diff --git a/.gitignore b/.gitignore
index fe33249..1c02d34 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/jss-4.6.2.tar.gz
+SOURCES/jss-4.7.3.tar.gz
diff --git a/.jss.metadata b/.jss.metadata
index d14bd57..f86585b 100644
--- a/.jss.metadata
+++ b/.jss.metadata
@@ -1 +1 @@
-4fea1d770e0882aa9c1c6c493bce9eb579b5c085 SOURCES/jss-4.6.2.tar.gz
+c3c5fdc3003d78b26071d0c215067019ede3ad60 SOURCES/jss-4.7.3.tar.gz
diff --git a/SOURCES/0001-Fix-NativeProxy-reference-tracker.patch b/SOURCES/0001-Fix-NativeProxy-reference-tracker.patch
deleted file mode 100644
index 529b576..0000000
--- a/SOURCES/0001-Fix-NativeProxy-reference-tracker.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 91514ca0a2979ba778d27220ced0cd312e2cd2d2 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Tue, 29 Oct 2019 10:43:56 -0400
-Subject: [PATCH] Fix NativeProxy reference tracker
-
-In eb5df01003d74b57473eacb84e538d31f5bb06ca, I introduced a bug by
-setting mPointer after trying to add NativeProxy to the registry. In
-most instances this won't matter, however, if another instance exists in
-the HashSet with the same hash value, the equals comparator will be
-used, triggering a NPE.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/util/NativeProxy.java | 13 +++++--------
- 1 file changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
-index 1c6d1aa5..a0811f76 100644
---- a/org/mozilla/jss/util/NativeProxy.java
-+++ b/org/mozilla/jss/util/NativeProxy.java
-@@ -40,8 +40,8 @@ public abstract class NativeProxy implements AutoCloseable
- */
- public NativeProxy(byte[] pointer) {
- assert(pointer!=null);
-- registry.add(this);
- mPointer = pointer;
-+ registry.add(this);
-
- if (saveStacktraces) {
- mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
-@@ -61,15 +61,12 @@ public abstract class NativeProxy implements AutoCloseable
- if( ! (obj instanceof NativeProxy) ) {
- return false;
- }
-- if( ((NativeProxy)obj).mPointer.length != mPointer.length) {
-+ if (((NativeProxy)obj).mPointer == null) {
-+ /* If mPointer is null, we have no way to compare the values
-+ * of the pointers, so assume they're unequal. */
- return false;
- }
-- for(int i=0; i < mPointer.length; i++) {
-- if(mPointer[i] != ((NativeProxy)obj).mPointer[i]) {
-- return false;
-- }
-- }
-- return true;
-+ return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
- }
-
- /**
---
-2.21.0
-
diff --git a/SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch b/SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch
deleted file mode 100644
index 04830df..0000000
--- a/SOURCES/0002-Fix-swapped-parameter-names-with-PBE.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Fri, 28 Feb 2020 14:10:32 -0500
-Subject: [PATCH 1/2] Fix swapped parameter names with PBE
-
-Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression
-related to extracting the parameter classes during PBE operations:
-previously, the classes of the underlying encryption algorithm were
-iterated over, instead of the classes of the PBE class itself. However,
-this commit iterated over the PBE parameter classes; no PBE algorithm
-accepts a IvParameterSpec, resulting in a null parameter passed to the
-later encryption or key wrap operation. This resulted in stack traces
-like the following:
-
-Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter
- at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225)
- at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89)
- at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57)
- at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342)
-
-Resolves: rh-bz#1807371
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/pkcs7/EncryptedContentInfo.java | 2 +-
- org/mozilla/jss/pkix/cms/EncryptedContentInfo.java | 2 +-
- org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
-index 084752c3..0344b14d 100644
---- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
-+++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
-@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value {
- // generate IV
- EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
- AlgorithmParameterSpec params=null;
-- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
-+ Class<?> [] paramClasses = encAlg.getParameterClasses();
- for (int i = 0; i < paramClasses.length; i ++) {
- if ( paramClasses[i].equals(
- javax.crypto.spec.IvParameterSpec.class ) ) {
-diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
-index a4709070..d85eb0d3 100644
---- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
