From c89ed93af63bc36f1d818a8b5215b847425e1636 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 10 2018 05:42:56 +0000 Subject: import jss-4.4.0-11.el7 --- diff --git a/SOURCES/jss-ObjectNotFoundException-message.patch b/SOURCES/jss-ObjectNotFoundException-message.patch new file mode 100644 index 0000000..0d61e26 --- /dev/null +++ b/SOURCES/jss-ObjectNotFoundException-message.patch @@ -0,0 +1,680 @@ +# HG changeset patch +# User "Endi S. Dewata" +# Date 1509154719 -7200 +# Sat Oct 28 03:38:39 2017 +0200 +# Node ID 19a0e2146a929173757e6ccbb61a035ec9426f43 +# Parent b1a3c3cc6b3584948d251d3bfcfe6630d8970db5 +Added certificate nickname into ObjectNotFoundException message. +The code that generates ObjectNotFoundException has been modified +to include the certificate nickname to help troubleshooting. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1408057 + +diff --git a/org/mozilla/jss/PK11Finder.c b/org/mozilla/jss/PK11Finder.c +--- a/org/mozilla/jss/PK11Finder.c ++++ b/org/mozilla/jss/PK11Finder.c +@@ -54,7 +54,9 @@ + cert = JSS_PK11_findCertAndSlotFromNickname(nick, NULL, &slot); + + if(cert == NULL) { +- JSS_nativeThrow(env, OBJECT_NOT_FOUND_EXCEPTION); ++ char *message = PR_smprintf("Certificate not found: %s", nick); ++ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, message); ++ PR_smprintf_free(message); + goto finish; + } + +@@ -1577,7 +1579,9 @@ + cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); + + if (cert == NULL) { +- JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); ++ char *message = PR_smprintf("Certificate not found: %s", nickname); ++ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, message); ++ PR_smprintf_free(message); + goto finish; + } else { + /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will +@@ -1640,7 +1644,9 @@ + cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); + + if (cert == NULL) { +- JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); ++ char *message = PR_smprintf("Certificate not found: %s", nickname); ++ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, message); ++ PR_smprintf_free(message); + goto finish; + } else { + /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to +@@ -1801,7 +1807,9 @@ + cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); + + if (cert == NULL) { +- JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); ++ char *message = PR_smprintf("Certificate not found: %s", nickname); ++ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, message); ++ PR_smprintf_free(message); + goto finish; + } else { + rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert, +# HG changeset patch +# User "Endi S. Dewata" +# Date 1509154819 -7200 +# Sat Oct 28 03:40:19 2017 +0200 +# Node ID 837c79476110ecd4bf6b507faad50edb9eed7e7e +# Parent 19a0e2146a929173757e6ccbb61a035ec9426f43 +Reformatted SocketBase.java. +The SocketBase.java has been auto-formatted using Eclipse to +simplify further changes on the file. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1408057 + +diff --git a/org/mozilla/jss/ssl/SocketBase.java b/org/mozilla/jss/ssl/SocketBase.java +--- a/org/mozilla/jss/ssl/SocketBase.java ++++ b/org/mozilla/jss/ssl/SocketBase.java +@@ -27,6 +27,7 @@ + int getTimeout() { + return timeout; + } ++ + void setTimeout(int timeout) { + this.timeout = timeout; + } +@@ -36,18 +37,17 @@ + } + + native byte[] socketCreate(Object socketObject, +- SSLCertificateApprovalCallback certApprovalCallback, +- SSLClientCertificateSelectionCallback clientCertSelectionCallback, +- java.net.Socket javaSock, String host,int family) ++ SSLCertificateApprovalCallback certApprovalCallback, ++ SSLClientCertificateSelectionCallback clientCertSelectionCallback, ++ java.net.Socket javaSock, String host, int family) + throws SocketException; + + byte[] socketCreate(Object socketObject, +- SSLCertificateApprovalCallback certApprovalCallback, +- SSLClientCertificateSelectionCallback clientCertSelectionCallback, int family) +- throws SocketException +- { ++ SSLCertificateApprovalCallback certApprovalCallback, ++ SSLClientCertificateSelectionCallback clientCertSelectionCallback, int family) ++ throws SocketException { + return socketCreate(socketObject, certApprovalCallback, +- clientCertSelectionCallback, null, null, family); ++ clientCertSelectionCallback, null, null, family); + } + + native void socketBind(byte[] addrBA, int port) throws SocketException; +@@ -57,7 +57,7 @@ + * safer than copying the values of the C constants, which are subject + * to change, into Java code. + * Note to developer these constants are not all related! i.e. you cannot +- * pass in PR_SHUTDOWN_RCV to setSSLOption etc! Check their usage ++ * pass in PR_SHUTDOWN_RCV to setSSLOption etc! Check their usage + * in NSS and NSPR before using. + */ + static final int SSL_ENABLE_SSL2 = 0; +@@ -73,7 +73,7 @@ + static final int SSL_POLICY_DOMESTIC = 10; + static final int SSL_POLICY_EXPORT = 11; + static final int SSL_POLICY_FRANCE = 12; +- static final int SSL_ROLLBACK_DETECTION = 13; ++ static final int SSL_ROLLBACK_DETECTION = 13; + static final int SSL_NO_STEP_DOWN = 14; + static final int SSL_ENABLE_FDX = 15; + static final int SSL_V2_COMPATIBLE_HELLO = 16; +@@ -98,7 +98,7 @@ + static final int SSL_Variant_Stream = 33; + static final int SSL_Variant_Datagram = 34; + +- static final int SSL_AF_INET = 50; ++ static final int SSL_AF_INET = 50; + static final int SSL_AF_INET6 = 51; + + void close() throws IOException { +@@ -106,7 +106,7 @@ + } + + // SSLServerSocket and SSLSocket close methods +- // have their own synchronization control that ++ // have their own synchronization control that + // protects SocketBase.socketClose. + native void socketClose() throws IOException; + +@@ -118,14 +118,13 @@ + } + + public void requestClientAuthNoExpiryCheck(boolean b) +- throws SocketException +- { ++ throws SocketException { + requestingClientAuth = b; + requestClientAuthNoExpiryCheckNative(b); + } + + private native void requestClientAuthNoExpiryCheckNative(boolean b) +- throws SocketException; ++ throws SocketException; + + void enableSSL2(boolean enable) throws SocketException { + setSSLOption(SSL_ENABLE_SSL2, enable); +@@ -144,8 +143,7 @@ + } + + void enableRenegotiation(int mode) +- throws SocketException +- { ++ throws SocketException { + setSSLOptionMode(SocketBase.SSL_ENABLE_RENEGOTIATION, mode); + } + +@@ -168,23 +166,21 @@ + void enableV2CompatibleHello(boolean enable) throws SocketException { + setSSLOption(SSL_V2_COMPATIBLE_HELLO, enable); + } +- ++ + void setSSLOption(int option, boolean on) +- throws SocketException +- { ++ throws SocketException { + setSSLOption(option, on ? 1 : 0); + } + +- /** +- * Sets SSL options for this socket that have simple ++ /** ++ * Sets SSL options for this socket that have simple + * enable/disable values. + */ + native void setSSLOption(int option, int on) +- throws SocketException; ++ throws SocketException; + + void setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range) +- throws SocketException +- { ++ throws SocketException { + setSSLVersionRange(range.getMinEnum(), range.getMaxEnum()); + } + +@@ -192,93 +188,101 @@ + * Sets SSL Version Range for this socket to support TLS v1.1 and v1.2 + */ + native void setSSLVersionRange(int min, int max) +- throws SocketException; ++ throws SocketException; + +- /** ++ /** + * Sets the SSL option setting mode value use for options + * that have more values than just enable/disable. + */ + native void setSSLOptionMode(int option, int option2) +- throws SocketException; ++ throws SocketException; + +- + /* return 0 for option disabled 1 for option enabled. */ + native int getSSLOption(int option) +- throws SocketException; +- ++ throws SocketException; ++ + public String getSSLOptions() { + StringBuffer buf = new StringBuffer(); + try { + buf.append("SSL Options configured for this SSLSocket:"); +- buf.append("\nSSL_ENABLE_SSL2" + +- ((getSSLOption(SocketBase.SSL_ENABLE_SSL2) != 0) +- ? "=on" : "=off")); +- buf.append("\nSSL_ENABLE_SSL3" + +- ((getSSLOption(SocketBase.SSL_ENABLE_SSL3) != 0) +- ? "=on" : "=off")); +- buf.append("\nSSL_ENABLE_TLS" + +- ((getSSLOption(SocketBase.SSL_ENABLE_TLS) != 0) +- ? "=on" : "=off")); +- buf.append("\nSSL_REQUIRE_CERTIFICATE"); ++ buf.append("\nSSL_ENABLE_SSL2" + ++ ((getSSLOption(SocketBase.SSL_ENABLE_SSL2) != 0) ++ ? "=on" ++ : "=off")); ++ buf.append("\nSSL_ENABLE_SSL3" + ++ ((getSSLOption(SocketBase.SSL_ENABLE_SSL3) != 0) ++ ? "=on" ++ : "=off")); ++ buf.append("\nSSL_ENABLE_TLS" + ++ ((getSSLOption(SocketBase.SSL_ENABLE_TLS) != 0) ++ ? "=on" ++ : "=off")); ++ buf.append("\nSSL_REQUIRE_CERTIFICATE"); + switch (getSSLOption(SocketBase.SSL_REQUIRE_CERTIFICATE)) { +- case 0: +- buf.append("=Never"); +- break; +- case 1: +- buf.append("=Always"); +- break; +- case 2: +- buf.append("=First Handshake"); +- break; +- case 3: +- buf.append("=No Error"); +- break; +- default: +- buf.append("=Report JSS Bug this option has a status."); +- break; ++ case 0: ++ buf.append("=Never"); ++ break; ++ case 1: ++ buf.append("=Always"); ++ break; ++ case 2: ++ buf.append("=First Handshake"); ++ break; ++ case 3: ++ buf.append("=No Error"); ++ break; ++ default: ++ buf.append("=Report JSS Bug this option has a status."); ++ break; + } //end switch +- buf.append("\nSSL_REQUEST_CERTIFICATE" + +- ((getSSLOption(SocketBase.SSL_REQUEST_CERTIFICATE) != 0) +- ? "=on" : "=off")); +- buf.append("\nSSL_NO_CACHE" + +- ((getSSLOption(SocketBase.SSL_NO_CACHE) != 0) +- ? "=on" : "=off")); +- buf.append("\nSSL_ROLLBACK_DETECTION" + +- ((getSSLOption(SocketBase.SSL_ROLLBACK_DETECTION) != 0) +- ? "=on" : "=off")); +- buf.append("\nSSL_NO_STEP_DOWN" + +- ((getSSLOption(SocketBase.SSL_NO_STEP_DOWN) != 