implicitTag.getNum()); +- encode(ostream); ++ //Assert.notReached("A CHOICE cannot be implicitly tagged " +implicitTag.getNum()); ++ encode(ostream); + } + + private static final Template templateInstance = new Template(); +@@ -162,6 +247,7 @@ public class OtherInfo implements ASN1Value { + choicet = new CHOICE.Template(); + choicet.addElement( INTEGER.getTemplate() ); + choicet.addElement( PendInfo.getTemplate() ); ++ choicet.addElement( ExtendedFailInfo.getTemplate() ); + } + + public boolean tagMatch(Tag tag) { +@@ -173,17 +259,19 @@ public class OtherInfo implements ASN1Value { + CHOICE c = (CHOICE) choicet.decode(istream); + + if( c.getTag().equals(INTEGER.TAG) ) { +- return new OtherInfo(FAIL, (INTEGER) c.getValue() , null); ++ return new OtherInfo(FAIL, (INTEGER) c.getValue() , null, null); ++ } else if( c.getTag().equals(PendInfo.TAG) ) { ++ return new OtherInfo(PEND, null, (PendInfo) c.getValue(), null); + } else { +- Assert._assert( c.getTag().equals(PendInfo.TAG) ); +- return new OtherInfo(PEND, null, (PendInfo) c.getValue()); ++ Assert._assert( c.getTag().equals(ExtendedFailInfo.TAG) ); ++ return new OtherInfo(EXTENDED, null, null, (ExtendedFailInfo) c.getValue()); + } + } + + public ASN1Value decode(Tag implicitTag, InputStream istream) + throws InvalidBERException, IOException { +- //Assert.notReached("A CHOICE cannot be implicitly tagged"); +- return decode(istream); +- } +- } ++ //Assert.notReached("A CHOICE cannot be implicitly tagged"); ++ return decode(istream); ++ } ++ } + } +diff --git a/org/mozilla/jss/pkix/cmc/OtherReqMsg.java b/org/mozilla/jss/pkix/cmc/OtherReqMsg.java +new file mode 100644 +index 0000000..d1100b4 +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/OtherReqMsg.java +@@ -0,0 +1,167 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 2004 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import java.io.*; ++ ++/** ++ * CMC OtherReqMsg. ++ * 
++ * OtherReqMsg is to be used by the "orm" field of the TaggedRequest per
++ *     definition in RFC 5272.
++ *
++ * OtherReqMsg ::= SEQUENCE {
++ *      bodyPartID      BodyPartID,
++ *      requestMessageType    Object Identifier,
++ *      requestMessageValue   ANY defined by requestMessageType}
++ *
++ * ++ * @author Christina Fu (cfu) ++ */ ++public class OtherReqMsg implements ASN1Value { ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Members and member access ++ /////////////////////////////////////////////////////////////////////// ++ private INTEGER bodyPartID; ++ private OBJECT_IDENTIFIER requestMessageType; ++ private ANY requestMessageValue; ++ private SEQUENCE sequence; ++ ++ /** ++ * Returns the bodyPartID field. ++ */ ++ public INTEGER getBodyPartID() { ++ return bodyPartID; ++ } ++ ++ /** ++ * Returns the requestMessageType field. ++ */ ++ public OBJECT_IDENTIFIER getOtherReqMsgType() { ++ return requestMessageType; ++ } ++ ++ /** ++ * Returns the requestMessageValue field. ++ */ ++ public ANY getOtherReqMsgValue() { ++ return requestMessageValue; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Constructors ++ /////////////////////////////////////////////////////////////////////// ++ private OtherReqMsg() { } ++ ++ /** ++ * Constructs a new OtherReqMsg from its components. ++ */ ++ public OtherReqMsg(INTEGER bodyPartID, OBJECT_IDENTIFIER requestMessageType, ++ ANY requestMessageValue) { ++ if (bodyPartID == null || requestMessageType == null ++ || requestMessageValue == null) { ++ throw new IllegalArgumentException( ++ "parameter to OtherReqMsg constructor is null"); ++ } ++ sequence = new SEQUENCE(); ++ ++ this.bodyPartID = bodyPartID; ++ sequence.addElement(bodyPartID); ++ ++ this.requestMessageType = requestMessageType; ++ sequence.addElement(requestMessageType); ++ ++ this.requestMessageValue = requestMessageValue; ++ sequence.addElement(requestMessageValue); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // encoding/decoding ++ /////////////////////////////////////////////////////////////////////// ++ private static final Tag TAG = SEQUENCE.TAG; ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ sequence.encode(ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException { ++ sequence.encode(implicitTag, ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ /** ++ * A Template for decoding a OtherReqMsg. ++ */ ++ public static class Template implements ASN1Template { ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ seqt.addElement(INTEGER.getTemplate()); ++ seqt.addElement(OBJECT_IDENTIFIER.getTemplate()); ++ seqt.addElement(ANY.getTemplate()); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new OtherReqMsg((INTEGER)seq.elementAt(0), ++ (OBJECT_IDENTIFIER)seq.elementAt(1), ++ (ANY)seq.elementAt(2)); ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java b/org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java +new file mode 100644 +index 0000000..637c316 +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java +@@ -0,0 +1,163 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import org.mozilla.jss.pkix.primitive.*; ++import java.io.*; ++ ++/** ++ * CMC PopLinkWitnessV2: ++ * per rfc 5272 ++ * 
++ *     PopLinkWitnessV2 ::= SEQUENCE {
++ *         keyGenAlgorithm     AlgorithmIdentifier,
++ *         macAlgorithm       AlgorithmIdentifier,
++ *         witness        OCTET STRING
++ *     }
++ *
++ * ++ * @author Christina Fu (cfu) ++ */ ++public class PopLinkWitnessV2 implements ASN1Value { ++ ++ /////////////////////////////////////////////////////////////////////// ++ // members and member access ++ /////////////////////////////////////////////////////////////////////// ++ private AlgorithmIdentifier keyGenAlgorithm; ++ private AlgorithmIdentifier macAlgorithm; ++ private OCTET_STRING witness; ++ private SEQUENCE sequence; // for DER encoding ++ ++ public AlgorithmIdentifier getKeyGenAlgorithm() { ++ return keyGenAlgorithm; ++ } ++ ++ public AlgorithmIdentifier getMacAlgorithm() { ++ return macAlgorithm; ++ } ++ ++ public OCTET_STRING getWitness() { ++ return witness; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // constructors ++ /////////////////////////////////////////////////////////////////////// ++ private PopLinkWitnessV2() { } ++ ++ public PopLinkWitnessV2( ++ AlgorithmIdentifier keyGenAlgorithm, ++ AlgorithmIdentifier macAlgorithm, ++ OCTET_STRING witness) ++ { ++ if( keyGenAlgorithm==null || macAlgorithm==null || ++ witness==null ) { ++ throw new IllegalArgumentException("PopLinkWitnessV2 constructor" ++ +" parameter is null"); ++ } ++ ++ this.keyGenAlgorithm = keyGenAlgorithm; ++ this.macAlgorithm = macAlgorithm; ++ this.witness = witness; ++ ++ sequence = new SEQUENCE(); ++ sequence.addElement(keyGenAlgorithm); ++ sequence.addElement(macAlgorithm); ++ sequence.addElement(witness); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // DER encoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ private static final Tag TAG = SEQUENCE.TAG; ++ ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ sequence.encode(ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException { ++ sequence.encode(implicitTag, ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ /** ++ * A Template for decoding BER-encoded PopLinkWitnessV2 items. ++ */ ++ public static class Template implements ASN1Template { ++ ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( OCTET_STRING.getTemplate() ); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new PopLinkWitnessV2( ++ (AlgorithmIdentifier) seq.elementAt(0), ++ (AlgorithmIdentifier) seq.elementAt(1), ++ (OCTET_STRING) seq.elementAt(2) ); ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/RevokeRequest.java b/org/mozilla/jss/pkix/cmc/RevokeRequest.java +new file mode 100644 +index 0000000..d8444b6 +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/RevokeRequest.java +@@ -0,0 +1,323 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import java.io.*; ++ ++/** ++ * CMC RevokeRequest. ++ * 
++ * RevokeRequest ::= SEQUENCE {
++ *      issuerName      Name,
++ *      serialNumber    INTEGER,
++ *      reason          CRLReason,
++ *      invalidityDate  GeneralizedTime OPTIONAL,
++ *      passphrase    OCTET STRING OPTIONAL,
++ *      comment         UTF8String OPTIONAL }
++ *
++ * ++ * For maintenance and conformance reasons, this code is brought over ++ * and mildly updated and renamed from cmmf/RevRequest during the process ++ * of CMC update to rfc 5272 ++ * @author Christina Fu (cfu) ++ */ ++public class RevokeRequest implements ASN1Value { ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Constants ++ /////////////////////////////////////////////////////////////////////// ++ ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED unspecified = new ENUMERATED(0); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED keyCompromise = new ENUMERATED(1); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED cACompromise = new ENUMERATED(2); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED affiliationChanged = new ENUMERATED(3); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED superseded = new ENUMERATED(4); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED cessationOfOperation = new ENUMERATED(5); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED certificateHold = new ENUMERATED(6); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED removeFromCRL = new ENUMERATED(8); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED privilegeWithdrawn = new ENUMERATED(9); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED aACompromise = new ENUMERATED(10); ++ ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Members and member access ++ /////////////////////////////////////////////////////////////////////// ++ private ANY issuerName; ++ private INTEGER serialNumber; ++ private ENUMERATED reason; ++ private GeneralizedTime invalidityDate; // may be null ++ private OCTET_STRING passphrase; // may be null ++ private UTF8String comment; // may be null ++ private SEQUENCE sequence; ++ ++ /** ++ * Returns the issuerName field as an ANY. ++ */ ++ public ANY getIssuerName() { ++ return issuerName; ++ } ++ ++ /** ++ * Returns the serialNumber field. ++ */ ++ public INTEGER getSerialNumber() { ++ return serialNumber; ++ } ++ ++ /** ++ * Returns the reason field, which should indicate the ++ * reason for the revocation. The currently supported reasons are: ++ * 
++     * CRLReason ::= ENUMERATED {
++     *      unspecified             (0),
++     *      keyCompromise           (1),
++     *      cACompromise            (2),
++     *      affiliationChanged      (3),
++     *      superseded              (4),
++     *      cessationOfOperation    (5),
++     *      certificateHold         (6),
++     *      removeFromCRL           (8),
++     *      privilegeWithdrawn      (9),
++     *      aACompromise            (10) }
++     *