-+++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
-@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value {
- // generate IV
- EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
- AlgorithmParameterSpec params=null;
-- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
-+ Class<?> [] paramClasses = encAlg.getParameterClasses();
- for (int i = 0; i < paramClasses.length; i ++) {
- if ( paramClasses[i].equals( IVParameterSpec.class ) ) {
- params = new IVParameterSpec( kg.generatePBE_IV() );
-diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-index b35714e3..ebd269f3 100644
---- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
- // generate IV
- EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
- AlgorithmParameterSpec params=null;
-- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
-+ Class<?> [] paramClasses = encAlg.getParameterClasses();
- for (int i = 0; i < paramClasses.length; i ++) {
- if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) {
- params = new IVParameterSpec( kg.generatePBE_IV() );
-@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
- // generate IV
- EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
- AlgorithmParameterSpec params=null;
-- Class<?> [] paramClasses = pbeAlg.getParameterClasses();
-+ Class<?> [] paramClasses = encAlg.getParameterClasses();
- for (int i = 0; i < paramClasses.length; i ++) {
- if ( paramClasses[i].equals(
- javax.crypto.spec.IvParameterSpec.class ) ) {
---
-2.24.1
-
diff --git a/SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch b/SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch
deleted file mode 100644
index 3f598a9..0000000
--- a/SOURCES/0003-Use-specified-algorithm-for-KeyWrap.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Fri, 28 Feb 2020 14:39:29 -0500
-Subject: [PATCH 2/2] Use specified algorithm for KeyWrap
-
-When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
-called, it would always request DES3_CBC_PAD as the key wrapping
-algorithm, regardless of the input PBE key type. However, the other form
-(with an implicit token) was correctly handling this case.
-
-Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
-instead of having to convert to/from a String form.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/crypto/KeyWrapAlgorithm.java | 5 ++++-
- org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
-index 3113f614..3a106977 100644
---- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
-+++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
-@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
-
- public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
- OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
-+ return fromOID(oid);
-+ }
-
-+ public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
- if (oid.equals(AES_KEY_WRAP_PAD_OID))
- return AES_KEY_WRAP_PAD;
-
-@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
- if (oid.equals(DES_CBC_PAD_OID))
- return DES_CBC_PAD;
-
-- throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
-+ throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
- }
- }
-diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-index ebd269f3..abfc39a7 100644
---- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
- }
- }
-
-- KeyWrapper wrapper = token.getKeyWrapper(
-- KeyWrapAlgorithm.DES3_CBC_PAD);
-+ // wrap the key
-+ KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
- wrapper.initWrap(key, params);
- byte encrypted[] = wrapper.wrap(pri);
-
---
-2.24.1
-
diff --git a/SOURCES/0004-Remove-token-key-checks.patch b/SOURCES/0004-Remove-token-key-checks.patch
deleted file mode 100644
index 7353cce..0000000
--- a/SOURCES/0004-Remove-token-key-checks.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From a3a91a8e85d7f05de3c85b0ae6ad1c80cf7c5b55 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Tue, 17 Mar 2020 12:54:49 -0400
-Subject: [PATCH 1/2] Remove token key checks
-
-Previously we enforced strict token key matching: the primary key used
-for the operation must strictly reside on the current PKCS#11 token,
-otherwise JSS would bail. However, NSS has the ability to move the key
-to whichever token best supports the given operation. This means that
-we'd prematurely bail when the operation would succeed if it were
-actually executed. By removing these checks, we still leave the ability
-to generate keys on a specific token, we just allow them to be used on
-whatever token supports the given operation (and the key is allowed to
-be moved to).
