diff --git a/SOURCES/jss-fix-ECDSA-SHA-AlgorithmIdentifier-encoding.patch b/SOURCES/jss-fix-ECDSA-SHA-AlgorithmIdentifier-encoding.patch
new file mode 100644
index 0000000..9b6fef4
--- /dev/null
+++ b/SOURCES/jss-fix-ECDSA-SHA-AlgorithmIdentifier-encoding.patch
@@ -0,0 +1,68 @@
+From a8e371e54b009159e9e3a0d198bd5eb3ed68ac22 Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Tue, 15 May 2018 14:58:07 -0700
+Subject: [PATCH] Ticket 3 JSS has wrong encoding for ecdsa with sha*
+ AlgorithmIdentifier This ticket addresses the issue to meet RFC 5758 where
+ param field must be omitted in the ECDSA Signature algorithm'
+ AlgorithmIdentifier for ecdsa-withSHA224, ecdsa-with-SHA256,
+ ecdsa-with-SHA384, or ecdsa-with-SHA512.
+
+fixes https://pagure.io/jss/issue/3
+---
+ .../jss/pkix/primitive/AlgorithmIdentifier.java | 29 +++++++++++++++++++---
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java b/org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java
+index 76e4718..0662f76 100644
+--- a/org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java
++++ b/org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java
+@@ -4,10 +4,12 @@
+ package org.mozilla.jss.pkix.primitive;
+
+ import org.mozilla.jss.asn1.*;
++import org.mozilla.jss.crypto.SignatureAlgorithm;
+ import org.mozilla.jss.util.Assert;
+ import java.io.InputStream;
+ import java.io.OutputStream;
+ import java.io.IOException;
++import java.security.NoSuchAlgorithmException;
+
+ public class AlgorithmIdentifier implements ASN1Value {
+
+@@ -100,10 +102,29 @@ public static class Template implements ASN1Template {
+ // the template should have enforced this
+ Assert._assert( seq.size() == 2 );
+
+- return new AlgorithmIdentifier(
+- (OBJECT_IDENTIFIER)seq.elementAt(0), // OID
+- seq.elementAt(1) // parameters
+- );
++ OBJECT_IDENTIFIER algOID = (OBJECT_IDENTIFIER)seq.elementAt(0);
++ boolean allowParams = true;
++ try {
++ if (algOID.equals(SignatureAlgorithm.ECSignatureWithSHA256Digest.toOID()) ||
++ algOID.equals(SignatureAlgorithm.ECSignatureWithSHA384Digest.toOID()) ||
++ algOID.equals(SignatureAlgorithm.ECSignatureWithSHA512Digest.toOID())) {
++ allowParams = false;
++ }
++ } catch (NoSuchAlgorithmException e) {
++ // System.out.println("JSS: AlgorithmIdentifier:decode: " + e.toString());
++ // unlikely to happen; swallow it. treat it as allowParams;
++ }
++
++ if (!allowParams) {
++ return new AlgorithmIdentifier(
++ algOID // OID
++ );
++ } else {
++ return new AlgorithmIdentifier(
++ (OBJECT_IDENTIFIER)seq.elementAt(0), // OID
++ seq.elementAt(1) // parameters
++ );
++ }
+ }
+ } // end of Template
+
+--
+2.14.3
+
diff --git a/SPECS/jss.spec b/SPECS/jss.spec
index 24b85e8..b3e7ae2 100644
--- a/SPECS/jss.spec
+++ b/SPECS/jss.spec
@@ -1,6 +1,6 @@ Name: jss Version: 4.4.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 Summary: Java Security Services (JSS) Group: System Environment/Libraries
@@ -43,6 +43,7 @@ Patch8: jss-ObjectNotFoundException-message.patch Patch9: jss-signature-correction.patch Patch10: jss-standardize-ECC-algorithm-names.patch Patch11: jss-fix-SignerInfo-version.patch
+Patch12: jss-fix-ECDSA-SHA-AlgorithmIdentifier-encoding.patch
 %description Java Security Services (JSS) is a java native interface which provides a bridge
@@ -71,6 +72,7 @@ pushd jss %patch9 -p1 %patch10 -p1 %patch11 -p1
+%patch12 -p1
 popd %build
@@ -163,6 +165,10 @@ rm -rf $RPM_BUILD_ROOT %{_javadocdir}/%{name}-%{version}/* %changelog
+* Tue May 22 2018 Dogtag Team 4.4.2-12
+- Bugzilla #1579202 - JSS has wrong encoding for ecdsa with sha*
+ AlgorithmIdentifier [rhel-7.5.z] (cfu)
+
 * Mon Jan 22 2018 Dogtag Team 4.4.0-11 - Bugzilla #1506826 - org.mozilla.jss.pkix.cms.SignerInfo incorrectly producing signatures (especially for EC) (cfu,dstutzman)
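Review bot: In the new decode branch of the embedded AlgorithmIdentifier.java patch, the parameters element is dropped for the three ECDSA OIDs without ever looking at `seq.elementAt(1)`, so an input that did carry parameters decodes to the same object as a conforming one and may no longer re-encode to the bytes that were originally signed. A comment should state that this normalisation is intentional, for example `// RFC 5758: parameters are omitted for ecdsa-with-SHA2; any value present in the input is discarded here`, and callers that verify signatures presumably need to keep working from the original encoding rather than a re-encoded object. The commit message also lists ecdsa-with-SHA224, which the OID comparison does not cover, and the `catch (NoSuchAlgorithmException e)` falls back to the old behaviour silently, with only a commented-out println left behind. The else branch could pass `algOID` instead of repeating the cast of `seq.elementAt(0)`. The enclosing decode method starts outside the hunk.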