++ * These are all defined as constants in this class. ++ */ ++ public ENUMERATED getReason() { ++ return reason; ++ } ++ ++ /** ++ * Returns the invalidityDate field. Returns null ++ * if the field is not present. ++ */ ++ public GeneralizedTime getInvalidityDate() { ++ return invalidityDate; ++ } ++ ++ /** ++ * Returns the passphrase field. Returns ++ * null if the field is not present. ++ */ ++ public OCTET_STRING getSharedSecret() { ++ return passphrase; ++ } ++ ++ /** ++ * Returns the comment field. Returns null ++ * if the field is not present. ++ */ ++ public UTF8String getComment() { ++ return comment; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Constructors ++ /////////////////////////////////////////////////////////////////////// ++ ++ private RevokeRequest() { } ++ ++ ++ /** ++ * Constructs a new RevokeRequest from its components, ++ * omitting the invalidityDate field. ++ * ++ * @deprecated This constructor is obsolete now that ++ * invalidityDate has been added to the class. ++ * ++ * @param issuerName The issuerName field. ++ * @param serialNumber The serialNumber field. ++ * @param reason The reason field. The constants defined ++ * in this class may be used. ++ * @param passphrase The passphrase field. This field is ++ * optional, so null may be used. ++ * @param comment The comment field. This field is optional, ++ * so null may be used. ++ */ ++ public RevokeRequest(ANY issuerName, INTEGER serialNumber, ++ ENUMERATED reason, OCTET_STRING passphrase, ++ UTF8String comment) ++ { ++ this(issuerName, serialNumber, reason, null, passphrase, comment); ++ } ++ ++ /** ++ * Constructs a new RevokeRequest from its components. ++ * ++ * @param issuerName The issuerName field. ++ * @param serialNumber The serialNumber field. ++ * @param reason The reason field. The constants defined ++ * in this class may be used. ++ * @param invalidityDate The suggested value for the Invalidity Date ++ * CRL extension. This field is optional, so null may be ++ * used. ++ * @param passphrase The passphrase field. This field is ++ * optional, so null may be used. ++ * @param comment The comment field. This field is optional, ++ * so null may be used. ++ */ ++ public RevokeRequest(ANY issuerName, INTEGER serialNumber, ++ ENUMERATED reason, GeneralizedTime invalidityDate, ++ OCTET_STRING passphrase, UTF8String comment) ++ { ++ if( issuerName==null || serialNumber==null || reason==null ) { ++ throw new IllegalArgumentException( ++ "parameter to RevokeRequest constructor is null"); ++ } ++ sequence = new SEQUENCE(); ++ ++ this.issuerName = issuerName; ++ sequence.addElement(issuerName); ++ ++ this.serialNumber = serialNumber; ++ sequence.addElement(serialNumber); ++ ++ this.reason = reason; ++ sequence.addElement(reason); ++ ++ this.invalidityDate = invalidityDate; ++ sequence.addElement(invalidityDate); ++ ++ this.passphrase = passphrase; ++ sequence.addElement(passphrase); ++ ++ this.comment = comment; ++ sequence.addElement(comment); ++ } ++ ++ ++ /////////////////////////////////////////////////////////////////////// ++ // encoding/decoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ private static final Tag TAG = SEQUENCE.TAG; ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ sequence.encode(ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException { ++ sequence.encode(implicitTag, ostream); ++ } ++ ++ ++ ++ /** ++ * A Template class for decoding a RevokeRequest. ++ */ ++ public static class Template implements ASN1Template { ++ ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ seqt.addElement(ANY.getTemplate()); ++ seqt.addElement(INTEGER.getTemplate()); ++ seqt.addElement(ENUMERATED.getTemplate()); ++ seqt.addOptionalElement(GeneralizedTime.getTemplate()); ++ seqt.addOptionalElement(OCTET_STRING.getTemplate()); ++ seqt.addOptionalElement(UTF8String.getTemplate()); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new RevokeRequest( (ANY) seq.elementAt(0), ++ (INTEGER) seq.elementAt(1), ++ (ENUMERATED) seq.elementAt(2), ++ (GeneralizedTime) seq.elementAt(3), ++ (OCTET_STRING) seq.elementAt(4), ++ (UTF8String) seq.elementAt(5) ); ++ ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/TaggedRequest.java b/org/mozilla/jss/pkix/cmc/TaggedRequest.java +index e616660..e71b57c 100644 +--- a/org/mozilla/jss/pkix/cmc/TaggedRequest.java ++++ b/org/mozilla/jss/pkix/cmc/TaggedRequest.java +@@ -15,6 +15,11 @@ import org.mozilla.jss.util.Assert; + * TaggedRequest ::= CHOICE { + * tcr [0] TaggedCertificationRequest, + * crm [1] CertReqMsg ++ * orm [2] SEQUENCE { ++ * bodyPartID BodyPartID, ++ * requestMessageType OBJECT IDENTIFIER, ++ * requestMessageValue ANY DEFINED BY requestMessageType ++ * } // added for rfc 5272; defined in OtherReqMsg + * } + * + */ +@@ -27,9 +32,11 @@ public class TaggedRequest implements ASN1Value { + + static Type PKCS10 = new Type(); + static Type CRMF = new Type(); ++ static Type OTHER = new Type(); + } + public static Type PKCS10 = Type.PKCS10; + public static Type CRMF = Type.CRMF; ++ public static Type OTHER = Type.OTHER; + + /////////////////////////////////////////////////////////////////////// + // members and member access +@@ -38,6 +45,7 @@ public class TaggedRequest implements ASN1Value { + private Type type; + private TaggedCertificationRequest tcr; // if type == PKCS10 + private CertReqMsg crm; // if type == CRMF ++ private OtherReqMsg orm; // if type == OTHER + + /////////////////////////////////////////////////////////////////////// + // Constructors +@@ -48,7 +56,7 @@ public class TaggedRequest implements ASN1Value { + + /** + * Constructs a TaggedRequest from its components. +- * ++ * kept for backward compatibility for now + * @param type The type of the request. + * @param tcr Tagged pkcs10 request. + * @param crm CRMF request. +@@ -59,6 +67,24 @@ public class TaggedRequest implements ASN1Value { + this.crm = crm; + } + ++ /** ++ * Constructs a TaggedRequest from its components. ++ * rfc 5272 ++ * @param type The type of the request. ++ * @param tcr Tagged pkcs10 request. ++ * @param crm CRMF request. ++ * @param orm OTHER request. ++ */ ++ public TaggedRequest(Type type, ++ TaggedCertificationRequest tcr, ++ CertReqMsg crm, ++ OtherReqMsg orm) { ++ this.type = type; ++ this.tcr = tcr; ++ this.crm = crm; ++ this.orm = orm; ++ } ++ + /////////////////////////////////////////////////////////////////////// + // accessors + /////////////////////////////////////////////////////////////////////// +@@ -67,6 +93,7 @@ public class TaggedRequest implements ASN1Value { + * Returns the type of TaggedRequest:
    + *
  • PKCS10 + *
  • CRMF ++ *
  • OTHER + *
+ */ + public Type getType() { +@@ -89,6 +116,14 @@ public class TaggedRequest implements ASN1Value { + return crm; + } + ++ /** ++ * If type == OTHER, returns the orm field. Otherwise, ++ * returns null. ++ */ ++ public OtherReqMsg getOrm() { ++ return orm; ++ } ++ + /////////////////////////////////////////////////////////////////////// + // DER decoding/encoding + /////////////////////////////////////////////////////////////////////// +@@ -96,9 +131,11 @@ public class TaggedRequest implements ASN1Value { + public Tag getTag() { + if( type == PKCS10 ) { + return Tag.get(0); +- } else { +- Assert._assert( type == CRMF ); ++ } else if( type == CRMF ){ + return Tag.get(1); ++ } else { ++ Assert._assert( type == OTHER ); ++ return Tag.get(2); + } + } + +@@ -109,12 +146,17 @@ public class TaggedRequest implements ASN1Value { + // a CHOICE must be explicitly tagged + //EXPLICIT e = new EXPLICIT( Tag.get(0), tcr ); + //e.encode(ostream); +- } else { +- Assert._assert( type == CRMF ); ++ } else if( type == CRMF ) { + crm.encode(Tag.get(1), ostream); + // a CHOICE must be explicitly tagged + //EXPLICIT e = new EXPLICIT( Tag.get(1), crm ); + //e.encode(ostream); ++ } else { ++ Assert._assert( type == OTHER ); ++ orm.encode(Tag.get(2), ostream); ++ // a CHOICE must be explicitly tagged ++ //EXPLICIT e = new EXPLICIT( Tag.get(2), orm ); ++ //e.encode(ostream); + } + } + +@@ -142,12 +184,16 @@ public class TaggedRequest implements ASN1Value { + + //EXPLICIT.Template et = new EXPLICIT.Template( + // Tag.get(0), TaggedCertificationRequest.getTemplate() ); +- //choicet.addElement( et ); ++ //choicet.addElement( et ); + choicet.addElement( Tag.get(0), TaggedCertificationRequest.getTemplate() ); + //et = new EXPLICIT.Template( + // Tag.get(1), CertReqMsg.getTemplate() ); +- //choicet.addElement( et ); ++ //choicet.addElement( et ); + choicet.addElement( Tag.get(1), CertReqMsg.getTemplate() ); ++ //et = new EXPLICIT.Template( ++ // Tag.get(2), CertReqMsg.getTemplate() ); ++ //choicet.addElement( et ); ++ choicet.addElement( Tag.get(2), OtherReqMsg.getTemplate() ); + } + + public boolean tagMatch(Tag tag) { +@@ -161,15 +207,21 @@ public class TaggedRequest implements ASN1Value { + if( c.getTag().equals(Tag.get(0)) ) { + //EXPLICIT e = (EXPLICIT) c.getValue(); + //return new TaggedRequest(PKCS10, +- // (TaggedCertificationRequest) +- // e.getContent(), null ); ++ // (TaggedCertificationRequest) ++ // e.getContent(), null ); + return new TaggedRequest(PKCS10, (TaggedCertificationRequest) c.getValue() , null); ++ } if( c.getTag().equals(Tag.get(1)) ) { ++ //EXPLICIT e = (EXPLICIT) c.getValue(); ++ //return new TaggedRequest(CRMF, ++ // (CertReqMsg) ++ // e.getContent(), null ); ++ return new TaggedRequest(CRMF, null, (CertReqMsg) c.getValue() , null); + } else { +- Assert._assert( c.getTag().equals(Tag.get(1)) ); ++ Assert._assert( c.getTag().equals(Tag.get(2)) ); + //EXPLICIT e = (EXPLICIT) c.getValue(); +- //return new TaggedRequest(CRMF, null, +- // (CertReqMsg) e.getContent() ); +- return new TaggedRequest(CRMF, null, (CertReqMsg) c.getValue()); ++ //return new TaggedRequest(OTHER, null, ++ // (CertReqMsg) e.getContent() ); ++ return new TaggedRequest(OTHER, null, null, (OtherReqMsg) c.getValue()); + } + } + +diff --git a/org/mozilla/jss/pkix/cmmf/RevRequest.java b/org/mozilla/jss/pkix/cmmf/RevRequest.java +index 3fd1342..578548b 100644 +--- a/org/mozilla/jss/pkix/cmmf/RevRequest.java ++++ b/org/mozilla/jss/pkix/cmmf/RevRequest.java +@@ -18,6 +18,9 @@ import java.io.*; + * sharedSecret OCTET STRING OPTIONAL, + * comment UTF8String OPTIONAL } + * ++ * For maintenance and conformance reasons, this code has been brought ++ * over and renamed to cmc/RevokeRequest during the CMC update to rfc 5272. ++ * All new code should use cmc/RevokeRequest instead + */ + public class RevRequest implements ASN1Value { + +diff --git a/org/mozilla/jss/pkix/crmf/CertRequest.java b/org/mozilla/jss/pkix/crmf/CertRequest.java +index ee0868c..90aab0d 100644 +--- a/org/mozilla/jss/pkix/crmf/CertRequest.java ++++ b/org/mozilla/jss/pkix/crmf/CertRequest.java +@@ -57,6 +57,13 @@ public class CertRequest implements ASN1Value { + } + + /** ++ * Returns the controls field. ++ */ ++ public SEQUENCE getControls() { ++ return controls; ++ } ++ ++ /** + * Returns the number of optional Controls in the cert request. + * The number may be zero. + */ +-- +2.9.3 + + +From 9462edf264ae6da5aad113b293af9f5345542caa Mon Sep 17 00:00:00 2001 +From: Elio Maldonado +Date: Mon, 27 Mar 2017 12:01:30 -0700 +Subject: [PATCH 11/11] Bug 1350130 - Missing + CryptoManager.verifyCertificateNowCUNative() implementation, r=edewata + +--- + org/mozilla/jss/PK11Finder.c | 87 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 87 insertions(+) + +diff --git a/org/mozilla/jss/PK11Finder.c b/org/mozilla/jss/PK11Finder.c +index a488c4f..9e234e6 100644 +--- a/org/mozilla/jss/PK11Finder.c ++++ b/org/mozilla/jss/PK11Finder.c +@@ -1554,6 +1554,68 @@ finish: + } + + /*********************************************************************** ++ * CryptoManager.verifyCertificateNow ++ * ++ * Called by java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative ++ */ ++SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString, ++ jboolean checkSig, jint required_certificateUsage, ++ SECCertificateUsage *currUsage) ++{ ++ SECStatus rv = SECFailure; ++ SECCertificateUsage certificateUsage; ++ CERTCertificate *cert=NULL; ++ char *nickname=NULL; ++ ++ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL); ++ if( nickname == NULL ) { ++ goto finish; ++ } ++ ++ certificateUsage = required_certificateUsage; ++ ++ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); ++ ++ if (cert == NULL) { ++ JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); ++ goto finish; ++ } else { ++ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will ++ * retrieve the current valid usage into currUsage ++ */ ++ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, ++ checkSig, certificateUsage, NULL, currUsage ); ++ if ((rv == SECSuccess) && certificateUsage == 0x0000) { ++ if (*currUsage == ++ ( certUsageUserCertImport | ++ certUsageVerifyCA | ++ certUsageProtectedObjectSigner | ++ certUsageAnyCA )) { ++ ++ /* the cert is good for nothing ++ The folllowing usages cannot be verified: ++ certUsageAnyCA ++ certUsageProtectedObjectSigner ++ certUsageUserCertImport ++ certUsageVerifyCA ++ (0x0b80) */ ++ rv =SECFailure; ++ } ++ } ++ } ++ ++finish: ++ if(nickname != NULL) { ++ (*env)->ReleaseStringUTFChars(env, nickString, nickname); ++ } ++ if(cert != NULL) { ++ CERT_DestroyCertificate(cert); ++ } ++ ++ return rv; ++} ++ ++/*********************************************************************** + * CryptoManager.verifyCertificateNowNative + * + * Returns JNI_TRUE if success, JNI_FALSE otherwise +@@ -1604,6 +1666,31 @@ finish: + } + + /*********************************************************************** ++ * CryptoManager.verifyCertificateNowCUNative ++ * ++ * Returns jint which contains bits in SECCertificateUsage that reflects ++ * the cert usage(s) that the cert is good for ++ * if the cert is good for nothing, returned value is ++ * (0x0b80): ++ * certUsageUserCertImport | ++ * certUsageVerifyCA | ++ * certUsageProtectedObjectSigner | ++ * certUsageAnyCA ++ */ ++JNIEXPORT jint JNICALL ++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env, ++ jobject self, jstring nickString, jboolean checkSig) ++{ ++ SECStatus VARIABLE_MAY_NOT_BE_USED rv = SECFailure; ++ SECCertificateUsage currUsage = 0x0000; ++ ++ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage); ++ /* rv is ignored */ ++ ++ return currUsage; ++} ++ ++/*********************************************************************** + * CryptoManager.verifyCertificateNowNative2 + * + * Verify a certificate that exists in the given cert database, +-- +2.9.3 + diff --git a/SOURCES/jss-rhel-7-4-beta.patch b/SOURCES/jss-rhel-7-4-beta.patch new file mode 100644 index 0000000..5bfe995 --- /dev/null +++ b/SOURCES/jss-rhel-7-4-beta.patch @@ -0,0 +1,844 @@ +# HG changeset patch +# User Fraser Tweedale +# Date 1493324725 25200 +# Thu Apr 27 13:25:25 2017 -0700 +# Node ID c8885dd6787639d74a1c9d634fd289ff17fa6f02 +# Parent b2306481f30dcc8c0c060520805d405dd2546d14 +Bug 1355358 - CryptoStore: add methods for importing and exporting EncryptedPrivateKeyInfo, r=cfu + +diff --git a/lib/jss.def b/lib/jss.def +--- a/lib/jss.def ++++ b/lib/jss.def +@@ -324,3 +324,9 @@ + ;+ local: + ;+ *; + ;+}; ++;+JSS_4.4.1 { # JSS 4.4.1 release ++;+ global: ++Java_org_mozilla_jss_pkcs11_PK11Store_importEncryptedPrivateKeyInfo; ++;+ local: ++;+ *; ++;+}; +diff --git a/org/mozilla/jss/crypto/Algorithm.c b/org/mozilla/jss/crypto/Algorithm.c +--- a/org/mozilla/jss/crypto/Algorithm.c ++++ b/org/mozilla/jss/crypto/Algorithm.c +@@ -86,7 +86,13 @@ + /* 55 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG}, + /* 56 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG}, + /* 57 */ {CKM_NSS_AES_KEY_WRAP, PK11_MECH}, +-/* 58 */ {CKM_NSS_AES_KEY_WRAP_PAD, PK11_MECH} ++/* 58 */ {CKM_NSS_AES_KEY_WRAP_PAD, PK11_MECH}, ++/* 59 */ {SEC_OID_AES_128_ECB, SEC_OID_TAG}, ++/* 60 */ {SEC_OID_AES_128_CBC, SEC_OID_TAG}, ++/* 61 */ {SEC_OID_AES_192_ECB, SEC_OID_TAG}, ++/* 62 */ {SEC_OID_AES_192_CBC, SEC_OID_TAG}, ++/* 63 */ {SEC_OID_AES_256_ECB, SEC_OID_TAG}, ++/* 64 */ {SEC_OID_AES_256_CBC, SEC_OID_TAG} + /* REMEMBER TO UPDATE NUM_ALGS!!! */ + }; + +diff --git a/org/mozilla/jss/crypto/Algorithm.h b/org/mozilla/jss/crypto/Algorithm.h +--- a/org/mozilla/jss/crypto/Algorithm.h ++++ b/org/mozilla/jss/crypto/Algorithm.h +@@ -24,7 +24,7 @@ + JSS_AlgType type; + } JSS_AlgInfo; + +-#define NUM_ALGS 59 ++#define NUM_ALGS 65 + + extern JSS_AlgInfo JSS_AlgTable[]; + extern CK_ULONG JSS_symkeyUsage[]; +diff --git a/org/mozilla/jss/crypto/Algorithm.java b/org/mozilla/jss/crypto/Algorithm.java +--- a/org/mozilla/jss/crypto/Algorithm.java ++++ b/org/mozilla/jss/crypto/Algorithm.java +@@ -212,4 +212,12 @@ + protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=56; + protected static final short CKM_NSS_AES_KEY_WRAP=57; + protected static final short CKM_NSS_AES_KEY_WRAP_PAD=58; ++ ++ // AES Encryption Algorithms ++ protected static final short SEC_OID_AES_128_ECB = 59; ++ protected static final short SEC_OID_AES_128_CBC = 60; ++ protected static final short SEC_OID_AES_192_ECB = 61; ++ protected static final short SEC_OID_AES_192_CBC = 62; ++ protected static final short SEC_OID_AES_256_ECB = 63; ++ protected static final short SEC_OID_AES_256_CBC = 64; + } +diff --git a/org/mozilla/jss/crypto/CryptoStore.java b/org/mozilla/jss/crypto/CryptoStore.java +--- a/org/mozilla/jss/crypto/CryptoStore.java ++++ b/org/mozilla/jss/crypto/CryptoStore.java +@@ -4,6 +4,7 @@ + + package org.mozilla.jss.crypto; + ++import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.util.*; + import java.security.*; + import java.security.cert.CertificateEncodingException; +@@ -68,9 +69,50 @@ + public void deletePrivateKey(org.mozilla.jss.crypto.PrivateKey key) + throws NoSuchItemOnTokenException, TokenException; + ++ /** ++ * Get an encrypted private key for the given cert. ++ * ++ * @param cert Certificate of key to be exported ++ * @param pbeAlg The PBEAlgorithm to use ++ * @param pw The password to encrypt with ++ * @param iteration Iteration count; default of 2000 if le 0 ++ */ ++ public byte[] getEncryptedPrivateKeyInfo(X509Certificate cert, ++ PBEAlgorithm pbeAlg, Password pw, int iteration) ++ throws CryptoManager.NotInitializedException, ++ ObjectNotFoundException, TokenException; + +- public byte[] getEncryptedPrivateKeyInfo(X509Certificate cert, +- PBEAlgorithm pbeAlg, Password pw, int iteration); ++ /** ++ * Get an encrypted private key, with optional password ++ * conversion. ++ * ++ * @param conv Password converter. If null, pw.getByteCopy() ++ * will be used to get password bytes. ++ * @param pw The password ++ * @param alg The encryption algorithm ++ * @param n Iteration count; default of 2000 if le 0 ++ * @param k The private key ++ */ ++ public byte[] getEncryptedPrivateKeyInfo( ++ KeyGenerator.CharToByteConverter conv, ++ Password pw, ++ Algorithm alg, ++ int n, ++ PrivateKey k); ++ ++ /** ++ * @param conv Password converter. If null, pw.getByteCopy() ++ * will be used to get password bytes. ++ * @param pw The password ++ * @param nickname Nickname to use for private key ++ * @param pubKey Public key corresponding to private key ++ */ ++ public void importEncryptedPrivateKeyInfo( ++ KeyGenerator.CharToByteConverter conv, ++ Password pw, ++ String nickname, ++ PublicKey pubKey, ++ byte[] epkiBytes); + + //////////////////////////////////////////////////////////// + // Certs +diff --git a/org/mozilla/jss/crypto/EncryptionAlgorithm.java b/org/mozilla/jss/crypto/EncryptionAlgorithm.java +--- a/org/mozilla/jss/crypto/EncryptionAlgorithm.java ++++ b/org/mozilla/jss/crypto/EncryptionAlgorithm.java +@@ -347,12 +347,14 @@ + { 2, 16, 840, 1, 101, 3, 4, 1 } ); + + public static final EncryptionAlgorithm +- AES_128_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB, ++ AES_128_ECB = new EncryptionAlgorithm(SEC_OID_AES_128_ECB, ++ Alg.AES, Mode.ECB, + Padding.NONE, (Class)null, 16, + AES_ROOT_OID.subBranch(1), 128); + + public static final EncryptionAlgorithm +- AES_128_CBC = new EncryptionAlgorithm(CKM_AES_CBC, Alg.AES, Mode.CBC, ++ AES_128_CBC = new EncryptionAlgorithm(SEC_OID_AES_128_CBC, ++ Alg.AES, Mode.CBC, + Padding.NONE, IVParameterSpecClasses, 16, + AES_ROOT_OID.subBranch(2), 128); + +@@ -361,11 +363,13 @@ + Padding.PKCS5, IVParameterSpecClasses, 16, null, 128); // no oid + + public static final EncryptionAlgorithm +- AES_192_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB, ++ AES_192_ECB = new EncryptionAlgorithm(SEC_OID_AES_192_ECB, ++ Alg.AES, Mode.ECB, + Padding.NONE, (Class)null, 16, AES_ROOT_OID.subBranch(21), 192); + + public static final EncryptionAlgorithm +- AES_192_CBC = new EncryptionAlgorithm(CKM_AES_CBC, Alg.AES, Mode.CBC, ++ AES_192_CBC = new EncryptionAlgorithm(SEC_OID_AES_192_CBC, ++ Alg.AES, Mode.CBC, + Padding.NONE, IVParameterSpecClasses, 16, + AES_ROOT_OID.subBranch(22), 192); + +@@ -374,11 +378,13 @@ + Padding.PKCS5, IVParameterSpecClasses, 16, null, 192); // no oid + + public static final EncryptionAlgorithm +- AES_256_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB, ++ AES_256_ECB = new EncryptionAlgorithm(SEC_OID_AES_256_ECB, ++ Alg.AES, Mode.ECB, + Padding.NONE, (Class)null, 16, AES_ROOT_OID.subBranch(41), 256); + + public static final EncryptionAlgorithm +- AES_256_CBC = new EncryptionAlgorithm(CKM_AES_CBC, Alg.AES, Mode.CBC, ++ AES_256_CBC = new EncryptionAlgorithm(SEC_OID_AES_256_CBC, ++ Alg.AES, Mode.CBC, + Padding.NONE, IVParameterSpecClasses, 16, + AES_ROOT_OID.subBranch(42), 256); + +diff --git a/org/mozilla/jss/pkcs11/PK11Store.c b/org/mozilla/jss/pkcs11/PK11Store.c +--- a/org/mozilla/jss/pkcs11/PK11Store.c ++++ b/org/mozilla/jss/pkcs11/PK11Store.c +@@ -31,6 +31,8 @@ + char *data; + } secuPWData; + ++SECItem *preparePassword(JNIEnv *env, jobject conv, jobject pwObj); ++ + /********************************************************************** + * PK11Store.putSymKeysInVector + */ +@@ -533,103 +535,293 @@ + + + JNIEXPORT jbyteArray JNICALL +-Java_org_mozilla_jss_pkcs11_PK11Store_getEncryptedPrivateKeyInfo +-(JNIEnv *env, jobject this, jobject certObj, jobject algObj, +- jobject pwObj, jint iteration) ++Java_org_mozilla_jss_pkcs11_PK11Store_getEncryptedPrivateKeyInfo( ++ JNIEnv *env, ++ jobject this, ++ jobject conv, ++ jobject pwObj, ++ jobject algObj, ++ jint iterations, ++ jobject key) ++{ ++ // initialisations so we can goto finish ++ SECItem *pwItem = NULL; ++ SECKEYEncryptedPrivateKeyInfo *epki = NULL; ++ SECItem epkiItem; ++ epkiItem.data = NULL; ++ epkiItem.len = 0; + +-{ +- SECKEYEncryptedPrivateKeyInfo *epki = NULL; +- jbyteArray encodedEpki = NULL; ++ PR_ASSERT(env != NULL && this != NULL); ++ ++ if (pwObj == NULL || algObj == NULL || key == NULL) { ++ JSS_throw(env, NULL_POINTER_EXCEPTION); ++ goto finish; ++ } ++ ++ if (iterations <= 0) { ++ iterations = 2000; // set default iterations ++ } ++ ++ // get slot + PK11SlotInfo *slot = NULL; +- SECOidTag algTag; +- jclass passwordClass = NULL; +- jmethodID getByteCopyMethod = NULL; +- jbyteArray pwArray = NULL; +- jbyte* pwchars = NULL; +- SECItem pwItem; +- CERTCertificate *cert = NULL; +- SECItem epkiItem; +- +- epkiItem.data = NULL; +- +- /* get slot */ + if( JSS_PK11_getStoreSlotPtr(env, this, &slot) != PR_SUCCESS) { + ASSERT_OUTOFMEM(env); + goto finish; + } + PR_ASSERT(slot!