0) +- ? "=on" : "=off")); +- buf.append("\nSSL_ENABLE_FDX" + +- ((getSSLOption(SocketBase.SSL_ENABLE_FDX) != 0) +- ? "=on" : "=off")); +- buf.append("\nSSL_V2_COMPATIBLE_HELLO" + +- ((getSSLOption(SocketBase.SSL_V2_COMPATIBLE_HELLO) != 0) +- ? "=on" : "=off")); +- buf.append("\nSSL_ENABLE_SESSION_TICKETS" + +- ((getSSLOption(SocketBase.SSL_ENABLE_SESSION_TICKETS) +- != 0) ? "=on" : "=off")); ++ buf.append("\nSSL_REQUEST_CERTIFICATE" + ++ ((getSSLOption(SocketBase.SSL_REQUEST_CERTIFICATE) != 0) ++ ? "=on" ++ : "=off")); ++ buf.append("\nSSL_NO_CACHE" + ++ ((getSSLOption(SocketBase.SSL_NO_CACHE) != 0) ++ ? "=on" ++ : "=off")); ++ buf.append("\nSSL_ROLLBACK_DETECTION" + ++ ((getSSLOption(SocketBase.SSL_ROLLBACK_DETECTION) != 0) ++ ? "=on" ++ : "=off")); ++ buf.append("\nSSL_NO_STEP_DOWN" + ++ ((getSSLOption(SocketBase.SSL_NO_STEP_DOWN) != 0) ++ ? "=on" ++ : "=off")); ++ buf.append("\nSSL_ENABLE_FDX" + ++ ((getSSLOption(SocketBase.SSL_ENABLE_FDX) != 0) ++ ? "=on" ++ : "=off")); ++ buf.append("\nSSL_V2_COMPATIBLE_HELLO" + ++ ((getSSLOption(SocketBase.SSL_V2_COMPATIBLE_HELLO) != 0) ++ ? "=on" ++ : "=off")); ++ buf.append("\nSSL_ENABLE_SESSION_TICKETS" + ++ ((getSSLOption(SocketBase.SSL_ENABLE_SESSION_TICKETS) != 0) ? "=on" : "=off")); + buf.append("\nSSL_ENABLE_RENEGOTIATION"); + switch (getSSLOption(SocketBase.SSL_ENABLE_RENEGOTIATION)) { +- case 0: +- buf.append("=SSL_RENEGOTIATE_NEVER"); +- break; +- case 1: +- buf.append("=SSL_RENEGOTIATE_UNRESTRICTED"); +- break; +- case 2: +- buf.append("=SSL_RENEGOTIATE_REQUIRES_XTN"); +- break; +- case 3: +- buf.append("=SSL_RENEGOTIATE_TRANSITIONAL"); +- break; +- default: +- buf.append("=Report JSS Bug this option has a status."); +- break; ++ case 0: ++ buf.append("=SSL_RENEGOTIATE_NEVER"); ++ break; ++ case 1: ++ buf.append("=SSL_RENEGOTIATE_UNRESTRICTED"); ++ break; ++ case 2: ++ buf.append("=SSL_RENEGOTIATE_REQUIRES_XTN"); ++ break; ++ case 3: ++ buf.append("=SSL_RENEGOTIATE_TRANSITIONAL"); ++ break; ++ default: ++ buf.append("=Report JSS Bug this option has a status."); ++ break; + } //end switch +- buf.append("\nSSL_REQUIRE_SAFE_NEGOTIATION" + +- ((getSSLOption(SocketBase.SSL_REQUIRE_SAFE_NEGOTIATION) != 0) +- ? "=on" : "=off")); ++ buf.append("\nSSL_REQUIRE_SAFE_NEGOTIATION" + ++ ((getSSLOption(SocketBase.SSL_REQUIRE_SAFE_NEGOTIATION) != 0) ++ ? "=on" ++ : "=off")); + + } catch (SocketException e) { + buf.append("\ngetSSLOptions exception " + e.getMessage()); +@@ -292,19 +296,18 @@ + * of construction than getByName(), and it is final. + * + * @return The InetAddress corresponding to the given integer, +- * or null if the InetAddress could not be constructed. ++ * or null if the InetAddress could not be constructed. + */ +- private static InetAddress +- convertIntToInetAddress(int intAddr) { ++ private static InetAddress convertIntToInetAddress(int intAddr) { + InetAddress in; + int[] addr = new int[4]; + addr[0] = ((intAddr >>> 24) & 0xff); + addr[1] = ((intAddr >>> 16) & 0xff); +- addr[2] = ((intAddr >>> 8) & 0xff); +- addr[3] = ((intAddr ) & 0xff); ++ addr[2] = ((intAddr >>> 8) & 0xff); ++ addr[3] = ((intAddr) & 0xff); + try { + in = InetAddress.getByName( +- addr[0] + "." + addr[1] + "." + addr[2] + "." + addr[3] ); ++ addr[0] + "." + addr[1] + "." + addr[2] + "." + addr[3]); + } catch (java.net.UnknownHostException e) { + in = null; + } +@@ -312,12 +315,13 @@ + } + + private native byte[] getLocalAddressByteArrayNative() throws SocketException; ++ + private native byte[] getPeerAddressByteArrayNative() throws SocketException; ++ + /** + * @return the InetAddress of the peer end of the socket. + */ +- InetAddress getInetAddress() +- { ++ InetAddress getInetAddress() { + try { + byte[] address = getPeerAddressByteArrayNative(); + +@@ -326,14 +330,15 @@ + try { + + iAddr = InetAddress.getByAddress(address); +- } catch(UnknownHostException e) { ++ } catch (UnknownHostException e) { + } + + return iAddr; +- } catch(SocketException e) { ++ } catch (SocketException e) { + return null; + } + } ++ + private native int getPeerAddressNative() throws SocketException; + + /** +@@ -348,20 +353,21 @@ + try { + + lAddr = InetAddress.getByAddress(address); +- } catch(UnknownHostException e) { ++ } catch (UnknownHostException e) { + } + + return lAddr; +- } catch(SocketException e) { ++ } catch (SocketException e) { + return null; + } + } ++ + private native int getLocalAddressNative() throws SocketException; + + public int getLocalPort() { + try { + return getLocalPortNative(); +- } catch(SocketException e) { ++ } catch (SocketException e) { + return 0; + } + } +@@ -369,18 +375,16 @@ + private native int getLocalPortNative() throws SocketException; + + void requireClientAuth(boolean require, boolean onRedo) +- throws SocketException +- { +- if( require && !requestingClientAuth ) { ++ throws SocketException { ++ if (require && !requestingClientAuth) { + requestClientAuth(true); + } + setSSLOption(SSL_REQUIRE_CERTIFICATE, require ? (onRedo ? 