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/pkcs11/PK11Cipher.java | 4 ----
- org/mozilla/jss/pkcs11/PK11KeyWrapper.java | 22 -------------------
- org/mozilla/jss/pkcs11/PK11MessageDigest.java | 7 ------
- 3 files changed, 33 deletions(-)
-
-diff --git a/org/mozilla/jss/pkcs11/PK11Cipher.java b/org/mozilla/jss/pkcs11/PK11Cipher.java
-index 81b600a4..aac411a4 100644
---- a/org/mozilla/jss/pkcs11/PK11Cipher.java
-+++ b/org/mozilla/jss/pkcs11/PK11Cipher.java
-@@ -262,10 +262,6 @@ public final class PK11Cipher extends org.mozilla.jss.crypto.Cipher {
- if( key==null ) {
- throw new InvalidKeyException("Key is null");
- }
-- if( ! key.getOwningToken().equals(token) ) {
-- throw new InvalidKeyException("Key does not reside on the "+
-- "current token");
-- }
- if( ! (key instanceof PK11SymKey) ) {
- throw new InvalidKeyException("Key is not a PKCS #11 key");
- }
-diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
-index 28840a87..eee2984d 100644
---- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
-+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
-@@ -168,10 +168,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
- throw new InvalidKeyException("Key is null");
- }
- try {
-- if( ! key.getOwningToken().equals(token) ) {
-- throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
-- key.getOwningToken().getName());
-- }
- if( ! (key instanceof PK11SymKey) ) {
- throw new InvalidKeyException("Key is not a PKCS #11 key");
- }
-@@ -196,10 +192,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
- if( key==null ) {
- throw new InvalidKeyException("Key is null");
- }
-- if( ! key.getOwningToken().equals(token) ) {
-- throw new InvalidKeyException("Key does not reside on the "+
-- "current token");
-- }
- if( ! (key instanceof PK11PrivKey) ) {
- throw new InvalidKeyException("Key is not a PKCS #11 key");
- }
-@@ -299,13 +291,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
- throw new InvalidKeyException("key to be wrapped is not a "+
- "PKCS #11 key");
- }
--/* NSS is capable of moving keys appropriately,
-- so this call is prematurely bailing
-- if( ! symKey.getOwningToken().equals(token) ) {
-- throw new InvalidKeyException("key to be wrapped does not live"+
-- " on the same token as the wrapping key");
-- }
--*/
- }
-
- /**
-@@ -320,13 +305,6 @@ public final class PK11KeyWrapper implements KeyWrapper {
- throw new InvalidKeyException("key to be wrapped is not a "+
- "PKCS #11 key");
- }
--/* NSS is capable of moving keys appropriately,
-- so this call is prematurely bailing
-- if( ! privKey.getOwningToken().equals(token) ) {
-- throw new InvalidKeyException("key to be wrapped does not live"+
-- " on the same token as the wrapping key");
-- }
--*/
- }
-
- /**
-diff --git a/org/mozilla/jss/pkcs11/PK11MessageDigest.java b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
-index cd732788..7a1a6dad 100644
---- a/org/mozilla/jss/pkcs11/PK11MessageDigest.java
-+++ b/org/mozilla/jss/pkcs11/PK11MessageDigest.java
-@@ -47,13 +47,6 @@ public final class PK11MessageDigest extends JSSMessageDigest {
- }
-
- hmacKey = (PK11SymKey) key;
--
-- if( ! key.getOwningToken().equals(token) ) {
-- hmacKey = null;
-- throw new InvalidKeyException(
-- "HMAC key does not live on the same token as this digest");
-- }
--
- this.digestProxy = initHMAC(token, alg, hmacKey);
- }
-
---
-2.25.1
-
diff --git a/SOURCES/0005-Fix-NativeProxy-release.patch b/SOURCES/0005-Fix-NativeProxy-release.patch
deleted file mode 100644
index e279abd..0000000
--- a/SOURCES/0005-Fix-NativeProxy-release.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From e623f14abcee16b5dfc57d6956e0ab4bb526ba5b Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 8 Apr 2020 12:21:49 -0400
-Subject: [PATCH] Fix NativeProxy registry tracking
-
-When the switch was made to a HashSet-based registry in
-eb5df01003d74b57473eacb84e538d31f5bb06ca, NativeProxy didn't override
-hashCode(...). This resulted in calls to close() (and thus, finalize())
-not invoking the releaseNativeResources() function to release the
-underlying memory.
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/util/NativeProxy.java | 55 +++++++++++++++++++++------
- 1 file changed, 44 insertions(+), 11 deletions(-)
-
-diff --git a/org/mozilla/jss/util/NativeProxy.java b/org/mozilla/jss/util/NativeProxy.java
-index a0811f76..385c49f9 100644
---- a/org/mozilla/jss/util/NativeProxy.java
-+++ b/org/mozilla/jss/util/NativeProxy.java
-@@ -9,8 +9,10 @@ import java.util.HashSet;
- import java.lang.AutoCloseable;
- import java.lang.Thread;
- import java.util.Arrays;
-+import java.util.concurrent.atomic.AtomicInteger;
-
- import org.mozilla.jss.CryptoManager;
-+import org.mozilla.jss.netscape.security.util.Utils;
-
- import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
-@@ -39,11 +41,13 @@ public abstract class NativeProxy implements AutoCloseable
- * NativeProxy instance acts as a proxy for that native data structure.
- */
- public NativeProxy(byte[] pointer) {
-- assert(pointer!=null);
-+ assert(pointer!=null);
-+
- mPointer = pointer;
-- registry.add(this);
-+ mHashCode = registryIndex.getAndIncrement();
-
- if (saveStacktraces) {
-+ registry.add(this);
- mTrace = Arrays.toString(Thread.currentThread().getStackTrace());
- }
- }
-@@ -55,18 +59,31 @@ public abstract class NativeProxy implements AutoCloseable
- * a different underlying native pointer.