=NULL); +- +- /* get algorithm */ +- algTag = JSS_getOidTagFromAlg(env, algObj); +- if( algTag == SEC_OID_UNKNOWN ) { +- JSS_throwMsg(env, NO_SUCH_ALG_EXCEPTION, "Unrecognized PBE algorithm"); ++ ++ // get algorithm ++ SECOidTag algTag = JSS_getOidTagFromAlg(env, algObj); ++ if (algTag == SEC_OID_UNKNOWN) { ++ JSS_throwMsg(env, NO_SUCH_ALG_EXCEPTION, "Unrecognized algorithm"); + goto finish; + } + +- /* +- * get password +- */ +- passwordClass = (*env)->GetObjectClass(env, pwObj); +- if(passwordClass == NULL) { +- ASSERT_OUTOFMEM(env); +- goto finish; +- } +- getByteCopyMethod = (*env)->GetMethodID( +- env, +- passwordClass, +- PW_GET_BYTE_COPY_NAME, +- PW_GET_BYTE_COPY_SIG); +- if(getByteCopyMethod==NULL) { ++ pwItem = preparePassword(env, conv, pwObj); ++ if (pwItem == NULL) { + ASSERT_OUTOFMEM(env); + goto finish; + } +- pwArray = (*env)->CallObjectMethod( env, pwObj, getByteCopyMethod); +- pwchars = (*env)->GetByteArrayElements(env, pwArray, NULL); +- /* !!! Include the NULL byte or not? */ +- pwItem.data = (unsigned char*) pwchars; +- pwItem.len = strlen((const char*)pwchars) + 1; + +- /* +- * get cert +- */ +- if( JSS_PK11_getCertPtr(env, certObj, &cert) != PR_SUCCESS ) { +- /* exception was thrown */ ++ // get key ++ SECKEYPrivateKey *privk; ++ if (JSS_PK11_getPrivKeyPtr(env, key, &privk) != PR_SUCCESS) { ++ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL); + goto finish; + } + +- /* +- * export the epki +- */ +- epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algTag, &pwItem, +- cert, iteration, NULL /*wincx*/); +- ++ // export the epki ++ epki = PK11_ExportEncryptedPrivKeyInfo( ++ slot, algTag, pwItem, privk, iterations, NULL /*wincx*/); + +- /* +- * DER-encode the epki +- */ +- epkiItem.data = NULL; +- epkiItem.len = 0; +- if( SEC_ASN1EncodeItem(NULL, &epkiItem, epki, +- SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate) ) == NULL ) { +- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to ASN1-encode " +- "EncryptedPrivateKeyInfo"); ++ // DER-encode the epki ++ if (SEC_ASN1EncodeItem(NULL, &epkiItem, epki, ++ SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate)) == NULL) { ++ JSS_throwMsg( ++ env, TOKEN_EXCEPTION, ++ "Failed to ASN1-encode EncryptedPrivateKeyInfo"); + goto finish; + } + +- /* +- * convert to Java byte array +- */ +- encodedEpki = JSS_SECItemToByteArray(env, &epkiItem); ++ // convert to Java byte array ++ jbyteArray encodedEpki = JSS_SECItemToByteArray(env, &epkiItem); + + finish: +- if( epki != NULL ) { ++ if (epki != NULL) { + SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE /*freeit*/); + } +- if( pwchars != NULL ) { +- (*env)->ReleaseByteArrayElements(env, pwArray, pwchars, JNI_ABORT); ++ if (epkiItem.data != NULL) { ++ SECITEM_FreeItem(&epkiItem, PR_FALSE /*freeit*/); + } +- if(epkiItem.data != NULL) { +- PR_Free(epkiItem.data); ++ if (pwItem != NULL) { ++ SECITEM_FreeItem(pwItem, PR_TRUE /*freeit*/); + } + return encodedEpki; + } ++ ++ ++JNIEXPORT void JNICALL ++Java_org_mozilla_jss_pkcs11_PK11Store_importEncryptedPrivateKeyInfo( ++ JNIEnv *env, ++ jobject this, ++ jobject conv, ++ jobject pwObj, ++ jstring nickname, ++ jobject pubKeyObj, ++ jbyteArray epkiBytes) ++{ ++ // initialisations so we can goto finish ++ SECItem *epkiItem = NULL; ++ SECKEYEncryptedPrivateKeyInfo *epki = NULL; ++ SECItem *pwItem = NULL; ++ SECItem *spkiItem = NULL; ++ CERTSubjectPublicKeyInfo *spki = NULL; ++ SECKEYPublicKey *pubKey = NULL; ++ const char *nicknameChars = NULL; ++ ++ PR_ASSERT(env != NULL && this != NULL); ++ ++ if (pwObj == NULL || nickname == NULL || pubKeyObj == NULL) { ++ JSS_throw(env, NULL_POINTER_EXCEPTION); ++ goto finish; ++ } ++ ++ // get slot ++ PK11SlotInfo *slot = NULL; ++ if (JSS_PK11_getStoreSlotPtr(env, this, &slot) != PR_SUCCESS) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ PR_ASSERT(slot != NULL); ++ ++ // decode EncryptedPrivateKeyInfo ++ epkiItem = JSS_ByteArrayToSECItem(env, epkiBytes); ++ epki = PR_Calloc(1, sizeof(SECKEYEncryptedPrivateKeyInfo)); ++ if (SEC_ASN1DecodeItem( ++ NULL, ++ epki, ++ SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate), ++ epkiItem ++ ) != SECSuccess) { ++ JSS_throwMsg(env, INVALID_DER_EXCEPTION, ++ "Failed to decode EncryptedPrivateKeyInfo"); ++ goto finish; ++ } ++ ++ pwItem = preparePassword(env, conv, pwObj); ++ if (pwItem == NULL) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ ++ // get public key value ++ jclass pubKeyClass = (*env)->GetObjectClass(env, pubKeyObj); ++ if (pubKeyClass == NULL) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ jmethodID getEncoded = (*env)->GetMethodID( ++ env, pubKeyClass, "getEncoded", "()[B"); ++ if (getEncoded == NULL) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ jbyteArray spkiBytes = (*env)->CallObjectMethod( ++ env, pubKeyObj, getEncoded); ++ spkiItem = JSS_ByteArrayToSECItem(env, spkiBytes); ++ spki = PR_Calloc(1, sizeof(CERTSubjectPublicKeyInfo)); ++ if (SEC_ASN1DecodeItem( ++ NULL, ++ spki, ++ SEC_ASN1_GET(CERT_SubjectPublicKeyInfoTemplate), ++ spkiItem ++ ) != SECSuccess) { ++ JSS_throwMsg(env, INVALID_DER_EXCEPTION, ++ "Failed to decode SubjectPublicKeyInfo"); ++ goto finish; ++ } ++ ++ pubKey = SECKEY_ExtractPublicKey(spki); ++ if (pubKey == NULL) { ++ JSS_throwMsgPrErr(env, INVALID_DER_EXCEPTION, ++ "Failed to extract public key from SubjectPublicKeyInfo"); ++ goto finish; ++ } ++ ++ SECItem *pubValue; ++ switch (pubKey->keyType) { ++ case dsaKey: ++ pubValue = &pubKey->u.dsa.publicValue; ++ break; ++ case dhKey: ++ pubValue = &pubKey->u.dh.publicValue; ++ break; ++ case rsaKey: ++ pubValue = &pubKey->u.rsa.modulus; ++ break; ++ case ecKey: ++ pubValue = &pubKey->u.ec.publicValue; ++ break; ++ default: ++ pubValue = NULL; ++ } ++ ++ // prepare nickname ++ nicknameChars = (*env)->GetStringUTFChars(env, nickname, NULL); ++ if (nicknameChars == NULL) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ SECItem nickItem; ++ nickItem.data = nicknameChars; ++ nickItem.len = (*env)->GetStringUTFLength(env, nickname); ++ ++ // if keyUsage = 0, defaults to signing and encryption/key agreement. ++ // see pk11akey.c in NSS ++ int keyUsage = 0; ++ ++ // perform import ++ SECStatus result = PK11_ImportEncryptedPrivateKeyInfo( ++ slot, epki, pwItem, &nickItem, pubValue, ++ PR_TRUE /* isperm */, PR_TRUE /* isprivate */, ++ pubKey->keyType, keyUsage, NULL /* wincx */); ++ if (result != SECSuccess) { ++ JSS_throwMsg( ++ env, TOKEN_EXCEPTION, ++ "Failed to import EncryptedPrivateKeyInfo to token"); ++ goto finish; ++ } ++ ++finish: ++ if (epkiItem != NULL) { ++ SECITEM_FreeItem(epkiItem, PR_TRUE /*freeit*/); ++ } ++ if (epki != NULL) { ++ SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE /*freeit*/); ++ } ++ if (spkiItem != NULL) { ++ SECITEM_FreeItem(spkiItem, PR_TRUE /*freeit*/); ++ } ++ if (spki != NULL) { ++ SECKEY_DestroySubjectPublicKeyInfo(spki); ++ } ++ if (pwItem != NULL) { ++ SECITEM_FreeItem(pwItem, PR_TRUE /*freeit*/); ++ } ++ if (pubKey != NULL) { ++ SECKEY_DestroyPublicKey(pubKey); ++ } ++ if (nicknameChars != NULL) { ++ (*env)->ReleaseStringUTFChars(env, nickname, nicknameChars); ++ } ++} ++ ++/* Process the given password through the given PasswordConverter, ++ * returning a new SECItem* on success. ++ * ++ * After use, the caller should free the SECItem: ++ * ++ * SECITEM_FreeItem(pwItem, PR_TRUE). ++ */ ++SECItem *preparePassword(JNIEnv *env, jobject conv, jobject pwObj) { ++ jclass passwordClass = (*env)->GetObjectClass(env, pwObj); ++ if (passwordClass == NULL) { ++ ASSERT_OUTOFMEM(env); ++ return NULL; ++ } ++ ++ jbyteArray pwBytes; ++ ++ if (conv == NULL) { ++ jmethodID getByteCopy = (*env)->GetMethodID( ++ env, passwordClass, PW_GET_BYTE_COPY_NAME, PW_GET_BYTE_COPY_SIG); ++ if (getByteCopy == NULL) { ++ ASSERT_OUTOFMEM(env); ++ return NULL; ++ } ++ pwBytes = (*env)->CallObjectMethod(env, pwObj, getByteCopy); ++ } else { ++ jmethodID getChars = (*env)->GetMethodID( ++ env, passwordClass, "getChars", "()[C"); ++ if (getChars == NULL) { ++ ASSERT_OUTOFMEM(env); ++ return NULL; ++ } ++ jcharArray pwChars = (*env)->CallObjectMethod(env, pwObj, getChars); ++ ++ jclass convClass = (*env)->GetObjectClass(env, conv); ++ if (conv == NULL) { ++ ASSERT_OUTOFMEM(env); ++ return NULL; ++ } ++ jmethodID convert = (*env)->GetMethodID( ++ env, convClass, "convert", "([C)[B"); ++ if (convert == NULL) { ++ ASSERT_OUTOFMEM(env); ++ return NULL; ++ } ++ pwBytes = (*env)->CallObjectMethod(env, conv, convert, pwChars); ++ } ++ ++ return JSS_ByteArrayToSECItem(env, pwBytes); ++} +diff --git a/org/mozilla/jss/pkcs11/PK11Store.java b/org/mozilla/jss/pkcs11/PK11Store.java +--- a/org/mozilla/jss/pkcs11/PK11Store.java ++++ b/org/mozilla/jss/pkcs11/PK11Store.java +@@ -4,8 +4,10 @@ + + package org.mozilla.jss.pkcs11; + ++import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.crypto.*; + import org.mozilla.jss.util.*; ++import java.security.PublicKey; + import java.security.cert.CertificateEncodingException; + import java.util.Vector; + +@@ -53,8 +55,35 @@ + public native void deletePrivateKey(PrivateKey key) + throws NoSuchItemOnTokenException, TokenException; + +- public native byte[] getEncryptedPrivateKeyInfo(X509Certificate cert, +- PBEAlgorithm pbeAlg, Password pw, int iteration); ++ public byte[] getEncryptedPrivateKeyInfo( ++ X509Certificate cert, ++ PBEAlgorithm pbeAlg, ++ Password pw, ++ int iteration) ++ throws CryptoManager.NotInitializedException, ++ ObjectNotFoundException, TokenException { ++ return getEncryptedPrivateKeyInfo( ++ null, ++ pw, ++ pbeAlg, ++ iteration, ++ CryptoManager.getInstance().findPrivKeyByCert(cert) ++ ); ++ } ++ ++ public native byte[] getEncryptedPrivateKeyInfo( ++ KeyGenerator.CharToByteConverter conv, ++ Password pw, ++ Algorithm alg, ++ int n, ++ PrivateKey k); ++ ++ public native void importEncryptedPrivateKeyInfo( ++ KeyGenerator.CharToByteConverter conv, ++ Password pw, ++ String nickname, ++ PublicKey pubKey, ++ byte[] epkiBytes); + + //////////////////////////////////////////////////////////// + // Certs +diff --git a/org/mozilla/jss/util/jss_exceptions.h b/org/mozilla/jss/util/jss_exceptions.h +--- a/org/mozilla/jss/util/jss_exceptions.h ++++ b/org/mozilla/jss/util/jss_exceptions.h +@@ -47,6 +47,8 @@ + + #define INTERRUPTED_IO_EXCEPTION "java/io/InterruptedIOException" + ++#define INVALID_DER_EXCEPTION "org/mozilla/jss/crypto/InvalidDERException" ++ + #define INVALID_NICKNAME_EXCEPTION "org/mozilla/jss/util/InvalidNicknameException" + + #define INVALID_KEY_FORMAT_EXCEPTION "org/mozilla/jss/crypto/InvalidKeyFormatException" +# HG changeset patch +# User Fraser Tweedale +# Date 1493335326 25200 +# Thu Apr 27 16:22:06 2017 -0700 +# Node ID ead2ea094c98ddc708169c3de411ca8d8883cab8 +# Parent c8885dd6787639d74a1c9d634fd289ff17fa6f02 +Bug 1359731 - CryptoStore.importPrivateKey enhancements, r=cfu + +- Enhance CryptoStore.importPrivateKey to support temporary import, and +- returning the private key to the caller. +- Also remove some validation of the unused keyType argument. + +diff --git a/org/mozilla/jss/crypto/CryptoStore.java b/org/mozilla/jss/crypto/CryptoStore.java +--- a/org/mozilla/jss/crypto/CryptoStore.java ++++ b/org/mozilla/jss/crypto/CryptoStore.java +@@ -21,17 +21,30 @@ + //////////////////////////////////////////////////////////// + + /** +- * Imports a raw private key into this token. ++ * Imports a raw private key into this token (permanently). + * + * @param key The private key. + * @exception TokenException If the key cannot be imported