1 : 2) : 0); + } + + void requireClientAuth(int mode) +- throws SocketException +- { +- if(mode > 0 && !requestingClientAuth ) { ++ throws SocketException { ++ if (mode > 0 && !requestingClientAuth) { + requestClientAuth(true); + } + setSSLOptionMode(SocketBase.SSL_REQUIRE_CERTIFICATE, mode); +@@ -390,52 +394,52 @@ + * Sets the nickname of the certificate to use for client authentication. + */ + public void setClientCertNickname(String nick) throws SocketException { +- try { +- setClientCert( CryptoManager.getInstance().findCertByNickname(nick) ); +- } catch(CryptoManager.NotInitializedException nie) { +- throw new SocketException("CryptoManager not initialized"); +- } catch(ObjectNotFoundException onfe) { +- throw new SocketException("Object not found: " + onfe); +- } catch(TokenException te) { +- throw new SocketException("Token Exception: " + te); +- } ++ try { ++ setClientCert(CryptoManager.getInstance().findCertByNickname(nick)); ++ } catch (CryptoManager.NotInitializedException nie) { ++ throw new SocketException("CryptoManager not initialized"); ++ } catch (ObjectNotFoundException onfe) { ++ throw new SocketException("Object not found: " + onfe); ++ } catch (TokenException te) { ++ throw new SocketException("Token Exception: " + te); ++ } + } + + native void setClientCert(org.mozilla.jss.crypto.X509Certificate cert) +- throws SocketException; ++ throws SocketException; + + void useCache(boolean b) throws SocketException { + setSSLOption(SSL_NO_CACHE, !b); + } + + static Throwable processExceptions(Throwable topException, +- Throwable bottomException) +- { +- try { +- StringBuffer strBuf; +- strBuf = new StringBuffer( topException.toString() ); ++ Throwable bottomException) { ++ try { ++ StringBuffer strBuf; ++ strBuf = new StringBuffer(topException.toString()); + +- if( bottomException != null ) { +- strBuf.append(" --> "); +- strBuf.append( bottomException.toString() ); ++ if (bottomException != null) { ++ strBuf.append(" --> "); ++ strBuf.append(bottomException.toString()); ++ } ++ ++ Class excepClass = topException.getClass(); ++ Class stringClass = java.lang.String.class; ++ Constructor cons = excepClass.getConstructor(new Class[] { stringClass }); ++ ++ return (Throwable) cons.newInstance(new Object[] { strBuf.toString() }); ++ } catch (Exception e) { ++ Assert.notReached("Problem constructing exception container"); ++ return topException; + } +- +- Class excepClass = topException.getClass(); +- Class stringClass = java.lang.String.class; +- Constructor cons = excepClass.getConstructor(new Class[] {stringClass}); +- +- return (Throwable) cons.newInstance(new Object[] { strBuf.toString() }); +- } catch(Exception e ) { +- Assert.notReached("Problem constructing exception container"); +- return topException; +- } + } + + static private int supportsIPV6 = -1; ++ + static boolean supportsIPV6() { + +- if(supportsIPV6 >= 0) { +- if(supportsIPV6 > 0) { ++ if (supportsIPV6 >= 0) { ++ if (supportsIPV6 > 0) { + return true; + } else { + return false; +@@ -444,28 +448,25 @@ + + Enumeration netInter; + try { +- netInter = NetworkInterface.getNetworkInterfaces(); +- } catch (SocketException e) { ++ netInter = NetworkInterface.getNetworkInterfaces(); ++ } catch (SocketException e) { + +- return false; ++ return false; + } +- while ( netInter.hasMoreElements() ) +- { +- NetworkInterface ni = (NetworkInterface)netInter.nextElement(); ++ while (netInter.hasMoreElements()) { ++ NetworkInterface ni = (NetworkInterface) netInter.nextElement(); + Enumeration addrs = ni.getInetAddresses(); +- while ( addrs.hasMoreElements() ) +- { +- Object o = addrs.nextElement(); +- if ( o.getClass() == InetAddress.class || +- o.getClass() == Inet4Address.class || +- o.getClass() == Inet6Address.class ) +- { +- InetAddress iaddr = (InetAddress) o; +- if(o.getClass() == Inet6Address.class) { +- supportsIPV6 = 1; +- return true; +- } +- } ++ while (addrs.hasMoreElements()) { ++ Object o = addrs.nextElement(); ++ if (o.getClass() == InetAddress.class || ++ o.getClass() == Inet4Address.class || ++ o.getClass() == Inet6Address.class) { ++ InetAddress iaddr = (InetAddress) o; ++ if (o.getClass() == Inet6Address.class) { ++ supportsIPV6 = 1; ++ return true; ++ } ++ } + } + } + supportsIPV6 = 0; +# HG changeset patch +# User "Endi S. Dewata" +# Date 1509154824 -7200 +# Sat Oct 28 03:40:24 2017 +0200 +# Node ID ca2c2fcfaf207f87c3c69e493f2b30fd0a088e95 +# Parent 837c79476110ecd4bf6b507faad50edb9eed7e7e +Fixed SocketBase.setClientCertNickname() exception handling. +Previously the SocketBase.setClientCertNickname() would catch +the original exception and throw a SocketException instead. +The original stack trace was lost since SocketException does not +support chaining. + +The code has been modified to throw a RuntimeException instead +and chain the original exception. This way the original stack +trace can be preserved to help troubleshooting. + +https://bugzilla.mozilla.org/show_bug.cgi?id=1408057 + +diff --git a/org/mozilla/jss/ssl/SocketBase.java b/org/mozilla/jss/ssl/SocketBase.java +--- a/org/mozilla/jss/ssl/SocketBase.java ++++ b/org/mozilla/jss/ssl/SocketBase.java +@@ -4,17 +4,21 @@ + + package org.mozilla.jss.ssl; + +-import java.net.