diff --git a/SOURCES/jss-fix-ECDSA-SHA-AlgorithmIdentifier-encoding.patch b/SOURCES/jss-fix-ECDSA-SHA-AlgorithmIdentifier-encoding.patch
new file mode 100644
index 0000000..9b6fef4
--- /dev/null
+++ b/SOURCES/jss-fix-ECDSA-SHA-AlgorithmIdentifier-encoding.patch
@@ -0,0 +1,68 @@
+From a8e371e54b009159e9e3a0d198bd5eb3ed68ac22 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Tue, 15 May 2018 14:58:07 -0700
+Subject: [PATCH] Ticket 3 JSS has wrong encoding for ecdsa with sha*
+ AlgorithmIdentifier This ticket addresses the issue to meet RFC 5758 where
+ param field must be omitted in the ECDSA Signature algorithm'
+ AlgorithmIdentifier for ecdsa-withSHA224, ecdsa-with-SHA256,
+ ecdsa-with-SHA384, or ecdsa-with-SHA512.
+
+fixes https://pagure.io/jss/issue/3
+---
+ .../jss/pkix/primitive/AlgorithmIdentifier.java | 29 +++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java b/org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java
+index 76e4718..0662f76 100644
+--- a/org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java
++++ b/org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java
+@@ -4,10 +4,12 @@
+ package org.mozilla.jss.pkix.primitive;
+
+ import org.mozilla.jss.asn1.*;
++import org.mozilla.jss.crypto.SignatureAlgorithm;
+ import org.mozilla.jss.util.Assert;
+ import java.io.InputStream;
+ import java.io.OutputStream;
+ import java.io.IOException;
++import java.security.NoSuchAlgorithmException;
+
+ public class AlgorithmIdentifier implements ASN1Value {
+
+@@ -100,10 +102,29 @@ public static class Template implements ASN1Template {
+ // the template should have enforced this
+ Assert._assert( seq.size() == 2 );
+
+- return new AlgorithmIdentifier(
+- (OBJECT_IDENTIFIER)seq.elementAt(0), // OID
+- seq.elementAt(1) // parameters
+- );
++ OBJECT_IDENTIFIER algOID = (OBJECT_IDENTIFIER)seq.elementAt(0);
++ boolean allowParams = true;
++ try {
++ if (algOID.equals(SignatureAlgorithm.ECSignatureWithSHA256Digest.toOID()) ||
++ algOID.equals(SignatureAlgorithm.ECSignatureWithSHA384Digest.toOID()) ||
++ algOID.equals(SignatureAlgorithm.ECSignatureWithSHA512Digest.toOID())) {
++ allowParams = false;
++ }
++ } catch (NoSuchAlgorithmException e) {
++ // System.out.println("JSS: AlgorithmIdentifier:decode: " + e.toString());
++ // unlikely to happen; swallow it. treat it as allowParams;
++ }
++
++ if (!allowParams) {
++ return new AlgorithmIdentifier(
++ algOID // OID
++ );
++ } else {
++ return new AlgorithmIdentifier(
++ (OBJECT_IDENTIFIER)seq.elementAt(0), // OID
++ seq.elementAt(1) // parameters
++ );
++ }
+ }
+ } // end of Template
+
+--
+2.14.3
+
diff --git a/SPECS/jss.spec b/SPECS/jss.spec
index 24b85e8..b3e7ae2 100644
--- a/SPECS/jss.spec
+++ b/SPECS/jss.spec
@@ -1,6 +1,6 @@
Name: jss
Version: 4.4.0
-Release: 11%{?dist}
+Release: 12%{?dist}
Summary: Java Security Services (JSS)
Group: System Environment/Libraries
@@ -43,6 +43,7 @@ Patch8: jss-ObjectNotFoundException-message.patch
Patch9: jss-signature-correction.patch
Patch10: jss-standardize-ECC-algorithm-names.patch
Patch11: jss-fix-SignerInfo-version.patch
+Patch12: jss-fix-ECDSA-SHA-AlgorithmIdentifier-encoding.patch
%description
Java Security Services (JSS) is a java native interface which provides a bridge
@@ -71,6 +72,7 @@ pushd jss
%patch9 -p1
%patch10 -p1
%patch11 -p1
+%patch12 -p1
popd
%build
@@ -163,6 +165,10 @@ rm -rf $RPM_BUILD_ROOT
%{_javadocdir}/%{name}-%{version}/*
%changelog
+* Tue May 22 2018 Dogtag Team <pki-devel@redhat.com> 4.4.2-12
+- Bugzilla #1579202 - JSS has wrong encoding for ecdsa with sha*
+ AlgorithmIdentifier [rhel-7.5.z] (cfu)
+
* Mon Jan 22 2018 Dogtag Team <pki-devel@redhat.com> 4.4.0-11
- Bugzilla #1506826 - org.mozilla.jss.pkix.cms.SignerInfo incorrectly
producing signatures (especially for EC) (cfu,dstutzman)