to this token. + * @exception KeyAlreadyImportedException If the key already exists on this token. + */ +- public void ++ public PrivateKey + importPrivateKey( byte[] key, + PrivateKey.Type type ) + throws TokenException, KeyAlreadyImportedException; + ++ /** ++ * Imports a raw private key into this token. ++ * ++ * @param key The private key. ++ * @param temporary Whether the key should be temporary. ++ * @exception TokenException If the key cannot be imported to this token. ++ * @exception KeyAlreadyImportedException If the key already exists on this token. ++ */ ++ public PrivateKey ++ importPrivateKey( byte[] key, ++ PrivateKey.Type type, boolean temporary) ++ throws TokenException, KeyAlreadyImportedException; ++ + + /** + * Returns all private keys stored on this token. +diff --git a/org/mozilla/jss/pkcs11/PK11Store.c b/org/mozilla/jss/pkcs11/PK11Store.c +--- a/org/mozilla/jss/pkcs11/PK11Store.c ++++ b/org/mozilla/jss/pkcs11/PK11Store.c +@@ -429,22 +429,22 @@ + int PK11_NumberObjectsFor(PK11SlotInfo*, CK_ATTRIBUTE*, int); + + /*********************************************************************** +- * importPrivateKey ++ * PK11Store.importdPrivateKey + */ +-static void +-importPrivateKey ++JNIEXPORT jobject JNICALL ++Java_org_mozilla_jss_pkcs11_PK11Store_importPrivateKey + ( JNIEnv *env, + jobject this, + jbyteArray keyArray, + jobject keyTypeObj, +- PRBool temporary ) ++ jboolean temporary ) + { + SECItem derPK; + PK11SlotInfo *slot; + jthrowable excep; +- KeyType keyType; + SECStatus status; + SECItem nickname; ++ jobject privkObj = NULL; + + /* + * initialize so we can goto finish +@@ -452,13 +452,6 @@ + derPK.data = NULL; + derPK.len = 0; + +- +- keyType = JSS_PK11_getKeyType(env, keyTypeObj); +- if( keyType == nullKey ) { +- /* exception was thrown */ +- goto finish; +- } +- + PR_ASSERT(env!=NULL && this!=NULL); + + if(keyArray == NULL) { +@@ -492,14 +485,22 @@ + nickname.len = 0; + nickname.data = NULL; + +- status = PK11_ImportDERPrivateKeyInfo(slot, &derPK, &nickname, +- NULL /*public value*/, PR_TRUE /*isPerm*/, +- PR_TRUE /*isPrivate*/, 0 /*keyUsage*/, NULL /*wincx*/); ++ SECKEYPrivateKey *privk = NULL; ++ status = PK11_ImportDERPrivateKeyInfoAndReturnKey( ++ slot, &derPK, &nickname, ++ NULL /*public value*/, !temporary /*isPerm*/, ++ PR_TRUE /*isPrivate*/, 0 /*keyUsage*/, ++ &privk, NULL /*wincx*/); + if(status != SECSuccess) { + JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to import private key info"); + goto finish; + } + ++ privkObj = JSS_PK11_wrapPrivKey(env, &privk); ++ if (privkObj == NULL) { ++ goto finish; ++ } ++ + finish: + /* Save any exceptions */ + if( (excep=(*env)->ExceptionOccurred(env)) ) { +@@ -515,24 +516,11 @@ + if( excep ) { + (*env)->Throw(env, excep); + } ++ return privkObj; + } + + extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[]; + +-/*********************************************************************** +- * PK11Store.importdPrivateKey +- */ +-JNIEXPORT void JNICALL +-Java_org_mozilla_jss_pkcs11_PK11Store_importPrivateKey +- ( JNIEnv *env, +- jobject this, +- jbyteArray keyArray, +- jobject keyTypeObj ) +-{ +- importPrivateKey(env, this, keyArray, +- keyTypeObj, PR_FALSE /* not temporary */); +-} +- + + JNIEXPORT jbyteArray JNICALL + Java_org_mozilla_jss_pkcs11_PK11Store_getEncryptedPrivateKeyInfo( +diff --git a/org/mozilla/jss/pkcs11/PK11Store.java b/org/mozilla/jss/pkcs11/PK11Store.java +--- a/org/mozilla/jss/pkcs11/PK11Store.java ++++ b/org/mozilla/jss/pkcs11/PK11Store.java +@@ -23,9 +23,15 @@ + * @exception TokenException If the key cannot be imported to this token. + * @exception KeyAlreadyImportedException If the key already on this token. + */ +- public native void +- importPrivateKey( byte[] key, +- PrivateKey.Type type ) ++ public PrivateKey ++ importPrivateKey(byte[] key, PrivateKey.Type type) ++ throws TokenException,KeyAlreadyImportedException { ++ return importPrivateKey(key, type, false); ++ } ++ ++ public native PrivateKey ++ importPrivateKey( ++ byte[] key, PrivateKey.Type type, boolean temporary) + throws TokenException,KeyAlreadyImportedException; + + public synchronized PrivateKey[] +# HG changeset patch +# User Matthew Harmsen +# Date 1493389838 25200 +# Fri Apr 28 07:30:38 2017 -0700 +# Node ID 4ee5af07d6d8fd7efe60d130d3e7593f6e12e642 +# Parent ead2ea094c98ddc708169c3de411ca8d8883cab8 +Bug 1352476 - RFE: Document on the README how to create a release tag, r=emaldona + +diff --git a/README b/README +--- a/README ++++ b/README +@@ -158,7 +158,40 @@ + be necessary. + + +-(7) Known Issues ++(7) Tagging the Source Code for a Release ++ ++ During development, several releases may be made. Consequently, it is ++ good practice to create a "regular tag" to the source code at these ++ various points in time using the following format: ++ ++ # hg tag -m "message" JSS___YYYYMMDD ++ ++ where: = JSS Major Version Number ++ = JSS Minor Version Number ++ YYYY = 4-digit year (e. g. - 2017) ++ MM = 2-digit month (e. g. - 01, ..., 12) ++ DD = 2-digit day of the month (e. g. - 01, ..., 31) ++ ++ For example: ++ ++ # hg id ++ b3e864205ff0+ tip ++ ++ # hg tag -m "Added tag JSS_4_4_20170328 for changeset b3e864205ff0" JSS_4_4_20170328 ++ ++ At the appropriate time, a new major.minor version may be created. At this ++ time, it is important to create a maintenance branch for any future changes ++ to the previous major.minor version: ++ ++ For example: ++ ++ # hg id ++ f00f00f00f00+ tip ++ ++ # hg branch -m "Created branch JSS_4_4_BRANCH for changeset f00f00f00f00" JSS_4_4_BRANCH ++ ++ ++(8) Known Issues + + * Mozilla Bug #1346410 - Load JSS libraries appropriately + diff --git a/SOURCES/lgpl.txt b/SOURCES/lgpl.txt new file mode 100644 index 0000000..5ab7695 --- /dev/null +++ b/SOURCES/lgpl.txt @@ -0,0 +1,504 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 2.1, February 1999 + + Copyright (C) 1991, 1999 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + +[This is the first released version of the Lesser GPL. It also counts + as the successor of the GNU Library Public License, version 2, hence + the version number 2.1.] + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +Licenses are intended to guarantee your freedom to share and change +free software--to make sure the software is free for all its users. + + This license, the Lesser General Public License, applies to some +specially designated software packages--typically libraries--of the +Free Software Foundation and other authors who decide to use it. You +can use it too, but we suggest you first think carefully about whether +this license or the ordinary General Public License is the better +strategy to use in any particular case, based on the explanations below. + + When we speak of free software, we are referring to freedom of use, +not price. Our General Public Licenses are designed to make sure that +you have the freedom to distribute copies of free software (and charge +for this service if you wish); that you receive source code or can get +it if you want it; that you can change the software and use pieces of +it in new free programs; and that you are informed that you can do +these things. + + To protect your rights, we need to make restrictions that forbid +distributors to deny you these rights or to ask you to surrender these +rights. These restrictions translate to certain responsibilities for +you if you distribute copies of the library or if you modify it. + + For example, if you distribute copies of the library, whether gratis +or for a fee, you must give the recipients all the rights that we gave +you. You must make sure that they, too, receive or can get the source +code. If you link other code with the library, you must provide +complete object files to the recipients, so that they can relink them +with the library after making changes to the library and recompiling +it. And you must show them these terms so they know their rights. + + We protect your rights with a two-step method: (1) we copyright the +library, and (2) we offer you this license, which gives you legal +permission to copy, distribute and/or modify the library. + + To protect each distributor, we want to make it very clear that +there is no warranty for the free library. Also, if the library is +modified by someone else and passed on, the recipients should know +that what they have is not the original version, so that the original +author's reputation will not be affected by problems that might be +introduced by others. + + Finally, software patents pose a constant threat to the existence of +any free program. We wish to make sure that a company cannot +effectively restrict the users of a free program by obtaining a +restrictive license from a patent holder. Therefore, we insist that +any patent license obtained for a version of the library must be +consistent with the full freedom of use specified in this license. + + Most GNU software, including some libraries, is covered by the +ordinary GNU General Public License. This license, the GNU Lesser +General Public License, applies to certain designated libraries, and +is quite different from the ordinary General Public License. We use +this license for certain libraries in order to permit linking those +libraries into non-free programs. + + When a program is linked with a library, whether statically or using +a shared library, the combination of the two is legally speaking a +combined work, a derivative of the original library. The ordinary +General Public License therefore permits such linking only if the +entire combination fits its criteria of freedom. The Lesser General +Public License permits more lax criteria for linking other code with +the library. + + We call this license the "Lesser" General Public License because it +does Less to protect the user's freedom than the ordinary General +Public License. It also provides other free software developers Less +of an advantage over competing non-free programs. These disadvantages +are the reason we use the ordinary General Public License for many +libraries. However, the Lesser license provides advantages in certain +special circumstances. + + For example, on rare occasions, there may be a special need to +encourage the widest possible use of a certain library, so that it becomes +a de-facto standard. To achieve this, non-free programs must be +allowed to use the library. A more frequent case is that a free +library does the same job as widely used non-free libraries. In this +case, there is little to gain by limiting the free library to free +software only, so we use the Lesser General Public License. + + In other cases, permission to use a particular library in non-free +programs enables a greater number of people to use a large body of +free software. For example, permission to use the GNU C Library in +non-free programs enables many more people to use the whole GNU +operating system, as well as its variant, the GNU/Linux operating +system. + + Although the Lesser General Public License is Less protective of the +users' freedom, it does ensure that the user of a program that is +linked with the Library has the freedom and the wherewithal to run +that program using a modified version of the Library. + + The precise terms and conditions for copying, distribution and +modification follow. Pay close attention to the difference between a +"work based on the library" and