*; ++import java.io.IOException; ++import java.lang.reflect.Constructor; ++import java.net.Inet4Address; ++import java.net.Inet6Address; ++import java.net.InetAddress; ++import java.net.NetworkInterface; + import java.net.SocketException; +-import java.io.*; +-import java.io.IOException; +-import java.util.Vector; ++import java.net.UnknownHostException; + import java.util.Enumeration; +-import java.lang.reflect.Constructor; +-import org.mozilla.jss.util.Assert; ++ + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.crypto.ObjectNotFoundException; + import org.mozilla.jss.crypto.TokenException; ++import org.mozilla.jss.crypto.X509Certificate; ++import org.mozilla.jss.util.Assert; + + class SocketBase { + +@@ -395,13 +399,18 @@ + */ + public void setClientCertNickname(String nick) throws SocketException { + try { +- setClientCert(CryptoManager.getInstance().findCertByNickname(nick)); ++ CryptoManager cm = CryptoManager.getInstance(); ++ X509Certificate cert = cm.findCertByNickname(nick); ++ setClientCert(cert); ++ + } catch (CryptoManager.NotInitializedException nie) { +- throw new SocketException("CryptoManager not initialized"); ++ throw new RuntimeException(nie); ++ + } catch (ObjectNotFoundException onfe) { +- throw new SocketException("Object not found: " + onfe); ++ throw new RuntimeException(onfe); ++ + } catch (TokenException te) { +- throw new SocketException("Token Exception: " + te); ++ throw new RuntimeException(te); + } + } + diff --git a/SOURCES/jss-SignatureAlgorithm.patch b/SOURCES/jss-SignatureAlgorithm.patch new file mode 100644 index 0000000..e87db1b --- /dev/null +++ b/SOURCES/jss-SignatureAlgorithm.patch @@ -0,0 +1,34 @@ +# HG changeset patch +# User David Stutzman david.konrad.stutzman@us.army.mil +# Date 1509062346 25200 +# Thu Oct 26 16:59:06 2017 -0700 +# Node ID b1a3c3cc6b3584948d251d3bfcfe6630d8970db5 +# Parent 252c10f448971b7ae087bde259505abd5dc5a03a +Bugzilla.mozilla 1409867 org.mozilla.jss.pkix.cms.SignerInfo incorrectly producing signatures (especially for EC) + +The patch fixes the OID that goes into the signatureAlgorithm field as well as passing the full signature algorithm to the Signature context to generate the signature using the proper algorithm. +With this patch, if one passes SignatureAlgorithm.RSASignatureWithSHA256Digest in the constructor one will now get sha256WithRSAEncryption (1 2 840 113549 1 1 11) in the signatureAlgorithm field. + +cfu checking in for dstutzman + +diff --git a/org/mozilla/jss/pkix/cms/SignerInfo.java b/org/mozilla/jss/pkix/cms/SignerInfo.java +--- a/org/mozilla/jss/pkix/cms/SignerInfo.java ++++ b/org/mozilla/jss/pkix/cms/SignerInfo.java +@@ -289,7 +289,7 @@ + } + + digestEncryptionAlgorithm = new AlgorithmIdentifier( +- signingAlg.getRawAlg().toOID(),null ); ++ signingAlg.toOID(),null ); + + + if( signedAttributes != null ) +@@ -332,7 +332,7 @@ + // encrypt the DER-encoded DigestInfo with the private key + CryptoToken token = signingKey.getOwningToken(); + Signature sig; +- sig = token.getSignatureContext( signingAlg.getRawAlg() ); ++ sig = token.getSignatureContext( signingAlg ); + sig.initSign(signingKey); + sig.update(toBeSigned); + encryptedDigest = new OCTET_STRING(sig.sign()); diff --git a/SOURCES/jss-fix-SignerInfo-version.patch b/SOURCES/jss-fix-SignerInfo-version.patch new file mode 100644 index 0000000..e76e393 --- /dev/null +++ b/SOURCES/jss-fix-SignerInfo-version.patch @@ -0,0 +1,44 @@ +# HG changeset patch +# User David Stutzman +# Date 1516144092 28800 +# Tue Jan 16 15:08:12 2018 -0800 +# Node ID 1d858c6d4626b625bb671426e6899d98c2f5bb2e +# Parent 8746a3fc74785e2fd12f86d08a6886ed9160620e +Bug# 386351 SignerInfo version, r=cfu + +This patch fixes versioning of SignerInfo to match CMS spec. + +cfu for dstutzman + +diff --git a/org/mozilla/jss/pkix/cms/SignerInfo.java b/org/mozilla/jss/pkix/cms/SignerInfo.java +--- a/org/mozilla/jss/pkix/cms/SignerInfo.java ++++ b/org/mozilla/jss/pkix/cms/SignerInfo.java +@@ -52,9 +52,6 @@ + private OCTET_STRING encryptedDigest; + private SET unsignedAttributes; // [1] OPTIONAL + +- // we only do CMS in RFC 2630 +- private static final INTEGER VERSION = new INTEGER(3); +- + /////////////////////////////////////////////////////////////////////// + /////////////////////////////////////////////////////////////////////// + // Accessor methods +@@ -198,8 +195,17 @@ + CryptoManager.NotInitializedException, SignatureException, + TokenException + { +- version = VERSION; ++ if (signerIdentifier == null) { ++ throw new IllegalArgumentException("SignerIdentifier