From aee1ecfbd86c79c34858400f6431953bb5b07486 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 01 2017 03:44:32 +0000
Subject: import jss-4.4.0-7.el7
---
diff --git a/.gitignore b/.gitignore
index 9aa2e17..15d4ccb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/jss-4.2.6.tar.gz
+SOURCES/jss-4.4.0.tar.gz
diff --git a/.jss.metadata b/.jss.metadata
index bd356c5..21d2385 100644
--- a/.jss.metadata
+++ b/.jss.metadata
@@ -1 +1 @@
-4c7eb4e1bfcda535b4b4371f9389c0b77d717469 SOURCES/jss-4.2.6.tar.gz
+44982c04810aebfa1528d10184380b2c8832d148 SOURCES/jss-4.4.0.tar.gz
diff --git a/SOURCES/jss-ECC-HSM-FIPS.patch b/SOURCES/jss-ECC-HSM-FIPS.patch
deleted file mode 100644
index 739c930..0000000
--- a/SOURCES/jss-ECC-HSM-FIPS.patch
+++ /dev/null
@@ -1,62 +0,0 @@ -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig 2011-05-18 10:01:36.792151000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-05-18 10:06:07.483691000 -0700 -@@ -110,6 +110,7 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = { - /* 47 */ {SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE, SEC_OID_TAG}, - /* 48 */ {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG}, - /* 49 */ {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG}, -+/* 50 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG}, - /* REMEMBER TO UPDATE NUM_ALGS!!! */ - }; - -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig 2011-05-18 10:01:43.561164000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2011-05-18 10:06:07.489690000 -0700 -@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr { - JSS_AlgType type; - } JSS_AlgInfo; - --#define NUM_ALGS 50 -+#define NUM_ALGS 51 - - extern JSS_AlgInfo JSS_AlgTable[]; - extern CK_ULONG JSS_symkeyUsage[]; -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig 2011-05-18 10:01:51.232179000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2011-05-18 10:06:07.493690000 -0700 -@@ -232,5 +232,6 @@ public class Algorithm { - protected static final short SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47; - protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48; - protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49; -+ 
protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50; - - } -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig 2011-05-18 10:02:01.056198000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java 2011-05-18 13:46:33.452948000 -0700 -@@ -94,7 +94,12 @@ public class KeyPairAlgorithm extends Al - DSAFamily = new Algorithm(SEC_OID_ANSIX9_DSA_SIGNATURE, "DSA"); - - public static final Algorithm -- ECFamily = new Algorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY, "EC"); -+ -+// To support both ECDSA and ECDH, it is best to provide two EC Families; -+// However, since there is no token that does only CKM_DERIVE to -+// date, we will just do ECDSA for now as it is sufficient enough today. -+// This fix will support tokens that do not do ECDH -+ ECFamily = new Algorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, "EC"); - - public static final KeyPairAlgorithm - RSA = new KeyPairAlgorithm(CKM_RSA_PKCS_KEY_PAIR_GEN, "RSA", RSAFamily); -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig 2011-05-18 10:02:10.696218000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java 2011-05-18 10:06:07.496691000 -0700 -@@ -124,7 +124,7 @@ public class SignatureAlgorithm extends - * operates on its input, which should be a hash. 
- */ - public static final SignatureAlgorithm -- ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY, -+ ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, - "EC", - null, null, ANSI_X962_OID.subBranch(2).subBranch(1) ); - diff --git a/SOURCES/jss-ECC-Phase2KeyArchivalRecovery.patch b/SOURCES/jss-ECC-Phase2KeyArchivalRecovery.patch deleted file mode 100644 index 1bcc238..0000000 --- a/SOURCES/jss-ECC-Phase2KeyArchivalRecovery.patch +++ /dev/null 
@@ -1,451 +0,0 @@ -diff -up jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig jss-4.2.6/mozilla/security/jss/build_java.pl ---- jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig 2012-03-19 17:48:57.615048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/build_java.pl 2012-03-19 17:48:53.250052000 -0700 -@@ -19,6 +19,7 @@ org.mozilla.jss.crypto.Algorithm - org.mozilla.jss.crypto.EncryptionAlgorithm - org.mozilla.jss.crypto.PQGParams - org.mozilla.jss.crypto.SecretDecoderRing -+org.mozilla.jss.asn1.ASN1Util - org.mozilla.jss.pkcs11.CertProxy - org.mozilla.jss.pkcs11.CipherContextProxy - org.mozilla.jss.pkcs11.PK11Module -diff -up jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/config.mk ---- jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig 2012-03-19 17:48:57.535048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/lib/config.mk 2012-03-19 17:48:53.264052000 -0700 -@@ -44,6 +44,7 @@ SHARED_LIBRARY_DIRS = \ - ../org/mozilla/jss/SecretDecoderRing \ - ../org/mozilla/jss \ - ../org/mozilla/jss/pkcs11 \ -+ ../org/mozilla/jss/asn1 \ - ../org/mozilla/jss/ssl \ - ../org/mozilla/jss/util \ - ../org/mozilla/jss/provider/java/security \ -diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig jss-4.2.6/mozilla/security/jss/lib/jss.def ---- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig 2012-03-19 17:48:57.362048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2012-03-19 17:48:53.278052000 -0700 -@@ -333,6 +333,7 @@ Java_org_mozilla_jss_CryptoManager_OCSPC - Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; - Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; - Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative; -+Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid; - ;+ local: - ;+ *; - ;+}; -diff -up jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/rules.mk ---- jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig 2012-03-19 17:48:57.574049000 
-0700 -+++ jss-4.2.6/mozilla/security/jss/lib/rules.mk 2012-03-19 17:48:53.288052000 -0700 -@@ -41,6 +41,7 @@ release_sanitize:: - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsscrypto$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssmanage$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspkcs11$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) -+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssasn1$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspolicy$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssssl$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssutil$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) -@@ -48,6 +49,7 @@ ifeq ($(OS_ARCH),WINNT) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsscrypto$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssmanage$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspkcs11$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) -+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssasn1$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspolicy$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssssl$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) - -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssutil$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) -diff -up 
jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig 2012-03-19 17:48:57.381048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c 2012-03-19 17:51:32.433893000 -0700 -@@ -0,0 +1,97 @@ -+/* ***** BEGIN LICENSE BLOCK ***** -+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 -+ * -+ * The contents of this file are subject to the Mozilla Public License Version -+ * 1.1 (the "License"); you may not use this file except in compliance with -+ * the License. You may obtain a copy of the License at -+ * http://www.mozilla.org/MPL/ -+ * -+ * Software distributed under the License is distributed on an "AS IS" basis, -+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -+ * for the specific language governing rights and limitations under the -+ * License. -+ * -+ * The Original Code is the Netscape Security Services for Java. -+ * -+ * The Initial Developer of the Original Code is -+ * Netscape Communications Corporation. -+ * Portions created by the Initial Developer are Copyright (C) 1998-2000 -+ * the Initial Developer. All Rights Reserved. -+ * -+ * Contributor(s): -+ * -+ * Alternatively, the contents of this file may be used under the terms of -+ * either the GNU General Public License Version 2 or later (the "GPL"), or -+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -+ * in which case the provisions of the GPL or the LGPL are applicable instead -+ * of those above. If you wish to allow use of your version of this file only -+ * under the terms of either the GPL or the LGPL, and not to allow others to -+ * use your version of this file under the terms of the MPL, indicate your -+ * decision by deleting the provisions above and replace them with the notice -+ * and other provisions required by the GPL or the LGPL. 
If you do not delete -+ * the provisions above, a recipient may use your version of this file under -+ * the terms of any one of the MPL, the GPL or the LGPL. -+ * -+ * ***** END LICENSE BLOCK ***** */ -+#include "_jni/org_mozilla_jss_asn1_ASN1Util.h" -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+ -+/*********************************************************************** -+ * -+ * Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid -+ * retrieves OID description by NSS's OID Tag identifier -+ * the OID byte array is expected to be without the OID Tag (6) and size -+ * (together 2 bytes) -+ */ -+JNIEXPORT jstring JNICALL -+Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid(JNIEnv *env, jobject this, jbyteArray oidBA) -+{ -+ SECItem *oid = NULL; -+ SECOidTag oidTag = SEC_OID_UNKNOWN; -+ char *oidDesc = NULL; -+ jstring description= ""; -+ -+ if (oidBA == NULL) { -+ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION, -+ "JSS getTagDescriptionByOid: oidBA null"); -+ goto finish; -+ } else { -+ /************************************************** -+ * Setup the parameters -+ *************************************************/ -+ oid = JSS_ByteArrayToSECItem(env, oidBA); -+ if (oid == NULL) { -+ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION, -+ "JSS getTagDescriptionByOid: JSS_ByteArrayToSECItem failed"); -+ goto finish; -+ } -+ -+ /* -+ * SECOID_FindOIDTag() returns SEC_OID_UNKNOWN if no match -+ */ -+ oidTag = SECOID_FindOIDTag(oid); -+ if (oidTag == SEC_OID_UNKNOWN) { -+ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION, -+ "JSS getTagDescriptionByOid: OID UNKNOWN"); -+ goto finish; -+ } -+ -+ oidDesc = SECOID_FindOIDTagDescription(oidTag); -+ if (oidDesc == NULL) { -+ oidDesc = ""; -+ } -+ description = (*env)->NewStringUTF(env, oidDesc); -+ } -+ -+finish: -+ return description; -+} -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig 
jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig 2012-03-19 17:48:57.119048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java 2012-03-19 18:03:20.766186000 -0700 -@@ -36,6 +36,8 @@ - package org.mozilla.jss.asn1; - - import java.io.*; -+import java.util.Arrays; -+ - import org.mozilla.jss.asn1.InvalidBERException; - import org.mozilla.jss.util.Assert; - -@@ -114,4 +116,71 @@ public class ASN1Util { - numRead += nr; - } - } -+ -+ /** -+ * returns the ECC curve byte array given the X509 public key byte array -+ * -+ * @param X509PubKeyBytes byte array of an X509PubKey -+ * @param withHeader tells if the return byes should inclulde the tag and size header or not -+ */ -+ public static byte[] getECCurveBytesByX509PublicKeyBytes(byte[] X509PubKeyBytes, -+ boolean withHeader) -+ throws IllegalArgumentException, ArrayIndexOutOfBoundsException, -+ NullPointerException -+ { -+ if ((X509PubKeyBytes == null) || (X509PubKeyBytes.length == 0)) { -+ throw new IllegalArgumentException("X509PubKeyBytes null"); -+ } -+ -+ /* EC public key OID complete with tag and size */ -+ byte[] EC_PubOIDBytes_full = -+ ASN1Util.encode(OBJECT_IDENTIFIER.EC_PUBKEY_OID); -+ -+ /* EC public key OID without tag and size */ -+ byte[] EC_PubOIDBytes = -+ Arrays.copyOfRange(EC_PubOIDBytes_full, 2, EC_PubOIDBytes_full.length); -+ -+ int curveBeginIndex = 0; -+ for (int idx = 0; idx<= X509PubKeyBytes.length; idx++) { -+ byte[] tmp = -+ Arrays.copyOfRange(X509PubKeyBytes, idx, idx+EC_PubOIDBytes.length); -+ if (Arrays.equals(tmp, EC_PubOIDBytes)) { -+ curveBeginIndex = idx+ EC_PubOIDBytes.length; -+ break; -+ } -+ } -+ -+ int curveByteArraySize = (int) X509PubKeyBytes[curveBeginIndex+ 1]; -+ -+ if (withHeader) { -+ /* actual curve with tag and size */ -+ byte curve[] = Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex, curveBeginIndex + curveByteArraySize + 2); -+ return curve; 
-+ } else { -+ /* actual curve without tag and size */ -+ byte curve[] = -+ Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex + 2, -+ curveBeginIndex + 2 + curveByteArraySize); -+ return curve; -+ } -+ } -+ -+ /** -+ * getOIDdescription() returns a text description of the OID -+ * from OID byte array -+ * the OID byte array is expected to be without the OID Tag (6) and size -+ * (together 2 bytes) -+ */ -+ public static String -+ getOIDdescription(byte[] oidBA) { -+ return getTagDescriptionByOid(oidBA); -+ } -+ -+ /** -+ * get OID description JNI method -+ */ -+ private native static String -+ getTagDescriptionByOid(byte[] oidBA); -+ -+ - } -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig 2012-03-19 17:48:57.467048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile 2012-03-19 17:48:53.348052000 -0700 -@@ -57,7 +57,7 @@ include $(CORE_DEPTH)/$(MODULE)/config/c - ####################################################################### - # (4) Include "local" platform-dependent assignments (OPTIONAL). 
# - ####################################################################### --#include config.mk -+include config.mk - - - ####################################################################### -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig 2012-03-19 17:48:57.178048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java 2012-03-19 17:48:53.364052000 -0700 -@@ -52,6 +52,12 @@ public class OBJECT_IDENTIFIER implement - /////////////////////////////////////////////////////////////////////// - - /** -+ * The OID space for EC -+ */ -+ public static final OBJECT_IDENTIFIER EC_PUBKEY_OID = -+ new OBJECT_IDENTIFIER( new long[]{1, 2, 840, 10045, 2, 1} ); -+ -+ /** - * The OID space for RSA Data Security, Inc. - */ - public static final OBJECT_IDENTIFIER RSADSI = -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig 2012-03-19 17:48:57.398048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk 2012-03-19 17:48:53.381052000 -0700 -@@ -0,0 +1,41 @@ -+# -+# ***** BEGIN LICENSE BLOCK ***** -+# Version: MPL 1.1/GPL 2.0/LGPL 2.1 -+# -+# The contents of this file are subject to the Mozilla Public License Version -+# 1.1 (the "License"); you may not use this file except in compliance with -+# the License. You may obtain a copy of the License at -+# http://www.mozilla.org/MPL/ -+# -+# Software distributed under the License is distributed on an "AS IS" basis, -+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License -+# for the specific language governing rights and limitations under the -+# License. 
-+# -+# The Original Code is the Netscape Security Services for Java. -+# -+# The Initial Developer of the Original Code is -+# Netscape Communications Corporation. -+# Portions created by the Initial Developer are Copyright (C) 1998-2000 -+# the Initial Developer. All Rights Reserved. -+# -+# Contributor(s): -+# -+# Alternatively, the contents of this file may be used under the terms of -+# either the GNU General Public License Version 2 or later (the "GPL"), or -+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), -+# in which case the provisions of the GPL or the LGPL are applicable instead -+# of those above. If you wish to allow use of your version of this file only -+# under the terms of either the GPL or the LGPL, and not to allow others to -+# use your version of this file under the terms of the MPL, indicate your -+# decision by deleting the provisions above and replace them with the notice -+# and other provisions required by the GPL or the LGPL. If you do not delete -+# the provisions above, a recipient may use your version of this file under -+# the terms of any one of the MPL, the GPL or the LGPL. 
-+# -+# ***** END LICENSE BLOCK ***** -+TARGETS=$(LIBRARY) -+SHARED_LIBRARY= -+IMPORT_LIBRARY= -+ -+NO_MD_RELEASE = 1 -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig 2012-03-19 17:48:57.434048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn 2012-03-19 17:48:53.401052000 -0700 -@@ -41,6 +41,8 @@ MODULE = jss - - NS_USE_JDK = 1 - -+REQUIRES = nspr20 nss -+ - PACKAGE = org/mozilla/jss/asn1 - - CLASSES = \ -@@ -112,3 +114,9 @@ JSRCS = \ - UTCTime.java \ - UTF8String.java \ - $(NULL) -+ -+CSRCS = \ -+ ASN1Util.c \ -+ $(NULL) -+ -+LIBRARY_NAME = jssasn1 -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig 2012-03-19 17:48:57.502048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn 2012-03-19 17:48:53.413052000 -0700 -@@ -48,6 +48,7 @@ DIRS = \ - crypto \ - SecretDecoderRing \ - pkcs11 \ -+ asn1 \ - ssl \ - provider \ - $(NULL) -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig 2012-03-19 17:48:57.238048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java 2012-03-19 17:48:53.432052000 -0700 -@@ -61,15 +61,29 @@ public final class PK11ECPublicKey exten - // } - // } - // --// public BigInteger getW() { --// try { --// return new BigInteger( getWByteArray() ); --// } catch(NumberFormatException e) { --// Assert.notReached("Unable to decode DSA public value"); --// return null; --// } --// } --// --// private native byte[] getCurveByteArray(); --// private 
native byte[] getWByteArray(); -+ -+ public BigInteger getCurve() { -+ try { -+ return new BigInteger( getCurveByteArray() ); -+ } catch(NumberFormatException e) { -+ Assert.notReached("Unable to decode EC curve"); -+ return null; -+ } -+ } -+ -+ public byte[] getCurveBA() { -+ return getCurveByteArray(); -+ } -+ -+ public BigInteger getW() { -+ try { -+ return new BigInteger( getWByteArray() ); -+ } catch(NumberFormatException e) { -+ Assert.notReached("Unable to decode EC public value"); -+ return null; -+ } -+ } -+ -+ private native byte[] getCurveByteArray(); -+ private native byte[] getWByteArray(); - } -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig 2012-03-19 17:48:57.272048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2012-03-19 17:48:53.450052000 -0700 -@@ -450,6 +450,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - numAttribs = 4; - } - break; -+ case CKK_EC: -+ numAttribs = 1; -+ attribs[0] = CKA_SIGN; -+ if (isExtractable) { -+ attribs[1] = CKA_EXTRACTABLE; -+ numAttribs = 2; -+ } -+ break; - case CKK_DSA: - attribs[0] = CKA_SIGN; - numAttribs = 1; -@@ -460,11 +468,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - attribs[0] = CKA_DERIVE; - numAttribs = 1; - break; -- case CKK_EC: -- attribs[0] = CKA_SIGN; -- attribs[1] = CKA_DERIVE; -- numAttribs = 2; -- break; - default: - /* unknown key type */ - PR_ASSERT(PR_FALSE); -@@ -479,7 +482,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - attribs, numAttribs, NULL /*wincx*/); - if( privk == NULL ) { - char err[256] = {0}; -- PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError()); -+ PR_snprintf(err, 256, "Key Unwrap failed on token:error=%d, keyType=%d", PR_GetError(), keyType); - JSS_throwMsg(env, TOKEN_EXCEPTION, err); - goto finish; - } -diff -up 
jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig 2012-03-19 17:48:57.298048000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2012-03-19 17:48:53.471052000 -0700 -@@ -459,13 +459,19 @@ final class PK11KeyWrapper implements Ke - if( type == PrivateKey.RSA ) { - if( !(publicKey instanceof RSAPublicKey)) { - throw new InvalidKeyException("Type of public key does not "+ -- "match type of private key"); -+ "match type of private key which is RSA"); - } - return ((RSAPublicKey)publicKey).getModulus().toByteArray(); -+ } else if(type == PrivateKey.EC) { -+ if( !(publicKey instanceof PK11ECPublicKey) ) { -+ throw new InvalidKeyException("Type of public key does not "+ -+ "match type of private key which is EC"); -+ } -+ return ((PK11ECPublicKey)publicKey).getW().toByteArray(); - } else if(type == PrivateKey.DSA) { - if( !(publicKey instanceof DSAPublicKey) ) { - throw new InvalidKeyException("Type of public key does not "+ -- "match type of private key"); -+ "match type of private key which is DSA"); - } - return ((DSAPublicKey)publicKey).getY().toByteArray(); - } else { diff --git a/SOURCES/jss-ECC-pop.patch b/SOURCES/jss-ECC-pop.patch deleted file mode 100644 index 48da89d..0000000 --- a/SOURCES/jss-ECC-pop.patch +++ /dev/null 
@@ -1,29 +0,0 @@
-diff -rupN jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java jss-4.2.6.cfu/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java 2004-04-25 08:02:26.000000000 -0700
-+++ jss-4.2.6.cfu/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java 2009-07-27 13:38:38.197422000 -0700
-@@ -130,6 +130,16 @@ public class CertReqMsg implements ASN1V
- ///////////////////////////////////////////////////////////////////////
-
- public void verify() throws SignatureException,
-+ InvalidKeyFormatException, NoSuchAlgorithmException,
-+ org.mozilla.jss.CryptoManager.NotInitializedException,
-+ TokenException, java.security.InvalidKeyException, IOException{
-+
-+ CryptoToken token = CryptoManager.getInstance()
-+ .getInternalCryptoToken();
-+ verify(token);
-+ }
-+
-+ public void verify(CryptoToken token) throws SignatureException,
- InvalidKeyFormatException, NoSuchAlgorithmException,
- org.mozilla.jss.CryptoManager.NotInitializedException,
- TokenException, java.security.InvalidKeyException, IOException{
-@@ -149,8 +159,6 @@ public class CertReqMsg implements ASN1V
- pubkey = (PublicKey) spi.toPublicKey();
- }
-
-- CryptoToken token = CryptoManager.getInstance()
-- .getInternalCryptoToken();
- SignatureAlgorithm sigAlg =
- SignatureAlgorithm.fromOID(alg.getOID());
- Signature sig = token.getSignatureContext(sigAlg);
diff --git a/SOURCES/jss-ECC_keygen_byCurveName.patch b/SOURCES/jss-ECC_keygen_byCurveName.patch
deleted file mode 100644
index 0617183..0000000
--- a/SOURCES/jss-ECC_keygen_byCurveName.patch
+++ /dev/null
@@ -1,490 +0,0 @@ -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java.fix 2010-10-20 09:54:35.189680000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2010-10-20 10:54:53.154835000 -0700 -@@ -196,7 +196,10 @@ public class KeyPairGenerator { - engine.setKeyPairUsages(usages,usages_mask); - } - -- -+ public int getCurveCodeByName(String curveName) -+ throws InvalidParameterException { -+ return engine.getCurveCodeByName(curveName); -+ } - - - -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java.fix 2010-10-20 09:54:52.393628000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2010-10-20 10:55:39.441698000 -0700 -@@ -94,4 +94,6 @@ public abstract class KeyPairGeneratorSp - - public abstract void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages, - KeyPairGeneratorSpi.Usage[] usages_mask); -+ -+ public abstract int getCurveCodeByName(String curveName) throws InvalidParameterException; - } -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java.fix 2010-10-15 10:30:57.832196000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2010-10-20 11:09:30.523208000 -0700 -@@ -44,6 +44,7 @@ import java.security.*; - import java.security.SecureRandom; - import java.security.spec.AlgorithmParameterSpec; - import java.security.spec.DSAParameterSpec; -+import 
java.util.Hashtable; - - - /** -@@ -55,6 +56,246 @@ public final class PK11KeyPairGenerator - extends org.mozilla.jss.crypto.KeyPairGeneratorSpi - { - -+ // curve code for getting the actual EC curve -+ private enum ECCurve_Code { -+ // NIST, SEC2 Prime curves -+ secp521r1 , // == nistp521 -+ nistp521 , -+ secp384r1 , // == nistp384 -+ nistp384 , -+ secp256r1 , // == nistp256 -+ nistp256 , -+ secp256k1 , -+ secp224r1 , // == nistp224 -+ nistp224 , -+ secp224k1 , -+ secp192r1 , // == nistp192 -+ nistp192 , -+ secp192k1 , -+ secp160r2 , -+ secp160r1 , -+ secp160k1 , -+ secp128r2 , -+ secp128r1 , -+ secp112r2 , -+ secp112r1 , -+ // NIST, SEC2 Binary curves -+ sect571r1 , // == nistb571 -+ nistb571 , -+ sect571k1 , // == nistk571 -+ nistk571 , -+ sect409r1 , // == nistb409 -+ nistb409 , -+ sect409k1 , // == nistk409 -+ nistk409 , -+ sect283r1 , // == nistb283 -+ nistb283 , -+ sect283k1 , // == nistk283 -+ nistk283 , -+ sect239k1 , -+ sect233r1 , // == nistb233 -+ nistb233 , -+ sect233k1 , // == nistk233 -+ nistk233 , -+ sect193r2 , -+ sect193r1 , -+ nistb163 , -+ sect163r2 , // == nistb163 -+ sect163r1 , -+ sect163k1 , // == nistk163 -+ nistk163 , -+ sect131r2 , -+ sect131r1 , -+ sect113r2 , -+ sect113r1 , -+ // ANSI X9.62 Prime curves -+ prime239v3 , -+ prime239v2 , -+ prime239v1 , -+ prime192v3 , -+ prime192v2 , -+ prime192v1 , // == nistp192 -+ // prime256v1 == nistp256 -+ // ANSI X9.62 Binary curves -+ c2pnb163v1 , -+ c2pnb163v2 , -+ c2pnb163v3 , -+ c2pnb176v1 , -+ c2tnb191v1 , -+ c2tnb191v2 , -+ c2tnb191v3 , -+ //c2onb191v4 , -+ //c2onb191v5 , -+ c2pnb208w1 , -+ c2tnb239v1 , -+ c2tnb239v2 , -+ c2tnb239v3 , -+ //c2onb239v4 , -+ //c2onb239v5 , -+ c2pnb272w1 , -+ c2pnb304w1 , -+ c2tnb359v1 , -+ c2pnb368w1 , -+ c2tnb431r1 -+ // no WTLS curves fo now -+ }; -+ -+ private static Hashtable ECCurve_NameToCode = new Hashtable(); -+ static { -+ // NIST, SEC2 Prime curves -+ ECCurve_NameToCode.put( -+ "secp521r1", ECCurve_Code.secp521r1); -+ ECCurve_NameToCode.put( -+ 
"nistp521", ECCurve_Code.nistp521); -+ ECCurve_NameToCode.put( -+ "secp384r1", ECCurve_Code.secp384r1); -+ ECCurve_NameToCode.put( -+ "nistp384", ECCurve_Code.nistp384); -+ ECCurve_NameToCode.put( -+ "secp256r1", ECCurve_Code.secp256r1); -+ ECCurve_NameToCode.put( -+ "nistp256", ECCurve_Code.nistp256); -+ ECCurve_NameToCode.put( -+ "secp256k1", ECCurve_Code.secp256k1); -+ ECCurve_NameToCode.put( -+ "secp224r1", ECCurve_Code.secp224r1); -+ ECCurve_NameToCode.put( -+ "nistp224", ECCurve_Code.nistp224); -+ ECCurve_NameToCode.put( -+ "secp224k1", ECCurve_Code.secp224k1); -+ ECCurve_NameToCode.put( -+ "secp192r1", ECCurve_Code.secp192r1); -+ ECCurve_NameToCode.put( -+ "nistp192", ECCurve_Code.nistp192); -+ ECCurve_NameToCode.put( -+ "secp192k1", ECCurve_Code.secp192k1); -+ ECCurve_NameToCode.put( -+ "secp160r2", ECCurve_Code.secp160r2); -+ ECCurve_NameToCode.put( -+ "secp160r1", ECCurve_Code.secp160r1); -+ ECCurve_NameToCode.put( -+ "secp160k1", ECCurve_Code.secp160k1); -+ ECCurve_NameToCode.put( -+ "secp128r2", ECCurve_Code.secp128r2); -+ ECCurve_NameToCode.put( -+ "secp128r1", ECCurve_Code.secp128r1); -+ ECCurve_NameToCode.put( -+ "secp112r2", ECCurve_Code.secp112r2); -+ ECCurve_NameToCode.put( -+ "secp112r1", ECCurve_Code.secp112r1); -+ // NIST, SEC2 Binary curves -+ ECCurve_NameToCode.put( -+ "sect571r1", ECCurve_Code.sect571r1); -+ ECCurve_NameToCode.put( -+ "nistb571", ECCurve_Code.nistb571); -+ ECCurve_NameToCode.put( -+ "sect571k1", ECCurve_Code.sect571k1); -+ ECCurve_NameToCode.put( -+ "nistk571", ECCurve_Code.nistk571); -+ ECCurve_NameToCode.put( -+ "sect409r1", ECCurve_Code.sect409r1); -+ ECCurve_NameToCode.put( -+ "nistb409", ECCurve_Code.nistb409); -+ ECCurve_NameToCode.put( -+ "sect409k1", ECCurve_Code.sect409k1); -+ ECCurve_NameToCode.put( -+ "nistk409", ECCurve_Code.nistk409); -+ ECCurve_NameToCode.put( -+ "sect283r1", ECCurve_Code.sect283r1); -+ ECCurve_NameToCode.put( -+ "nistb283", ECCurve_Code.nistb283); -+ ECCurve_NameToCode.put( -+ "sect283k1", 
ECCurve_Code.sect283k1); -+ ECCurve_NameToCode.put( -+ "nistk283", ECCurve_Code.nistk283); -+ ECCurve_NameToCode.put( -+ "sect239k1", ECCurve_Code.sect239k1); -+ ECCurve_NameToCode.put( -+ "sect233r1", ECCurve_Code.sect233r1); -+ ECCurve_NameToCode.put( -+ "nistb233", ECCurve_Code.nistb233); -+ ECCurve_NameToCode.put( -+ "sect233k1", ECCurve_Code.sect233k1); -+ ECCurve_NameToCode.put( -+ "nistk233", ECCurve_Code.nistk233); -+ ECCurve_NameToCode.put( -+ "sect193r2", ECCurve_Code.sect193r2); -+ ECCurve_NameToCode.put( -+ "sect193r1", ECCurve_Code.sect193r1); -+ ECCurve_NameToCode.put( -+ "nistb163", ECCurve_Code.nistb163); -+ ECCurve_NameToCode.put( -+ "sect163r2", ECCurve_Code.sect163r2); -+ ECCurve_NameToCode.put( -+ "sect163r1", ECCurve_Code.sect163r1); -+ ECCurve_NameToCode.put( -+ "sect163k1", ECCurve_Code.sect163k1); -+ ECCurve_NameToCode.put( -+ "nistk163", ECCurve_Code.nistk163); -+ ECCurve_NameToCode.put( -+ "sect131r2", ECCurve_Code.sect131r2); -+ ECCurve_NameToCode.put( -+ "sect131r1", ECCurve_Code.sect131r1); -+ ECCurve_NameToCode.put( -+ "sect113r2", ECCurve_Code.sect113r2); -+ ECCurve_NameToCode.put( -+ "sect113r1", ECCurve_Code.sect113r1); -+ // ANSI Prime curves -+ ECCurve_NameToCode.put( -+ "prime239v3", ECCurve_Code.prime239v3); -+ ECCurve_NameToCode.put( -+ "prime239v2", ECCurve_Code.prime239v2); -+ ECCurve_NameToCode.put( -+ "prime239v1", ECCurve_Code.prime239v1); -+ ECCurve_NameToCode.put( -+ "prime192v3", ECCurve_Code.prime192v3); -+ ECCurve_NameToCode.put( -+ "prime192v2", ECCurve_Code.prime192v2); -+ ECCurve_NameToCode.put( -+ "prime192v1", ECCurve_Code.prime192v1); -+ // ANSI Binary curves -+ ECCurve_NameToCode.put( -+ "c2pnb163v1", ECCurve_Code.c2pnb163v1); -+ ECCurve_NameToCode.put( -+ "c2pnb163v2", ECCurve_Code.c2pnb163v2); -+ ECCurve_NameToCode.put( -+ "c2pnb163v3", ECCurve_Code.c2pnb163v3); -+ ECCurve_NameToCode.put( -+ "c2pnb176v1", ECCurve_Code.c2pnb176v1); -+ ECCurve_NameToCode.put( -+ "c2tnb191v1", ECCurve_Code.c2tnb191v1); -+ 
ECCurve_NameToCode.put( -+ "c2tnb191v2", ECCurve_Code.c2tnb191v2); -+ ECCurve_NameToCode.put( -+ "c2tnb191v3", ECCurve_Code.c2tnb191v3); -+ //ECCurve_NameToCode.put( -+ // "c2onb191v4", ECCurve_Code.c2onb191v4); -+ //ECCurve_NameToCode.put( -+ // "c2onb191v5", ECCurve_Code.c2onb191v5); -+ ECCurve_NameToCode.put( -+ "c2pnb208w1", ECCurve_Code.c2pnb208w1); -+ ECCurve_NameToCode.put( -+ "c2tnb239v1", ECCurve_Code.c2tnb239v1); -+ ECCurve_NameToCode.put( -+ "c2tnb239v2", ECCurve_Code.c2tnb239v2); -+ ECCurve_NameToCode.put( -+ "c2tnb239v3", ECCurve_Code.c2tnb239v3); -+ //ECCurve_NameToCode.put( -+ // "c2onb239v4", ECCurve_Code.c2onb239v4); -+ //ECCurve_NameToCode.put( -+ // "c2onb239v5", ECCurve_Code.c2onb239v5); -+ ECCurve_NameToCode.put( -+ "c2pnb272w1", ECCurve_Code.c2pnb272w1); -+ ECCurve_NameToCode.put( -+ "c2pnb304w1", ECCurve_Code.c2pnb304w1); -+ ECCurve_NameToCode.put( -+ "c2tnb359v1", ECCurve_Code.c2tnb359v1); -+ ECCurve_NameToCode.put( -+ "c2pnb368w1", ECCurve_Code.c2pnb368w1); -+ ECCurve_NameToCode.put( -+ "c2tnb431r1", ECCurve_Code.c2tnb431r1); -+ } -+ - // opFlag constants: each of these flags specifies a crypto operation - // the key will support. Their values must match the same-named C - // preprocessor macros defined in the PKCS #11 header pkcs11t.h. 
-@@ -165,7 +406,15 @@ public final class PK11KeyPairGenerator - } - } else { - Assert._assert( algorithm == KeyPairAlgorithm.EC ); -- params = getCurve(strength); -+ if (strength < 112) { -+ // for EC, "strength" is actually a code for curves defined in -+ // ECCurve_Code -+ params = getECCurve(strength); -+ } else { -+ // this is the old method of strength to curve mapping, -+ // which is somewhat defective -+ params = getCurve(strength); -+ } - } - } - -@@ -642,6 +891,189 @@ public final class PK11KeyPairGenerator - static final OBJECT_IDENTIFIER CURVE_SECG_T571R1 - = SECG_EC_CURVE.subBranch(39); - -+ // the EC curvecode to oid hash table -+ private static Hashtable mECCurve_CodeToCurve = new Hashtable(); -+ static { -+ // SEG Prime curves -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp521r1.ordinal(), (Object) CURVE_SECG_P521R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistp521.ordinal(), (Object) CURVE_SECG_P521R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp384r1.ordinal(), (Object) CURVE_SECG_P384R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistp384.ordinal(), (Object) CURVE_SECG_P384R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp256r1.ordinal(), (Object) CURVE_ANSI_P256V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistp256.ordinal(), (Object) CURVE_ANSI_P256V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp256k1.ordinal(), (Object) CURVE_SECG_P256K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp224r1.ordinal(), (Object) CURVE_SECG_P224R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistp224.ordinal(), (Object) CURVE_SECG_P224R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp224k1.ordinal(), (Object) CURVE_SECG_P224K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp192r1.ordinal(), (Object) CURVE_ANSI_P192V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistp192.ordinal(), (Object) CURVE_ANSI_P192V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp192k1.ordinal(), (Object) CURVE_SECG_P192K1); -+ 
mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp160r2.ordinal(), (Object) CURVE_SECG_P160R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp160r1.ordinal(), (Object) CURVE_SECG_P160R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp160k1.ordinal(), (Object) CURVE_SECG_P160K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp128r2.ordinal(), (Object) CURVE_SECG_P128R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp128r1.ordinal(), (Object) CURVE_SECG_P128R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp112r2.ordinal(), (Object) CURVE_SECG_P112R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.secp112r1.ordinal(), (Object) CURVE_SECG_P112R1); -+ // SEG Binary curves -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect571r1.ordinal(), (Object) CURVE_SECG_T571R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistb571.ordinal(), (Object) CURVE_SECG_T571R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect571k1.ordinal(), (Object) CURVE_SECG_T571K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistk571.ordinal(), (Object) CURVE_SECG_T571K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect409r1.ordinal(), (Object) CURVE_SECG_T409R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistb409.ordinal(), (Object) CURVE_SECG_T409R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect409k1.ordinal(), (Object) CURVE_SECG_T409K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistk409.ordinal(), (Object) CURVE_SECG_T409K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect283r1.ordinal(), (Object) CURVE_SECG_T283R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistb283.ordinal(), (Object) CURVE_SECG_T283R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect283k1.ordinal(), (Object) CURVE_SECG_T283K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistk283.ordinal(), (Object) CURVE_SECG_T283K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect239k1.ordinal(), (Object) CURVE_SECG_T239K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect233r1.ordinal(), (Object) 
CURVE_SECG_T233R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistb233.ordinal(), (Object) CURVE_SECG_T233R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect233k1.ordinal(), (Object) CURVE_SECG_T233K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistk233.ordinal(), (Object) CURVE_SECG_T233K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect193r2.ordinal(), (Object) CURVE_SECG_T193R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect193r1.ordinal(), (Object) CURVE_SECG_T193R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistb163.ordinal(), (Object) CURVE_SECG_T163K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect163r2.ordinal(), (Object) CURVE_SECG_T163R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect163r1.ordinal(), (Object) CURVE_SECG_T163R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect163k1.ordinal(), (Object) CURVE_SECG_T163K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.nistk163.ordinal(), (Object) CURVE_SECG_T163K1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect131r2.ordinal(), (Object) CURVE_SECG_T131R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect131r1.ordinal(), (Object) CURVE_SECG_T131R1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect113r2.ordinal(), (Object) CURVE_SECG_T113R2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.sect113r1.ordinal(), (Object) CURVE_SECG_T113R1); -+ // ANSI Prime curves -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.prime239v3.ordinal(), (Object) CURVE_ANSI_P239V3); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.prime239v2.ordinal(), (Object) CURVE_ANSI_P239V2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.prime239v1.ordinal(), (Object) CURVE_ANSI_P239V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.prime192v3.ordinal(), (Object) CURVE_ANSI_P192V3); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.prime192v2.ordinal(), (Object) CURVE_ANSI_P192V2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.prime192v1.ordinal(), (Object) CURVE_ANSI_P192V1); -+ // ANSI Binary curves -+ mECCurve_CodeToCurve.put( 
-+ ECCurve_Code.c2pnb163v1.ordinal(), (Object) CURVE_ANSI_PNB163V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb163v2.ordinal(), (Object) CURVE_ANSI_PNB163V2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb163v3.ordinal(), (Object) CURVE_ANSI_PNB163V3); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb176v1.ordinal(), (Object) CURVE_ANSI_PNB176V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb191v1.ordinal(), (Object) CURVE_ANSI_TNB191V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb191v2.ordinal(), (Object) CURVE_ANSI_TNB191V2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb191v3.ordinal(), (Object) CURVE_ANSI_TNB191V3); -+ //mECCurve_CodeToCurve.put( -+ // ECCurve_Code.c2onb191v4.ordinal(), (Object) CURVE_ANSI_ONB191V4); -+ //mECCurve_CodeToCurve.put( -+ // ECCurve_Code.c2onb191v5.ordinal(), (Object) CURVE_ANSI_ONB191V5); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb208w1.ordinal(), (Object) CURVE_ANSI_PNB208W1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb239v1.ordinal(), (Object) CURVE_ANSI_TNB239V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb239v2.ordinal(), (Object) CURVE_ANSI_TNB239V2); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb239v3.ordinal(), (Object) CURVE_ANSI_TNB239V3); -+ //mECCurve_CodeToCurve.put( -+ // ECCurve_Code.c2onb239v4.ordinal(), (Object) CURVE_ANSI_ONB239V4); -+ //mECCurve_CodeToCurve.put( -+ // ECCurve_Code.c2onb239v5.ordinal(), (Object) CURVE_ANSI_ONB239V5); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb272w1.ordinal(), (Object) CURVE_ANSI_PNB272W1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb304w1.ordinal(), (Object) CURVE_ANSI_PNB304W1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb359v1.ordinal(), (Object) CURVE_ANSI_TNB359V1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2pnb368w1.ordinal(), (Object) CURVE_ANSI_PNB368W1); -+ mECCurve_CodeToCurve.put( -+ ECCurve_Code.c2tnb431r1.ordinal(), (Object) CURVE_ANSI_TNB431R1); -+ } -+ -+ public int getCurveCodeByName(String 
curveName) -+ throws InvalidParameterException { -+ if (curveName == null) -+ throw new InvalidParameterException(); -+ ECCurve_Code c = (ECCurve_Code) ECCurve_NameToCode.get(curveName); -+ if (c == null) -+ throw new InvalidParameterException(curveName); -+ return c.ordinal(); -+ } -+ -+ /* -+ * getECCurve -+ * maps curvecode to the actual oid of the curve and -+ * returns the PK11ParameterSpec -+ */ -+ private AlgorithmParameterSpec getECCurve(int curvecode) -+ throws InvalidParameterException -+ { -+ OBJECT_IDENTIFIER oid; -+ -+ oid = (OBJECT_IDENTIFIER) mECCurve_CodeToCurve.get(curvecode); -+ if (oid == null) -+ throw new IllegalArgumentException("curvecode ="+curvecode); -+ return new PK11ParameterSpec(ASN1Util.encode(oid)); -+ } -+ - private AlgorithmParameterSpec getCurve(int strength) - throws InvalidParameterException - { diff --git a/SOURCES/jss-Fixed-build-failures.patch b/SOURCES/jss-Fixed-build-failures.patch deleted file mode 100644 index af11010..0000000 --- a/SOURCES/jss-Fixed-build-failures.patch +++ /dev/null 
@@ -1,349 +0,0 @@ -From 22092d1bde94dc8a1f6e8198fa2fcc597c36c32f Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 9 Dec 2015 00:30:50 +0100 -Subject: [PATCH] Fixed build failures. - -The Javadoc on various classes have been modified to fix build -failures on F23 and Rawhide due to stringent requirements on -those platforms. - -The Debug_debug.jnot has been renamed to Debug.java to fix build -failure in Eclipse. - -https://bugzilla.redhat.com/show_bug.cgi?id=1289799 ---- - .classpath | 7 +++++++ - .project | 17 +++++++++++++++++ - mozilla/security/jss/build_java.pl | 2 +- - mozilla/security/jss/org/mozilla/jss/CryptoManager.java | 14 +++++++------- - .../security/jss/org/mozilla/jss/asn1/ASN1Header.java | 2 +- - .../security/jss/org/mozilla/jss/pkcs11/PK11Token.java | 2 +- - .../security/jss/org/mozilla/jss/pkcs12/CertBag.java | 1 + - .../security/jss/org/mozilla/jss/pkcs7/ContentInfo.java | 1 - - .../security/jss/org/mozilla/jss/pkcs7/SignerInfo.java | 17 ++++++++++------- - .../jss/org/mozilla/jss/pkix/cms/ContentInfo.java | 1 - - .../jss/org/mozilla/jss/pkix/cms/SignerInfo.java | 17 ++++++++++------- - .../jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java | 2 +- - .../jss/org/mozilla/jss/ssl/SSLServerSocket.java | 3 --- - .../mozilla/jss/util/{Debug_debug.jnot => Debug.java} | 0 - 14 files changed, 56 insertions(+), 30 deletions(-) - create mode 100644 .classpath - create mode 100644 .project - rename mozilla/security/jss/org/mozilla/jss/util/{Debug_debug.jnot => Debug.java} (100%) - -diff --git a/.classpath b/.classpath -new file mode 100644 -index 0000000000000000000000000000000000000000..df092d3f7d8df936b753bea75c11bf4003e1a77f ---- /dev/null -+++ b/.classpath -@@ -0,0 +1,7 @@ -+ -+ -+ -+ -+ -+ -+ -diff --git a/.project b/.project -new file mode 100644 -index 0000000000000000000000000000000000000000..c0b616e95c7512076c9976374bda14e11d7cdd8c ---- /dev/null -+++ b/.project -@@ -0,0 +1,17 @@ -+ -+ -+ jss-4.2 -+ -+ -+ -+ -+ -+ 
org.eclipse.jdt.core.javabuilder -+ -+ -+ -+ -+ -+ org.eclipse.jdt.core.javanature -+ -+ -diff --git a/mozilla/security/jss/build_java.pl b/mozilla/security/jss/build_java.pl -index c34473e0eec883323b6b100e671018a9edafe442..379a5e05dbc0599c95d2228bd14f659d3e493d0b 100644 ---- a/mozilla/security/jss/build_java.pl -+++ b/mozilla/security/jss/build_java.pl -@@ -137,7 +137,7 @@ sub setup_vars { - $class_jar = "$dist_dir/$cmdline_vars{XPCLASS_DBG_JAR}"; - $class_release_dir .= "/$cmdline_vars{SOURCE_RELEASE_CLASSES_DBG_DIR}"; - $javac_opt_flag = "-g"; -- $debug_source_file = "org/mozilla/jss/util/Debug_debug.jnot"; -+ $debug_source_file = "org/mozilla/jss/util/Debug.java"; - } - $jni_header_dir = "$dist_dir/private/jss/_jni"; - -diff --git a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java -index 08aad8fe3c3a62ae8e233fc1035723690adf4581..6ef0256a3b777db48461f19da0fa64ec7857ed6b 100644 ---- a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java -+++ b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java -@@ -600,7 +600,7 @@ public final class CryptoManager implements TokenSupplier - * loaded cryptographic modules for the token. - * - * @param name The name of the token. -- * @exception org.mozilla.jss.crypto.NoSuchTokenException If no token -+ * @exception NoSuchTokenException If no token - * is found with the given name. - */ - public synchronized CryptoToken getTokenByName(String name) -@@ -855,9 +855,9 @@ public final class CryptoManager implements TokenSupplier - * initialize(). - * - * @param configDir The directory containing the security databases. -- * @exception org.mozilla.jss.util.KeyDatabaseException Unable to open -+ * @exception KeyDatabaseException Unable to open - * the key database, or it was currupted. -- * @exception org.mozilla.jss.util.CertDatabaseException Unable -+ * @exception CertDatabaseException Unable - * to open the certificate database, or it was currupted. 
- **/ - public static synchronized void initialize( String configDir ) -@@ -878,9 +878,9 @@ public final class CryptoManager implements TokenSupplier - * initialize(). - * - * @param values The options with which to initialize CryptoManager. -- * @exception org.mozilla.jss.util.KeyDatabaseException Unable to open -+ * @exception KeyDatabaseException Unable to open - * the key database, or it was currupted. -- * @exception org.mozilla.jss.util.CertDatabaseException Unable -+ * @exception CertDatabaseException Unable - * to open the certificate database, or it was currupted. - **/ - public static synchronized void initialize( InitializationValues values ) -@@ -1021,7 +1021,7 @@ public final class CryptoManager implements TokenSupplier - * @return The leaf certificate from the chain. - * @exception CertificateEncodingException If the package encoding - * was not recognized. -- * @exception CertificateNicknameConflictException If the leaf certificate -+ * @exception NicknameConflictException If the leaf certificate - * is a user certificate, and another certificate already has the - * given nickname. - * @exception UserCertConflictException If the leaf certificate -@@ -1059,7 +1059,7 @@ public final class CryptoManager implements TokenSupplier - * @return The leaf certificate from the chain. - * @exception CertificateEncodingException If the package encoding - * was not recognized. -- * @exception CertificateNicknameConflictException If the leaf certificate -+ * @exception NicknameConflictException If the leaf certificate - * another certificate already has the given nickname. - * @exception UserCertConflictException If the leaf certificate - * has already been imported. 
-diff --git a/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java b/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java -index bfa37c9f5eba1c5df9bb275cad16c1bf57c9c65d..d15be4922b52d16a25e3212b2b25809cd7ddf3b6 100644 ---- a/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java -+++ b/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java -@@ -259,7 +259,7 @@ public class ASN1Header { - /** - * This constructor is to be called when we are constructing an ASN1Value - * rather than decoding it. -- * @param contentLength Must be >=0. Although indefinite length -+ * @param contentLength Must be >=0. Although indefinite length - * decoding is supported, indefinite length encoding - * is not. - */ -diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java b/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java -index e521b6108b90daeb7035413bba50a41e9b20ec49..98e93f0e858b09402364b4dc89c36a63e7ef0f7b 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java -@@ -236,7 +236,7 @@ public final class PK11Token implements CryptoToken { - * - * @param ssopwcb The security officer's current password callback. - * @param userpwcb The user's new password callback. -- * @exception IncorrectPinException If the security officer PIN is -+ * @exception IncorrectPasswordException If the security officer PIN is - * incorrect. - * @exception TokenException If the PIN was already initialized, - * or there was an unspecified error in the token. -diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java b/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java -index a1b08d2e9ee9dfcb4ee809e101f3074611664384..61ad979d65d5ecc6659281218c58e8ec9a48211c 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java -@@ -91,6 +91,7 @@ public class CertBag implements ASN1Value { - *
  • If the type is SDSI_CERT_TYPE, returns - * an IA5String. - *
  • For all other types, returns an ANY. -+ * - * - * @exception InvalidBERException If the cert is not encoded correctly. - */ -diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java b/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java -index 4db7a42c75cc21d71841e20dcb9a4c1494ff08c2..4578e9bcd8abdb4e7b6717b07aee932dd887d675 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java -@@ -169,7 +169,6 @@ public class ContentInfo implements ASN1Value { - * an OCTET_STRING will be returned. - *

    If the contentType is not one of the six standard types, - * the returned object will be an ANY. -- * - */ - public ASN1Value getInterpretedContent() throws InvalidBERException { - if(contentType.equals(DATA)) { -diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java b/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java -index 300e993cffd9dcadaf996609abeebf8627eafde8..c49107c80543ec94fbb3117a1a9a1088f851a6b3 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java -@@ -129,7 +129,7 @@ public class SignerInfo implements ASN1Value { - /** - * Retrieves the DigestAlgorithm used in this SignerInfo. - * -- * @exception NoSuchAlgorithm If the algorithm is not recognized by JSS. -+ * @exception NoSuchAlgorithmException If the algorithm is not recognized by JSS. - */ - public DigestAlgorithm getDigestAlgorithm() - throws NoSuchAlgorithmException -@@ -402,10 +402,12 @@ public class SignerInfo implements ASN1Value { - /** - * Verifies that this SignerInfo contains a valid signature of the - * given message digest. If any authenticated attributes are present, -- * they are also validated. The verification algorithm is as follows:

      -- *

      Note that this does not verify the validity of the -- * the certificate itself, only the signature. -+ * they are also validated. The verification algorithm is as follows: - * -+ * Note that this does not verify the validity of the -+ * the certificate itself, only the signature. -+ * -+ *

        - *
      • If no authenticated attributes are present, the content type is - * verified to be data. Then it is verified that the message - * digest passed -@@ -413,24 +415,25 @@ public class SignerInfo implements ASN1Value { - * digest in the SignerInfo. - * - *
      • If authenticated attributes are present, -- * two particular attributes must be present:
          -+ * two particular attributes must be present: -+ *
            - *
          • PKCS #9 Content-Type, the type of content that is being signed. - * This must match the contentType parameter. - *
          • PKCS #9 Message-Digest, the digest of the content that is being - * signed. This must match the messageDigest parameter. - *
          -+ * - * After these two attributes are verified to be both present and correct, - * the encryptedDigest field of the SignerInfo is verified to be the - * signature of the contents octets of the DER encoding of the - * authenticatedAttributes field. -- * - *
        - * - * @param messageDigest The hash of the content that is signed by this - * SignerInfo. - * @param contentType The type of the content that is signed by this - * SignerInfo. -- * @exception NoSuchObjectException If no certificate matching the -+ * @exception ObjectNotFoundException If no certificate matching the - * the issuer name and serial number can be found. - */ - public void verify(byte[] messageDigest, OBJECT_IDENTIFIER contentType) -diff --git a/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java b/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java -index 91ae770c94b3a8817c13e4cb86609c432ef682b8..9f61e605b416dffc38525ccec4dcce9f380c7dcc 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java -@@ -168,7 +168,6 @@ public class ContentInfo implements ASN1Value { - * an OCTET_STRING will be returned. - *

        If the contentType is not one of the six standard types, - * the returned object will be an ANY. -- *

      - */ - public ASN1Value getInterpretedContent() throws InvalidBERException { - if(contentType.equals(DATA)) { -diff --git a/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java b/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java -index ff34a554e4d5f43b6ce18acfac01899858d62117..e7feb934dc0a78fbc40a6ff7d8db87f0af9177fe 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java -@@ -130,7 +130,7 @@ public class SignerInfo implements ASN1Value { - /** - * Retrieves the DigestAlgorithm used in this SignerInfo. - * -- * @exception NoSuchAlgorithm If the algorithm is not recognized by JSS. -+ * @exception NoSuchAlgorithmException If the algorithm is not recognized by JSS. - */ - public DigestAlgorithm getDigestAlgorithm() - throws NoSuchAlgorithmException -@@ -403,10 +403,12 @@ public class SignerInfo implements ASN1Value { - /** - * Verifies that this SignerInfo contains a valid signature of the - * given message digest. If any signed attributes are present, -- * they are also validated. The verification algorithm is as follows:
        -- *

        Note that this does not verify the validity of the -- * the certificate itself, only the signature. -+ * they are also validated. The verification algorithm is as follows: - * -+ * Note that this does not verify the validity of the -+ * the certificate itself, only the signature. -+ * -+ *

          - *
        • If no signed attributes are present, the content type is - * verified to be data. Then it is verified that the message - * digest passed -@@ -414,24 +416,25 @@ public class SignerInfo implements ASN1Value { - * digest in the SignerInfo. - * - *
        • If signed attributes are present, -- * two particular attributes must be present:
            -+ * two particular attributes must be present: -+ *
              - *
            • PKCS #9 Content-Type, the type of content that is being signed. - * This must match the contentType parameter. - *
            • PKCS #9 Message-Digest, the digest of the content that is being - * signed. This must match the messageDigest parameter. - *
            -+ * - * After these two attributes are verified to be both present and correct, - * the encryptedDigest field of the SignerInfo is verified to be the - * signature of the contents octets of the DER encoding of the - * signedAttributes field. -- * - *
          - * - * @param messageDigest The hash of the content that is signed by this - * SignerInfo. - * @param contentType The type of the content that is signed by this - * SignerInfo. -- * @exception NoSuchObjectException If no certificate matching the -+ * @exception ObjectNotFoundException If no certificate matching the - * the issuer name and serial number can be found. - */ - public void verify(byte[] messageDigest, OBJECT_IDENTIFIER contentType) -diff --git a/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java b/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java -index 53d162b69673caeed3e998dc9c2e221b95dfc6db..c6637039c87043f36dd1a1e449a819edbcc816e3 100644 ---- a/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java -+++ b/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java -@@ -112,7 +112,7 @@ public class CertReqMsg implements ASN1Value { - - /** - * Constructs a CertReqmsg from a CertRequest and, optionally, -- * a pop>/i> and a regInfo. -+ * a pop and a regInfo. - * @param pop May be NULL. - * @param regInfo May be NULL. 
- */ -diff --git a/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java b/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java -index 2043a598cf3e8d023287c0f7142045c1e4f68e4d..58d14496e5ad92aa91a966e119e14f470da4fd4a 100644 ---- a/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java -+++ b/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java -@@ -174,9 +174,6 @@ public class SSLServerSocket extends java.net.ServerSocket { - * @return java.net.Socket Local socket for client communication - * - * @throws IOException If an input or output exception occurred -- * @throws SocketTimeoutException If the socket timesout trying to connect -- * @throws InterruptedIOException If an input or output is interrupted -- * @throws SSLSocketException JSS subclass of java.net.SocketException - */ - public Socket accept() throws IOException { - synchronized (acceptLock) { -diff --git a/mozilla/security/jss/org/mozilla/jss/util/Debug_debug.jnot b/mozilla/security/jss/org/mozilla/jss/util/Debug.java -similarity index 100% -rename from mozilla/security/jss/org/mozilla/jss/util/Debug_debug.jnot -rename to mozilla/security/jss/org/mozilla/jss/util/Debug.java --- -2.4.3 - diff --git a/SOURCES/jss-HSM-manufacturerID.patch b/SOURCES/jss-HSM-manufacturerID.patch deleted file mode 100644 index 2a7bdff..0000000 --- a/SOURCES/jss-HSM-manufacturerID.patch +++ /dev/null 
@@ -1,62 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu 2011-11-10 17:18:02.706421000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-11-10 17:18:23.370442000 -0800
-@@ -195,7 +195,8 @@ JSS_PK11_generateKeyPairWithOpFlags(JNIE
- }
- PR_GetErrorText(errBuf);
- }
-- msgBuf = PR_smprintf("Keypair Generation failed on token: %s",
-+ msgBuf = PR_smprintf("Keypair Generation failed on token with error: %d : %s",
-+ PR_GetError(),
- errLength>0? errBuf : "");
- if(errLength>0) {
- PR_Free(errBuf);
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-11-10 17:18:10.767429000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-11-10 17:52:34.703491000 -0800
-@@ -334,32 +334,36 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- PRBool isExtractable = PR_FALSE;
-
- /* special case nethsm and lunasa*/
-- CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
-- CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'};
-+ const int numManufacturerIDchars = 7;
-+ CK_UTF8CHAR nethsmManufacturerID[] = {'n','C','i','p','h','e','r'};
-+ CK_UTF8CHAR lunasaManufacturerID[] = {'S','a','f','e','n','e','t'};
- PRBool isNethsm = PR_TRUE;
- PRBool isLunasa = PR_TRUE;
-
-+ tokenInfo.manufacturerID[0] = 0;
-+
- if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
- /* exception was thrown */
- goto finish;
- }
-
-- if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) {
-+ if ( (PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) &&
-+ (tokenInfo.manufacturerID[0] != 0)) {
- int ix = 0;
-- for(ix=0; ix < 4; ix++) {
-- if (tokenInfo.label[ix] != nethsmLabel[ix]) {
-+
-+ for(ix=0; ix < numManufacturerIDchars; ix++) {
-+ if (tokenInfo.manufacturerID[ix] != nethsmManufacturerID[ix]) {
- isNethsm = PR_FALSE;
- break;
- }
- }
-- ix = 0;
-- for(ix=0; ix < 4; ix++) {
-- if (tokenInfo.label[ix] != lunasaLabel[ix]) {
-+
-+ for(ix=0; ix < numManufacturerIDchars; ix++) {
-+ if (tokenInfo.manufacturerID[ix] != lunasaManufacturerID[ix]) {
- isLunasa = PR_FALSE;
- break;
- }
- }
--
- } else {
- isNethsm = PR_FALSE;
- isLunasa = PR_FALSE;
diff --git a/SOURCES/jss-PBE-PKCS5-V2-secure-P12.patch b/SOURCES/jss-PBE-PKCS5-V2-secure-P12.patch
deleted file mode 100644
index 068e4d7..0000000
--- a/SOURCES/jss-PBE-PKCS5-V2-secure-P12.patch
+++ /dev/null
@@ -1,328 +0,0 @@
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.old 2011-09-23 10:14:24.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-22 18:39:15.000000000 -0700
-@@ -111,6 +111,9 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
- /* 48 */ {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG},
- /* 49 */ {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG},
- /* 50 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
-+/* 51 */ {SEC_OID_PKCS5_PBKDF2, SEC_OID_TAG},
-+/* 52 */ {SEC_OID_PKCS5_PBES2, SEC_OID_TAG},
-+/* 53 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG},
- /* REMEMBER TO UPDATE NUM_ALGS!!! */
- };
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.old 2011-09-23 10:14:08.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2011-09-22 20:31:12.000000000 -0700
-@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
- JSS_AlgType type;
- } JSS_AlgInfo;
-
--#define NUM_ALGS 51
-+#define NUM_ALGS 54
-
- extern JSS_AlgInfo JSS_AlgTable[];
- extern CK_ULONG JSS_symkeyUsage[];
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.old 2011-09-23 10:14:42.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2011-09-22 18:39:15.000000000 -0700
-@@ -233,5 +233,9 @@ public class Algorithm {
- protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
- protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
- protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50;
-+ //PKCS5 V2
-+ protected static final short SEC_OID_PKCS5_PBKDF2=51;
-+ protected static final short SEC_OID_PKCS5_PBES2=52;
-+ protected static final short SEC_OID_PKCS5_PBMAC1=53;
-
- }
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java.old ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java.old 2011-09-23 10:15:04.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java 2011-09-22 18:39:15.000000000 -0700
-@@ -93,6 +93,27 @@ public class PBEAlgorithm extends KeyGen
- ///////////////////////////////////////////////////////////////////////
-
- //////////////////////////////////////////////////////////////
-+ // PKCS 5 v2
-+ public static final PBEAlgorithm
-+ PBE_PKCS5_PBKDF2 = new PBEAlgorithm(
-+ SEC_OID_PKCS5_PBKDF2, "PBKDF2", 128,
-+ PKCS5.subBranch(12), EncryptionAlgorithm.AES_128_CBC, 8 );
-+
-+ //////////////////////////////////////////////////////////////
-+ // PKCS 5 v2
-+ public static final PBEAlgorithm
-+ PBE_PKCS5_PBES2 = new PBEAlgorithm(
-+ SEC_OID_PKCS5_PBES2, "PBES2", 128,
-+ PKCS5.subBranch(13), EncryptionAlgorithm.AES_128_CBC, 8 );
-+
-+ //////////////////////////////////////////////////////////////
-+ // PKCS 5 v2
-+ public static final PBEAlgorithm
-+ PBE_PKCS5_PBMAC1 = new PBEAlgorithm(
-+ SEC_OID_PKCS5_PBMAC1, "PBMAC1", 128,
-+ PKCS5.subBranch(14), EncryptionAlgorithm.AES_128_CBC, 8 );
-+
-+ //////////////////////////////////////////////////////////////
- public static final PBEAlgorithm
- PBE_MD2_DES_CBC = new PBEAlgorithm(
- SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC, "PBE/MD2/DES/CBC", 56,
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.old 2011-09-23 10:12:09.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-09-27 10:35:19.000000000 -0700
-@@ -324,7 +324,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
- }
- /* print_secitem(pwitem); */
-
--
- mech = JSS_getPK11MechFromAlg(env, alg);
-
- if( mech == CKM_PBA_SHA1_WITH_SHA1_HMAC ) {
-@@ -344,7 +343,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
- PR_ASSERT(oidTag != SEC_OID_UNKNOWN);
-
- /* create algid */
-- algid = PK11_CreatePBEAlgorithmID(oidTag, iterationCount, salt);
-+ algid = PK11_CreatePBEV2AlgorithmID(
-+ oidTag,
-+ SEC_OID_DES_EDE3_CBC,
-+ SEC_OID_HMAC_SHA1,
-+ 168/8,
-+ iterationCount,
-+ salt);
-+
- if( algid == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION,
- "Unable to process PBE parameters");
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.old 2011-09-25 15:43:52.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-09-27 21:16:06.000000000 -0700
-@@ -324,14 +324,34 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- SECItem *wrapped=NULL, *iv=NULL, *param=NULL, *pubValue=NULL;
- SECItem label; /* empty secitem, doesn't need to be freed */
- PRBool token;
-- CK_ATTRIBUTE_TYPE attribs[4];
-- int numAttribs;
-+ CK_ATTRIBUTE_TYPE attribs[4] = {0, 0, 0, 0};
-+ int numAttribs = 0;
-+ CK_TOKEN_INFO tokenInfo;
-+
-+ PRBool isSensitive = PR_TRUE;
-+ PRBool isExtractable = PR_FALSE;
-+ /* special case nethsm*/
-+ CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
-+ PRBool isNethsm = PR_TRUE;
-
- if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
- /* exception was thrown */
- goto finish;
- }
-
-+ if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) {
-+ int ix = 0;
-+ for(ix=0; ix < 4; ix++) {
-+ if (tokenInfo.label[ix] != nethsmLabel[ix]) {
-+ isNethsm = PR_FALSE;
-+ break;
-+ }
-+ }
-+
-+ } else {
-+ isNethsm = PR_FALSE;
-+ }
-+
- /* get unwrapping key */
- if( JSS_PK11_getSymKeyPtr(env, unwrapperObj, &unwrappingKey)
- != PR_SUCCESS) {
-@@ -392,14 +412,24 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- }
- keyType = PK11_GetKeyType(keyTypeMech, 0);
-
-+ if( isNethsm ) {
-+ isSensitive = PR_FALSE;
-+ isExtractable = PR_FALSE;
-+ }
-+
-+setAttrs:
- /* figure out which operations to enable for this key */
- switch (keyType) {
- case CKK_RSA:
- attribs[0] = CKA_SIGN;
-- attribs[1] = CKA_DECRYPT;
-- attribs[2] = CKA_SIGN_RECOVER;
-- attribs[3] = CKA_UNWRAP;
-- numAttribs = 4;
-+ attribs[1] = CKA_SIGN_RECOVER;
-+ attribs[2] = CKA_UNWRAP;
-+ if (isExtractable) {
-+ attribs[3] = CKA_EXTRACTABLE;
-+ numAttribs = 4;
-+ } else {
-+ numAttribs = 3;
-+ }
- break;
- case CKK_DSA:
- attribs[0] = CKA_SIGN;
-@@ -426,7 +456,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
-
- /* perform the unwrap */
- privk = PK11_UnwrapPrivKey(slot, unwrappingKey, wrapType, param, wrapped,
-- &label, pubValue, token, PR_TRUE /*sensitive*/, keyType,
-+ &label, pubValue, token, isSensitive /*sensitive*/, keyType,
- attribs, numAttribs, NULL /*wincx*/);
- if( privk == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token");
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.old 2011-09-27 15:16:52.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2011-09-27 17:01:18.000000000 -0700
-@@ -190,21 +190,23 @@ final class PK11KeyWrapper implements Ke
- if( key==null ) {
- throw new InvalidKeyException("Key is null");
- }
-- if( ! key.getOwningToken().equals(token) ) {
-- throw new InvalidKeyException("Key does not reside on the "+
-- "current token");
-- }
-- if( ! (key instanceof PK11SymKey) ) {
-- throw new InvalidKeyException("Key is not a PKCS #11 key");
-- }
- try {
-+ if( ! key.getOwningToken().equals(token) ) {
-+ throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
-+ key.getOwningToken().getName());
-+ }
-+ if( ! (key instanceof PK11SymKey) ) {
-+ throw new InvalidKeyException("Key is not a PKCS #11 key");
-+ }
- if( ((PK11SymKey)key).getKeyType() !=
-- KeyType.getKeyTypeFromAlgorithm(algorithm) ) {
-- throw new InvalidKeyException("Key is not the right type for"+
-+ KeyType.getKeyTypeFromAlgorithm(algorithm) ) {
-+ throw new InvalidKeyException("Key is not the right type for"+
- " this algorithm");
- }
- } catch( NoSuchAlgorithmException e ) {
- Assert.notReached("Unknown algorithm");
-+ } catch (Exception e) {
-+ Assert.notReached("Exception:"+ e.toString());
- }
- }
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.old 2011-09-23 10:12:29.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-09-23 08:54:19.000000000 -0700
-@@ -106,10 +106,13 @@ public final class PK11Token implements
- getKeyGenerator(KeyGenAlgorithm algorithm)
- throws NoSuchAlgorithmException, TokenException
- {
-+/* NSS is capable of finding the right token to do algorithm,
-+ so this call is prematurely bailing
- if( ! doesAlgorithm(algorithm) ) {
- throw new NoSuchAlgorithmException(
- algorithm+" is not supported by this token");
- }
-+*/
- return new PK11KeyGenerator(this, algorithm);
- }
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.old ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
---- ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.old 2011-09-23 10:42:06.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java 2011-09-27 14:31:41.000000000 -0700
-@@ -43,6 +43,7 @@ import org.mozilla.jss.util.Assert;
- import java.security.*;
- import org.mozilla.jss.CryptoManager;
- import org.mozilla.jss.util.Password;
-+import org.mozilla.jss.crypto.PrivateKey;
- import java.security.spec.AlgorithmParameterSpec;
-
- /**
-@@ -184,6 +185,89 @@ public class EncryptedPrivateKeyInfo imp
- return null;
- }
-
-+
-+ /**
-+ * Creates a new EncryptedPrivateKeyInfo, where the data is encrypted
-+ * with a password-based key-
-+ * with wrapping/unwrapping happening on token.
-+ *
-+ * @param keyGenAlg The algorithm for generating a symmetric key from
-+ * a password, salt, and iteration count.
-+ * @param password The password to use in generating the key.
-+ * @param salt The salt to use in generating the key.
-+ * @param iterationCount The number of hashing iterations to perform
-+ * while generating the key.
-+ * @param charToByteConverter The mechanism for converting the characters
-+ * in the password into bytes. If null, the default mechanism
-+ * will be used, which is UTF8.
-+ * @param pri The PrivateKey to be encrypted and stored in the
-+ * EncryptedContentInfo.
-+ */
-+ public static EncryptedPrivateKeyInfo
-+ createPBE(PBEAlgorithm keyGenAlg, Password password, byte[] salt,
-+ int iterationCount,
-+ KeyGenerator.CharToByteConverter charToByteConverter,
-+ PrivateKey pri, CryptoToken token)
-+ throws CryptoManager.NotInitializedException, NoSuchAlgorithmException,
-+ InvalidKeyException, InvalidAlgorithmParameterException, TokenException,
-+ CharConversionException
-+ {
-+ try {
-+
-+ // check key gen algorithm
-+
-+ if( ! (keyGenAlg instanceof PBEAlgorithm) ) {
-+ throw new NoSuchAlgorithmException("Key generation algorithm"+
-+ " is not a PBE algorithm");
-+ }
-+
-+ PBEAlgorithm pbeAlg = (PBEAlgorithm) keyGenAlg;
-+
-+ // generate key
-+
-+ KeyGenerator kg = token.getKeyGenerator( keyGenAlg );
-+ PBEKeyGenParams pbekgParams = new PBEKeyGenParams(
-+ password, salt, iterationCount);
-+ if( charToByteConverter != null ) {
-+ kg.setCharToByteConverter( charToByteConverter );
-+ }
-+ kg.initialize(pbekgParams);
-+ kg.temporaryKeys(true);
-+ SymmetricKey key = kg.generate();
-+
-+ // generate IV
-+ EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
-+ AlgorithmParameterSpec params=null;
-+ if( encAlg.getParameterClass().equals( IVParameterSpec.class ) ) {
-+ params = new IVParameterSpec( kg.generatePBE_IV() );
-+ }
-+
-+ KeyWrapper wrapper = token.getKeyWrapper(
-+ KeyWrapAlgorithm.DES3_CBC);
-+ wrapper.initWrap(key, params);
-+ byte encrypted[] = wrapper.wrap(pri);
-+
-+ // make encryption algorithm identifier
-+ PBEParameter pbeParam = new PBEParameter( salt, iterationCount );
-+ AlgorithmIdentifier encAlgID = new AlgorithmIdentifier(
-+ keyGenAlg.toOID(), pbeParam);
-+
-+ // create EncryptedPrivateKeyInfo
-+ EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo (
-+ encAlgID,
-+ new OCTET_STRING(encrypted) );
-+
-+ return epki;
-+
-+ } catch (Exception e) {
-+ Assert.notReached("EncryptedPrivateKeyInfo exception:"
-+ +".createPBE");
-+ }
-+
-+ return null;
-+ }
-+
-+
- /**
- * Decrypts an EncryptedPrivateKeyInfo that was encrypted with a PBE
- * algorithm. The algorithm and its parameters are extracted from
diff --git a/SOURCES/jss-PKCS12-FIPS.patch b/SOURCES/jss-PKCS12-FIPS.patch
deleted file mode 100644
index b2aa854..0000000
--- a/SOURCES/jss-PKCS12-FIPS.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix 2011-08-15 15:39:56.633158000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-08-15 20:43:34.947749000 -0700
-@@ -239,40 +239,47 @@ print_secitem(SECItem *item) {
- * TokenException if an error occurs.
- */
- static PK11SymKey*
--constructSHA1PBAKey(JNIEnv *env, SECItem *pwitem, SECItem *salt,
-+constructSHA1PBAKey(JNIEnv *env, PK11SlotInfo *slot, SECItem *pwitem, SECItem *salt,
- int iterationCount)
- {
-- PBEBitGenContext* pbeCtxt=NULL;
-- SECItem *keyBits=NULL;
- PK11SymKey *key=NULL;
-
-- pbeCtxt = PBE_CreateContext( SEC_OID_SHA1, pbeBitGenIntegrityKey,
-- pwitem, salt, 160 /* SHA1 key length */, iterationCount);
-- if( pbeCtxt == NULL ) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to create PBE context");
-+ unsigned char ivData[8];
-+ SECItem mechItem;
-+ CK_PBE_PARAMS pbe_params;
-+
-+ if( pwitem == NULL ) {
-+ JSS_throwMsg(env, TOKEN_EXCEPTION,
-+ "constructSHA1PAKey:"
-+ " pwitem NULL");
- goto finish;
- }
--
-- keyBits = PBE_GenerateBits(pbeCtxt);
-- if( keyBits == NULL ) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to generate bits from"
-- "PBE context");
-+ if( salt == NULL ) {
-+ JSS_throwMsg(env, TOKEN_EXCEPTION,
-+ "constructSHA1PAKey:"
-+ " salt NULL");
- goto finish;
- }
-
-- key = PK11_ImportSymKey( PK11_GetInternalSlot(), CKM_SHA_1,
-- PK11_OriginGenerated, CKA_SIGN, keyBits, NULL);
-+ pbe_params.pInitVector = ivData;
-+ pbe_params.pPassword = pwitem->data;
-+ pbe_params.ulPasswordLen = pwitem->len;
-+ pbe_params.pSalt = salt->data;
-+ pbe_params.ulSaltLen = salt->len;
-+ pbe_params.ulIteration = iterationCount;
-+ mechItem.data = (unsigned char *) &pbe_params;
-+ mechItem.len = sizeof(pbe_params);
-+
-+ key = PK11_RawPBEKeyGen(slot, CKM_PBA_SHA1_WITH_SHA1_HMAC, &mechItem, pwitem, PR_FALSE, NULL);
-+
- if( key == NULL ) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to import PBA key from"
-- " PBA-generated bits");
-+ JSS_throwMsg(env, TOKEN_EXCEPTION,
-+ "PK11_RawPBEKeyGen:"
-+ " failed to generate key");
- goto finish;
- }
-
- finish:
-- if( pbeCtxt ) {
-- PBE_DestroyContext(pbeCtxt);
-- }
-- /* keyBits == pbeCtxt, so we don't need to free it */
- return key;
- }
-
-@@ -324,7 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
-
- /* special case, construct key by hand. Bug #336587 */
-
-- skey = constructSHA1PBAKey(env, pwitem, salt, iterationCount);
-+ skey = constructSHA1PBAKey(env, slot, pwitem, salt, iterationCount);
- if( skey==NULL ) {
- /* exception was thrown */
- goto finish;
diff --git a/SOURCES/jss-RC4-strengh-verify.patch b/SOURCES/jss-RC4-strengh-verify.patch
deleted file mode 100644
index 59b6577..0000000
--- a/SOURCES/jss-RC4-strengh-verify.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java.nkinderSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java.nkinderSaved 2014-09-26 14:40:03.452845047 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java 2014-09-26 14:41:02.101598146 -0700
-@@ -127,7 +127,7 @@ public class KeyGenAlgorithm extends Alg
- RC4 = new KeyGenAlgorithm(CKM_RC4_KEY_GEN, "RC4",
- new KeyStrengthValidator() {
- public boolean isValidKeyStrength(int strength) {
-- return true;
-+ return strength>=40 && strength <= (256*8);
- }
- }, null, null);
-
diff --git a/SOURCES/jss-SHA-OID-fix.patch b/SOURCES/jss-SHA-OID-fix.patch
deleted file mode 100644
index fdda50f..0000000
--- a/SOURCES/jss-SHA-OID-fix.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.jn jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.jn 2014-09-10 09:21:52.663959115 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java 2014-09-10 09:22:38.662788747 -0700
-@@ -117,7 +117,7 @@ public class OBJECT_IDENTIFIER implement
- * The OID space for FIPS-180-2 SHA256/SHA384/SHA512 standardized algorithms.
- */
- public static final OBJECT_IDENTIFIER HASH_ALGORITHM =
-- new OBJECT_IDENTIFIER( new long[] {2, 16, 840, 1, 101, 3, 4 } );
-+ new OBJECT_IDENTIFIER( new long[] {2, 16, 840, 1, 101, 3, 4, 2 } );
-
-
- /**
diff --git a/SOURCES/jss-VerifyCertificate-enhancement.patch b/SOURCES/jss-VerifyCertificate-enhancement.patch
deleted file mode 100644
index 6582b41..0000000
--- a/SOURCES/jss-VerifyCertificate-enhancement.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-From 3c4ca8a2010889fe292704ebcc8b922f77f2f7c2 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata"
-Date: Wed, 9 Dec 2015 00:30:50 +0100
-Subject: [PATCH] Added verifyCertificate() method.
-
-A new CryptoManager.verifyCertificate() method has been added as
-an alternative to isCertValid(). If there is a certificate
-validation problem, the method will throw a CertificateValidation
-exception that contains the NSS error message and code. The
-exception will also provide a stack trace to help troubleshoot
-validation issues.
-
-https://fedorahosted.org/pki/ticket/850
----
- .../jss/org/mozilla/jss/CryptoManager.java | 54 ++++++++------
- mozilla/security/jss/org/mozilla/jss/PK11Finder.c | 83 +++++++++++++++++++---
- .../jss/org/mozilla/jss/util/jss_exceptions.h | 2 +
- 3 files changed, 110 insertions(+), 29 deletions(-)
-
-diff --git a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
-index 0a4f59064bfddb42d473022550c24f251719d02b..54ffd8130b0e1f1fca49dd8b130a621e449c7ce7 100644
---- a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
-+++ b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
-@@ -1515,30 +1515,44 @@ public final class CryptoManager implements TokenSupplier
- CertificateUsage certificateUsage)
- throws ObjectNotFoundException, InvalidNicknameException
- {
-- if (nickname==null) {
-- throw new InvalidNicknameException("Nickname must be non-null");
-- }
-- // 0 certificate usage will get current usage
-- // should call isCertValid() call above that returns certificate usage
-- if ((certificateUsage == null) ||
-- (certificateUsage == CertificateUsage.CheckAllUsages)){
-- int currCertificateUsage = 0x0000;
-- currCertificateUsage = verifyCertificateNowCUNative(nickname,
-- checkSig);
-+ try {
-+ verifyCertificate(nickname, checkSig, certificateUsage);
-+ return true;
-+
-+ } catch (ObjectNotFoundException | InvalidNicknameException e) {
-+ throw e;
-
-- if (currCertificateUsage == CertificateUsage.basicCertificateUsages){
-- // cert is good for nothing
-- return false;
-- } else
-- return true;
-- } else {
-- return verifyCertificateNowNative(nickname, checkSig,
-- certificateUsage.getUsage());
-+ } catch (CertificateException e) {
-+ return false;
- }
- }
-
-- private native boolean verifyCertificateNowNative(String nickname,
-- boolean checkSig, int certificateUsage) throws ObjectNotFoundException;
-+ /**
-+ * Verify a certificate that exists in the given cert database,
-+ * check if it's valid and that we trust the issuer. Verify time
-+ * against now.
-+ * @param nickname nickname of the certificate to verify.
-+ * @param checkSig verify the signature of the certificate
-+ * @param certificateUsage see certificate usage defined to verify certificate
-+ *
-+ * @exception InvalidNicknameException If the nickname is null.
-+ * @exception ObjectNotFoundException If no certificate could be found
-+ * with the given nickname.
-+ * @exception CertificateException If certificate is invalid.
-+ */
-+ public void verifyCertificate(String nickname,
-+ boolean checkSig,
-+ CertificateUsage certificateUsage)
-+ throws ObjectNotFoundException, InvalidNicknameException, CertificateException {
-+ int usage = certificateUsage == null ? 0 : certificateUsage.getUsage();
-+ verifyCertificateNowNative(nickname, checkSig, usage);
-+ }
-+
-+ private native void verifyCertificateNowNative(
-+ String nickname,
-+ boolean checkSig,
-+ int certificateUsage)
-+ throws ObjectNotFoundException, InvalidNicknameException, CertificateException;
-
- /**
- * note: this method calls obsolete function in NSS
-diff --git a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
-index 8c7f0b4c05b58527a41cac140dbb5dc30578570f..4986478ffc860e145cd31e41c2880fcc2b5e007e 100644
---- a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
-+++ b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
-@@ -1667,21 +1667,86 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
- /***********************************************************************
- * CryptoManager.verifyCertificateNowNative
- *
-- * Returns JNI_TRUE if success, JNI_FALSE otherwise
-+ * Verify a certificate that exists in the given cert database,
-+ * check if it's valid and that we trust the issuer. Verify time
-+ * against now.
-+ * @param nickname nickname of the certificate to verify.
-+ * @param checkSig verify the signature of the certificate
-+ * @param certificateUsage see certificate usage defined to verify certificate
-+ *
-+ * @exception InvalidNicknameException If the nickname is null.
-+ * @exception ObjectNotFoundException If no certificate could be found
-+ * with the given nickname.
-+ * @exception CertificateException If certificate is invalid.
- */
--JNIEXPORT jboolean JNICALL
-+JNIEXPORT void JNICALL
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
-- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
-+ jobject self, jstring nickString, jboolean checkSig, jint certificateUsage)
- {
-- SECStatus rv = SECFailure;
- SECCertificateUsage currUsage = 0x0000;
-+ SECStatus rv = SECFailure;
-+ CERTCertificate *cert = NULL;
-+ char *nickname = NULL;
-
-- rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
-+ if (nickString == NULL) {
-+ JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
-+ goto finish;
-+ }
-
-- if( rv == SECSuccess) {
-- return JNI_TRUE;
-- } else {
-- return JNI_FALSE;
-+ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
-+
-+ if (nickname == NULL) {
-+ JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
-+ goto finish;
-+ }
-+
-+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
-+
-+ if (cert == NULL) {
-+ char *msgBuf;
-+ msgBuf = PR_smprintf("Certificate not found: %s", nickname);
-+ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, msgBuf);
-+ PR_Free(msgBuf);
-+ goto finish;
-+ }
-+
-+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
-+ * retrieve the current valid usage into currUsage
-+ */
-+ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
-+ checkSig, certificateUsage, NULL, &currUsage);
-+
-+ if (rv != SECSuccess) {
-+ JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Invalid certificate");
-+ goto finish;
-+ }
-+
-+ if ((certificateUsage == 0x0000) &&
-+ (currUsage ==
-+ ( certUsageUserCertImport |
-+ certUsageVerifyCA |
-+ certUsageProtectedObjectSigner |
-+ certUsageAnyCA ))) {
-+
-+ /* The certificate is good for nothing.
-+ * The following usages cannot be verified:
-+ * certUsageAnyCA
-+ * certUsageProtectedObjectSigner
-+ * certUsageUserCertImport
-+ * certUsageVerifyCA
-+ * (0x0b80)
-+ */
-+
-+ JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Unusable certificate");
-+ goto finish;
-+ }
-+
-+finish:
-+ if (nickname != NULL) {
-+ (*env)->ReleaseStringUTFChars(env, nickString, nickname);
-+ }
-+ if (cert != NULL) {
-+ CERT_DestroyCertificate(cert);
- }
- }
-
-diff --git a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
-index 4884928306223ff0699a22e7da33e3d13a904d39..acd329a4ecd3592ebe1d72c7bdac435d84dcae99 100644
---- a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
-+++ b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
-@@ -79,6 +79,8 @@ PR_BEGIN_EXTERN_C
-
- #define INTERRUPTED_IO_EXCEPTION "java/io/InterruptedIOException"
-
-+#define INVALID_NICKNAME_EXCEPTION "org/mozilla/jss/util/InvalidNicknameException"
-+
- #define INVALID_KEY_FORMAT_EXCEPTION "org/mozilla/jss/crypto/InvalidKeyFormatException"
-
- #define INVALID_PARAMETER_EXCEPTION "java/security/InvalidParameterException"
---
-2.5.0
-
diff --git a/SOURCES/jss-VerifyCertificate.patch b/SOURCES/jss-VerifyCertificate.patch
deleted file mode 100644
index a017b77..0000000
--- a/SOURCES/jss-VerifyCertificate.patch
+++ /dev/null
@@ -1,220 +0,0 @@ -diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def ---- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-10-20 09:53:10.288935000 -0700 -+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-10-29 10:29:48.664212000 -0700 -@@ -331,6 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG - Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags; - Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative; - Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; -+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; - ;+ local: - ;+ *; - ;+}; -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-10-28 16:44:46.366082000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-10-31 17:30:25.502670000 -0700 -@@ -61,6 +61,7 @@ import org.mozilla.jss.provider.java.sec - public final class CryptoManager implements TokenSupplier - { - /** -+ * note: this is obsolete in NSS - * CertUsage options for validation - */ - public final static class CertUsage { -@@ -86,8 +87,6 @@ public final class CryptoManager impleme - return name; - } - -- -- - // certUsage, these must be kept in sync with nss/lib/certdb/certt.h - public static final CertUsage SSLClient = new CertUsage(0, "SSLClient"); - public static final CertUsage SSLServer = new CertUsage(1, "SSLServer"); -@@ -103,6 +102,63 @@ public final class CryptoManager impleme - public static final CertUsage AnyCA = new CertUsage(11, "AnyCA"); - } - -+ /** -+ * CertificateUsage options for validation -+ */ -+ public final static class CertificateUsage { -+ private int usage; -+ private String name; -+ -+ // certificateUsage, these must be kept in sync with nss/lib/certdb/certt.h -+ private static final int certificateUsageCheckAllUsages = 
0x0000; -+ private static final int certificateUsageSSLClient = 0x0001; -+ private static final int certificateUsageSSLServer = 0x0002; -+ private static final int certificateUsageSSLServerWithStepUp = 0x0004; -+ private static final int certificateUsageSSLCA = 0x0008; -+ private static final int certificateUsageEmailSigner = 0x0010; -+ private static final int certificateUsageEmailRecipient = 0x0020; -+ private static final int certificateUsageObjectSigner = 0x0040; -+ private static final int certificateUsageUserCertImport = 0x0080; -+ private static final int certificateUsageVerifyCA = 0x0100; -+ private static final int certificateUsageProtectedObjectSigner = 0x0200; -+ private static final int certificateUsageStatusResponder = 0x0400; -+ private static final int certificateUsageAnyCA = 0x0800; -+ -+ static private ArrayList list = new ArrayList(); -+ private CertificateUsage() {}; -+ private CertificateUsage(int usage, String name) { -+ this.usage = usage; -+ this.name = name; -+ this.list.add(this); -+ -+ } -+ public int getUsage() { -+ return usage; -+ } -+ -+ static public Iterator getCertificateUsages() { -+ return list.iterator(); -+ -+ } -+ public String toString() { -+ return name; -+ } -+ -+ public static final CertificateUsage CheckAllUsages = new CertificateUsage(certificateUsageCheckAllUsages, "CheckAllUsages"); -+ public static final CertificateUsage SSLClient = new CertificateUsage(certificateUsageSSLClient, "SSLClient"); -+ public static final CertificateUsage SSLServer = new CertificateUsage(certificateUsageSSLServer, "SSLServer"); -+ public static final CertificateUsage SSLServerWithStepUp = new CertificateUsage(certificateUsageSSLServerWithStepUp, "SSLServerWithStepUp"); -+ public static final CertificateUsage SSLCA = new CertificateUsage(certificateUsageSSLCA, "SSLCA"); -+ public static final CertificateUsage EmailSigner = new CertificateUsage(certificateUsageEmailSigner, "EmailSigner"); -+ public static final CertificateUsage EmailRecipient 
= new CertificateUsage(certificateUsageEmailRecipient, "EmailRecipient"); -+ public static final CertificateUsage ObjectSigner = new CertificateUsage(certificateUsageObjectSigner, "ObjectSigner"); -+ public static final CertificateUsage UserCertImport = new CertificateUsage(certificateUsageUserCertImport, "UserCertImport"); -+ public static final CertificateUsage VerifyCA = new CertificateUsage(certificateUsageVerifyCA, "VerifyCA"); -+ public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner"); -+ public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder"); -+ public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA"); -+ } -+ - public final static class NotInitializedException extends Exception {} - public final static class NicknameConflictException extends Exception {} - public final static class UserCertConflictException extends Exception {} -@@ -1386,6 +1442,7 @@ public final class CryptoManager impleme - } - return tok; - } -+ - ///////////////////////////////////////////////////////////// - // isCertValid - ///////////////////////////////////////////////////////////// -@@ -1395,6 +1452,39 @@ public final class CryptoManager impleme - * against Now. - * @param nickname The nickname of the certificate to verify. - * @param checkSig verify the signature of the certificate -+ * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check -+ * @return true for success; false otherwise -+ * -+ * @exception InvalidNicknameException If the nickname is null -+ * @exception ObjectNotFoundException If no certificate could be found -+ * with the given nickname. 
-+ */ -+ -+ public boolean isCertValid(String nickname, boolean checkSig, -+ CertificateUsage certificateUsage) -+ throws ObjectNotFoundException, InvalidNicknameException -+ { -+ if (nickname==null) { -+ throw new InvalidNicknameException("Nickname must be non-null"); -+ } -+ // 0 certificate usage was supposed to get current usage, however, -+ // it is not exposed at this point -+ return verifyCertificateNowNative(nickname, -+ checkSig, -+ (certificateUsage == null) ? 0:certificateUsage.getUsage()); -+ } -+ -+ private native boolean verifyCertificateNowNative(String nickname, -+ boolean checkSig, int certificateUsage) throws ObjectNotFoundException; -+ -+ /** -+ * note: this method calls obsolete function in NSS -+ * -+ * Verify a certificate that exists in the given cert database, -+ * check if is valid and that we trust the issuer. Verify time -+ * against Now. -+ * @param nickname The nickname of the certificate to verify. -+ * @param checkSig verify the signature of the certificate - * @param certUsage see exposed certUsage defines to verify Certificate - * @return true for success; false otherwise - * -@@ -1413,6 +1503,9 @@ public final class CryptoManager impleme - return verifyCertNowNative(nickname, checkSig, certUsage.getUsage()); - } - -+ /* -+ * Obsolete in NSS -+ */ - private native boolean verifyCertNowNative(String nickname, - boolean checkSig, int cUsage) throws ObjectNotFoundException; - -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-10-28 16:45:46.501899000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-10-31 17:25:53.575482000 -0700 -@@ -1575,11 +1575,62 @@ finish: - } - - /*********************************************************************** -- * CryptoManager.verifyCertNowNative -+ * CryptoManager.verifyCertificateNowNative - * - * Returns JNI_TRUE if 
success, JNI_FALSE otherwise - */ - JNIEXPORT jboolean JNICALL -+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, -+ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage) -+{ -+ SECStatus rv = SECFailure; -+ SECCertificateUsage certificateUsage; -+ SECCertificateUsage currUsage; /* unexposed for now */ -+ CERTCertificate *cert=NULL; -+ char *nickname=NULL; -+ -+ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL); -+ if( nickname == NULL ) { -+ goto finish; -+ } -+ -+ certificateUsage = required_certificateUsage; -+ -+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); -+ -+ if (cert == NULL) { -+ JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); -+ goto finish; -+ } else { -+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to -+ * just get the current usage (which we are not passing back for now -+ * but will bypass the certificate usage check -+ */ -+ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, -+ checkSig, certificateUsage, NULL, &currUsage ); -+ } -+ -+finish: -+ if(nickname != NULL) { -+ (*env)->ReleaseStringUTFChars(env, nickString, nickname); -+ } -+ if(cert != NULL) { -+ CERT_DestroyCertificate(cert); -+ } -+ if( rv == SECSuccess) { -+ return JNI_TRUE; -+ } else { -+ return JNI_FALSE; -+ } -+} -+ -+ -+/*********************************************************************** -+ * CryptoManager.verifyCertNowNative -+ * note: this calls obsolete NSS function -+ * Returns JNI_TRUE if success, JNI_FALSE otherwise -+ */ -+JNIEXPORT jboolean JNICALL - Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env, - jobject self, jstring nickString, jboolean checkSig, jint cUsage) - { diff --git a/SOURCES/jss-VerifyCertificateReturnCU.patch b/SOURCES/jss-VerifyCertificateReturnCU.patch deleted file mode 100644 index 7d220ef..0000000 --- a/SOURCES/jss-VerifyCertificateReturnCU.patch +++ /dev/null 
@@ -1,227 +0,0 @@ -diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def ---- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-12-21 12:35:04.360044000 -0800 -+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-12-21 12:36:05.364105000 -0800 -@@ -332,6 +332,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG - Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative; - Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; - Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; -+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative; - ;+ local: - ;+ *; - ;+}; -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-12-21 12:36:24.417124000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-12-21 12:43:54.777575000 -0800 -@@ -157,6 +157,19 @@ public final class CryptoManager impleme - public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner"); - public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder"); - public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA"); -+ -+ /* -+ The folllowing usages cannot be verified: -+ certUsageAnyCA -+ certUsageProtectedObjectSigner -+ certUsageUserCertImport -+ certUsageVerifyCA -+ */ -+ public static final int basicCertificateUsages = /*0x0b80;*/ -+ certificateUsageUserCertImport | -+ certificateUsageVerifyCA | -+ certificateUsageProtectedObjectSigner | -+ certificateUsageAnyCA ; - } - - public final static class NotInitializedException extends Exception {} -@@ -1452,14 +1465,43 @@ public final class CryptoManager impleme - * against Now. 
- * @param nickname The nickname of the certificate to verify. - * @param checkSig verify the signature of the certificate -- * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check -- * @return true for success; false otherwise -+ * @return currCertificateUsage which contains current usage bit map as defined in CertificateUsage - * - * @exception InvalidNicknameException If the nickname is null - * @exception ObjectNotFoundException If no certificate could be found - * with the given nickname. - */ -+ public int isCertValid(String nickname, boolean checkSig) -+ throws ObjectNotFoundException, InvalidNicknameException -+ { -+ if (nickname==null) { -+ throw new InvalidNicknameException("Nickname must be non-null"); -+ } -+ int currCertificateUsage = 0x0000; // initialize it to 0 -+ currCertificateUsage = verifyCertificateNowCUNative(nickname, -+ checkSig); -+ return currCertificateUsage; -+ } -+ -+ private native int verifyCertificateNowCUNative(String nickname, -+ boolean checkSig) throws ObjectNotFoundException; - -+ ///////////////////////////////////////////////////////////// -+ // isCertValid -+ ///////////////////////////////////////////////////////////// -+ /** -+ * Verify a certificate that exists in the given cert database, -+ * check if is valid and that we trust the issuer. Verify time -+ * against Now. -+ * @param nickname The nickname of the certificate to verify. -+ * @param checkSig verify the signature of the certificate -+ * @param certificateUsage see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above -+ * @return true for success; false otherwise -+ * -+ * @exception InvalidNicknameException If the nickname is null -+ * @exception ObjectNotFoundException If no certificate could be found -+ * with the given nickname. 
-+ */ - public boolean isCertValid(String nickname, boolean checkSig, - CertificateUsage certificateUsage) - throws ObjectNotFoundException, InvalidNicknameException -@@ -1467,11 +1509,23 @@ public final class CryptoManager impleme - if (nickname==null) { - throw new InvalidNicknameException("Nickname must be non-null"); - } -- // 0 certificate usage was supposed to get current usage, however, -- // it is not exposed at this point -- return verifyCertificateNowNative(nickname, -- checkSig, -- (certificateUsage == null) ? 0:certificateUsage.getUsage()); -+ // 0 certificate usage will get current usage -+ // should call isCertValid() call above that returns certificate usage -+ if ((certificateUsage == null) || -+ (certificateUsage == CertificateUsage.CheckAllUsages)){ -+ int currCertificateUsage = 0x0000; -+ currCertificateUsage = verifyCertificateNowCUNative(nickname, -+ checkSig); -+ -+ if (currCertificateUsage == CertificateUsage.basicCertificateUsages){ -+ // cert is good for nothing -+ return false; -+ } else -+ return true; -+ } else { -+ return verifyCertificateNowNative(nickname, checkSig, -+ certificateUsage.getUsage()); -+ } - } - - private native boolean verifyCertificateNowNative(String nickname, -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-12-21 12:36:29.023129000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-12-21 16:03:34.599742000 -0800 -@@ -1574,18 +1574,16 @@ finish: - } - } - -+ - /*********************************************************************** -- * CryptoManager.verifyCertificateNowNative -- * -- * Returns JNI_TRUE if success, JNI_FALSE otherwise -+ * CryptoManager.verifyCertificateNow - */ --JNIEXPORT jboolean JNICALL --Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, -- jobject self, jstring nickString, jboolean checkSig, 
jint required_certificateUsage) -+SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString, -+ jboolean checkSig, jint required_certificateUsage, -+ SECCertificateUsage *currUsage) - { - SECStatus rv = SECFailure; - SECCertificateUsage certificateUsage; -- SECCertificateUsage currUsage; /* unexposed for now */ - CERTCertificate *cert=NULL; - char *nickname=NULL; - -@@ -1602,12 +1600,28 @@ Java_org_mozilla_jss_CryptoManager_verif - JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); - goto finish; - } else { -- /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to -- * just get the current usage (which we are not passing back for now -- * but will bypass the certificate usage check -+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will -+ * retrieve the current valid usage into currUsage - */ - rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, -- checkSig, certificateUsage, NULL, &currUsage ); -+ checkSig, certificateUsage, NULL, currUsage ); -+ if ((rv == SECSuccess) && certificateUsage == 0x0000) { -+ if (*currUsage == -+ ( certUsageUserCertImport | -+ certUsageVerifyCA | -+ certUsageProtectedObjectSigner | -+ certUsageAnyCA )) { -+ -+ /* the cert is good for nothing -+ The folllowing usages cannot be verified: -+ certUsageAnyCA -+ certUsageProtectedObjectSigner -+ certUsageUserCertImport -+ certUsageVerifyCA -+ (0x0b80) */ -+ rv =SECFailure; -+ } -+ } - } - - finish: -@@ -1617,6 +1631,49 @@ finish: - if(cert != NULL) { - CERT_DestroyCertificate(cert); - } -+ -+ return rv; -+} -+ -+/*********************************************************************** -+ * CryptoManager.verifyCertificateNowCUNative -+ * -+ * Returns jint which contains bits in SECCertificateUsage that reflects -+ * the cert usage(s) that the cert is good for -+ * if the cert is good for nothing, returned value is -+ * (0x0b80): -+ * certUsageUserCertImport | -+ * certUsageVerifyCA | -+ * certUsageProtectedObjectSigner | -+ * certUsageAnyCA -+ 
*/ -+JNIEXPORT jint JNICALL -+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env, -+ jobject self, jstring nickString, jboolean checkSig) -+{ -+ SECStatus rv = SECFailure; -+ SECCertificateUsage currUsage = 0x0000; -+ -+ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage); -+ /* rv is ignored */ -+ -+ return currUsage; -+} -+ -+/*********************************************************************** -+ * CryptoManager.verifyCertificateNowNative -+ * -+ * Returns JNI_TRUE if success, JNI_FALSE otherwise -+ */ -+JNIEXPORT jboolean JNICALL -+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, -+ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage) -+{ -+ SECStatus rv = SECFailure; -+ SECCertificateUsage currUsage = 0x0000; -+ -+ rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage); -+ - if( rv == SECSuccess) { - return JNI_TRUE; - } else { -@@ -1624,7 +1681,6 @@ finish: - } - } - -- - /*********************************************************************** - * CryptoManager.verifyCertNowNative - * note: this calls obsolete NSS function diff --git a/SOURCES/jss-WindowsCompileFix.patch b/SOURCES/jss-WindowsCompileFix.patch deleted file mode 100644 index 20e2ea3..0000000 --- a/SOURCES/jss-WindowsCompileFix.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfu 2015-04-23 13:25:45.104249135 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2015-04-23 13:39:29.958813779 -0700
-@@ -49,10 +49,12 @@
-
- #ifdef WINNT
- #include
-+#define AF_INET6 23
- #endif
-
- #ifdef WIN32
- #include
-+#define AF_INET6 23
- #endif
-
-
-@@ -66,6 +68,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_setSS
- {
- SECStatus status;
- SSLVersionRange vrange;
-+ SSLVersionRange supported_range;
-
- if (ssl_variant <0 || ssl_variant >= JSSL_enums_size||
- min <0 || min >= JSSL_enums_size ||
-@@ -80,7 +83,6 @@ Java_org_mozilla_jss_ssl_SSLSocket_setSS
- vrange.max = JSSL_enums[max];
-
- /* get supported range */
-- SSLVersionRange supported_range;
- status = SSL_VersionRangeGetSupported(JSSL_enums[ssl_variant],
- &supported_range);
- if( status != SECSuccess ) {
diff --git a/SOURCES/jss-WindowsLoadLibrary.patch b/SOURCES/jss-WindowsLoadLibrary.patch
deleted file mode 100644
index 23b8913..0000000
--- a/SOURCES/jss-WindowsLoadLibrary.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.cfu 2015-07-08 12:02:13.192000000 +0200
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2015-07-08 12:04:56.213000000 +0200
-@@ -1404,17 +1404,23 @@ public final class CryptoManager impleme
- synchronized static void loadNativeLibraries()
- {
- if( ! mNativeLibrariesLoaded ) {
-- try {
-+ try { // 64 bit rhel/fedora
- System.load( "/usr/lib64/jss/libjss4.so" );
- Debug.trace(Debug.VERBOSE, "jss library loaded");
- mNativeLibrariesLoaded = true;
- } catch( UnsatisfiedLinkError e ) {
-- try {
-+ try { // 32 bit rhel/fedora
- System.load( "/usr/lib/jss/libjss4.so" );
- Debug.trace(Debug.VERBOSE, "jss library loaded");
- mNativeLibrariesLoaded = true;
- } catch( UnsatisfiedLinkError f ) {
-- Debug.trace(Debug.VERBOSE, "jss library load failed");
-+ try {// possibly other platforms
-+ System.loadLibrary( "jss4" );
-+ Debug.trace(Debug.VERBOSE, "jss library loaded");
-+ mNativeLibrariesLoaded = true;
-+ } catch( UnsatisfiedLinkError g ) {
-+ Debug.trace(Debug.VERBOSE, "jss library load failed");
-+ }
- }
- }
- }
diff --git a/SOURCES/jss-bad-error-string-pointer.patch b/SOURCES/jss-bad-error-string-pointer.patch
deleted file mode 100644
index 05244c3..0000000
--- a/SOURCES/jss-bad-error-string-pointer.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.c 2010-11-17 18:54:56.000000000 -0500
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.c 2010-11-18 09:46:34.000000000 -0500
-@@ -124,20 +124,16 @@
- /* Clean up after PR_interrupt. */
- PR_NT_CancelIo(sock->fd);
- #endif
-- JSSL_throwSSLSocketException(env,
-- "Accept operation interrupted with error code " + err);
-+ JSSL_throwSSLSocketException(env, "Accept operation interrupted");
- } else if( err == PR_IO_TIMEOUT_ERROR ) {
- #ifdef WINNT
- PR_NT_CancelIo(sock->fd);
- #endif
-- JSSL_throwSSLSocketException(env,
-- "Accept operation timed out with error code " + err);
-+ JSSL_throwSSLSocketException(env, "Accept operation timed out");
- } else if( err == PR_IO_ERROR ) {
-- JSSL_throwSSLSocketException(env,
-- "Accept operation received IO error with error code " + err);
-+ JSSL_throwSSLSocketException(env, "Accept operation received IO error");
- } else {
-- JSSL_throwSSLSocketException(env,
-- "Accept operation failed with error code " + err);
-+ JSSL_throwSSLSocketException(env, "Accept operation failed");
- }
- goto finish;
- }
diff --git a/SOURCES/jss-crmf-envelopedData.patch b/SOURCES/jss-crmf-envelopedData.patch
deleted file mode 100644
index 13c21d7..0000000
--- a/SOURCES/jss-crmf-envelopedData.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java.roysjosh jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java.roysjosh 2016-06-24 14:51:48.929122053 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java 2016-06-24 14:52:29.487027005 -0700
-@@ -127,7 +127,8 @@ public class EncryptedKey implements ASN
- } else {
- Assert._assert(type == ENVELOPED_DATA);
- Assert._assert(envelopedData != null);
-- envelopedData.encode(implicitTag, ostream);
-+ EXPLICIT explicit = new EXPLICIT( new Tag(0), envelopedData );
-+ explicit.encode(tag, ostream);
- }
- }
-
-@@ -147,7 +148,9 @@ public class EncryptedKey implements ASN
- choicet = new CHOICE.Template();
-
- choicet.addElement( EncryptedValue.getTemplate() );
-- choicet.addElement( new Tag(0), ANY.getTemplate() );
-+ choicet.addElement( new EXPLICIT.Template(
-+ new Tag(0),
-+ ANY.getTemplate() ));
- }
-
- public boolean tagMatch(Tag tag) {
-@@ -164,7 +167,7 @@ public class EncryptedKey implements ASN
- return new EncryptedKey( (EncryptedValue) choice.getValue() );
- } else {
- Assert._assert( choice.getTag().equals(new Tag(0)) );
-- return new EncryptedKey( (ANY) choice.getValue() );
-+ return new EncryptedKey( (ANY) ((EXPLICIT) choice.getValue()).getContent() );
- }
-
- } catch(InvalidBERException e) {
diff --git a/SOURCES/jss-eliminate-java-compiler-warnings.patch b/SOURCES/jss-eliminate-java-compiler-warnings.patch
deleted file mode 100644
index 1df99d3..0000000
--- a/SOURCES/jss-eliminate-java-compiler-warnings.patch
+++ /dev/null
@@ -1,641 +0,0 @@ -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2011-08-10 16:21:30.837765000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2011-08-12 13:13:34.449664000 -0700 -@@ -1125,7 +1125,7 @@ public final class CryptoManager impleme - * Imports a single certificate into the permanent certificate - * database. - * -- * @param derCert the certificate you want to add -+ * @param cert the certificate you want to add - * @param nickname the nickname you want to refer to the certificate as - * (must not be null) - */ -@@ -1391,11 +1391,11 @@ public final class CryptoManager impleme - public static final String - JAR_JDK_VERSION = "JDK_VERSION = N/A"; - public static final String -- JAR_NSS_VERSION = "NSS_VERSION = NSS_3_11_9_RTM"; -+ JAR_NSS_VERSION = "NSS_VERSION = N/A"; - public static final String - JAR_DBM_VERSION = "DBM_VERSION = N/A"; - public static final String -- JAR_NSPR_VERSION = "NSPR_VERSION = NSPR_4_7_RTM"; -+ JAR_NSPR_VERSION = "NSPR_VERSION = N/A"; - - /** - * Loads the JSS dynamic library if necessary. -@@ -1433,8 +1433,8 @@ public final class CryptoManager impleme - * this thread's token to null will also cause the - * InternalKeyStorageToken to be used. - * -- * @param The token to use for crypto operations. Specifying null -- * will cause the InternalKeyStorageToken to be used. -+ * @param token The token to use for crypto operations. Specifying -+ * null will cause the InternalKeyStorageToken to be used. - */ - public void setThreadToken(CryptoToken token) { - if( token != null ) { -@@ -1579,7 +1579,7 @@ public final class CryptoManager impleme - * Verify a certificate in memory. Check if - * valid and that we trust the issuer. Verify time - * against Now. 
-- * @param certificate in memory -+ * @param certPackage certificate in memory - * @param checkSig verify the signature of the certificate - * @param certUsage see exposed certUsage defines to verify Certificate - * @return true for success; false otherwise -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java 2011-08-10 17:29:33.476661000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java 2011-08-12 11:00:26.456852000 -0700 -@@ -51,7 +51,7 @@ public final class JSSProvider extends j - - private static int JSS_MAJOR_VERSION = 4; - private static int JSS_MINOR_VERSION = 2; -- private static int JSS_PATCH_VERSION = 5; -+ private static int JSS_PATCH_VERSION = 6; - private static double JSS_VERSION = JSS_MAJOR_VERSION + - (JSS_MINOR_VERSION * 100 + - JSS_PATCH_VERSION)/10000.0; -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2004-04-25 08:02:21.000000000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2011-08-12 13:10:50.781827000 -0700 -@@ -144,8 +144,8 @@ public abstract class Cipher { - * B is the block size, the padding string consists of - * B - (M mod B) octets, each having the value - * B - (M mod B). -- * @param The block size of the encryption algorithm. Must be greater -- * than zero. -+ * @param blockSize The block size of the encryption algorithm. -+ * Must be greater than zero. 
- * @see #unPad - */ - public static byte[] -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2007-11-09 16:37:56.000000000 -0800 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2011-08-12 11:07:20.326438000 -0700 -@@ -194,7 +194,7 @@ public interface CryptoToken { - * Login to the token. If a token is logged in, it will not trigger - * password callbacks. - * -- * @param password The password for this token. -+ * @param pwcb The password callback for this token. - * @exception IncorrectPasswordException If the supplied password is - * incorrect. - * @see #setLoginMode -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2004-04-25 08:02:21.000000000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2011-08-12 11:08:37.747360000 -0700 -@@ -88,7 +88,7 @@ public abstract class JSSMessageDigest { - * Completes digestion. - * - * @return The, ahem, output of the digest operation. -- * @param If an error occurs while digesting. -+ * @exception DigestException If an error occurs while digesting. 
- */ - public byte[] digest() throws DigestException { - byte[] output = new byte[getOutputSize()]; -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java 2004-04-25 08:02:21.000000000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java 2011-08-12 11:09:41.345296000 -0700 -@@ -60,7 +60,7 @@ public class PBEKeyGenParams implements - * Must not be null. It is the responsibility of the caller to - * use the right salt length for the algorithm. Most algorithms - * use 8 bytes of salt. -- * @param The iteration count for the PBE algorithm. -+ * @param iterations The iteration count for the PBE algorithm. - */ - public PBEKeyGenParams(Password pass, byte[] salt, int iterations) { - if(pass==null || salt==null) { -@@ -80,7 +80,7 @@ public class PBEKeyGenParams implements - * Must not be null. It is the responsibility of the caller to - * use the right salt length for the algorithm. Most algorithms - * use 8 bytes of salt. -- * @param The iteration count for the PBE algorithm. -+ * @param iterations The iteration count for the PBE algorithm. - */ - public PBEKeyGenParams(char[] pass, byte[] salt, int iterations) { - if(pass==null || salt==null) { -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2007-11-09 16:37:57.000000000 -0800 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-08-12 11:13:51.807047000 -0700 -@@ -228,8 +228,8 @@ public final class PK11Token implements - * Initialize PIN. This sets the user's new PIN, using the current - * security officer PIN for authentication. 
- * -- * @param ssopw The security officer's current password. -- * @param userpw The user's new password. -+ * @param ssopwcb The security officer's current password callback. -+ * @param userpwcb The user's new password callback. - * @exception IncorrectPinException If the security officer PIN is - * incorrect. - * @exception TokenException If the PIN was already initialized, -@@ -322,8 +322,8 @@ public final class PK11Token implements - * Change password. This changes the user's PIN after it has already - * been initialized. - * -- * @param oldPIN The user's old PIN. -- * @param newPIN The new PIN. -+ * @param oldPINcb The user's old PIN callback. -+ * @param newPINcb The new PIN callback. - * @exception IncorrectPasswordException If the old PIN is incorrect. - * @exception TokenException If some other error occurs on the token. - * -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java 2005-09-22 10:58:35.000000000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java 2011-08-12 11:14:44.011995000 -0700 -@@ -288,7 +288,7 @@ public final class SafeBag implements AS - * as the nickname of the associated cert. - * @param localKeyID The localKeyID for the key; should be the same as - * the localKeyID of the associated cert. -- * @param The password used to encrypt the private key. -+ * @param password The password used to encrypt the private key. 
- */ - public static SafeBag - createEncryptedPrivateKeyBag(PrivateKeyInfo privk, String friendlyName, -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java 2004-04-25 08:02:23.000000000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java 2011-08-12 11:12:13.957145000 -0700 -@@ -430,7 +430,6 @@ public class SignerInfo implements ASN1V - * SignerInfo. - * @param contentType The type of the content that is signed by this - * SignerInfo. -- * @param pubkey The public key to use to verify the signature. - * @exception NoSuchObjectException If no certificate matching the - * the issuer name and serial number can be found. - */ -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java 2004-11-18 14:56:11.000000000 -0800 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java 2011-08-12 11:20:39.240639000 -0700 -@@ -108,7 +108,7 @@ public class CMCStatusInfo implements AS - * @param status A CMCStatus constant. - * @param bodyList The sequence of bodyPartID. - * @param statusString A String. -- * @param OtherInfo The OtherInfo choice. -+ * @param otherInfo The OtherInfo choice. 
- */ - public CMCStatusInfo(int status, SEQUENCE bodyList, String - statusString, OtherInfo otherInfo) { -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java 2006-05-23 20:18:17.000000000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java 2011-08-12 11:21:27.389591000 -0700 -@@ -88,7 +88,6 @@ public class PKIStatusInfo implements AS - /** - * Create a PKIStatusInfo with no failure info. - * @param status A PKIStatus constant. -- * @param failInfo The bitwise AND of the PKIFailureInfo constants. - */ - public PKIStatusInfo(int status) { - this.status = new INTEGER(status); -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java 2004-04-25 08:02:26.000000000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java 2011-08-12 11:20:11.194667000 -0700 -@@ -115,10 +115,6 @@ public class DirectoryString implements - - /** - * Converts an ASN.1 DirectoryString to a Java string. -- * -- * @param dirstr An ANY containing a BER-encoded DirectoryString. -- * @exception InvalidBERException If the encoding does not contain a -- * valid DirectoryString. - */ - public String toString() { - return asn1String.toString(); -@@ -176,6 +172,8 @@ public class DirectoryString implements - /** - * @param implicitTag This paramter is ignored, because - * DirectoryStrings (being CHOICEs) cannot have implicit tags. -+ * @exception InvalidBERException If the encoding does not contain a -+ * valid DirectoryString. 
- */ - public ASN1Value decode(Tag implicitTag, InputStream istream) - throws IOException, InvalidBERException -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java 2003-04-28 14:48:33.000000000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java 2011-08-12 10:58:39.589958000 -0700 -@@ -91,14 +91,18 @@ class JSSSecretKeyFactorySpi extends Sec - // versions is to use the reflection API. - Class specClass = spec.getClass(); - try { -- Method getSaltMethod = specClass.getMethod("getSalt", null); -+ Method getSaltMethod = specClass.getMethod("getSalt", -+ (java.lang.Class) null); - Method getIterationMethod = -- specClass.getMethod("getIterationCount", null); -+ specClass.getMethod("getIterationCount", -+ (java.lang.Class) null); - -- byte[] salt = (byte[]) getSaltMethod.invoke(spec, null); -+ byte[] salt = (byte[]) getSaltMethod.invoke(spec, -+ (java.lang.Class) null); - - Integer itCountObj = -- (Integer) getIterationMethod.invoke(spec,null); -+ (Integer) getIterationMethod.invoke(spec, -+ (java.lang.Class) null); - int iterationCount = itCountObj.intValue(); - - Password pass = new Password(spec.getPassword()); -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2011-08-10 16:21:30.412765000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2011-08-12 11:47:38.385021000 -0700 -@@ -182,11 +182,11 @@ public class SSLSocket extends java.net. 
- } - - /** -- * Creates an SSL client socket and connects to the specified host and -+ * Creates an SSL client socket and connects to the specified address and - * port. Binds to the given local address and port. Installs the given - * callbacks for certificate approval and client certificate selection. - * -- * @param host The hostname to connect to. -+ * @param address The IP address to connect to. - * @param port The port to connect to. - * @param localAddr The local address to bind to. It can be null, in which - * case an unspecified local address will be chosen. -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java 2006-02-23 08:47:17.000000000 -0800 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java 2011-08-12 13:11:11.790805000 -0700 -@@ -96,7 +96,7 @@ public class HMACTest { - - /** - * Main test method. 
-- * @params args[] -+ * @param argv - */ - public static void main(String []argv) { - -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2011-08-10 16:21:30.337766000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2011-08-12 11:53:56.192644000 -0700 -@@ -116,9 +116,9 @@ public class JCASymKeyGen { - } - /** - * -- * @param key -- * @param kg -- * @return -+ * @param keyType -+ * @param provider -+ * @return javax.crypto.SecretKey key - */ - public javax.crypto.SecretKey genSecretKey(String keyType, String provider){ - javax.crypto.SecretKey key = null; -@@ -155,7 +155,7 @@ public class JCASymKeyGen { - * - * @param keyType - * @param provider -- * @return -+ * @return javax.crypto.SecretKey key - */ - public javax.crypto.SecretKey genPBESecretKey(String keyType, - String provider){ -@@ -197,8 +197,10 @@ public class JCASymKeyGen { - /** - * - * @param sKey -- * @param AlgType -- * @param provider -+ * @param algFamily -+ * @param algType -+ * @param providerForEncrypt -+ * @param providerForDecrypt - */ - public void testCipher(javax.crypto.SecretKey sKey, String algFamily, - String algType, String providerForEncrypt, String providerForDecrypt) -@@ -304,8 +306,10 @@ public class JCASymKeyGen { - /** - * - * @param sKey -- * @param AlgType -- * @param provider -+ * @param algFamily -+ * @param algType -+ * @param providerForEncrypt -+ * @param providerForDecrypt - */ - public void testMultiPartCipher(javax.crypto.SecretKey sKey, String algFamily, - String algType, String providerForEncrypt, String providerForDecrypt) -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java ---- 
alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java 2007-11-15 13:30:19.000000000 -0800 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java 2011-08-12 12:56:15.480701000 -0700 -@@ -78,7 +78,7 @@ public class JSSE_SSLClient { - - /** - * Set the protocol type and revision -- * @param String sslRevision -+ * @param fSslRevision - */ - public void setSslRevision(String fSslRevision) { - -@@ -91,7 +91,7 @@ public class JSSE_SSLClient { - - /** - * Set the host name to connect to. -- * @param String hostname -+ * @param fHost - */ - public void setHost(String fHost) { - this.host = fHost; -@@ -99,7 +99,7 @@ public class JSSE_SSLClient { - - /** - * Set the port number to connect to. -- * @param int portnumber -+ * @param fPort - */ - public void setPort(int fPort) { - this.port = fPort; -@@ -107,7 +107,7 @@ public class JSSE_SSLClient { - - /** - * Set the cipher suite name to use. -- * @param String cipherSuiteName -+ * @param fCipherSuite - */ - public void setCipherSuite(String fCipherSuite) { - this.cipherName = fCipherSuite; -@@ -115,7 +115,7 @@ public class JSSE_SSLClient { - - /** - * Set the location of rsa.pfx -- * @param String fKeystoreLoc -+ * @param fKeystoreLoc - */ - public void setKeystoreLoc(String fKeystoreLoc) { - keystoreLoc = fKeystoreLoc + "/" + keystoreLoc; -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java 2007-11-15 13:30:19.000000000 -0800 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java 2011-08-12 12:57:18.987637000 -0700 -@@ -75,7 +75,7 @@ public class JSSE_SSLServer { - - /** - * Set the provider to use. 
-- * @param String p -+ * @param p - */ - public void setProvider(String p) { - provider = p; -@@ -90,7 +90,7 @@ public class JSSE_SSLServer { - } - /** - * Set the location of keystore file. -- * @param String fconfigDir -+ * @param fconfigDir - */ - public void setKeystore(String fconfigDir) { - configDir = fconfigDir; -@@ -117,7 +117,7 @@ public class JSSE_SSLServer { - - /** - * Start SSLServer and accept connections. -- * @param args[] -+ * @param args - */ - public void startSSLServer(String[] args) throws Exception { - String configDir = ""; -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java 2005-08-11 11:28:59.000000000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java 2011-08-12 12:50:45.946239000 -0700 -@@ -79,7 +79,7 @@ public class JSS_FileUploadClient { - /** - * Initialize the desired cipher to be set - * on the socket. 
-- * @param int Cipher -+ * @param aCipher - */ - public void setCipher(int aCipher) { - fCipher = aCipher; -@@ -87,7 +87,7 @@ public class JSS_FileUploadClient { - - /** - * Initialize the hostname to run the server -- * @param String ServerName -+ * @param aHostName - */ - public void setHostName(String aHostName) { - serverHost = aHostName; -@@ -95,7 +95,7 @@ public class JSS_FileUploadClient { - - /** - * Initialize the port to run the server -- * @param int port -+ * @param aPort - */ - public void setPort(int aPort) { - port = aPort; -@@ -103,7 +103,7 @@ public class JSS_FileUploadClient { - - /** - * Initialize the passwords file name -- * @param String passwords -+ * @param aPasswordFile - */ - public void setPasswordFile(String aPasswordFile) { - fPasswordFile = aPasswordFile; -@@ -111,7 +111,7 @@ public class JSS_FileUploadClient { - - /** - * Initialize the cert db path name -- * @param String CertDbPath -+ * @param aCertDbPath - */ - public void setCertDbPath(String aCertDbPath) { - fCertDbPath = aCertDbPath; -@@ -120,7 +120,7 @@ public class JSS_FileUploadClient { - /** - * Initialize the name of the file to - * be used for testing along with full path. -- * @param String UploadFile -+ * @param aUploadFile - */ - public void setUploadFile(String aUploadFile) { - fUploadFile = aUploadFile; -@@ -128,7 +128,7 @@ public class JSS_FileUploadClient { - - /** - * Enable/disable Test Cert Callback. 
-- * @param boolean -+ * @param aTestCertCallback - */ - public void setTestCertCallback(boolean aTestCertCallback) { - TestCertCallBack = aTestCertCallback; -@@ -136,7 +136,7 @@ public class JSS_FileUploadClient { - - /** - * Set client certificate -- * @param String Certificate Nick Name -+ * @param aClientCertNick Certificate Nick Name - */ - public void setClientCertNick(String aClientCertNick) { - clientCertNick = aClientCertNick; -@@ -170,7 +170,7 @@ public class JSS_FileUploadClient { - - /** - * Set EOF for closinng server socket -- * @param null for closing server socket -+ * @param fEof null for closing server socket - */ - public void setEOF(String fEof) { - this.EOF = fEof; -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java 2007-08-20 17:07:58.000000000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java 2011-08-12 12:54:46.978789000 -0700 -@@ -99,7 +99,7 @@ public class JSS_SSLClient { - /** - * Initialize the desired cipher to be set - * on the socket. 
-- * @param int Cipher -+ * @param aCipher - */ - public void setCipher(int aCipher) { - fCipher = aCipher; -@@ -107,7 +107,7 @@ public class JSS_SSLClient { - - /** - * Initialize the hostname to run the server -- * @param String ServerName -+ * @param aHostName - */ - public void setHostName(String aHostName) { - serverHost = aHostName; -@@ -115,7 +115,7 @@ public class JSS_SSLClient { - - /** - * Initialize the port to run the server -- * @param int port -+ * @param aPort - */ - public void setPort(int aPort) { - port = aPort; -@@ -123,7 +123,7 @@ public class JSS_SSLClient { - - /** - * Initialize the passwords file name -- * @param String passwords -+ * @param aPasswordFile - */ - public void setPasswordFile(String aPasswordFile) { - fPasswordFile = aPasswordFile; -@@ -131,7 +131,7 @@ public class JSS_SSLClient { - - /** - * Initialize the cert db path name -- * @param String CertDbPath -+ * @param aCertDbPath - */ - public static void setCertDbPath(String aCertDbPath) { - fCertDbPath = aCertDbPath; -@@ -147,7 +147,7 @@ public class JSS_SSLClient { - - /** - * Enable/disable Test Cert Callback. -- * @param boolean -+ * @param bypass - */ - public void setBypass(boolean bypass) { - testBypass = bypass; -@@ -155,7 +155,7 @@ public class JSS_SSLClient { - - /** - * Enable/disable Test Cert Callback. 
-- * @param boolean -+ * @param aTestCertCallback - */ - public void setTestCertCallback(boolean aTestCertCallback) { - TestCertCallBack = aTestCertCallback; -@@ -163,7 +163,7 @@ public class JSS_SSLClient { - - /** - * Set client certificate -- * @param String Certificate Nick Name -+ * @param aClientCertNick Certificate Nick Name - */ - public void setClientCertNick(String aClientCertNick) { - clientCertNick = aClientCertNick; -@@ -197,7 +197,7 @@ public class JSS_SSLClient { - - /** - * Set EOF for closinng server socket -- * @param null for closing server socket -+ * @param fEof null for closing server socket - */ - public void setEOF(String fEof) { - this.EOF = fEof; -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java 2007-11-15 13:30:19.000000000 -0800 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java 2011-08-12 12:52:43.644913000 -0700 -@@ -326,7 +326,7 @@ public class JSS_SelfServClient implemen - /** - * Initialize the desired ciphersuite to be set - * on the socket. 
-- * @param int Cipher -+ * @param aCipher - */ - public void setCipher(int aCipher) { - -@@ -378,7 +378,7 @@ public class JSS_SelfServClient implemen - - /** - * Initialize the hostname to run the server -- * @param String ServerName -+ * @param aHostName - */ - public void setHostName(String aHostName) { - serverHost = aHostName; -@@ -386,7 +386,7 @@ public class JSS_SelfServClient implemen - - /** - * Initialize the port to run the server -- * @param int port -+ * @param aPort - */ - public void setPort(int aPort) { - port = aPort; -@@ -394,7 +394,7 @@ public class JSS_SelfServClient implemen - - /** - * Initialize the passwords file name -- * @param String passwords -+ * @param aPasswordFile - */ - public void setPasswordFile(String aPasswordFile) { - fPasswordFile = aPasswordFile; -@@ -402,7 +402,7 @@ public class JSS_SelfServClient implemen - - /** - * Initialize the cert db path name -- * @param String CertDbPath -+ * @param aCertDbPath - */ - public void setCertDbPath(String aCertDbPath) { - fCertDbPath = aCertDbPath; -@@ -410,7 +410,7 @@ public class JSS_SelfServClient implemen - - /** - * Enable/disable Test Cert Callback. 
-- * @param boolean -+ * @param aTestCertCallback - */ - public void setTestCertCallback(boolean aTestCertCallback) { - TestCertCallBack = aTestCertCallback; -@@ -418,7 +418,7 @@ public class JSS_SelfServClient implemen - - /** - * Set client certificate -- * @param String Certificate Nick Name -+ * @param aClientCertNick Certificate Nick Name - */ - public void setClientCertNick(String aClientCertNick) { - clientCertNick = aClientCertNick; -diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java ---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 2007-08-23 16:21:13.000000000 -0700 -+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 2011-08-12 12:58:27.925569000 -0700 -@@ -78,7 +78,7 @@ public class SSLClientAuth implements Ru - * @param rand - * @param extensions - * @throws java.lang.Exception -- * @return -+ * @return Certificate - */ - public static Certificate makeCert(String issuerName, String subjectName, - int serialNumber, PrivateKey privKey, PublicKey pubKey, int rand, diff --git a/SOURCES/jss-eliminate-native-compiler-warnings.patch b/SOURCES/jss-eliminate-native-compiler-warnings.patch deleted file mode 100644 index d981eb7..0000000 --- a/SOURCES/jss-eliminate-native-compiler-warnings.patch +++ /dev/null 
@@ -1,621 +0,0 @@ -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-08-10 16:21:30.609765000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-08-11 17:54:57.255176000 -0700 -@@ -55,7 +55,7 @@ - - #include "pk11util.h" - --#if defined(AIX) || defined(HPUX) || defined(LINUX) -+#if defined(AIX) || defined(HPUX) - #include - #endif - -@@ -90,11 +90,11 @@ const char * jss_sccsid() { - /********************************************************************/ - - /* JSS_VERSION from mozilla/security/jss/org/mozilla/jss/util/jssver.h */ --static const char* DLL_JSS_VERSION = "JSS_VERSION = " JSS_VERSION; -+static const char* VARIABLE_MAY_NOT_BE_USED DLL_JSS_VERSION = "JSS_VERSION = " JSS_VERSION; - /* NSS_VERSION from mozilla/security/nss/lib/nss/nss.h */ --static const char* DLL_NSS_VERSION = "NSS_VERSION = " NSS_VERSION; -+static const char* VARIABLE_MAY_NOT_BE_USED DLL_NSS_VERSION = "NSS_VERSION = " NSS_VERSION; - /* NSPR_version from mozilla/nsprpub/pr/include/prinit.h */ --static const char* DLL_NSPR_VERSION = "NSPR_VERSION = " PR_VERSION; -+static const char* VARIABLE_MAY_NOT_BE_USED DLL_NSPR_VERSION = "NSPR_VERSION = " PR_VERSION; - - - -@@ -106,13 +106,13 @@ static char* - getPWFromCallback(PK11SlotInfo *slot, PRBool retry, void *arg); - - /************************************************************* -- * AIX, HP, and Linux signal handling madness -+ * AIX and HP signal handling madness - * - * In order for the JVM, kernel, and NSPR to work together, we setup - * a signal handler for SIGCHLD that does nothing. This is only done -- * on AIX, HP, and Linux. -+ * on AIX and HP. 
- *************************************************************/ --#if defined(AIX) || defined(HPUX) || defined(LINUX) -+#if defined(AIX) || defined(HPUX) - - static PRStatus - handleSigChild(JNIEnv *env) { -@@ -333,8 +333,6 @@ Java_org_mozilla_jss_CryptoManager_initi - jboolean initializeJavaOnly ) - { - SECStatus rv = SECFailure; -- JavaVM *VMs[5]; -- jint numVMs; - char *szConfigDir = NULL; - char *szCertPrefix = NULL; - char *szKeyPrefix = NULL; -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-08-10 16:21:30.849767000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-08-10 18:22:37.887077000 -0700 -@@ -263,7 +263,7 @@ JNIEXPORT jobject JNICALL - Java_org_mozilla_jss_CryptoManager_findPrivKeyByCertNative - (JNIEnv *env, jobject this, jobject Cert) - { -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread=NULL; - CERTCertificate *cert; - PK11SlotInfo *slot; - SECKEYPrivateKey *privKey=NULL; -@@ -458,7 +458,7 @@ JNIEXPORT jobjectArray JNICALL - Java_org_mozilla_jss_CryptoManager_buildCertificateChainNative - (JNIEnv *env, jobject this, jobject leafCert) - { -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread=NULL; - CERTCertificate *leaf; - jobjectArray chainArray=NULL; - CERTCertDBHandle *certdb; -@@ -812,7 +812,7 @@ Java_org_mozilla_jss_CryptoManager_impor - SECItem *derCerts=NULL; - int certi= -1; - SECItem theDerCert; -- int numCerts; -+ int numCerts = 0; - jbyte *packageBytes=NULL; - jsize packageLen; - SECStatus status; -@@ -1486,7 +1486,7 @@ Java_org_mozilla_jss_CryptoManager_impor - CERTSignedCrl *crl = NULL; - SECItem *packageItem = NULL; - int status = SECFailure; -- char *url; -+ char *url = NULL; - char *errmsg = NULL; - - /*************************************************** -@@ -1651,7 +1651,7 @@ JNIEXPORT jint JNICALL - 
Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env, - jobject self, jstring nickString, jboolean checkSig) - { -- SECStatus rv = SECFailure; -+ SECStatus VARIABLE_MAY_NOT_BE_USED rv = SECFailure; - SECCertificateUsage currUsage = 0x0000; - - rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage); -@@ -1736,7 +1736,6 @@ Java_org_mozilla_jss_CryptoManager_verif - SECStatus rv = SECFailure; - SECCertUsage certUsage; - SECItem *derCerts[2]; -- SECStatus status; - CERTCertificate **certArray = NULL; - CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); - -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c 2003-12-19 11:36:30.000000000 -0800 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c 2011-08-10 16:58:52.527501000 -0700 -@@ -358,7 +358,6 @@ Java_org_mozilla_jss_SecretDecoderRing_K - { - PK11SlotInfo *slot = NULL; - PK11SymKey *symk = NULL; -- SECStatus status; - - /* get the slot */ - if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS ) { -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c 2004-04-25 08:02:21.000000000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c 2011-08-11 09:40:34.001421000 -0700 -@@ -371,7 +371,7 @@ Java_org_mozilla_jss_crypto_PQGParams_pa - /*********************************************************************** - * Perform the verification. 
- */ -- if( PK11_PQG_VerifyParams(pParams, pVfy, &verifyResult) != PR_SUCCESS) { -+ if( PK11_PQG_VerifyParams(pParams, pVfy, &verifyResult) != SECSuccess) { - JSS_throw(env, OUT_OF_MEMORY_ERROR); - goto finish; - } -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c 2004-04-25 08:02:22.000000000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c 2011-08-10 18:30:07.942629000 -0700 -@@ -62,7 +62,7 @@ - JNIEXPORT jbyteArray JNICALL Java_org_mozilla_jss_pkcs11_PK11Cert_getEncoded - (JNIEnv *env, jobject this) - { -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - CERTCertificate *cert; - SECItem *derCert; - jbyteArray derArray=NULL; -@@ -118,9 +118,9 @@ finish: - JNIEXPORT jint JNICALL Java_org_mozilla_jss_pkcs11_PK11Cert_getVersion - (JNIEnv *env, jobject this) - { -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - CERTCertificate *cert; -- long lVersion; -+ long lVersion = 0; - - pThread = PR_AttachThread(PR_SYSTEM_THREAD, 0, NULL); - PR_ASSERT(pThread != NULL); -@@ -165,7 +165,7 @@ Java_org_mozilla_jss_pkcs11_PK11Cert_get - { - CERTCertificate *cert; - SECKEYPublicKey *pubk=NULL; -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - jobject pubKey=NULL; - - PR_ASSERT(env!=NULL && this!=NULL); -@@ -210,7 +210,7 @@ Java_org_mozilla_jss_pkcs11_CertProxy_re - (JNIEnv *env, jobject this) - { - CERTCertificate *cert; -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - - PR_ASSERT(env!=NULL && this!=NULL); - -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c 2004-04-25 08:02:22.000000000 -0700 -+++ 
alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c 2011-08-10 16:42:43.822494000 -0700 -@@ -73,7 +73,7 @@ Java_org_mozilla_jss_pkcs11_PK11Cipher_i - SECItem *iv=NULL; - PK11Context *context=NULL; - CK_ATTRIBUTE_TYPE op; -- jobject contextObj; -+ jobject contextObj = NULL; - - PR_ASSERT(env!=NULL && clazz!=NULL && keyObj!=NULL && algObj!=NULL); - -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2005-11-14 14:15:06.000000000 -0800 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-08-11 09:23:03.220470000 -0700 -@@ -207,7 +207,7 @@ finish: - } - #endif - --static void -+static void FUNCTION_MAY_NOT_BE_USED - print_secitem(SECItem *item) { - int i; - int online; -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-08-10 16:21:30.270767000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-08-10 18:33:11.773445000 -0700 -@@ -450,7 +450,7 @@ DumpItem(SECItem *item) - for (i=0; i < item->len; i++) { - printf(" %02x",data[i]); - } -- printf(" : 0x%08x %d\n", data, item->len); -+ printf(" : %8p %d\n", data, item->len); - } - - /********************************************************************** -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2006-02-22 17:21:42.000000000 -0800 -+++ 
alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-08-10 16:52:03.052910000 -0700 -@@ -562,7 +562,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp - jint keyLen, jbyteArray ivBA, jint usageEnum) - { - PK11SymKey *symKey=NULL; -- CK_MECHANISM_TYPE wrappingMech, keyTypeMech; -+ CK_MECHANISM_TYPE wrappingMech=0, keyTypeMech=0; - SECItem *wrappedKey=NULL, *iv=NULL, *param=NULL; - jobject keyObj=NULL; - SECKEYPrivateKey *wrappingKey=NULL; -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2004-04-25 08:02:22.000000000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-08-10 16:52:54.951857000 -0700 -@@ -88,7 +88,6 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD - PK11Context *context = NULL; - CK_MECHANISM_TYPE mech; - SECItem param; -- PK11SlotInfo *slot=NULL; - jobject contextObj=NULL; - - mech = JSS_getPK11MechFromAlg(env, algObj); -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c 2007-02-23 09:40:21.000000000 -0800 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c 2011-08-10 16:53:28.788823000 -0700 -@@ -254,7 +254,7 @@ Java_org_mozilla_jss_pkcs11_ModuleProxy_ - { - SECMODModule *module; - -- if (JSS_getPtrFromProxy(env, this, &module) != PR_SUCCESS) { -+ if (JSS_getPtrFromProxy(env, this, (void **)&module) != PR_SUCCESS) { - ASSERT_OUTOFMEM(env); - goto finish; - } -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c ---- 
patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c 2006-04-24 18:26:42.000000000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c 2011-08-10 18:34:20.954376000 -0700 -@@ -174,7 +174,7 @@ JNIEXPORT jobject JNICALL - Java_org_mozilla_jss_pkcs11_PK11PrivKey_getKeyType - (JNIEnv *env, jobject this) - { -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - SECKEYPrivateKey *privk; - KeyType keyType; - char* keyTypeFieldName; -@@ -259,7 +259,7 @@ Java_org_mozilla_jss_pkcs11_PrivateKeyPr - (JNIEnv *env, jobject this) - { - SECKEYPrivateKey *privk; -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - - PR_ASSERT(env!=NULL && this!=NULL); - -@@ -358,7 +358,6 @@ Java_org_mozilla_jss_pkcs11_PK11PrivKey_ - (JNIEnv *env, jobject this) - { - SECKEYPrivateKey *key = NULL; -- PK11SlotInfo *slot = NULL; - SECItem *idItem = NULL; - jbyteArray byteArray = NULL; - -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2006-02-22 17:21:42.000000000 -0800 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-08-10 18:35:04.390333000 -0700 -@@ -62,7 +62,7 @@ JNIEXPORT void JNICALL Java_org_mozilla_ - (JNIEnv *env, jobject this) - { - SECKEYPublicKey *pubk; -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - - PR_ASSERT(env!=NULL && this!=NULL); - -@@ -179,7 +179,7 @@ JNIEXPORT void JNICALL - Java_org_mozilla_jss_pkcs11_PK11PubKey_verifyKeyIsOnToken - (JNIEnv *env, jobject this, jobject token) - { -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - SECKEYPublicKey *key = NULL; - PK11SlotInfo *slot = NULL; - PK11SlotInfo *keySlot = NULL; -@@ -231,7 +231,7 @@ JNIEXPORT jobject JNICALL - Java_org_mozilla_jss_pkcs11_PK11PubKey_getKeyType - (JNIEnv *env, 
jobject this) - { -- PRThread *pThread; -+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; - SECKEYPublicKey *pubk; - KeyType keyType; - char* keyTypeFieldName; -@@ -454,7 +454,7 @@ get_public_key_info - { - SECKEYPublicKey *pubk; - jbyteArray byteArray=NULL; -- SECItem *item; -+ SECItem *item=NULL; - - PR_ASSERT(env!=NULL && this!=NULL); - -@@ -526,7 +526,6 @@ pubkFromRaw(JNIEnv *env, CK_KEY_TYPE typ - { - jobject pubkObj=NULL; - SECKEYPublicKey *pubk=NULL; -- SECStatus rv; - SECItem *pubkDER=NULL; - - /* validate args */ -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c 2005-01-28 11:16:11.000000000 -0800 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c 2011-08-10 18:36:05.252271000 -0700 -@@ -112,7 +112,7 @@ Java_org_mozilla_jss_pkcs11_PK11SecureRa - * "C" data members - */ - -- PRThread* pThread = NULL; -+ PRThread* VARIABLE_MAY_NOT_BE_USED pThread = NULL; - SECStatus status = PR_FALSE; - PK11SlotInfo* slot = NULL; - -@@ -262,7 +262,7 @@ Java_org_mozilla_jss_pkcs11_PK11SecureRa - * "C" data members - */ - -- PRThread* pThread = NULL; -+ PRThread* VARIABLE_MAY_NOT_BE_USED pThread = NULL; - SECStatus status = PR_FALSE; - - -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2006-04-03 16:09:49.000000000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-08-10 18:38:12.365145000 -0700 -@@ -319,7 +319,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de - (JNIEnv *env, jobject this, jobject certObject) - { - CERTCertificate *cert; -- SECStatus status; -+ SECStatus VARIABLE_MAY_NOT_BE_USED status; - - PR_ASSERT(env!=NULL && 
this!=NULL); - if(certObject == NULL) { -@@ -349,7 +349,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de - (JNIEnv *env, jobject this, jobject certObject) - { - CERTCertificate *cert; -- SECStatus status; -+ SECStatus VARIABLE_MAY_NOT_BE_USED status; - - PR_ASSERT(env!=NULL && this!=NULL); - if(certObject == NULL) { -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2004-04-25 08:02:22.000000000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2011-08-11 09:42:52.967282000 -0700 -@@ -233,7 +233,7 @@ Java_org_mozilla_jss_pkcs11_PK11SymKey_g - jfieldID typeField=NULL; - jobject typeObject=NULL; - -- if( JSS_PK11_getSymKeyPtr(env, this, &key) != SECSuccess ) { -+ if( JSS_PK11_getSymKeyPtr(env, this, &key) != PR_SUCCESS ) { - ASSERT_OUTOFMEM(env); - goto finish; - } -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2007-11-09 16:37:57.000000000 -0800 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-08-10 18:38:52.421104000 -0700 -@@ -961,9 +961,9 @@ JNIEXPORT jstring JNICALL Java_org_mozil - jstring keyType, jbyteArray P, jbyteArray Q, jbyteArray G) - { - PK11SlotInfo *slot; -- const char* c_subject; -+ const char* c_subject=NULL; - jboolean isCopy; -- unsigned char *b64request; -+ unsigned char *b64request=NULL; - SECItem p, q, g; - PQGParams *dsaParams=NULL; - const char* c_keyType; -@@ -1080,7 +1080,7 @@ GenerateCertRequest(JNIEnv *env, - SECStatus rv; - PRArenaPool *arena; - SECItem result_der, result; -- SECItem *blob; -+ SECItem * VARIABLE_MAY_NOT_BE_USED blob; - CK_MECHANISM_TYPE signMech; - CK_MECHANISM_TYPE keygenMech; - -diff -rupN 
patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c 2003-09-24 15:20:05.000000000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c 2011-08-10 16:57:42.991570000 -0700 -@@ -89,7 +89,6 @@ traverseTokenObjects - SECKEYPublicKeyList* pubkList = NULL; - PK11SymKey *symKey = NULL; - CERTCertList *certList = NULL; -- SECStatus secstat; - - /* - * Get all private keys -@@ -508,7 +507,6 @@ lookupCertByNickname(JNIEnv *env, jobjec - { - PK11SlotInfo *slot; - EngineGetCertificateCBInfo cbinfo = {NULL,NULL}; -- jbyteArray derCertBA = NULL; - PRStatus status = PR_FAILURE; - - if( alias == NULL ) goto finish; -@@ -813,7 +811,6 @@ Java_org_mozilla_jss_provider_java_secur - PK11SlotInfo *slot; - EngineGetCertificateCBInfo cbinfo = {NULL,NULL}; - jboolean retVal = JNI_FALSE; -- SECKEYPrivateKey *privk = NULL; - - if( alias == NULL ) goto finish; - -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-08-10 16:21:30.395765000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-08-10 17:05:15.363117000 -0700 -@@ -397,7 +397,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_getSo - { - PRSocketOptionData sockOptions; - JSSL_SocketData *sock = NULL; -- jint retval; -+ jint retval=-1; - PRStatus status; - - if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) { -@@ -874,7 +874,7 @@ JNIEXPORT jint JNICALL - Java_org_mozilla_jss_ssl_SSLSocket_socketAvailable( - JNIEnv *env, jobject self) - { -- jint available; -+ jint available=0; - JSSL_SocketData *sock = NULL; - - if( JSSL_getSockData(env, self, &sock) != 
PR_SUCCESS ) { -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2011-08-10 16:21:30.434766000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2011-08-11 09:44:12.310202000 -0700 -@@ -64,7 +64,7 @@ JSSL_throwSSLSocketException(JNIEnv *env - jmethodID excepCons; - jobject excepObj; - jstring msgString; -- jint result; -+ jint VARIABLE_MAY_NOT_BE_USED result; - - /* - * get the error code and error string -@@ -149,8 +149,8 @@ Java_org_mozilla_jss_ssl_SocketBase_sock - jbyteArray sdArray = NULL; - JSSL_SocketData *sockdata = NULL; - SECStatus status; -- PRFileDesc *newFD; -- PRFileDesc *tmpFD; -+ PRFileDesc *newFD = NULL; -+ PRFileDesc *tmpFD = NULL; - PRFilePrivate *priv = NULL; - int socketFamily = 0; - -@@ -627,7 +627,7 @@ Java_org_mozilla_jss_ssl_SocketBase_getS - SECStatus status = SECSuccess; - PRBool bOption = PR_FALSE; - -- if( JSSL_getSockData(env, self, &sock) != SECSuccess ) { -+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) { - goto finish; - } - -@@ -649,7 +649,7 @@ JSSL_getSockAddr - (JNIEnv *env, jobject self, PRNetAddr *addr, LocalOrPeer localOrPeer) - { - JSSL_SocketData *sock = NULL; -- PRStatus status; -+ PRStatus status=PR_FAILURE; - - /* get my fd */ - if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) { -@@ -893,7 +893,7 @@ JSS_SSL_processExceptions(JNIEnv *env, P - - finish: - if( currentExcep != NULL && (*env)->ExceptionOccurred(env) == NULL) { -- int ret = (*env)->Throw(env, currentExcep); -+ int VARIABLE_MAY_NOT_BE_USED ret = (*env)->Throw(env, currentExcep); - PR_ASSERT(ret == 0); - } - } -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-08-10 16:21:30.446765000 
-0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-08-10 17:03:48.769206000 -0700 -@@ -92,7 +92,7 @@ writebuf(JNIEnv *env, PRFileDesc *fd, jo - jmethodID getOutputStream, writeMethod; - jclass sockClass, osClass; - jobject outputStream; -- jint arrayLen; -+ jint arrayLen=-1; - PRInt32 retval; - - /* -@@ -211,7 +211,7 @@ jsock_write(PRFileDesc *fd, const PRIOVe - jobject sockObj; - JNIEnv *env; - jbyteArray outbufArray; -- PRInt32 retval; -+ PRInt32 retval=-1; - - if( GET_ENV(fd->secret->javaVM, env) ) goto finish; - -@@ -500,7 +500,7 @@ static PRInt32 - jsock_recv(PRFileDesc *fd, void *buf, PRInt32 amount, - PRIntn flags, PRIntervalTime timeout) - { -- PRInt32 retval; -+ PRInt32 retval=-1; - JNIEnv *env; - jobject sockObj; - jbyteArray byteArray; -@@ -637,7 +637,7 @@ getIntProperty(JNIEnv *env, jobject sock - { - jclass sockClass; - jmethodID method; -- jint retval; -+ jint retval=0; - - sockClass = (*env)->GetObjectClass(env, sock); - if( sockClass == NULL ) goto finish; -@@ -1001,12 +1001,6 @@ static const PRIOMethods jsockMethods = - (PRReservedFN) invalidInt - }; - --static const PRIOMethods* --getJsockMethods() --{ -- return &jsockMethods; --} -- - static void - jsockDestructor(PRFileDesc *fd) - { -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2004-04-25 08:02:29.000000000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-08-10 18:24:58.470937000 -0700 -@@ -115,7 +115,7 @@ void - JSS_throwMsg(JNIEnv *env, char *throwableClassName, char *message) { - - jclass throwableClass; -- jint result; -+ jint VARIABLE_MAY_NOT_BE_USED result; - - /* validate arguments */ - PR_ASSERT(env!=NULL && throwableClassName!=NULL && message!=NULL); -@@ -156,7 +156,7 @@ JSS_throw(JNIEnv *env, char *throwableCl - jclass throwableClass; - jobject 
throwable; - jmethodID constructor; -- jint result; -+ jint VARIABLE_MAY_NOT_BE_USED result; - - PR_ASSERT( (*env)->ExceptionOccurred(env) == NULL ); - -@@ -222,7 +222,9 @@ JSS_throw(JNIEnv *env, char *throwableCl - PRStatus - JSS_getPtrFromProxy(JNIEnv *env, jobject nativeProxy, void **ptr) - { -+#ifdef DEBUG - jclass nativeProxyClass; -+#endif - jclass proxyClass; - jfieldID byteArrayField; - jbyteArray byteArray; -@@ -745,7 +747,7 @@ JSS_trace(JNIEnv *env, jint level, char - void - JSS_assertOutOfMem(JNIEnv *env) - { -- jclass memErrClass; -+ jclass VARIABLE_MAY_NOT_BE_USED memErrClass; - jthrowable excep; - - PR_ASSERT(env != NULL); -@@ -804,7 +806,7 @@ JSS_SECItemToByteArray(JNIEnv *env, SECI - goto finish; - } - -- (*env)->SetByteArrayRegion(env, array, 0, item->len, item->data); -+ (*env)->SetByteArrayRegion(env, array, 0, item->len, (jbyte*)item->data); - - finish: - return array; -diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h ---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h 2004-04-25 08:02:29.000000000 -0700 -+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h 2011-08-11 18:12:56.926098000 -0700 -@@ -36,6 +36,19 @@ - #ifndef JSS_NATIVE_UTIL_H - #define JSS_NATIVE_UTIL_H - -+/* The following #defines are used to suppress undesired compiler warnings -+ * that have been deemed inappropriate. -+ * -+ * IMPORTANT: These are ONLY used on an "as-needed" basis! -+ */ -+#ifdef __GNUC__ -+#define FUNCTION_MAY_NOT_BE_USED __attribute__ ((unused)) -+#define VARIABLE_MAY_NOT_BE_USED __attribute__ ((unused)) -+#else -+#define FUNCTION_MAY_NOT_BE_USED -+#define VARIABLE_MAY_NOT_BE_USED -+#endif -+ - /* Need to include these first. - * #include - * #include diff --git a/SOURCES/jss-eliminate-native-coverity-defects.patch b/SOURCES/jss-eliminate-native-coverity-defects.patch deleted file mode 100644 index 68e0fad..0000000 
--- a/SOURCES/jss-eliminate-native-coverity-defects.patch
+++ /dev/null
@@ -1,253 +0,0 @@ -diff -rupN jss-4.2.6.orig/mozilla/security/coreconf/nsinstall/pathsub.c jss-4.2.6/mozilla/security/coreconf/nsinstall/pathsub.c ---- jss-4.2.6.orig/mozilla/security/coreconf/nsinstall/pathsub.c 2004-04-25 08:02:18.000000000 -0700 -+++ jss-4.2.6/mozilla/security/coreconf/nsinstall/pathsub.c 2011-09-17 18:37:39.875900000 -0700 -@@ -275,9 +275,11 @@ diagnosePath(const char * path) - rv = readlink(myPath, buf, sizeof buf); - if (rv < 0) { - perror("readlink"); -- buf[0] = 0; -- } else { -+ buf[0] = 0; -+ } else if ( rv < BUFSIZ ) { - buf[rv] = 0; -+ } else { -+ buf[BUFSIZ-1] = 0; - } - fprintf(stderr, "%s is a link to %s\n", myPath, buf); - } else if (S_ISDIR(sb.st_mode)) { -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-09-17 17:33:08.823975000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-09-17 20:09:35.446977000 -0700 -@@ -728,14 +728,14 @@ getPWFromCallback(PK11SlotInfo *slot, PR - } - - finish: -- if( (exception=(*env)->ExceptionOccurred(env)) != NULL) { - #ifdef DEBUG -+ if( (exception=(*env)->ExceptionOccurred(env)) != NULL) { - jclass giveupClass; - jmethodID printStackTrace; - jclass excepClass; --#endif -+ - (*env)->ExceptionClear(env); --#ifdef DEBUG -+ - giveupClass = (*env)->FindClass(env, GIVE_UP_EXCEPTION); - PR_ASSERT(giveupClass != NULL); - if( ! 
(*env)->IsInstanceOf(env, exception, giveupClass) ) { -@@ -746,8 +746,12 @@ finish: - PR_ASSERT( PR_FALSE ); - } - PR_ASSERT(returnchars==NULL); --#endif - } -+#else -+ if( ((*env)->ExceptionOccurred(env)) != NULL) { -+ (*env)->ExceptionClear(env); -+ } -+#endif - return returnchars; - } - -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-09-17 17:33:08.834976000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-09-19 16:51:46.438021000 -0700 -@@ -768,6 +768,10 @@ static int find_leaf_cert( - int *linked = NULL; - - linked = PR_Malloc( sizeof(int) * numCerts ); -+ if (linked == NULL) { -+ status = 0; -+ goto finish; -+ } - - /* initialize the bitmap */ - for (i = 0; i < numCerts; i++) { -@@ -1735,7 +1739,7 @@ Java_org_mozilla_jss_CryptoManager_verif - { - SECStatus rv = SECFailure; - SECCertUsage certUsage; -- SECItem *derCerts[2]; -+ SECItem *derCerts[2] = { NULL, NULL }; - CERTCertificate **certArray = NULL; - CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); - -@@ -1749,7 +1753,6 @@ Java_org_mozilla_jss_CryptoManager_verif - } - PR_ASSERT(certdb != NULL); - -- derCerts[0] = NULL; - derCerts[0] = JSS_ByteArrayToSECItem(env, packageArray); - derCerts[1] = NULL; - -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-17 17:33:08.708976000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-17 19:37:52.834292000 -0700 -@@ -235,7 +235,7 @@ static PRStatus - getAlgInfo(JNIEnv *env, jobject alg, JSS_AlgInfo *info) - { - jint index; -- PRStatus status; -+ PRStatus status = PR_FAILURE; - - PR_ASSERT(env!=NULL && alg!=NULL && info!=NULL); - -diff -rupN 
jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-09-17 17:33:08.970975000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-09-17 19:47:21.850722000 -0700 -@@ -181,7 +181,7 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD - PK11Context *context=NULL; - jbyte *bytes=NULL; - SECStatus status; -- unsigned int outLen; -+ unsigned int outLen = 0; - - if( JSS_PK11_getCipherContext(env, proxyObj, &context) != PR_SUCCESS) { - /* exception was thrown */ -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-09-17 17:33:09.013977000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-09-17 18:16:40.231161000 -0700 -@@ -273,6 +273,7 @@ Java_org_mozilla_jss_pkcs11_PK11PubKey_g - break; - case keaKey: - keyTypeFieldName = KEA_KEYTYPE_FIELD; -+ break; - default: - PR_ASSERT(PR_FALSE); - keyTypeFieldName = NULL_KEYTYPE_FIELD; -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-09-17 17:33:09.032977000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-09-17 19:48:57.776628000 -0700 -@@ -390,12 +390,6 @@ importPrivateKey - SECStatus status; - SECItem nickname; - -- keyType = JSS_PK11_getKeyType(env, keyTypeObj); -- if( keyType == nullKey ) { -- /* exception was thrown */ -- goto finish; -- } -- - /* - * initialize so we can goto finish - */ -@@ -403,6 +397,12 @@ importPrivateKey - derPK.len = 0; - - -+ keyType = JSS_PK11_getKeyType(env, 
keyTypeObj); -+ if( keyType == nullKey ) { -+ /* exception was thrown */ -+ goto finish; -+ } -+ - PR_ASSERT(env!=NULL && this!=NULL); - - if(keyArray == NULL) { -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-09-17 17:33:09.050976000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-09-17 19:53:46.184339000 -0700 -@@ -962,12 +962,12 @@ JNIEXPORT jstring JNICALL Java_org_mozil - { - PK11SlotInfo *slot; - const char* c_subject=NULL; -- jboolean isCopy; -+ jboolean isCopy = JNI_FALSE; - unsigned char *b64request=NULL; - SECItem p, q, g; - PQGParams *dsaParams=NULL; - const char* c_keyType; -- jboolean k_isCopy; -+ jboolean k_isCopy = JNI_FALSE; - SECOidTag signType = SEC_OID_UNKNOWN; - PK11RSAGenParams rsaParams; - void *params = NULL; -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-09-17 17:33:09.073977000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-09-17 19:56:20.428184000 -0700 -@@ -516,11 +516,6 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke - goto finish; - } - -- if( addrBAelems == NULL ) { -- ASSERT_OUTOFMEM(env); -- goto finish; -- } -- - if(addrBALen != 4 && addrBALen != 16) { - JSSL_throwSSLSocketException(env, "Invalid address in connect!"); - goto finish; -@@ -720,7 +715,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_getCi - { - JSSL_SocketData *sock=NULL; - SECStatus status; -- PRBool enabled; -+ PRBool enabled = PR_FAILURE; - - /* get the fd */ - if( JSSL_getSockData(env, sockObj, &sock) != PR_SUCCESS) { -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c ---- 
jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c 2004-09-03 11:32:03.000000000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c 2011-09-17 18:15:07.825252000 -0700 -@@ -684,17 +684,13 @@ JSSL_ConfirmExpiredPeerCert(void *arg, P - * Now check the name field in the cert against the desired hostname. - * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! - */ -- if( peerCert == NULL ) { -- rv = SECFailure; -+ char* hostname = NULL; -+ hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */ -+ if (hostname && hostname[0]) { -+ rv = CERT_VerifyCertName(peerCert, hostname); -+ PORT_Free(hostname); - } else { -- char* hostname = NULL; -- hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */ -- if (hostname && hostname[0]) { -- rv = CERT_VerifyCertName(peerCert, hostname); -- PORT_Free(hostname); -- } else { -- rv = SECFailure; -- } -+ rv = SECFailure; - } - } - -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-09-17 17:33:09.094977000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-09-17 19:16:38.546566000 -0700 -@@ -95,6 +95,10 @@ writebuf(JNIEnv *env, PRFileDesc *fd, jo - jint arrayLen=-1; - PRInt32 retval; - -+ if( env == NULL ) { -+ goto finish; -+ } -+ - /* - * get the OutputStream - */ -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c 2002-07-03 17:25:46.000000000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c 2011-09-18 23:02:28.130883000 -0700 -@@ -427,6 +427,7 @@ JSS_ConvertNativeErrcodeToJava(PRErrorCo - #endif - - key.native = nativeErrcode; -+ key.java = -1; - 
target = bsearch( &key, errcodeTable, numErrcodes, sizeof(Errcode), - errcodeCompare ); - -diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/jssutil.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c ---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-09-17 17:33:09.103977000 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-09-19 16:38:19.428634000 -0700 -@@ -529,7 +529,7 @@ JSS_wipeCharArray(char* array) - */ - static char* getPWFromConsole() - { -- char c; -+ int c; - char *ret; - int i; - char buf[200]; /* no buffer overflow: we bail after 200 chars */ diff --git a/SOURCES/jss-fixed-build-issue-on-F17-or-newer.patch b/SOURCES/jss-fixed-build-issue-on-F17-or-newer.patch deleted file mode 100644 index 6ffc952..0000000 --- a/SOURCES/jss-fixed-build-issue-on-F17-or-newer.patch +++ /dev/null 
@@ -1,23 +0,0 @@
-diff -rupN jss-4.2.6.orig/mozilla/security/coreconf/config.mk jss-4.2.6/mozilla/security/coreconf/config.mk
---- jss-4.2.6.orig/mozilla/security/coreconf/config.mk 2007-05-03 23:54:05.000000000 -0700
-+++ jss-4.2.6/mozilla/security/coreconf/config.mk 2013-07-22 18:42:19.000000000 -0700
-@@ -68,8 +68,19 @@ TARGET_OSES = FreeBSD BSD_OS NetBSD Open
- ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
- include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
- else
-+ifeq ($(OS_TARGET), Linux)
-+OS_RELEASE_VER_MAJOR := $(shell echo $(OS_RELEASE) | cut -f1 -d.)
-+OS_RELEASE_VER_MINOR := $(shell echo $(OS_RELEASE) | cut -f2 -d.)
-+OS_RELEASE_GT_2_6 := $(shell [ $(OS_RELEASE_VER_MAJOR) -ge 2 -o \( $(OS_RELEASE_VER_MAJOR) -eq 2 -a $(OS_RELEASE_VER_MINOR) -ge 6 \) ] && echo true)
-+ifeq ($(OS_RELEASE_GT_2_6),true)
-+include $(CORE_DEPTH)/coreconf/Linux2.6.mk
-+else
- include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
- endif
-+else
-+include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
-+endif
-+endif
-
- #######################################################################
- # [4.0] Master "Core Components" source and release tags #
diff --git a/SOURCES/jss-ipv6.patch b/SOURCES/jss-ipv6.patch
deleted file mode 100644
index 9fd5fb9..0000000
--- a/SOURCES/jss-ipv6.patch
+++ /dev/null
@@ -1,623 +0,0 @@
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/lib/jss.def jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/lib/jss.def 2009-06-24 17:08:59.784371000 -0700
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-06-19 17:56:00.000000000 -0700
-@@ -175,6 +175,7 @@ Java_org_mozilla_jss_ssl_SSLServerSocket
- Java_org_mozilla_jss_ssl_SSLSocket_forceHandshake;
- Java_org_mozilla_jss_ssl_SSLSocket_getKeepAlive;
- Java_org_mozilla_jss_ssl_SSLSocket_getLocalAddressNative;
-+Java_org_mozilla_jss_ssl_SocketBase_getLocalAddressByteArrayNative;
- Java_org_mozilla_jss_ssl_SSLSocket_getPort;
- Java_org_mozilla_jss_ssl_SSLSocket_getReceiveBufferSize;
- Java_org_mozilla_jss_ssl_SSLSocket_getSendBufferSize;
-@@ -199,6 +200,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- Java_org_mozilla_jss_ssl_SSLSocket_socketWrite;
- Java_org_mozilla_jss_ssl_SocketBase_getLocalPortNative;
- Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressNative;
-+Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressByteArrayNative;
- Java_org_mozilla_jss_ssl_SocketBase_setClientCertNicknameNative;
- Java_org_mozilla_jss_ssl_SocketBase_requestClientAuthNoExpiryCheckNative;
- Java_org_mozilla_jss_ssl_SocketBase_setSSLOption;
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java 2007-03-20 15:39:28.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java 2009-06-24 13:46:49.000000000 -0700
-@@ -36,7 +36,8 @@
-
- package org.mozilla.jss.ssl;
-
--import java.net.InetAddress;
-+import java.util.*;
-+import java.net.*;
- import java.io.IOException;
- import java.net.Socket;
- import java.net.SocketException;
-@@ -138,34 +139,34 @@ public class SSLServerSocket extends jav
- super.close();
-
- // create the socket
-+
-+ int
socketFamily = SocketBase.SSL_AF_INET;
-+ if(SocketBase.supportsIPV6()) {
-+ socketFamily = SocketBase.SSL_AF_INET6;
-+ }
-+
- sockProxy = new SocketProxy(
-- base.socketCreate(this, certApprovalCallback, null) );
-+ base.socketCreate(this, certApprovalCallback, null,socketFamily) );
-
- base.setProxy(sockProxy);
-
- setReuseAddress(reuseAddr);
-
-- // bind it to the local address and port
-- if( bindAddr == null ) {
-- bindAddr = anyLocalAddr;
-- }
- byte[] bindAddrBA = null;
- if( bindAddr != null ) {
- bindAddrBA = bindAddr.getAddress();
- }
- base.socketBind(bindAddrBA, port);
-+
-+ String hostName = null;
-+ if(bindAddr != null) {
-+ hostName = bindAddr.getCanonicalHostName();
-+ }
- socketListen(backlog);
- }
-
- private native void socketListen(int backlog) throws SocketException;
-
-- private static InetAddress anyLocalAddr;
-- static {
-- try {
-- anyLocalAddr = InetAddress.getByName("0.0.0.0");
-- } catch (java.net.UnknownHostException e) { }
-- }
--
- /**
- * Accepts a connection. This call will block until a connection is made
- * or the timeout is reached.
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2007-05-08 18:40:14.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2009-06-24 13:27:15.000000000 -0700
-@@ -460,10 +460,15 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- JSSL_SocketData *sock;
- PRNetAddr addr;
- jbyte *addrBAelems = NULL;
-+ int addrBALen = 0;
- PRStatus status;
- int stat;
- const char *hostnameStr=NULL;
-
-+ jmethodID supportsIPV6ID;
-+ jclass socketBaseClass;
-+ jboolean supportsIPV6 = 0;
-+
- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) {
- /* exception was thrown */
- goto finish;
-@@ -472,16 +477,32 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- /*
- * setup the PRNetAddr structure
- */
-- addr.inet.family = AF_INET;
-- addr.inet.port = htons(port);
-- PR_ASSERT(sizeof(addr.inet.ip) == 4);
-- PR_ASSERT( (*env)->GetArrayLength(env, addrBA) == 4);
-+
-+ socketBaseClass = (*env)->FindClass(env, SOCKET_BASE_NAME);
-+ if( socketBaseClass == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+ supportsIPV6ID = (*env)->GetStaticMethodID(env, socketBaseClass,
-+ SUPPORTS_IPV6_NAME, SUPPORTS_IPV6_SIG);
-+
-+ if( supportsIPV6ID == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+
-+ supportsIPV6 = (*env)->CallStaticBooleanMethod(env, socketBaseClass,
-+ supportsIPV6ID);
-+
- addrBAelems = (*env)->GetByteArrayElements(env, addrBA, NULL);
-+ addrBALen = (*env)->GetArrayLength(env, addrBA);
-+
-+ PR_ASSERT(addrBALen != 0);
-+
- if( addrBAelems == NULL ) {
- ASSERT_OUTOFMEM(env);
- goto finish;
- }
-- memcpy(&addr.inet.ip, addrBAelems, 4);
-
- /*
- * Tell SSL the URL we think we want to connect to.
-@@ -495,6 +516,38 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- goto finish;
- }
-
-+ if( addrBAelems == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+
-+ if(addrBALen != 4 && addrBALen != 16) {
-+ JSSL_throwSSLSocketException(env, "Invalid address in connect!");
-+ goto finish;
-+ }
-+
-+ if( addrBALen == 4) {
-+ addr.inet.family = AF_INET;
-+ addr.inet.port = PR_htons(port);
-+ memcpy(&addr.inet.ip, addrBAelems, 4);
-+
-+ if(supportsIPV6) {
-+ addr.ipv6.family = AF_INET6;
-+ addr.ipv6.port = PR_htons(port);
-+ PR_ConvertIPv4AddrToIPv6(addr.inet.ip,&addr.ipv6.ip);
-+ }
-+
-+ } else { /* Must be 16 and ipv6 */
-+ if(supportsIPV6) {
-+ addr.ipv6.family = AF_INET6;
-+ addr.ipv6.port = PR_htons(port);
-+ memcpy(&addr.ipv6.ip,addrBAelems, 16);
-+ } else {
-+ JSSL_throwSSLSocketException(env, "Invalid address in connect!");
-+ goto finish;
-+ }
-+ }
-+
- /*
- * make the connect call
- */
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2007-05-08 18:40:14.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2009-06-24 13:45:59.000000000 -0700
-@@ -243,11 +243,16 @@ public class SSLSocket extends java.net.
- SSLClientCertificateSelectionCallback clientCertSelectionCallback)
- throws IOException
- {
-+
-+ int socketFamily = SocketBase.SSL_AF_INET;
-+ if(SocketBase.supportsIPV6()) {
-+ socketFamily = SocketBase.SSL_AF_INET6;
-+ }
- // create the socket
- sockProxy =
- new SocketProxy(
- base.socketCreate(
-- this, certApprovalCallback, clientCertSelectionCallback) );
-+ this, certApprovalCallback, clientCertSelectionCallback,socketFamily) );
-
- base.setProxy(sockProxy);
-
-@@ -288,7 +293,7 @@ public class SSLSocket extends java.net.
- new SocketProxy(
- base.socketCreate(
- this, certApprovalCallback, clientCertSelectionCallback,
-- s, host ) );
-+ s, host,SocketBase.SSL_AF_INET ) );
-
- base.setProxy(sockProxy);
- resetHandshake();
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2007-03-20 15:39:28.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2009-06-24 13:50:32.000000000 -0700
-@@ -70,16 +70,16 @@ class SocketBase {
- native byte[] socketCreate(Object socketObject,
- SSLCertificateApprovalCallback certApprovalCallback,
- SSLClientCertificateSelectionCallback clientCertSelectionCallback,
-- java.net.Socket javaSock, String host)
-+ java.net.Socket javaSock, String host,int family)
- throws SocketException;
-
- byte[] socketCreate(Object socketObject,
- SSLCertificateApprovalCallback certApprovalCallback,
-- SSLClientCertificateSelectionCallback clientCertSelectionCallback)
-+ SSLClientCertificateSelectionCallback clientCertSelectionCallback,int family)
- throws SocketException
- {
- return socketCreate(socketObject, certApprovalCallback,
-- clientCertSelectionCallback, null, null);
-+ clientCertSelectionCallback, null, null,family);
- }
-
- native void socketBind(byte[] addrBA, int port) throws SocketException;
-@@ -115,6 +115,10 @@ class SocketBase {
- static final int SSL_REQUIRE_FIRST_HANDSHAKE = 20;
- static final int SSL_REQUIRE_NO_ERROR = 21;
-
-+
-+ static final int SSL_AF_INET = 50;
-+ static final int SSL_AF_INET6 = 51;
-+
- void close() throws IOException {
- socketClose();
- }
-@@ -281,13 +285,25 @@ class SocketBase {
- return in;
- }
-
-+ private native byte[] getLocalAddressByteArrayNative() throws SocketException;
-+ private native byte[] getPeerAddressByteArrayNative() throws SocketException;
- /**
- * @return the InetAddress of the peer end of the
socket.
- */
- InetAddress getInetAddress()
- {
- try {
-- return convertIntToInetAddress( getPeerAddressNative() );
-+ byte[] address = getPeerAddressByteArrayNative();
-+
-+ InetAddress iAddr = null;
-+
-+ try {
-+
-+ iAddr = InetAddress.getByAddress(address);
-+ } catch(UnknownHostException e) {
-+ }
-+
-+ return iAddr;
- } catch(SocketException e) {
- return null;
- }
-@@ -299,7 +315,17 @@ class SocketBase {
- */
- InetAddress getLocalAddress() {
- try {
-- return convertIntToInetAddress( getLocalAddressNative() );
-+ byte[] address = getLocalAddressByteArrayNative();
-+
-+ InetAddress lAddr = null;
-+
-+ try {
-+
-+ lAddr = InetAddress.getByAddress(address);
-+ } catch(UnknownHostException e) {
-+ }
-+
-+ return lAddr;
- } catch(SocketException e) {
- return null;
- }
-@@ -378,4 +404,45 @@ class SocketBase {
- return topException;
- }
- }
-+
-+ static private int supportsIPV6 = -1;
-+ static boolean supportsIPV6() {
-+
-+ if(supportsIPV6 >= 0) {
-+ if(supportsIPV6 > 0) {
-+ return true;
-+ } else {
-+ return false;
-+ }
-+ }
-+
-+ Enumeration netInter;
-+ try {
-+ netInter = NetworkInterface.getNetworkInterfaces();
-+ } catch (SocketException e) {
-+
-+ return false;
-+ }
-+ while ( netInter.hasMoreElements() )
-+ {
-+ NetworkInterface ni = (NetworkInterface)netInter.nextElement();
-+ Enumeration addrs = ni.getInetAddresses();
-+ while ( addrs.hasMoreElements() )
-+ {
-+ Object o = addrs.nextElement();
-+ if ( o.getClass() == InetAddress.class ||
-+ o.getClass() == Inet4Address.class ||
-+ o.getClass() == Inet6Address.class )
-+ {
-+ InetAddress iaddr = (InetAddress) o;
-+ if(o.getClass() == Inet6Address.class) {
-+ supportsIPV6 = 1;
-+ return true;
-+ }
-+ }
-+ }
-+ }
-+ supportsIPV6 = 0;
-+ return false;
-+ }
- }
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/common.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2007-04-24 11:34:58.000000000
-0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2009-06-24 14:22:02.000000000 -0700
-@@ -33,7 +33,6 @@
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
--
- #include
- #include
- #include
-@@ -51,6 +50,9 @@
- #include
- #endif
-
-+#define SSL_AF_INET 50
-+#define SSL_AF_INET6 51
-+
- void
- JSSL_throwSSLSocketException(JNIEnv *env, char *message)
- {
-@@ -142,7 +144,7 @@ finish:
- JNIEXPORT jbyteArray JNICALL
- Java_org_mozilla_jss_ssl_SocketBase_socketCreate(JNIEnv *env, jobject self,
- jobject sockObj, jobject certApprovalCallback,
-- jobject clientCertSelectionCallback, jobject javaSock, jstring host)
-+ jobject clientCertSelectionCallback, jobject javaSock, jstring host,jint family)
- {
- jbyteArray sdArray = NULL;
- JSSL_SocketData *sockdata = NULL;
-@@ -150,10 +152,21 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
- PRFileDesc *newFD;
- PRFileDesc *tmpFD;
- PRFilePrivate *priv = NULL;
-+ int socketFamily = 0;
-+
-+ if (family != SSL_AF_INET6 && family != SSL_AF_INET) {
-+ JSSL_throwSSLSocketException(env,
-+ "socketCreate() Invalid family!");
-+ goto finish;
-+ }
-+ if( family == SSL_AF_INET)
-+ socketFamily = PR_AF_INET;
-+ else
-+ socketFamily = PR_AF_INET6;
-
- if( javaSock == NULL ) {
- /* create a TCP socket */
-- newFD = PR_NewTCPSocket();
-+ newFD = PR_OpenTCPSocket(socketFamily);
- if( newFD == NULL ) {
- JSSL_throwSSLSocketException(env,
- "PR_NewTCPSocket() returned NULL");
-@@ -394,10 +407,10 @@ PRInt32 JSSL_enums[] = {
- SSL_REQUIRE_ALWAYS, /* 19 */ /* ssl.h */
- SSL_REQUIRE_FIRST_HANDSHAKE,/* 20 */ /* ssl.h */
- SSL_REQUIRE_NO_ERROR, /* 21 */ /* ssl.h */
--
- 0
- };
-
-+
- JNIEXPORT void JNICALL
- Java_org_mozilla_jss_ssl_SocketBase_socketBind
- (JNIEnv *env, jobject self, jbyteArray addrBA, jint port)
-@@ -405,8 +418,13 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
- JSSL_SocketData *sock;
- PRNetAddr addr;
- jbyte *addrBAelems = NULL;
-+ int addrBALen = 0;
- PRStatus status;
-
-+ jmethodID supportsIPV6ID;
-+ jclass socketBaseClass;
-+ jboolean supportsIPV6 = 0;
-+
- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) {
- /* exception was thrown */
- goto finish;
-@@ -415,19 +433,72 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
- /*
- * setup the PRNetAddr structure
- */
-- addr.inet.family = AF_INET;
-- addr.inet.port = htons(port);
-+
-+ /*
-+ * Do we support IPV6?
-+ */
-+
-+ socketBaseClass = (*env)->FindClass(env, SOCKET_BASE_NAME);
-+ if( socketBaseClass == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+ supportsIPV6ID = (*env)->GetStaticMethodID(env, socketBaseClass,
-+ SUPPORTS_IPV6_NAME, SUPPORTS_IPV6_SIG);
-+
-+ if( supportsIPV6ID == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+
-+ supportsIPV6 = (*env)->CallStaticBooleanMethod(env, socketBaseClass,
-+ supportsIPV6ID);
-+
-+ memset( &addr, 0, sizeof( PRNetAddr ));
-+
- if( addrBA != NULL ) {
-- PR_ASSERT(sizeof(addr.inet.ip) == 4);
-- PR_ASSERT( (*env)->GetArrayLength(env, addrBA) == 4);
- addrBAelems = (*env)->GetByteArrayElements(env, addrBA, NULL);
-+ addrBALen = (*env)->GetArrayLength(env, addrBA);
-+
- if( addrBAelems == NULL ) {
- ASSERT_OUTOFMEM(env);
- goto finish;
- }
-- memcpy(&addr.inet.ip, addrBAelems, 4);
-+
-+ if(addrBALen != 4 && addrBALen != 16) {
-+ JSS_throwMsgPrErr(env, BIND_EXCEPTION,
-+ "Invalid address in bind!");
-+ goto finish;
-+ }
-+
-+ if( addrBALen == 4) {
-+ addr.inet.family = PR_AF_INET;
-+ addr.inet.port = PR_htons(port);
-+ memcpy(&addr.inet.ip, addrBAelems, 4);
-+
-+ if(supportsIPV6) {
-+ addr.inet.family = PR_AF_INET6;
-+ addr.ipv6.port = PR_htons(port);
-+ PR_ConvertIPv4AddrToIPv6(addr.inet.ip,&addr.ipv6.ip);
-+ }
-+
-+ } else { /* Must be 16 and ipv6 */
-+ if(supportsIPV6) {
-+ addr.ipv6.family = PR_AF_INET6;
-+ addr.ipv6.port = PR_htons(port);
-+ memcpy(&addr.ipv6.ip,addrBAelems, 16);
-+ } else {
-+ JSS_throwMsgPrErr(env, BIND_EXCEPTION,
-+ "Invalid address in bind!");
-+ goto finish;
-+ }
-+ }
- } else {
-- addr.inet.ip
= PR_htonl(INADDR_ANY);
-+ if(supportsIPV6) {
-+ status = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr);
-+ } else {
-+ status = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET, port, &addr);
-+ }
- }
-
- /* do the bind() call */
-@@ -601,6 +672,78 @@ finish:
- return status;
- }
-
-+JNIEXPORT jbyteArray JNICALL
-+Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressByteArrayNative
-+ (JNIEnv *env, jobject self)
-+{
-+ jbyteArray byteArray=NULL;
-+ PRNetAddr addr;
-+ jbyte *address=NULL;
-+ int size=4;
-+
-+ if( JSSL_getSockAddr(env, self, &addr, PEER_SOCK) != PR_SUCCESS) {
-+ goto finish;
-+ }
-+
-+ if( PR_NetAddrFamily(&addr) == PR_AF_INET6) {
-+ size = 16;
-+ address = (jbyte *) &addr.ipv6.ip;
-+ } else {
-+ address = (jbyte *) &addr.inet.ip;
-+ }
-+
-+ byteArray = (*env)->NewByteArray(env,size);
-+ if(byteArray == NULL) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+ (*env)->SetByteArrayRegion(env, byteArray, 0,size ,address);
-+ if( (*env)->ExceptionOccurred(env) != NULL) {
-+ PR_ASSERT(PR_FALSE);
-+ goto finish;
-+ }
-+
-+finish:
-+ return byteArray;
-+}
-+
-+JNIEXPORT jbyteArray JNICALL
-+Java_org_mozilla_jss_ssl_SocketBase_getLocalAddressByteArrayNative
-+ (JNIEnv *env, jobject self)
-+{
-+ jbyteArray byteArray=NULL;
-+ PRNetAddr addr;
-+ jbyte *address=NULL;
-+ int size=4;
-+
-+ if( JSSL_getSockAddr(env, self, &addr, LOCAL_SOCK) != PR_SUCCESS) {
-+ goto finish;
-+ }
-+
-+ if( PR_NetAddrFamily(&addr) == PR_AF_INET6) {
-+ size = 16;
-+ address = (jbyte *) &addr.ipv6.ip;
-+ } else {
-+ address = (jbyte *) &addr.inet.ip;
-+ }
-+
-+ byteArray = (*env)->NewByteArray(env,size);
-+ if(byteArray == NULL) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+ (*env)->SetByteArrayRegion(env, byteArray, 0,size,address);
-+ if( (*env)->ExceptionOccurred(env) != NULL) {
-+ PR_ASSERT(PR_FALSE);
-+ goto finish;
-+ }
-+
-+finish:
-+ return byteArray;
-+}
-+
-+/* Leave the original versions of these functions for compatibility */
-+
- JNIEXPORT jint JNICALL
-
Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressNative
- (JNIEnv *env, jobject self)
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2007-04-24 11:34:58.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2009-06-24 13:43:13.000000000 -0700
-@@ -290,6 +290,7 @@ getInetAddress(PRFileDesc *fd, PRNetAddr
- jobject inetAddress;
- jbyteArray addrByteArray;
- jint port;
-+ int addrBALen = 0;
-
- if( GET_ENV(fd->secret->javaVM, env) ) goto finish;
-
-@@ -377,8 +378,9 @@ getInetAddress(PRFileDesc *fd, PRNetAddr
-
- memset(addr, 0, sizeof(PRNetAddr));
-
-- /* we only handle IPV4 */
-- PR_ASSERT( (*env)->GetArrayLength(env, addrByteArray) == 4 );
-+ addrBALen = (*env)->GetArrayLength(env, addrByteArray);
-+
-+ PR_ASSERT( (addrBALen == 4) || (addrBALen == 16 ) );
-
- /* make sure you release them later */
- addrBytes = (*env)->GetByteArrayElements(env, addrByteArray, NULL);
-@@ -388,9 +390,16 @@ getInetAddress(PRFileDesc *fd, PRNetAddr
- }
-
- /* ip field is in network byte order */
-- memcpy( (void*) &addr->inet.ip, addrBytes, 4);
-- addr->inet.family = PR_AF_INET;
-- addr->inet.port = port;
-+
-+ if (addrBALen == 4) {
-+ memcpy( (void*) &addr->inet.ip, addrBytes, 4);
-+ addr->inet.family = PR_AF_INET;
-+ addr->inet.port = port;
-+ } else {
-+ memcpy( (void*) &addr->ipv6.ip,addrBytes, 16);
-+ addr->inet.family = PR_AF_INET6;
-+ addr->inet.port = port;
-+ }
-
- (*env)->ReleaseByteArrayElements(env, addrByteArray, addrBytes,
- JNI_ABORT);
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2006-02-22 17:21:52.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2009-06-19
17:56:00.000000000 -0700
-@@ -312,6 +312,8 @@ PR_BEGIN_EXTERN_C
- #define SOCKET_BASE_NAME "org/mozilla/jss/ssl/SocketBase"
- #define PROCESS_EXCEPTIONS_NAME "processExceptions"
- #define PROCESS_EXCEPTIONS_SIG "(Ljava/lang/Throwable;Ljava/lang/Throwable;)Ljava/lang/Throwable;"
-+#define SUPPORTS_IPV6_NAME "supportsIPV6"
-+#define SUPPORTS_IPV6_SIG "()Z"
-
- /*
- * SSLCertificateApprovalCallback
diff --git a/SOURCES/jss-javadocs-param.patch b/SOURCES/jss-javadocs-param.patch
deleted file mode 100644
index 5cf92e3..0000000
--- a/SOURCES/jss-javadocs-param.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java.orig 2008-01-18 16:39:46.000000000 -0500
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2009-06-05 11:08:54.000000000 -0400
-@@ -116,7 +116,9 @@
- }
- /**
- *
-- * @param
-+ * @param key
-+ * @param kg
-+ * @return
- */
- public javax.crypto.SecretKey genSecretKey(String keyType, String provider){
- javax.crypto.SecretKey key = null;
diff --git a/SOURCES/jss-key_pair_usage_with_op_flags.patch b/SOURCES/jss-key_pair_usage_with_op_flags.patch
deleted file mode 100644
index a7ca9df..0000000
--- a/SOURCES/jss-key_pair_usage_with_op_flags.patch
+++ /dev/null
@@ -1,544 +0,0 @@
-diff -rupN jss-4.2.5/mozilla/security/jss/lib/jss.def jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.5/mozilla/security/jss/lib/jss.def 2007-05-08 18:40:14.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-05-30 01:57:48.000000000 -0700
-@@ -316,3 +316,12 @@ Java_org_mozilla_jss_ssl_SSLSocket_isFip
- ;+ local:
- ;+ *;
- ;+};
-+;+JSS_4.2.6 { # JSS 4.2.6 release
-+;+ global:
-+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags;
-+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags;
-+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
-+;+ local:
-+;+ *;
-+;+};
-+
-diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2005-11-14 14:15:06.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2009-05-22 07:40:14.000000000 -0700
-@@ -81,7 +81,6 @@ public class KeyPairGenerator {
- genKeyPair() throws TokenException {
- return engine.generateKeyPair();
- }
--
- /**
- * @return The type of key that this generator generates.
- */
-@@ -192,6 +191,15 @@ public class KeyPairGenerator {
- engine.extractablePairs(extractable);
- }
-
-+ public void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages,
-+ KeyPairGeneratorSpi.Usage[] usages_mask) {
-+ engine.setKeyPairUsages(usages,usages_mask);
-+ }
-+
-+
-+
-+
-+
- protected KeyPairAlgorithm algorithm;
- protected KeyPairGeneratorSpi engine;
- }
-diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java
---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2005-11-14 14:15:06.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2009-05-30 03:24:31.000000000 -0700
-@@ -60,4 +60,38 @@ public abstract class KeyPairGeneratorSp
- public abstract void extractablePairs(boolean extractable);
-
- public abstract boolean keygenOnInternalToken();
-+
-+ /**
-+ * In PKCS #11, each keypair can be marked with the operations it will
-+ * be used to perform. Some tokens require that a key be marked for
-+ * an operation before the key can be used to perform that operation;
-+ * other tokens don't care. NSS provides a way to specify a set of
-+ * flags and a corresponding mask for these flags. If a specific usage
-+ * is desired set the value for that usage. If it is not set, let NSS
-+ * behave in it's default fashion. If a behavior is desired, also set
-+ * that behavior in the mask as well as the flags.
-+ *
-+ */
-+ public final static class Usage {
-+ private Usage() { }
-+ private Usage(int val) { this.val = val;}
-+ private int val;
-+
-+ public int getVal() { return val; }
-+
-+ // these enums must match the
-+ // and the opFlagForUsage list in PK11KeyPairGenerator.java
-+ public static final Usage ENCRYPT = new Usage(0);
-+ public static final Usage DECRYPT = new Usage(1);
-+ public static final Usage SIGN = new Usage(2);
-+ public static final Usage SIGN_RECOVER = new Usage(3);
-+ public static final Usage VERIFY = new Usage(4);
-+ public static final Usage VERIFY_RECOVER = new Usage(5);
-+ public static final Usage WRAP = new Usage(6);
-+ public static final Usage UNWRAP = new Usage(7);
-+ public static final Usage DERIVE = new Usage(8);
-+ }
-+
-+ public abstract void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages,
-+ KeyPairGeneratorSpi.Usage[] usages_mask);
- }
-diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2006-02-22 17:21:42.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2009-06-02 10:36:46.819581000 -0700
-@@ -120,13 +120,11 @@ finish:
-
- int PK11_NumberObjectsFor(PK11SlotInfo*, CK_ATTRIBUTE*, int);
-
--/*
-- * make a common key gen function for both this file and PK11Token.c
-- */
- SECStatus
--JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
-+JSS_PK11_generateKeyPairWithOpFlags(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
- PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk,
-- void *params, PRBool temporary, jint sensitive, jint extractable)
-+ void *params, PRBool temporary, jint sensitive, jint extractable,
-+ jint op_flags, jint op_flags_mask)
- {
- PK11AttrFlags attrFlags = 0;
- *privk=NULL;
-@@ -173,12 +171,16 @@ JSS_PK11_generateKeyPair(JNIEnv *env, CK
-
} else {
- attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC);
- }
-- *privk = PK11_GenerateKeyPairWithFlags(slot,
-+
-+ *privk = PK11_GenerateKeyPairWithOpFlags(slot,
- mechanism,
- params,
- pubk,
- attrFlags,
-+ (CK_FLAGS) op_flags,
-+ (CK_FLAGS) op_flags_mask/* the ones we don't want*/,
- NULL /* default PW callback */ );
-+
- if( *privk == NULL ) {
- int errLength;
- char *errBuf;
-@@ -217,13 +219,28 @@ finish:
- return SECFailure;
- }
-
-+/*
-+ * make a common key gen function for both this file and PK11Token.c
-+ */
-+SECStatus
-+JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
-+ PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk,
-+ void *params, PRBool temporary, jint sensitive, jint extractable)
-+{
-+
-+ return JSS_PK11_generateKeyPairWithOpFlags(env, mechanism, slot, pubk, privk, params, temporary, sensitive, extractable, 0, 0);
-+}
-+
-+
- /**********************************************************************
-- * Local generic helper
-+ * Local generic helpers
- */
-+
- static jobject
--PK11KeyPairGenerator(JNIEnv *env, jobject this, jobject token,
-+PK11KeyPairGeneratorWithOpFlags(JNIEnv *env, jobject this, jobject token,
- CK_MECHANISM_TYPE mechanism, void *params,
-- jboolean temporary, jint sensitive, jint extractable)
-+ jboolean temporary, jint sensitive, jint extractable,
-+ jint op_flags, jint op_flags_mask)
- {
- PK11SlotInfo* slot;
- SECKEYPrivateKey *privk=NULL;
-@@ -242,8 +259,8 @@ PK11KeyPairGenerator(JNIEnv *env, jobjec
- }
- PR_ASSERT(slot != NULL);
-
-- rv = JSS_PK11_generateKeyPair(env, mechanism, slot, &pubk, &privk,
-- params, temporary, sensitive, extractable);
-+ rv = JSS_PK11_generateKeyPairWithOpFlags(env, mechanism, slot, &pubk, &privk,
-+ params, temporary, sensitive, extractable, op_flags, op_flags_mask);
- if (rv != SECSuccess) {
- goto finish;
- }
-@@ -267,6 +284,16 @@ finish:
- return keyPair;
- }
-
-+static jobject
-+PK11KeyPairGenerator(JNIEnv *env, jobject this, jobject token,
-+ CK_MECHANISM_TYPE mechanism, void *params,
-+ jboolean temporary, jint sensitive, jint extractable)
-+{
-+ return PK11KeyPairGeneratorWithOpFlags(env, this, token, mechanism, params, temporary, sensitive, extractable, 0, 0);
-+}
-+
-+
-+
- /**********************************************************************
- * PK11KeyPairGenerator.generateRSAKeyPair
- */
-@@ -289,6 +316,30 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
- ¶ms, temporary, sensitive, extractable);
- }
-
-+/**********************************************************************
-+ * PK11KeyPairGenerator.generateRSAKeyPairWithOpFlags
-+ */
-+JNIEXPORT jobject JNICALL
-+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags
-+ (JNIEnv *env, jobject this, jobject token, jint keySize, jlong publicExponent,
-+ jboolean temporary, jint sensitive, jint extractable,
-+ jint op_flags, jint op_flags_mask)
-+{
-+ PK11RSAGenParams params;
-+
-+ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL);
-+
-+ /**************************************************
-+ * setup parameters
-+ *************************************************/
-+ params.keySizeInBits = keySize;
-+ params.pe = publicExponent;
-+
-+ return PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_RSA_PKCS_KEY_PAIR_GEN,
-+ ¶ms, temporary, sensitive, extractable, op_flags, op_flags_mask);
-+}
-+
-+
- #define ZERO_SECITEM(item) {(item).len=0; (item).data=NULL;}
-
- /**********************************************************************
-@@ -339,6 +390,57 @@ finish:
- return keyPair;
- }
-
-+/**********************************************************************
-+ *
-+ * PK11KeyPairGenerator.generateDSAKeyPair
-+ *
-+ */
-+JNIEXPORT jobject JNICALL
-+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags
-+ (JNIEnv *env, jobject this, jobject token, jbyteArray P, jbyteArray Q,
-+ jbyteArray G, jboolean temporary, jint sensitive, jint extractable,
-+ jint op_flags, jint op_flags_mask)
-+{
-+ SECItem p, q, g;
-+ PQGParams *params=NULL;
-+ jobject keyPair=NULL;
-+
-+ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL && P!=NULL && Q!=NULL
-+ && G!=NULL);
-+
-+ /* zero these so we can free them indiscriminately later */
-+ ZERO_SECITEM(p);
-+ ZERO_SECITEM(q);
-+ ZERO_SECITEM(g);
-+
-+ /**************************************************
-+ * Setup the parameters
-+ *************************************************/
-+ if( JSS_ByteArrayToOctetString(env, P, &p) ||
-+ JSS_ByteArrayToOctetString(env, Q, &q) ||
-+ JSS_ByteArrayToOctetString(env, G, &g) )
-+ {
-+ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
-+ goto finish;
-+ }
-+ params = PK11_PQG_NewParams(&p, &q, &g);
-+ if(params == NULL) {
-+ JSS_throw(env, OUT_OF_MEMORY_ERROR);
-+ goto finish;
-+ }
-+ keyPair = PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_DSA_KEY_PAIR_GEN,
-+ params, temporary, sensitive, extractable,
-+ op_flags, op_flags_mask);
-+
-+finish:
-+ SECITEM_FreeItem(&p, PR_FALSE);
-+ SECITEM_FreeItem(&q, PR_FALSE);
-+ SECITEM_FreeItem(&g, PR_FALSE);
-+ PK11_PQG_DestroyParams(params);
-+ return keyPair;
-+}
-+
-+
- void
- DumpItem(SECItem *item)
- {
-@@ -361,6 +463,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
- (JNIEnv *env, jobject this, jobject token, jbyteArray Curve,
- jboolean temporary, jint sensitive, jint extractable)
- {
-+
- SECItem curve;
- jobject keyPair=NULL;
-
-@@ -385,3 +488,39 @@ finish:
- SECITEM_FreeItem(&curve, PR_FALSE);
- return keyPair;
- }
-+
-+/**********************************************************************
-+ *
-+ * PK11KeyPairGenerator.generateECKeyPairWithOpFlags
-+ *
-+ */
-+JNIEXPORT jobject JNICALL
-+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags
-+ (JNIEnv *env, jobject this, jobject token, jbyteArray Curve,
-+ jboolean temporary, jint sensitive, jint extractable,
-+ jint op_flags, jint op_flags_mask)
-+{
-+ SECItem curve;
-+ jobject keyPair=NULL;
-+
-+ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL && Curve!=NULL );
-+
-+
/* zero these so we can free them indiscriminately later */ -+ ZERO_SECITEM(curve); -+ -+ /************************************************** -+ * Setup the parameters -+ *************************************************/ -+ if( JSS_ByteArrayToOctetString(env, Curve, &curve)) -+ { -+ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL); -+ goto finish; -+ } -+ keyPair = PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_EC_KEY_PAIR_GEN, -+ &curve, temporary, sensitive, extractable, -+ op_flags, op_flags_mask); -+ -+finish: -+ SECITEM_FreeItem(&curve, PR_FALSE); -+ return keyPair; -+} -diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java ---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2006-02-22 17:21:42.000000000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2009-05-30 05:30:25.000000000 -0700 -@@ -55,6 +55,39 @@ public final class PK11KeyPairGenerator - extends org.mozilla.jss.crypto.KeyPairGeneratorSpi - { - -+ // opFlag constants: each of these flags specifies a crypto operation -+ // the key will support. Their values must match the same-named C -+ // preprocessor macros defined in the PKCS #11 header pkcs11t.h. -+ private static final int CKF_ENCRYPT = 0x00000100; -+ private static final int CKF_DECRYPT = 0x00000200; -+ private static final int CKF_SIGN = 0x00000800; -+ private static final int CKF_SIGN_RECOVER = 0x00001000; -+ private static final int CKF_VERIFY = 0x00002000; -+ private static final int CKF_VERIFY_RECOVER = 0x00004000; -+ private static final int CKF_WRAP = 0x00020000; -+ private static final int CKF_UNWRAP = 0x00040000; -+ private static final int CKF_DERIVE = 0x00080000; -+ -+ // A table for mapping SymmetricKey.Usage to opFlag. This must be -+ // synchronized with SymmetricKey.Usage. 
-+ private static final int opFlagForUsage[] = { -+ CKF_ENCRYPT, /* 0 */ -+ CKF_DECRYPT, /* 1 */ -+ CKF_SIGN, /* 2 */ -+ CKF_SIGN_RECOVER, /* 3 */ -+ CKF_VERIFY, /* 4 */ -+ CKF_VERIFY_RECOVER, /* 5 */ -+ CKF_WRAP, /* 6 */ -+ CKF_UNWRAP, /* 7 */ -+ CKF_DERIVE /* 8 */ -+ }; -+ -+ // The crypto operations the key will support. It is the logical OR -+ // of the opFlag constants, each specifying a supported operation. -+ private int opFlags = 0; -+ private int opFlagsMask = 0; -+ -+ - /////////////////////////////////////////////////////////////////////// - /////////////////////////////////////////////////////////////////////// - // Constructors -@@ -189,41 +222,45 @@ public final class PK11KeyPairGenerator - * Generates a key pair on a token. Uses parameters if they were passed - * in through a call to initialize, otherwise uses defaults. - */ -+ - public KeyPair generateKeyPair() - throws TokenException - { - if(algorithm == KeyPairAlgorithm.RSA) { - if(params != null) { - RSAParameterSpec rsaparams = (RSAParameterSpec)params; -- return generateRSAKeyPair( -+ return generateRSAKeyPairWithOpFlags( - token, - rsaparams.getKeySize(), - rsaparams.getPublicExponent().longValue(), - temporaryPairMode, - sensitivePairMode, -- extractablePairMode); -+ extractablePairMode, -+ opFlags, opFlagsMask); - } else { -- return generateRSAKeyPair( -+ return generateRSAKeyPairWithOpFlags( - token, - DEFAULT_RSA_KEY_SIZE, - DEFAULT_RSA_PUBLIC_EXPONENT.longValue(), - temporaryPairMode, - sensitivePairMode, -- extractablePairMode); -+ extractablePairMode, -+ opFlags, opFlagsMask); - } - } else if(algorithm == KeyPairAlgorithm.DSA ) { - if(params==null) { - params = PQG1024; - } - DSAParameterSpec dsaParams = (DSAParameterSpec)params; -- return generateDSAKeyPair( -+ return generateDSAKeyPairWithOpFlags( - token, - PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getP()), - PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getQ()), - 
PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getG()), - temporaryPairMode, - sensitivePairMode, -- extractablePairMode); -+ extractablePairMode, -+ opFlags, opFlagsMask); - } else { - Assert._assert( algorithm == KeyPairAlgorithm.EC ); - // requires JAVA 1.5 for ECParameters. -@@ -233,12 +270,14 @@ public final class PK11KeyPairGenerator - // ecParams.init(params); - PK11ParameterSpec ecParams = (PK11ParameterSpec) params; - -- return generateECKeyPair( -+ return generateECKeyPairWithOpFlags( - token, - ecParams.getEncoded(), /* curve */ - temporaryPairMode, - sensitivePairMode, -- extractablePairMode); -+ extractablePairMode, -+ opFlags, -+ opFlagsMask); - } - } - -@@ -266,6 +305,17 @@ public final class PK11KeyPairGenerator - throws TokenException; - - /** -+ * Generates an RSA key pair with the given size and public exponent. -+ * Adds the ability to specify a set of flags and masks -+ * to control how NSS generates the key pair. -+ */ -+ private native KeyPair -+ generateRSAKeyPairWithOpFlags(PK11Token token, int keySize, long publicExponent, -+ boolean temporary, int sensitive, int extractable, -+ int op_flags, int op_flags_mask) -+ throws TokenException; -+ -+ /** - * Generates a DSA key pair with the given P, Q, and G values. - * P, Q, and G are stored as big-endian twos-complement octet strings. - */ -@@ -275,6 +325,19 @@ public final class PK11KeyPairGenerator - throws TokenException; - - /** -+ * Generates a DSA key pair with the given P, Q, and G values. -+ * P, Q, and G are stored as big-endian twos-complement octet strings. -+ * Adds the ability to specify a set of flags and masks -+ * to control how NSS generates the key pair. -+ */ -+ private native KeyPair -+ generateDSAKeyPairWithOpFlags(PK11Token token, byte[] P, byte[] Q, byte[] G, -+ boolean temporary, int sensitive, int extractable, -+ int op_flags, int op_flags_mask) -+ throws TokenException; -+ -+ -+ /** - * Generates a EC key pair with the given a curve. 
- * Curves are stored as DER Encoded Parameters. - */ -@@ -282,6 +345,18 @@ public final class PK11KeyPairGenerator - generateECKeyPair(PK11Token token, byte[] Curve, - boolean temporary, int sensitive, int extractable) - throws TokenException; -+ /** -+ * Generates a EC key pair with the given a curve. -+ * Curves are stored as DER Encoded Parameters. -+ * Adds the ability to specify a set of flags and masks -+ * to control how NSS generates the key pair. -+ */ -+ -+ private native KeyPair -+ generateECKeyPairWithOpFlags(PK11Token token, byte[] Curve, -+ boolean temporary, int sensitive, int extractable, -+ int op_flags, int op_flags_mask) -+ throws TokenException; - - /////////////////////////////////////////////////////////////////////// - /////////////////////////////////////////////////////////////////////// -@@ -397,6 +472,38 @@ public final class PK11KeyPairGenerator - extractablePairMode = extractable ? 1 : 0; - } - -+ /** -+ * Sets the requested key usages desired for the -+ * generated key pair. -+ * This allows the caller to suggest how NSS generates the key pair. -+ * @param usages List of desired key usages. -+ * @param usages_mask Corresponding mask for the key usages. -+ * if a usages is desired, make sure it is in the mask as well. 
-+ */ -+ -+ public void setKeyPairUsages(org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usages, -+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usages_mask) { -+ -+ this.opFlags = 0; -+ this.opFlagsMask = 0; -+ -+ if(usages != null) { -+ for( int i = 0; i < usages.length; i++ ) { -+ if( usages[i] != null ) { -+ this.opFlags |= opFlagForUsage[usages[i].getVal()]; -+ } -+ } -+ } -+ -+ if(usages_mask != null) { -+ for( int i = 0; i < usages_mask.length; i++ ) { -+ if( usages_mask[i] != null ) { -+ this.opFlagsMask |= opFlagForUsage[usages_mask[i].getVal()]; -+ } -+ } -+ } -+ } -+ - // - // requires JAVA 1.5 - // -diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h ---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h 2006-02-22 17:21:42.000000000 -0800 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h 2009-05-29 08:34:24.000000000 -0700 -@@ -157,6 +157,12 @@ JSS_PK11_generateKeyPair(JNIEnv *env, CK - PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privK, - void *params, PRBool temporary, jint senstive, jint extractable); - -+SECStatus -+JSS_PK11_generateKeyPair_withOpFlags(JNIEnv *env, CK_MECHANISM_TYPE mechanism, -+ PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk, -+ void *params, PRBool temporary, jint sensitive, jint extractable, -+ jint op_flags, jint op_flags_mask); -+ - /*===================================================================== - C E R T I F I C A T E S - =====================================================================*/ diff --git a/SOURCES/jss-loadlibrary.patch b/SOURCES/jss-loadlibrary.patch deleted file mode 100644 index a8643a4..0000000 --- a/SOURCES/jss-loadlibrary.patch +++ /dev/null 
@@ -1,29 +0,0 @@
-diff -uN --recursive jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2008-01-31 17:29:16.000000000 -0500
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-01-07 10:47:04.000000000 -0500
-@@ -1334,11 +1334,20 @@
- */
- synchronized static void loadNativeLibraries()
- {
-- if( ! mNativeLibrariesLoaded )
-- {
-- System.loadLibrary("jss4");
-- Debug.trace(Debug.VERBOSE, "jss library loaded");
-- mNativeLibrariesLoaded = true;
-+ if( ! mNativeLibrariesLoaded ) {
-+ try {
-+ System.load( "/usr/lib64/jss/libjss4.so" );
-+ Debug.trace(Debug.VERBOSE, "jss library loaded");
-+ mNativeLibrariesLoaded = true;
-+ } catch( UnsatisfiedLinkError e ) {
-+ try {
-+ System.load( "/usr/lib/jss/libjss4.so" );
-+ Debug.trace(Debug.VERBOSE, "jss library loaded");
-+ mNativeLibrariesLoaded = true;
-+ } catch( UnsatisfiedLinkError f ) {
-+ Debug.trace(Debug.VERBOSE, "jss library load failed");
-+ }
-+ }
- }
- }
- static private boolean mNativeLibrariesLoaded = false;
diff --git a/SOURCES/jss-lunasaUnwrap.patch b/SOURCES/jss-lunasaUnwrap.patch
deleted file mode 100644
index 5021bd6..0000000
--- a/SOURCES/jss-lunasaUnwrap.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2016-04-28 16:50:06.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2016-04-28 16:50:00.000000000 -0700
-@@ -434,7 +434,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- isSensitive = PR_FALSE;
- isExtractable = PR_FALSE;
- } else if ( isLunasa) {
-- isSensitive = PR_FALSE;
-+ isSensitive = PR_TRUE;
- isExtractable = PR_TRUE;
- }
- 
diff --git a/SOURCES/jss-ocspSettings.patch b/SOURCES/jss-ocspSettings.patch
deleted file mode 100644
index c9ac226..0000000
--- a/SOURCES/jss-ocspSettings.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.orig jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6/mozilla/security/jss/lib/jss.def.orig 2009-11-04 14:26:26.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-11-04 14:11:05.000000000 -0800
-@@ -329,6 +329,8 @@ Java_org_mozilla_jss_pkcs11_PK11Token_ne
- Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags;
- Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags;
- Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
-+Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
-+Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
- ;+ local:
- ;+ *;
- ;+};
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c.orig 2009-11-04 14:20:43.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2009-11-05 10:48:32.590000000 -0800
-@@ -976,3 +976,45 @@ Java_org_mozilla_jss_CryptoManager_confi
- }
- }
- 
-+
-+/**********************************************************************
-+* OCSPCacheSettingsNative
-+*
-+* Allows configuration of the OCSP responder cache during runtime.
-+*/
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative(
-+ JNIEnv *env, jobject this,
-+ jint ocsp_cache_size,
-+ jint ocsp_min_cache_entry_duration,
-+ jint ocsp_max_cache_entry_duration)
-+{
-+ SECStatus rv = SECFailure;
-+
-+ rv = CERT_OCSPCacheSettings(
-+ ocsp_cache_size, ocsp_min_cache_entry_duration,
-+ ocsp_max_cache_entry_duration);
-+
-+ if (rv != SECSuccess) {
-+ JSS_throwMsgPrErr(env,
-+ GENERAL_SECURITY_EXCEPTION,
-+ "Failed to set OCSP cache: error "+ PORT_GetError());
-+ }
-+}
-+
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative(
-+ JNIEnv *env, jobject this,
-+ jint ocsp_timeout )
-+{
-+ SECStatus rv = SECFailure;
-+
-+ rv = CERT_SetOCSPTimeout(ocsp_timeout);
-+
-+ if (rv != SECSuccess) {
-+ JSS_throwMsgPrErr(env,
-+ GENERAL_SECURITY_EXCEPTION,
-+ "Failed to set OCSP timeout: error "+ PORT_GetError());
-+ }
-+}
-+
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.orig 2009-11-04 14:20:33.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2009-11-05 10:48:59.415001000 -0800
-@@ -1479,4 +1479,41 @@ public final class CryptoManager impleme
- String ocspResponderCertNickname )
- throws GeneralSecurityException;
- 
-+ /**
-+ * change OCSP cache settings
-+ * * @param ocsp_cache_size max cache entries
-+ * * @param ocsp_min_cache_entry_duration minimum seconds to next fetch attempt
-+ * * @param ocsp_max_cache_entry_duration maximum seconds to next fetch attempt
-+ */
-+ public void OCSPCacheSettings(
-+ int ocsp_cache_size,
-+ int ocsp_min_cache_entry_duration,
-+ int ocsp_max_cache_entry_duration)
-+ throws GeneralSecurityException
-+ {
-+ OCSPCacheSettingsNative(ocsp_cache_size,
-+ ocsp_min_cache_entry_duration,
-+ ocsp_max_cache_entry_duration);
-+ }
-+
-+ private native void OCSPCacheSettingsNative(
-+ int ocsp_cache_size,
-+ int ocsp_min_cache_entry_duration,
-+ int ocsp_max_cache_entry_duration)
-+ throws GeneralSecurityException;
-+
-+ /**
-+ * set OCSP timeout value
-+ * * @param ocspTimeout OCSP timeout in seconds
-+ */
-+ public void setOCSPTimeout(
-+ int ocsp_timeout )
-+ throws GeneralSecurityException
-+ {
-+ setOCSPTimeoutNative( ocsp_timeout);
-+ }
-+
-+ private native void setOCSPTimeoutNative(
-+ int ocsp_timeout )
-+ throws GeneralSecurityException;
- }
diff --git a/SOURCES/jss-post-rebase.patch b/SOURCES/jss-post-rebase.patch
new file mode 100644
index 0000000..225ee96
--- /dev/null
+++ b/SOURCES/jss-post-rebase.patch
@@ -0,0 +1,5484 @@ +From e06171a21b19b1f6f5ce1749cebe2ecf942da614 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 17 Mar 2017 16:45:18 -0700 +Subject: [PATCH 01/11] Added Eclipse project files. Eclipse project file, + classpath, settings have been added to automate cleanups and certain + formattings which will simplify and standardize the development. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1347394 +--- + .classpath | 7 + + .gitignore | 1 + + .project | 17 +++ + .settings/org.eclipse.jdt.core.prefs | 282 +++++++++++++++++++++++++++++++++++ + .settings/org.eclipse.jdt.ui.prefs | 56 +++++++ + 5 files changed, 363 insertions(+) + create mode 100644 .classpath + create mode 100644 .gitignore + create mode 100644 .project + create mode 100644 .settings/org.eclipse.jdt.core.prefs + create mode 100644 .settings/org.eclipse.jdt.ui.prefs + +diff --git a/.classpath b/.classpath +new file mode 100644 +index 0000000..68f6f4f +--- /dev/null ++++ b/.classpath +@@ -0,0 +1,7 @@ ++ ++ ++ ++ ++ ++ ++ +diff --git a/.gitignore b/.gitignore +new file mode 100644 +index 0000000..ba077a4 +--- /dev/null ++++ b/.gitignore +@@ -0,0 +1 @@ ++bin +diff --git a/.project b/.project +new file mode 100644 +index 0000000..7f7adff +--- /dev/null ++++ b/.project +@@ -0,0 +1,17 @@ ++ ++ ++ jss ++ ++ ++ ++ ++ ++ org.eclipse.jdt.core.javabuilder ++ ++ ++ ++ ++ ++ org.eclipse.jdt.core.javanature ++ ++ +diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs +new file mode 100644 +index 0000000..d2fbe82 +--- /dev/null ++++ b/.settings/org.eclipse.jdt.core.prefs +@@ -0,0 +1,282 @@ ++eclipse.preferences.version=1 ++org.eclipse.jdt.core.formatter.align_type_members_on_columns=false ++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_allocation_expression=16 ++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_annotation=0 ++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_enum_constant=16 
++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_explicit_constructor_call=16 ++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_method_invocation=16 ++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_qualified_allocation_expression=16 ++org.eclipse.jdt.core.formatter.alignment_for_assignment=0 ++org.eclipse.jdt.core.formatter.alignment_for_binary_expression=16 ++org.eclipse.jdt.core.formatter.alignment_for_compact_if=16 ++org.eclipse.jdt.core.formatter.alignment_for_conditional_expression=80 ++org.eclipse.jdt.core.formatter.alignment_for_enum_constants=0 ++org.eclipse.jdt.core.formatter.alignment_for_expressions_in_array_initializer=16 ++org.eclipse.jdt.core.formatter.alignment_for_method_declaration=0 ++org.eclipse.jdt.core.formatter.alignment_for_multiple_fields=16 ++org.eclipse.jdt.core.formatter.alignment_for_parameters_in_constructor_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_parameters_in_method_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_resources_in_try=80 ++org.eclipse.jdt.core.formatter.alignment_for_selector_in_method_invocation=16 ++org.eclipse.jdt.core.formatter.alignment_for_superclass_in_type_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_superinterfaces_in_enum_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_superinterfaces_in_type_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_throws_clause_in_constructor_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_throws_clause_in_method_declaration=16 ++org.eclipse.jdt.core.formatter.alignment_for_union_type_in_multicatch=16 ++org.eclipse.jdt.core.formatter.blank_lines_after_imports=1 ++org.eclipse.jdt.core.formatter.blank_lines_after_package=1 ++org.eclipse.jdt.core.formatter.blank_lines_before_field=0 ++org.eclipse.jdt.core.formatter.blank_lines_before_first_class_body_declaration=0 ++org.eclipse.jdt.core.formatter.blank_lines_before_imports=1 
++org.eclipse.jdt.core.formatter.blank_lines_before_member_type=1 ++org.eclipse.jdt.core.formatter.blank_lines_before_method=1 ++org.eclipse.jdt.core.formatter.blank_lines_before_new_chunk=1 ++org.eclipse.jdt.core.formatter.blank_lines_before_package=0 ++org.eclipse.jdt.core.formatter.blank_lines_between_import_groups=1 ++org.eclipse.jdt.core.formatter.blank_lines_between_type_declarations=1 ++org.eclipse.jdt.core.formatter.brace_position_for_annotation_type_declaration=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_anonymous_type_declaration=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_array_initializer=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_block=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_block_in_case=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_constructor_declaration=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_enum_constant=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_enum_declaration=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_method_declaration=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_switch=end_of_line ++org.eclipse.jdt.core.formatter.brace_position_for_type_declaration=end_of_line ++org.eclipse.jdt.core.formatter.comment.clear_blank_lines_in_block_comment=false ++org.eclipse.jdt.core.formatter.comment.clear_blank_lines_in_javadoc_comment=false ++org.eclipse.jdt.core.formatter.comment.format_block_comments=false ++org.eclipse.jdt.core.formatter.comment.format_header=false ++org.eclipse.jdt.core.formatter.comment.format_html=true ++org.eclipse.jdt.core.formatter.comment.format_javadoc_comments=true ++org.eclipse.jdt.core.formatter.comment.format_line_comments=false ++org.eclipse.jdt.core.formatter.comment.format_source_code=true ++org.eclipse.jdt.core.formatter.comment.indent_parameter_description=true ++org.eclipse.jdt.core.formatter.comment.indent_root_tags=true 
++org.eclipse.jdt.core.formatter.comment.insert_new_line_before_root_tags=insert ++org.eclipse.jdt.core.formatter.comment.insert_new_line_for_parameter=do not insert ++org.eclipse.jdt.core.formatter.comment.line_length=120 ++org.eclipse.jdt.core.formatter.comment.new_lines_at_block_boundaries=true ++org.eclipse.jdt.core.formatter.comment.new_lines_at_javadoc_boundaries=true ++org.eclipse.jdt.core.formatter.comment.preserve_white_space_between_code_and_line_comments=false ++org.eclipse.jdt.core.formatter.compact_else_if=true ++org.eclipse.jdt.core.formatter.continuation_indentation=2 ++org.eclipse.jdt.core.formatter.continuation_indentation_for_array_initializer=2 ++org.eclipse.jdt.core.formatter.disabling_tag=@formatter\:off ++org.eclipse.jdt.core.formatter.enabling_tag=@formatter\:on ++org.eclipse.jdt.core.formatter.format_guardian_clause_on_one_line=false ++org.eclipse.jdt.core.formatter.format_line_comment_starting_on_first_column=false ++org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_annotation_declaration_header=true ++org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_enum_constant_header=true ++org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_enum_declaration_header=true ++org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_type_header=true ++org.eclipse.jdt.core.formatter.indent_breaks_compare_to_cases=true ++org.eclipse.jdt.core.formatter.indent_empty_lines=false ++org.eclipse.jdt.core.formatter.indent_statements_compare_to_block=true ++org.eclipse.jdt.core.formatter.indent_statements_compare_to_body=true ++org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_cases=true ++org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_switch=false ++org.eclipse.jdt.core.formatter.indentation.size=8 ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_field=insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_local_variable=insert 
++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_member=insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_method=insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_package=insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_parameter=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_type=insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_label=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_after_opening_brace_in_array_initializer=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_at_end_of_file_if_missing=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_before_catch_in_try_statement=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_before_closing_brace_in_array_initializer=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_before_else_in_if_statement=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_before_finally_in_try_statement=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_before_while_in_do_statement=do not insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_annotation_declaration=insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_anonymous_type_declaration=insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_block=insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_enum_constant=insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_enum_declaration=insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_method_body=insert ++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_type_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_after_and_in_type_parameter=insert ++org.eclipse.jdt.core.formatter.insert_space_after_assignment_operator=insert ++org.eclipse.jdt.core.formatter.insert_space_after_at_in_annotation=do not insert 
++org.eclipse.jdt.core.formatter.insert_space_after_at_in_annotation_type_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_binary_operator=insert ++org.eclipse.jdt.core.formatter.insert_space_after_closing_angle_bracket_in_type_arguments=insert ++org.eclipse.jdt.core.formatter.insert_space_after_closing_angle_bracket_in_type_parameters=insert ++org.eclipse.jdt.core.formatter.insert_space_after_closing_brace_in_block=insert ++org.eclipse.jdt.core.formatter.insert_space_after_closing_paren_in_cast=insert ++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_assert=insert ++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_case=insert ++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_conditional=insert ++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_for=insert ++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_labeled_statement=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_allocation_expression=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_annotation=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_array_initializer=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_constructor_declaration_parameters=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_constructor_declaration_throws=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_enum_constant_arguments=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_enum_declarations=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_explicitconstructorcall_arguments=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_for_increments=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_for_inits=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_declaration_parameters=insert 
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_declaration_throws=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_invocation_arguments=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_multiple_field_declarations=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_multiple_local_declarations=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_parameterized_type_reference=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_superinterfaces=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_type_arguments=insert ++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_type_parameters=insert ++org.eclipse.jdt.core.formatter.insert_space_after_ellipsis=insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_parameterized_type_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_type_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_type_parameters=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_brace_in_array_initializer=insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_bracket_in_array_allocation_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_bracket_in_array_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_annotation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_cast=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_catch=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_constructor_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_enum_constant=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_for=do not 
insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_if=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_method_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_method_invocation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_parenthesized_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_switch=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_synchronized=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_try=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_while=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_postfix_operator=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_prefix_operator=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_question_in_conditional=insert ++org.eclipse.jdt.core.formatter.insert_space_after_question_in_wildcard=do not insert ++org.eclipse.jdt.core.formatter.insert_space_after_semicolon_in_for=insert ++org.eclipse.jdt.core.formatter.insert_space_after_semicolon_in_try_resources=insert ++org.eclipse.jdt.core.formatter.insert_space_after_unary_operator=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_and_in_type_parameter=insert ++org.eclipse.jdt.core.formatter.insert_space_before_assignment_operator=insert ++org.eclipse.jdt.core.formatter.insert_space_before_at_in_annotation_type_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_binary_operator=insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_parameterized_type_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_type_arguments=do not insert 
++org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_type_parameters=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_brace_in_array_initializer=insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_bracket_in_array_allocation_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_bracket_in_array_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_annotation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_cast=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_catch=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_constructor_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_enum_constant=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_for=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_if=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_method_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_method_invocation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_parenthesized_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_switch=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_synchronized=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_try=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_while=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_assert=insert ++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_case=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_conditional=insert 
++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_default=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_for=insert ++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_labeled_statement=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_allocation_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_annotation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_array_initializer=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_constructor_declaration_parameters=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_constructor_declaration_throws=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_enum_constant_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_enum_declarations=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_explicitconstructorcall_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_for_increments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_for_inits=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_declaration_parameters=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_declaration_throws=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_invocation_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_multiple_field_declarations=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_multiple_local_declarations=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_parameterized_type_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_superinterfaces=do not insert 
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_type_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_type_parameters=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_ellipsis=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_parameterized_type_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_type_arguments=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_type_parameters=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_annotation_type_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_anonymous_type_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_array_initializer=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_block=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_constructor_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_enum_constant=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_enum_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_method_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_switch=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_type_declaration=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_allocation_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_type_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_annotation=do not insert 
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_annotation_type_member_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_catch=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_constructor_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_enum_constant=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_for=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_if=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_method_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_method_invocation=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_parenthesized_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_switch=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_synchronized=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_try=insert ++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_while=insert ++org.eclipse.jdt.core.formatter.insert_space_before_parenthesized_expression_in_return=insert ++org.eclipse.jdt.core.formatter.insert_space_before_parenthesized_expression_in_throw=insert ++org.eclipse.jdt.core.formatter.insert_space_before_postfix_operator=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_prefix_operator=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_question_in_conditional=insert ++org.eclipse.jdt.core.formatter.insert_space_before_question_in_wildcard=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_semicolon=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_semicolon_in_for=do not insert ++org.eclipse.jdt.core.formatter.insert_space_before_semicolon_in_try_resources=do not 
insert ++org.eclipse.jdt.core.formatter.insert_space_before_unary_operator=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_brackets_in_array_type_reference=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_braces_in_array_initializer=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_brackets_in_array_allocation_expression=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_annotation_type_member_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_constructor_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_enum_constant=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_method_declaration=do not insert ++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_method_invocation=do not insert ++org.eclipse.jdt.core.formatter.join_lines_in_comments=false ++org.eclipse.jdt.core.formatter.join_wrapped_lines=false ++org.eclipse.jdt.core.formatter.keep_else_statement_on_same_line=false ++org.eclipse.jdt.core.formatter.keep_empty_array_initializer_on_one_line=false ++org.eclipse.jdt.core.formatter.keep_imple_if_on_one_line=false ++org.eclipse.jdt.core.formatter.keep_then_statement_on_same_line=false ++org.eclipse.jdt.core.formatter.lineSplit=120 ++org.eclipse.jdt.core.formatter.never_indent_block_comments_on_first_column=false ++org.eclipse.jdt.core.formatter.never_indent_line_comments_on_first_column=false ++org.eclipse.jdt.core.formatter.number_of_blank_lines_at_beginning_of_method_body=0 ++org.eclipse.jdt.core.formatter.number_of_empty_lines_to_preserve=1 ++org.eclipse.jdt.core.formatter.put_empty_statement_on_new_line=true ++org.eclipse.jdt.core.formatter.tabulation.char=space ++org.eclipse.jdt.core.formatter.tabulation.size=4 ++org.eclipse.jdt.core.formatter.use_on_off_tags=false 
++org.eclipse.jdt.core.formatter.use_tabs_only_for_leading_indentations=false ++org.eclipse.jdt.core.formatter.wrap_before_binary_operator=true ++org.eclipse.jdt.core.formatter.wrap_before_or_operator_multicatch=true ++org.eclipse.jdt.core.formatter.wrap_outer_expressions_when_nested=true +diff --git a/.settings/org.eclipse.jdt.ui.prefs b/.settings/org.eclipse.jdt.ui.prefs +new file mode 100644 +index 0000000..40b7812 +--- /dev/null ++++ b/.settings/org.eclipse.jdt.ui.prefs +@@ -0,0 +1,56 @@ ++eclipse.preferences.version=1 ++editor_save_participant_org.eclipse.jdt.ui.postsavelistener.cleanup=true ++formatter_profile=_PKI Project Profile ++formatter_settings_version=12 ++sp_cleanup.add_default_serial_version_id=true ++sp_cleanup.add_generated_serial_version_id=false ++sp_cleanup.add_missing_annotations=false ++sp_cleanup.add_missing_deprecated_annotations=true ++sp_cleanup.add_missing_methods=false ++sp_cleanup.add_missing_nls_tags=false ++sp_cleanup.add_missing_override_annotations=true ++sp_cleanup.add_missing_override_annotations_interface_methods=true ++sp_cleanup.add_serial_version_id=false ++sp_cleanup.always_use_blocks=true ++sp_cleanup.always_use_parentheses_in_expressions=false ++sp_cleanup.always_use_this_for_non_static_field_access=false ++sp_cleanup.always_use_this_for_non_static_method_access=false ++sp_cleanup.convert_to_enhanced_for_loop=false ++sp_cleanup.correct_indentation=false ++sp_cleanup.format_source_code=false ++sp_cleanup.format_source_code_changes_only=false ++sp_cleanup.make_local_variable_final=false ++sp_cleanup.make_parameters_final=false ++sp_cleanup.make_private_fields_final=true ++sp_cleanup.make_type_abstract_if_missing_method=false ++sp_cleanup.make_variable_declarations_final=false ++sp_cleanup.never_use_blocks=false ++sp_cleanup.never_use_parentheses_in_expressions=true ++sp_cleanup.on_save_use_additional_actions=true ++sp_cleanup.organize_imports=true ++sp_cleanup.qualify_static_field_accesses_with_declaring_class=false 
++sp_cleanup.qualify_static_member_accesses_through_instances_with_declaring_class=true ++sp_cleanup.qualify_static_member_accesses_through_subtypes_with_declaring_class=true ++sp_cleanup.qualify_static_member_accesses_with_declaring_class=false ++sp_cleanup.qualify_static_method_accesses_with_declaring_class=false ++sp_cleanup.remove_private_constructors=true ++sp_cleanup.remove_trailing_whitespaces=true ++sp_cleanup.remove_trailing_whitespaces_all=true ++sp_cleanup.remove_trailing_whitespaces_ignore_empty=false ++sp_cleanup.remove_unnecessary_casts=true ++sp_cleanup.remove_unnecessary_nls_tags=false ++sp_cleanup.remove_unused_imports=true ++sp_cleanup.remove_unused_local_variables=false ++sp_cleanup.remove_unused_private_fields=true ++sp_cleanup.remove_unused_private_members=false ++sp_cleanup.remove_unused_private_methods=true ++sp_cleanup.remove_unused_private_types=true ++sp_cleanup.sort_members=false ++sp_cleanup.sort_members_all=false ++sp_cleanup.use_blocks=false ++sp_cleanup.use_blocks_only_for_return_and_throw=false ++sp_cleanup.use_parentheses_in_expressions=false ++sp_cleanup.use_this_for_non_static_field_access=false ++sp_cleanup.use_this_for_non_static_field_access_only_if_necessary=true ++sp_cleanup.use_this_for_non_static_method_access=false ++sp_cleanup.use_this_for_non_static_method_access_only_if_necessary=true +-- +2.9.3 + + +From 8019c869865593a8fc078ca6dd555191711dad7b Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 17 Mar 2017 16:45:25 -0700 +Subject: [PATCH 02/11] Cleaned up SSLSocket class. The SSLSocket class has + been cleaned up using Eclipse to remove trailing white spaces and wildcards + in import statements. 
+ +https://bugzilla.mozilla.org/show_bug.cgi?id=1347394 +--- + org/mozilla/jss/ssl/SSLSocket.java | 179 +++++++++++++++++++------------------ + 1 file changed, 90 insertions(+), 89 deletions(-) + +diff --git a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java +index f91b218..642a3e6 100644 +--- a/org/mozilla/jss/ssl/SSLSocket.java ++++ b/org/mozilla/jss/ssl/SSLSocket.java +@@ -4,12 +4,13 @@ + + package org.mozilla.jss.ssl; + +-import java.lang.IllegalArgumentException; +-import java.net.*; ++import java.io.IOException; ++import java.io.InputStream; ++import java.io.OutputStream; ++import java.net.InetAddress; + import java.net.SocketException; + import java.net.SocketTimeoutException; +-import java.io.*; +-import java.io.IOException; ++import java.net.UnknownHostException; + import java.util.Vector; + + /** +@@ -41,13 +42,13 @@ public class SSLSocket extends java.net.Socket { + private boolean open = false; + private boolean handshakeAsClient = true; + private SocketBase base = new SocketBase(); +- static final public int SSL_REQUIRE_NEVER = ++ static final public int SSL_REQUIRE_NEVER = + org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_NEVER; +- static final public int SSL_REQUIRE_ALWAYS = ++ static final public int SSL_REQUIRE_ALWAYS = + org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_ALWAYS; +- static final public int SSL_REQUIRE_FIRST_HANDSHAKE = ++ static final public int SSL_REQUIRE_FIRST_HANDSHAKE = + org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_FIRST_HANDSHAKE; +- static final public int SSL_REQUIRE_NO_ERROR = ++ static final public int SSL_REQUIRE_NO_ERROR = + org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_NO_ERROR; + static final public int SSL_RENEGOTIATE_NEVER = + org.mozilla.jss.ssl.SocketBase.SSL_RENEGOTIATE_NEVER; +@@ -411,12 +412,12 @@ public class SSLSocket extends java.net.Socket { + */ + public native void setReceiveBufferSize(int size) throws SocketException; + +- /** ++ /** + * Returnst he size (in bytes) of the receive buffer. 
+ */ + public native int getReceiveBufferSize() throws SocketException; + +- /** ++ /** + * Closes this socket. + */ + public void close() throws IOException { +@@ -488,7 +489,7 @@ public class SSLSocket extends java.net.Socket { + l.handshakeCompleted(event); + } + } +- ++ + + /** + * Enables SSL v2 on this socket. It is enabled by default, unless the +@@ -534,10 +535,10 @@ public class SSLSocket extends java.net.Socket { + static public void enableTLSDefault(boolean enable) throws SocketException{ + setSSLDefaultOption(SocketBase.SSL_ENABLE_TLS, enable); + } +- ++ + /** +- * Enables Session tickets on this socket. It is disabled by default, +- * unless the default has been changed with ++ * Enables Session tickets on this socket. It is disabled by default, ++ * unless the default has been changed with + * enableSessionTicketsDefault. + */ + public void enableSessionTickets(boolean enable) throws SocketException { +@@ -547,7 +548,7 @@ public class SSLSocket extends java.net.Socket { + /** + * Sets the default for Session Tickets for all new sockets. + */ +- static public void enableSessionTicketsDefault(boolean enable) ++ static public void enableSessionTicketsDefault(boolean enable) + throws SocketException{ + setSSLDefaultOption(SocketBase.SSL_ENABLE_SESSION_TICKETS, enable); + } +@@ -643,26 +644,26 @@ public class SSLSocket extends java.net.Socket { + + /** + * Enable rollback detection for this socket. +- * It is enabled by default, unless the default has been changed ++ * It is enabled by default, unless the default has been changed + * with enableRollbackDetectionDefault. + */ +- public void enableRollbackDetection(boolean enable) +- throws SocketException ++ public void enableRollbackDetection(boolean enable) ++ throws SocketException + { + base.enableRollbackDetection(enable); + } +- ++ + /** + * Sets the default rollback detection for all new sockets. 
+ */ +- static void enableRollbackDetectionDefault(boolean enable) +- throws SocketException ++ static void enableRollbackDetectionDefault(boolean enable) ++ throws SocketException + { + setSSLDefaultOption(SocketBase.SSL_ROLLBACK_DETECTION, enable); + } +- ++ + /** +- * This option, enableStepDown, is concerned with the generation ++ * This option, enableStepDown, is concerned with the generation + * of step-down keys which are used with export suites. + * If the server cert's public key is 512 bits or less + * this option is ignored because step-down keys don't +@@ -673,15 +674,15 @@ public class SSLSocket extends java.net.Socket { + * enable=false: don't generate step-down keys; disable + * export cipher suites + * +- * This option is enabled by default; unless the default has ++ * This option is enabled by default; unless the default has + * been changed with SSLSocket.enableStepDownDefault. + */ + public void enableStepDown(boolean enable) throws SocketException { + base.enableStepDown(enable); + } + /** +- * This option, enableStepDownDefault, is concerned with the +- * generation of step-down keys which are used with export suites. ++ * This option, enableStepDownDefault, is concerned with the ++ * generation of step-down keys which are used with export suites. + * This options will set the default for all sockets. + * If the server cert's public key is 512 bits of less, + * this option is ignored because step-down keys don't +@@ -694,92 +695,92 @@ public class SSLSocket extends java.net.Socket { + * + * This option is enabled by default for all sockets. 
+ */ +- static void enableStepDownDefault(boolean enable) +- throws SocketException ++ static void enableStepDownDefault(boolean enable) ++ throws SocketException + { + setSSLDefaultOption(SocketBase.SSL_NO_STEP_DOWN, enable); + } + + /** +- * Enable simultaneous read/write by separate read and write threads ++ * Enable simultaneous read/write by separate read and write threads + * (full duplex) for this socket. +- * It is disabled by default, unless the default has been changed ++ * It is disabled by default, unless the default has been changed + * with enableFDXDefault. + */ +- public void enableFDX(boolean enable) +- throws SocketException ++ public void enableFDX(boolean enable) ++ throws SocketException + { + base.enableFDX(enable); + } +- ++ + /** +- * Sets the default to permit simultaneous read/write ++ * Sets the default to permit simultaneous read/write + * by separate read and write threads (full duplex) + * for all new sockets. + */ +- static void enableFDXDefault(boolean enable) +- throws SocketException ++ static void enableFDXDefault(boolean enable) ++ throws SocketException + { + setSSLDefaultOption(SocketBase.SSL_ENABLE_FDX, enable); + } + + /** + * Enable sending v3 client hello in v2 format for this socket. +- * It is enabled by default, unless the default has been changed ++ * It is enabled by default, unless the default has been changed + * with enableV2CompatibleHelloDefault. + */ +- public void enableV2CompatibleHello(boolean enable) +- throws SocketException ++ public void enableV2CompatibleHello(boolean enable) ++ throws SocketException + { + base.enableV2CompatibleHello(enable); + } +- +- /** ++ ++ /** + * Sets the default to send v3 client hello in v2 format + * for all new sockets. 
+ */ +- static void enableV2CompatibleHelloDefault(boolean enable) +- throws SocketException ++ static void enableV2CompatibleHelloDefault(boolean enable) ++ throws SocketException + { + setSSLDefaultOption(SocketBase.SSL_V2_COMPATIBLE_HELLO, enable); + } +- ++ + /** + * @return a String listing the current SSLOptions for this SSLSocket. + */ + public String getSSLOptions() { + return base.getSSLOptions(); + } +- ++ + /** +- * +- * @param option +- * @return 0 for option disabled 1 for option enabled. ++ * ++ * @param option ++ * @return 0 for option disabled 1 for option enabled. + */ + static private native int getSSLDefaultOption(int option) + throws SocketException; + + /** +- * ++ * + * @return a String listing the Default SSLOptions for all SSLSockets. + */ + static public String getSSLDefaultOptions() { + StringBuffer buf = new StringBuffer(); + try { + buf.append("Default Options configured for all SSLSockets: "); +- buf.append("\nSSL_ENABLE_SSL2" + ++ buf.append("\nSSL_ENABLE_SSL2" + + ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SSL2) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_ENABLE_SSL3" + +- ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SSL3) != 0) ++ buf.append("\nSSL_ENABLE_SSL3" + ++ ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SSL3) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_ENABLE_TLS" + +- ((getSSLDefaultOption(SocketBase.SSL_ENABLE_TLS) != 0) ++ buf.append("\nSSL_ENABLE_TLS" + ++ ((getSSLDefaultOption(SocketBase.SSL_ENABLE_TLS) != 0) + ? "=on" : "=off")); + buf.append("\nSSL_ENABLE_SESSION_TICKETS" + + ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SESSION_TICKETS) + != 0) ? 
"=on" : "=off")); +- buf.append("\nSSL_REQUIRE_CERTIFICATE"); ++ buf.append("\nSSL_REQUIRE_CERTIFICATE"); + switch (getSSLDefaultOption(SocketBase.SSL_REQUIRE_CERTIFICATE)) { + case 0: + buf.append("=Never"); +@@ -797,23 +798,23 @@ public class SSLSocket extends java.net.Socket { + buf.append("=Report JSS Bug this option has a status."); + break; + } //end switch +- buf.append("\nSSL_REQUEST_CERTIFICATE" + +- ((getSSLDefaultOption(SocketBase.SSL_REQUEST_CERTIFICATE) != 0) ++ buf.append("\nSSL_REQUEST_CERTIFICATE" + ++ ((getSSLDefaultOption(SocketBase.SSL_REQUEST_CERTIFICATE) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_NO_CACHE" + ++ buf.append("\nSSL_NO_CACHE" + + ((getSSLDefaultOption(SocketBase.SSL_NO_CACHE) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_ROLLBACK_DETECTION" + ++ buf.append("\nSSL_ROLLBACK_DETECTION" + + ((getSSLDefaultOption(SocketBase.SSL_ROLLBACK_DETECTION) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_NO_STEP_DOWN" + ++ buf.append("\nSSL_NO_STEP_DOWN" + + ((getSSLDefaultOption(SocketBase.SSL_NO_STEP_DOWN) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_ENABLE_FDX" + ++ buf.append("\nSSL_ENABLE_FDX" + + ((getSSLDefaultOption(SocketBase.SSL_ENABLE_FDX) != 0) + ? "=on" : "=off")); +- buf.append("\nSSL_V2_COMPATIBLE_HELLO" + +- ((getSSLDefaultOption(SocketBase.SSL_V2_COMPATIBLE_HELLO) != 0) ++ buf.append("\nSSL_V2_COMPATIBLE_HELLO" + ++ ((getSSLDefaultOption(SocketBase.SSL_V2_COMPATIBLE_HELLO) != 0) + ? "=on" : "=off")); + buf.append("\nSSL_ENABLE_SESSION_TICKETS" + + ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SESSION_TICKETS) +@@ -845,7 +846,7 @@ public class SSLSocket extends java.net.Socket { + } + return buf.toString(); + } +- ++ + /** + * Sets whether the socket requires client authentication from the remote + * peer. If requestClientAuth() has not already been called, this +@@ -863,19 +864,19 @@ public class SSLSocket extends java.net.Socket { + * Sets whether the socket requires client authentication from the remote + * peer. 
If requestClientAuth() has not already been called, this method + * will tell the socket to request client auth as well as requiring it. +- * This is only meaningful for the server end of the SSL connection. +- * During the next handshake, the remote peer will be asked to ++ * This is only meaningful for the server end of the SSL connection. ++ * During the next handshake, the remote peer will be asked to + * authenticate itself with the requirement that was set. + * +- * @param mode One of: SSLSocket.SSL_REQUIRE_NEVER, +- * SSLSocket.SSL_REQUIRE_ALWAYS, +- * SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE, ++ * @param mode One of: SSLSocket.SSL_REQUIRE_NEVER, ++ * SSLSocket.SSL_REQUIRE_ALWAYS, ++ * SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE, + * SSLSocket.SSL_REQUIRE_NO_ERROR + */ + public void requireClientAuth(int mode) + throws SocketException + { +- if (mode >= SocketBase.SSL_REQUIRE_NEVER && ++ if (mode >= SocketBase.SSL_REQUIRE_NEVER && + mode <= SocketBase.SSL_REQUIRE_NO_ERROR) { + base.requireClientAuth(mode); + } else { +@@ -900,15 +901,15 @@ public class SSLSocket extends java.net.Socket { + * All subsequently created sockets will use this default setting + * This is only meaningful for the server end of the SSL connection. 
+ * +- * @param mode One of: SSLSocket.SSL_REQUIRE_NEVER, +- * SSLSocket.SSL_REQUIRE_ALWAYS, +- * SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE, ++ * @param mode One of: SSLSocket.SSL_REQUIRE_NEVER, ++ * SSLSocket.SSL_REQUIRE_ALWAYS, ++ * SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE, + * SSLSocket.SSL_REQUIRE_NO_ERROR + */ + static public void requireClientAuthDefault(int mode) + throws SocketException + { +- if (mode >= SocketBase.SSL_REQUIRE_NEVER && ++ if (mode >= SocketBase.SSL_REQUIRE_NEVER && + mode <= SocketBase.SSL_REQUIRE_NO_ERROR) { + setSSLDefaultOption(SocketBase.SSL_REQUEST_CERTIFICATE, true); + setSSLDefaultOptionMode(SocketBase.SSL_REQUIRE_CERTIFICATE,mode); +@@ -924,7 +925,7 @@ public class SSLSocket extends java.net.Socket { + */ + public native void forceHandshake() throws SocketException; + +- /** ++ /** + * Determines whether this end of the socket is the client or the server + * for purposes of the SSL protocol. By default, it is the client. + * @param b true if this end of the socket is the SSL slient, false +@@ -1031,7 +1032,7 @@ public class SSLSocket extends java.net.Socket { + base.useCache(b); + } + +- /** ++ /** + * Sets the default setting for use of the session cache. + */ + public void useCacheDefault(boolean b) throws SocketException { +@@ -1090,7 +1091,7 @@ public class SSLSocket extends java.net.Socket { + setSSLVersionRangeDefault(ssl_variant.getEnum(), range.getMinEnum(), range.getMaxEnum()); + } + +- /** ++ /** + * Sets SSL Version Range Default + */ + private static native void setSSLVersionRangeDefault(int ssl_variant, int min, int max) +@@ -1102,13 +1103,13 @@ public class SSLSocket extends java.net.Socket { + setSSLDefaultOption(option, on ? 1 : 0); + } + +- /** ++ /** + * Sets SSL Default options that have simple enable/disable values. + */ + private static native void setSSLDefaultOption(int option, int on) + throws SocketException; + +- /** ++ /** + * Set SSL default options that have more modes than enable/disable. 
+ */ + private static native void setSSLDefaultOptionMode(int option, int mode) +@@ -1141,19 +1142,19 @@ public class SSLSocket extends java.net.Socket { + native int socketAvailable() + throws IOException; + +- int read(byte[] b, int off, int len) ++ int read(byte[] b, int off, int len) + throws IOException, SocketTimeoutException { + synchronized (readLock) { + synchronized (this) { + if ( isClosed ) { /* abort read if socket is closed */ + throw new IOException( +- "Socket has been closed, and cannot be reused."); ++ "Socket has been closed, and cannot be reused."); + } +- inRead = true; ++ inRead = true; + } + int iRet; + try { +- iRet = socketRead(b, off, len, base.getTimeout()); ++ iRet = socketRead(b, off, len, base.getTimeout()); + } catch (SocketTimeoutException ste) { + throw new SocketTimeoutException( + "SocketTimeoutException cannot read on socket"); +@@ -1169,13 +1170,13 @@ public class SSLSocket extends java.net.Socket { + } + } + +- void write(byte[] b, int off, int len) ++ void write(byte[] b, int off, int len) + throws IOException, SocketTimeoutException { + synchronized (writeLock) { + synchronized (this) { + if ( isClosed ) { /* abort write if socket is closed */ + throw new IOException( +- "Socket has been closed, and cannot be reused."); ++ "Socket has been closed, and cannot be reused."); + } + inWrite = true; + } +@@ -1284,9 +1285,9 @@ public class SSLSocket extends java.net.Socket { + } + + /** +- * isFipsCipherSuite ++ * isFipsCipherSuite + * +- *@return true if the ciphersuite isFIPS, false otherwise ++ *@return true if the ciphersuite isFIPS, false otherwise + */ + public static boolean isFipsCipherSuite(int ciphersuite) throws SocketException { + return isFipsCipherSuiteNative(ciphersuite); +@@ -1364,12 +1365,12 @@ public class SSLSocket extends java.net.Socket { + + public final static int TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062; + public final static int TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064; +- ++ + public final static int 
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063; + public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065; + public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066; + +-// New TLS cipher suites in NSS 3.4 ++// New TLS cipher suites in NSS 3.4 + public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F; + public final static int TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030; + public final static int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031; +-- +2.9.3 + + +From 0138f3f47e061c088ca231f9b177363beb2c2f62 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 17 Mar 2017 16:58:28 -0700 +Subject: [PATCH 03/11] Reformatted cipher definitions in SSLSocket class. The + cipher definitions in SSLSocket class have been moved to the top of the class + and reformatted for better readability. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1347429 +--- + org/mozilla/jss/ssl/SSLSocket.java | 289 ++++++++++++++++++------------------- + 1 file changed, 144 insertions(+), 145 deletions(-) + +diff --git a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java +index 642a3e6..ce39987 100644 +--- a/org/mozilla/jss/ssl/SSLSocket.java ++++ b/org/mozilla/jss/ssl/SSLSocket.java +@@ -18,6 +18,150 @@ import java.util.Vector; + */ + public class SSLSocket extends java.net.Socket { + ++ /** ++ * ++ * Note the following cipher-suites constants are not all implemented. ++ * You need to call getImplementedCiphersuites. 
++ * ++ */ ++ ++ public final static int SSL2_RC4_128_WITH_MD5 = 0xFF01; ++ public final static int SSL2_RC4_128_EXPORT40_WITH_MD5 = 0xFF02; ++ public final static int SSL2_RC2_128_CBC_WITH_MD5 = 0xFF03; ++ public final static int SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 = 0xFF04; ++ public final static int SSL2_IDEA_128_CBC_WITH_MD5 = 0xFF05; ++ public final static int SSL2_DES_64_CBC_WITH_MD5 = 0xFF06; ++ public final static int SSL2_DES_192_EDE3_CBC_WITH_MD5 = 0xFF07; ++ ++ public final static int SSL3_RSA_WITH_NULL_MD5 = 0x0001; ++ public final static int SSL3_RSA_WITH_NULL_SHA = 0x0002; ++ public final static int SSL3_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003; ++ public final static int SSL3_RSA_WITH_RC4_128_MD5 = 0x0004; ++ public final static int SSL3_RSA_WITH_RC4_128_SHA = 0x0005; ++ public final static int SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006; ++ public final static int SSL3_RSA_WITH_IDEA_CBC_SHA = 0x0007; ++ public final static int SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008; ++ public final static int SSL3_RSA_WITH_DES_CBC_SHA = 0x0009; ++ public final static int SSL3_RSA_WITH_3DES_EDE_CBC_SHA = 0x000a; ++ ++ public final static int SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000b; ++ public final static int SSL3_DH_DSS_WITH_DES_CBC_SHA = 0x000c; ++ public final static int SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000d; ++ public final static int SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000e; ++ public final static int SSL3_DH_RSA_WITH_DES_CBC_SHA = 0x000f; ++ public final static int SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010; ++ ++ public final static int SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011; ++ public final static int SSL3_DHE_DSS_WITH_DES_CBC_SHA = 0x0012; ++ public final static int SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013; ++ public final static int SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014; ++ public final static int SSL3_DHE_RSA_WITH_DES_CBC_SHA = 0x0015; ++ public final static int SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016; ++ ++ 
public final static int SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017; ++ public final static int SSL3_DH_ANON_WITH_RC4_128_MD5 = 0x0018; ++ public final static int SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019; ++ public final static int SSL3_DH_ANON_WITH_DES_CBC_SHA = 0x001a; ++ public final static int SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001b; ++ ++ /** ++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. ++ * SSL3_FORTEZZA_DMS_WITH_NULL_SHA, SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA ++ * and SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA are placeholders for ++ * backward compatibility. ++ */ ++ public final static int SSL3_FORTEZZA_DMS_WITH_NULL_SHA = 0x001c; ++ public final static int SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = 0x001d; ++ public final static int SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA = 0x001e; ++ ++ public final static int SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xfeff; ++ public final static int SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xfefe; ++ ++ public final static int TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062; ++ public final static int TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064; ++ ++ public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063; ++ public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065; ++ public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066; ++ public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067; ++ public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B; ++ ++ // New TLS cipher suites in NSS 3.4 ++ public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F; ++ public final static int TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030; ++ public final static int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031; ++ public final static int TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032; ++ public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033; ++ public final static int TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034; ++ ++ public final static int TLS_RSA_WITH_AES_256_CBC_SHA = 
0x0035; ++ public final static int TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036; ++ public final static int TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037; ++ public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038; ++ public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039; ++ public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A; ++ public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003B; ++ public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C; ++ public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D; ++ ++ public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041; ++ public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042; ++ public final static int TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043; ++ public final static int TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044; ++ public final static int TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045; ++ public final static int TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046; ++ ++ public final static int TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084; ++ public final static int TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085; ++ public final static int TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086; ++ public final static int TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087; ++ public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088; ++ public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089; ++ ++ public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096; ++ ++ public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C; ++ public final static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E; ++ public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2; ++ ++ public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001; ++ public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002; ++ public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003; ++ public final static int 
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xc004; ++ public final static int TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xc005; ++ ++ public final static int TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xc006; ++ public final static int TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xc007; ++ public final static int TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc008; ++ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xc009; ++ public final static int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xc00a; ++ ++ public final static int TLS_ECDH_RSA_WITH_NULL_SHA = 0xc00b; ++ public final static int TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xc00c; ++ public final static int TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xc00d; ++ public final static int TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xc00e; ++ public final static int TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xc00f; ++ ++ public final static int TLS_ECDHE_RSA_WITH_NULL_SHA = 0xc010; ++ public final static int TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xc011; ++ public final static int TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xc012; ++ public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xc013; ++ public final static int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xc014; ++ ++ public final static int TLS_ECDH_anon_WITH_NULL_SHA = 0xc015; ++ public final static int TLS_ECDH_anon_WITH_RC4_128_SHA = 0xc016; ++ public final static int TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xc017; ++ public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018; ++ public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019; ++ ++ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023; ++ public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027; ++ ++ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02B; ++ public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D; ++ public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02F; ++ public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031; ++ 
+ /* + * Locking strategy of SSLSocket + * +@@ -1303,149 +1447,4 @@ public class SSLSocket extends java.net.Socket { + * TLS_RSA_WITH_AES_128_CBC_SHA). + */ + public static native int[] getImplementedCipherSuites(); +- +- /** +- * +- * Note the following cipher-suites constants are not all implemented. +- * You need to call getImplementedCiphersuites. +- * +- */ +- +- public final static int SSL2_RC4_128_WITH_MD5 = 0xFF01; +- public final static int SSL2_RC4_128_EXPORT40_WITH_MD5 = 0xFF02; +- public final static int SSL2_RC2_128_CBC_WITH_MD5 = 0xFF03; +- public final static int SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 = 0xFF04; +- public final static int SSL2_IDEA_128_CBC_WITH_MD5 = 0xFF05; +- public final static int SSL2_DES_64_CBC_WITH_MD5 = 0xFF06; +- public final static int SSL2_DES_192_EDE3_CBC_WITH_MD5 = 0xFF07; +- +- public final static int SSL3_RSA_WITH_NULL_MD5 = 0x0001; +- public final static int SSL3_RSA_WITH_NULL_SHA = 0x0002; +- public final static int SSL3_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003; +- public final static int SSL3_RSA_WITH_RC4_128_MD5 = 0x0004; +- public final static int SSL3_RSA_WITH_RC4_128_SHA = 0x0005; +- public final static int SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006; +- public final static int SSL3_RSA_WITH_IDEA_CBC_SHA = 0x0007; +- public final static int SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008; +- public final static int SSL3_RSA_WITH_DES_CBC_SHA = 0x0009; +- public final static int SSL3_RSA_WITH_3DES_EDE_CBC_SHA = 0x000a; +- +- public final static int SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000b; +- public final static int SSL3_DH_DSS_WITH_DES_CBC_SHA = 0x000c; +- public final static int SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000d; +- public final static int SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000e; +- public final static int SSL3_DH_RSA_WITH_DES_CBC_SHA = 0x000f; +- public final static int SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010; +- +- public final static int SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011; +- public 
final static int SSL3_DHE_DSS_WITH_DES_CBC_SHA = 0x0012; +- public final static int SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013; +- public final static int SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014; +- public final static int SSL3_DHE_RSA_WITH_DES_CBC_SHA = 0x0015; +- public final static int SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016; +- +- public final static int SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017; +- public final static int SSL3_DH_ANON_WITH_RC4_128_MD5 = 0x0018; +- public final static int SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019; +- public final static int SSL3_DH_ANON_WITH_DES_CBC_SHA = 0x001a; +- public final static int SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001b; +- +- /** +- * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. +- * SSL3_FORTEZZA_DMS_WITH_NULL_SHA, SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA +- * and SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA are placeholders for +- * backward compatibility. +- */ +- public final static int SSL3_FORTEZZA_DMS_WITH_NULL_SHA = 0x001c; +- public final static int SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA= 0x001d; +- public final static int SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA = 0x001e; +- +- public final static int SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xfeff; +- public final static int SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xfefe; +- +- public final static int TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062; +- public final static int TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064; +- +- public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063; +- public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065; +- public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066; +- +-// New TLS cipher suites in NSS 3.4 +- public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F; +- public final static int TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030; +- public final static int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031; +- public final static int TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032; 
+- public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033; +- public final static int TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034; +- +- public final static int TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035; +- public final static int TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036; +- public final static int TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037; +- public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038; +- public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039; +- public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003a; +- public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003b; +- public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003c; +- public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003d; +- +- public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041; +- public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042; +- public final static int TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043; +- public final static int TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044; +- public final static int TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045; +- public final static int TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046; +- +- public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067; +- public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006b; +- +- public final static int TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084; +- public final static int TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085; +- public final static int TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086; +- public final static int TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087; +- public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088; +- public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089; +- +- public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096; +- +- public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009c; +- public final static int 
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009e; +- public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2; +- +- public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001; +- public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002; +- public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003; +- public final static int TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xc004; +- public final static int TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xc005; +- +- public final static int TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xc006; +- public final static int TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xc007; +- public final static int TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc008; +- public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xc009; +- public final static int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xc00a; +- +- public final static int TLS_ECDH_RSA_WITH_NULL_SHA = 0xc00b; +- public final static int TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xc00c; +- public final static int TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xc00d; +- public final static int TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xc00e; +- public final static int TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xc00f; +- +- public final static int TLS_ECDHE_RSA_WITH_NULL_SHA = 0xc010; +- public final static int TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xc011; +- public final static int TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xc012; +- public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xc013; +- public final static int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xc014; +- +- public final static int TLS_ECDH_anon_WITH_NULL_SHA = 0xc015; +- public final static int TLS_ECDH_anon_WITH_RC4_128_SHA = 0xc016; +- public final static int TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xc017; +- public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018; +- public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019; +- +- public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023; +- public final static 
int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027; +- public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02b; +- public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D; +- public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02f; +- public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031; + } +- +-- +2.9.3 + + +From 71f8cd5a15610690f6e8f226fc081b10f9dd9cb6 Mon Sep 17 00:00:00 2001 +From: "Endi S. Dewata" +Date: Fri, 17 Mar 2017 16:59:11 -0700 +Subject: [PATCH 04/11] Added annotations for deprecated SSL 3.0 ciphers. Some + SSL 3.0 ciphers have deprecated according to this list: + https://github.com/nss-dev/nss/blob/master/lib/ssl/sslproto.h + +The deprecated cipher definitions have been marked accordingly +in the SSLSocket class. The replacement cipher definitions (if +any) have been added with the same cipher IDs. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1347429 +--- + org/mozilla/jss/ssl/SSLSocket.java | 152 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 149 insertions(+), 3 deletions(-) + +diff --git a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java +index ce39987..2e1ac54 100644 +--- a/org/mozilla/jss/ssl/SSLSocket.java ++++ b/org/mozilla/jss/ssl/SSLSocket.java +@@ -33,45 +33,166 @@ public class SSLSocket extends java.net.Socket { + public final static int SSL2_DES_64_CBC_WITH_MD5 = 0xFF06; + public final static int SSL2_DES_192_EDE3_CBC_WITH_MD5 = 0xFF07; + ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_NULL_MD5. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_NULL_MD5 = 0x0001; ++ public final static int TLS_RSA_WITH_NULL_MD5 = 0x0001; ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_NULL_SHA. 
++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_NULL_SHA = 0x0002; ++ public final static int TLS_RSA_WITH_NULL_SHA = 0x0002; ++ + public final static int SSL3_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003; ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_RC4_128_MD5. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_RC4_128_MD5 = 0x0004; ++ public final static int TLS_RSA_WITH_RC4_128_MD5 = 0x0004; ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_RC4_128_SHA. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_RC4_128_SHA = 0x0005; ++ public final static int TLS_RSA_WITH_RC4_128_SHA = 0x0005; ++ + public final static int SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006; ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_IDEA_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_IDEA_CBC_SHA = 0x0007; ++ public final static int TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007; ++ + public final static int SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008; ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_DES_CBC_SHA = 0x0009; ++ public final static int TLS_RSA_WITH_DES_CBC_SHA = 0x0009; ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_RSA_WITH_3DES_EDE_CBC_SHA = 0x000a; ++ public final static int TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000a; + + public final static int SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000b; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_DSS_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DH_DSS_WITH_DES_CBC_SHA = 0x000c; ++ public final static int TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000c; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA. 
++ */ ++ @Deprecated + public final static int SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000d; ++ public final static int TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000d; ++ + public final static int SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000e; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_RSA_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DH_RSA_WITH_DES_CBC_SHA = 0x000f; ++ public final static int TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000f; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010; ++ public final static int TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010; + + public final static int SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011; ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_DSS_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DHE_DSS_WITH_DES_CBC_SHA = 0x0012; ++ public final static int TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012; ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013; ++ public final static int TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013; ++ + public final static int SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014; ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_RSA_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DHE_RSA_WITH_DES_CBC_SHA = 0x0015; ++ public final static int TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015; ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016; ++ public final static int TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016; + + public final static int SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_RC4_128_MD5. 
++ */ ++ @Deprecated + public final static int SSL3_DH_ANON_WITH_RC4_128_MD5 = 0x0018; ++ public final static int TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018; ++ + public final static int SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DH_ANON_WITH_DES_CBC_SHA = 0x001a; ++ public final static int TLS_DH_anon_WITH_DES_CBC_SHA = 0x001a; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated + public final static int SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001b; ++ public final static int TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001b; + + /** + * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. +- * SSL3_FORTEZZA_DMS_WITH_NULL_SHA, SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA +- * and SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA are placeholders for +- * backward compatibility. + */ ++ @Deprecated + public final static int SSL3_FORTEZZA_DMS_WITH_NULL_SHA = 0x001c; ++ ++ /** ++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. ++ */ ++ @Deprecated + public final static int SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = 0x001d; ++ ++ /** ++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. ++ */ ++ @Deprecated + public final static int SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA = 0x001e; + + public final static int SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xfeff; +@@ -92,14 +213,27 @@ public class SSLSocket extends java.net.Socket { + public final static int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031; + public final static int TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032; + public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_AES_128_CBC_SHA. 
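Review bot: The new `TLS_*` aliases added in this hunk carry no documentation, and several of them name suites that give little or no protection: `TLS_RSA_WITH_NULL_MD5` and `TLS_RSA_WITH_NULL_SHA` do not encrypt, the `TLS_DH_anon_*` entries do not authenticate the peer, and the RC4 and single-DES entries are no longer considered safe. Because each alias is the non-deprecated name callers are now steered to, a one-line comment per group would help, for example `// NULL cipher: integrity only, no confidentiality` above `TLS_RSA_WITH_NULL_MD5` and `// anonymous DH: no peer authentication` above `TLS_DH_anon_WITH_RC4_128_MD5`. The same applies to the `TLS_DH_anon_WITH_AES_*` and `TLS_DH_anon_WITH_CAMELLIA_*` aliases in the two later hunks of this patch. The `@deprecated` text could also use `{@link #TLS_RSA_WITH_NULL_MD5}` so the replacement is navigable in the generated Javadoc.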
++ */ ++ @Deprecated + public final static int TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034; ++ public final static int TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034; + + public final static int TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035; + public final static int TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036; + public final static int TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037; + public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038; + public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_AES_256_CBC_SHA. ++ */ ++ @Deprecated + public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A; ++ public final static int TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A; ++ + public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003B; + public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C; + public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D; +@@ -109,14 +243,26 @@ public class SSLSocket extends java.net.Socket { + public final static int TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043; + public final static int TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044; + public final static int TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA. ++ */ ++ @Deprecated + public final static int TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046; ++ public final static int TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046; + + public final static int TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084; + public final static int TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085; + public final static int TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086; + public final static int TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087; + public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088; ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA. 
++ */ ++ @Deprecated + public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089; ++ public final static int TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089; + + public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096; + +-- +2.9.3 + + +From 7027cbab0757376f4719674173206df0cdadd592 Mon Sep 17 00:00:00 2001 +From: "Endi S. Edewata" +Date: Tue, 21 Mar 2017 13:09:37 -0700 +Subject: [PATCH 05/11] Added SSLSocketListener. The SSLSocket has been + modified to support SSLSocketListener which will be invoked when an SSL alert + has been sent or received, also when an SSL handshake has been completed. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1348856 +--- + org/mozilla/jss/ssl/SSLAlertDescription.java | 64 ++++++++++++++ + org/mozilla/jss/ssl/SSLAlertEvent.java | 39 +++++++++ + org/mozilla/jss/ssl/SSLAlertLevel.java | 29 +++++++ + org/mozilla/jss/ssl/SSLSocket.java | 53 ++++++++---- + org/mozilla/jss/ssl/SSLSocketListener.java | 11 +++ + org/mozilla/jss/ssl/callbacks.c | 119 +++++++++++++++++++++++++++ + org/mozilla/jss/ssl/common.c | 19 +++++ + org/mozilla/jss/ssl/jssl.h | 8 ++ + org/mozilla/jss/util/java_ids.h | 8 ++ + 9 files changed, 332 insertions(+), 18 deletions(-) + create mode 100644 org/mozilla/jss/ssl/SSLAlertDescription.java + create mode 100644 org/mozilla/jss/ssl/SSLAlertEvent.java + create mode 100644 org/mozilla/jss/ssl/SSLAlertLevel.java + create mode 100644 org/mozilla/jss/ssl/SSLSocketListener.java + +diff --git a/org/mozilla/jss/ssl/SSLAlertDescription.java b/org/mozilla/jss/ssl/SSLAlertDescription.java +new file mode 100644 +index 0000000..c2ed060 +--- /dev/null ++++ b/org/mozilla/jss/ssl/SSLAlertDescription.java +@@ -0,0 +1,64 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
*/
++
++package org.mozilla.jss.ssl;
++
++public enum SSLAlertDescription {
++
++ // see lib/ssl/ssl3prot.h in NSS
++ CLOSE_NOTIFY (0),
++ END_OF_EARLY_DATA (1), // TLS 1.3
++ UNEXPECTED_MESSAGE (10),
++ BAD_RECORD_MAC (20),
++ DECRYPTION_FAILED (21), // RFC 5246
++ RECORD_OVERFLOW (22), // TLS only
++ DECOMPRESSION_FAILURE (30),
++ HANDSHAKE_FAILURE (40),
++ NO_CERTIFICATE (41), // SSL3 only, NOT TLS
++ BAD_CERTIFICATE (42),
++ UNSUPPORTED_CERTIFICATE (43),
++ CERTIFICATE_REVOKED (44),
++ CERTIFICATE_EXPIRED (45),
++ CERTIFICATE_UNKNOWN (46),
++ ILLEGAL_PARAMETER (47),
++
++ // All alerts below are TLS only.
++ UNKNOWN_CA (48),
++ ACCESS_DENIED (49),
++ DECODE_ERROR (50),
++ DECRYPT_ERROR (51),
++ EXPORT_RESTRICTION (60),
++ PROTOCOL_VERSION (70),
++ INSUFFICIENT_SECURITY (71),
++ INTERNAL_ERROR (80),
++ INAPPROPRIATE_FALLBACK (86), // could also be sent for SSLv3
++ USER_CANCELED (90),
++ NO_RENEGOTIATION (100),
++
++ // Alerts for client hello extensions
++ MISSING_EXTENSION (109),
++ UNSUPPORTED_EXTENSION (110),
++ CERTIFICATE_UNOBTAINABLE (111),
++ UNRECOGNIZED_NAME (112),
++ BAD_CERTIFICATE_STATUS_RESPONSE (113),
++ BAD_CERTIFICATE_HASH_VALUE (114),
++ NO_APPLICATION_PROTOCOL (120);
++
++ private int id;
++
++ private SSLAlertDescription(int id) {
++ this.id = id;
++ }
++
++ public int getID() {
++ return id;
++ }
++
++ public static SSLAlertDescription valueOf(int id) {
++ for (SSLAlertDescription description : SSLAlertDescription.class.getEnumConstants()) {
++ if (description.id == id) return description;
++ }
++ return null;
++ }
++}
+diff --git a/org/mozilla/jss/ssl/SSLAlertEvent.java b/org/mozilla/jss/ssl/SSLAlertEvent.java
+new file mode 100644
+index 0000000..bfa42e1
+--- /dev/null
++++ b/org/mozilla/jss/ssl/SSLAlertEvent.java
+@@ -0,0 +1,39 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
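Review bot: `valueOf(int id)` returns `null` for any code not in the table, and the alert description is a byte chosen by the peer, so an unknown or future value is an expected input rather than an error. Nothing in the file tells a caller that; a Javadoc line such as `@return the matching constant, or null if the ID is not a known alert description` on `valueOf` would make the null check an explicit part of the contract. `private int id;` can be `private final int id;`, and `values()` is the usual way to iterate instead of `SSLAlertDescription.class.getEnumConstants()`. `SSLAlertLevel.valueOf(int)` in the next new file of this patch has the same shape and the same gaps.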
*/
++
++package org.mozilla.jss.ssl;
++
++import java.util.EventObject;
++
++public class SSLAlertEvent extends EventObject {
++
++ private static final long serialVersionUID = 1L;
++
++ int level;
++ int description;
++
++ public SSLAlertEvent(SSLSocket socket) {
++ super(socket);
++ }
++
++ public SSLSocket getSocket() {
++ return (SSLSocket)getSource();
++ }
++
++ public int getLevel() {
++ return level;
++ }
++
++ public void setLevel(int level) {
++ this.level = level;
++ }
++
++ public int getDescription() {
++ return description;
++ }
++
++ public void setDescription(int description) {
++ this.description = description;
++ }
++}
+diff --git a/org/mozilla/jss/ssl/SSLAlertLevel.java b/org/mozilla/jss/ssl/SSLAlertLevel.java
+new file mode 100644
+index 0000000..f7f44f2
+--- /dev/null
++++ b/org/mozilla/jss/ssl/SSLAlertLevel.java
+@@ -0,0 +1,29 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
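Review bot: `int level;` and `int description;` are package-private and writable through public setters, and the same event instance is handed to every registered listener (see `fireAlertReceivedEvent` in the SSLSocket.java hunk of this patch), so one listener can change what the next one sees or logs. Declaring them `private int level;` and `private int description;` is the minimal change. Passing both values to the constructor and dropping the setters would make the event immutable, though the native callback in callbacks.c calls `setLevel` and `setDescription` and would have to follow. The class also has no Javadoc saying that the two ints are the raw wire values which `SSLAlertLevel.valueOf(int)` and `SSLAlertDescription.valueOf(int)` decode.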
*/
++
++package org.mozilla.jss.ssl;
++
++public enum SSLAlertLevel {
++
++ // see lib/ssl/ssl3prot.h in NSS
++ WARNING (1),
++ FATAL (2);
++
++ private int id;
++
++ private SSLAlertLevel(int id) {
++ this.id = id;
++ }
++
++ public int getID() {
++ return id;
++ }
++
++ public static SSLAlertLevel valueOf(int id) {
++ for (SSLAlertLevel level : SSLAlertLevel.class.getEnumConstants()) {
++ if (level.id == id) return level;
++ }
++ return null;
++ }
++}
+diff --git a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java
+index 2e1ac54..0dd39fd 100644
+--- a/org/mozilla/jss/ssl/SSLSocket.java
++++ b/org/mozilla/jss/ssl/SSLSocket.java
+@@ -11,7 +11,8 @@ import java.net.InetAddress;
+ import java.net.SocketException;
+ import java.net.SocketTimeoutException;
+ import java.net.UnknownHostException;
+-import java.util.Vector;
++import java.util.ArrayList;
++import java.util.Collection;
+
+ /**
+ * SSL client socket.
+@@ -349,6 +350,9 @@ public class SSLSocket extends java.net.Socket {
+ static final public int SSL_RENEGOTIATE_TRANSITIONAL =
+ org.mozilla.jss.ssl.SocketBase.SSL_RENEGOTIATE_TRANSITIONAL;
+
++ private Collection socketListeners = new ArrayList<>();
++ private Collection handshakeCompletedListeners = new ArrayList<>();
++
+ /**
+ * For sockets that get created by accept().
+ */
+@@ -749,38 +753,51 @@ public class SSLSocket extends java.net.Socket {
+ ////////////////////////////////////////////////////////////////////
+ // SSL-specific stuff
+ ////////////////////////////////////////////////////////////////////
+- private Vector handshakeCompletedListeners = new Vector();
++
++ public void addSocketListener(SSLSocketListener listener) {
++ socketListeners.add(listener);
++ addHandshakeCompletedListener(listener);
++ }
++
++ public void removeSocketListener(SSLSocketListener listener) {
++ socketListeners.remove(listener);
++ removeHandshakeCompletedListener(listener);
++ }
++
++ private void fireAlertReceivedEvent(SSLAlertEvent event) {
++ for (SSLSocketListener listener : socketListeners) {
++ listener.alertReceived(event);
++ }
++ }
++
++ private void fireAlertSentEvent(SSLAlertEvent event) {
++ for (SSLSocketListener listener : socketListeners) {
++ listener.alertSent(event);
++ }
++ }
+
+ /**
+ * Adds a listener to be notified when an SSL handshake completes.
+ */
+- public void addHandshakeCompletedListener(SSLHandshakeCompletedListener l) {
+- handshakeCompletedListeners.addElement(l);
++ public void addHandshakeCompletedListener(SSLHandshakeCompletedListener listener) {
++ handshakeCompletedListeners.add(listener);
+ }
+
+ /**
+ * Removes a previously registered listener for handshake completion.
+ */ +- public void removeHandshakeCompletedListener( +- SSLHandshakeCompletedListener l) { +- handshakeCompletedListeners.removeElement(l); ++ public void removeHandshakeCompletedListener(SSLHandshakeCompletedListener listener) { ++ handshakeCompletedListeners.remove(listener); + } + + private void notifyAllHandshakeListeners() { +- SSLHandshakeCompletedEvent event = +- new SSLHandshakeCompletedEvent(this); +- +- /* XXX NOT THREAD SAFE */ +- int i; +- for( i=0; i < handshakeCompletedListeners.size(); ++i) { +- SSLHandshakeCompletedListener l = +- (SSLHandshakeCompletedListener) +- handshakeCompletedListeners.elementAt(i); +- l.handshakeCompleted(event); ++ SSLHandshakeCompletedEvent event = new SSLHandshakeCompletedEvent(this); ++ ++ for (SSLHandshakeCompletedListener listener : handshakeCompletedListeners) { ++ listener.handshakeCompleted(event); + } + } + +- + /** + * Enables SSL v2 on this socket. It is enabled by default, unless the + * default has been changed with enableSSL2Default. +diff --git a/org/mozilla/jss/ssl/SSLSocketListener.java b/org/mozilla/jss/ssl/SSLSocketListener.java +new file mode 100644 +index 0000000..e653f66 +--- /dev/null ++++ b/org/mozilla/jss/ssl/SSLSocketListener.java +@@ -0,0 +1,11 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
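Review bot: `fireAlertReceivedEvent`, `fireAlertSentEvent` and `notifyAllHandshakeListeners` iterate `socketListeners` and `handshakeCompletedListeners` directly, and the hunk at `@@ -349,6 +350,9 @@` backs both with a plain `ArrayList`, so a listener that removes itself inside its callback, or an add/remove from another thread while an event is being delivered, can raise `ConcurrentModificationException`. The old code walked a synchronized `Vector` by index under an `XXX NOT THREAD SAFE` marker; this change drops the marker without resolving it. Iterating a snapshot, `for (SSLSocketListener listener : new ArrayList<>(socketListeners))`, covers the re-entrant case, and switching both fields to `java.util.concurrent.CopyOnWriteArrayList` covers the cross-thread case as well. The callers of the two private `fire*` methods are not in this hunk; if they are invoked from the native alert callbacks, an exception escaping a listener would also need handling on that side.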
*/ ++ ++package org.mozilla.jss.ssl; ++ ++public interface SSLSocketListener extends SSLHandshakeCompletedListener { ++ ++ public void alertReceived(SSLAlertEvent event); ++ public void alertSent(SSLAlertEvent event); ++} +diff --git a/org/mozilla/jss/ssl/callbacks.c b/org/mozilla/jss/ssl/callbacks.c +index d691363..0738e79 100644 +--- a/org/mozilla/jss/ssl/callbacks.c ++++ b/org/mozilla/jss/ssl/callbacks.c +@@ -271,6 +271,125 @@ loser: + return rv; + } + ++void ++JSSL_AlertReceivedCallback(const PRFileDesc *fd, void *arg, const SSLAlert *alert) ++{ ++ JSSL_SocketData *socket = (JSSL_SocketData*) arg; ++ ++ jint rc; ++ JNIEnv *env; ++ jclass socketClass, eventClass; ++ jmethodID eventConstructor, eventSetLevel, eventSetDescription; ++ jobject event; ++ jmethodID fireEvent; ++ ++ PR_ASSERT(socket != NULL); ++ PR_ASSERT(socket->socketObject != NULL); ++ ++ rc = (*JSS_javaVM)->AttachCurrentThread(JSS_javaVM, (void**)&env, NULL); ++ PR_ASSERT(rc == JNI_OK); ++ PR_ASSERT(env != NULL); ++ ++ /* SSLAlertEvent event = new SSLAlertEvent(socket); */ ++ ++ socketClass = (*env)->FindClass(env, SSLSOCKET_CLASS); ++ PR_ASSERT(socketClass != NULL); ++ ++ eventClass = (*env)->FindClass(env, SSL_ALERT_EVENT_CLASS); ++ PR_ASSERT(eventClass != NULL); ++ ++ eventConstructor = (*env)->GetMethodID(env, eventClass, "", "(L" SSLSOCKET_CLASS ";)V"); ++ PR_ASSERT(eventConstructor != NULL); ++ ++ event = (*env)->NewObject(env, eventClass, eventConstructor, socket->socketObject); ++ PR_ASSERT(event != NULL); ++ ++ /* event.setLevel(level); */ ++ ++ eventSetLevel = (*env)->GetMethodID(env, eventClass, "setLevel", "(I)V"); ++ PR_ASSERT(eventSetLevel != NULL); ++ ++ (*env)->CallVoidMethod(env, event, eventSetLevel, (int)alert->level); ++ ++ /* event.setDescription(description); */ ++ ++ eventSetDescription = (*env)->GetMethodID(env, eventClass, "setDescription", "(I)V"); ++ PR_ASSERT(eventSetDescription != NULL); ++ ++ (*env)->CallVoidMethod(env, event, eventSetDescription, alert->description); 
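Review bot: `SSLSocketListener` is a new public callback interface with no Javadoc, and neither method says when or on which thread it is invoked. Judging by `callbacks.c` in the same patch, both are called synchronously from the NSS alert callbacks, so I would add a type comment such as `/** Listener for TLS alerts sent and received on an SSLSocket; invoked synchronously from the SSL layer, so implementations should return quickly and must not throw. */` plus a one-line `@param event` on each method. The `public` modifiers on the interface methods are redundant and can be dropped.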
++ ++ /* socket.fireAlertReceivedEvent(event); */ ++ ++ fireEvent = (*env)->GetMethodID(env, ++ socketClass, ++ "fireAlertReceivedEvent", ++ "(L" SSL_ALERT_EVENT_CLASS ";)V"); ++ PR_ASSERT(fireEvent != NULL); ++ ++ (*env)->CallVoidMethod(env, socket->socketObject, fireEvent, event); ++ ++ (*JSS_javaVM)->DetachCurrentThread(JSS_javaVM); ++} ++ ++void ++JSSL_AlertSentCallback(const PRFileDesc *fd, void *arg, const SSLAlert *alert) ++{ ++ JSSL_SocketData *socket = (JSSL_SocketData*) arg; ++ ++ jint rc; ++ JNIEnv *env; ++ jclass socketClass, eventClass; ++ jmethodID eventConstructor, eventSetLevel, eventSetDescription; ++ jobject event; ++ jmethodID fireEvent; ++ ++ PR_ASSERT(socket != NULL); ++ PR_ASSERT(socket->socketObject != NULL); ++ ++ rc = (*JSS_javaVM)->AttachCurrentThread(JSS_javaVM, (void**)&env, NULL); ++ PR_ASSERT(rc == JNI_OK); ++ PR_ASSERT(env != NULL); ++ ++ /* SSLAlertEvent event = new SSLAlertEvent(socket); */ ++ ++ socketClass = (*env)->FindClass(env, SSLSOCKET_CLASS); ++ PR_ASSERT(socketClass != NULL); ++ ++ eventClass = (*env)->FindClass(env, SSL_ALERT_EVENT_CLASS); ++ PR_ASSERT(eventClass != NULL); ++ ++ eventConstructor = (*env)->GetMethodID(env, eventClass, "", "(L" SSLSOCKET_CLASS ";)V"); ++ PR_ASSERT(eventConstructor != NULL); ++ ++ event = (*env)->NewObject(env, eventClass, eventConstructor, socket->socketObject); ++ PR_ASSERT(event != NULL); ++ ++ /* event.setLevel(level); */ ++ ++ eventSetLevel = (*env)->GetMethodID(env, eventClass, "setLevel", "(I)V"); ++ PR_ASSERT(eventSetLevel != NULL); ++ ++ (*env)->CallVoidMethod(env, event, eventSetLevel, (int)alert->level); ++ ++ /* event.setDescription(description); */ ++ ++ eventSetDescription = (*env)->GetMethodID(env, eventClass, "setDescription", "(I)V"); ++ PR_ASSERT(eventSetDescription != NULL); ++ ++ (*env)->CallVoidMethod(env, event, eventSetDescription, alert->description); ++ ++ /* socket.fireAlertSentEvent(event); */ ++ ++ fireEvent = (*env)->GetMethodID(env, ++ socketClass, ++ 
"fireAlertSentEvent", ++ "(L" SSL_ALERT_EVENT_CLASS ";)V"); ++ PR_ASSERT(fireEvent != NULL); ++ ++ (*env)->CallVoidMethod(env, socket->socketObject, fireEvent, event); ++ ++ (*JSS_javaVM)->DetachCurrentThread(JSS_javaVM); ++} + + void + JSSL_HandshakeCallback(PRFileDesc *fd, void *arg) +diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c +index be35c57..84a4332 100644 +--- a/org/mozilla/jss/ssl/common.c ++++ b/org/mozilla/jss/ssl/common.c +@@ -261,6 +261,7 @@ JSSL_SocketData* + JSSL_CreateSocketData(JNIEnv *env, jobject sockObj, PRFileDesc* newFD, + PRFilePrivate *priv) + { ++ SECStatus status; + JSSL_SocketData *sockdata = NULL; + + /* make a JSSL_SocketData structure */ +@@ -297,6 +298,24 @@ JSSL_CreateSocketData(JNIEnv *env, jobject sockObj, PRFileDesc* newFD, + sockdata->socketObject = NEW_WEAK_GLOBAL_REF(env, sockObj); + if( sockdata->socketObject == NULL ) goto finish; + ++ /* registering alert received callback */ ++ ++ status = SSL_AlertReceivedCallback(sockdata->fd, JSSL_AlertReceivedCallback, sockdata); ++ ++ if (status != SECSuccess) { ++ JSSL_throwSSLSocketException(env, "Unable to install alert received callback"); ++ goto finish; ++ } ++ ++ /* registering alert sent callback */ ++ ++ status = SSL_AlertSentCallback(sockdata->fd, JSSL_AlertSentCallback, sockdata); ++ ++ if (status != SECSuccess) { ++ JSSL_throwSSLSocketException(env, "Unable to install alert sent callback"); ++ goto finish; ++ } ++ + finish: + if( (*env)->ExceptionOccurred(env) != NULL ) { + if( sockdata != NULL ) { +diff --git a/org/mozilla/jss/ssl/jssl.h b/org/mozilla/jss/ssl/jssl.h +index 616c755..571c2a4 100644 +--- a/org/mozilla/jss/ssl/jssl.h ++++ b/org/mozilla/jss/ssl/jssl.h +@@ -5,6 +5,8 @@ + #ifndef ORG_MOZILLA_JSS_SSL_JSSL_H + #define ORG_MOZILLA_JSS_SSL_JSSL_H + ++#include ++ + struct JSSL_SocketData { + PRFileDesc *fd; + jobject socketObject; /* weak global ref */ +@@ -26,6 +28,12 @@ JSSL_JavaCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig, + 
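Review bot: Every failure path in `JSSL_AlertReceivedCallback` and `JSSL_AlertSentCallback` is guarded only by `PR_ASSERT`, which compiles to nothing in optimized NSPR builds, so a failed `AttachCurrentThread`, `FindClass`, `GetMethodID` or `NewObject` goes on to dereference `env` or call into the JVM with a NULL class, method ID or object. `socket->socketObject` is a weak global reference (per the comment in `jssl.h`) and is handed to `NewObject`/`CallVoidMethod` without being promoted to a local reference and checked, and an exception thrown by a listener is left pending when control returns to NSS. I would replace the assertions with real checks that leave through a common exit, as sketched below for the received path; the sent path is a line-for-line copy and could share a helper that takes the notifier name. The unconditional `DetachCurrentThread` also deserves a look, since it is only appropriate when this callback did the attaching; which thread NSS invokes the callback on is not visible in this hunk.

```c
void
JSSL_AlertReceivedCallback(const PRFileDesc *fd, void *arg, const SSLAlert *alert)
{
    JSSL_SocketData *socket = (JSSL_SocketData*) arg;
    JNIEnv *env = NULL;
    jobject sockObj = NULL;
    /* … unchanged: remaining local declarations … */

    if (socket == NULL || socket->socketObject == NULL || alert == NULL) {
        return;
    }
    if ((*JSS_javaVM)->AttachCurrentThread(JSS_javaVM, (void**)&env, NULL) != JNI_OK
            || env == NULL) {
        return;
    }

    /* promote the weak global ref; NULL means the SSLSocket was collected */
    sockObj = (*env)->NewLocalRef(env, socket->socketObject);
    if (sockObj == NULL) goto finish;

    socketClass = (*env)->FindClass(env, SSLSOCKET_CLASS);
    if (socketClass == NULL) goto finish;

    eventClass = (*env)->FindClass(env, SSL_ALERT_EVENT_CLASS);
    if (eventClass == NULL) goto finish;

    /* … unchanged: constructor and setter lookups, NewObject and the calls,
     *   each result checked with `if (x == NULL) goto finish;` and sockObj
     *   used in place of socket->socketObject … */

finish:
    /* do not hand control back to NSS with a Java exception pending;
     * report it through the existing JSS error path if one fits */
    if ((*env)->ExceptionCheck(env)) {
        (*env)->ExceptionClear(env);
    }
    (*JSS_javaVM)->DetachCurrentThread(JSS_javaVM);
}
```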
PRBool isServer); + + void ++JSSL_AlertReceivedCallback(const PRFileDesc *fd, void *client_data, const SSLAlert *alert); ++ ++void ++JSSL_AlertSentCallback(const PRFileDesc *fd, void *client_data, const SSLAlert *alert); ++ ++void + JSSL_HandshakeCallback(PRFileDesc *fd, void *arg); + + SECStatus +diff --git a/org/mozilla/jss/util/java_ids.h b/org/mozilla/jss/util/java_ids.h +index 3ceebaa..7ec9ea9 100644 +--- a/org/mozilla/jss/util/java_ids.h ++++ b/org/mozilla/jss/util/java_ids.h +@@ -285,6 +285,11 @@ PR_BEGIN_EXTERN_C + #define SUPPORTS_IPV6_SIG "()Z" + + /* ++ * SSLAlertEvent ++ */ ++#define SSL_ALERT_EVENT_CLASS "org/mozilla/jss/ssl/SSLAlertEvent" ++ ++/* + * SSLCertificateApprovalCallback + */ + #define SSLCERT_APP_CB_APPROVE_NAME "approve" +@@ -300,8 +305,11 @@ PR_BEGIN_EXTERN_C + /* + * SSLSocket + */ ++#define SSLSOCKET_CLASS "org/mozilla/jss/ssl/SSLSocket" ++ + #define SSLSOCKET_HANDSHAKE_NOTIFIER_NAME "notifyAllHandshakeListeners" + #define SSLSOCKET_HANDSHAKE_NOTIFIER_SIG "()V" ++ + #define SSLSOCKET_PROXY_FIELD "sockProxy" + #define SSLSOCKET_PROXY_SIG "Lorg/mozilla/jss/ssl/SocketProxy;" + +-- +2.9.3 + + +From 1a83476dbbd54c87ffcf54fac7fdfa093812997f Mon Sep 17 00:00:00 2001 +From: "Endi S. Edewata" +Date: Tue, 21 Mar 2017 13:21:43 -0700 +Subject: [PATCH 06/11] Added SSLCipher enumeration. The cipher constants in + SSLSocket have been copied and converted into SSLCipher enumeration. The + enumeration provides a mechanism to convert between cipher ID and cipher + constant, also a flag to indicate whether it is an ECC cipher. 
+ +https://bugzilla.mozilla.org/show_bug.cgi?id=1349278 +--- + org/mozilla/jss/ssl/SSLCipher.java | 328 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 328 insertions(+) + create mode 100644 org/mozilla/jss/ssl/SSLCipher.java + +diff --git a/org/mozilla/jss/ssl/SSLCipher.java b/org/mozilla/jss/ssl/SSLCipher.java +new file mode 100644 +index 0000000..30acdd7 +--- /dev/null ++++ b/org/mozilla/jss/ssl/SSLCipher.java +@@ -0,0 +1,328 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++package org.mozilla.jss.ssl; ++ ++/** ++ * SSL cipher. ++ */ ++public enum SSLCipher { ++ ++ /** ++ * ++ * Note the following cipher-suites constants are not all implemented. ++ * You need to call SSLSocket.getImplementedCiphersuites(). ++ * ++ */ ++ ++ SSL2_RC4_128_WITH_MD5 (0xFF01), ++ SSL2_RC4_128_EXPORT40_WITH_MD5 (0xFF02), ++ SSL2_RC2_128_CBC_WITH_MD5 (0xFF03), ++ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 (0xFF04), ++ SSL2_IDEA_128_CBC_WITH_MD5 (0xFF05), ++ SSL2_DES_64_CBC_WITH_MD5 (0xFF06), ++ SSL2_DES_192_EDE3_CBC_WITH_MD5 (0xFF07), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_NULL_MD5. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_NULL_MD5 (0x0001), ++ TLS_RSA_WITH_NULL_MD5 (0x0001), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_NULL_SHA. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_NULL_SHA (0x0002), ++ TLS_RSA_WITH_NULL_SHA (0x0002), ++ ++ SSL3_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_RC4_128_MD5. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_RC4_128_MD5 (0x0004), ++ TLS_RSA_WITH_RC4_128_MD5 (0x0004), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_RC4_128_SHA. 
++ */ ++ @Deprecated ++ SSL3_RSA_WITH_RC4_128_SHA (0x0005), ++ TLS_RSA_WITH_RC4_128_SHA (0x0005), ++ ++ SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_IDEA_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_IDEA_CBC_SHA (0x0007), ++ TLS_RSA_WITH_IDEA_CBC_SHA (0x0007), ++ ++ SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_DES_CBC_SHA (0x0009), ++ TLS_RSA_WITH_DES_CBC_SHA (0x0009), ++ ++ /** ++ * @deprecated Replaced with TLS_RSA_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_RSA_WITH_3DES_EDE_CBC_SHA (0x000a), ++ TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a), ++ ++ SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA (0x000b), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_DSS_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DH_DSS_WITH_DES_CBC_SHA (0x000c), ++ TLS_DH_DSS_WITH_DES_CBC_SHA (0x000c), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d), ++ TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d), ++ ++ SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000e), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_RSA_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DH_RSA_WITH_DES_CBC_SHA (0x000f), ++ TLS_DH_RSA_WITH_DES_CBC_SHA (0x000f), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010), ++ TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010), ++ ++ SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011), ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_DSS_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DHE_DSS_WITH_DES_CBC_SHA (0x0012), ++ TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012), ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA. 
++ */ ++ @Deprecated ++ SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013), ++ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013), ++ ++ SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014), ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_RSA_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DHE_RSA_WITH_DES_CBC_SHA (0x0015), ++ TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015), ++ ++ /** ++ * @deprecated Replaced with TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016), ++ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016), ++ ++ SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5 (0x0017), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_RC4_128_MD5. ++ */ ++ @Deprecated ++ SSL3_DH_ANON_WITH_RC4_128_MD5 (0x0018), ++ TLS_DH_anon_WITH_RC4_128_MD5 (0x0018), ++ ++ SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA (0x0019), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_DES_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DH_ANON_WITH_DES_CBC_SHA (0x001a), ++ TLS_DH_anon_WITH_DES_CBC_SHA (0x001a), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_3DES_EDE_CBC_SHA. ++ */ ++ @Deprecated ++ SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA (0x001b), ++ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b), ++ ++ /** ++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. ++ */ ++ @Deprecated ++ SSL3_FORTEZZA_DMS_WITH_NULL_SHA (0x001c), ++ ++ /** ++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. ++ */ ++ @Deprecated ++ SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA (0x001d), ++ ++ /** ++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported. 
++ */ ++ @Deprecated ++ SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA (0x001e), ++ ++ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff), ++ SSL_RSA_FIPS_WITH_DES_CBC_SHA (0xfefe), ++ ++ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062), ++ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064), ++ ++ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063), ++ TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA (0x0065), ++ TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066), ++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067), ++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006B), ++ ++ // New TLS cipher suites in NSS 3.4 ++ TLS_RSA_WITH_AES_128_CBC_SHA (0x002F), ++ TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030), ++ TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031), ++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032), ++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_AES_128_CBC_SHA. ++ */ ++ @Deprecated ++ TLS_DH_ANON_WITH_AES_128_CBC_SHA (0x0034), ++ TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034), ++ ++ TLS_RSA_WITH_AES_256_CBC_SHA (0x0035), ++ TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036), ++ TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037), ++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038), ++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_AES_256_CBC_SHA. ++ */ ++ @Deprecated ++ TLS_DH_ANON_WITH_AES_256_CBC_SHA (0x003A), ++ TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003A), ++ ++ TLS_RSA_WITH_NULL_SHA256 (0x003B), ++ TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C), ++ TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D), ++ ++ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041), ++ TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042), ++ TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043), ++ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044), ++ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA. 
++ */ ++ @Deprecated ++ TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA (0x0046), ++ TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x0046), ++ ++ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084), ++ TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085), ++ TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086), ++ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087), ++ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088), ++ ++ /** ++ * @deprecated Replaced with TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA. ++ */ ++ @Deprecated ++ TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA (0x0089), ++ TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x0089), ++ ++ TLS_RSA_WITH_SEED_CBC_SHA (0x0096), ++ ++ TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C), ++ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009E), ++ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00A2), ++ ++ TLS_ECDH_ECDSA_WITH_NULL_SHA (0xc001, true), ++ TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002, true), ++ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003, true), ++ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004, true), ++ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005, true), ++ ++ TLS_ECDHE_ECDSA_WITH_NULL_SHA (0xc006, true), ++ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007, true), ++ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008, true), ++ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009, true), ++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a, true), ++ ++ TLS_ECDH_RSA_WITH_NULL_SHA (0xc00b, true), ++ TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c, true), ++ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d, true), ++ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e, true), ++ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f, true), ++ ++ TLS_ECDHE_RSA_WITH_NULL_SHA (0xc010, true), ++ TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011, true), ++ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012, true), ++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013, true), ++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014, true), ++ ++ TLS_ECDH_anon_WITH_NULL_SHA (0xc015, true), ++ TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016, true), ++ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017, true), ++ 
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018, true), ++ TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019, true), ++ ++ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023, true), ++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027, true), ++ ++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02B, true), ++ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02D, true), ++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02F, true), ++ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031, true); ++ ++ private int id; ++ private boolean ecc; ++ ++ private SSLCipher(int id) { ++ this.id = id; ++ } ++ ++ private SSLCipher(int id, boolean ecc) { ++ this.id = id; ++ this.ecc = ecc; ++ } ++ ++ public int getID() { ++ return id; ++ } ++ ++ public boolean isECC() { ++ return ecc; ++ } ++ ++ public static SSLCipher valueOf(int id) { ++ for (SSLCipher cipher : SSLCipher.class.getEnumConstants()) { ++ if (cipher.id == id) return cipher; ++ } ++ return null; ++ } ++} +-- +2.9.3 + + +From 5c09c644caf9849dd1602dc6df56c0691a2d25f8 Mon Sep 17 00:00:00 2001 +From: "Endi S. Edewata" +Date: Wed, 22 Mar 2017 19:17:19 -0700 +Subject: [PATCH 07/11] Replaced Password.readPasswordFromConsole() + implementation. + +The native implementation of Password.readPasswordFromConsole() has +been replaced with platform independent code using System.console() +which does not cause a problem if the program is interrupted while +waiting for password input. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1349349 +--- + org/mozilla/jss/util/Password.java | 24 +++-- + org/mozilla/jss/util/jssutil.c | 212 ------------------------------------- + 2 files changed, 17 insertions(+), 219 deletions(-) + +diff --git a/org/mozilla/jss/util/Password.java b/org/mozilla/jss/util/Password.java +index 9e6a3bb..47bc8a1 100644 +--- a/org/mozilla/jss/util/Password.java ++++ b/org/mozilla/jss/util/Password.java +@@ -5,6 +5,7 @@ + package org.mozilla.jss.util; + + import java.io.CharConversionException; ++import java.io.Console; + + /** + * Stores a password. 
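Review bot: `valueOf(int id)` returns the first constant whose id matches, and because each deprecated `SSL3_*`/`TLS_DH_ANON_*` alias is declared before the constant that replaces it under the same id, a lookup such as `valueOf(0x0001)` yields the deprecated `SSL3_RSA_WITH_NULL_MD5` rather than `TLS_RSA_WITH_NULL_MD5`. It also returns `null` for an unknown id without documenting it, and walks a freshly reflected array on every call. I would build a static id map once (needs `java.util.Map` and `java.util.HashMap`), let the later, current name win, document the `null` return, and make `id` and `ecc` `final`, as sketched below. The enum lists NULL, EXPORT, anonymous, RC4 and DES suites next to current ones and only flags ECC, so the class Javadoc should say that callers building an enabled-cipher list from it still need their own policy filter.

```java
    private static final Map<Integer, SSLCipher> CIPHERS_BY_ID = new HashMap<>();

    static {
        // Deprecated aliases are declared before their replacements, so the
        // later put() leaves the current name as the result for a shared id.
        for (SSLCipher cipher : values()) {
            CIPHERS_BY_ID.put(cipher.id, cipher);
        }
    }

    private final int id;
    private final boolean ecc;

    private SSLCipher(int id) {
        this(id, false);
    }

    // … unchanged: two-argument constructor, getID(), isECC() …

    /**
     * Returns the cipher registered for the given suite id, or null if the
     * id is not listed in this enumeration.
     */
    public static SSLCipher valueOf(int id) {
        return CIPHERS_BY_ID.get(id);
    }
```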
clear should be +@@ -114,7 +115,7 @@ public class Password implements PasswordCallback, Cloneable, + * for example using wipeChars. + */ + public synchronized char[] getCharCopy() { +- return (char[]) password.clone(); ++ return password.clone(); + } + + /** +@@ -125,7 +126,7 @@ public class Password implements PasswordCallback, Cloneable, + * for example using wipeChars. + */ + synchronized byte[] getByteCopy() { +- return charToByte( (char[]) password.clone() ); ++ return charToByte( password.clone() ); + } + + /** +@@ -150,11 +151,11 @@ public class Password implements PasswordCallback, Cloneable, + public synchronized Object clone() { + Password dolly = new Password(); + +- dolly.password = (char[]) password.clone(); ++ dolly.password = password.clone(); + dolly.cleared = cleared; + return dolly; + } +- ++ + + /** + * The finalizer clears the sensitive information before releasing +@@ -230,9 +231,18 @@ public class Password implements PasswordCallback, Cloneable, + * <enter>). + * @return The password the user entered at the command line. + */ +- public synchronized static native Password readPasswordFromConsole() +- throws PasswordCallback.GiveUpException; +- ++ public static Password readPasswordFromConsole() throws PasswordCallback.GiveUpException { ++ ++ Console console = System.console(); ++ char[] password = console.readPassword(); ++ ++ if (password == null || password.length == 0) { ++ throw new PasswordCallback.GiveUpException(); ++ } ++ ++ return new Password(password); ++ } ++ + // The password, stored as a char[] so we can clear it. Passwords + // should never be stored in Strings because Strings can't be cleared. 
+ private char[] password; +diff --git a/org/mozilla/jss/util/jssutil.c b/org/mozilla/jss/util/jssutil.c +index 609eeb3..0d19a84 100644 +--- a/org/mozilla/jss/util/jssutil.c ++++ b/org/mozilla/jss/util/jssutil.c +@@ -462,218 +462,6 @@ JSS_wipeCharArray(char* array) + } + } + +-/*********************************************************************** +- * platform-dependent definitions for getting passwords from console. +- ***********************************************************************/ +- +-#ifdef XP_UNIX +- +-#include +-#include +-#define GETCH getchar +-#define PUTCH putchar +- +-#else +- +-#include +-#define GETCH _getch +-#define PUTCH _putch +- +-#endif +- +-/*********************************************************************** +- * g e t P W F r o m C o n s o l e +- * +- * Does platform-dependent stuff to retrieve a char* from the console. +- * Retrieves up to the first newline character, but does not return +- * the newline. Maximum length is 200 chars. +- * Stars (*) are echoed to the screen. Backspacing works. +- * WARNING: This function is NOT thread-safe!!! This should be OK because +- * the Java method that calls it is synchronized. +- * +- * RETURNS +- * The password in a buffer owned by the caller, or NULL if the +- * user did not enter a password (just hit ). +- */ +-static char* getPWFromConsole() +-{ +- int c; +- char *ret; +- int i; +- char buf[200]; /* no buffer overflow: we bail after 200 chars */ +- int length=200; +-#ifdef XP_UNIX +- int fd = fileno(stdin); +- struct termios save_tio; +- struct termios tio; +-#endif +- +- +- /* +- * In Win32, the default is for _getch to not echo and to not be buffered. +- * In UNIX, we have to set this explicitly. 
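Review bot: `System.console()` returns `null` when the JVM has no interactive console (input redirected, or started as a service), so `console.readPassword()` in the new `readPasswordFromConsole()` throws `NullPointerException` where the removed native code returned NULL for a non-tty and ended in `GiveUpException`. Add `if (console == null) { throw new PasswordCallback.GiveUpException(); }` before the read so callers keep seeing the documented exception. Whether `new Password(password)` copies the array is not visible in this hunk; if it does, the local `password` array should be wiped after construction so the cleartext does not linger on the heap.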
+- */ +-#ifdef XP_UNIX +- if ( isatty(fd) ) { +- tcgetattr(fd, &save_tio); +- tio = save_tio; +- tio.c_lflag &= ~(ECHO|ICANON); /* no echo, non-canonical mode */ +- tio.c_cc[VMIN] = 1; /* 1 char at a time */ +- tio.c_cc[VTIME] = 0; /* wait forever */ +- tcsetattr(fd, TCSAFLUSH, &tio); +- } else { +- /* no reading from a file allowed. Windows enforces this automatically*/ +- return NULL; +- } +-#endif +- +- /* +- * Retrieve up to length characters, or the first newline character. +- */ +- for(i=0; i < length-1; i++) { +- PR_ASSERT(i >= 0); +- c = GETCH(); +- if( c == '\b' ) { +- /* +- * backspace. Back up the buffer and the cursor. +- */ +- if( i==0 ) { +- /* backspace is first char, do nothing */ +- i--; +- } else { +- /* backspace is not first char, backup one */ +- i -= 2; +- PUTCH('\b'); PUTCH(' '); PUTCH('\b'); +- } +- } else if( c == '\r' || c == '\n' ) { +- /* newline, we're done */ +- break; +- } else { +- /* normal password char. Echo an asterisk. */ +- buf[i] = c; +- PUTCH('*'); +- } +- } +- buf[i] = '\0'; +- PUTCH('\n'); +- +- /* +- * Restore the saved terminal settings. 
+- */ +-#ifdef XP_UNIX +- tcsetattr(fd, TCSAFLUSH, &save_tio); +-#endif +- +- /* If password is empty, return NULL to signal the user giving up */ +- if(buf[0] == '\0') { +- ret = NULL; +- } else { +- ret = PL_strdup(buf); +- } +- +- /* Clear the input buffer */ +- memset(buf, 0, length); +- +- return ret; +-} +- +- +-/*********************************************************************** +- * Class: org_mozilla_jss_util_Password +- * Method: readPasswordFromConsole +- * Signature: ()Lorg/mozilla/jss/util/Password; +- */ +-JNIEXPORT jobject JNICALL Java_org_mozilla_jss_util_Password_readPasswordFromConsole +- (JNIEnv *env, jclass clazz) +-{ +- char *pw=NULL; +- int pwlen; +- jclass pwClass; +- jmethodID pwConstructor; +- jcharArray pwCharArray=NULL; +- jchar *pwChars=NULL; +- jobject password=NULL; +- jboolean pwIsCopy; +- int i; +- +- /*************************************************** +- * Get JNI IDs +- ***************************************************/ +- pwClass = (*env)->FindClass(env, PASSWORD_CLASS_NAME); +- if(pwClass == NULL) { +- ASSERT_OUTOFMEM(env); +- goto finish; +- } +- pwConstructor = (*env)->GetMethodID(env, +- pwClass, +- PLAIN_CONSTRUCTOR, +- PASSWORD_CONSTRUCTOR_SIG); +- if(pwConstructor == NULL) { +- ASSERT_OUTOFMEM(env); +- goto finish; +- } +- +- /*************************************************** +- * Get the password from the console +- ***************************************************/ +- pw = getPWFromConsole(); +- +- if(pw == NULL) { +- JSS_throw(env, GIVE_UP_EXCEPTION); +- goto finish; +- } +- pwlen = strlen(pw); +- PR_ASSERT(pwlen > 0); +- +- /*************************************************** +- * Put the password into a char array +- ***************************************************/ +- pwCharArray = (*env)->NewCharArray(env, pwlen); +- if(pwCharArray == NULL) { +- ASSERT_OUTOFMEM(env); +- goto finish; +- } +- pwChars = (*env)->GetCharArrayElements(env, pwCharArray, &pwIsCopy); +- if(pwChars == NULL) { +- 
ASSERT_OUTOFMEM(env); +- goto finish; +- } +- for(i=0; i < pwlen; i++) { +- /* YUK! Only works for ASCII. */ +- pwChars[i] = pw[i]; +- } +- +- if( pwIsCopy ) { +- /* copy back the changes */ +- (*env)->ReleaseCharArrayElements(env, pwCharArray, pwChars, JNI_COMMIT); +- /* clear the copy */ +- memset(pwChars, 0, pwlen); +- /* release the copy */ +- (*env)->ReleaseCharArrayElements(env, pwCharArray, pwChars, JNI_ABORT); +- } else { +- /* pwChars is not a copy, so this should be a no-op, but we include +- * it anyway */ +- (*env)->ReleaseCharArrayElements(env, pwCharArray, pwChars, 0); +- } +- pwChars = NULL; +- +- /*************************************************** +- * Construct a new Password from the char array +- ***************************************************/ +- password = (*env)->NewObject(env, pwClass, pwConstructor, pwCharArray); +- if(password == NULL) { +- ASSERT_OUTOFMEM(env); +- goto finish; +- } +- +-finish: +- if(pw != NULL) { +- memset(pw, 0, strlen(pw)); +- PR_Free(pw); +- } +- return password; +-} +- + #ifdef DEBUG + static int debugLevel = JSS_TRACE_VERBOSE; + #else +-- +2.9.3 + + +From bee3bc6cfef28f39b8abb1fd7e8505e5a9880716 Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Thu, 23 Mar 2017 10:48:29 -0700 +Subject: [PATCH 08/11] Bug 1349831 - Revise top-level README file, r=emaldona + +--- + README | 134 +++++++++++++++++++++++++++++++++++++++++++++++++++++------------ + 1 file changed, 110 insertions(+), 24 deletions(-) + +diff --git a/README b/README +index 4ceb0fd..cfc0244 100644 +--- a/README ++++ b/README +@@ -4,8 +4,8 @@ + + (1) Prepare a work area + +- (a) For upstream builds which checkout and utilize the current NSPR and NSS +- source repositories: ++ (a) For upstream builds which checkout and utilize ++ the current NSPR and NSS source repositories: + + # mkdir sandbox + # cd sandbox +@@ -20,13 +20,20 @@ + cd jss; hg pull -u -v; cd .. 
+ ) + +- (b) Alternatively, for upstream builds which use the NSPR and NSS installed +- on the system: ++ (b) Alternatively, for upstream builds which use ++ the NSPR and NSS installed on the system: + + # mkdir sandbox + # cd sandbox + # export USE_INSTALLED_NSPR=1 + # export USE_INSTALLED_NSS=1 ++ # export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 ++ # export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 ++ # export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` ++ # export NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'` ++ # export NSS_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss | sed 's/-I//'` ++ # export NSS_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nss | sed 's/-L//'` ++ # export XCFLAGS="-g" + # hg clone https://hg.mozilla.org/projects/jss + # cd .. + +@@ -41,9 +48,32 @@ + # export JAVA_HOME=/etc/alternatives/java_sdk_1.8.0_openjdk + # export USE_64=1 + +- NOTE: JSS will now attempt to verify whether or not these two environment +- variables have been set (JAVA_HOME is mandatory; USE_64 is mandatory +- on 64-bit platforms when building 64-bit). ++ NOTE: JSS will now attempt to verify whether or not these two ++ environment variables have been set (JAVA_HOME is mandatory; ++ USE_64 is mandatory on 64-bit platforms when building 64-bit). ++ ++ The following steps are optional, and left to the discretion of the user: ++ ++ Debug vs. Optimized jar files: ++ ++ By default, JSS will be built as a debuggable jar ++ (xpclass_dbg.jar - generally recommended for test builds); ++ to create an optimized jar (xpclass.jar), set the following ++ environment variable: ++ ++ # export BUILD_OPT=1 ++ ++ Beta vs. 
Non-Beta builds: ++ ++ Finally, by default, JSS is not built as a "beta" release (as ++ specified in 'org/mozilla/jss/util/jssver.h'): ++ ++ #define JSS_BETA PR_FALSE ++ ++ If a "beta" version of JSS is desired, reset this #define (as ++ specified in 'org/mozilla/jss/util/jssver.h') to: ++ ++ #define JSS_BETA PR_TRUE + + + (3) Build JSS +@@ -52,30 +82,88 @@ + # make clean all + # cd ../.. + +- (or you can run "# script -c 'make clean all' typescript.build') ++ (or you can run "# script -c 'make clean all' typescript.build") + + NOTE: When build method (1)(a) is being utilized, if nss has not been + built, it will now automatically be built before jss; if nss has + already been built, only jss will be built/re-built. + + +-(4) Run JSS Tests ++(4) Install JSS on the System (Optional) + +- # cd sandbox/jss +- # make test_jss +- # cd ../.. ++ If JSS already exists on the system, run something similar to the ++ following command(s): ++ ++ # sudo mv /usr/lib/java/jss4.jar /usr/lib/java/jss4.jar.orig ++ ++ If the platform is 32-bit Linux: ++ ++ # sudo mv /usr/lib/jss/libjss4.so /usr/lib/jss/libjss4.so.orig ++ ++ else if the platform is 64-bit Linux: ++ ++ # sudo mv /usr/lib64/jss/libjss4.so /usr/lib64/jss/libjss4.so.orig ++ ++ If BUILD_OPT is undefined (default Debuggable Jar): ++ ++ # sudo cp sandbox/dist/xpclass_dbg.jar /usr/lib/java/jss4.jar ++ ++ else if BUILD_OPT is defined (Optimized Jar): + +- (or you can run "# script -c 'make test_jss' typescript.tests) ++ # sudo cp sandbox/dist/xpclass.jar /usr/lib/java/jss4.jar ++ ++ # sudo chown root:root /usr/lib/java/jss4.jar ++ # sudo chmod 644 /usr/lib/java/jss4.jar ++ ++ # sudo cp sandbox/jss/lib/Linux*.OBJ/libjss4.so /usr/lib64/jss/libjss4.so ++ # sudo chown root:root /usr/lib64/jss/libjss4.so ++ # sudo chmod 755 /usr/lib64/jss/libjss4.so ++ ++ ++(5) Run JSS Tests (Optional, but only if build method (1)(a) was utilized) ++ ++ If build method (1)(a) is being utilized, it is possible to run the ++ built-in JSS tests: ++ ++ 
# cd sandbox/jss ++ # make test_jss ++ # cd ../.. ++ ++ (or you can run "# script -c 'make test_jss' typescript.tests") + + NOTE: This command is currently only available on Linux and Macintosh +- platforms; currenty JSS must be built via 'make clean all' before ++ platforms when method (1)(a) has been utilized to build JSS ++ since the tests are dependent upon the work area as setup in ++ this method; currenty JSS must be built via 'make clean all' before + execution of this command (e.g. - build is separate from test). + + +-(5) Known Issues ++(6) Restoration of non-Test-Only Systems (Optional) ++ ++ If step (4) above was run, and the system is being used for purposes ++ other than test, the user may wish to restore the original system JSS ++ by running the following commands: ++ ++ # sudo mv /usr/lib/java/jss4.jar.orig /usr/lib/java/jss4.jar ++ ++ If the platform is 32-bit Linux: ++ ++ # sudo mv /usr/lib/jss/libjss4.so.orig /usr/lib/jss/libjss4.so ++ ++ else if the platform is 64-bit Linux: ++ ++ # sudo mv /usr/lib64/jss/libjss4.so.orig /usr/lib64/jss/libjss4.so ++ ++ NOTE: For this procedure, no ownership or permission changes should ++ be necessary. ++ ++ ++(7) Known Issues + + * Mozilla Bug #1346410 - Load JSS libraries appropriately + ++ NOTE: This issue should not occur unless step (4) above was skipped. ++ + Testing failures were found while working on Bug 1346410 when loading the + JSS libraries to meet requirements of certain operating systems. Our + investigation revealed that due to the nature of the changes made via this +@@ -83,16 +171,14 @@ + that a failure may be encountered on one or more of the HMAC algorithms + causing these two tests to fail. 
On 64-bit Linux, for example, the + workaround for this issue is to perform the following steps before +- re-running the tests: ++ re-running the tests: ++ ++ (a) Install the new JSS builds by executing step (4) above ++ ++ (b) Execute the following commands: + +- # sudo mv /usr/lib64/jss/libjss4.so /usr/lib64/jss/libjss4.so.orig +- # sudo cp -p +- sandbox/dist/Linux3.10_x86_64_cc_glibc_PTH_64_DBG.OBJ/lib/libjss4.so +- /usr/lib64/jss/libjss4.so +- # sudo chown root:root /usr/lib64/jss/libjss4.so +- # sudo chmod 755 /usr/lib64/jss/libjss4.so +- # cd sandbox/jss; make test_jss ++ # cd sandbox/jss; make test_jss + + NOTE: If the system is being used for purposes other than test, the user +- may wish to restore 'libjss4.so.orig' back to 'libjss4.so'. ++ may wish to restore the original JSS by executing step (6) above. + +-- +2.9.3 + + +From 382d6611ee2208c0bbe03afac33b96bf7a34047a Mon Sep 17 00:00:00 2001 +From: Matthew Harmsen +Date: Thu, 23 Mar 2017 10:52:15 -0700 +Subject: [PATCH 09/11] Bug 1349836 - Changes to JSS Version Block, r=emaldona + +--- + lib/manifest.mn | 4 ++-- + manifest.mn | 8 ++------ + org/mozilla/jss/CryptoManager.c | 4 ++-- + org/mozilla/jss/CryptoManager.java | 4 ++-- + org/mozilla/jss/JSSProvider.java | 4 ++-- + org/mozilla/jss/util/jssver.h | 5 ++--- + 6 files changed, 12 insertions(+), 17 deletions(-) + +diff --git a/lib/manifest.mn b/lib/manifest.mn +index d37cb68..6f03301 100644 +--- a/lib/manifest.mn ++++ b/lib/manifest.mn +@@ -7,11 +7,11 @@ + #/* The VERSION Strings should be updated in the following */ + #/* files everytime a new release of JSS is generated: */ + #/* */ ++#/* lib/manifest.mn */ ++#/* org/mozilla/jss/CryptoManager.c */ + #/* org/mozilla/jss/CryptoManager.java */ + #/* org/mozilla/jss/JSSProvider.java */ + #/* org/mozilla/jss/util/jssver.h */ +-#/* lib/manifest.mn */ +-#/* jss/manifest.mn */ + #/* */ + #/********************************************************************/ + +diff --git a/manifest.mn b/manifest.mn +index 
9338108..07cabce 100644 +--- a/manifest.mn ++++ b/manifest.mn +@@ -12,18 +12,14 @@ MODULE = jss + #/* The VERSION Strings should be updated in the following */ + #/* files everytime a new release of JSS is generated: */ + #/* */ ++#/* lib/manifest.mn */ ++#/* org/mozilla/jss/CryptoManager.c */ + #/* org/mozilla/jss/CryptoManager.java */ + #/* org/mozilla/jss/JSSProvider.java */ + #/* org/mozilla/jss/util/jssver.h */ +-#/* lib/manifest.mn */ +-#/* mozilla/security/jss/manifest.mn */ + #/* */ + #/********************************************************************/ + +-IMPORTS = nss/NSS_3_12_RTM \ +- nspr20/v4.7 \ +- $(NULL) +- + DIRS = coreconf \ + org \ + lib \ +diff --git a/org/mozilla/jss/CryptoManager.c b/org/mozilla/jss/CryptoManager.c +index 3eb9ae7..56e66b2 100644 +--- a/org/mozilla/jss/CryptoManager.c ++++ b/org/mozilla/jss/CryptoManager.c +@@ -49,11 +49,11 @@ const char * jss_sccsid() { + /* The VERSION Strings should be updated in the following */ + /* files everytime a new release of JSS is generated: */ + /* */ ++/* lib/manifest.mn */ ++/* org/mozilla/jss/CryptoManager.c */ + /* org/mozilla/jss/CryptoManager.java */ + /* org/mozilla/jss/JSSProvider.java */ + /* org/mozilla/jss/util/jssver.h */ +-/* lib/manifest.mn */ +-/* mozilla/security/jss/manifest.mn */ + /* */ + /********************************************************************/ + +diff --git a/org/mozilla/jss/CryptoManager.java b/org/mozilla/jss/CryptoManager.java +index 9cc50d9..9e5503d 100644 +--- a/org/mozilla/jss/CryptoManager.java ++++ b/org/mozilla/jss/CryptoManager.java +@@ -1449,11 +1449,11 @@ public final class CryptoManager implements TokenSupplier + /* The VERSION Strings should be updated in the following */ + /* files everytime a new release of JSS is generated: */ + /* */ ++ /* lib/manifest.mn */ ++ /* org/mozilla/jss/CryptoManager.c */ + /* org/mozilla/jss/CryptoManager.java */ + /* org/mozilla/jss/JSSProvider.java */ + /* org/mozilla/jss/util/jssver.h */ +- /* lib/manifest.mn */ 
+- /* jss/manifest.mn */ + /* */ + /********************************************************************/ + +diff --git a/org/mozilla/jss/JSSProvider.java b/org/mozilla/jss/JSSProvider.java +index 687e88b..a8205ab 100644 +--- a/org/mozilla/jss/JSSProvider.java ++++ b/org/mozilla/jss/JSSProvider.java +@@ -9,11 +9,11 @@ public final class JSSProvider extends java.security.Provider { + /* The VERSION Strings should be updated in the following */ + /* files everytime a new release of JSS is generated: */ + /* */ ++ /* lib/manifest.mn */ ++ /* org/mozilla/jss/CryptoManager.c */ + /* org/mozilla/jss/CryptoManager.java */ + /* org/mozilla/jss/JSSProvider.java */ + /* org/mozilla/jss/util/jssver.h */ +- /* lib/manifest.mn */ +- /* jss/manifest.mn */ + /* */ + /********************************************************************/ + /* QUESTION: When do we change MINOR and PATCH to 4 and 0? */ +diff --git a/org/mozilla/jss/util/jssver.h b/org/mozilla/jss/util/jssver.h +index bd8a492..df67620 100644 +--- a/org/mozilla/jss/util/jssver.h ++++ b/org/mozilla/jss/util/jssver.h +@@ -17,12 +17,11 @@ + /* The VERSION Strings should be updated in the following */ + /* files everytime a new release of JSS is generated: */ + /* */ +-/* org/mozilla/jss/CryptoManager.java */ ++/* lib/manifest.mn */ + /* org/mozilla/jss/CryptoManager.c */ ++/* org/mozilla/jss/CryptoManager.java */ + /* org/mozilla/jss/JSSProvider.java */ + /* org/mozilla/jss/util/jssver.h */ +-/* lib/manifest.mn */ +-/* jss/manifest.mn */ + /* */ + /********************************************************************/ + +-- +2.9.3 + + +From 434c9d5253d6f1e32c4f29cf66cb43d8ca7bf569 Mon Sep 17 00:00:00 2001 +From: Christina Fu +Date: Sat, 25 Mar 2017 12:08:51 -0400 +Subject: [PATCH 10/11] Bug 1337092 CMC conformance update: Implement required + ASN.1 code for RFC5272+, r=jmagne + +From: Christina Fu +Date: Thu, 16 Mar 2017 09:54:01 -0700 +Subject: [PATCH] bugzilla.mozilla#1337092 cmc RFC5272 ASN.1 +This patch provides the 
required ASN.1 code for updating cmc to RFC5272, +as well as adding some needed missing controls from earlier rfc 2797. +The major cmc control structures added are: IdentityProofV2, EncryptedPOP, +DecryptedPOP, PopLinkWitnessV2, CMCStatusInfoV2 and their underelying +support structures. +--- + org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java | 21 ++ + org/mozilla/jss/crypto/HMACAlgorithm.java | 2 +- + org/mozilla/jss/pkix/cmc/BodyPartReference.java | 198 +++++++++++++++ + org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java | 270 ++++++++++++++++++++ + org/mozilla/jss/pkix/cmc/DecryptedPOP.java | 165 ++++++++++++ + org/mozilla/jss/pkix/cmc/EncryptedPOP.java | 185 ++++++++++++++ + org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java | 145 +++++++++++ + org/mozilla/jss/pkix/cmc/IdentityProofV2.java | 163 ++++++++++++ + org/mozilla/jss/pkix/cmc/OtherInfo.java | 150 ++++++++--- + org/mozilla/jss/pkix/cmc/OtherReqMsg.java | 167 ++++++++++++ + org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java | 163 ++++++++++++ + org/mozilla/jss/pkix/cmc/RevokeRequest.java | 323 ++++++++++++++++++++++++ + org/mozilla/jss/pkix/cmc/TaggedRequest.java | 78 +++++- + org/mozilla/jss/pkix/cmmf/RevRequest.java | 3 + + org/mozilla/jss/pkix/crmf/CertRequest.java | 7 + + 15 files changed, 1995 insertions(+), 45 deletions(-) + create mode 100644 org/mozilla/jss/pkix/cmc/BodyPartReference.java + create mode 100644 org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java + create mode 100644 org/mozilla/jss/pkix/cmc/DecryptedPOP.java + create mode 100644 org/mozilla/jss/pkix/cmc/EncryptedPOP.java + create mode 100644 org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java + create mode 100644 org/mozilla/jss/pkix/cmc/IdentityProofV2.java + create mode 100644 org/mozilla/jss/pkix/cmc/OtherReqMsg.java + create mode 100644 org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java + create mode 100644 org/mozilla/jss/pkix/cmc/RevokeRequest.java + +diff --git a/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java b/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java +index 
399b555..d55dcfc 100644 +--- a/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java ++++ b/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java +@@ -140,6 +140,27 @@ public class OBJECT_IDENTIFIER implements ASN1Value { + id_cmc_idPOPLinkWitness = id_cmc.subBranch(23); + public static final OBJECT_IDENTIFIER + id_cmc_idConfirmCertAcceptance = id_cmc.subBranch(24); ++ // rfc 5272 ++ public static final OBJECT_IDENTIFIER ++ id_cmc_statusInfoV2 = id_cmc.subBranch(25); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_trustedAnchors = id_cmc.subBranch(26); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_authData = id_cmc.subBranch(27); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_batchRequests = id_cmc.subBranch(28); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_batchResponses = id_cmc.subBranch(29); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_publishCert = id_cmc.subBranch(30); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_modCertTemplate = id_cmc.subBranch(31); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_controlProcessed = id_cmc.subBranch(32); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_popLinkWitnessV2 = id_cmc.subBranch(33); ++ public static final OBJECT_IDENTIFIER ++ id_cmc_identityProofV2 = id_cmc.subBranch(34); + + public static final OBJECT_IDENTIFIER + id_cct = PKIX.subBranch( 12 ); +diff --git a/org/mozilla/jss/crypto/HMACAlgorithm.java b/org/mozilla/jss/crypto/HMACAlgorithm.java +index aec57c8..24ed2ea 100644 +--- a/org/mozilla/jss/crypto/HMACAlgorithm.java ++++ b/org/mozilla/jss/crypto/HMACAlgorithm.java +@@ -34,7 +34,7 @@ public class HMACAlgorithm extends DigestAlgorithm { + * @exception NoSuchAlgorithmException If no registered HMAC algorithm + * has the given OID. 
+ */ +- public static DigestAlgorithm fromOID(OBJECT_IDENTIFIER oid) ++ public static HMACAlgorithm fromOID(OBJECT_IDENTIFIER oid) + throws NoSuchAlgorithmException + { + Object alg = oidMap.get(oid); +diff --git a/org/mozilla/jss/pkix/cmc/BodyPartReference.java b/org/mozilla/jss/pkix/cmc/BodyPartReference.java +new file mode 100644 +index 0000000..e7358dc +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/BodyPartReference.java +@@ -0,0 +1,198 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 2004 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. 
If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.util.Assert; ++import org.mozilla.jss.asn1.*; ++import java.io.IOException; ++import java.io.InputStream; ++import java.io.OutputStream; ++import java.util.BitSet; ++ ++/** ++ * CMC BodyPartReference: ++ *
          ++ *      BodyPartReference::= CHOICE { 
          ++ *          bodyPartID       BodyPartID
          ++ *          bodyPartPath     SEQUENCE SIZE (1..MAX) OF BodyPartID, 
          ++ *     } 
          ++ *
          ++ * @author Christina Fu (cfu)
          ++ * 
          ++ */ ++public class BodyPartReference implements ASN1Value { ++ public static final INTEGER BODYIDMAX = new INTEGER("4294967295"); ++ ++ /** ++ * The type of BodyPartReference. ++ */ ++ public static class Type { ++ private Type() { } ++ ++ static Type BodyPartID = new Type(); ++ static Type BodyPartPath = new Type(); ++ } ++ public static Type BodyPartID = Type.BodyPartID; ++ public static Type BodyPartPath = Type.BodyPartPath; ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Members ++ /////////////////////////////////////////////////////////////////////// ++ private Type type; ++ private INTEGER bodyPartID; ++ private SEQUENCE bodyPartPath; ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Constructors ++ /////////////////////////////////////////////////////////////////////// ++ ++ private BodyPartReference() { } ++ ++ /** ++ * @param type The type of the BodyPartReference ++ * @param bodyPartID A BodyPartID. ++ * @param bodyPartPath The sequence of bodyPartIDs. ++ */ ++ public BodyPartReference(Type type, ++ INTEGER bodyPartID, ++ SEQUENCE bodyPartPath) { ++ this.bodyPartID = bodyPartID; ++ this.bodyPartPath = bodyPartPath; ++ } ++ ++ /** ++ * Adds a BodyPartID to the bodyPartPath SEQUENCE. ++ */ ++ public void addBodyPartId(int id) { ++ INTEGER id1 = new INTEGER(id); ++ Assert._assert(id1.compareTo(BODYIDMAX) <= 0); ++ bodyPartPath.addElement( id1 ); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // member access ++ /////////////////////////////////////////////////////////////////////// ++ ++ /** ++ * Returns the type of BodyPartReference:
            ++ *
          • BodyPartID ++ *
          • BodyPartPath ++ *
          ++ */ ++ public Type getType() { ++ return type; ++ } ++ ++ public INTEGER getBodyPartID() { ++ return bodyPartID; ++ } ++ ++ public SEQUENCE getBodyPartPath() { ++ return bodyPartPath; ++ } ++ /////////////////////////////////////////////////////////////////////// ++ // decoding/encoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ public Tag getTag() { ++ //return the subType's tag ++ if (type == BodyPartID ) { ++ return INTEGER.TAG; ++ } else { ++ Assert._assert( type == BodyPartPath); ++ return SEQUENCE.TAG; ++ } ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ if (type == BodyPartID ) { ++ bodyPartID.encode(ostream); ++ } else { ++ Assert._assert( type == BodyPartPath); ++ bodyPartPath.encode(ostream); ++ } ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException ++ { ++ encode(ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ ++ /** ++ * A Template for decoding a BodyPartReference. 
++ */ ++ public static class Template implements ASN1Template { ++ ++ private CHOICE.Template choicet; ++ ++ public Template() { ++ choicet = new CHOICE.Template(); ++ choicet.addElement( INTEGER.getTemplate() ); ++ choicet.addElement( new SEQUENCE.OF_Template(INTEGER.getTemplate()) ); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return choicet.tagMatch(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ CHOICE c = (CHOICE) choicet.decode(istream); ++ ++ if( c.getTag().equals(INTEGER.TAG) ) { ++ return new BodyPartReference(BodyPartID, (INTEGER) c.getValue() , null); ++ } else { ++ Assert._assert( c.getTag().equals(SEQUENCE.TAG) ); ++ return new BodyPartReference(BodyPartPath, null, (SEQUENCE) c.getValue()); ++ } ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ //A CHOICE cannot be implicitly tagged ++ return decode(istream); ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java b/org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java +new file mode 100644 +index 0000000..9b6aeb9 +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java +@@ -0,0 +1,270 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. 
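Review bot: The public constructor `BodyPartReference(Type type, INTEGER bodyPartID, SEQUENCE bodyPartPath)` never stores its `type` argument, so the `type` field stays null on every instance, including those returned by `Template.decode`. With `type` null, `getTag()` and `encode()` always take the `BodyPartPath` branch, where `bodyPartPath` is null for a value decoded as a bodyPartID. Re-encoding such a value would therefore fail (a NullPointerException, or an assertion failure if `Assert._assert` is active) instead of emitting the INTEGER. Add `this.type = type;` as the first statement of the constructor, and consider rejecting a null field for the selected type with an `IllegalArgumentException`, as the DecryptedPOP constructor does for its arguments. `addBodyPartId(int)` also dereferences `bodyPartPath` without a null check, and its `BODYIDMAX` assertion cannot fail for an `int` argument, while a negative id appears to pass it.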
++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.util.Assert; ++import org.mozilla.jss.asn1.*; ++import java.io.IOException; ++import java.io.InputStream; ++import java.io.OutputStream; ++import java.util.BitSet; ++ ++/** ++ * CMCStatusInfoV2 replaces CMCStatusInfo in rfc 5272 ++ * CMC CMCStatusInfoV2: ++ *
          ++ *     CMCStatusInfoV2 ::= SEQUENCE { 
          ++ *          cMCStatus           CMCStatus, 
          ++ *          bodyList            SEQUENCE SIZE (1..MAX)
          ++ *                                       BodyPartReference,
          ++ *          statusString        UTF8String OPTIONAL, 
          ++ *          otherInfo           CHOICE {  // defined in updated OtherInfo
          ++ *            failInfo            CMCFailInfo, 
          ++ *            pendInfo            PendInfo,
          ++ *            extendedFailInfo       SEQUENCE {
          ++ *              failInfoOID            OBJECT IDENTIFIER,
          ++ *              failInfoValue          AttributeValue
          ++ *            } OPTIONAL 
          ++ *         }
          ++ *     } 
          ++ *     PendInfo ::= SEQUENCE { 
          ++ *          pendToken           OCTET STRING, 
          ++ *          pendTime            GeneralizedTime 
          ++ *     }
          ++ *
          ++ * @author Christina Fu (cfu)
          ++ * 
          ++ */ ++public class CMCStatusInfoV2 implements ASN1Value { ++ public static final INTEGER BODYIDMAX = new INTEGER("4294967295"); ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Members ++ /////////////////////////////////////////////////////////////////////// ++ private INTEGER status; ++ private SEQUENCE bodyList; ++ private UTF8String statusString; ++ private OtherInfo otherInfo; ++ ++ // CMCStatus constants ++ public static final int SUCCESS = 0; ++ public static final int RESERVED = 1; ++ public static final int FAILED = 2; ++ public static final int PENDING = 3; ++ public static final int NOSUPPORT = 4; ++ public static final int CONFIRM_REQUIRED = 5; ++ public static final int POP_REQUIRED = 6; ++ public static final int PARTIAL = 7; ++ ++ public static final String[] STATUS = {"success", ++ "reserved", ++ "failed", ++ "pending", ++ "not supported", ++ "confirm required", ++ "pop required", ++ "partial"}; ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Constructors ++ /////////////////////////////////////////////////////////////////////// ++ ++ private CMCStatusInfoV2() { } ++ ++ /** ++ * @param status A CMCStatus constant. ++ * @param bodyList The sequence of BodyPartReference. ++ */ ++ public CMCStatusInfoV2(int status, SEQUENCE bodyList) { ++ this.status = new INTEGER(status); ++ this.bodyList = bodyList; ++ this.statusString = null; ++ this.otherInfo = null; ++ } ++ ++ /** ++ * @param status A CMCStatus constant. ++ * @param bodyList The sequence of BodyPartReference. ++ * @param statusString A String. ++ * @param otherInfo The OtherInfo choice. 
++ */ ++ public CMCStatusInfoV2(int status, SEQUENCE bodyList, String ++ statusString, OtherInfo otherInfo) { ++ this.status = new INTEGER(status); ++ this.bodyList = bodyList; ++ if (statusString != null){ ++ try { ++ this.statusString = new UTF8String(statusString); ++ } catch (Exception e){} ++ } else ++ this.statusString = null; ++ this.otherInfo = otherInfo; ++ } ++ ++ /** ++ * Create a CMCStatusInfoV2 from decoding. ++ * @param status A CMCStatus constant. ++ * @param bodyList The sequence of BodyPartReference. ++ * @param statusString A UTF8String. ++ * @param otherInfo A CHOICE. ++ */ ++ public CMCStatusInfoV2(INTEGER status, SEQUENCE bodyList, UTF8String ++ statusString, OtherInfo otherInfo) { ++ this.status = status; ++ this.bodyList = bodyList; ++ this.statusString = statusString; ++ this.otherInfo = otherInfo; ++ } ++ ++ /** ++ * Sets the statusString field. May be null, since this ++ * field is optional. ++ */ ++ public void setStatusString(String statusString) { ++ if (statusString != null){ ++ try { ++ this.statusString = new UTF8String(statusString); ++ } catch (Exception e){} ++ } else{ ++ this.statusString = null; ++ } ++ } ++ ++ /** ++ * Adds a BodyPartID to the bodyList SEQUENCE. 
++ */ ++ public void addBodyPartID(int id) { ++ INTEGER id1 = new INTEGER(id); ++ Assert._assert(id1.compareTo(BODYIDMAX) <= 0); ++ bodyList.addElement( id1 ); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // member access ++ /////////////////////////////////////////////////////////////////////// ++ public int getStatus() { ++ return status.intValue(); ++ } ++ ++ public SEQUENCE getBodyList() { ++ return bodyList; ++ } ++ ++ public String getStatusString() { ++ if (statusString != null) ++ return statusString.toString(); ++ return null; ++ } ++ ++ public OtherInfo getOtherInfo() { ++ return otherInfo; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // decoding/encoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ public static final Tag TAG = SEQUENCE.TAG; ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ encode(TAG, ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException ++ { ++ SEQUENCE seq = new SEQUENCE(); ++ ++ seq.addElement(status); ++ seq.addElement(bodyList); ++ if( statusString != null ) { ++ seq.addElement( statusString ); ++ } ++ ++ if ( otherInfo != null) { ++ seq.addElement( otherInfo ); ++ } ++ ++ seq.encode(implicitTag, ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ ++ public static class Template implements ASN1Template { ++ ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ seqt.addElement( INTEGER.getTemplate() ); ++ seqt.addElement( new SEQUENCE.OF_Template(INTEGER.getTemplate()) ); ++ seqt.addOptionalElement( UTF8String.getTemplate()); ++ ++ seqt.addOptionalElement( OtherInfo.getTemplate() ); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return 
TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ ++ CMCStatusInfoV2 psi; ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new CMCStatusInfoV2((INTEGER)seq.elementAt(0), ++ (SEQUENCE)seq.elementAt(1), ++ (UTF8String)seq.elementAt(2), ++ (OtherInfo)seq.elementAt(3)); ++ } ++ } ++} ++ +diff --git a/org/mozilla/jss/pkix/cmc/DecryptedPOP.java b/org/mozilla/jss/pkix/cmc/DecryptedPOP.java +new file mode 100644 +index 0000000..14013aa +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/DecryptedPOP.java +@@ -0,0 +1,165 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. 
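Review bot: `Template()` registers `new SEQUENCE.OF_Template(INTEGER.getTemplate())` for bodyList, but the class Javadoc and both constructor comments describe bodyList as a sequence of BodyPartReference. A status whose bodyList carries a bodyPartPath entry would therefore presumably be rejected at decode; the element template should be `BodyPartReference.getTemplate()`. Separately, the `String` constructor and `setStatusString` both use `catch (Exception e){}`, which silently drops the status text when the conversion fails. Rethrowing as `IllegalArgumentException` with the cause attached would stop a failure reason from vanishing unnoticed. In `decode(Tag, InputStream)` the local `CMCStatusInfoV2 psi;` is unused and can be removed.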
++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import org.mozilla.jss.pkix.primitive.*; ++import java.io.*; ++ ++/** ++ * CMC DecryptedPOP: ++ *
          ++ *     DecryptedPOP ::= SEQUENCE {
          ++ *         bodyPartID      BodyPartID,
          ++ *         thePOPAlgID     AlgorithmIdentifier,
          ++ *         thePOP         OCTET STRING
          ++ *     }
          ++ * 
          ++ * ++ * @author Christina Fu (cfu) ++ */ ++public class DecryptedPOP implements ASN1Value { ++ ++ /////////////////////////////////////////////////////////////////////// ++ // members and member access ++ /////////////////////////////////////////////////////////////////////// ++ private INTEGER bodyPartID; ++ private AlgorithmIdentifier thePOPAlgID; ++ private OCTET_STRING thePOP; ++ private SEQUENCE sequence; // for DER encoding ++ ++ /** ++ * Returns the bodyPartID field. ++ */ ++ public INTEGER getBodyPartID() { ++ return bodyPartID; ++ } ++ ++ public AlgorithmIdentifier getThePOPAlgID() { ++ return thePOPAlgID; ++ } ++ ++ public OCTET_STRING getWitness() { ++ return thePOP; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // constructors ++ /////////////////////////////////////////////////////////////////////// ++ private DecryptedPOP() { } ++ ++ public DecryptedPOP( ++ INTEGER bodyPartID, ++ AlgorithmIdentifier thePOPAlgID, ++ OCTET_STRING thePOP) ++ { ++ if( bodyPartID==null || thePOPAlgID==null || ++ thePOP==null ) { ++ throw new IllegalArgumentException("DecryptedPOP constructor" ++ +" parameter is null"); ++ } ++ ++ this.bodyPartID = bodyPartID; ++ this.thePOPAlgID = thePOPAlgID; ++ this.thePOP = thePOP; ++ ++ sequence = new SEQUENCE(); ++ sequence.addElement(bodyPartID); ++ sequence.addElement(thePOPAlgID); ++ sequence.addElement(thePOP); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // DER encoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ private static final Tag TAG = SEQUENCE.TAG; ++ ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ sequence.encode(ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException { ++ sequence.encode(implicitTag, ostream); ++ } ++ ++ private static final Template templateInstance = new 
Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ /** ++ * A Template for decoding BER-encoded DecryptedPOP items. ++ */ ++ public static class Template implements ASN1Template { ++ ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ ++ seqt.addElement( INTEGER.getTemplate() ); ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( OCTET_STRING.getTemplate() ); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new DecryptedPOP( ++ (INTEGER) seq.elementAt(0), ++ (AlgorithmIdentifier) seq.elementAt(1), ++ (OCTET_STRING) seq.elementAt(2) ); ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/EncryptedPOP.java b/org/mozilla/jss/pkix/cmc/EncryptedPOP.java +new file mode 100644 +index 0000000..58a3f4c +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/EncryptedPOP.java +@@ -0,0 +1,185 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. 
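Review bot: The accessor `getWitness()` returns `thePOP`, yet DecryptedPOP has no witness field; the name appears carried over from EncryptedPOP, which does have one, so callers will misread what the value is. Name it `getThePOP()` and, if `getWitness()` must remain, keep it as a deprecated alias with a Javadoc line saying it returns the POP octets. The public constructor checks for null but accepts any `bodyPartID`, while the sibling classes express a 0..4294967295 bound through `BODYIDMAX`; if that bound matters to callers, enforce it in the constructor with an `IllegalArgumentException`. The private no-argument constructor is unused in this file and would leave every field, including `sequence`, null.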
++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import org.mozilla.jss.pkix.primitive.*; ++import org.mozilla.jss.pkix.cms.*; ++import java.io.*; ++ ++/** ++ * CMC EncryptedPOP: ++ *
          ++ *     EncryptedPOP ::= SEQUENCE {
          ++ *         request       TaggedRequest,
          ++ *         cms             ContentInfo,
          ++ *         thePOPAlgID     AlgorithmIdentifier,
          ++ *         witnessAlgID    AlgorithmIdentifier,
          ++ *         witness         OCTET STRING
          ++ *     }
          ++ * 
          ++ * ++ * @author Christina Fu (cfu) ++ */ ++public class EncryptedPOP implements ASN1Value { ++ ++ /////////////////////////////////////////////////////////////////////// ++ // members and member access ++ /////////////////////////////////////////////////////////////////////// ++ private TaggedRequest request; ++ private ContentInfo cms; ++ private AlgorithmIdentifier thePOPAlgID; ++ private AlgorithmIdentifier witnessAlgID; ++ private OCTET_STRING witness; ++ private SEQUENCE sequence; // for DER encoding ++ ++ public TaggedRequest getRequest() { ++ return request; ++ } ++ ++ public ContentInfo getContentInfo() { ++ return cms; ++ } ++ ++ public AlgorithmIdentifier getThePOPAlgID() { ++ return thePOPAlgID; ++ } ++ ++ public AlgorithmIdentifier getWitnessAlgID() { ++ return witnessAlgID; ++ } ++ ++ public OCTET_STRING getWitness() { ++ return witness; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // constructors ++ /////////////////////////////////////////////////////////////////////// ++ private EncryptedPOP() { } ++ ++ public EncryptedPOP( ++ TaggedRequest request, ++ ContentInfo cms, ++ AlgorithmIdentifier thePOPAlgID, ++ AlgorithmIdentifier witnessAlgID, ++ OCTET_STRING witness) ++ { ++ if( request==null || cms==null || thePOPAlgID==null || witnessAlgID==null || ++ witness==null ) { ++ throw new IllegalArgumentException("EncryptedPOP constructor" ++ +" parameter is null"); ++ } ++ ++ this.request = request; ++ this.cms = cms; ++ this.thePOPAlgID = thePOPAlgID; ++ this.witnessAlgID = witnessAlgID; ++ this.witness = witness; ++ ++ sequence = new SEQUENCE(); ++ sequence.addElement(request); ++ sequence.addElement(cms); ++ sequence.addElement(thePOPAlgID); ++ sequence.addElement(witnessAlgID); ++ sequence.addElement(witness); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // DER encoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ private 
static final Tag TAG = SEQUENCE.TAG; ++ ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ sequence.encode(ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException { ++ sequence.encode(implicitTag, ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ /** ++ * A Template for decoding BER-encoded EncryptedPOP items. ++ */ ++ public static class Template implements ASN1Template { ++ ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ ++ seqt.addElement( TaggedRequest.getTemplate() ); ++ seqt.addElement( ContentInfo.getTemplate() ); ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( OCTET_STRING.getTemplate() ); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new EncryptedPOP( ++ (TaggedRequest) seq.elementAt(0), ++ (ContentInfo) seq.elementAt(1), ++ (AlgorithmIdentifier) seq.elementAt(2), ++ (AlgorithmIdentifier) seq.elementAt(3), ++ (OCTET_STRING) seq.elementAt(4) ); ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java b/org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java +new file mode 100644 +index 0000000..34a10a8 +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java +@@ -0,0 +1,145 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License 
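Review bot: In the new EncryptedPOP class the five value fields and `sequence` are assigned only in the public constructor but are not declared `final`, and `private EncryptedPOP() { }` is never called in the visible code. Dropping the unused constructor and declaring the fields `private final` would make the class visibly immutable, which is useful for a value that carries proof-of-possession material between decode and verification. The public constructor and accessors also have no Javadoc; a line such as `@throws IllegalArgumentException if any argument is null` on the constructor would document the one check it performs. The same pattern recurs in IdentityProofV2, OtherReqMsg and PopLinkWitnessV2 later in this patch.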
Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import java.io.InputStream; ++import java.io.OutputStream; ++import java.io.IOException; ++import org.mozilla.jss.util.Assert; ++ ++/** ++ * ExtendedFailInfo per rfc 5272 ++ * It is to be used in CMCStatusInfoV2 as a CHOICE of otherInfo ++ * ++ *
          ++ *      ExtendedFailInfo ::= SEQUENCE {
          ++ *          failInfoOID        OBJECT IDENTIFIER,
          ++ *          failInfoValue       ANY DEFINED BY failInfoOID }
          ++ * 
          ++ * ++ * @author Christina Fu (cfu) ++ */ ++public class ExtendedFailInfo implements ASN1Value { ++ ++ private OBJECT_IDENTIFIER failInfoOID; ++ private ANY failInfoValue; ++ ++ public static final Tag TAG = SEQUENCE.TAG; ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ private ExtendedFailInfo() { } ++ ++ public ExtendedFailInfo(OBJECT_IDENTIFIER failInfoOID, ASN1Value failInfoValue) { ++ this.failInfoOID = failInfoOID; ++ if( failInfoValue instanceof ANY ) { ++ this.failInfoValue = (ANY) failInfoValue; ++ } else { ++ byte[] encoded = ASN1Util.encode(failInfoValue); ++ try { ++ this.failInfoValue = (ANY) ASN1Util.decode(ANY.getTemplate(), encoded); ++ } catch( InvalidBERException e ) { ++ Assert.notReached("InvalidBERException while decoding as ANY"); ++ } ++ } ++ } ++ ++ public OBJECT_IDENTIFIER getOID() { ++ return failInfoOID; ++ } ++ ++ /** ++ * Returns the failInfoValue of this ExtendedFailInfo, encoded as an ANY. ++ */ ++ public ANY getValue() { ++ return failInfoValue; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ encode(TAG, ostream); ++ } ++ ++ public void encode(Tag implicit, OutputStream ostream) ++ throws IOException ++ { ++ SEQUENCE seq = new SEQUENCE(); ++ seq.addElement(failInfoOID); ++ seq.addElement(failInfoValue); ++ ++ seq.encode(implicit, ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ /** ++ * A Template for decoding an ExtendedFailInfo. 
++ */ ++ public static class Template implements ASN1Template { ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws IOException, InvalidBERException ++ { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicit, InputStream istream) ++ throws IOException, InvalidBERException ++ { ++ SEQUENCE.Template seqt = new SEQUENCE.Template(); ++ ++ seqt.addElement( new OBJECT_IDENTIFIER.Template() ); ++ seqt.addElement( new ANY.Template() ); ++ ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicit, istream); ++ ++ // The template should have enforced this ++ Assert._assert(seq.size() == 2); ++ ++ return new ExtendedFailInfo( (OBJECT_IDENTIFIER) seq.elementAt(0), ++ seq.elementAt(1) ); ++ } ++ } ++ ++} +diff --git a/org/mozilla/jss/pkix/cmc/IdentityProofV2.java b/org/mozilla/jss/pkix/cmc/IdentityProofV2.java +new file mode 100644 +index 0000000..f0daaaa +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/IdentityProofV2.java +@@ -0,0 +1,163 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. 
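Review bot: The public ExtendedFailInfo constructor accepts null for either argument, and in the re-encode path it leaves `failInfoValue` null when `ASN1Util.decode` throws, because the catch block only calls `Assert.notReached(...)`; whether that call throws in production builds is not visible here. A null field would then surface later in `encode`, far from the cause. Suggest the same guard the sibling classes use, `if (failInfoOID == null || failInfoValue == null) throw new IllegalArgumentException("ExtendedFailInfo constructor parameter is null");`, and in the catch `throw new IllegalStateException("failInfoValue did not re-decode as ANY", e);`. The `Assert._assert(seq.size() == 2)` in Template.decode depends on assertions being active in the same way.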
++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import org.mozilla.jss.pkix.primitive.*; ++import java.io.*; ++ ++/** ++ * CMC IdentityProofV2: ++ * per rfc 5272 ++ *
          ++ *     IdentityProofV2 ::= SEQUENCE {
          ++ *         hashAlgID      AlgorithmIdentifier,
          ++ *         macAlgId       AlgorithmIdentifier,
          ++ *         witness        OCTET STRING
          ++ *     }
          ++ * 
          ++ * ++ * @author Christina Fu (cfu) ++ */ ++public class IdentityProofV2 implements ASN1Value { ++ ++ /////////////////////////////////////////////////////////////////////// ++ // members and member access ++ /////////////////////////////////////////////////////////////////////// ++ private AlgorithmIdentifier hashAlgID; ++ private AlgorithmIdentifier macAlgId; ++ private OCTET_STRING witness; ++ private SEQUENCE sequence; // for DER encoding ++ ++ public AlgorithmIdentifier getHashAlgID() { ++ return hashAlgID; ++ } ++ ++ public AlgorithmIdentifier getMacAlgId() { ++ return macAlgId; ++ } ++ ++ public OCTET_STRING getWitness() { ++ return witness; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // constructors ++ /////////////////////////////////////////////////////////////////////// ++ private IdentityProofV2() { } ++ ++ public IdentityProofV2( ++ AlgorithmIdentifier hashAlgID, ++ AlgorithmIdentifier macAlgId, ++ OCTET_STRING witness) ++ { ++ if( hashAlgID==null || macAlgId==null || ++ witness==null ) { ++ throw new IllegalArgumentException("IdentityProofV2 constructor" ++ +" parameter is null"); ++ } ++ ++ this.hashAlgID = hashAlgID; ++ this.macAlgId = macAlgId; ++ this.witness = witness; ++ ++ sequence = new SEQUENCE(); ++ sequence.addElement(hashAlgID); ++ sequence.addElement(macAlgId); ++ sequence.addElement(witness); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // DER encoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ private static final Tag TAG = SEQUENCE.TAG; ++ ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ sequence.encode(ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException { ++ sequence.encode(implicitTag, ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static 
Template getTemplate() { ++ return templateInstance; ++ } ++ ++ /** ++ * A Template for decoding BER-encoded IdentityProofV2 items. ++ */ ++ public static class Template implements ASN1Template { ++ ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( OCTET_STRING.getTemplate() ); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new IdentityProofV2( ++ (AlgorithmIdentifier) seq.elementAt(0), ++ (AlgorithmIdentifier) seq.elementAt(1), ++ (OCTET_STRING) seq.elementAt(2) ); ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/OtherInfo.java b/org/mozilla/jss/pkix/cmc/OtherInfo.java +index b93c193..3c83932 100644 +--- a/org/mozilla/jss/pkix/cmc/OtherInfo.java ++++ b/org/mozilla/jss/pkix/cmc/OtherInfo.java +@@ -9,13 +9,20 @@ import java.io.*; + import org.mozilla.jss.util.Assert; + + /** +- * CMCStatusInfo OtherInfo: ++ * CMCStatusInfoV2 OtherInfo: ++ * + *
          +  *   OtherInfo ::= CHOICE { 
          +  *       failInfo INTEGER, 
          +- *       pendInfo PendInfo 
          +- *   } 
          ++ *       pendInfo PendInfo,
          ++ *       extendedFailInfo       SEQUENCE {  // ExtendedFailInfo
          ++ *           failInfoOID            OBJECT IDENTIFIER,
          ++ *           failInfoValue          AttributeValue
          ++ *       } OPTIONAL
          ++ *   }
          +  * 
          ++ * ++ * @author Christina Fu (cfu) - updated for rfc5272 + */ + public class OtherInfo implements ASN1Value { + // CMCFailInfo constants +@@ -32,20 +39,23 @@ public class OtherInfo implements ASN1Value { + public static final int NO_KEY_REUSE = 10; + public static final int INTERNAL_CA_ERROR = 11; + public static final int TRY_LATER = 12; ++ public static final int authDataFail = 13; + +- public static final String[] FAIL_INFO = {"bad algorithm", +- "bad message check", +- "bad request", +- "bad time", +- "bad certificate id", +- "unsupported extensions", +- "must archive keys", +- "bad identity", +- "POP required", +- "POP failed", +- "no key reuse", +- "internal ca error", +- "try later"}; ++ public static final String[] FAIL_INFO = { ++ "bad algorithm", ++ "bad message check", ++ "bad request", ++ "bad time", ++ "bad certificate id", ++ "unsupported extensions", ++ "must archive keys", ++ "bad identity", ++ "POP required", ++ "POP failed", ++ "no key reuse", ++ "internal ca error", ++ "try later", ++ "authenticated data fail"}; + /** + * The type of OtherInfo. 
+ */ +@@ -54,9 +64,11 @@ public class OtherInfo implements ASN1Value { + + static Type FAIL = new Type(); + static Type PEND = new Type(); ++ static Type EXTENDED = new Type(); + } + public static Type FAIL = Type.FAIL; + public static Type PEND = Type.PEND; ++ public static Type EXTENDED = Type.EXTENDED; + + /////////////////////////////////////////////////////////////////////// + // members and member access +@@ -65,6 +77,7 @@ public class OtherInfo implements ASN1Value { + private Type type; + private INTEGER failInfo; // if type == FAIL + private PendInfo pendInfo; // if type == PEND ++ private ExtendedFailInfo extendedFailInfo; // if type == EXTENDED + + /////////////////////////////////////////////////////////////////////// + // Constructors +@@ -73,17 +86,76 @@ public class OtherInfo implements ASN1Value { + // no default constructor + public OtherInfo() { } + +- /** ++ /** + * Constructs a OtherInfo from its components. + * + * @param type The type of the otherInfo. + * @param failInfo the CMCFailInfo code. + * @param pendInfo the pending information. ++ * ++ * Note: kept for backward compatibility for now; new code don't use + */ + public OtherInfo(Type type, INTEGER failInfo, PendInfo pendInfo) { ++ if (type == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter is null"); ++ } ++ ++ if ( type == FAIL ) { ++ if (failInfo == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter failInfo is null"); ++ } ++ } else { ++ Assert._assert( type == PEND ); ++ if (pendInfo == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter pendInfo is null"); ++ } ++ } ++ this.type = type; ++ this.failInfo = failInfo; ++ this.pendInfo = pendInfo; ++ } ++ ++ /** ++ * Constructs a OtherInfo from its components. ++ * ++ * @param type The type of the otherInfo. ++ * @param failInfo the CMCFailInfo code. ++ * @param pendInfo the pending information. 
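Review bot: `authDataFail` is the only constant in this list not written in UPPER_SNAKE_CASE (compare `TRY_LATER` and `INTERNAL_CA_ERROR` just above it); since it is a new public name, `public static final int AUTH_DATA_FAIL = 13;` would be consistent before callers start to depend on it. `FAIL_INFO` appears to be indexed by these codes, so a short comment stating that the array order must track the constants would help whoever adds the next code. The array is a public mutable static, which predates this change but is worth noting while the declaration is being rewritten.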
++ * @param extendedFailInfo the extendedFailInfo information. ++ */ ++ public OtherInfo(Type type, ++ INTEGER failInfo, ++ PendInfo pendInfo, ++ ExtendedFailInfo extendedFailInfo) { ++ if (type == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter is null"); ++ } ++ ++ if ( type == FAIL ) { ++ if (failInfo == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter failInfo is null"); ++ } ++ } else if ( type == PEND ) { ++ if (pendInfo == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter pendInfo is null"); ++ } ++ } else { ++ Assert._assert( type == EXTENDED ); ++ if (extendedFailInfo == null) { ++ throw new IllegalArgumentException("OtherInfo constructor" ++ +" parameter extendedFailInfo is null"); ++ } ++ } + this.type = type; + this.failInfo = failInfo; + this.pendInfo = pendInfo; ++ this.extendedFailInfo = extendedFailInfo; + } + + /////////////////////////////////////////////////////////////////////// +@@ -94,6 +166,7 @@ public class OtherInfo implements ASN1Value { + * Returns the type of OtherInfo:
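Review bot: The three-argument constructor treats every non-FAIL type as PEND and relies on `Assert._assert( type == PEND )` to reject EXTENDED. If that assertion is inactive in a release build (not visible here), `new OtherInfo(EXTENDED, null, pend)` yields an object whose `extendedFailInfo` is null, and the EXTENDED branch of `encode` then dereferences it. Delegating removes the duplicated checks and gets the explicit IllegalArgumentException from the four-argument version: `this(type, failInfo, pendInfo, null);`. The Javadoc remark "new code don't use" would be clearer as an `@deprecated` tag pointing at the four-argument constructor.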
            + *
          • FAIL + *
          • PEND ++ *
          • EXTENDED + *
          + */ + public Type getType() { +@@ -116,17 +189,27 @@ public class OtherInfo implements ASN1Value { + return pendInfo; + } + ++ /** ++ * If type == EXTENDED, returns the extendedFailInfo field. Otherwise, ++ * returns null. ++ */ ++ public ExtendedFailInfo getExtendedFailInfo() { ++ return extendedFailInfo; ++ } ++ + /////////////////////////////////////////////////////////////////////// + // DER decoding/encoding + /////////////////////////////////////////////////////////////////////// + + public Tag getTag() { +- // return the subType's tag ++ // return the subType's tag + if( type == FAIL ) { + return INTEGER.TAG; +- } else { +- Assert._assert( type == PEND ); ++ } else if( type == PEND ){ + return PendInfo.TAG; ++ } else { ++ Assert._assert( type == EXTENDED ); ++ return ExtendedFailInfo.TAG; + } + } + +@@ -134,16 +217,18 @@ public class OtherInfo implements ASN1Value { + + if( type == FAIL ) { + failInfo.encode(ostream); +- } else { +- Assert._assert( type == PEND ); ++ } else if( type == PEND ){ + pendInfo.encode(ostream); ++ } else { ++ Assert._assert( type == EXTENDED ); ++ extendedFailInfo.encode(ostream); + } + } + + public void encode(Tag implicitTag, OutputStream ostream) + throws IOException { +- //Assert.notReached("A CHOICE cannot be implicitly tagged " +implicitTag.getNum()); +- encode(ostream); ++ //Assert.notReached("A CHOICE cannot be implicitly tagged " +implicitTag.getNum()); ++ encode(ostream); + } + + private static final Template templateInstance = new Template(); +@@ -162,6 +247,7 @@ public class OtherInfo implements ASN1Value { + choicet = new CHOICE.Template(); + choicet.addElement( INTEGER.getTemplate() ); + choicet.addElement( PendInfo.getTemplate() ); ++ choicet.addElement( ExtendedFailInfo.getTemplate() ); + } + + public boolean tagMatch(Tag tag) { +@@ -173,17 +259,19 @@ public class OtherInfo implements ASN1Value { + CHOICE c = (CHOICE) choicet.decode(istream); + + if( c.getTag().equals(INTEGER.TAG) ) { +- return new 
OtherInfo(FAIL, (INTEGER) c.getValue() , null); ++ return new OtherInfo(FAIL, (INTEGER) c.getValue() , null, null); ++ } else if( c.getTag().equals(PendInfo.TAG) ) { ++ return new OtherInfo(PEND, null, (PendInfo) c.getValue(), null); + } else { +- Assert._assert( c.getTag().equals(PendInfo.TAG) ); +- return new OtherInfo(PEND, null, (PendInfo) c.getValue()); ++ Assert._assert( c.getTag().equals(ExtendedFailInfo.TAG) ); ++ return new OtherInfo(EXTENDED, null, null, (ExtendedFailInfo) c.getValue()); + } + } + + public ASN1Value decode(Tag implicitTag, InputStream istream) + throws InvalidBERException, IOException { +- //Assert.notReached("A CHOICE cannot be implicitly tagged"); +- return decode(istream); +- } +- } ++ //Assert.notReached("A CHOICE cannot be implicitly tagged"); ++ return decode(istream); ++ } ++ } + } +diff --git a/org/mozilla/jss/pkix/cmc/OtherReqMsg.java b/org/mozilla/jss/pkix/cmc/OtherReqMsg.java +new file mode 100644 +index 0000000..d1100b4 +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/OtherReqMsg.java +@@ -0,0 +1,167 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 2004 ++ * the Initial Developer. All Rights Reserved. 
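Review bot: The new `else if( c.getTag().equals(PendInfo.TAG) )` test cannot tell pendInfo from extendedFailInfo if both carry the SEQUENCE tag. This patch sets `ExtendedFailInfo.TAG = SEQUENCE.TAG`, and PendInfo.TAG (not shown here) is presumably the SEQUENCE tag as well. In that case `choicet.addElement( ExtendedFailInfo.getTemplate() )`, added in the template-constructor hunk above, registers a second alternative with the same tag, and a received extendedFailInfo would likely be parsed as a PendInfo and rejected or mis-typed instead of reaching the EXTENDED branch. A round-trip test that encodes and decodes `new OtherInfo(EXTENDED, null, null, efi)` would settle it; if it fails, the alternative needs a distinguishing context tag on both the encode and decode sides, checked against the RFC 5272 ASN.1 module. The decode method's signature lies outside this hunk.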
++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import java.io.*; ++ ++/** ++ * CMC OtherReqMsg. ++ *
          ++ * OtherReqMsg is to be used by the "orm" field of the TaggedRequest per
          ++ *     definition in RFC 5272.
          ++ *
          ++ * OtherReqMsg ::= SEQUENCE {
          ++ *      bodyPartID      BodyPartID,
          ++ *      requestMessageType    Object Identifier,
          ++ *      requestMessageValue   ANY defined by requestMessageType}
          ++ * 
          ++ * ++ * @author Christina Fu (cfu) ++ */ ++public class OtherReqMsg implements ASN1Value { ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Members and member access ++ /////////////////////////////////////////////////////////////////////// ++ private INTEGER bodyPartID; ++ private OBJECT_IDENTIFIER requestMessageType; ++ private ANY requestMessageValue; ++ private SEQUENCE sequence; ++ ++ /** ++ * Returns the bodyPartID field. ++ */ ++ public INTEGER getBodyPartID() { ++ return bodyPartID; ++ } ++ ++ /** ++ * Returns the requestMessageType field. ++ */ ++ public OBJECT_IDENTIFIER getOtherReqMsgType() { ++ return requestMessageType; ++ } ++ ++ /** ++ * Returns the requestMessageValue field. ++ */ ++ public ANY getOtherReqMsgValue() { ++ return requestMessageValue; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Constructors ++ /////////////////////////////////////////////////////////////////////// ++ private OtherReqMsg() { } ++ ++ /** ++ * Constructs a new OtherReqMsg from its components. 
++ */ ++ public OtherReqMsg(INTEGER bodyPartID, OBJECT_IDENTIFIER requestMessageType, ++ ANY requestMessageValue) { ++ if (bodyPartID == null || requestMessageType == null ++ || requestMessageValue == null) { ++ throw new IllegalArgumentException( ++ "parameter to OtherReqMsg constructor is null"); ++ } ++ sequence = new SEQUENCE(); ++ ++ this.bodyPartID = bodyPartID; ++ sequence.addElement(bodyPartID); ++ ++ this.requestMessageType = requestMessageType; ++ sequence.addElement(requestMessageType); ++ ++ this.requestMessageValue = requestMessageValue; ++ sequence.addElement(requestMessageValue); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // encoding/decoding ++ /////////////////////////////////////////////////////////////////////// ++ private static final Tag TAG = SEQUENCE.TAG; ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ sequence.encode(ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException { ++ sequence.encode(implicitTag, ostream); ++ } ++ ++ private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ /** ++ * A Template for decoding a OtherReqMsg. 
++ */ ++ public static class Template implements ASN1Template { ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ seqt.addElement(INTEGER.getTemplate()); ++ seqt.addElement(OBJECT_IDENTIFIER.getTemplate()); ++ seqt.addElement(ANY.getTemplate()); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new OtherReqMsg((INTEGER)seq.elementAt(0), ++ (OBJECT_IDENTIFIER)seq.elementAt(1), ++ (ANY)seq.elementAt(2)); ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java b/org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java +new file mode 100644 +index 0000000..637c316 +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java +@@ -0,0 +1,163 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. 
++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import org.mozilla.jss.pkix.primitive.*; ++import java.io.*; ++ ++/** ++ * CMC PopLinkWitnessV2: ++ * per rfc 5272 ++ *
          ++ *     PopLinkWitnessV2 ::= SEQUENCE {
          ++ *         keyGenAlgorithm     AlgorithmIdentifier,
          ++ *         macAlgorithm       AlgorithmIdentifier,
          ++ *         witness        OCTET STRING
          ++ *     }
          ++ * 
          ++ * ++ * @author Christina Fu (cfu) ++ */ ++public class PopLinkWitnessV2 implements ASN1Value { ++ ++ /////////////////////////////////////////////////////////////////////// ++ // members and member access ++ /////////////////////////////////////////////////////////////////////// ++ private AlgorithmIdentifier keyGenAlgorithm; ++ private AlgorithmIdentifier macAlgorithm; ++ private OCTET_STRING witness; ++ private SEQUENCE sequence; // for DER encoding ++ ++ public AlgorithmIdentifier getKeyGenAlgorithm() { ++ return keyGenAlgorithm; ++ } ++ ++ public AlgorithmIdentifier getMacAlgorithm() { ++ return macAlgorithm; ++ } ++ ++ public OCTET_STRING getWitness() { ++ return witness; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // constructors ++ /////////////////////////////////////////////////////////////////////// ++ private PopLinkWitnessV2() { } ++ ++ public PopLinkWitnessV2( ++ AlgorithmIdentifier keyGenAlgorithm, ++ AlgorithmIdentifier macAlgorithm, ++ OCTET_STRING witness) ++ { ++ if( keyGenAlgorithm==null || macAlgorithm==null || ++ witness==null ) { ++ throw new IllegalArgumentException("PopLinkWitnessV2 constructor" ++ +" parameter is null"); ++ } ++ ++ this.keyGenAlgorithm = keyGenAlgorithm; ++ this.macAlgorithm = macAlgorithm; ++ this.witness = witness; ++ ++ sequence = new SEQUENCE(); ++ sequence.addElement(keyGenAlgorithm); ++ sequence.addElement(macAlgorithm); ++ sequence.addElement(witness); ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // DER encoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ private static final Tag TAG = SEQUENCE.TAG; ++ ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ sequence.encode(ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException { ++ sequence.encode(implicitTag, ostream); ++ } ++ ++ 
private static final Template templateInstance = new Template(); ++ public static Template getTemplate() { ++ return templateInstance; ++ } ++ ++ /** ++ * A Template for decoding BER-encoded PopLinkWitnessV2 items. ++ */ ++ public static class Template implements ASN1Template { ++ ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( AlgorithmIdentifier.getTemplate() ); ++ seqt.addElement( OCTET_STRING.getTemplate() ); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new PopLinkWitnessV2( ++ (AlgorithmIdentifier) seq.elementAt(0), ++ (AlgorithmIdentifier) seq.elementAt(1), ++ (OCTET_STRING) seq.elementAt(2) ); ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/RevokeRequest.java b/org/mozilla/jss/pkix/cmc/RevokeRequest.java +new file mode 100644 +index 0000000..d8444b6 +--- /dev/null ++++ b/org/mozilla/jss/pkix/cmc/RevokeRequest.java +@@ -0,0 +1,323 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. 
++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++ ++package org.mozilla.jss.pkix.cmc; ++ ++import org.mozilla.jss.asn1.*; ++import java.io.*; ++ ++/** ++ * CMC RevokeRequest. ++ *
          ++ * RevokeRequest ::= SEQUENCE {
          ++ *      issuerName      Name,
          ++ *      serialNumber    INTEGER,
          ++ *      reason          CRLReason,
          ++ *      invalidityDate  GeneralizedTime OPTIONAL,
          ++ *      passphrase    OCTET STRING OPTIONAL,
          ++ *      comment         UTF8String OPTIONAL }
          ++ * 
          ++ * ++ * For maintenance and conformance reasons, this code is brought over ++ * and mildly updated and renamed from cmmf/RevRequest during the process ++ * of CMC update to rfc 5272 ++ * @author Christina Fu (cfu) ++ */ ++public class RevokeRequest implements ASN1Value { ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Constants ++ /////////////////////////////////////////////////////////////////////// ++ ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED unspecified = new ENUMERATED(0); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED keyCompromise = new ENUMERATED(1); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED cACompromise = new ENUMERATED(2); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED affiliationChanged = new ENUMERATED(3); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED superseded = new ENUMERATED(4); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED cessationOfOperation = new ENUMERATED(5); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED certificateHold = new ENUMERATED(6); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED removeFromCRL = new ENUMERATED(8); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. ++ */ ++ public static final ENUMERATED privilegeWithdrawn = new ENUMERATED(9); ++ /** ++ * A CRLReason, which can be used in the reason ++ * field. 
++ */ ++ public static final ENUMERATED aACompromise = new ENUMERATED(10); ++ ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Members and member access ++ /////////////////////////////////////////////////////////////////////// ++ private ANY issuerName; ++ private INTEGER serialNumber; ++ private ENUMERATED reason; ++ private GeneralizedTime invalidityDate; // may be null ++ private OCTET_STRING passphrase; // may be null ++ private UTF8String comment; // may be null ++ private SEQUENCE sequence; ++ ++ /** ++ * Returns the issuerName field as an ANY. ++ */ ++ public ANY getIssuerName() { ++ return issuerName; ++ } ++ ++ /** ++ * Returns the serialNumber field. ++ */ ++ public INTEGER getSerialNumber() { ++ return serialNumber; ++ } ++ ++ /** ++ * Returns the reason field, which should indicate the ++ * reason for the revocation. The currently supported reasons are: ++ *
          ++     * CRLReason ::= ENUMERATED {
          ++     *      unspecified             (0),
          ++     *      keyCompromise           (1),
          ++     *      cACompromise            (2),
          ++     *      affiliationChanged      (3),
          ++     *      superseded              (4),
          ++     *      cessationOfOperation    (5),
          ++     *      certificateHold         (6),
          ++     *      removeFromCRL           (8),
          ++     *      privilegeWithdrawn      (9),
          ++     *      aACompromise            (10) }
          ++     * 
          ++ * These are all defined as constants in this class. ++ */ ++ public ENUMERATED getReason() { ++ return reason; ++ } ++ ++ /** ++ * Returns the invalidityDate field. Returns null ++ * if the field is not present. ++ */ ++ public GeneralizedTime getInvalidityDate() { ++ return invalidityDate; ++ } ++ ++ /** ++ * Returns the passphrase field. Returns ++ * null if the field is not present. ++ */ ++ public OCTET_STRING getSharedSecret() { ++ return passphrase; ++ } ++ ++ /** ++ * Returns the comment field. Returns null ++ * if the field is not present. ++ */ ++ public UTF8String getComment() { ++ return comment; ++ } ++ ++ /////////////////////////////////////////////////////////////////////// ++ // Constructors ++ /////////////////////////////////////////////////////////////////////// ++ ++ private RevokeRequest() { } ++ ++ ++ /** ++ * Constructs a new RevokeRequest from its components, ++ * omitting the invalidityDate field. ++ * ++ * @deprecated This constructor is obsolete now that ++ * invalidityDate has been added to the class. ++ * ++ * @param issuerName The issuerName field. ++ * @param serialNumber The serialNumber field. ++ * @param reason The reason field. The constants defined ++ * in this class may be used. ++ * @param passphrase The passphrase field. This field is ++ * optional, so null may be used. ++ * @param comment The comment field. This field is optional, ++ * so null may be used. ++ */ ++ public RevokeRequest(ANY issuerName, INTEGER serialNumber, ++ ENUMERATED reason, OCTET_STRING passphrase, ++ UTF8String comment) ++ { ++ this(issuerName, serialNumber, reason, null, passphrase, comment); ++ } ++ ++ /** ++ * Constructs a new RevokeRequest from its components. ++ * ++ * @param issuerName The issuerName field. ++ * @param serialNumber The serialNumber field. ++ * @param reason The reason field. The constants defined ++ * in this class may be used. ++ * @param invalidityDate The suggested value for the Invalidity Date ++ * CRL extension. 
This field is optional, so null may be ++ * used. ++ * @param passphrase The passphrase field. This field is ++ * optional, so null may be used. ++ * @param comment The comment field. This field is optional, ++ * so null may be used. ++ */ ++ public RevokeRequest(ANY issuerName, INTEGER serialNumber, ++ ENUMERATED reason, GeneralizedTime invalidityDate, ++ OCTET_STRING passphrase, UTF8String comment) ++ { ++ if( issuerName==null || serialNumber==null || reason==null ) { ++ throw new IllegalArgumentException( ++ "parameter to RevokeRequest constructor is null"); ++ } ++ sequence = new SEQUENCE(); ++ ++ this.issuerName = issuerName; ++ sequence.addElement(issuerName); ++ ++ this.serialNumber = serialNumber; ++ sequence.addElement(serialNumber); ++ ++ this.reason = reason; ++ sequence.addElement(reason); ++ ++ this.invalidityDate = invalidityDate; ++ sequence.addElement(invalidityDate); ++ ++ this.passphrase = passphrase; ++ sequence.addElement(passphrase); ++ ++ this.comment = comment; ++ sequence.addElement(comment); ++ } ++ ++ ++ /////////////////////////////////////////////////////////////////////// ++ // encoding/decoding ++ /////////////////////////////////////////////////////////////////////// ++ ++ private static final Tag TAG = SEQUENCE.TAG; ++ public Tag getTag() { ++ return TAG; ++ } ++ ++ public void encode(OutputStream ostream) throws IOException { ++ sequence.encode(ostream); ++ } ++ ++ public void encode(Tag implicitTag, OutputStream ostream) ++ throws IOException { ++ sequence.encode(implicitTag, ostream); ++ } ++ ++ ++ ++ /** ++ * A Template class for decoding a RevokeRequest. 
++ */ ++ public static class Template implements ASN1Template { ++ ++ private SEQUENCE.Template seqt; ++ ++ public Template() { ++ seqt = new SEQUENCE.Template(); ++ seqt.addElement(ANY.getTemplate()); ++ seqt.addElement(INTEGER.getTemplate()); ++ seqt.addElement(ENUMERATED.getTemplate()); ++ seqt.addOptionalElement(GeneralizedTime.getTemplate()); ++ seqt.addOptionalElement(OCTET_STRING.getTemplate()); ++ seqt.addOptionalElement(UTF8String.getTemplate()); ++ } ++ ++ public boolean tagMatch(Tag tag) { ++ return TAG.equals(tag); ++ } ++ ++ public ASN1Value decode(InputStream istream) ++ throws InvalidBERException, IOException { ++ return decode(TAG, istream); ++ } ++ ++ public ASN1Value decode(Tag implicitTag, InputStream istream) ++ throws InvalidBERException, IOException { ++ ++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream); ++ ++ return new RevokeRequest( (ANY) seq.elementAt(0), ++ (INTEGER) seq.elementAt(1), ++ (ENUMERATED) seq.elementAt(2), ++ (GeneralizedTime) seq.elementAt(3), ++ (OCTET_STRING) seq.elementAt(4), ++ (UTF8String) seq.elementAt(5) ); ++ ++ } ++ } ++} +diff --git a/org/mozilla/jss/pkix/cmc/TaggedRequest.java b/org/mozilla/jss/pkix/cmc/TaggedRequest.java +index e616660..e71b57c 100644 +--- a/org/mozilla/jss/pkix/cmc/TaggedRequest.java ++++ b/org/mozilla/jss/pkix/cmc/TaggedRequest.java +@@ -15,6 +15,11 @@ import org.mozilla.jss.util.Assert; + * TaggedRequest ::= CHOICE { + * tcr [0] TaggedCertificationRequest, + * crm [1] CertReqMsg ++ * orm [2] SEQUENCE { ++ * bodyPartID BodyPartID, ++ * requestMessageType OBJECT IDENTIFIER, ++ * requestMessageValue ANY DEFINED BY requestMessageType ++ * } // added for rfc 5272; defined in OtherReqMsg + * } + * + */ +@@ -27,9 +32,11 @@ public class TaggedRequest implements ASN1Value { + + static Type PKCS10 = new Type(); + static Type CRMF = new Type(); ++ static Type OTHER = new Type(); + } + public static Type PKCS10 = Type.PKCS10; + public static Type CRMF = Type.CRMF; ++ public static Type OTHER = 
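Review bot: `Template.decode` hands whatever ENUMERATED arrives straight to the constructor as `reason`, and the constructor checks only for null, so a decoded RevokeRequest can carry a value outside the CRLReason list documented on `getReason()` (7 is unassigned there, and nothing bounds the upper end). Since this object is parsed from a request, I would document on `getReason()` that the value is not validated on decode, e.g. `Not range-checked on decode; callers must reject values other than the CRLReason constants defined in this class.` Separately, `getSharedSecret()` returns the field that the ASN.1 comment and the Javadoc call `passphrase`; a one-line note on the accessor explaining the retained name would save readers a lookup.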
Type.OTHER; + + /////////////////////////////////////////////////////////////////////// + // members and member access +@@ -38,6 +45,7 @@ public class TaggedRequest implements ASN1Value { + private Type type; + private TaggedCertificationRequest tcr; // if type == PKCS10 + private CertReqMsg crm; // if type == CRMF ++ private OtherReqMsg orm; // if type == OTHER + + /////////////////////////////////////////////////////////////////////// + // Constructors +@@ -48,7 +56,7 @@ public class TaggedRequest implements ASN1Value { + + /** + * Constructs a TaggedRequest from its components. +- * ++ * kept for backward compatibility for now + * @param type The type of the request. + * @param tcr Tagged pkcs10 request. + * @param crm CRMF request. +@@ -59,6 +67,24 @@ public class TaggedRequest implements ASN1Value { + this.crm = crm; + } + ++ /** ++ * Constructs a TaggedRequest from its components. ++ * rfc 5272 ++ * @param type The type of the request. ++ * @param tcr Tagged pkcs10 request. ++ * @param crm CRMF request. ++ * @param orm OTHER request. ++ */ ++ public TaggedRequest(Type type, ++ TaggedCertificationRequest tcr, ++ CertReqMsg crm, ++ OtherReqMsg orm) { ++ this.type = type; ++ this.tcr = tcr; ++ this.crm = crm; ++ this.orm = orm; ++ } ++ + /////////////////////////////////////////////////////////////////////// + // accessors + /////////////////////////////////////////////////////////////////////// +@@ -67,6 +93,7 @@ public class TaggedRequest implements ASN1Value { + * Returns the type of TaggedRequest:
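Review bot: The new four-argument constructor stores `type`, `tcr`, `crm` and `orm` without checking that the component selected by `type` is non-null, or that `type` is one of the three known values. `getTag()` and `encode()` in the later hunks treat every type that is not PKCS10 or CRMF as OTHER and guard that only with `Assert._assert` (whether that assertion is active in production builds is not visible here), so a mismatched instance would surface as a NullPointerException at `orm.encode(Tag.get(2), ostream)` rather than at construction. A guard such as `if (type == OTHER && orm == null) throw new IllegalArgumentException("orm is null for type OTHER");`, with matching checks for PKCS10 and CRMF, would fail early. The older three-argument constructor lies mostly outside this hunk and presumably has the same gap.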
            + *
          • PKCS10 + *
          • CRMF ++ *
          • OTHER + *
          + */ + public Type getType() { +@@ -89,6 +116,14 @@ public class TaggedRequest implements ASN1Value { + return crm; + } + ++ /** ++ * If type == OTHER, returns the orm field. Otherwise, ++ * returns null. ++ */ ++ public OtherReqMsg getOrm() { ++ return orm; ++ } ++ + /////////////////////////////////////////////////////////////////////// + // DER decoding/encoding + /////////////////////////////////////////////////////////////////////// +@@ -96,9 +131,11 @@ public class TaggedRequest implements ASN1Value { + public Tag getTag() { + if( type == PKCS10 ) { + return Tag.get(0); +- } else { +- Assert._assert( type == CRMF ); ++ } else if( type == CRMF ){ + return Tag.get(1); ++ } else { ++ Assert._assert( type == OTHER ); ++ return Tag.get(2); + } + } + +@@ -109,12 +146,17 @@ public class TaggedRequest implements ASN1Value { + // a CHOICE must be explicitly tagged + //EXPLICIT e = new EXPLICIT( Tag.get(0), tcr ); + //e.encode(ostream); +- } else { +- Assert._assert( type == CRMF ); ++ } else if( type == CRMF ) { + crm.encode(Tag.get(1), ostream); + // a CHOICE must be explicitly tagged + //EXPLICIT e = new EXPLICIT( Tag.get(1), crm ); + //e.encode(ostream); ++ } else { ++ Assert._assert( type == OTHER ); ++ orm.encode(Tag.get(2), ostream); ++ // a CHOICE must be explicitly tagged ++ //EXPLICIT e = new EXPLICIT( Tag.get(2), orm ); ++ //e.encode(ostream); + } + } + +@@ -142,12 +184,16 @@ public class TaggedRequest implements ASN1Value { + + //EXPLICIT.Template et = new EXPLICIT.Template( + // Tag.get(0), TaggedCertificationRequest.getTemplate() ); +- //choicet.addElement( et ); ++ //choicet.addElement( et ); + choicet.addElement( Tag.get(0), TaggedCertificationRequest.getTemplate() ); + //et = new EXPLICIT.Template( + // Tag.get(1), CertReqMsg.getTemplate() ); +- //choicet.addElement( et ); ++ //choicet.addElement( et ); + choicet.addElement( Tag.get(1), CertReqMsg.getTemplate() ); ++ //et = new EXPLICIT.Template( ++ // Tag.get(2), CertReqMsg.getTemplate() ); 
++ //choicet.addElement( et ); ++ choicet.addElement( Tag.get(2), OtherReqMsg.getTemplate() ); + } + + public boolean tagMatch(Tag tag) { +@@ -161,15 +207,21 @@ public class TaggedRequest implements ASN1Value { + if( c.getTag().equals(Tag.get(0)) ) { + //EXPLICIT e = (EXPLICIT) c.getValue(); + //return new TaggedRequest(PKCS10, +- // (TaggedCertificationRequest) +- // e.getContent(), null ); ++ // (TaggedCertificationRequest) ++ // e.getContent(), null ); + return new TaggedRequest(PKCS10, (TaggedCertificationRequest) c.getValue() , null); ++ } if( c.getTag().equals(Tag.get(1)) ) { ++ //EXPLICIT e = (EXPLICIT) c.getValue(); ++ //return new TaggedRequest(CRMF, ++ // (CertReqMsg) ++ // e.getContent(), null ); ++ return new TaggedRequest(CRMF, null, (CertReqMsg) c.getValue() , null); + } else { +- Assert._assert( c.getTag().equals(Tag.get(1)) ); ++ Assert._assert( c.getTag().equals(Tag.get(2)) ); + //EXPLICIT e = (EXPLICIT) c.getValue(); +- //return new TaggedRequest(CRMF, null, +- // (CertReqMsg) e.getContent() ); +- return new TaggedRequest(CRMF, null, (CertReqMsg) c.getValue()); ++ //return new TaggedRequest(OTHER, null, ++ // (CertReqMsg) e.getContent() ); ++ return new TaggedRequest(OTHER, null, null, (OtherReqMsg) c.getValue()); + } + } + +diff --git a/org/mozilla/jss/pkix/cmmf/RevRequest.java b/org/mozilla/jss/pkix/cmmf/RevRequest.java +index 3fd1342..578548b 100644 +--- a/org/mozilla/jss/pkix/cmmf/RevRequest.java ++++ b/org/mozilla/jss/pkix/cmmf/RevRequest.java +@@ -18,6 +18,9 @@ import java.io.*; + * sharedSecret OCTET STRING OPTIONAL, + * comment UTF8String OPTIONAL } + * ++ * For maintenance and conformance reasons, this code has been brought ++ * over and renamed to cmc/RevokeRequest during the CMC update to rfc 5272. 
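Review bot: In `decode`, the second branch is written as `} if( c.getTag().equals(Tag.get(1)) ) {` with no `else`; it behaves correctly only because the preceding branch returns. Writing it as `} else if( c.getTag().equals(Tag.get(1)) ) {` makes the three-way dispatch explicit and keeps it correct if the first branch ever stops returning. The commented-out template lines added in the previous hunk still name `CertReqMsg.getTemplate()` for `Tag.get(2)` where `OtherReqMsg` is meant, and the commented cast in the final branch likewise says `(CertReqMsg)`. The method's signature is outside the hunk.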
++ * All new code should use cmc/RevokeRequest instead + */ + public class RevRequest implements ASN1Value { + +diff --git a/org/mozilla/jss/pkix/crmf/CertRequest.java b/org/mozilla/jss/pkix/crmf/CertRequest.java +index ee0868c..90aab0d 100644 +--- a/org/mozilla/jss/pkix/crmf/CertRequest.java ++++ b/org/mozilla/jss/pkix/crmf/CertRequest.java +@@ -57,6 +57,13 @@ public class CertRequest implements ASN1Value { + } + + /** ++ * Returns the controls field. ++ */ ++ public SEQUENCE getControls() { ++ return controls; ++ } ++ ++ /** + * Returns the number of optional Controls in the cert request. + * The number may be zero. + */ +-- +2.9.3 + + +From 9462edf264ae6da5aad113b293af9f5345542caa Mon Sep 17 00:00:00 2001 +From: Elio Maldonado +Date: Mon, 27 Mar 2017 12:01:30 -0700 +Subject: [PATCH 11/11] Bug 1350130 - Missing + CryptoManager.verifyCertificateNowCUNative() implementation, r=edewata + +--- + org/mozilla/jss/PK11Finder.c | 87 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 87 insertions(+) + +diff --git a/org/mozilla/jss/PK11Finder.c b/org/mozilla/jss/PK11Finder.c +index a488c4f..9e234e6 100644 +--- a/org/mozilla/jss/PK11Finder.c ++++ b/org/mozilla/jss/PK11Finder.c +@@ -1554,6 +1554,68 @@ finish: + } + + /*********************************************************************** ++ * CryptoManager.verifyCertificateNow ++ * ++ * Called by java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative ++ */ ++SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString, ++ jboolean checkSig, jint required_certificateUsage, ++ SECCertificateUsage *currUsage) ++{ ++ SECStatus rv = SECFailure; ++ SECCertificateUsage certificateUsage; ++ CERTCertificate *cert=NULL; ++ char *nickname=NULL; ++ ++ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL); ++ if( nickname == NULL ) { ++ goto finish; ++ } ++ ++ certificateUsage = required_certificateUsage; ++ ++ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); ++ ++ 
if (cert == NULL) { ++ JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); ++ goto finish; ++ } else { ++ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will ++ * retrieve the current valid usage into currUsage ++ */ ++ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, ++ checkSig, certificateUsage, NULL, currUsage ); ++ if ((rv == SECSuccess) && certificateUsage == 0x0000) { ++ if (*currUsage == ++ ( certUsageUserCertImport | ++ certUsageVerifyCA | ++ certUsageProtectedObjectSigner | ++ certUsageAnyCA )) { ++ ++ /* the cert is good for nothing ++ The folllowing usages cannot be verified: ++ certUsageAnyCA ++ certUsageProtectedObjectSigner ++ certUsageUserCertImport ++ certUsageVerifyCA ++ (0x0b80) */ ++ rv =SECFailure; ++ } ++ } ++ } ++ ++finish: ++ if(nickname != NULL) { ++ (*env)->ReleaseStringUTFChars(env, nickString, nickname); ++ } ++ if(cert != NULL) { ++ CERT_DestroyCertificate(cert); ++ } ++ ++ return rv; ++} ++ ++/*********************************************************************** + * CryptoManager.verifyCertificateNowNative + * + * Returns JNI_TRUE if success, JNI_FALSE otherwise +@@ -1604,6 +1666,31 @@ finish: + } + + /*********************************************************************** ++ * CryptoManager.verifyCertificateNowCUNative ++ * ++ * Returns jint which contains bits in SECCertificateUsage that reflects ++ * the cert usage(s) that the cert is good for ++ * if the cert is good for nothing, returned value is ++ * (0x0b80): ++ * certUsageUserCertImport | ++ * certUsageVerifyCA | ++ * certUsageProtectedObjectSigner | ++ * certUsageAnyCA ++ */ ++JNIEXPORT jint JNICALL ++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env, ++ jobject self, jstring nickString, jboolean checkSig) ++{ ++ SECStatus VARIABLE_MAY_NOT_BE_USED rv = SECFailure; ++ SECCertificateUsage currUsage = 0x0000; ++ ++ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage); ++ /* rv is ignored */ ++ ++ return 
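Review bot: The "good for nothing" test in `verifyCertificateNow` ORs together `certUsageUserCertImport | certUsageVerifyCA | certUsageProtectedObjectSigner | certUsageAnyCA`, which are members of the `SECCertUsage` enumeration, while `*currUsage` is a `SECCertificateUsage` bit mask and the comment gives the expected value as 0x0b80. As far as I can tell from NSS's certt.h the enum members are small ordinals, so the OR does not produce 0x0b80 and the comparison will not match the mask the comment describes; the bit-flag names are `certificateUsageUserCertImport | certificateUsageVerifyCA | certificateUsageProtectedObjectSigner | certificateUsageAnyCA`. As written, a certificate with no verifiable usage would leave `rv` at SECSuccess. `verifyCertificateNowCUNative` in the next hunk also discards `rv`, so its Java caller has to make the same 0x0b80 comparison itself, and a failed nickname lookup returns 0 with an exception pending.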
currUsage; ++} ++ ++/*********************************************************************** + * CryptoManager.verifyCertificateNowNative2 + * + * Verify a certificate that exists in the given cert database, +-- +2.9.3 + diff --git a/SOURCES/jss-rhel-7-4-beta.patch b/SOURCES/jss-rhel-7-4-beta.patch new file mode 100644 index 0000000..5bfe995 --- /dev/null +++ b/SOURCES/jss-rhel-7-4-beta.patch 
@@ -0,0 +1,844 @@ +# HG changeset patch +# User Fraser Tweedale +# Date 1493324725 25200 +# Thu Apr 27 13:25:25 2017 -0700 +# Node ID c8885dd6787639d74a1c9d634fd289ff17fa6f02 +# Parent b2306481f30dcc8c0c060520805d405dd2546d14 +Bug 1355358 - CryptoStore: add methods for importing and exporting EncryptedPrivateKeyInfo, r=cfu + +diff --git a/lib/jss.def b/lib/jss.def +--- a/lib/jss.def ++++ b/lib/jss.def +@@ -324,3 +324,9 @@ + ;+ local: + ;+ *; + ;+}; ++;+JSS_4.4.1 { # JSS 4.4.1 release ++;+ global: ++Java_org_mozilla_jss_pkcs11_PK11Store_importEncryptedPrivateKeyInfo; ++;+ local: ++;+ *; ++;+}; +diff --git a/org/mozilla/jss/crypto/Algorithm.c b/org/mozilla/jss/crypto/Algorithm.c +--- a/org/mozilla/jss/crypto/Algorithm.c ++++ b/org/mozilla/jss/crypto/Algorithm.c +@@ -86,7 +86,13 @@ + /* 55 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG}, + /* 56 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG}, + /* 57 */ {CKM_NSS_AES_KEY_WRAP, PK11_MECH}, +-/* 58 */ {CKM_NSS_AES_KEY_WRAP_PAD, PK11_MECH} ++/* 58 */ {CKM_NSS_AES_KEY_WRAP_PAD, PK11_MECH}, ++/* 59 */ {SEC_OID_AES_128_ECB, SEC_OID_TAG}, ++/* 60 */ {SEC_OID_AES_128_CBC, SEC_OID_TAG}, ++/* 61 */ {SEC_OID_AES_192_ECB, SEC_OID_TAG}, ++/* 62 */ {SEC_OID_AES_192_CBC, SEC_OID_TAG}, ++/* 63 */ {SEC_OID_AES_256_ECB, SEC_OID_TAG}, ++/* 64 */ {SEC_OID_AES_256_CBC, SEC_OID_TAG} + /* REMEMBER TO UPDATE NUM_ALGS!!! 
*/ + }; + +diff --git a/org/mozilla/jss/crypto/Algorithm.h b/org/mozilla/jss/crypto/Algorithm.h +--- a/org/mozilla/jss/crypto/Algorithm.h ++++ b/org/mozilla/jss/crypto/Algorithm.h +@@ -24,7 +24,7 @@ + JSS_AlgType type; + } JSS_AlgInfo; + +-#define NUM_ALGS 59 ++#define NUM_ALGS 65 + + extern JSS_AlgInfo JSS_AlgTable[]; + extern CK_ULONG JSS_symkeyUsage[]; +diff --git a/org/mozilla/jss/crypto/Algorithm.java b/org/mozilla/jss/crypto/Algorithm.java +--- a/org/mozilla/jss/crypto/Algorithm.java ++++ b/org/mozilla/jss/crypto/Algorithm.java +@@ -212,4 +212,12 @@ + protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=56; + protected static final short CKM_NSS_AES_KEY_WRAP=57; + protected static final short CKM_NSS_AES_KEY_WRAP_PAD=58; ++ ++ // AES Encryption Algorithms ++ protected static final short SEC_OID_AES_128_ECB = 59; ++ protected static final short SEC_OID_AES_128_CBC = 60; ++ protected static final short SEC_OID_AES_192_ECB = 61; ++ protected static final short SEC_OID_AES_192_CBC = 62; ++ protected static final short SEC_OID_AES_256_ECB = 63; ++ protected static final short SEC_OID_AES_256_CBC = 64; + } +diff --git a/org/mozilla/jss/crypto/CryptoStore.java b/org/mozilla/jss/crypto/CryptoStore.java +--- a/org/mozilla/jss/crypto/CryptoStore.java ++++ b/org/mozilla/jss/crypto/CryptoStore.java +@@ -4,6 +4,7 @@ + + package org.mozilla.jss.crypto; + ++import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.util.*; + import java.security.*; + import java.security.cert.CertificateEncodingException; +@@ -68,9 +69,50 @@ + public void deletePrivateKey(org.mozilla.jss.crypto.PrivateKey key) + throws NoSuchItemOnTokenException, TokenException; + ++ /** ++ * Get an encrypted private key for the given cert. 
++ * ++ * @param cert Certificate of key to be exported ++ * @param pbeAlg The PBEAlgorithm to use ++ * @param pw The password to encrypt with ++ * @param iteration Iteration count; default of 2000 if le 0 ++ */ ++ public byte[] getEncryptedPrivateKeyInfo(X509Certificate cert, ++ PBEAlgorithm pbeAlg, Password pw, int iteration) ++ throws CryptoManager.NotInitializedException, ++ ObjectNotFoundException, TokenException; + +- public byte[] getEncryptedPrivateKeyInfo(X509Certificate cert, +- PBEAlgorithm pbeAlg, Password pw, int iteration); ++ /** ++ * Get an encrypted private key, with optional password ++ * conversion. ++ * ++ * @param conv Password converter. If null, pw.getByteCopy() ++ * will be used to get password bytes. ++ * @param pw The password ++ * @param alg The encryption algorithm ++ * @param n Iteration count; default of 2000 if le 0 ++ * @param k The private key ++ */ ++ public byte[] getEncryptedPrivateKeyInfo( ++ KeyGenerator.CharToByteConverter conv, ++ Password pw, ++ Algorithm alg, ++ int n, ++ PrivateKey k); ++ ++ /** ++ * @param conv Password converter. If null, pw.getByteCopy() ++ * will be used to get password bytes. 
++ * @param pw The password ++ * @param nickname Nickname to use for private key ++ * @param pubKey Public key corresponding to private key ++ */ ++ public void importEncryptedPrivateKeyInfo( ++ KeyGenerator.CharToByteConverter conv, ++ Password pw, ++ String nickname, ++ PublicKey pubKey, ++ byte[] epkiBytes); + + //////////////////////////////////////////////////////////// + // Certs +diff --git a/org/mozilla/jss/crypto/EncryptionAlgorithm.java b/org/mozilla/jss/crypto/EncryptionAlgorithm.java +--- a/org/mozilla/jss/crypto/EncryptionAlgorithm.java ++++ b/org/mozilla/jss/crypto/EncryptionAlgorithm.java +@@ -347,12 +347,14 @@ + { 2, 16, 840, 1, 101, 3, 4, 1 } ); + + public static final EncryptionAlgorithm +- AES_128_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB, ++ AES_128_ECB = new EncryptionAlgorithm(SEC_OID_AES_128_ECB, ++ Alg.AES, Mode.ECB, + Padding.NONE, (Class)null, 16, + AES_ROOT_OID.subBranch(1), 128); + + public static final EncryptionAlgorithm +- AES_128_CBC = new EncryptionAlgorithm(CKM_AES_CBC, Alg.AES, Mode.CBC, ++ AES_128_CBC = new EncryptionAlgorithm(SEC_OID_AES_128_CBC, ++ Alg.AES, Mode.CBC, + Padding.NONE, IVParameterSpecClasses, 16, + AES_ROOT_OID.subBranch(2), 128); + +@@ -361,11 +363,13 @@ + Padding.PKCS5, IVParameterSpecClasses, 16, null, 128); // no oid + + public static final EncryptionAlgorithm +- AES_192_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB, ++ AES_192_ECB = new EncryptionAlgorithm(SEC_OID_AES_192_ECB, ++ Alg.AES, Mode.ECB, + Padding.NONE, (Class)null, 16, AES_ROOT_OID.subBranch(21), 192); + + public static final EncryptionAlgorithm +- AES_192_CBC = new EncryptionAlgorithm(CKM_AES_CBC, Alg.AES, Mode.CBC, ++ AES_192_CBC = new EncryptionAlgorithm(SEC_OID_AES_192_CBC, ++ Alg.AES, Mode.CBC, + Padding.NONE, IVParameterSpecClasses, 16, + AES_ROOT_OID.subBranch(22), 192); + +@@ -374,11 +378,13 @@ + Padding.PKCS5, IVParameterSpecClasses, 16, null, 192); // no oid + + public static final EncryptionAlgorithm +- 
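Review bot: The two new overloads `getEncryptedPrivateKeyInfo(conv, pw, alg, n, k)` and `importEncryptedPrivateKeyInfo(...)` declare no exceptions, and their Javadoc has no `@return`, no `@throws` and no entry for `epkiBytes`. The native implementation in PK11Store.c later in this patch raises NULL_POINTER_EXCEPTION, NO_SUCH_ALG_EXCEPTION, TOKEN_EXCEPTION and INVALID_DER_EXCEPTION through `JSS_throw`/`JSS_throwMsg`. I would add those failure modes to the Javadoc (and to the `throws` clause where they are checked types), plus `@param epkiBytes DER-encoded EncryptedPrivateKeyInfo to import`. The Javadoc should also say whether the caller remains responsible for clearing `pw` after the call.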
AES_256_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB, ++ AES_256_ECB = new EncryptionAlgorithm(SEC_OID_AES_256_ECB, ++ Alg.AES, Mode.ECB, + Padding.NONE, (Class)null, 16, AES_ROOT_OID.subBranch(41), 256); + + public static final EncryptionAlgorithm +- AES_256_CBC = new EncryptionAlgorithm(CKM_AES_CBC, Alg.AES, Mode.CBC, ++ AES_256_CBC = new EncryptionAlgorithm(SEC_OID_AES_256_CBC, ++ Alg.AES, Mode.CBC, + Padding.NONE, IVParameterSpecClasses, 16, + AES_ROOT_OID.subBranch(42), 256); + +diff --git a/org/mozilla/jss/pkcs11/PK11Store.c b/org/mozilla/jss/pkcs11/PK11Store.c +--- a/org/mozilla/jss/pkcs11/PK11Store.c ++++ b/org/mozilla/jss/pkcs11/PK11Store.c +@@ -31,6 +31,8 @@ + char *data; + } secuPWData; + ++SECItem *preparePassword(JNIEnv *env, jobject conv, jobject pwObj); ++ + /********************************************************************** + * PK11Store.putSymKeysInVector + */ +@@ -533,103 +535,293 @@ + + + JNIEXPORT jbyteArray JNICALL +-Java_org_mozilla_jss_pkcs11_PK11Store_getEncryptedPrivateKeyInfo +-(JNIEnv *env, jobject this, jobject certObj, jobject algObj, +- jobject pwObj, jint iteration) ++Java_org_mozilla_jss_pkcs11_PK11Store_getEncryptedPrivateKeyInfo( ++ JNIEnv *env, ++ jobject this, ++ jobject conv, ++ jobject pwObj, ++ jobject algObj, ++ jint iterations, ++ jobject key) ++{ ++ // initialisations so we can goto finish ++ SECItem *pwItem = NULL; ++ SECKEYEncryptedPrivateKeyInfo *epki = NULL; ++ SECItem epkiItem; ++ epkiItem.data = NULL; ++ epkiItem.len = 0; + +-{ +- SECKEYEncryptedPrivateKeyInfo *epki = NULL; +- jbyteArray encodedEpki = NULL; ++ PR_ASSERT(env != NULL && this != NULL); ++ ++ if (pwObj == NULL || algObj == NULL || key == NULL) { ++ JSS_throw(env, NULL_POINTER_EXCEPTION); ++ goto finish; ++ } ++ ++ if (iterations <= 0) { ++ iterations = 2000; // set default iterations ++ } ++ ++ // get slot + PK11SlotInfo *slot = NULL; +- SECOidTag algTag; +- jclass passwordClass = NULL; +- jmethodID getByteCopyMethod = NULL; +- 
jbyteArray pwArray = NULL; +- jbyte* pwchars = NULL; +- SECItem pwItem; +- CERTCertificate *cert = NULL; +- SECItem epkiItem; +- +- epkiItem.data = NULL; +- +- /* get slot */ + if( JSS_PK11_getStoreSlotPtr(env, this, &slot) != PR_SUCCESS) { + ASSERT_OUTOFMEM(env); + goto finish; + } + PR_ASSERT(slot!=NULL); +- +- /* get algorithm */ +- algTag = JSS_getOidTagFromAlg(env, algObj); +- if( algTag == SEC_OID_UNKNOWN ) { +- JSS_throwMsg(env, NO_SUCH_ALG_EXCEPTION, "Unrecognized PBE algorithm"); ++ ++ // get algorithm ++ SECOidTag algTag = JSS_getOidTagFromAlg(env, algObj); ++ if (algTag == SEC_OID_UNKNOWN) { ++ JSS_throwMsg(env, NO_SUCH_ALG_EXCEPTION, "Unrecognized algorithm"); + goto finish; + } + +- /* +- * get password +- */ +- passwordClass = (*env)->GetObjectClass(env, pwObj); +- if(passwordClass == NULL) { +- ASSERT_OUTOFMEM(env); +- goto finish; +- } +- getByteCopyMethod = (*env)->GetMethodID( +- env, +- passwordClass, +- PW_GET_BYTE_COPY_NAME, +- PW_GET_BYTE_COPY_SIG); +- if(getByteCopyMethod==NULL) { ++ pwItem = preparePassword(env, conv, pwObj); ++ if (pwItem == NULL) { + ASSERT_OUTOFMEM(env); + goto finish; + } +- pwArray = (*env)->CallObjectMethod( env, pwObj, getByteCopyMethod); +- pwchars = (*env)->GetByteArrayElements(env, pwArray, NULL); +- /* !!! Include the NULL byte or not? 
*/ +- pwItem.data = (unsigned char*) pwchars; +- pwItem.len = strlen((const char*)pwchars) + 1; + +- /* +- * get cert +- */ +- if( JSS_PK11_getCertPtr(env, certObj, &cert) != PR_SUCCESS ) { +- /* exception was thrown */ ++ // get key ++ SECKEYPrivateKey *privk; ++ if (JSS_PK11_getPrivKeyPtr(env, key, &privk) != PR_SUCCESS) { ++ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL); + goto finish; + } + +- /* +- * export the epki +- */ +- epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algTag, &pwItem, +- cert, iteration, NULL /*wincx*/); +- ++ // export the epki ++ epki = PK11_ExportEncryptedPrivKeyInfo( ++ slot, algTag, pwItem, privk, iterations, NULL /*wincx*/); + +- /* +- * DER-encode the epki +- */ +- epkiItem.data = NULL; +- epkiItem.len = 0; +- if( SEC_ASN1EncodeItem(NULL, &epkiItem, epki, +- SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate) ) == NULL ) { +- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to ASN1-encode " +- "EncryptedPrivateKeyInfo"); ++ // DER-encode the epki ++ if (SEC_ASN1EncodeItem(NULL, &epkiItem, epki, ++ SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate)) == NULL) { ++ JSS_throwMsg( ++ env, TOKEN_EXCEPTION, ++ "Failed to ASN1-encode EncryptedPrivateKeyInfo"); + goto finish; + } + +- /* +- * convert to Java byte array +- */ +- encodedEpki = JSS_SECItemToByteArray(env, &epkiItem); ++ // convert to Java byte array ++ jbyteArray encodedEpki = JSS_SECItemToByteArray(env, &epkiItem); + + finish: +- if( epki != NULL ) { ++ if (epki != NULL) { + SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE /*freeit*/); + } +- if( pwchars != NULL ) { +- (*env)->ReleaseByteArrayElements(env, pwArray, pwchars, JNI_ABORT); ++ if (epkiItem.data != NULL) { ++ SECITEM_FreeItem(&epkiItem, PR_FALSE /*freeit*/); + } +- if(epkiItem.data != NULL) { +- PR_Free(epkiItem.data); ++ if (pwItem != NULL) { ++ SECITEM_FreeItem(pwItem, PR_TRUE /*freeit*/); + } + return encodedEpki; + } ++ ++ ++JNIEXPORT void JNICALL 
++Java_org_mozilla_jss_pkcs11_PK11Store_importEncryptedPrivateKeyInfo( ++ JNIEnv *env, ++ jobject this, ++ jobject conv, ++ jobject pwObj, ++ jstring nickname, ++ jobject pubKeyObj, ++ jbyteArray epkiBytes) ++{ ++ // initialisations so we can goto finish ++ SECItem *epkiItem = NULL; ++ SECKEYEncryptedPrivateKeyInfo *epki = NULL; ++ SECItem *pwItem = NULL; ++ SECItem *spkiItem = NULL; ++ CERTSubjectPublicKeyInfo *spki = NULL; ++ SECKEYPublicKey *pubKey = NULL; ++ const char *nicknameChars = NULL; ++ ++ PR_ASSERT(env != NULL && this != NULL); ++ ++ if (pwObj == NULL || nickname == NULL || pubKeyObj == NULL) { ++ JSS_throw(env, NULL_POINTER_EXCEPTION); ++ goto finish; ++ } ++ ++ // get slot ++ PK11SlotInfo *slot = NULL; ++ if (JSS_PK11_getStoreSlotPtr(env, this, &slot) != PR_SUCCESS) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ PR_ASSERT(slot != NULL); ++ ++ // decode EncryptedPrivateKeyInfo ++ epkiItem = JSS_ByteArrayToSECItem(env, epkiBytes); ++ epki = PR_Calloc(1, sizeof(SECKEYEncryptedPrivateKeyInfo)); ++ if (SEC_ASN1DecodeItem( ++ NULL, ++ epki, ++ SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate), ++ epkiItem ++ ) != SECSuccess) { ++ JSS_throwMsg(env, INVALID_DER_EXCEPTION, ++ "Failed to decode EncryptedPrivateKeyInfo"); ++ goto finish; ++ } ++ ++ pwItem = preparePassword(env, conv, pwObj); ++ if (pwItem == NULL) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ ++ // get public key value ++ jclass pubKeyClass = (*env)->GetObjectClass(env, pubKeyObj); ++ if (pubKeyClass == NULL) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ jmethodID getEncoded = (*env)->GetMethodID( ++ env, pubKeyClass, "getEncoded", "()[B"); ++ if (getEncoded == NULL) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ jbyteArray spkiBytes = (*env)->CallObjectMethod( ++ env, pubKeyObj, getEncoded); ++ spkiItem = JSS_ByteArrayToSECItem(env, spkiBytes); ++ spki = PR_Calloc(1, sizeof(CERTSubjectPublicKeyInfo)); ++ if (SEC_ASN1DecodeItem( ++ NULL, ++ spki, ++ 
SEC_ASN1_GET(CERT_SubjectPublicKeyInfoTemplate), ++ spkiItem ++ ) != SECSuccess) { ++ JSS_throwMsg(env, INVALID_DER_EXCEPTION, ++ "Failed to decode SubjectPublicKeyInfo"); ++ goto finish; ++ } ++ ++ pubKey = SECKEY_ExtractPublicKey(spki); ++ if (pubKey == NULL) { ++ JSS_throwMsgPrErr(env, INVALID_DER_EXCEPTION, ++ "Failed to extract public key from SubjectPublicKeyInfo"); ++ goto finish; ++ } ++ ++ SECItem *pubValue; ++ switch (pubKey->keyType) { ++ case dsaKey: ++ pubValue = &pubKey->u.dsa.publicValue; ++ break; ++ case dhKey: ++ pubValue = &pubKey->u.dh.publicValue; ++ break; ++ case rsaKey: ++ pubValue = &pubKey->u.rsa.modulus; ++ break; ++ case ecKey: ++ pubValue = &pubKey->u.ec.publicValue; ++ break; ++ default: ++ pubValue = NULL; ++ } ++ ++ // prepare nickname ++ nicknameChars = (*env)->GetStringUTFChars(env, nickname, NULL); ++ if (nicknameChars == NULL) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ SECItem nickItem; ++ nickItem.data = nicknameChars; ++ nickItem.len = (*env)->GetStringUTFLength(env, nickname); ++ ++ // if keyUsage = 0, defaults to signing and encryption/key agreement. 
++ // see pk11akey.c in NSS ++ int keyUsage = 0; ++ ++ // perform import ++ SECStatus result = PK11_ImportEncryptedPrivateKeyInfo( ++ slot, epki, pwItem, &nickItem, pubValue, ++ PR_TRUE /* isperm */, PR_TRUE /* isprivate */, ++ pubKey->keyType, keyUsage, NULL /* wincx */); ++ if (result != SECSuccess) { ++ JSS_throwMsg( ++ env, TOKEN_EXCEPTION, ++ "Failed to import EncryptedPrivateKeyInfo to token"); ++ goto finish; ++ } ++ ++finish: ++ if (epkiItem != NULL) { ++ SECITEM_FreeItem(epkiItem, PR_TRUE /*freeit*/); ++ } ++ if (epki != NULL) { ++ SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE /*freeit*/); ++ } ++ if (spkiItem != NULL) { ++ SECITEM_FreeItem(spkiItem, PR_TRUE /*freeit*/); ++ } ++ if (spki != NULL) { ++ SECKEY_DestroySubjectPublicKeyInfo(spki); ++ } ++ if (pwItem != NULL) { ++ SECITEM_FreeItem(pwItem, PR_TRUE /*freeit*/); ++ } ++ if (pubKey != NULL) { ++ SECKEY_DestroyPublicKey(pubKey); ++ } ++ if (nicknameChars != NULL) { ++ (*env)->ReleaseStringUTFChars(env, nickname, nicknameChars); ++ } ++} ++ ++/* Process the given password through the given PasswordConverter, ++ * returning a new SECItem* on success. ++ * ++ * After use, the caller should free the SECItem: ++ * ++ * SECITEM_FreeItem(pwItem, PR_TRUE). 
++ */ ++SECItem *preparePassword(JNIEnv *env, jobject conv, jobject pwObj) { ++ jclass passwordClass = (*env)->GetObjectClass(env, pwObj); ++ if (passwordClass == NULL) { ++ ASSERT_OUTOFMEM(env); ++ return NULL; ++ } ++ ++ jbyteArray pwBytes; ++ ++ if (conv == NULL) { ++ jmethodID getByteCopy = (*env)->GetMethodID( ++ env, passwordClass, PW_GET_BYTE_COPY_NAME, PW_GET_BYTE_COPY_SIG); ++ if (getByteCopy == NULL) { ++ ASSERT_OUTOFMEM(env); ++ return NULL; ++ } ++ pwBytes = (*env)->CallObjectMethod(env, pwObj, getByteCopy); ++ } else { ++ jmethodID getChars = (*env)->GetMethodID( ++ env, passwordClass, "getChars", "()[C"); ++ if (getChars == NULL) { ++ ASSERT_OUTOFMEM(env); ++ return NULL; ++ } ++ jcharArray pwChars = (*env)->CallObjectMethod(env, pwObj, getChars); ++ ++ jclass convClass = (*env)->GetObjectClass(env, conv); ++ if (conv == NULL) { ++ ASSERT_OUTOFMEM(env); ++ return NULL; ++ } ++ jmethodID convert = (*env)->GetMethodID( ++ env, convClass, "convert", "([C)[B"); ++ if (convert == NULL) { ++ ASSERT_OUTOFMEM(env); ++ return NULL; ++ } ++ pwBytes = (*env)->CallObjectMethod(env, conv, convert, pwChars); ++ } ++ ++ return JSS_ByteArrayToSECItem(env, pwBytes); ++} +diff --git a/org/mozilla/jss/pkcs11/PK11Store.java b/org/mozilla/jss/pkcs11/PK11Store.java +--- a/org/mozilla/jss/pkcs11/PK11Store.java ++++ b/org/mozilla/jss/pkcs11/PK11Store.java +@@ -4,8 +4,10 @@ + + package org.mozilla.jss.pkcs11; + ++import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.crypto.*; + import org.mozilla.jss.util.*; ++import java.security.PublicKey; + import java.security.cert.CertificateEncodingException; + import java.util.Vector; + +@@ -53,8 +55,35 @@ + public native void deletePrivateKey(PrivateKey key) + throws NoSuchItemOnTokenException, TokenException; + +- public native byte[] getEncryptedPrivateKeyInfo(X509Certificate cert, +- PBEAlgorithm pbeAlg, Password pw, int iteration); ++ public byte[] getEncryptedPrivateKeyInfo( ++ X509Certificate cert, ++ PBEAlgorithm 
pbeAlg, ++ Password pw, ++ int iteration) ++ throws CryptoManager.NotInitializedException, ++ ObjectNotFoundException, TokenException { ++ return getEncryptedPrivateKeyInfo( ++ null, ++ pw, ++ pbeAlg, ++ iteration, ++ CryptoManager.getInstance().findPrivKeyByCert(cert) ++ ); ++ } ++ ++ public native byte[] getEncryptedPrivateKeyInfo( ++ KeyGenerator.CharToByteConverter conv, ++ Password pw, ++ Algorithm alg, ++ int n, ++ PrivateKey k); ++ ++ public native void importEncryptedPrivateKeyInfo( ++ KeyGenerator.CharToByteConverter conv, ++ Password pw, ++ String nickname, ++ PublicKey pubKey, ++ byte[] epkiBytes); + + //////////////////////////////////////////////////////////// + // Certs +diff --git a/org/mozilla/jss/util/jss_exceptions.h b/org/mozilla/jss/util/jss_exceptions.h +--- a/org/mozilla/jss/util/jss_exceptions.h ++++ b/org/mozilla/jss/util/jss_exceptions.h +@@ -47,6 +47,8 @@ + + #define INTERRUPTED_IO_EXCEPTION "java/io/InterruptedIOException" + ++#define INVALID_DER_EXCEPTION "org/mozilla/jss/crypto/InvalidDERException" ++ + #define INVALID_NICKNAME_EXCEPTION "org/mozilla/jss/util/InvalidNicknameException" + + #define INVALID_KEY_FORMAT_EXCEPTION "org/mozilla/jss/crypto/InvalidKeyFormatException" +# HG changeset patch +# User Fraser Tweedale +# Date 1493335326 25200 +# Thu Apr 27 16:22:06 2017 -0700 +# Node ID ead2ea094c98ddc708169c3de411ca8d8883cab8 +# Parent c8885dd6787639d74a1c9d634fd289ff17fa6f02 +Bug 1359731 - CryptoStore.importPrivateKey enhancements, r=cfu + +- Enhance CryptoStore.importPrivateKey to support temporary import, and +- returning the private key to the caller. +- Also remove some validation of the unused keyType argument. 
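Review bot: The new native declarations `getEncryptedPrivateKeyInfo(conv, pw, alg, n, k)` and `importEncryptedPrivateKeyInfo(conv, pw, nickname, pubKey, epkiBytes)` have no `throws` clause and no Javadoc, although the native code added by this same patch raises `TOKEN_EXCEPTION`, `NO_SUCH_ALG_EXCEPTION` and `INVALID_DER_EXCEPTION` from them. `TokenException` is already declared by the wrapper above, so it is presumably checked; left undeclared, it reaches callers who were never made to handle a failed key export or import. I would declare the exceptions on both natives, for the import `throws TokenException, InvalidDERException;`, and rename `int n` to `iterations`. A short Javadoc should also say that a null `conv` makes the native side use the password's byte copy instead of a converter, since that choice changes the password bytes handed to NSS.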
+
+diff --git a/org/mozilla/jss/crypto/CryptoStore.java b/org/mozilla/jss/crypto/CryptoStore.java
+--- a/org/mozilla/jss/crypto/CryptoStore.java
++++ b/org/mozilla/jss/crypto/CryptoStore.java
+@@ -21,17 +21,30 @@
+ ////////////////////////////////////////////////////////////
+
+ /**
+- * Imports a raw private key into this token.
++ * Imports a raw private key into this token (permanently).
+ *
+ * @param key The private key.
+ * @exception TokenException If the key cannot be imported to this token.
+ * @exception KeyAlreadyImportedException If the key already exists on this token.
+ */
+- public void
++ public PrivateKey
+ importPrivateKey( byte[] key,
+ PrivateKey.Type type )
+ throws TokenException, KeyAlreadyImportedException;
+
++ /**
++ * Imports a raw private key into this token.
++ *
++ * @param key The private key.
++ * @param temporary Whether the key should be temporary.
++ * @exception TokenException If the key cannot be imported to this token.
++ * @exception KeyAlreadyImportedException If the key already exists on this token.
++ */
++ public PrivateKey
++ importPrivateKey( byte[] key,
++ PrivateKey.Type type, boolean temporary)
++ throws TokenException, KeyAlreadyImportedException;
++
+
+ /**
+ * Returns all private keys stored on this token.
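Review bot: The Javadoc on both `importPrivateKey` overloads omits `@return` and `@param type`, even though the return type changes from `void` to `PrivateKey` and the changeset description calls the key type argument unused. I would add `@param type The key type (not validated by the PK11Store implementation).` and `@return The imported key.` to each. `@param temporary` should also say what the native side does with it: `PK11Store.c` in this patch passes `!temporary` as `isPerm`, so a temporary key is imported as a non-permanent object. The native three-argument overload added to `PK11Store.java` further down has no Javadoc at all and needs the same text.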
+diff --git a/org/mozilla/jss/pkcs11/PK11Store.c b/org/mozilla/jss/pkcs11/PK11Store.c +--- a/org/mozilla/jss/pkcs11/PK11Store.c ++++ b/org/mozilla/jss/pkcs11/PK11Store.c +@@ -429,22 +429,22 @@ + int PK11_NumberObjectsFor(PK11SlotInfo*, CK_ATTRIBUTE*, int); + + /*********************************************************************** +- * importPrivateKey ++ * PK11Store.importdPrivateKey + */ +-static void +-importPrivateKey ++JNIEXPORT jobject JNICALL ++Java_org_mozilla_jss_pkcs11_PK11Store_importPrivateKey + ( JNIEnv *env, + jobject this, + jbyteArray keyArray, + jobject keyTypeObj, +- PRBool temporary ) ++ jboolean temporary ) + { + SECItem derPK; + PK11SlotInfo *slot; + jthrowable excep; +- KeyType keyType; + SECStatus status; + SECItem nickname; ++ jobject privkObj = NULL; + + /* + * initialize so we can goto finish +@@ -452,13 +452,6 @@ + derPK.data = NULL; + derPK.len = 0; + +- +- keyType = JSS_PK11_getKeyType(env, keyTypeObj); +- if( keyType == nullKey ) { +- /* exception was thrown */ +- goto finish; +- } +- + PR_ASSERT(env!=NULL && this!=NULL); + + if(keyArray == NULL) { +@@ -492,14 +485,22 @@ + nickname.len = 0; + nickname.data = NULL; + +- status = PK11_ImportDERPrivateKeyInfo(slot, &derPK, &nickname, +- NULL /*public value*/, PR_TRUE /*isPerm*/, +- PR_TRUE /*isPrivate*/, 0 /*keyUsage*/, NULL /*wincx*/); ++ SECKEYPrivateKey *privk = NULL; ++ status = PK11_ImportDERPrivateKeyInfoAndReturnKey( ++ slot, &derPK, &nickname, ++ NULL /*public value*/, !temporary /*isPerm*/, ++ PR_TRUE /*isPrivate*/, 0 /*keyUsage*/, ++ &privk, NULL /*wincx*/); + if(status != SECSuccess) { + JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to import private key info"); + goto finish; + } + ++ privkObj = JSS_PK11_wrapPrivKey(env, &privk); ++ if (privkObj == NULL) { ++ goto finish; ++ } ++ + finish: + /* Save any exceptions */ + if( (excep=(*env)->ExceptionOccurred(env)) ) { +@@ -515,24 +516,11 @@ + if( excep ) { + (*env)->Throw(env, excep); + } ++ return privkObj; + } + + extern const 
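Review bot: `SECKEYPrivateKey *privk = NULL;` is declared in the middle of the body rather than with the other locals, and nothing in the visible part of `finish:` releases it, so whether the key handle is freed when `JSS_PK11_wrapPrivKey(env, &privk)` returns NULL depends on that helper, which is not shown. I would move the declaration up next to `jobject privkObj = NULL;` and record the ownership rule at the call, e.g. `/* wrapPrivKey takes ownership of privk — confirm it also frees on failure */`. A cleanup added under `finish:` later would otherwise read an uninitialised pointer on the early `goto finish` paths. The function body continues between and after these hunks. The header comment also carries the typo `importdPrivateKey`.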
SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[]; + +-/*********************************************************************** +- * PK11Store.importdPrivateKey +- */ +-JNIEXPORT void JNICALL +-Java_org_mozilla_jss_pkcs11_PK11Store_importPrivateKey +- ( JNIEnv *env, +- jobject this, +- jbyteArray keyArray, +- jobject keyTypeObj ) +-{ +- importPrivateKey(env, this, keyArray, +- keyTypeObj, PR_FALSE /* not temporary */); +-} +- + + JNIEXPORT jbyteArray JNICALL + Java_org_mozilla_jss_pkcs11_PK11Store_getEncryptedPrivateKeyInfo( +diff --git a/org/mozilla/jss/pkcs11/PK11Store.java b/org/mozilla/jss/pkcs11/PK11Store.java +--- a/org/mozilla/jss/pkcs11/PK11Store.java ++++ b/org/mozilla/jss/pkcs11/PK11Store.java +@@ -23,9 +23,15 @@ + * @exception TokenException If the key cannot be imported to this token. + * @exception KeyAlreadyImportedException If the key already on this token. + */ +- public native void +- importPrivateKey( byte[] key, +- PrivateKey.Type type ) ++ public PrivateKey ++ importPrivateKey(byte[] key, PrivateKey.Type type) ++ throws TokenException,KeyAlreadyImportedException { ++ return importPrivateKey(key, type, false); ++ } ++ ++ public native PrivateKey ++ importPrivateKey( ++ byte[] key, PrivateKey.Type type, boolean temporary) + throws TokenException,KeyAlreadyImportedException; + + public synchronized PrivateKey[] +# HG changeset patch +# User Matthew Harmsen +# Date 1493389838 25200 +# Fri Apr 28 07:30:38 2017 -0700 +# Node ID 4ee5af07d6d8fd7efe60d130d3e7593f6e12e642 +# Parent ead2ea094c98ddc708169c3de411ca8d8883cab8 +Bug 1352476 - RFE: Document on the README how to create a release tag, r=emaldona + +diff --git a/README b/README +--- a/README ++++ b/README +@@ -158,7 +158,40 @@ + be necessary. + + +-(7) Known Issues ++(7) Tagging the Source Code for a Release ++ ++ During development, several releases may be made. 
Consequently, it is ++ good practice to create a "regular tag" to the source code at these ++ various points in time using the following format: ++ ++ # hg tag -m "message" JSS___YYYYMMDD ++ ++ where: = JSS Major Version Number ++ = JSS Minor Version Number ++ YYYY = 4-digit year (e. g. - 2017) ++ MM = 2-digit month (e. g. - 01, ..., 12) ++ DD = 2-digit day of the month (e. g. - 01, ..., 31) ++ ++ For example: ++ ++ # hg id ++ b3e864205ff0+ tip ++ ++ # hg tag -m "Added tag JSS_4_4_20170328 for changeset b3e864205ff0" JSS_4_4_20170328 ++ ++ At the appropriate time, a new major.minor version may be created. At this ++ time, it is important to create a maintenance branch for any future changes ++ to the previous major.minor version: ++ ++ For example: ++ ++ # hg id ++ f00f00f00f00+ tip ++ ++ # hg branch -m "Created branch JSS_4_4_BRANCH for changeset f00f00f00f00" JSS_4_4_BRANCH ++ ++ ++(8) Known Issues + + * Mozilla Bug #1346410 - Load JSS libraries appropriately + diff --git a/SOURCES/jss-support-TLS1_1-TLS1_2.patch b/SOURCES/jss-support-TLS1_1-TLS1_2.patch deleted file mode 100644 index 7fd2207..0000000 --- a/SOURCES/jss-support-TLS1_1-TLS1_2.patch +++ /dev/null 
@@ -1,345 +0,0 @@ -diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuSaved jss-4.2.6/mozilla/security/jss/lib/jss.def ---- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuSaved 2014-09-29 14:12:27.560206348 -0700 -+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2014-09-29 14:12:34.376194464 -0700 -@@ -334,6 +334,8 @@ Java_org_mozilla_jss_CryptoManager_setOC - Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; - Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative; - Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid; -+Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange; -+Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault; - ;+ local: - ;+ *; - ;+}; -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfuSaved 2014-09-29 14:12:27.565206339 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2014-09-29 14:13:33.222091053 -0700 -@@ -56,6 +56,105 @@ - #endif - - -+/* -+ * support TLS v1.1 and v1.2 -+ * sets default SSL version range for sockets created after this call -+ */ -+JNIEXPORT void JNICALL -+Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault(JNIEnv *env, -+ jclass clazz, jint ssl_variant, jint min, jint max) -+{ -+ SECStatus status; -+ SSLVersionRange vrange; -+ -+ if (ssl_variant <0 || ssl_variant >= JSSL_enums_size|| -+ min <0 || min >= JSSL_enums_size || -+ max <0 || max >= JSSL_enums_size) { -+ char buf[128]; -+ PR_snprintf(buf, 128, "JSS setSSLVersionRangeDefault(): for variant=%d min=%d max=%d failed - out of range for array JSSL_enums size: %d", JSSL_enums[ssl_variant], min, max, JSSL_enums_size); -+ JSSL_throwSSLSocketException(env, buf); -+ goto finish; -+ } -+ -+ vrange.min = JSSL_enums[min]; -+ vrange.max = JSSL_enums[max]; -+ -+ /* get supported range */ -+ SSLVersionRange supported_range; -+ status = 
SSL_VersionRangeGetSupported(JSSL_enums[ssl_variant], -+ &supported_range); -+ if( status != SECSuccess ) { -+ char buf[128]; -+ PR_snprintf(buf, 128, "SSL_VersionRangeGetSupported() for variant=%d failed: %d", JSSL_enums[ssl_variant], PR_GetError()); -+ JSSL_throwSSLSocketException(env, buf); -+ goto finish; -+ } -+ /* now check the min and max */ -+ if (vrange.min < supported_range.min || -+ vrange.max > supported_range.max) { -+ char buf[128]; -+ PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d out of range (%d:%d): %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, supported_range.min, supported_range.max, PR_GetError()); -+ JSSL_throwSSLSocketException(env, buf); -+ goto finish; -+ } -+ -+ /* set the default SSL Version Range */ -+ status = SSL_VersionRangeSetDefault(JSSL_enums[ssl_variant], -+ &vrange); -+ if( status != SECSuccess ) { -+ char buf[128]; -+ PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d failed: %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, PR_GetError()); -+ JSSL_throwSSLSocketException(env, buf); -+ goto finish; -+ } -+ -+finish: -+ return; -+} -+ -+/* -+ * support TLS v1.1 and v1.2 -+ * sets SSL version range for this socket -+ */ -+JNIEXPORT void JNICALL -+Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange -+ (JNIEnv *env, jobject self, jint min, jint max) -+{ -+ SECStatus status; -+ JSSL_SocketData *sock = NULL; -+ SSLVersionRange vrange; -+ -+ if ( min <0 || min >= JSSL_enums_size || -+ max <0 || max >= JSSL_enums_size) { -+ char buf[128]; -+ PR_snprintf(buf, 128, "JSS setSSLVersionRange(): for max=%d failed - out of range for array JSSL_enums size: %d", min, max, JSSL_enums_size); -+ JSSL_throwSSLSocketException(env, buf); -+ goto finish; -+ } -+ -+ /* get my fd */ -+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) { -+ goto finish; -+ } -+ -+ vrange.min = JSSL_enums[min]; -+ vrange.max = JSSL_enums[max]; -+ -+ /* -+ * set the SSL Version 
Range -+ * The validity of the range will be checked by this NSS call -+ */ -+ status = SSL_VersionRangeSet(sock->fd, &vrange); -+ if( status != SECSuccess ) { -+ JSSL_throwSSLSocketException(env, "SSL_VersionRangeSet failed"); -+ goto finish; -+ } -+ -+finish: -+ EXCEPTION_CHECK(env, sock) -+ return; -+} -+ - JNIEXPORT void JNICALL - Java_org_mozilla_jss_ssl_SSLSocket_setSSLDefaultOption(JNIEnv *env, - jclass clazz, jint joption, jint on) -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java.cfuSaved 2014-09-29 14:12:27.566206338 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2014-09-29 14:12:34.377194462 -0700 -@@ -36,6 +36,7 @@ - - package org.mozilla.jss.ssl; - -+import java.lang.IllegalArgumentException; - import java.net.*; - import java.net.SocketException; - import java.net.SocketTimeoutException; -@@ -948,6 +949,63 @@ public class SSLSocket extends java.net. 
- setSSLDefaultOption(SocketBase.SSL_NO_CACHE, !b); - } - -+ /* -+ * _min_enum and _max_enum should be one of the following: -+ * SocketBase.SSL_LIBRARY_VERSION_3_0 -+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_0 -+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_1 -+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_2 -+ */ -+ public static class SSLVersionRange { -+ private int _min_enum; -+ private int _max_enum; -+ public static final int ssl3 = SocketBase.SSL_LIBRARY_VERSION_3_0; -+ public static final int tls1_0 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_0; -+ public static final int tls1_1 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_1; -+ public static final int tls1_2 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_2; -+ public SSLVersionRange(int min_enum, int max_enum) -+ throws IllegalArgumentException { -+ if ((min_enum >= SocketBase.SSL_LIBRARY_VERSION_3_0) && -+ (max_enum <= SocketBase.SSL_LIBRARY_VERSION_TLS_1_2) && -+ (min_enum <= max_enum)) { -+ _min_enum = min_enum; -+ _max_enum = max_enum; -+ } else { -+ throw new IllegalArgumentException("JSS SSLSocket SSLVersionRange: arguments out of range"); -+ } -+ } -+ -+ int getMinEnum() { return _min_enum; } -+ int getMaxEnum() { return _max_enum; } -+ -+ } -+ -+ public static class SSLProtocolVariant { -+ private int _enum; -+ private SSLProtocolVariant(int val) { _enum = val; } -+ -+ int getEnum() { return _enum; } -+ -+ public static final SSLProtocolVariant STREAM = -+ new SSLProtocolVariant(SocketBase.SSL_Variant_Stream); -+ public static final SSLProtocolVariant DATA_GRAM = -+ new SSLProtocolVariant(SocketBase.SSL_Variant_Datagram); -+ -+ } -+ -+ public static void setSSLVersionRangeDefault(SSLProtocolVariant ssl_variant, SSLVersionRange range) -+ throws SocketException -+ { -+ if (range == null) -+ throw new SocketException("setSSLVersionRangeDefault: range null"); -+ setSSLVersionRangeDefault(ssl_variant.getEnum(), range.getMinEnum(), range.getMaxEnum()); -+ } -+ -+ /** -+ * Sets SSL Version Range Default -+ */ -+ private static native 
void setSSLVersionRangeDefault(int ssl_variant, int min, int max) -+ throws SocketException; - - private static void setSSLDefaultOption(int option, boolean on) - throws SocketException -@@ -1221,6 +1279,8 @@ public class SSLSocket extends java.net. - public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063; - public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065; - public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066; -+ public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067; -+ public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B; - - // New TLS cipher suites in NSS 3.4 - public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F; -@@ -1236,6 +1296,10 @@ public class SSLSocket extends java.net. - public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038; - public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039; - public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A; -+ public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003B; -+ public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C; -+ public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D; -+ - - public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041; - public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042; -@@ -1251,6 +1315,12 @@ public class SSLSocket extends java.net. 
- public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088; - public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089; - -+ public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096; -+ -+ public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C; -+ public final static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E; -+ public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2; -+ - public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001; - public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002; - public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003; -@@ -1281,5 +1351,13 @@ public class SSLSocket extends java.net. - public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018; - public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019; - -+ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023; -+ public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027; -+ -+ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02B; -+ public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D; -+ public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02F; -+ public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031; -+ - } - -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java.cfuSaved 2014-09-29 14:12:27.564206341 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2014-09-29 14:12:34.378194460 -0700 -@@ -114,6 +114,15 @@ class SocketBase { - static final int SSL_REQUIRE_ALWAYS = 19; - static final int SSL_REQUIRE_FIRST_HANDSHAKE = 20; - static final int SSL_REQUIRE_NO_ERROR = 21; -+ /* ssl/sslproto.h for supporting SSLVersionRange */ -+ static final int SSL_LIBRARY_VERSION_2 = 22; -+ static final int 
SSL_LIBRARY_VERSION_3_0 = 23; -+ static final int SSL_LIBRARY_VERSION_TLS_1_0 = 24; -+ static final int SSL_LIBRARY_VERSION_TLS_1_1 = 25; -+ static final int SSL_LIBRARY_VERSION_TLS_1_2 = 26; -+ /* ssl/sslt.h */ -+ static final int SSL_Variant_Stream = 27; -+ static final int SSL_Variant_Datagram = 28; - - - static final int SSL_AF_INET = 50; -@@ -190,6 +199,18 @@ class SocketBase { - native void setSSLOption(int option, int on) - throws SocketException; - -+ void setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range) -+ throws SocketException -+ { -+ setSSLVersionRange(range.getMinEnum(), range.getMaxEnum()); -+ } -+ -+ /** -+ * Sets SSL Version Range for this socket to support TLS v1.1 and v1.2 -+ */ -+ native void setSSLVersionRange(int min, int max) -+ throws SocketException; -+ - /** - * Sets the SSL option setting mode value use for options - * that have more values than just enable/diasable. -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c.cfuSaved 2014-09-29 14:12:27.562206345 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2014-09-29 14:12:34.378194460 -0700 -@@ -38,6 +38,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -407,8 +408,16 @@ PRInt32 JSSL_enums[] = { - SSL_REQUIRE_ALWAYS, /* 19 */ /* ssl.h */ - SSL_REQUIRE_FIRST_HANDSHAKE,/* 20 */ /* ssl.h */ - SSL_REQUIRE_NO_ERROR, /* 21 */ /* ssl.h */ -+ SSL_LIBRARY_VERSION_2, /* 22 */ /* sslproto.h */ -+ SSL_LIBRARY_VERSION_3_0, /* 23 */ /* sslproto.h */ -+ SSL_LIBRARY_VERSION_TLS_1_0, /* 24 */ /* sslproto.h */ -+ SSL_LIBRARY_VERSION_TLS_1_1, /* 25 */ /* sslproto.h */ -+ SSL_LIBRARY_VERSION_TLS_1_2, /* 26 */ /* sslproto.h */ -+ ssl_variant_stream, /* 27 */ /* sslt.h */ -+ ssl_variant_datagram, /* 28 */ /* sslt.h */ - 0 - }; -+ - - - JNIEXPORT void JNICALL -diff -up 
jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h.cfuSaved 2014-09-29 14:12:27.563206343 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h 2014-09-29 14:13:59.605044228 -0700 -@@ -111,6 +111,7 @@ JSSL_DestroySocketData(JNIEnv *env, JSSL - - - extern PRInt32 JSSL_enums[]; -+#define JSSL_enums_size 29 - - JSSL_SocketData* - JSSL_CreateSocketData(JNIEnv *env, jobject sockObj, PRFileDesc* newFD, -diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java ---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java.cfuSaved 2014-09-29 14:12:27.567206336 -0700 -+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java 2014-09-29 14:12:34.379194458 -0700 -@@ -149,6 +149,21 @@ public interface Constants { - /*52*/ new cipher(SSLSocket.SSL2_DES_64_CBC_WITH_MD5, "SSL2_DES_64_CBC_WITH_MD5"), - /*53*/ new cipher(SSLSocket.SSL2_RC4_128_EXPORT40_WITH_MD5, "SSL2_RC4_128_EXPORT40_WITH_MD5"), - /*54*/ new cipher(SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"), -+/*55*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"), -+/*56*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"), -+/*57*/ new cipher(SSLSocket.TLS_RSA_WITH_NULL_SHA256, "TLS_RSA_WITH_NULL_SHA256"), -+/*58*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256"), -+/*59*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256"), -+/*60*/ new cipher(SSLSocket.TLS_RSA_WITH_SEED_CBC_SHA, "TLS_RSA_WITH_SEED_CBC_SHA"), -+/*61*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256"), -+/*62*/ new 
cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"), -+/*63*/ new cipher(SSLSocket.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"), -+/*64*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"), -+/*65*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"), -+/*66*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), -+/*67*/ new cipher(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"), -+/*68*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"), -+/*69*/ new cipher(SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256") - }; - - /** Cipher supported by JSSE (JDK 1.5.x) */ diff --git a/SOURCES/jss-symkey-enhancements.patch b/SOURCES/jss-symkey-enhancements.patch deleted file mode 100644 index 248ba76..0000000 --- a/SOURCES/jss-symkey-enhancements.patch +++ /dev/null 
@@ -1,1855 +0,0 @@
-diff -up ./mozilla/security/jss/build_java.pl.jmagne ./mozilla/security/jss/build_java.pl
---- ./mozilla/security/jss/build_java.pl.jmagne 2016-04-14 13:56:16.946920239 -0700
-+++ ./mozilla/security/jss/build_java.pl 2016-04-14 14:53:08.501298062 -0700
-@@ -31,7 +31,8 @@ org.mozilla.jss.pkcs11.PK11MessageDigest
- org.mozilla.jss.pkcs11.PK11PrivKey
- org.mozilla.jss.pkcs11.PK11PubKey
- org.mozilla.jss.pkcs11.PK11SymKey
--org.mozilla.jss.pkcs11.PK11KeyPairGenerator
-+org.mozilla.jss.pkcs11.PK11KeyPairGenerator
-+org.mozilla.jss.pkcs11.PK11SymmetricKeyDeriver
- org.mozilla.jss.pkcs11.PK11KeyGenerator
- org.mozilla.jss.pkcs11.PK11Token
- org.mozilla.jss.pkcs11.PrivateKeyProxy
-diff -up ./mozilla/security/jss/lib/jss.def.jmagne ./mozilla/security/jss/lib/jss.def
---- ./mozilla/security/jss/lib/jss.def.jmagne 2016-04-14 16:00:06.229534228 -0700
-+++ ./mozilla/security/jss/lib/jss.def 2016-04-14 16:00:32.229356314 -0700
-@@ -158,6 +158,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de
- Java_org_mozilla_jss_pkcs11_PK11Store_importPrivateKey;
- Java_org_mozilla_jss_pkcs11_PK11Store_putCertsInVector;
- Java_org_mozilla_jss_pkcs11_PK11Store_putKeysInVector;
-+Java_org_mozilla_jss_pkcs11_PK11Store_putSymKeysInVector;
- Java_org_mozilla_jss_pkcs11_SigContextProxy_releaseNativeResources;
- Java_org_mozilla_jss_pkcs11_PK11RSAPublicKey_getModulusByteArray;
- Java_org_mozilla_jss_pkcs11_PK11RSAPublicKey_getPublicExponentByteArray;
-@@ -336,6 +337,8 @@ Java_org_mozilla_jss_CryptoManager_verif
- Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid;
- Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange;
- Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault;
-+Java_org_mozilla_jss_pkcs11_PK11SymmetricKeyDeriver_nativeDeriveSymKey;
-+Java_org_mozilla_jss_pkcs11_PK11SymKey_setNickNameNative;
- ;+ local:
- ;+ *;
- ;+};
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
---- 
./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.jmagne 2016-04-14 16:02:38.108494940 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2016-04-14 16:02:47.243432431 -0700
-@@ -114,6 +114,11 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
- /* 51 */ {SEC_OID_PKCS5_PBKDF2, SEC_OID_TAG},
- /* 52 */ {SEC_OID_PKCS5_PBES2, SEC_OID_TAG},
- /* 53 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG},
-+/* 54 */ {SEC_OID_HMAC_SHA1,SEC_OID_TAG},
-+/* 55 */ {SEC_OID_HMAC_SHA224,SEC_OID_TAG},
-+/* 56 */ {SEC_OID_HMAC_SHA256,SEC_OID_TAG},
-+/* 57 */ {SEC_OID_HMAC_SHA384,SEC_OID_TAG},
-+/* 58 */ {SEC_OID_HMAC_SHA512,SEC_OID_TAG}
- /* REMEMBER TO UPDATE NUM_ALGS!!! */
- };
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.jmagne 2016-04-14 11:30:41.871517926 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2016-04-14 11:30:54.933436860 -0700
-@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
- JSS_AlgType type;
- } JSS_AlgInfo;
-
--#define NUM_ALGS 54
-+#define NUM_ALGS 59
-
- extern JSS_AlgInfo JSS_AlgTable[];
- extern CK_ULONG JSS_symkeyUsage[];
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.jmagne 2016-04-14 16:06:13.388021812 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2016-04-14 16:06:27.537924813 -0700
-@@ -237,5 +237,9 @@ public class Algorithm {
- protected static final short SEC_OID_PKCS5_PBKDF2=51;
- protected static final short SEC_OID_PKCS5_PBES2=52;
- protected static final short SEC_OID_PKCS5_PBMAC1=53;
--
-+ protected static final short SEC_OID_HMAC_SHA1=54;
-+ protected static final short SEC_OID_HMAC_SHA224=55;
-+ protected static final short SEC_OID_HMAC_SHA256=56;
-+ protected static final short 
SEC_OID_HMAC_SHA384=57;
-+ protected static final short SEC_OID_HMAC_SHA512=58;
- }
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoStore.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoStore.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoStore.java.jmagne 2016-04-14 17:03:33.504298176 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoStore.java 2016-04-14 17:03:42.198238112 -0700
-@@ -75,6 +75,18 @@ public interface CryptoStore {
- getPrivateKeys() throws TokenException;
-
- /**
-+ * Returns all symmetric keys stored on this token.
-+ *
-+ * @return An array of all symmetric keys stored on this token.
-+ * @exception TokenException If an error occurs on the token while
-+ * gathering the keys.
-+ */
-+ public SymmetricKey[]
-+ getSymmetricKeys() throws TokenException;
-+
-+
-+
-+ /**
- * Deletes the given PrivateKey from the CryptoToken.
- * This is a very dangerous call: it deletes the key from the underlying
- * token. After calling this, the PrivateKey passed in must no longer
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java.jmagne 2016-04-14 16:07:39.458429756 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2016-04-14 16:07:52.266341595 -0700
-@@ -92,6 +92,9 @@ public interface CryptoToken {
- getCipherContext(EncryptionAlgorithm algorithm)
- throws java.security.NoSuchAlgorithmException, TokenException;
-
-+ public abstract SymmetricKeyDeriver getSymmetricKeyDeriver()
-+ throws TokenException;
-+
- public abstract KeyWrapper
- getKeyWrapper(KeyWrapAlgorithm algorithm)
- throws java.security.NoSuchAlgorithmException, TokenException;
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java
---- 
./mozilla/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java.jmagne 2016-04-14 16:09:02.858855679 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java 2016-04-14 16:09:18.048751121 -0700
-@@ -85,4 +85,21 @@ public class HMACAlgorithm extends Diges
- public static final HMACAlgorithm SHA1 = new HMACAlgorithm
- (CKM_SHA_1_HMAC, "SHA-1-HMAC",
- OBJECT_IDENTIFIER.ALGORITHM.subBranch(26), 20);
-+
-+ public static final HMACAlgorithm SHA224 = new HMACAlgorithm
-+ (SEC_OID_HMAC_SHA224, "SHA-224-HMAC",
-+ OBJECT_IDENTIFIER.RSADSI.subBranch(8), 28);
-+
-+ public static final HMACAlgorithm SHA256 = new HMACAlgorithm
-+ (SEC_OID_HMAC_SHA256, "SHA-256-HMAC",
-+ OBJECT_IDENTIFIER.RSADSI.subBranch(9), 32);
-+
-+ public static final HMACAlgorithm SHA384 = new HMACAlgorithm
-+ (SEC_OID_HMAC_SHA384, "SHA-384-HMAC",
-+ OBJECT_IDENTIFIER.RSADSI.subBranch(10), 48);
-+
-+ public static final HMACAlgorithm SHA512 = new HMACAlgorithm
-+ (SEC_OID_HMAC_SHA512, "SHA-512-HMAC",
-+ OBJECT_IDENTIFIER.RSADSI.subBranch(11), 64);
-+
- }
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java.jmagne 2016-04-14 16:10:43.930159965 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2016-04-14 16:10:55.377081172 -0700
-@@ -133,4 +133,21 @@ public interface KeyWrapper {
- throws TokenException, IllegalStateException,
- InvalidAlgorithmParameterException;
-
-+ public SymmetricKey unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
-+ SymmetricKey.Usage usage, int keyLength)
-+ throws TokenException, IllegalStateException,
-+ InvalidAlgorithmParameterException;
-+
-+ /**
-+ * Unwraps a key and allows it to be used for all operations.
-+ * @param keyLength The expected length of the key in bytes. This is
-+ * only used for variable-length keys (RC4) and non-padding
-+ * algorithms. 
Otherwise, it can be set to anything(like 0).
-+ */
-+ public SymmetricKey unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
-+ int keyLength)
-+ throws TokenException, IllegalStateException,
-+ InvalidAlgorithmParameterException;
-+
-+
- }
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java.jmagne 2016-04-14 16:36:36.080464052 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java 2016-04-14 16:36:49.784369514 -0700
-@@ -0,0 +1,79 @@
-+/* ***** BEGIN LICENSE BLOCK *****
-+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
-+ *
-+ * The contents of this file are subject to the Mozilla Public License Version
-+ * 1.1 (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ * http://www.mozilla.org/MPL/
-+ *
-+ * Software distributed under the License is distributed on an "AS IS" basis,
-+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-+ * for the specific language governing rights and limitations under the
-+ * License.
-+ *
-+ * The Original Code is the Netscape Security Services for Java.
-+ *
-+ * The Initial Developer of the Original Code is
-+ * Netscape Communications Corporation.
-+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
-+ * the Initial Developer. All Rights Reserved.
-+ *
-+ * Contributor(s):
-+ *
-+ * Alternatively, the contents of this file may be used under the terms of
-+ * either the GNU General Public License Version 2 or later (the "GPL"), or
-+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-+ * in which case the provisions of the GPL or the LGPL are applicable instead
-+ * of those above. 
If you wish to allow use of your version of this file only
-+ * under the terms of either the GPL or the LGPL, and not to allow others to
-+ * use your version of this file under the terms of the MPL, indicate your
-+ * decision by deleting the provisions above and replace them with the notice
-+ * and other provisions required by the GPL or the LGPL. If you do not delete
-+ * the provisions above, a recipient may use your version of this file under
-+ * the terms of any one of the MPL, the GPL or the LGPL.
-+ *
-+ * ***** END LICENSE BLOCK ***** */
-+
-+package org.mozilla.jss.crypto;
-+
-+import java.security.spec.AlgorithmParameterSpec;
-+import java.security.InvalidAlgorithmParameterException;
-+import java.security.PublicKey;
-+import java.security.InvalidKeyException;
-+
-+public interface SymmetricKeyDeriver {
-+
-+ /* Use with the encrypt type mechanisms
-+ Example: initDerive(
-+ symKey, (PKCS11Constants.CKM_DES3_ECB_ENCRYPT_DATA) 4354L, derivationData, null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE, 16);
-+ */
-+
-+ public abstract void initDerive(SymmetricKey baseKey,
-+ long deriveMech, byte[] param, byte[] iv, long targetMech, long operation, long keySize)
-+ throws InvalidKeyException;
-+
-+
-+
-+ /* Use with key extraction and key concatanation mechanisms
-+
-+ Example:
-+ param: byte array that has the bit position of where to extract
-+ initDerive(
-+ derivedKey, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null,
-+ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,8);
-+
-+
-+ initDerive(
-+ baseSymKey,secondarySymKey, PKCS11Constants.CKM_CONCATENATE_BASE_AND_KEY,null,null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,0);
-+
-+ */
-+
-+ public abstract void initDerive(SymmetricKey baseKey,
-+ SymmetricKey secondaryKey, long deriveMech, byte[] param, byte[] iv, long targetMech, long operation, long keySize)
-+ throws InvalidKeyException;
-+
-+ public abstract SymmetricKey derive()
-+ throws TokenException; 
-+}
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKey.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKey.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKey.java.jmagne 2016-04-14 16:11:50.865699222 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKey.java 2016-04-14 16:12:02.768617289 -0700
-@@ -71,6 +71,10 @@ public interface SymmetricKey {
-
- String getFormat();
-
-+ String getNickName();
-+
-+ void setNickName(String nickName);
-+
- public final static class Type {
- // all names converted to lowercase for case insensitivity
- private static Hashtable nameMap = new Hashtable();
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/manifest.mn.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/manifest.mn
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/manifest.mn.jmagne 2016-04-14 16:15:59.271989344 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/manifest.mn 2016-04-14 16:16:10.670910881 -0700
-@@ -64,6 +64,7 @@ CSRCS = \
- PK11Store.c \
- PK11SymKey.c \
- PK11Token.c \
-+ PK11SymmetricKeyDeriver.c \
- $(NULL)
-
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.jmagne 2016-04-14 16:17:29.760366477 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2016-04-14 16:17:58.742166983 -0700
-@@ -519,7 +519,7 @@ JNIEXPORT jobject JNICALL
- Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymWithSym
- (JNIEnv *env, jclass clazz, jobject tokenObj, jobject unwrapperObj,
- jbyteArray wrappedBA, jobject wrapAlgObj, jobject typeAlgObj,
-- jint keyLen, jbyteArray ivBA, jint usageEnum)
-+ jint keyLen, jbyteArray ivBA, jint usageEnum,jboolean temporary)
- {
- PK11SymKey *symKey=NULL, *wrappingKey=NULL;
- CK_MECHANISM_TYPE wrappingMech, keyTypeMech;
-@@ -527,6 +527,7 @@ 
Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- jobject keyObj = NULL;
- CK_ULONG operation;
- CK_FLAGS flags;
-+ PRBool isPermanent = PR_FALSE;
-
- /* get key type */
- keyTypeMech = JSS_getPK11MechFromAlg(env, typeAlgObj);
-@@ -579,8 +580,21 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- flags = 0;
- }
-
-- symKey = PK11_UnwrapSymKeyWithFlags(wrappingKey, wrappingMech, param,
-- wrappedKey, keyTypeMech, operation, keyLen, flags);
-+ if( temporary ) {
-+ isPermanent = PR_FALSE;
-+ } else {
-+ isPermanent = PR_TRUE;
-+ }
-+
-+ if( isPermanent == PR_FALSE) {
-+ symKey = PK11_UnwrapSymKeyWithFlags(wrappingKey, wrappingMech, param,
-+ wrappedKey, keyTypeMech, operation, keyLen, flags);
-+
-+ } else {
-+ symKey = PK11_UnwrapSymKeyWithFlagsPerm(wrappingKey, wrappingMech, param,
-+ wrappedKey, keyTypeMech, operation, keyLen, flags,isPermanent);
-+ }
-+
- if( symKey == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to unwrap key");
- goto finish;
-@@ -702,7 +716,7 @@ finish:
- JNIEXPORT jobject JNICALL
- Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext
- (JNIEnv *env, jclass clazz, jobject tokenObj, jbyteArray wrappedBA,
-- jobject typeAlgObj, jint usageEnum)
-+ jobject typeAlgObj, jint usageEnum,jboolean temporary)
- {
- PK11SymKey *symKey=NULL;
- CK_MECHANISM_TYPE keyTypeMech;
-@@ -711,6 +725,8 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- PK11SlotInfo *slot = NULL;
- CK_ULONG operation;
- CK_FLAGS flags;
-+ PRBool isPerm = PR_FALSE;
-+
-
- /* get key type */
- keyTypeMech = JSS_getPK11MechFromAlg(env, typeAlgObj);
-@@ -740,9 +756,15 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- flags = 0;
- }
-
-+ if( temporary ) {
-+ isPerm = PR_FALSE;
-+ } else {
-+ isPerm = PR_TRUE;
-+ }
-+
- /* pull in the key */
- symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap,
-- operation, wrappedKey, flags, PR_FALSE /*isPerm*/, NULL);
-+ operation, wrappedKey, flags, isPerm, NULL);
- if( symKey == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, 
"Failed to unwrap key");
- goto finish;
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.jmagne 2016-04-14 16:19:26.998559480 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2016-04-14 16:19:40.941463506 -0700
-@@ -498,8 +498,25 @@ final class PK11KeyWrapper implements Ke
- return unwrapSymmetric(wrapped, type, -1, keyLen);
- }
-
-+ public SymmetricKey
-+ unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
-+ SymmetricKey.Usage usage, int keyLen)
-+ throws TokenException, IllegalStateException,
-+ InvalidAlgorithmParameterException
-+ {
-+ return unwrapSymmetricPerm(wrapped, type, usage.getVal(), keyLen);
-+ }
-+
-+ public SymmetricKey
-+ unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type, int keyLen)
-+ throws TokenException, IllegalStateException,
-+ InvalidAlgorithmParameterException
-+ {
-+ return unwrapSymmetricPerm(wrapped, type, -1, keyLen);
-+ }
-+
- private SymmetricKey
-- unwrapSymmetric(byte[] wrapped, SymmetricKey.Type type,
-+ unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
- int usageEnum, int keyLen)
- throws TokenException, IllegalStateException,
- InvalidAlgorithmParameterException
-@@ -508,6 +525,10 @@ final class PK11KeyWrapper implements Ke
- throw new IllegalStateException();
- }
-
-+ /* Since we want permanent,make the temporary arg false */
-+ boolean temporary = false;
-+
-+
- if( (! 
algorithm.isPadded()) && (type == SymmetricKey.RC4) ) {
- if( keyLen <= 0 ) {
- throw new InvalidAlgorithmParameterException(
-@@ -521,12 +542,53 @@ final class PK11KeyWrapper implements Ke
-
- if( algorithm == KeyWrapAlgorithm.PLAINTEXT ) {
- return nativeUnwrapSymPlaintext(token, wrapped, algFromType(type),
-- usageEnum );
-+ usageEnum,temporary );
- } else {
- if( symKey != null ) {
- Assert._assert(pubKey==null && privKey==null);
- return nativeUnwrapSymWithSym(token, symKey, wrapped, algorithm,
-- algFromType(type), keyLen, IV, usageEnum);
-+ algFromType(type), keyLen, IV, usageEnum,temporary);
-+ } else {
-+ Assert._assert(privKey!=null && pubKey==null && symKey==null);
-+ throw new TokenException("We do not support permnament unwrapping with private key.");
-+ }
-+ }
-+ }
-+
-+
-+ private SymmetricKey
-+ unwrapSymmetric(byte[] wrapped, SymmetricKey.Type type,
-+ int usageEnum, int keyLen)
-+ throws TokenException, IllegalStateException,
-+ InvalidAlgorithmParameterException
-+ {
-+ if( state != UNWRAP ) {
-+ throw new IllegalStateException();
-+ }
-+
-+ if( (! 
algorithm.isPadded()) && (type == SymmetricKey.RC4) ) {
-+ if( keyLen <= 0 ) {
-+ throw new InvalidAlgorithmParameterException(
-+ "RC4 keys wrapped in unpadded algorithms need key length"+
-+ " specified when unwrapping");
-+ }
-+ } else {
-+ // Don't use the key length
-+ //keyLen = 0;
-+ }
-+
-+ /* Since we DONT want permanent,make the temporary arg true */
-+ boolean temporary = true;
-+
-+
-+ if( algorithm == KeyWrapAlgorithm.PLAINTEXT ) {
-+ return nativeUnwrapSymPlaintext(token, wrapped, algFromType(type),
-+ usageEnum, temporary );
-+ } else {
-+ if( symKey != null ) {
-+ Assert._assert(pubKey==null && privKey==null);
-+ return nativeUnwrapSymWithSym(token, symKey, wrapped, algorithm,
-+ algFromType(type), keyLen, IV, usageEnum,temporary);
- } else {
- Assert._assert(privKey!=null && pubKey==null && symKey==null);
- return nativeUnwrapSymWithPriv(token, privKey, wrapped,
-@@ -586,7 +648,7 @@ final class PK11KeyWrapper implements Ke
- private static native SymmetricKey
- nativeUnwrapSymWithSym(PK11Token token, SymmetricKey unwrappingKey,
- byte[] wrappedKey, KeyWrapAlgorithm alg, Algorithm type, int keyLen,
-- byte[] IV, int usageEnum)
-+ byte[] IV, int usageEnum,boolean temporary)
- throws TokenException;
-
- /**
-@@ -600,7 +662,7 @@ final class PK11KeyWrapper implements Ke
-
- private static native SymmetricKey
- nativeUnwrapSymPlaintext(PK11Token token, byte[] wrappedKey,
-- Algorithm type, int usageEnum);
-+ Algorithm type, int usageEnum,boolean temporary);
-
- private void reset() {
- state = UNINITIALIZED;
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c.jmagne 2016-05-06 18:10:04.531912407 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2016-05-06 17:36:19.913933639 -0700
-@@ -99,17 +99,19 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD
- }
-
- /* copy the 
key, setting the CKA_SIGN attribute */
-- newKey = PK11_CopySymKeyForSigning(origKey, mech);
-+/* newKey = PK11_CopySymKeyForSigning(origKey, mech);
- if( newKey == NULL ) {
- JSS_throwMsg(env, DIGEST_EXCEPTION,
- "Unable to set CKA_SIGN attribute on symmetric key");
- goto finish;
- }
-
-+*/
-+
- param.data = NULL;
- param.len = 0;
-
-- context = PK11_CreateContextBySymKey(mech, CKA_SIGN, newKey, ¶m);
-+ context = PK11_CreateContextBySymKey(mech, CKA_SIGN, origKey, ¶m);
- if( context == NULL ) {
- JSS_throwMsg(env, DIGEST_EXCEPTION,
- "Unable to initialize digest context");
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c.jmagne 2016-04-14 16:22:16.174394977 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2016-04-14 16:22:26.605323176 -0700
-@@ -44,13 +44,101 @@
- #include
- #include
- #include
--
- #include
- #include
- #include "pk11util.h"
- #include
- #include
-
-+typedef struct
-+{
-+ enum
-+ {
-+ PW_NONE = 0,
-+ PW_FROMFILE = 1,
-+ PW_PLAINTEXT = 2,
-+ PW_EXTERNAL = 3
-+ } source;
-+ char *data;
-+} secuPWData;
-+
-+/**********************************************************************
-+ * PK11Store.putSymKeysInVector
-+ */
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_pkcs11_PK11Store_putSymKeysInVector
-+ (JNIEnv *env, jobject this, jobject keyVector)
-+{
-+ PK11SlotInfo *slot;
-+ jobject object = NULL;
-+ jclass vectorClass;
-+ jmethodID addElement;
-+
-+ PK11SymKey *firstSymKey= NULL;
-+ PK11SymKey *sk = NULL;
-+ PK11SymKey *nextSymKey = NULL;
-+ secuPWData pwdata;
-+
-+ PK11SymKey *freeSymKey = NULL;
-+ PK11SymKey *nextFreeSymKey = NULL;
-+
-+ pwdata.source = PW_NONE;
-+ pwdata.data = (char *) NULL;
-+
-+ PR_ASSERT(env!=NULL && this!=NULL && keyVector!=NULL);
-+
-+ if( JSS_PK11_getStoreSlotPtr(env, this, &slot) != PR_SUCCESS) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+ 
PR_ASSERT(slot!=NULL);
-+
-+ vectorClass = (*env)->GetObjectClass(env, keyVector);
-+ if(vectorClass == NULL) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+
-+ addElement = (*env)->GetMethodID(env,
-+ vectorClass,
-+ VECTOR_ADD_ELEMENT_NAME,
-+ VECTOR_ADD_ELEMENT_SIG);
-+ if(addElement == NULL) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+
-+ PK11_Authenticate(slot, PR_TRUE /*load certs*/, NULL /*wincx*/);
-+
-+ /* Obtain the symmetric key list. */
-+ firstSymKey = PK11_ListFixedKeysInSlot( slot , NULL, ( void *) &pwdata );
-+ sk = firstSymKey;
-+
-+ while(( sk != NULL ))
-+ {
-+ if( sk ) {
-+
-+ nextSymKey = sk;
-+ object = JSS_PK11_wrapSymKey(env, &sk);
-+
-+ if(object == NULL) {
-+ PR_ASSERT( (*env)->ExceptionOccurred(env) );
-+ goto finish;
-+ }
-+
-+ /***************************************************
-+ * Insert the key into the vector
-+ ***************************************************/
-+ (*env)->CallVoidMethod(env, keyVector, addElement, object);
-+ }
-+
-+ sk = PK11_GetNextSymKey( nextSymKey );
-+ }
-+
-+finish:
-+
-+ return;
-+}
-
- /**********************************************************************
- * PK11Store.putKeysInVector
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.java.jmagne 2016-04-14 16:23:26.997907471 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.java 2016-04-14 16:23:34.435856272 -0700
-@@ -66,8 +66,23 @@ public final class PK11Store implements
- keys.copyInto( (Object[]) array );
- return array;
- }
-+
-+ public synchronized SymmetricKey[]
-+ getSymmetricKeys() throws TokenException {
-+
-+ Vector keys = new Vector();
-+ putSymKeysInVector(keys);
-+ SymmetricKey[] array = new SymmetricKey[keys.size()];
-+ keys.copyInto( (Object[]) array);
-+ return array;
-+ }
-+
-+
-+
- protected native void putKeysInVector(Vector keys) throws TokenException;
-
-+ 
protected native void putSymKeysInVector(Vector symKeys) throws TokenException;
-+
-
- public native void deletePrivateKey(PrivateKey key)
- throws NoSuchItemOnTokenException, TokenException;
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c.jmagne 2016-04-14 16:24:44.565372557 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2016-05-17 11:37:48.532485104 -0700
-@@ -33,7 +33,6 @@
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
--
- #include "_jni/org_mozilla_jss_pkcs11_SymKeyProxy.h"
-
- #include
-@@ -62,6 +61,8 @@ JSS_PK11_wrapSymKey(JNIEnv *env, PK11Sym
- jmethodID constructor;
- jbyteArray ptrArray;
- jobject Key=NULL;
-+ char *nickname = NULL;
-+ jstring jnickname = NULL;
-
- PR_ASSERT(env!=NULL && symKey!=NULL && *symKey!=NULL);
-
-@@ -72,10 +73,17 @@ JSS_PK11_wrapSymKey(JNIEnv *env, PK11Sym
- goto finish;
- }
-
-+ nickname = PK11_GetSymKeyNickname( *symKey );
-+
-+ if (nickname) {
-+ jnickname = (*env)->NewStringUTF(env, nickname);
-+ }
-+
-+
- /* find the constructor */
- constructor = (*env)->GetMethodID(env, keyClass,
- PLAIN_CONSTRUCTOR,
-- PK11SYMKEY_CONSTRUCTOR_SIG);
-+ PK11SYMKEY_CONSTRUCTOR_1_SIG);
- if(constructor == NULL) {
- ASSERT_OUTOFMEM(env);
- goto finish;
-@@ -87,12 +95,16 @@ JSS_PK11_wrapSymKey(JNIEnv *env, PK11Sym
- goto finish;
- }
- /* call the constructor */
-- Key = (*env)->NewObject(env, keyClass, constructor, ptrArray);
-+ Key = (*env)->NewObject(env, keyClass, constructor, ptrArray,jnickname);
-
- finish:
- if(Key == NULL) {
- PK11_FreeSymKey(*symKey);
- }
-+ if(nickname != NULL) {
-+ PORT_Free(nickname);
-+ nickname = NULL;
-+ }
- *symKey = NULL;
- return Key;
- }
-@@ -181,6 +193,49 @@ finish:
-
- /***********************************************************************
- *
-+ * PK11SymKey.setNickNameNative
-+ */
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_pkcs11_PK11SymKey_setNickNameNative
-+ (JNIEnv *env, jobject this,jstring nickname)
-+{
-+ PK11SymKey *key=NULL;
-+ const char *keyname = NULL;
-+ SECStatus status;
-+
-+ /* If no nickname provided, we are done */
-+ if( nickname == NULL ) {
-+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION,
-+ "Nickname is NULL, will not be set");
-+ goto finish;
-+ }
-+
-+ /* get the key pointer */
-+ if( JSS_PK11_getSymKeyPtr(env, this, &key) != PR_SUCCESS) {
-+ goto finish;
-+ }
-+
-+ /* convert the Java String into a native "C" string */
-+ keyname = (*env)->GetStringUTFChars( env, nickname, 0 );
-+
-+ /* name the key */
-+ status = PK11_SetSymKeyNickname( key, keyname );
-+ if( status != SECSuccess ) {
-+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION,
-+ "Failed to name symmetric key");
-+ }
-+finish:
-+
-+ if( keyname != NULL ) {
-+ /* free the native "C" string */
-+ (*env)->ReleaseStringUTFChars(env, nickname, keyname);
-+ }
-+
-+ return;
-+}
-+
-+/***********************************************************************
-+ *
- * PK11SymKey.getKeyData
- */
- JNIEXPORT jbyteArray JNICALL
-@@ -279,6 +334,10 @@ Java_org_mozilla_jss_pkcs11_PK11SymKey_g
- case CKK_AES:
- typeFieldName = AES_KEYTYPE_FIELD;
- break;
-+ case CKK_DES2:
-+ printf("hello des2!
\n");
-+ typeFieldName = DES3_KEYTYPE_FIELD;
-+ break;
- default:
- PR_ASSERT(PR_FALSE);
- typeFieldName = DES_KEYTYPE_FIELD;
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.java.jmagne 2016-04-14 16:58:33.385371633 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.java 2016-05-17 11:41:36.323841045 -0700
-@@ -44,9 +44,17 @@ public final class PK11SymKey implements
- protected PK11SymKey(byte[] pointer) {
- Assert._assert(pointer!=null);
- keyProxy = new SymKeyProxy(pointer);
-+ nickName = null;
-+ }
-+
-+ protected PK11SymKey(byte[] pointer,String nickName) {
-+ Assert._assert(pointer!=null);
-+ keyProxy = new SymKeyProxy(pointer);
-+ this.nickName = nickName;
- }
-
- private SymKeyProxy keyProxy;
-+ private String nickName;
-
- public SymmetricKey.Type getType() {
- KeyType kt = getKeyType();
-@@ -108,6 +116,20 @@ public final class PK11SymKey implements
- public String getFormat() {
- return "RAW";
- }
-+
-+ public String getNickName() {
-+ return nickName;
-+ }
-+
-+ public void setNickName(String nickName) {
-+ this.nickName = nickName;
-+
-+ if( nickName != null) {
-+ setNickNameNative(nickName);
-+ }
-+ }
-+
-+ public native void setNickNameNative(String nickName);
- }
-
- class SymKeyProxy extends KeyProxy {
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.c.jmagne 2016-04-14 16:26:18.611723763 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.c 2016-05-17 14:13:35.456574082 -0700
-@@ -0,0 +1,364 @@
-+/* ***** BEGIN LICENSE BLOCK *****
-+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
-+ *
-+ * The contents of this file are subject to the Mozilla Public License Version
-+ * 1.1 (the
"License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ * http://www.mozilla.org/MPL/
-+ *
-+ * Software distributed under the License is distributed on an "AS IS" basis,
-+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-+ * for the specific language governing rights and limitations under the
-+ * License.
-+ *
-+ * The Original Code is the Netscape Security Services for Java.
-+ *
-+ * The Initial Developer of the Original Code is
-+ * Netscape Communications Corporation.
-+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
-+ * the Initial Developer. All Rights Reserved.
-+ *
-+ * Contributor(s):
-+ *
-+ * Alternatively, the contents of this file may be used under the terms of
-+ * either the GNU General Public License Version 2 or later (the "GPL"), or
-+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-+ * in which case the provisions of the GPL or the LGPL are applicable instead
-+ * of those above. If you wish to allow use of your version of this file only
-+ * under the terms of either the GPL or the LGPL, and not to allow others to
-+ * use your version of this file under the terms of the MPL, indicate your
-+ * decision by deleting the provisions above and replace them with the notice
-+ * and other provisions required by the GPL or the LGPL. If you do not delete
-+ * the provisions above, a recipient may use your version of this file under
-+ * the terms of any one of the MPL, the GPL or the LGPL.
-+ *
-+ * ***** END LICENSE BLOCK ***** */
-+#include "_jni/org_mozilla_jss_pkcs11_PK11SymmetricKeyDeriver.h"
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include "java_ids.h"
-+
-+#include "pk11util.h"
-+#include
-+
-+/***********************************************************************
-+ * Expose the NSS functionality at low level, one should know what to do
-+ * at the Java level.
-+ */
-+
-+JNIEXPORT jobject JNICALL Java_org_mozilla_jss_pkcs11_PK11SymmetricKeyDeriver_nativeDeriveSymKey
-+ (JNIEnv * env, jobject this,jobject tokenObj,
-+ jobject baseKeyObj, jobject secondaryKeyObj,
-+ jlong deriveMechanism, jbyteArray param, jbyteArray iv, jlong targetMechanism, jlong operation, jlong keySize)
-+{
-+ jobject keyObj = NULL;
-+ PK11SlotInfo *slot=NULL;
-+ PK11SlotInfo *bestSlot = NULL;
-+ PK11SlotInfo *slotForKey = NULL;
-+ PK11SlotInfo *slotForSecondaryKey = NULL;
-+ PK11SlotInfo *finalSlot = NULL;
-+ PK11SlotInfo *finalSecondarySlot = NULL;
-+ PK11SlotInfo *finalBaseKeySlot = NULL;
-+
-+ PK11SymKey *baseKey = NULL;
-+ PK11SymKey *bestBaseKey = NULL;
-+ PK11SymKey *finalBaseKey = NULL;
-+ PK11SymKey *newKey = NULL;
-+
-+ PK11SymKey *secondaryKey = NULL;
-+ PK11SymKey *bestSecondaryKey = NULL;
-+ PK11SymKey *finalSecondaryKey = NULL;
-+ PK11SymKey *derivedKey = NULL;
-+ jbyte *paramValue = NULL;
-+ int paramLength = 0;
-+ jbyte *ivValue = NULL;
-+ int ivLength = 0;
-+
-+
-+ CK_OBJECT_HANDLE keyhandle = 0;
-+
-+ CK_AES_CBC_ENCRYPT_DATA_PARAMS aes;
-+ CK_DES_CBC_ENCRYPT_DATA_PARAMS des;
-+ CK_KEY_DERIVATION_STRING_DATA string;
-+
-+ SECItem paramsItem = { siBuffer, NULL, 0 };
-+
-+ PR_ASSERT(env!=NULL && this!=NULL);
-+
-+ if( baseKeyObj == 0) {
-+ PR_fprintf(PR_STDOUT,"baseKeyObj can not be null!\n");
-+ goto loser;
-+ }
-+
-+ if( param != NULL) {
-+ paramValue = (*env)->GetByteArrayElements(env,param, NULL);
-+
paramLength = (*env)->GetArrayLength(env,param);
-+ }
-+
-+ if( iv != NULL) {
-+ ivValue = (*env)->GetByteArrayElements(env,iv, NULL);
-+ ivLength = (*env)->GetArrayLength(env,iv);
-+ }
-+
-+ /* Set up the params data for the PK11_Derive family */
-+
-+ switch ( deriveMechanism ) {
-+ case CKM_DES_ECB_ENCRYPT_DATA:
-+ case CKM_DES3_ECB_ENCRYPT_DATA:
-+ case CKM_AES_ECB_ENCRYPT_DATA:
-+ case CKM_CAMELLIA_ECB_ENCRYPT_DATA:
-+ case CKM_SEED_ECB_ENCRYPT_DATA:
-+ /* Use CK_KEY_DERIVATION_STRING_DATA */
-+
-+ string.pData = (unsigned char *) paramValue;
-+ string.ulLen = paramLength;
-+ paramsItem.data = (void *) &string;
-+ paramsItem.len = sizeof(string);
-+
-+ break;
-+ case CKM_DES_CBC_ENCRYPT_DATA:
-+ case CKM_DES3_CBC_ENCRYPT_DATA:
-+ /* Use CK_DES_CBC_ENCRYPT_DATA_PARAMS */
-+
-+ if( ivValue == NULL) {
-+ PR_fprintf(PR_STDOUT, "Need iv param for CKM_DES_CBC_ENCRYPT_DATA or CKM_DES3_CBC_ENCRYPT_DATA. \n");
-+ goto loser;
-+ }
-+
-+ if( ivLength != 8) {
-+ PR_fprintf(PR_STDOUT, "Need iv param for CKM_DES_CBC_ENCRYPT_DATA structure to be 8 bytes!. \n");
-+ goto loser;
-+ }
-+
-+ des.pData = (unsigned char *) paramValue;
-+ des.length = paramLength;
-+ PORT_Memcpy(des.iv,ivValue,ivLength);
-+ paramsItem.data = (void *) &des;
-+ paramsItem.len = sizeof(des);
-+
-+ break;
-+
-+ case CKM_AES_CBC_ENCRYPT_DATA:
-+ case CKM_CAMELLIA_CBC_ENCRYPT_DATA:
-+ case CKM_SEED_CBC_ENCRYPT_DATA:
-+ /* Use CK_AES_CBC_ENCRYPT_DATA_PARAMS */
-+
-+ if ( ivValue == NULL ) {
-+ PR_fprintf(PR_STDOUT, "Need iv param for CBC encrypt derive for AES, or CAMELLIA or SEED. \n");
-+ goto loser;
-+ }
-+
-+ if( ivLength != 16) {
-+ PR_fprintf(PR_STDOUT, "Need iv param for CK_AES_CBC_ENCRYPT_DATA_PARAMS structure to be 16 bytes!.
\n");
-+ goto loser;
-+ }
-+
-+ aes.pData = (unsigned char *) paramValue;
-+ aes.length = paramLength;
-+ PORT_Memcpy(aes.iv,ivValue,ivLength);
-+ paramsItem.data = (void *) &aes;
-+ paramsItem.len = sizeof(aes);
-+ break;
-+ default:
-+ paramsItem.data = (unsigned char *) paramValue;
-+ paramsItem.len = paramLength;
-+ break;
-+ }
-+
-+ /* Get slot */
-+ if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
-+ goto loser;
-+ }
-+
-+ /* Get base key */
-+
-+ if( JSS_PK11_getSymKeyPtr(env, baseKeyObj, &baseKey) != PR_SUCCESS) {
-+ PR_fprintf(PR_STDOUT, "PK11SymmetricKeyDeriver.nativeDeriveSymKey: Unable to extract symmetric base key!");
-+ goto loser;
-+ }
-+
-+ /* Ask NSS what the best slot for the given mechanism */
-+
-+ bestSlot = PK11_GetBestSlot(deriveMechanism, NULL);
-+
-+ if( bestSlot == NULL) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: Can't find suitable slot for sym key derivation! \n");
-+ goto loser;
-+ }
-+
-+ slotForKey = PK11_GetSlotFromKey(baseKey);
-+
-+ int keyOnRequestedSlot = 0;
-+ int baseKeyMoved= 0;
-+
-+ if(slotForKey != slot) {
-+ keyOnRequestedSlot = 0;
-+ } else {
-+ keyOnRequestedSlot = 1;
-+ finalBaseKeySlot = slot;
-+ }
-+
-+ if ( PK11_DoesMechanism( slot, deriveMechanism)) {
-+ if ( keyOnRequestedSlot ) {
-+ finalBaseKey = baseKey;
-+ } else {
-+ bestBaseKey = PK11_MoveSymKey( slot, CKA_ENCRYPT, 0, PR_FALSE, baseKey );
-+ if(bestBaseKey == NULL) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: Can't move Base Key to requested slot!\n");
-+ goto loser;
-+ }
-+ baseKeyMoved = 1;
-+ finalBaseKey = bestBaseKey;
-+ finalBaseKeySlot = slot;
-+ }
-+
-+ } else {
-+ bestBaseKey = PK11_MoveSymKey( bestSlot, CKA_ENCRYPT, 0, PR_FALSE, baseKey );
-+ if(bestBaseKey == NULL) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: Can't move Base Key to best slot!\n");
-+ goto loser;
-+ }
-+ baseKeyMoved = 1;
-+ finalBaseKey = bestBaseKey;
-+ finalBaseKeySlot = bestSlot;
-+ }
-+
-+ /* Assume we want to do a concatenation family here */
-+
-+ if( secondaryKeyObj != NULL) {
-+ if( JSS_PK11_getSymKeyPtr(env, secondaryKeyObj, &secondaryKey) != PR_SUCCESS) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: Can't find secondary sym key!\n");
-+ goto loser;
-+ }
-+
-+ /* Make sure the secondary key is in the proper slot to do concatenation */
-+
-+ slotForSecondaryKey = PK11_GetSlotFromKey( secondaryKey );
-+
-+ if( finalBaseKeySlot != slotForSecondaryKey ) {
-+
-+ finalSecondaryKey = PK11_MoveSymKey (finalBaseKeySlot, CKA_ENCRYPT, 0, PR_FALSE, secondaryKey);
-+
-+ if( finalSecondaryKey == NULL) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey, Problem moving secondary key to proper slot.\n");
-+ goto loser;
-+ }
-+ } else {
-+ finalSecondaryKey = secondaryKey;
-+ }
-+
-+ if( paramValue == NULL) {
-+ keyhandle = PK11_GetSymKeyHandle(finalSecondaryKey);
-+
-+ if( keyhandle == 0) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey, can't get handle for secondary sym key.\n");
-+ goto loser;
-+ }
-+
-+ paramsItem.data=(unsigned char *) &keyhandle;
-+ paramsItem.len=sizeof(keyhandle);
-+
-+ } else {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: incorrect input parameter provided!\n");
-+ goto loser;
-+ }
-+ }
-+
-+ derivedKey = PK11_Derive(finalBaseKey, deriveMechanism, ¶msItem, targetMechanism,
-+ operation, keySize);
-+ if(derivedKey == NULL) {
-+ PR_fprintf(PR_STDOUT,
-+ "ERROR: Can't derive symmetric key, error: %d \n",PR_GetError());
-+ goto loser;
-+ }
-+
-+ if ( (finalSlot = PK11_GetSlotFromKey(derivedKey )) != slot) {
-+ newKey = PK11_MoveSymKey ( slot, CKA_ENCRYPT, 0, PR_FALSE, derivedKey);
-+
-+ if ( newKey == NULL ) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: error moving key to original slot, return anyway.
\n");
-+ newKey = derivedKey;
-+ derivedKey = NULL;
-+ }
-+
-+ } else {
-+ newKey = derivedKey;
-+ derivedKey = NULL;
-+ }
-+
-+ keyObj = JSS_PK11_wrapSymKey(env, &newKey);
-+
-+loser:
-+
-+ if ( bestBaseKey != NULL ) {
-+ PK11_FreeSymKey ( bestBaseKey );
-+ bestBaseKey = NULL;
-+ }
-+
-+ if ( bestSecondaryKey != NULL ) {
-+ PK11_FreeSymKey ( bestSecondaryKey );
-+ bestSecondaryKey = NULL;
-+ }
-+
-+ if ( derivedKey != NULL) {
-+ PK11_FreeSymKey ( derivedKey );
-+ derivedKey = NULL;
-+ }
-+
-+ if (bestSlot != NULL ) {
-+ PK11_FreeSlot(bestSlot);
-+ bestSlot = NULL;
-+ }
-+
-+ if ( slotForKey != NULL ) {
-+ PK11_FreeSlot( slotForKey );
-+ slotForKey = NULL;
-+ }
-+
-+ if ( finalSlot != NULL ) {
-+ PK11_FreeSlot( finalSlot );
-+ finalSlot = NULL;
-+ }
-+
-+ if ( finalSecondarySlot != NULL ) {
-+ PK11_FreeSlot( finalSecondarySlot );
-+ finalSecondarySlot = NULL;
-+ }
-+
-+ if ( slotForSecondaryKey != NULL ) {
-+ PK11_FreeSlot( slotForSecondaryKey );
-+ slotForSecondaryKey = NULL;
-+ }
-+
-+ if(paramValue) {
-+ (*env)->ReleaseByteArrayElements(env, param, (jbyte*)paramValue,
-+ JNI_ABORT);
-+ }
-+ if(ivValue) {
-+ (*env)->ReleaseByteArrayElements(env, iv, (jbyte*)ivValue,
-+ JNI_ABORT);
-+ }
-+
-+ if( keyObj == NULL) {
-+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Unable to derive symmetric key!
"
-+ "failure!");
-+ }
-+
-+ return keyObj;
-+}
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.java.jmagne 2016-04-14 16:28:29.179823017 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.java 2016-04-14 16:28:36.186774680 -0700
-@@ -0,0 +1,158 @@
-+/* ***** BEGIN LICENSE BLOCK *****
-+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
-+ *
-+ * The contents of this file are subject to the Mozilla Public License Version
-+ * 1.1 (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ * http://www.mozilla.org/MPL/
-+ *
-+ * Software distributed under the License is distributed on an "AS IS" basis,
-+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-+ * for the specific language governing rights and limitations under the
-+ * License.
-+ *
-+ * The Original Code is the Netscape Security Services for Java.
-+ *
-+ * The Initial Developer of the Original Code is
-+ * Netscape Communications Corporation.
-+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
-+ * the Initial Developer. All Rights Reserved.
-+ *
-+ * Contributor(s):
-+ *
-+ * Alternatively, the contents of this file may be used under the terms of
-+ * either the GNU General Public License Version 2 or later (the "GPL"), or
-+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-+ * in which case the provisions of the GPL or the LGPL are applicable instead
-+ * of those above.
If you wish to allow use of your version of this file only
-+ * under the terms of either the GPL or the LGPL, and not to allow others to
-+ * use your version of this file under the terms of the MPL, indicate your
-+ * decision by deleting the provisions above and replace them with the notice
-+ * and other provisions required by the GPL or the LGPL. If you do not delete
-+ * the provisions above, a recipient may use your version of this file under
-+ * the terms of any one of the MPL, the GPL or the LGPL.
-+ *
-+ * ***** END LICENSE BLOCK ***** */
-+
-+package org.mozilla.jss.pkcs11;
-+
-+import org.mozilla.jss.crypto.*;
-+import org.mozilla.jss.util.Assert;
-+import sun.security.pkcs11.wrapper.*;
-+import java.security.InvalidKeyException;
-+
-+
-+/*This operation is pkcs11 based only */
-+
-+public class PK11SymmetricKeyDeriver implements SymmetricKeyDeriver {
-+
-+ private PK11Token token = null;
-+ private SymmetricKey baseKey = null;
-+ private SymmetricKey secondaryKey = null;
-+ private long deriveMechanism = 0;
-+ private long targetMechanism = 0;
-+ private long operation = 0;
-+ private long keySize = 0;
-+ private byte[] param = null;
-+ private byte[] iv = null;
-+
-+ public PK11SymmetricKeyDeriver(PK11Token token)
-+ {
-+ this.token = token;
-+ }
-+
-+ /* Use with the encrypt type mechanisms
-+
-+ Example: initDerive(
-+ symKey, (PKCS11Constants.CKM_DES3_ECB_ENCRYPT_DATA) 4354L, derivationData, null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE, 16);
-+
-+
-+ */
-+ public void initDerive(SymmetricKey baseKey, long deriveMech, byte[] param, byte[] iv,
-+ long targetMech, long operation, long keySize) throws InvalidKeyException
-+ {
-+ reset();
-+
-+ if(baseKey == null) {
-+ throw new InvalidKeyException("Key is null");
-+ }
-+
-+ this.baseKey = baseKey;
-+ this.deriveMechanism = deriveMech;
-+ this.targetMechanism = targetMech;
-+ this.operation = operation;
-+
-+ if ( param != null) {
-+ this.param = new byte[param.length];
-+
System.arraycopy(param,0,this.param,0,param.length);
-+ }
-+
-+ if ( iv != null) {
-+ this.iv = new byte[iv.length];
-+ System.arraycopy(iv,0,this.iv,0,iv.length);
-+ }
-+
-+ this.keySize = keySize;
-+
-+ }
-+
-+ /* Use with key extraction and key concatanation mechanisms
-+
-+ Example Extraction:
-+ param: byte array that has the bit position of where to extract
-+ initDerive(
-+ derivedKey, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null,
-+ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,8);
-+
-+ Example Concat:
-+
-+ initDerive(
-+ baseSymKey,secondarySymKey, PKCS11Constants.CKM_CONCATENATE_BASE_AND_KEY,null,null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,0);
-+
-+ */
-+
-+ public void initDerive(SymmetricKey baseKey, SymmetricKey secondaryKey, long deriveMech,
-+ byte[] param, byte[] iv, long targetMech, long operation, long keySize) throws InvalidKeyException
-+ {
-+ reset();
-+
-+ if ( baseKey == null || secondaryKey == null) {
-+ throw new InvalidKeyException("Key is null");
-+ }
-+
-+ initDerive(baseKey, deriveMech, param,iv,targetMech,operation,keySize);
-+ this.secondaryKey = secondaryKey;
-+
-+ }
-+
-+
-+ public SymmetricKey derive()
-+ throws TokenException
-+ {
-+ SymmetricKey result = deriveSymKey(this.baseKey,this.secondaryKey,this.deriveMechanism, this.param, this.iv, this.targetMechanism, this.operation,this.keySize);
-+ return result;
-+ }
-+
-+ private SymmetricKey
-+ deriveSymKey(SymmetricKey baseKey, SymmetricKey secondaryKey, long deriveMechanism, byte[] param, byte[] iv, long targetMechanism, long operation, long keySize)
-+ throws TokenException, IllegalStateException
-+ {
-+ return nativeDeriveSymKey(token, baseKey, secondaryKey,deriveMechanism, param, iv, targetMechanism, operation, keySize);
-+ }
-+
-+ public native SymmetricKey nativeDeriveSymKey(PK11Token token, SymmetricKey baseKey, SymmetricKey secondaryKey, long deriveMechanism, byte[] param, byte[] iv,
-+ long targetMechanism, long operation, long
keySize);
-+
-+ private void reset() {
-+ baseKey = null;
-+ secondaryKey = null;
-+ deriveMechanism = 0;
-+ targetMechanism = 0;
-+ operation = 0;
-+ keySize = 0;
-+ param = null;
-+ iv = null;
-+ }
-+}
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.jmagne 2016-04-14 16:30:46.098878459 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2016-04-14 17:27:30.918367372 -0700
-@@ -131,6 +131,11 @@ public final class PK11Token implements
- return PK11KeyGenerator.clone(key, this);
- }
-
-+ public PK11SymmetricKeyDeriver getSymmetricKeyDeriver()
-+ {
-+ return new PK11SymmetricKeyDeriver(this);
-+ }
-+
- public KeyWrapper
- getKeyWrapper(KeyWrapAlgorithm algorithm)
- throws NoSuchAlgorithmException, TokenException
-diff -up ./mozilla/security/jss/org/mozilla/jss/tests/SymKeyDeriving.java.jmagne ./mozilla/security/jss/org/mozilla/jss/tests/SymKeyDeriving.java
---- ./mozilla/security/jss/org/mozilla/jss/tests/SymKeyDeriving.java.jmagne 2016-04-14 16:32:58.529964860 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/tests/SymKeyDeriving.java 2016-05-17 11:43:51.858862556 -0700
-@@ -0,0 +1,516 @@
-+/* ***** BEGIN LICENSE BLOCK *****
-+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
-+ *
-+ * The contents of this file are subject to the Mozilla Public License Version
-+ * 1.1 (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ * http://www.mozilla.org/MPL/
-+ *
-+ * Software distributed under the License is distributed on an "AS IS" basis,
-+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-+ * for the specific language governing rights and limitations under the
-+ * License.
-+ *
-+ * The Original Code is the Netscape Security Services for Java.
-+ *
-+ * The Initial Developer of the Original Code is
-+ * Netscape Communications Corporation.
-+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
-+ * the Initial Developer. All Rights Reserved.
-+ *
-+ * Contributor(s):
-+ *
-+ * Alternatively, the contents of this file may be used under the terms of
-+ * either the GNU General Public License Version 2 or later (the "GPL"), or
-+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-+ * in which case the provisions of the GPL or the LGPL are applicable instead
-+ * of those above. If you wish to allow use of your version of this file only
-+ * under the terms of either the GPL or the LGPL, and not to allow others to
-+ * use your version of this file under the terms of the MPL, indicate your
-+ * decision by deleting the provisions above and replace them with the notice
-+ * and other provisions required by the GPL or the LGPL. If you do not delete
-+ * the provisions above, a recipient may use your version of this file under
-+ * the terms of any one of the MPL, the GPL or the LGPL.
-+ *
-+ * ***** END LICENSE BLOCK ***** */
-+
-+package org.mozilla.jss.tests;
-+
-+import org.mozilla.jss.crypto.*;
-+import org.mozilla.jss.CryptoManager;
-+import org.mozilla.jss.util.Assert;
-+import org.mozilla.jss.pkcs11.*;
-+import sun.security.pkcs11.wrapper.PKCS11Constants;
-+import java.nio.ByteBuffer;
-+import java.util.Arrays;
-+import java.util.Vector;
-+import java.util.Enumeration;
-+
-+/**
-+ * Sym Key deriving tests..
-+ *
-+ */
-+
-+public class SymKeyDeriving {
-+
-+ private static final byte[] iv8 = new byte [] { 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8 };
-+ private static final byte[] iv16 = new byte [] { 0x1, 0x2, 0x3, 0x4,
-+ 0x5, 0x6, 0x7, 0x8,
-+ 0x9,0xa, 0xb, 0xc,0xd,0xe, 0xf,0x10 };
-+
-+ private static final byte[] derivationData1 = new byte[] { 0x11, 0x11, 0x13,
-+ 0x14, 0x15, 0x16, 0x17, 0x18 };
-+
-+ private static final byte[] derivationData2 = new byte [] { 0x9, 0xa, 0xb, 0xc, 0xd,
-+ 0xe, 0xf, 0x10 };
-+
-+ private static final byte[] derivationData16 = new byte[] { 0x1, 0x2, 0x3, 0x4, 0x5, 0x6,0x7, 0x8,
-+ 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf, 0x10 };
-+
-+
-+ public static void main(String args[]) {
-+
-+ SymmetricKey macKeyDev = null;
-+ try {
-+
-+ CryptoManager.InitializationValues vals =
-+ new CryptoManager.InitializationValues("./"
-+ );
-+ CryptoManager.initialize(vals);
-+ CryptoManager cm = CryptoManager.getInstance();
-+ CryptoToken token = cm.getInternalCryptoToken();
-+ CryptoToken keyToken = cm.getInternalKeyStorageToken();
-+ System.out.println("interal token name: " + keyToken.getName());
-+ KeyGenerator keyKg = keyToken.getKeyGenerator(KeyGenAlgorithm.DES3);
-+ SymmetricKey baseKey = keyKg.generate();
-+
-+
-+ KeyGenerator keyKgDes = keyToken.getKeyGenerator(KeyGenAlgorithm.DES);
-+ SymmetricKey baseKeyDes = keyKgDes.generate();
-+ System.out.println("strength: " + baseKeyDes.getStrength());
-+
-+
-+ KeyGenerator keyKgAES = keyToken.getKeyGenerator(KeyGenAlgorithm.AES);
-+ keyKgAES.initialize(128);
-+ SymmetricKey baseKeyAES = keyKgAES.generate();
-+
-+
-+
-+ System.out.println("baseKey bytes: ");
-+ byte[] baseBytes = baseKey.getEncoded();
-+ displayByteArray(baseBytes,true);
-+
-+
-+ /*****************************************************************************************************/
-+
-+ System.out.println("\n Mechanism CKM_EXTRACT_KEY_FROM_KEY test 16 bytes.
\n");
-+
-+
-+ SymmetricKeyDeriver deriver = token.getSymmetricKeyDeriver();
-+ System.out.println("deriver: " + deriver);
-+ System.out.println("CKM_EXTRACT_KEY_FROM_KEY : " + PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY);
-+
-+ long bitPosition = 0;
-+
-+ byte[] param = longToBytes(bitPosition);
-+
-+ deriver.initDerive(
-+ baseKey, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null,
-+ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,(long) 16);
-+
-+
-+ SymmetricKey extracted16 = deriver.derive();
-+
-+ System.out.println("Derived key: " + extracted16);
-+
-+ if(extracted16 == null) {
-+ System.out.println("Failed to derive 16 byte key with mechanism: CKM_EXTRACT_KEY_FROM_KEY \n");
-+ }
-+
-+ System.out.println("derivedKey 16 bytes: ");
-+ byte[] derivedBytes = extracted16.getEncoded();
-+ displayByteArray(derivedBytes,true);
-+
-+
-+ /*****************************************************************************************************/
-+
-+ System.out.println("\n Mechanism CKM_EXTRACT_KEY_FROM_KEY test 8 bytes. \n");
-+
-+
-+ SymmetricKeyDeriver extract8 = token.getSymmetricKeyDeriver();
-+ extract8.initDerive(
-+ extracted16, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null,
-+ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,(long) 8);
-+
-+
-+ SymmetricKey extracted8 = extract8.derive();
-+ System.out.println("Derived key: " + extracted8);
-+
-+ if(extracted8 == null) {
-+ System.out.println("Failed to derive key extracted 8 bytes with mechanism: CKM_EXTRACT_KEY_FROM_KEY \n");
-+ }
-+
-+ byte[] extracted8Bytes = extracted8.getEncoded();
-+ System.out.println("derived extracted 8 bytes of key: ");
-+ displayByteArray(extracted8Bytes,true);
-+
-+
-+ /*****************************************************************************************************/
-+
-+
-+ System.out.println("\n Mechanism CKM_CONCATENATE_BASE_AND_KEY test 16 + 8 = 24 byte key.
\n");
-+
-+ SymmetricKeyDeriver concat = keyToken.getSymmetricKeyDeriver();
-+ concat.initDerive(
-+ extracted16,extracted8, PKCS11Constants.CKM_CONCATENATE_BASE_AND_KEY,null,null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,(long) 0);
-+
-+ SymmetricKey concated24 = concat.derive();
-+
-+ if( concated24 == null) {
-+ System.out.println("Failed to derive key concated 8 bytes to 16 bytes key: CKM_CONCATENATE_BASE_AND_KEY \n");
-+ }
-+
-+ byte[] concated24Bytes = concated24.getEncoded();
-+ System.out.println("derived concated 16 + 8 = 24 byte key: ");
-+ displayByteArray(concated24Bytes,true);
-+
-+ /*****************************************************************************************************/
-+
-+ // Now lets try more complex derivation
-+
-+ // tmp2 = PK11_Derive( master , CKM_DES_ECB_ENCRYPT_DATA , ¶m , CKM_CONCATENATE_BASE_AND_KEY , CKA_DERIVE , 0);
-+
-+ System.out.println("\n Mechanism CKM_DES_ECB_ENCRYPT_DATA test. \n");
-+
-+ SymmetricKeyDeriver encrypt = token.getSymmetricKeyDeriver();
-+
-+ encrypt.initDerive(
-+ baseKeyDes, /* PKCS11Constants.CKM_DES_ECB_ENCRYPT_DATA */ 4352L,derivationData1 ,null,
-+ PKCS11Constants.CKM_DES_ECB, PKCS11Constants.CKA_DERIVE,(long) 8);
-+
-+ SymmetricKey encrypted8 = encrypt.derive();
-+
-+ if( encrypted8 == null) {
-+ System.out.println("Failed to derive 8 bytes from encrypted derivation data.");
-+ }
-+
-+ byte[] encrypted8Bytes = encrypted8.getEncoded();
-+ System.out.println("derived encrypted 8 bytes: " + encrypted8Bytes.length);
-+ displayByteArray(encrypted8Bytes,true);
-+
-+ Cipher cipher = null;
-+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.DES_ECB);
-+
-+ cipher.initEncrypt(baseKeyDes);
-+
-+ byte[] ciphertext = cipher.doFinal(derivationData1);
-+ displayByteArray(ciphertext,true);
-+
-+ if ( ciphertext.length != encrypted8Bytes.length ) {
-+ System.out.println("FAILED: encrypted data length not equal to derived key length.");
-+ } else {
-+ for ( int i = 0; i <
ciphertext.length ; i ++) {
-+ ciphertext[i]&=0xfe;
-+ encrypted8Bytes[i]&=0xfe;
-+ }
-+ if ( Arrays.equals(ciphertext, encrypted8Bytes)) {
-+ System.out.println("PASSED: derived key the same as encrypted data.");
-+ } else {
-+
-+ System.out.println("FAILED: derived key not the same as encrypted data.");
-+ }
-+ }
-+
-+
-+ /*****************************************************************************************************/
-+
-+ // Try ecnrypted des3 derivation
-+
-+ System.out.println("\n Mechanism CKM_DES3_ECB_ENCRYPT_DATA test. \n");
-+
-+ SymmetricKeyDeriver encryptDes3 = token.getSymmetricKeyDeriver();
-+
-+ encryptDes3.initDerive(
-+ baseKey, /* PKCS11Constants.CKM_DES3_ECB_ENCRYPT_DATA */ 4354L ,derivationData16 ,null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,(long) 16);
-+
-+
-+ SymmetricKey encrypted16 = encryptDes3.derive();
-+
-+ if ( encrypted16 == null) {
-+ System.out.println("Failed to derive 16 bytes from encrypted derivation data.");
-+ }
-+
-+ byte[] encrypted16Bytes = encrypted16.getEncoded();
-+
-+ System.out.println("derived encrypted 16 bytes: " + encrypted16Bytes.length);
-+ displayByteArray(encrypted16Bytes,true);
-+
-+
-+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.DES3_ECB);
-+ cipher.initEncrypt(baseKey);
-+ ciphertext = cipher.doFinal(derivationData16);
-+ displayByteArray(ciphertext,true);
-+
-+ if ( ciphertext.length != encrypted16Bytes.length ) {
-+ System.out.println("FAILED: encrypted data length not equal to derived key length.");
-+ } else {
-+ for ( int i = 0; i < ciphertext.length ; i ++) {
-+ ciphertext[i]&=0xfe;
-+ encrypted16Bytes[i]&=0xfe;
-+ }
-+ if ( Arrays.equals(ciphertext, encrypted16Bytes)) {
-+ System.out.println("PASSED: derived key the same as encrypted data.");
-+ } else {
-+ System.out.println("FAILED: derived key not the same as encrypted data.");
-+ }
-+ }
-+
-+
-+ /*****************************************************************************************************/
-+
-+
System.out.println("\n Mechanism CKM_DES_CBC_ENCRYPT_DATA test. \n"); -+ -+ SymmetricKeyDeriver encryptDesCBC = token.getSymmetricKeyDeriver(); -+ -+ encryptDesCBC.initDerive( -+ baseKeyDes, /* PKCS11Constants.CKM_DES_CBC_ENCRYPT_DATA */ 4353L ,derivationData1 ,iv8, -+ PKCS11Constants.CKM_DES_CBC, PKCS11Constants.CKA_DERIVE,(long) 8); -+ -+ -+ SymmetricKey encryptedDesCBC = encryptDesCBC.derive(); -+ -+ if ( encryptedDesCBC == null) { -+ System.out.println("Failed to derive 8 bytes from encrypted derivation data."); -+ } -+ -+ byte[] encryptedDesCBCBytes = encryptedDesCBC.getEncoded(); -+ -+ System.out.println("derived encrypted 8 bytes: " + encryptedDesCBCBytes.length); -+ displayByteArray(encryptedDesCBCBytes,true); -+ -+ -+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.DES_CBC); -+ cipher.initEncrypt(baseKeyDes,new IVParameterSpec(iv8)); -+ ciphertext = cipher.doFinal(derivationData1); -+ displayByteArray(ciphertext,true); -+ -+ if ( ciphertext.length != encryptedDesCBCBytes.length ) { -+ System.out.println("FAILED: encrypted data length not equal to derived key length."); -+ } else { -+ for ( int i = 0; i < ciphertext.length ; i ++) { -+ ciphertext[i]&=0xfe; -+ encryptedDesCBCBytes[i]&=0xfe; -+ } -+ if ( Arrays.equals(ciphertext, encryptedDesCBCBytes)) { -+ System.out.println("PASSED: derived key the same as encrypted data."); -+ } else { -+ -+ System.out.println("FAILED: derived key not the same as encrypted data."); -+ } -+ } -+ -+ /*****************************************************************************************************/ -+ -+ System.out.println("\n Mechanism CKM_DES3_CBC_ENCRYPT_DATA test. 
\n"); -+ -+ SymmetricKeyDeriver encryptDes3CBC = token.getSymmetricKeyDeriver(); -+ -+ encryptDes3CBC.initDerive( -+ baseKey, /* PKCS11Constants.CKM_DES3_CBC_ENCRYPT_DATA */ 4355L ,derivationData16 ,iv8, -+ PKCS11Constants.CKM_DES3_CBC, PKCS11Constants.CKA_DERIVE,(long) 16); -+ -+ -+ SymmetricKey encryptedDes3CBC = encryptDes3CBC.derive(); -+ -+ if ( encryptedDes3CBC == null) { -+ System.out.println("Failed to derive 16 bytes from encrypted derivation data."); -+ } -+ -+ byte[] encryptedDes3CBCBytes = encryptedDes3CBC.getEncoded(); -+ -+ System.out.println("derived encrypted 16 bytes: " + encryptedDes3CBCBytes.length); -+ displayByteArray(encryptedDes3CBCBytes,true); -+ -+ -+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.DES3_CBC); -+ cipher.initEncrypt(baseKey,new IVParameterSpec(iv8)); -+ ciphertext = cipher.doFinal(derivationData16); -+ displayByteArray(ciphertext,true); -+ -+ if ( ciphertext.length != encryptedDes3CBCBytes.length ) { -+ System.out.println("FAILED: encrypted data length not equal to derived key length."); -+ } else { -+ for ( int i = 0; i < ciphertext.length ; i ++) { -+ ciphertext[i]&=0xfe; -+ encryptedDes3CBCBytes[i]&=0xfe; -+ } -+ if ( Arrays.equals(ciphertext, encryptedDes3CBCBytes)) { -+ System.out.println("PASSED: derived key the same as encrypted data."); -+ } else { -+ -+ System.out.println("FAILED: derived key not the same as encrypted data."); -+ } -+ } -+ -+ /*****************************************************************************************************/ -+ -+ System.out.println("\n Mechanism CKM_AES_ECB_ENCRYPT_DATA test. 
\n"); -+ -+ SymmetricKeyDeriver encryptAESECB = token.getSymmetricKeyDeriver(); -+ -+ //System.in.read(); -+ encryptAESECB.initDerive( -+ baseKeyAES, /* PKCS11Constants.CKM_AES_ECB_ENCRYPT_DATA */ 4356L ,derivationData16 ,null, -+ PKCS11Constants.CKM_AES_ECB, PKCS11Constants.CKA_DERIVE,(long) 16); -+ -+ -+ SymmetricKey encryptedAESECB = encryptAESECB.derive(); -+ -+ if ( encryptedAESECB == null) { -+ System.out.println("Failed to derive 16 bytes from encrypted derivation data."); -+ } -+ -+ byte[] encryptedAESECBBytes = encryptedAESECB.getEncoded(); -+ -+ System.out.println("derived encrypted 16 bytes: " + encryptedAESECBBytes.length); -+ displayByteArray(encryptedAESECBBytes,true); -+ -+ -+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.AES_128_ECB); -+ cipher.initEncrypt(baseKeyAES); -+ ciphertext = cipher.doFinal(derivationData16); -+ displayByteArray(ciphertext,true); -+ -+ if ( ciphertext.length != encryptedAESECBBytes.length ) { -+ System.out.println("FAILED: encrypted data length not equal to derived key length."); -+ } else { -+ for ( int i = 0; i < ciphertext.length ; i ++) { -+ ciphertext[i]&=0xfe; -+ encryptedAESECBBytes[i]&=0xfe; -+ } -+ if ( Arrays.equals(ciphertext, encryptedAESECBBytes)) { -+ System.out.println("PASSED: derived key the same as encrypted data."); -+ } else { -+ -+ System.out.println("FAILED: derived key not the same as encrypted data."); -+ } -+ } -+ -+ -+ /*****************************************************************************************************/ -+ -+ System.out.println("\n Mechanism CKM_AES_CBC_ENCRYPT_DATA test. 
\n"); -+ -+ SymmetricKeyDeriver encryptAESCBC= token.getSymmetricKeyDeriver(); -+ -+ //System.in.read(); -+ encryptAESCBC.initDerive( -+ baseKeyAES, /* PKCS11Constants.CKM_AES_CBC_ENCRYPT_DATA */ 4357L ,derivationData16 ,iv16, -+ PKCS11Constants.CKM_AES_CBC, PKCS11Constants.CKA_DERIVE,(long) 16); -+ -+ -+ SymmetricKey encryptedAESCBC = encryptAESCBC.derive(); -+ -+ if ( encryptedAESCBC == null) { -+ System.out.println("Failed to derive 16 bytes from encrypted derivation data."); -+ } -+ -+ byte[] encryptedAESCBCBytes = encryptedAESCBC.getEncoded(); -+ -+ System.out.println("derived encrypted 16 bytes: " + encryptedAESCBCBytes.length); -+ displayByteArray(encryptedAESCBCBytes,true); -+ -+ -+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.AES_128_CBC); -+ cipher.initEncrypt(baseKeyAES,new IVParameterSpec(iv16)); -+ ciphertext = cipher.doFinal(derivationData16); -+ displayByteArray(ciphertext,true); -+ -+ if ( ciphertext.length != encryptedAESCBCBytes.length ) { -+ System.out.println("FAILED: encrypted data length not equal to derived key length."); -+ } else { -+ for ( int i = 0; i < ciphertext.length ; i ++) { -+ ciphertext[i]&=0xfe; -+ encryptedAESCBCBytes[i]&=0xfe; -+ } -+ if ( Arrays.equals(ciphertext, encryptedAESCBCBytes)) { -+ System.out.println("PASSED: derived key the same as encrypted data."); -+ } else { -+ -+ System.out.println("FAILED: derived key not the same as encrypted data."); -+ } -+ } -+ -+ // get vector of symkeys -+ -+ Enumeration ect = null; -+ ect = (Enumeration) cm.getAllTokens(); -+ CryptoToken ct = null; //ct = cm.getTokenByName("ePass Token"); -+ while (ect.hasMoreElements()) -+ { -+ ct = ect.nextElement(); -+ System.out.println("CryptoToken.name= " + ct.getName()); -+ } -+ -+ SymmetricKey[] keys = keyToken.getCryptoStore().getSymmetricKeys(); -+ -+ SymmetricKey macKey = getSymKeyByName(keys, "defKeySet-macKey"); -+ -+ System.out.println("macKey: " + macKey); -+ -+ } catch(Exception e) { -+ e.printStackTrace(); -+ } -+ } -+ -+ 
public static void -+ displayByteArray(byte[] ba, boolean has_check_sum) { -+ char mask = 0xff; -+ -+ if ( has_check_sum == true ) -+ mask = 0xfe; -+ -+ for(int i=0; i < ba.length; i++) { -+ -+ System.out.print( Integer.toHexString(ba[i]&mask) + " " ); -+ if( (i % 26) == 25 ) { -+ System.out.println(""); -+ } -+ } -+ System.out.println(""); -+ } -+ -+ public static byte[] longToBytes(long x) { -+ ByteBuffer buffer = ByteBuffer.allocate(8); -+ buffer.putLong(x); -+ return buffer.array(); -+ } -+ -+ public static byte[] concatByteArrays(byte[] a, byte[] b) { -+ byte[] result = new byte[a.length + b.length]; -+ System.arraycopy(a, 0, result, 0, a.length); -+ System.arraycopy(b, 0, result, a.length, b.length); -+ return result; -+ } -+ -+ public static SymmetricKey getSymKeyByName( SymmetricKey[] keys, String name) { -+ if ( keys == null || name == null ) { -+ return null; -+ } -+ -+ int len = keys.length; -+ for(int i = 0 ; i < len ; i++ ) { -+ SymmetricKey cur = keys[i]; -+ if ( cur != null ) { -+ if( name.equals(cur.getNickName())) { -+ System.out.println("Found key: " + name + "\n"); -+ return cur; -+ } -+ } -+ } -+ -+ return null; -+ } -+} -diff -up ./mozilla/security/jss/org/mozilla/jss/util/java_ids.h.jmagne ./mozilla/security/jss/org/mozilla/jss/util/java_ids.h ---- ./mozilla/security/jss/org/mozilla/jss/util/java_ids.h.jmagne 2016-04-14 16:34:36.729287416 -0700 -+++ ./mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2016-04-14 16:34:45.608226163 -0700 -@@ -243,6 +243,7 @@ PR_BEGIN_EXTERN_C - */ - #define PK11SYMKEY_CLASS_NAME "org/mozilla/jss/pkcs11/PK11SymKey" - #define PK11SYMKEY_CONSTRUCTOR_SIG "([B)V" -+#define PK11SYMKEY_CONSTRUCTOR_1_SIG "([BLjava/lang/String;)V" - - /* - * PK11Token diff --git a/SOURCES/jss-undo-BadPaddingException-deprecation.patch b/SOURCES/jss-undo-BadPaddingException-deprecation.patch deleted file mode 100644 index 1b372a7..0000000 --- a/SOURCES/jss-undo-BadPaddingException-deprecation.patch +++ /dev/null 
@@ -1,13 +0,0 @@
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java 2004-04-25 08:02:21.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java 2012-03-30 16:17:30.748371000 -0700
-@@ -35,9 +35,6 @@
- * ***** END LICENSE BLOCK ***** */
- package org.mozilla.jss.crypto;
-
--/**
-- * @deprecated Use javax.crypto.BadPaddingException.
-- */
- public class BadPaddingException extends Exception {
- public BadPaddingException() {
- super();
diff --git a/SOURCES/jss-undo-JCA-deprecations.patch b/SOURCES/jss-undo-JCA-deprecations.patch
deleted file mode 100644
index a51c51a..0000000
--- a/SOURCES/jss-undo-JCA-deprecations.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2012-03-20 16:30:26.570338000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2012-03-20 16:39:59.083196000 -0700
-@@ -49,7 +49,6 @@ import org.mozilla.jss.util.Assert;
- * it is not necessary to call update if all of the data is
- * available at once. In this case, all of the input can be processed with one
- * call to doFinal.
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
- */
- public abstract class Cipher {
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2012-03-20 16:30:26.587338000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2012-03-20 16:41:54.792964000 -0700
-@@ -60,7 +60,6 @@ public interface CryptoToken {
- * @param algorithm The algorithm used for the signing/verification.
- * @exception java.security.NoSuchAlgorithmException If the given
- * algorithm is not supported by this provider.
-- * @deprecated Use the JCA interface instead ({@link java.security.Signature})
- */
- public abstract org.mozilla.jss.crypto.Signature
- getSignatureContext(SignatureAlgorithm algorithm)
-@@ -73,7 +72,6 @@ public interface CryptoToken {
- * @param algorithm The algorithm used for digesting.
- * @exception java.security.NoSuchAlgorithmException If this provider
- * does not support the given algorithm.
-- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest})
- */
- public abstract JSSMessageDigest
- getDigestContext(DigestAlgorithm algorithm)
-@@ -89,15 +87,11 @@ public interface CryptoToken {
- * @param algorithm The algorithm used for encryption/decryption.
- * @exception java.security.NoSuchAlgorithmException If this provider
- * does not support the given algorithm.
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
- */
- public abstract Cipher
- getCipherContext(EncryptionAlgorithm algorithm)
- throws java.security.NoSuchAlgorithmException, TokenException;
-
-- /**
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
-- */
- public abstract KeyWrapper
- getKeyWrapper(KeyWrapAlgorithm algorithm)
- throws java.security.NoSuchAlgorithmException, TokenException;
-@@ -123,7 +117,6 @@ public interface CryptoToken {
- * @param algorithm The algorithm that the keys will be used with.
- * @exception java.security.NoSuchAlgorithmException If this token does not
- * support the given algorithm.
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator})
- */
- public abstract KeyGenerator
- getKeyGenerator(KeyGenAlgorithm algorithm)
-@@ -136,7 +129,6 @@ public interface CryptoToken {
- * cannot be extracted from the current token.
- * @exception InvalidKeyException If the owning token cannot process
- * the key to be cloned.
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.SecretKeyFactory})
- */
- public SymmetricKey cloneKey(SymmetricKey key)
- throws SymmetricKey.NotExtractableException,
-@@ -151,7 +143,6 @@ public interface CryptoToken {
- * DSA, EC, etc.)
- * @exception java.security.NoSuchAlgorithmException If this token does
- * not support the given algorithm.
-- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})
- */
- public abstract KeyPairGenerator
- getKeyPairGenerator(KeyPairAlgorithm algorithm)
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2012-03-20 16:30:26.595338000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2012-03-20 16:38:31.987370000 -0700
-@@ -41,7 +41,6 @@ import java.security.InvalidKeyException
-
- /**
- * A class for performing message digesting (hashing) and MAC operations.
-- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest})
- */
- public abstract class JSSMessageDigest {
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java 2004-04-25 08:02:21.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java 2012-03-20 16:39:02.938308000 -0700
-@@ -38,7 +38,6 @@ package org.mozilla.jss.crypto;
-
- /**
- * An interface for secure random numbers.
-- * @deprecated Use the JCA interface instead ({@link java.security.SecureRandom})
- */
- public interface JSSSecureRandom {
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java 2005-11-14 14:15:06.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java 2012-03-20 16:39:19.687274000 -0700
-@@ -43,7 +43,6 @@ import java.io.CharConversionException;
-
- /**
- * Generates symmetric keys for encryption and decryption.
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator})
- */
- public interface KeyGenerator {
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2012-03-20 16:30:25.755340000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2012-03-20 16:38:03.635426000 -0700
-@@ -49,7 +49,6 @@ import java.security.spec.AlgorithmParam
- * keygenOnInternalToken to find out if this is happening.
- *
- * @see org.mozilla.jss.crypto.CryptoToken#getKeyPairGenerator
-- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})
- */
- public class KeyPairGenerator {
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2004-04-25 08:02:21.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2012-03-20 16:39:40.551232000 -0700
-@@ -40,9 +40,6 @@ import java.security.InvalidAlgorithmPar
- import java.security.PublicKey;
- import java.security.InvalidKeyException;
-
--/**
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
-- */
- public interface KeyWrapper {
-
- public void initWrap(SymmetricKey wrappingKey,
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java 2004-04-25 08:02:21.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java 2012-03-20 16:38:46.468340000 -0700
-@@ -44,7 +44,6 @@ import java.security.spec.AlgorithmParam
- * Instances of this class can be obtain from CryptoTokens.
- *
- * @see org.mozilla.jss.crypto.CryptoToken#getSignatureContext
-- * @deprecated Use the JCA interface instead ({@link java.security.Signature})
- */
- public class Signature {
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java 2005-11-23 15:40:26.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java 2012-03-20 16:35:13.653766000 -0700
-@@ -37,15 +37,10 @@
-
- /* This program demonstrates how to sign data with keys from JSS
- *
-- * Most of this code is deprecated look at JCASigTest.java
-- *
- * The token name can be either the name of a hardware token, or
- * one of the internal tokens:
- * Internal Crypto Services Token
- * Internal Key Storage Token (keys stored in key3.db)
-- *
-- * @see org.mozilla.jss.tests.JCASigTest
-- * @deprecated Use the JCA interface instead
- */
-
- package org.mozilla.jss.tests;
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl 2007-12-20 10:38:44.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl 2012-03-20 16:36:37.711598000 -0700
-@@ -534,6 +534,10 @@ $testname = "Mozilla-JSS JCA Signature "
- $command = "$java -cp $jss_classpath org.mozilla.jss.tests.JCASigTest $testdir $pwfile";
- run_test($testname, $command);
-
-+$testname = "Mozilla-JSS NSS Signature ";
-+$command = "$java -cp $jss_classpath org.mozilla.jss.tests.SigTest $testdir $pwfile";
-+run_test($testname, $command);
-+
- $testname = "Secret Decoder Ring";
- $command = "$java -cp $jss_classpath org.mozilla.jss.tests.TestSDR $testdir $pwfile";
- run_test($testname, $command);
diff --git a/SOURCES/jss-wrapInToken.patch b/SOURCES/jss-wrapInToken.patch
deleted file mode 100644
index 697895f..0000000
--- a/SOURCES/jss-wrapInToken.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-10-18 09:16:08.362000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-10-19 17:55:01.162000000 -0700
-@@ -283,8 +283,9 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- status = PK11_WrapPrivKey(slot, wrapping, toBeWrapped, mech, param,
- &wrapped, NULL /* wincx */ );
- if(status != SECSuccess) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION,
-- "Wrapping operation failed on token");
-+ char err[256] = {0};
-+ PR_snprintf(err, 256, "Wrapping operation failed on token:%d", PR_GetError());
-+ JSS_throwMsg(env, TOKEN_EXCEPTION, err);
- goto finish;
- }
- PR_ASSERT(wrapped.len>0 && wrapped.data!=NULL);
-@@ -328,11 +329,15 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- int numAttribs = 0;
- CK_TOKEN_INFO tokenInfo;
-
-+ /* ideal defaults */
- PRBool isSensitive = PR_TRUE;
- PRBool isExtractable = PR_FALSE;
-- /* special case nethsm*/
-+
-+ /* special case nethsm and lunasa*/
- CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
-+ CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'};
- PRBool isNethsm = PR_TRUE;
-+ PRBool isLunasa = PR_TRUE;
-
- if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
- /* exception was thrown */
-@@ -347,9 +352,17 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- break;
- }
- }
-+ ix = 0;
-+ for(ix=0; ix < 4; ix++) {
-+ if (tokenInfo.label[ix] != lunasaLabel[ix]) {
-+ isLunasa = PR_FALSE;
-+ break;
-+ }
-+ }
-
- } else {
- isNethsm = PR_FALSE;
-+ isLunasa = PR_FALSE;
- }
-
- /* get unwrapping key */
-@@ -412,23 +425,25 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- }
- keyType = PK11_GetKeyType(keyTypeMech, 0);
-
-+ /* special case nethsm and lunasa*/
- if( isNethsm ) {
- isSensitive = PR_FALSE;
- isExtractable = PR_FALSE;
-+ } else if ( isLunasa) {
-+ isSensitive = PR_FALSE;
-+ isExtractable = PR_TRUE;
- }
-
--setAttrs:
- /* figure out which operations to enable for this key */
- switch (keyType) {
- case CKK_RSA:
-+ numAttribs = 3;
- attribs[0] = CKA_SIGN;
- attribs[1] = CKA_SIGN_RECOVER;
- attribs[2] = CKA_UNWRAP;
- if (isExtractable) {
- attribs[3] = CKA_EXTRACTABLE;
- numAttribs = 4;
-- } else {
-- numAttribs = 3;
- }
- break;
- case CKK_DSA:
-@@ -459,7 +474,9 @@ setAttrs:
- &label, pubValue, token, isSensitive /*sensitive*/, keyType,
- attribs, numAttribs, NULL /*wincx*/);
- if( privk == NULL ) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token");
-+ char err[256] = {0};
-+ PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError());
-+ JSS_throwMsg(env, TOKEN_EXCEPTION, err);
- goto finish;
- }
-
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfu 2011-10-18 15:29:50.597000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2011-10-18 15:49:40.073000000 -0700
-@@ -322,10 +322,13 @@ final class PK11KeyWrapper implements Ke
- throw new InvalidKeyException("key to be wrapped is not a "+
- "PKCS #11 key");
- }
-+/* NSS is capable of moving keys appropriately,
-+ so this call is prematurely bailing
- if( ! symKey.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("key to be wrapped does not live"+
- " on the same token as the wrapping key");
- }
-+*/
- }
-
- /**
-@@ -340,10 +343,13 @@ final class PK11KeyWrapper implements Ke
- throw new InvalidKeyException("key to be wrapped is not a "+
- "PKCS #11 key");
- }
-+/* NSS is capable of moving keys appropriately,
-+ so this call is prematurely bailing
- if( ! privKey.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("key to be wrapped does not live"+
- " on the same token as the wrapping key");
- }
-+*/
- }
-
- /**
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.cfu 2011-10-18 14:34:32.148000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-10-18 14:35:20.402000000 -0700
-@@ -135,10 +135,13 @@ public final class PK11Token implements
- getKeyWrapper(KeyWrapAlgorithm algorithm)
- throws NoSuchAlgorithmException, TokenException
- {
-+/* NSS is capable of finding the right token to do algorithm,
-+ so this call is prematurely bailing
- if( ! doesAlgorithm(algorithm) ) {
- throw new NoSuchAlgorithmException(
- algorithm+" is not supported by this token");
- }
-+*/
- return new PK11KeyWrapper(this, algorithm);
- }
-
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.cfu 2011-10-18 09:24:13.796001000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java 2011-10-18 15:41:24.687000000 -0700
-@@ -243,7 +243,7 @@ public class EncryptedPrivateKeyInfo imp
- }
-
- KeyWrapper wrapper = token.getKeyWrapper(
-- KeyWrapAlgorithm.DES3_CBC);
-+ KeyWrapAlgorithm.DES3_CBC_PAD);
- wrapper.initWrap(key, params);
- byte encrypted[] = wrapper.wrap(pri);
-
-@@ -260,6 +260,7 @@ public class EncryptedPrivateKeyInfo imp
- return epki;
-
- } catch (Exception e) {
-+ System.out.println("createPBE: exception:"+e.toString());
- Assert.notReached("EncryptedPrivateKeyInfo exception:"
- +".createPBE");
- }
diff --git a/SPECS/jss.spec b/SPECS/jss.spec
index cc130dc..07214f3 100644
--- a/SPECS/jss.spec
+++ b/SPECS/jss.spec
@@ -1,60 +1,39 @@ Name: jss -Version: 4.2.6 -Release: 42%{?dist} +Version: 4.4.0 +Release: 7%{?dist} Summary: Java Security Services (JSS) Group: System Environment/Libraries License: MPLv1.1 or GPLv2+ or LGPLv2+ URL: http://www.mozilla.org/projects/security/pki/jss/ -# The source for this package was pulled from upstream's cvs. Use the +# The source for this package was pulled from upstream's hg. Use the # following commands to generate the tarball: -# cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot export -r JSS_4_2_6_RTM -d jss-4.2.6 -N mozilla/security/coreconf mozilla/security/jss -# tar -czvf jss-4.2.6.tar.gz jss-4.2.6 -Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/%{name}-%{version}.tar.gz -Source1: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/MPL-1.1.txt -Source2: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/gpl.txt -Source3: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/lgpl.txt +# +# hg clone https://hg.mozilla.org/projects/jss +# cd jss +# hg archive --prefix jss-4.4.0/jss/ ../jss-4.4.0.tar.gz +# +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{name}-%{version}.tar.gz +Source1: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/MPL-1.1.txt +Source2: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/gpl.txt +Source3: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/lgpl.txt BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildRequires: nss-devel >= 3.21.0 -BuildRequires: nspr-devel >= 4.11.0 +Conflicts: idm-console-framework < 1.1.17-4 +Conflicts: pki-base < 10.4.0 +Conflicts: tomcatjss < 7.2.1 + +BuildRequires: nss-devel >= 3.28.4-6 +BuildRequires: nspr-devel >= 4.13.1 BuildRequires: java-devel -Requires: java -Requires: nss >= 3.21.0 - -Patch1: jss-key_pair_usage_with_op_flags.patch -Patch2: jss-javadocs-param.patch -Patch3: 
jss-ipv6.patch -Patch4: jss-ECC-pop.patch -Patch5: jss-loadlibrary.patch -Patch6: jss-ocspSettings.patch -Patch7: jss-ECC_keygen_byCurveName.patch -Patch8: jss-VerifyCertificate.patch -Patch9: jss-bad-error-string-pointer.patch -Patch10: jss-VerifyCertificateReturnCU.patch -#Patch11: jss-slots-not-freed.patch -Patch12: jss-ECC-HSM-FIPS.patch -Patch13: jss-eliminate-native-compiler-warnings.patch -Patch14: jss-eliminate-java-compiler-warnings.patch -Patch15: jss-PKCS12-FIPS.patch -Patch16: jss-eliminate-native-coverity-defects.patch -Patch17: jss-PBE-PKCS5-V2-secure-P12.patch -Patch18: jss-wrapInToken.patch -Patch19: jss-HSM-manufacturerID.patch -Patch20: jss-ECC-Phase2KeyArchivalRecovery.patch -Patch21: jss-undo-JCA-deprecations.patch -Patch22: jss-undo-BadPaddingException-deprecation.patch -Patch23: jss-fixed-build-issue-on-F17-or-newer.patch -Patch24: jss-SHA-OID-fix.patch -Patch25: jss-RC4-strengh-verify.patch -Patch26: jss-support-TLS1_1-TLS1_2.patch -Patch27: jss-WindowsCompileFix.patch -Patch28: jss-WindowsLoadLibrary.patch -Patch29: jss-Fixed-build-failures.patch -Patch30: jss-VerifyCertificate-enhancement.patch -Patch31: jss-lunasaUnwrap.patch -Patch32: jss-symkey-enhancements.patch -Patch33: jss-crmf-envelopedData.patch +%if 0%{?fedora} >= 25 +BuildRequires: perl +%endif +Requires: java-headless +Requires: nss >= 3.28.4-6 + +Patch1: jss-post-rebase.patch +Patch2: jss-rhel-7-4-beta.patch %description Java Security Services (JSS) is a java native interface which provides a bridge 
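Review bot: The tarball recipe in the new header comment (`hg clone https://hg.mozilla.org/projects/jss`, then `hg archive --prefix jss-4.4.0/jss/ ../jss-4.4.0.tar.gz`) names no revision or tag, so it archives whatever the repository tip happens to be and cannot be used to reproduce or audit the 4.4.0 tarball whose checksum is recorded in `.jss.metadata`. Pin it, e.g. `# hg archive -r <RELEASE_TAG> --prefix jss-4.4.0/jss/ ../jss-4.4.0.tar.gz`, with the actual upstream tag filled in. Separately, the rewritten `Source0`–`Source3` lines still use `http://pki.fedoraproject.org/...`; if that host serves HTTPS, switching the scheme would keep anyone refetching the sources off an unauthenticated transport.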
@@ -70,47 +49,22 @@ Requires: jss = %{version}-%{release} This package contains the API documentation for JSS. %prep -%setup -q +%setup -q -n %{name}-%{version} +pushd jss %patch1 -p1 %patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -#%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 -%patch27 -p1 -%patch28 -p1 -%patch29 -p1 -%patch30 -p1 -%patch31 -p1 -%patch32 -p1 -%patch33 -p1 +popd %build [ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java +[ -z "$USE_INSTALLED_NSPR" ] && export USE_INSTALLED_NSPR=1 +[ -z "$USE_INSTALLED_NSS" ] && export USE_INSTALLED_NSS=1 # Enable compiler optimizations and disable debugging code -BUILD_OPT=1 -export BUILD_OPT +# NOTE: If you ever need to create a debug build with optimizations disabled +# just comment out this line and change in the %%install section below the +# line that copies jars xpclass.jar to be xpclass_dbg.jar +export BUILD_OPT=1 # Generate symbolic info for debuggers XCFLAGS="-g $RPM_OPT_FLAGS" 
@@ -133,31 +87,22 @@ export NSPR_LIB_DIR export NSS_INCLUDE_DIR export NSS_LIB_DIR -%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 +%if 0%{?__isa_bits} == 64 USE_64=1 export USE_64 %endif -%if 0%{?fedora} >= 16 -cp -p mozilla/security/coreconf/Linux2.6.mk mozilla/security/coreconf/Linux3.1.mk -sed -i -e 's;LINUX2_1;LINUX3_1;' mozilla/security/coreconf/Linux3.1.mk - -cp -p mozilla/security/coreconf/Linux3.1.mk mozilla/security/coreconf/Linux3.2.mk -sed -i -e 's;LINUX3_1;LINUX3_2;' mozilla/security/coreconf/Linux3.2.mk - -cp -p mozilla/security/coreconf/Linux3.2.mk mozilla/security/coreconf/Linux3.6.mk -sed -i -e 's;LINUX3_1;LINUX3_6;' mozilla/security/coreconf/Linux3.6.mk -%endif - # The Makefile is not thread-safe -make -C mozilla/security/coreconf -make -C mozilla/security/jss -make -C mozilla/security/jss javadoc +make -C jss/coreconf +make -C jss +make -C jss javadoc + +%check %install rm -rf $RPM_BUILD_ROOT docdir -# Copy the license files here so we can include them in %doc +# Copy the license files here so we can include them in %%doc cp -p %{SOURCE1} . cp -p %{SOURCE2} . cp -p %{SOURCE3} . 
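Review bot: The `%check` section added after the three `make` calls is empty, so the rebased 4.4.0 library and the two new downstream patches are packaged without any test being run at build time. If the upstream test suite cannot run in the build root, record that in place with a comment such as `# Tests are not run here: <reason>`; otherwise invoke it from this section so that a broken JSS/NSS binding fails the build instead of shipping.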
@@ -165,31 +110,23 @@ cp -p %{SOURCE3} . # There is no install target so we'll do it by hand # jars -%if 0%{?fedora} >= 16 -install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir} -install -m 644 mozilla/dist/xpclass.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar -%else -install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss -install -m 644 mozilla/dist/xpclass.jar ${RPM_BUILD_ROOT}%{_libdir}/jss/jss4-%{version}.jar -ln -fs jss4-%{version}.jar $RPM_BUILD_ROOT%{_libdir}/jss/jss4.jar - install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir} -ln -fs %{_libdir}/jss/jss4.jar $RPM_BUILD_ROOT%{_jnidir}/jss4.jar -%endif +# NOTE: if doing a debug no opt build change xpclass.jar to xpclass_dbg.jar +install -m 644 dist/xpclass.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar # We have to use the name libjss4.so because this is dynamically # loaded by the jar file. install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss -install -m 0755 mozilla/dist/Linux*.OBJ/lib/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/ -%if 0%{?fedora} >= 16 +install -m 0755 dist/Linux*.OBJ/lib/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/ pushd ${RPM_BUILD_ROOT}%{_libdir}/jss ln -fs %{_jnidir}/jss4.jar jss4.jar popd -%endif # javadoc install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} -cp -rp mozilla/dist/jssdoc/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} +cp -rp dist/jssdoc/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} +cp -p jss/jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} +cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} %clean rm -rf $RPM_BUILD_ROOT 
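Review bot: The added `cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}` copies every `.txt` file present in the build directory, not only the three licence files that were copied in from `%{SOURCE1}`–`%{SOURCE3}` just above. Naming them keeps the javadoc payload predictable if the tarball or a patch ever drops another text file there: `cp -p MPL-1.1.txt gpl.txt lgpl.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}`.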
@@ -197,21 +134,115 @@ rm -rf $RPM_BUILD_ROOT
 # No ldconfig is required since this library is loaded by Java itself.
 %files
 %defattr(-,root,root,-)
-%doc mozilla/security/jss/jss.html MPL-1.1.txt gpl.txt lgpl.txt
+%doc jss/jss.html MPL-1.1.txt gpl.txt lgpl.txt
 %{_libdir}/jss/*
 %{_jnidir}/*
+%{_libdir}/jss/lib*.so
 %files javadoc
 %defattr(-,root,root,-)
 %dir %{_javadocdir}/%{name}-%{version}
 %{_javadocdir}/%{name}-%{version}/*
-
 %changelog
+* Tue May 9 2017 Matthew Harmsen - 4.4.0-7
+- Bump NSS dependencies from 4.28.3 to 4.28.4-6 to pick-up fix in
+ Mozilla Bugzilla #1360207 - Fix incorrect if (ss->...) in SSL_ReconfigFD
+
+* Mon May 1 2017 Matthew Harmsen - 4.4.0-6
+- Mozilla Bugzilla #1352476 - RFE: Document on the README how to create a
+ release tag (mharmsen)
+- Mozilla Bugzilla #1355358 - CryptoStore: add methods for importing and
+ exporting EncryptedPrivateKeyInfo (ftweedal)
+- Mozilla Bugzilla #1359731 - CryptoStore.importPrivateKey enhancements
+ (ftweedal)
+
+* Mon Apr 17 2017 Matthew Harmsen - 4.4.0-5
+- Mozilla Bugzilla #1355268 - JSS 4.4 is incompatible with versions of
+ idm-console-framework < 1.1.17-4
+- Red Hat Bugzilla #1435076 - Remove unused legacy lines from JSS spec files
+
+* Mon Mar 27 2017 Matthew Harmsen - 4.4.0-4
+- Bugzilla Bug #1394414 - Rebase jss to 4.4.0 in RHEL 7.4
+- Updated build requirements for NSPR
+- Updated build and runtime requirements for NSS
+- ## 'jss-post-rebase.patch' resolves the following issues ported from
+ ## upstream:
+- Mozilla Bugzilla #1337092 - CMC conformance update: Implement required ASN.1
+ code for RFC5272+ (cfu)
+- Mozilla Bugzilla #1347394 - Eclipse project files for JSS (edewata)
+- Mozilla Bugzilla #1347429 - Deprecated SSL 3.0 cipher names in SSLSocket
+ class. (edewata)
+- Mozilla Bugzilla #1348856 - SSL alert callback (edewata)
+- Mozilla Bugzilla #1349278 - SSL cipher enumeration (edewata)
+- Mozilla Bugzilla #1349349 - Problem with Password.readPasswordFromConsole().
+ (edewata)
+- Mozilla Bugzilla #1349831 - Revise top-level README file (mharmsen)
+- Mozilla Bugzilla #1349836 - Changes to JSS Version Block (mharmsen)
+- Mozilla Bugzilla #1350130 - Missing
+ CryptoManager.verifyCertificateNowCUNative() implementation. (emaldona)
+
+* Tue Mar 21 2017 Matthew Harmsen - 4.4.0-3
+- Added Conflicts statement due to incompatibility with pki-base < 10.4.0
+
+* Wed Mar 15 2017 Matthew Harmsen - 4.4.0-2
+- Added Conflicts statement due to incompatibility with tomcatjss < 7.2.1
+
+* Mon Mar 13 2017 Elio Maldonado - 4.4.0-1
+- Bugzilla Bug #1394414 - Rebase jss to 4.4.0 in RHEL 7.4
+- ## JSS 4.4.0 includes the following patches ported from downstream:
+- Mozilla Bugzilla #507536 - Add IPv6 functionality to JSS
+- Mozilla Bugzilla #1307872 - Expose NSS calls for OCSP settings
+- Mozilla Bugzilla #1307882 - RFE ecc - add ecc curve name support in JSS and
+ CS interface
+- Mozilla Bugzilla #1307993 - Expose updated certificate verification function
+ in JSS
+- Mozilla Bugzilla #1308000 - Incorrect socket accept error message due to bad
+ pointer arithmetic
+- Mozilla Bugzilla #1308001 - Verification should fail when a revoked
+ certificate is added
+- Mozilla Bugzilla #1308004 - Warnings should be cleaned up in JSS build
+- Mozilla Bugzilla #1308006 - DRM failed to recovery keys when in FIPS mode
+ (HSM + NSS)
+- Mozilla Bugzilla #1308008 - Defects revealed by Coverity scan
+- Mozilla Bugzilla #1308009 - Add support for PKCS5v2; support for secure PKCS12
+- Mozilla Bugzilla #1308012 - DRM: during archiving and recovering, wrapping
+ unwrapping keys should be done in the token
+- Mozilla Bugzilla #1308013 - JSS - HSM token name was mistaken for
+ manufacturer identifier
+- Mozilla Bugzilla #1308017 - Un-deprecate previously deprecated methods in
+ JSS 4.2.6
+- Mozilla Bugzilla #1308019 - Provide Tomcat support for TLS v1.1 and
+ TLS v1.2 via NSS through JSS
+- Mozilla Bugzilla #1308026 - JSS certificate validation does not pass up exact
+ error from NSS
+- Mozilla Bugzilla #1308027 - Merge pki-symkey into jss
+- Mozilla Bugzilla #1308029 - Resolve Javadoc build issues
+- Mozilla Bugzilla #1308047 - support ECC encryption key archival and recovery
+- Mozilla Bugzilla #1313122 - Remove bypass tests as latest NSS has removed
+ PKCS#11 bypass support
+- Mozilla Bugzilla #1328675 - Simple problem unwrapping AES sym keys on token
+- Mozilla Bugzilla #1345174 - Cannot create system certs when using LunaSA HSM
+ in FIPS Mode and ECC algorithms
+- Mozilla Bugzilla #1345613 - expose AES KeyWrap and add some useful OID
+ functions
+- Mozilla Bugzilla #1346410 - Load JSS libraries appropriately
+- ## JSS 4.4.0 includes the following changes for building and testing:
+- Mozilla Bugzilla #1331765 - Simplify JSS Makefile build and test
+- Mozilla Bugzilla #1346420 - Document steps required to use the proper
+ libjss4.so when running certain HMAC Algorithms tests
+
+* Wed Feb 22 2017 Jack Magne - 4.2.6-44
+- Bugzilla Bug #1425971 - Simple problem unwrapping AES sym keys on token
+
+* Fri Feb 10 2017 Fedora Release Engineering - 4.2.6-43
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
 * Tue Aug 9 2016 Christina Fu - 4.2.6-42
-- Sync up patches from both Fedora and RHEL; adding one patch
+- Sync up patches from both Fedora and RHEL; adding two patches
 (cfu, edewata, mharmsen) from RHEL:
-- Bugzilla Bug #1289799 - JSS build failure on F23 and Rawhide (edewata)
+- Bugzilla Bug #1238450 - UnsatisfiedLinkError on Windows (cfu)
+- make it compile on Windows platforms (cfu for nhosoi)
 * Fri Jun 24 2016 Christina Fu - 4.2.6-41
 - Bugzilla 1221295 jss fails to decode EncryptedKey >> EnvelopedData
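Review bot: The added `%{_libdir}/jss/lib*.so` entry in `%files` repeats what the `%{_libdir}/jss/*` glob two lines above it already packages, which rpmbuild normally reports as a file listed twice. Drop the new line, or replace the wildcard with explicit entries so the manifest states exactly what the package ships: `%dir %{_libdir}/jss`, `%{_libdir}/jss/libjss4.so`, `%{_libdir}/jss/jss4.jar`. Listing the directory with `%dir` would also make the package own it, so its mode and ownership are covered by `rpm -V`. The rest of this hunk is changelog text.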
@@ -225,13 +256,16 @@ rm -rf $RPM_BUILD_ROOT - PKI ticket 801 - Merge pki-symkey into jss (phase 1) (jmagne) -* Wed Jul 8 2015 Christina Fu - 4.2.6-37 -- Bugzilla Bug #1238450 - UnsatisfiedLinkError on Windows +* Wed Dec 09 2015 Endi Dewata - 4.2.6-38 +- Bugzilla Bug #1289799 - JSS build failure on F23 and Rawhide (edewata) + +* Thu Apr 09 2015 Marcin Juszkiewicz - 4.2.6-37 +- Fix use of __isa_bits macro so it does not fail during srpm generation on koji -* Fri Apr 24 2015 Christina Fu - 4.2.6-36 -- make it compile on Windows platforms (cfu for nhosoi) +* Thu Apr 09 2015 Marcin Juszkiewicz - 4.2.6-36 +- Use __isa_bits macro to check for 64-bit arch. Unblocks aarch64 and ppc64le. -* Mon Sep 29 2014 Christina Fu - 4.2.6-35 +* Tue Sep 30 2014 Christina Fu - 4.2.6-35 - Bugzilla Bug #1040640 - Incorrect OIDs for SHA2 algorithms (cfu for jnimeh@gmail.com) - Bugzilla Bug #1133718 - Key strength validation is not performed for RC4 @@ -239,14 +273,17 @@ rm -rf $RPM_BUILD_ROOT - Bugzilla Bug #816396 - Provide Tomcat support for TLS v1.1 and TLS v1.2 via NSS through JSS (cfu) -* Fri Jan 24 2014 Daniel Mach - 4.2.6-33 -- Mass rebuild 2014-01-24 +* Sat Aug 16 2014 Fedora Release Engineering - 4.2.6-34 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 4.2.6-33 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild -* Fri Dec 27 2013 Daniel Mach - 4.2.6-32 -- Mass rebuild 2013-12-27 +* Fri Mar 28 2014 Michael Simacek - 4.2.6-32 +- Use Requires: java-headless rebuild (#1067528) -* Wed Nov 13 2013 Christina Fu - 4.2.6-31 -- Bugzilla Bug #1028581 - jss fails to build on RHEL7 for non-x86 arch +* Sat Aug 03 2013 Fedora Release Engineering - 4.2.6-31 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild * Wed Jul 17 2013 Nathan Kinder - 4.2.6-30 - Bugzilla Bug #847120 - Unable to build JSS on F17 or newer