a "work that uses the library". The +former contains code derived from the library, whereas the latter must +be combined with the library in order to run. + + GNU LESSER GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License Agreement applies to any software library or other +program which contains a notice placed by the copyright holder or +other authorized party saying it may be distributed under the terms of +this Lesser General Public License (also called "this License"). +Each licensee is addressed as "you". + + A "library" means a collection of software functions and/or data +prepared so as to be conveniently linked with application programs +(which use some of those functions and data) to form executables. + + The "Library", below, refers to any such software library or work +which has been distributed under these terms. A "work based on the +Library" means either the Library or any derivative work under +copyright law: that is to say, a work containing the Library or a +portion of it, either verbatim or with modifications and/or translated +straightforwardly into another language. (Hereinafter, translation is +included without limitation in the term "modification".) + + "Source code" for a work means the preferred form of the work for +making modifications to it. For a library, complete source code means +all the source code for all modules it contains, plus any associated +interface definition files, plus the scripts used to control compilation +and installation of the library. + + Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running a program using the Library is not restricted, and output from +such a program is covered only if its contents constitute a work based +on the Library (independent of the use of the Library in a tool for +writing it). Whether that is true depends on what the Library does +and what the program that uses the Library does. + + 1. You may copy and distribute verbatim copies of the Library's +complete source code as you receive it, in any medium, provided that +you conspicuously and appropriately publish on each copy an +appropriate copyright notice and disclaimer of warranty; keep intact +all the notices that refer to this License and to the absence of any +warranty; and distribute a copy of this License along with the +Library. + + You may charge a fee for the physical act of transferring a copy, +and you may at your option offer warranty protection in exchange for a +fee. + + 2. You may modify your copy or copies of the Library or any portion +of it, thus forming a work based on the Library, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) The modified work must itself be a software library. + + b) You must cause the files modified to carry prominent notices + stating that you changed the files and the date of any change. + + c) You must cause the whole of the work to be licensed at no + charge to all third parties under the terms of this License. + + d) If a facility in the modified Library refers to a function or a + table of data to be supplied by an application program that uses + the facility, other than as an argument passed when the facility + is invoked, then you must make a good faith effort to ensure that, + in the event an application does not supply such function or + table, the facility still operates, and performs whatever part of + its purpose remains meaningful. + + (For example, a function in a library to compute square roots has + a purpose that is entirely well-defined independent of the + application. Therefore, Subsection 2d requires that any + application-supplied function or table used by this function must + be optional: if the application does not supply it, the square + root function must still compute square roots.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Library, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Library, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote +it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Library. + +In addition, mere aggregation of another work not based on the Library +with the Library (or with a work based on the Library) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may opt to apply the terms of the ordinary GNU General Public +License instead of this License to a given copy of the Library. To do +this, you must alter all the notices that refer to this License, so +that they refer to the ordinary GNU General Public License, version 2, +instead of to this License. (If a newer version than version 2 of the +ordinary GNU General Public License has appeared, then you can specify +that version instead if you wish.) Do not make any other change in +these notices. + + Once this change is made in a given copy, it is irreversible for +that copy, so the ordinary GNU General Public License applies to all +subsequent copies and derivative works made from that copy. + + This option is useful when you wish to copy part of the code of +the Library into a program that is not a library. + + 4. You may copy and distribute the Library (or a portion or +derivative of it, under Section 2) in object code or executable form +under the terms of Sections 1 and 2 above provided that you accompany +it with the complete corresponding machine-readable source code, which +must be distributed under the terms of Sections 1 and 2 above on a +medium customarily used for software interchange. + + If distribution of object code is made by offering access to copy +from a designated place, then offering equivalent access to copy the +source code from the same place satisfies the requirement to +distribute the source code, even though third parties are not +compelled to copy the source along with the object code. + + 5. A program that contains no derivative of any portion of the +Library, but is designed to work with the Library by being compiled or +linked with it, is called a "work that uses the Library". Such a +work, in isolation, is not a derivative work of the Library, and +therefore falls outside the scope of this License. + + However, linking a "work that uses the Library" with the Library +creates an executable that is a derivative of the Library (because it +contains portions of the Library), rather than a "work that uses the +library". The executable is therefore covered by this License. +Section 6 states terms for distribution of such executables. + + When a "work that uses the Library" uses material from a header file +that is part of the Library, the object code for the work may be a +derivative work of the Library even though the source code is not. +Whether this is true is especially significant if the work can be +linked without the Library, or if the work is itself a library. The +threshold for this to be true is not precisely defined by law. + + If such an object file uses only numerical parameters, data +structure layouts and accessors, and small macros and small inline +functions (ten lines or less in length), then the use of the object +file is unrestricted, regardless of whether it is legally a derivative +work. (Executables containing this object code plus portions of the +Library will still fall under Section 6.) + + Otherwise, if the work is a derivative of the Library, you may +distribute the object code for the work under the terms of Section 6. +Any executables containing that work also fall under Section 6, +whether or not they are linked directly with the Library itself. + + 6. As an exception to the Sections above, you may also combine or +link a "work that uses the Library" with the Library to produce a +work containing portions of the Library, and distribute that work +under terms of your choice, provided that the terms permit +modification of the work for the customer's own use and reverse +engineering for debugging such modifications. + + You must give prominent notice with each copy of the work that the +Library is used in it and that the Library and its use are covered by +this License. You must supply a copy of this License. If the work +during execution displays copyright notices, you must include the +copyright notice for the Library among them, as well as a reference +directing the user to the copy of this License. Also, you must do one +of these things: + + a) Accompany the work with the complete corresponding + machine-readable source code for the Library including whatever + changes were used in the work (which must be distributed under + Sections 1 and 2 above); and, if the work is an executable linked + with the Library, with the complete machine-readable "work that + uses the Library", as object code and/or source code, so that the + user can modify the Library and then relink to produce a modified + executable containing the modified Library. (It is understood + that the user who changes the contents of definitions files in the + Library will not necessarily be able to recompile the application + to use the modified definitions.) + + b) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (1) uses at run time a + copy of the library already present on the user's computer system, + rather than copying library functions into the executable, and (2) + will operate properly with a modified version of the library, if + the user installs one, as long as the modified version is + interface-compatible with the version that the work was made with. + + c) Accompany the work with a written offer, valid for at + least three years, to give the same user the materials + specified in Subsection 6a, above, for a charge no more + than the cost of performing this distribution. + + d) If distribution of the work is made by offering access to copy + from a designated place, offer equivalent access to copy the above + specified materials from the same place. + + e) Verify that the user has already received a copy of these + materials or that you have already sent this user a copy. + + For an executable, the required form of the "work that uses the +Library" must include any data and utility programs needed for +reproducing the executable from it. However, as a special exception, +the materials to be distributed need not include anything that is +normally distributed (in either source or binary form) with the major +components (compiler, kernel, and so on) of the operating system on +which the executable runs, unless that component itself accompanies +the executable. + + It may happen that this requirement contradicts the license +restrictions of other proprietary libraries that do not normally +accompany the operating system. Such a contradiction means you cannot +use both them and the Library together in an executable that you +distribute. + + 7. You may place library facilities that are a work based on the +Library side-by-side in a single library together with other library +facilities not covered by this License, and distribute such a combined +library, provided that the separate distribution of the work based on +the Library and of the other library facilities is otherwise +permitted, and provided that you do these two things: + + a) Accompany the combined library with a copy of the same work + based on the Library, uncombined with any other library + facilities. This must be distributed under the terms of the + Sections above. + + b) Give prominent notice with the combined library of the fact + that part of it is a work based on the Library, and explaining + where to find the accompanying uncombined form of the same work. + + 8. You may not copy, modify, sublicense, link with, or distribute +the Library except as expressly provided under this License. Any +attempt otherwise to copy, modify, sublicense, link with, or +distribute the Library is void, and will automatically terminate your +rights under this License. However, parties who have received copies, +or rights, from you under this License will not have their licenses +terminated so long as such parties remain in full compliance. + + 9. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Library or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Library (or any work based on the +Library), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Library or works based on it. + + 10. Each time you redistribute the Library (or any work based on the +Library), the recipient automatically receives a license from the +original licensor to copy, distribute, link with or modify the Library +subject to these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties with +this License. + + 11. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Library at all. For example, if a patent +license would not permit royalty-free redistribution of the Library by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Library. + +If any portion of this section is held invalid or unenforceable under any +particular circumstance, the balance of the section is intended to apply, +and the section as a whole is intended to apply in other circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 12. If the distribution and/or use of the Library is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Library under this License may add +an explicit geographical distribution limitation excluding those countries, +so that distribution is permitted only in or among countries not thus +excluded. In such case, this License incorporates the limitation as if +written in the body of this License. + + 13. The Free Software Foundation may publish revised and/or new +versions of the Lesser General Public License from time to time. +Such new versions will be similar in spirit to the present version, +but may differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Library +specifies a version number of this License which applies to it and +"any later version", you have the option of following the terms and +conditions either of that version or of any later version published by +the Free Software Foundation. If the Library does not specify a +license version number, you may choose any version ever published by +the Free Software Foundation. + + 14. If you wish to incorporate parts of the Library into other free +programs whose distribution conditions are incompatible with these, +write to the author to ask for permission. For software which is +copyrighted by the Free Software Foundation, write to the Free +Software Foundation; we sometimes make exceptions for this. Our +decision will be guided by the two goals of preserving the free status +of all derivatives of our free software and of promoting the sharing +and reuse of software generally. + + NO WARRANTY + + 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO +WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. +EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR +OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY +KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE +LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME +THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN +WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY +AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU +FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR +CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE +LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING +RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A +FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF +SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH +DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Libraries + + If you develop a new library, and you want it to be of the greatest +possible use to the public, we recommend making it free software that +everyone can redistribute and change. You can do so by permitting +redistribution under these terms (or, alternatively, under the terms of the +ordinary General Public License). + + To apply these terms, attach the following notices to the library. It is +safest to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least the +"copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + +Also add information on how to contact you by electronic and paper mail. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the library, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the + library `Frob' (a library for tweaking knobs) written by James Random Hacker. + + , 1 April 1990 + Ty Coon, President of Vice + +That's all there is to it! + + diff --git a/SPECS/jss.spec b/SPECS/jss.spec new file mode 100644 index 0000000..ec2a94b --- /dev/null +++ b/SPECS/jss.spec @@ -0,0 +1,476 @@ +Name: jss +Version: 4.4.0 +#Release: 8%{?dist} +Release: 9.el7_4 +Summary: Java Security Services (JSS) + +Group: System Environment/Libraries +License: MPLv1.1 or GPLv2+ or LGPLv2+ +URL: http://www.mozilla.org/projects/security/pki/jss/ +# The source for this package was pulled from upstream's hg. Use the +# following commands to generate the tarball: +# +# hg clone https://hg.mozilla.org/projects/jss +# cd jss +# hg archive --prefix jss-4.4.0/jss/ ../jss-4.4.0.tar.gz +# +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{name}-%{version}.tar.gz +Source1: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/MPL-1.1.txt +Source2: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/gpl.txt +Source3: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/lgpl.txt +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +Conflicts: idm-console-framework < 1.1.17-4 +Conflicts: pki-base < 10.4.0 +Conflicts: tomcatjss < 7.2.1 + +BuildRequires: nss-devel >= 3.28.4-6 +BuildRequires: nspr-devel >= 4.13.1 +BuildRequires: java-devel +%if 0%{?fedora} >= 25 +BuildRequires: perl +%endif +Requires: java-headless +Requires: nss >= 3.28.4-6 + +Patch1: jss-post-rebase.patch +Patch2: jss-rhel-7-4-beta.patch +Patch3: jss-HMAC-test-for-AES-encrypt-unwrap.patch +Patch4: jss-PBE-padded-block-cipher-enhancements.patch +Patch5: jss-fix-PK11Store-getEncryptedPrivateKeyInfo-segfault.patch +Patch6: jss-HMAC-unwrap-keywrap-FIPSMODE.patch + +%description +Java Security Services (JSS) is a java native interface which provides a bridge +for java-based applications to use native Network Security Services (NSS). +This only works with gcj. Other JREs require that JCE providers be signed. + +%package javadoc +Summary: Java Security Services (JSS) Javadocs +Group: Documentation +Requires: jss = %{version}-%{release} + +%description javadoc +This package contains the API documentation for JSS. + +%prep +%setup -q -n %{name}-%{version} +pushd jss +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +popd + +%build +[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java +[ -z "$USE_INSTALLED_NSPR" ] && export USE_INSTALLED_NSPR=1 +[ -z "$USE_INSTALLED_NSS" ] && export USE_INSTALLED_NSS=1 + +# Enable compiler optimizations and disable debugging code +# NOTE: If you ever need to create a debug build with optimizations disabled +# just comment out this line and change in the %%install section below the +# line that copies jars xpclass.jar to be xpclass_dbg.jar +export BUILD_OPT=1 + +# Generate symbolic info for debuggers +XCFLAGS="-g $RPM_OPT_FLAGS" +export XCFLAGS + +PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 +PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 + +export PKG_CONFIG_ALLOW_SYSTEM_LIBS +export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS + +NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` +NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'` + +NSS_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss | sed 's/-I//'` +NSS_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nss | sed 's/-L//'` + +export NSPR_INCLUDE_DIR +export NSPR_LIB_DIR +export NSS_INCLUDE_DIR +export NSS_LIB_DIR + +%if 0%{?__isa_bits} == 64 +USE_64=1 +export USE_64 +%endif + +# The Makefile is not thread-safe +make -C jss/coreconf +make -C jss +make -C jss javadoc + +%check + +%install +rm -rf $RPM_BUILD_ROOT docdir + +# Copy the license files here so we can include them in %%doc +cp -p %{SOURCE1} . +cp -p %{SOURCE2} . +cp -p %{SOURCE3} . + +# There is no install target so we'll do it by hand + +# jars +install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir} +# NOTE: if doing a debug no opt build change xpclass.jar to xpclass_dbg.jar +install -m 644 dist/xpclass.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar + +# We have to use the name libjss4.so because this is dynamically +# loaded by the jar file. +install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss +install -m 0755 dist/Linux*.OBJ/lib/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/ +pushd ${RPM_BUILD_ROOT}%{_libdir}/jss + ln -fs %{_jnidir}/jss4.jar jss4.jar +popd + +# javadoc +install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} +cp -rp dist/jssdoc/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} +cp -p jss/jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} +cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} + +%clean +rm -rf $RPM_BUILD_ROOT + +# No ldconfig is required since this library is loaded by Java itself. +%files +%defattr(-,root,root,-) +%doc jss/jss.html MPL-1.1.txt gpl.txt lgpl.txt +%{_libdir}/jss/* +%{_jnidir}/* +%{_libdir}/jss/lib*.so + +%files javadoc +%defattr(-,root,root,-) +%dir %{_javadocdir}/%{name}-%{version} +%{_javadocdir}/%{name}-%{version}/* + +%changelog +* Fri Oct 27 2017 Dogtag Team 4.4.0-9 +- Bugzilla #1505690 - new JSS failures: HMAC Unwrap and KeyWrapping + FIPSMODE [rhel-7.4.z] (jmagne) + +* Mon Sep 11 2017 Dogtag Team 4.4.0-8 +- Bugzilla #1488846 - Fix HmacTest code for AES encrypt/unwrap [rhel-7.4.z] + (jmagne) +- Bugzilla #1490494 - PKCS12: (JSS) upgrade to at least AES and SHA2 (FIPS) + [RHEL-7.4.z] (ftweedal) +- Bugzilla #1490740 - PK11Store.getEncryptedPrivateKeyInfo() segfault if + export fails [rhel-7.4.z] (ftweedal) + +* Tue May 9 2017 Matthew Harmsen - 4.4.0-7 +- Bump NSS dependencies from 4.28.3 to 4.28.4-6 to pick-up fix in + Mozilla Bugzilla #1360207 - Fix incorrect if (ss->...) in SSL_ReconfigFD + +* Mon May 1 2017 Matthew Harmsen - 4.4.0-6 +- Mozilla Bugzilla #1352476 - RFE: Document on the README how to create a + release tag (mharmsen) +- Mozilla Bugzilla #1355358 - CryptoStore: add methods for importing and + exporting EncryptedPrivateKeyInfo (ftweedal) +- Mozilla Bugzilla #1359731 - CryptoStore.importPrivateKey enhancements + (ftweedal) + +* Mon Apr 17 2017 Matthew Harmsen - 4.4.0-5 +- Mozilla Bugzilla #1355268 - JSS 4.4 is incompatible with versions of + idm-console-framework < 1.1.17-4 +- Red Hat Bugzilla #1435076 - Remove unused legacy lines from JSS spec files + +* Mon Mar 27 2017 Matthew Harmsen - 4.4.0-4 +- Bugzilla Bug #1394414 - Rebase jss to 4.4.0 in RHEL 7.4 +- Updated build requirements for NSPR +- Updated build and runtime requirements for NSS +- ## 