may not be null"); ++ } + this.signerIdentifier = signerIdentifier; ++ if (SignerIdentifier.ISSUER_AND_SERIALNUMBER.equals(this.signerIdentifier.getType())) { ++ this.version = new INTEGER(1); ++ } else if (SignerIdentifier.SUBJECT_KEY_IDENTIFIER.equals(this.signerIdentifier.getType())) { ++ this.version = new INTEGER(3); ++ } else { ++ throw new IllegalArgumentException("Unexpected SignerIdentifier type"); ++ } + this.digestAlgorithm = + new AlgorithmIdentifier(signingAlg.getDigestAlg().toOID(),null); + diff --git a/SOURCES/jss-signature-correction.patch b/SOURCES/jss-signature-correction.patch new file mode 100644 index 0000000..1746083 --- /dev/null +++ b/SOURCES/jss-signature-correction.patch @@ -0,0 +1,306 @@ +# HG changeset patch +# User David Stutzman +# Date 1515711524 28800 +# Thu Jan 11 14:58:44 2018 -0800 +# Node ID 9e2db7eee6652330723d935c2b900b9b09b1ab9d +# Parent ca2c2fcfaf207f87c3c69e493f2b30fd0a088e95 +Bug 1409867 - additional fix from dstutzman: allow signatures to be created correctly. + +cfu for dstutzman + +diff --git a/org/mozilla/jss/pkix/cms/SignerInfo.java b/org/mozilla/jss/pkix/cms/SignerInfo.java +--- a/org/mozilla/jss/pkix/cms/SignerInfo.java ++++ b/org/mozilla/jss/pkix/cms/SignerInfo.java +@@ -9,14 +9,10 @@ + import org.mozilla.jss.util.Assert; + import org.mozilla.jss.pkix.primitive.*; + import org.mozilla.jss.crypto.*; +-import java.util.Vector; +-import java.math.BigInteger; +-import java.io.ByteArrayInputStream; + import java.security.InvalidKeyException; + import java.security.SignatureException; + import java.security.NoSuchAlgorithmException; + import java.security.MessageDigest; +-import org.mozilla.jss.crypto.*; + import org.mozilla.jss.crypto.X509Certificate; + import org.mozilla.jss.pkix.cert.*; + import org.mozilla.jss.*; +@@ -73,14 +69,6 @@ + } + + /** +- * Low-level method to set the version. +- * It is not normally necessary to call this. Use it at your own risk. +- public void setVersion(INTEGER version) { +- this.version = version; +- } +- */ +- +- /** + * Retrieves the SignerIdentifier. + */ + public SignerIdentifier getSignerIdentifier() { +@@ -88,14 +76,6 @@ + } + + /** +- * Low-level method to set the signerIdentifier. +- * It is not normally necessary to call this. Use it at your own risk. +- public void setSignerIdentifier( SignerIdentifier iasn ) { +- this.signerIdentifier = iasn; +- } +- */ +- +- /** + * Retrieves the DigestAlgorithm used in this SignerInfo. + * + * @exception NoSuchAlgorithmException If the algorithm is not +@@ -116,14 +96,6 @@ + } + + /** +- * Low-level method to set the digest AlgorithmIdentifier. +- * It is not normally necessary to call this. Use it at your own risk. +- public void setDigestAlgorithmIdentifier(AlgorithmIdentifier algid) { +- this.digestAlgorithm = algid; +- } +- */ +- +- /** + * Retrieves the signed attributes, if they exist. + * + */ +@@ -139,14 +111,6 @@ + } + + /** +- * Low-level method to set the signedAttributes field. +- * It is not normally necessary to call this. Use it at your own risk. +- public void setSignedAttributes(SET authAttrib) { +- this.signedAttributes = authAttrib; +- } +- */ +- +- /** + * Returns the raw signature (digest encryption) algorithm used in this + * SignerInfo. + * +@@ -168,15 +132,6 @@ + } + + /** +- * Low-level method to set the digestEncryptionAlgorithm field. +- * It is not normally necessary to call this. Use it at your own risk. +- public void +- setDigestEncryptionAlgorithmIdentifier(AlgorithmIdentifier algid) { +- this.digestEncryptionAlgorithm= algid; +- } +- */ +- +- /** + * Retrieves the encrypted digest. + */ + public byte[] getEncryptedDigest() { +@@ -184,14 +139,6 @@ + } + + /** +- * Low-level method to set the encryptedDigest field. +- * It is not normally necessary to call this. Use it at your own risk. +- public void setEncryptedDigest(byte[] ed) { +- this.encryptedDigest = new OCTET_STRING(ed); +- } +- */ +- +- /** + * Retrieves the unsigned attributes, if they exist. + * + */ +@@ -206,14 +153,6 @@ + return (unsignedAttributes!=null); + } + +- /** +- * Low-level method to set the unsignedAttributes field. +- * It is not normally necessary to call this. Use it at your own risk. +- public void setUnsignedAttributes(SET unauthAttrib) { +- this.unsignedAttributes = unauthAttrib; +- } +- */ +- + /////////////////////////////////////////////////////////////////////// + /////////////////////////////////////////////////////////////////////// + // Constructors +@@ -221,17 +160,6 @@ + /////////////////////////////////////////////////////////////////////// + + /** +- * Low-level default constructor. All fields are initialized to null. +- * Before this SignerInfo can be processed or used in any way, all of +- * the fields except signedAttributes and +- * unsignedAttributes must be non-null. +- *

It is not normally necessary to call this constructor.Use it at +- * your own risk. +- public SignerInfo() { +- } +- */ +- +- /** + * A constructor for creating a new SignerInfo from scratch. + * + * @param signerIdentifier The signerIdentifier of the +@@ -303,36 +231,32 @@ + ////////////////////////////////////////////////// + + // compute the digest +- byte[] digest=null; +- DigestAlgorithm digestAlg = signingAlg.getDigestAlg(); +- if( signedAttributes == null ) { ++ CryptoToken token = signingKey.getOwningToken(); ++ Signature sig; ++ byte[] toBeSigned = null; ++ if (signedAttributes == null) { + // just use the message digest of the content +- digest = messageDigest; ++ if (signingAlg.getRawAlg() == SignatureAlgorithm.RSASignature) { ++ SEQUENCE digestInfo = createDigestInfo(messageDigest, false); ++ toBeSigned = ASN1Util.encode(digestInfo); ++ } else { ++ toBeSigned = messageDigest; ++ } ++ sig = token.getSignatureContext(signingAlg.getRawAlg()); //data is already digested + } else { +- // digest the contents octets of the signed attributes +- byte[] enc = ASN1Util.encode(signedAttributes); +- MessageDigest md = +- MessageDigest.getInstance(digestAlg.toString()); +- digest = md.digest( enc ); +- } +- +- byte[] toBeSigned; +- if( signingAlg.getRawAlg() == SignatureAlgorithm.RSASignature ) { +- // put the digest in a DigestInfo +- SEQUENCE digestInfo = new SEQUENCE(); +- AlgorithmIdentifier digestAlgId = +- new AlgorithmIdentifier( digestAlg.toOID(),null ); +- digestInfo.addElement( digestAlgId ); +- digestInfo.addElement( new OCTET_STRING( digest ) ); +- toBeSigned = ASN1Util.encode(digestInfo); +- } else { +- toBeSigned = digest; ++ byte[] encoding = ASN1Util.encode(signedAttributes); ++ if (signingAlg.getRawAlg() == SignatureAlgorithm.RSASignature) { ++ // put the digest in a DigestInfo ++ SEQUENCE digestInfo = createDigestInfo(encoding, true); ++ toBeSigned = ASN1Util.encode(digestInfo); ++ sig = token.getSignatureContext(SignatureAlgorithm.RSASignature); ++ } else { ++ toBeSigned = encoding; ++ sig = token.getSignatureContext(signingAlg); ++ } + } + + // encrypt the DER-encoded DigestInfo with the private key +- CryptoToken token = signingKey.getOwningToken(); +- Signature sig; +- sig = token.getSignatureContext( signingAlg ); + sig.initSign(signingKey); + sig.update(toBeSigned); + encryptedDigest = new OCTET_STRING(sig.sign()); +@@ -494,21 +418,20 @@ + digestEncryptionAlgorithm.getOID() + ); + ++ CryptoToken token = CryptoManager.getInstance() ++ .getInternalCryptoToken(); ++ Signature sig; + byte[] toBeVerified; +- if( sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature ) { ++ if (sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature) { + // create DigestInfo structure +- SEQUENCE digestInfo = new SEQUENCE(); +- digestInfo.addElement( +- new AlgorithmIdentifier(digestAlgorithm.getOID(), null) ); +- digestInfo.addElement( new OCTET_STRING(messageDigest) ); ++ SEQUENCE digestInfo = createDigestInfo(messageDigest, false); + toBeVerified = ASN1Util.encode(digestInfo); ++ sig = token.getSignatureContext(sigAlg.getRawAlg()); + } else { + toBeVerified = messageDigest; ++ sig = token.getSignatureContext(sigAlg); + } +- +- CryptoToken token = CryptoManager.getInstance() +- .getInternalCryptoToken(); +- Signature sig = token.getSignatureContext(sigAlg); ++ + sig.initVerify(pubkey); + sig.update(toBeVerified); + if( sig.verify(encryptedDigest.toByteArray()) ) { +@@ -671,31 +594,22 @@ + // Now verify the signature. + CryptoToken token = + CryptoManager.getInstance().getInternalCryptoToken(); +- Signature sig = token.getSignatureContext( sigAlg ); +- sig.initVerify(pubkey); ++ Signature sig; + + // verify the contents octets of the DER encoded signed attribs +- byte[] toBeDigested = ASN1Util.encode(signedAttributes); +- +- MessageDigest md = MessageDigest.getInstance( +- DigestAlgorithm.fromOID(digestAlgorithm.getOID()).toString() ); +- byte[] digest = md.digest(toBeDigested); +- ++ byte[] encoding = ASN1Util.encode(signedAttributes); + byte[] toBeVerified; +- if( sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature ) { ++ if (sigAlg.getRawAlg() == SignatureAlgorithm.RSASignature) { + // create DigestInfo structure +- SEQUENCE digestInfo = new SEQUENCE(); +- +- AlgorithmIdentifier digestAlgId = +- new AlgorithmIdentifier( digestAlgorithm.getOID(),null ); +- digestInfo.addElement( digestAlgId ); +- +- digestInfo.addElement( new OCTET_STRING(digest) ); ++ SEQUENCE digestInfo = createDigestInfo(encoding, true); + toBeVerified = ASN1Util.encode(digestInfo); ++ sig = token.getSignatureContext(SignatureAlgorithm.RSASignature); + } else { +- toBeVerified = digest; ++ toBeVerified = encoding; ++ sig = token.getSignatureContext(sigAlg); + } + ++ sig.initVerify(pubkey); + sig.update( toBeVerified ); + + if( ! sig.verify(encryptedDigest.toByteArray()) ) { +@@ -708,6 +622,25 @@ + // SUCCESSFULLY VERIFIED + + } ++ ++ private SEQUENCE