'jss-post-rebase.patch' resolves the following issues ported from + ## upstream: +- Mozilla Bugzilla #1337092 - CMC conformance update: Implement required ASN.1 + code for RFC5272+ (cfu) +- Mozilla Bugzilla #1347394 - Eclipse project files for JSS (edewata) +- Mozilla Bugzilla #1347429 - Deprecated SSL 3.0 cipher names in SSLSocket + class. (edewata) +- Mozilla Bugzilla #1348856 - SSL alert callback (edewata) +- Mozilla Bugzilla #1349278 - SSL cipher enumeration (edewata) +- Mozilla Bugzilla #1349349 - Problem with Password.readPasswordFromConsole(). + (edewata) +- Mozilla Bugzilla #1349831 - Revise top-level README file (mharmsen) +- Mozilla Bugzilla #1349836 - Changes to JSS Version Block (mharmsen) +- Mozilla Bugzilla #1350130 - Missing + CryptoManager.verifyCertificateNowCUNative() implementation. (emaldona) + +* Tue Mar 21 2017 Matthew Harmsen - 4.4.0-3 +- Added Conflicts statement due to incompatibility with pki-base < 10.4.0 + +* Wed Mar 15 2017 Matthew Harmsen - 4.4.0-2 +- Added Conflicts statement due to incompatibility with tomcatjss < 7.2.1 + +* Mon Mar 13 2017 Elio Maldonado - 4.4.0-1 +- Bugzilla Bug #1394414 - Rebase jss to 4.4.0 in RHEL 7.4 +- ## JSS 4.4.0 includes the following patches ported from downstream: +- Mozilla Bugzilla #507536 - Add IPv6 functionality to JSS +- Mozilla Bugzilla #1307872 - Expose NSS calls for OCSP settings +- Mozilla Bugzilla #1307882 - RFE ecc - add ecc curve name support in JSS and + CS interface +- Mozilla Bugzilla #1307993 - Expose updated certificate verification function + in JSS +- Mozilla Bugzilla #1308000 - Incorrect socket accept error message due to bad + pointer arithmetic +- Mozilla Bugzilla #1308001 - Verification should fail when a revoked + certificate is added +- Mozilla Bugzilla #1308004 - Warnings should be cleaned up in JSS build +- Mozilla Bugzilla #1308006 - DRM failed to recovery keys when in FIPS mode + (HSM + NSS) +- Mozilla Bugzilla #1308008 - Defects revealed by Coverity scan +- Mozilla Bugzilla #1308009 - Add support for PKCS5v2; support for secure PKCS12 +- Mozilla Bugzilla #1308012 - DRM: during archiving and recovering, wrapping + unwrapping keys should be done in the token +- Mozilla Bugzilla #1308013 - JSS - HSM token name was mistaken for + manufacturer identifier +- Mozilla Bugzilla #1308017 - Un-deprecate previously deprecated methods in + JSS 4.2.6 +- Mozilla Bugzilla #1308019 - Provide Tomcat support for TLS v1.1 and + TLS v1.2 via NSS through JSS +- Mozilla Bugzilla #1308026 - JSS certificate validation does not pass up exact + error from NSS +- Mozilla Bugzilla #1308027 - Merge pki-symkey into jss +- Mozilla Bugzilla #1308029 - Resolve Javadoc build issues +- Mozilla Bugzilla #1308047 - support ECC encryption key archival and recovery +- Mozilla Bugzilla #1313122 - Remove bypass tests as latest NSS has removed + PKCS#11 bypass support +- Mozilla Bugzilla #1328675 - Simple problem unwrapping AES sym keys on token +- Mozilla Bugzilla #1345174 - Cannot create system certs when using LunaSA HSM + in FIPS Mode and ECC algorithms +- Mozilla Bugzilla #1345613 - expose AES KeyWrap and add some useful OID + functions +- Mozilla Bugzilla #1346410 - Load JSS libraries appropriately +- ## JSS 4.4.0 includes the following changes for building and testing: +- Mozilla Bugzilla #1331765 - Simplify JSS Makefile build and test +- Mozilla Bugzilla #1346420 - Document steps required to use the proper + libjss4.so when running certain HMAC Algorithms tests + +* Wed Feb 22 2017 Jack Magne - 4.2.6-44 +- Bugzilla Bug #1425971 - Simple problem unwrapping AES sym keys on token + +* Fri Feb 10 2017 Fedora Release Engineering - 4.2.6-43 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Tue Aug 9 2016 Christina Fu - 4.2.6-42 +- Sync up patches from both Fedora and RHEL; adding two patches + (cfu, edewata, mharmsen) from RHEL: +- Bugzilla Bug #1238450 - UnsatisfiedLinkError on Windows (cfu) +- make it compile on Windows platforms (cfu for nhosoi) + +* Fri Jun 24 2016 Christina Fu - 4.2.6-41 +- Bugzilla 1221295 jss fails to decode EncryptedKey >> EnvelopedData + (cfu for roysjosh@gmail.com) + +* Thu May 19 2016 Christina Fu - 4.2.6-40 +- Bugzilla 1074208 - pass up exact JSS certificate validation errors from NSS + (edewata) +- Bugzilla 1331596 - Key archival fails when KRA is configured with lunasa. + (cfu) +- PKI ticket 801 - Merge pki-symkey into jss (phase 1) + (jmagne) + +* Wed Dec 09 2015 Endi Dewata - 4.2.6-38 +- Bugzilla Bug #1289799 - JSS build failure on F23 and Rawhide (edewata) + +* Thu Apr 09 2015 Marcin Juszkiewicz - 4.2.6-37 +- Fix use of __isa_bits macro so it does not fail during srpm generation on koji + +* Thu Apr 09 2015 Marcin Juszkiewicz - 4.2.6-36 +- Use __isa_bits macro to check for 64-bit arch. Unblocks aarch64 and ppc64le. + +* Tue Sep 30 2014 Christina Fu - 4.2.6-35 +- Bugzilla Bug #1040640 - Incorrect OIDs for SHA2 algorithms + (cfu for jnimeh@gmail.com) +- Bugzilla Bug #1133718 - Key strength validation is not performed for RC4 + algorithm (nkinder) +- Bugzilla Bug #816396 - Provide Tomcat support for TLS v1.1 and + TLS v1.2 via NSS through JSS (cfu) + +* Sat Aug 16 2014 Fedora Release Engineering - 4.2.6-34 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 4.2.6-33 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Fri Mar 28 2014 Michael Simacek - 4.2.6-32 +- Use Requires: java-headless rebuild (#1067528) + +* Sat Aug 03 2013 Fedora Release Engineering - 4.2.6-31 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 17 2013 Nathan Kinder - 4.2.6-30 +- Bugzilla Bug #847120 - Unable to build JSS on F17 or newer + +* Thu Feb 14 2013 Fedora Release Engineering - 4.2.6-29 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Dec 19 2012 Stanislav Ochotnicky - 4.2.6-28 +- revbump after jnidir change + +* Wed Dec 12 2012 Stanislav Ochotnicky - 4.2.6-27 +- Simple rebuild + +* Mon Nov 19 2012 Christina Fu - 4.2.6-26 +- added source URLs in spec file to pass Package Wrangler + +* Thu Jul 19 2012 Fedora Release Engineering - 4.2.6-25 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Mar 30 2012 Matthew Harmsen - 4.2.6-24 +- Bugzilla Bug #783007 - Un-deprecate previously deprecated methods in + JSS 4.2.6 . . . BadPaddingException (mharmsen) + +* Tue Mar 20 2012 Christina Fu - 4.2.6-23 +- Bugzilla Bug #797351 - JSS - HSM token name was mistaken for manufacturer + identifier (cfu) +- Bugzilla Bug #804840 - [RFE] ECC encryption keys cannot be archived + ECC phase2 work - support for ECC encryption key archival and recovery (cfu) +- Bugzilla Bug #783007 - Un-deprecate previously deprecated methods in + JSS 4.2.6 . . . (mharmsen) +- Dogtag TRAC Task #109 (https://fedorahosted.org/pki/ticket/109) - add + benign JNI jar file symbolic link from JNI libdir to JNI jar file (mharmsen) + +* Fri Jan 13 2012 Fedora Release Engineering - 4.2.6-22 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Oct 19 2011 Christina Fu - 4.2.6-21 +- Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping + unwrapping keys should be done in the token +- support for PKCS5v2; support for secure PKCS12 +- Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after the + in-place upgrade( CS 8.0->8.1) + +* Mon Sep 19 2011 Matthew Harmsen - 4.2.6-20 +- Bugzilla Bug #715621 - Defects revealed by Coverity scan + +* Wed Aug 31 2011 Matthew Harmsen - 4.2.6-19.1 +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . + +* Mon Aug 15 2011 Christina Fu - 4.2.6-19 +- Bugzilla Bug 733550 - DRM failed to recovery keys when in FIPS mode + (HSM + NSS) + +* Fri Aug 12 2011 Matthew Harmsen - 4.2.6-18 +- Bugzilla Bug #660436 - Warnings should be cleaned up in JSS build + (jdennis, mharmsen) + +* Wed May 18 2011 Christina Fu - 4.2.6-17 +- Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode + and ECC algorithms (support tokens that don't do ECDH) + +* Fri Apr 08 2011 Jack Magne - 4.2.6-15.99 +- bug 694661 - TKS instance crash during token enrollment. + Back out of previous patch for #676083. + +* Thu Feb 24 2011 Andrew Wnuk - 4.2.6-15 +- bug 676083 - JSS: slots not freed + +* Wed Feb 09 2011 Fedora Release Engineering - 4.2.6-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 31 2011 John Dennis - 4.2.6-13 +- remove misleading comment in spec file concerning jar signing + +* Tue Jan 11 2011 Kevin Wright - 4.2.6-12 +- added missing patch line + +* Tue Dec 21 2010 Christina Fu - 4.2.6-11 +- bug 654657 - + Incorrect socket accept error message due to bad pointer arithmetic +- bug 661142 - + Verification should fail when a revoked certificate is added + +* Thu Dec 16 2010 John Dennis - 4.2.6-10 +- Resolves: bug 656094 - + Rebase jss to at least jss-4.2.6-9 +- + merge in updates from Fedora + move jar location to %%{_libdir}/jss and provide symlinks, on 32bit looks like this: + /usr/lib/java/jss4.jar -> /usr/lib/jss/jss4.jar + /usr/lib/jss/jss4-.jar + /usr/lib/jss/jss4.jar -> jss4-.jar + /usr/lib/jss/libjss4.so +- bug 654657 - + Incorrect socket accept error message due to bad pointer arithmetic +- bug 647364 - + Expose updated certificate verification function in JSS +- bug 529945 - + expose NSS calls for OCSP settings +- bug 638833 - + rfe ecc - add ec curve name support in JSS and CS +- + Need to explicitly catch UnsatisfiedLinkError exception for System.load() +- bug 533304 - + Move location of libjss4.so to subdirectory and use System.load() to + load it instead of System.loadLibrary() for Fedora packaging compliance + +* Mon Nov 30 2009 Dennis Gregorovic - 4.2.6-4.1 +- Rebuilt for RHEL 6 + +* Fri Jul 31 2009 Rob Crittenden 4.2.6-4 +- Resolves: bug 224688 - + Support ECC POP on the server +- Resolves: bug 469456 - + Server Sockets are hard coded to IPV4 +- Resolves: bug 509183 - + Set NSS dependency >= 3.12.3.99 + +* Fri Jul 24 2009 Fedora Release Engineering - 4.2.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Fri Jun 5 2009 Rob Crittenden 4.2.6-2 +- Include patch to fix missing @param so javadocs will build + +* Fri Jun 5 2009 Rob Crittenden 4.2.6-1 +- Resolves: bug 455305 - + CA ECC Signing Key Failure +- Resolves: bug 502111 - + Need JSS interface for NSS's PK11_GenerateKeyPairWithOpFlags() function +- Resolves: bug 503809 - + Update JSS version to 4.2.6 +- Resolves: bug 503817 - + Create JSS Javadocs as their own RPM + +* Wed Feb 25 2009 Fedora Release Engineering - 4.2.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Aug 5 2008 Tom "spot" Callaway - 4.2.5-3 +- fix license tag + +* Tue Feb 19 2008 Fedora Release Engineering - 4.2.5-2 +- Autorebuild for GCC 4.3 + +* Fri Aug 3 2007 Rob Crittenden 4.2.5-1 +- update to 4.2.5 + +* Thu May 24 2007 Rob Crittenden 4.2.4-6 +- Use _jnidir macro instead of _javadir for the jar files. This will break + multilib installs but adheres to the jpackage spec. + +* Wed May 16 2007 Rob Crittenden 4.2.4-5 +- Include the 3 license files +- Remove Requires for nss and nspr. These libraries have versioned symbols + so BuildRequires is enough to set the minimum. +- Add sparc64 for the 64-bit list + +* Mon May 14 2007 Rob Crittenden 4.2.4-4 +- Included additional comments on jar signing and why ldconfig is not + required. + +* Thu May 10 2007 Rob Crittenden 4.2.4-3 +- Added information on how to pull the source into a tar.gz + +* Thu Mar 15 2007 Rob Crittenden 4.2.4-2 +- Added RPM_OPT_FLAGS to XCFLAGS +- Added link to Sun JCE information + +* Tue Feb 27 2007 Rob Crittenden 4.2.4-1 +- Initial build