createDigestInfo(byte[] data, boolean doDigest) throws NoSuchAlgorithmException { ++ if(data == null || data.length == 0){ ++ throw new IllegalArgumentException("Data to digest must be supplied"); ++ } ++ SEQUENCE digestInfo = new SEQUENCE(); ++ digestInfo.addElement(this.digestAlgorithm); ++ byte[] digest; ++ if (doDigest) { ++ MessageDigest md = MessageDigest.getInstance( ++ DigestAlgorithm.fromOID(this.digestAlgorithm.getOID()).toString()); ++ digest = md.digest(data); ++ } else { ++ digest = data; ++ } ++ digestInfo.addElement(new OCTET_STRING(digest)); ++ return digestInfo; ++ } ++ + + /** + * Compares two non-null byte arrays. Returns true if they are identical, diff --git a/SOURCES/jss-standardize-ECC-algorithm-names.patch b/SOURCES/jss-standardize-ECC-algorithm-names.patch new file mode 100644 index 0000000..dc47fdb --- /dev/null +++ b/SOURCES/jss-standardize-ECC-algorithm-names.patch @@ -0,0 +1,41 @@ +# HG changeset patch +# User David Stutzman +# Date 1515722400 28800 +# Thu Jan 11 18:00:00 2018 -0800 +# Node ID 8746a3fc74785e2fd12f86d08a6886ed9160620e +# Parent 9e2db7eee6652330723d935c2b900b9b09b1ab9d +Bug 589158 Add support for Java Security Standard Algorithm Names for EC Signature types + +This patch adds the aliases for Java Security Standard Algorithm Names for EC Signature types. + +cfu for dstutzman (reviewed by wtc) + +diff --git a/org/mozilla/jss/JSSProvider.java b/org/mozilla/jss/JSSProvider.java +--- a/org/mozilla/jss/JSSProvider.java ++++ b/org/mozilla/jss/JSSProvider.java +@@ -79,21 +79,25 @@ + put("Alg.Alias.Signature.SHA-1/EC", "SHA1withEC"); + put("Alg.Alias.Signature.SHA/ECDSA", "SHA1withEC"); + put("Alg.Alias.Signature.SHA1/ECDSA", "SHA1withEC"); ++ put("Alg.Alias.Signature.SHA1withECDSA", "SHA1withEC"); //JCE Standard Name + + put("Signature.SHA256withEC", + "org.mozilla.jss.provider.java.security.JSSSignatureSpi$SHA256EC"); + put("Alg.Alias.Signature.SHA256/EC", "SHA256withEC"); + put("Alg.Alias.Signature.SHA-256/EC", "SHA256withEC"); ++ put("Alg.Alias.Signature.SHA256withECDSA", "SHA256withEC"); //JCE Standard Name + + put("Signature.SHA384withEC", + "org.mozilla.jss.provider.java.security.JSSSignatureSpi$SHA384EC"); + put("Alg.Alias.Signature.SHA384/EC", "SHA384withEC"); + put("Alg.Alias.Signature.SHA-384/EC", "SHA384withEC"); ++ put("Alg.Alias.Signature.SHA384withECDSA", "SHA384withEC"); //JCE Standard Name + + put("Signature.SHA512withEC", + "org.mozilla.jss.provider.java.security.JSSSignatureSpi$SHA512EC"); + put("Alg.Alias.Signature.SHA512/EC", "SHA512withEC"); + put("Alg.Alias.Signature.SHA-512/EC", "SHA512withEC"); ++ put("Alg.Alias.Signature.SHA512withECDSA", "SHA512withEC"); //JCE Standard Name + + ///////////////////////////////////////////////////////////// + // Message Digesting diff --git a/SPECS/jss.spec b/SPECS/jss.spec index ec2a94b..24b85e8 100644 --- a/SPECS/jss.spec +++ b/SPECS/jss.spec @@ -1,7 +1,6 @@ Name: jss Version: 4.4.0 -#Release: 8%{?dist} -Release: 9.el7_4 +Release: 11%{?dist} Summary: Java Security Services (JSS) Group: System Environment/Libraries @@ -27,8 +26,8 @@ Conflicts: tomcatjss < 7.2.1 BuildRequires: nss-devel >= 3.28.4-6 BuildRequires: nspr-devel >= 4.13.1 BuildRequires: java-devel -%if 0%{?fedora} >= 25 -BuildRequires: perl +%if 0%{?fedora} >= 25 || 0%{?rhel} > 7 +BuildRequires: perl-interpreter %endif Requires: java-headless Requires: nss >= 3.28.4-6 @@ -39,6 +38,11 @@ Patch3: jss-HMAC-test-for-AES-encrypt-unwrap.patch Patch4: jss-PBE-padded-block-cipher-enhancements.patch Patch5: jss-fix-PK11Store-getEncryptedPrivateKeyInfo-segfault.patch Patch6: jss-HMAC-unwrap-keywrap-FIPSMODE.patch +Patch7: jss-SignatureAlgorithm.patch +Patch8: jss-ObjectNotFoundException-message.patch +Patch9: jss-signature-correction.patch +Patch10: jss-standardize-ECC-algorithm-names.patch +Patch11: jss-fix-SignerInfo-version.patch %description Java Security Services (JSS) is a java native interface which provides a bridge @@ -62,6 +66,11 @@ pushd jss %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 popd %build @@ -154,6 +163,20 @@ rm -rf $RPM_BUILD_ROOT %{_javadocdir}/%{name}-%{version}/* %changelog +* Mon Jan 22 2018 Dogtag Team 4.4.0-11 +- Bugzilla #1506826 - org.mozilla.jss.pkix.cms.SignerInfo incorrectly + producing signatures (especially for EC) (cfu,dstutzman) +- Bugzilla #1533667 - Add: standard algorithm names for all ECC signature + types (cfu,dstutzman) +- Bugzilla #1534761 - SignerInfo class inserts wrong version # into the + resulting structure (cfu,dstutzman) + +* Wed Nov 1 2017 Dogtag Team 4.4.0-10 +- Bugzilla #1506710 - JSS throws ObjectNotFoundException without message + (edewata) +- Bugzilla #1506826 - org.mozilla.jss.pkix.cms.SignerInfo incorrectly + producing signatures (especially for EC) (cfu,dstutzman) + * Fri Oct 27 2017 Dogtag Team 4.4.0-9 - Bugzilla #1505690 - new JSS failures: HMAC Unwrap and KeyWrapping FIPSMODE [rhel-7.4.z] (jmagne)