- */
- public boolean equals(Object obj) {
-- if(obj==null) {
-+ if (obj == null) {
- return false;
- }
-- if( ! (obj instanceof NativeProxy) ) {
-+ if (!(obj instanceof NativeProxy)) {
- return false;
- }
-- if (((NativeProxy)obj).mPointer == null) {
-- /* If mPointer is null, we have no way to compare the values
-- * of the pointers, so assume they're unequal. */
-+ NativeProxy nObj = (NativeProxy) obj;
-+ if (this.mPointer == null || nObj.mPointer == null) {
- return false;
- }
-- return Arrays.equals(((NativeProxy)obj).mPointer, mPointer);
-+
-+ return Arrays.equals(this.mPointer, nObj.mPointer);
-+ }
-+
-+ /**
-+ * Hash code based around mPointer value.
-+ *
-+ * Note that Object.hashCode() isn't sufficient as it tries to determine
-+ * the Object's value based on all internal variables. Because we want a
-+ * single static hashCode that is unique to each instance of nativeProxy,
-+ * we construct it up front based on an incrementing counter and cache it
-+ * throughout the lifetime of this object.
-+ */
-+ public int hashCode() {
-+ return mHashCode;
- }
-
- /**
-@@ -112,11 +129,11 @@ public abstract class NativeProxy implements AutoCloseable
- */
- public final void close() throws Exception {
- try {
-- if (registry.remove(this)) {
-+ if (mPointer != null) {
- releaseNativeResources();
- }
- } finally {
-- mPointer = null;
-+ clear();
- }
- }
-
-@@ -131,13 +148,16 @@ public abstract class NativeProxy implements AutoCloseable
- */
- public final void clear() {
- this.mPointer = null;
-- registry.remove(this);
-+ if (saveStacktraces) {
-+ registry.remove(this);
-+ }
- }
-
- /**
- * Byte array containing native pointer bytes.
- */
- private byte mPointer[];
-+ private int mHashCode;
-
- /**
- * String containing backtrace of pointer generation.
-@@ -158,6 +178,15 @@ public abstract class NativeProxy implements AutoCloseable
- * releaseNativeResources() gets called.
- */
- static HashSet<NativeProxy> registry = new HashSet<NativeProxy>();
-+ static AtomicInteger registryIndex = new AtomicInteger();
-+
-+ public String toString() {
-+ if (mPointer == null) {
-+ return this.getClass().getName() + "[" + mHashCode + "@null]";
-+ }
-+
-+ return this.getClass().getName() + "[" + mHashCode + "@" + Utils.HexEncode(mPointer) + "]";
-+ }
-
- /**
- * Internal helper to check whether or not assertions are enabled in the
-@@ -178,6 +207,10 @@ public abstract class NativeProxy implements AutoCloseable
- * is thrown.
- */
- public synchronized static void assertRegistryEmpty() {
-+ if (!saveStacktraces) {
-+ return;
-+ }
-+
- if (!registry.isEmpty()) {
- logger.warn(registry.size() + " NativeProxys are still registered.");
-
---
-2.25.2
-
diff --git a/SOURCES/0006-Fix-SSLSocket-closure.patch b/SOURCES/0006-Fix-SSLSocket-closure.patch
deleted file mode 100644
index f7a401c..0000000
--- a/SOURCES/0006-Fix-SSLSocket-closure.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 278ff534e0a30cb112e8c29de573bf45b4264ad2 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel <ascheel@redhat.com>
-Date: Wed, 15 Apr 2020 08:20:37 -0400
-Subject: [PATCH] Fix SSLSocket closure
-
-Signed-off-by: Alexander Scheel <ascheel@redhat.com>
----
- org/mozilla/jss/ssl/SocketBase.java | 14 +++++++++++-
- org/mozilla/jss/ssl/common.c | 34 +++++++++++++++++++----------
- 2 files changed, 36 insertions(+), 12 deletions(-)
-
-diff --git a/org/mozilla/jss/ssl/SocketBase.java b/org/mozilla/jss/ssl/SocketBase.java
-index 2c835913..27109369 100644
---- a/org/mozilla/jss/ssl/SocketBase.java
-+++ b/org/mozilla/jss/ssl/SocketBase.java
-@@ -106,7 +106,19 @@ class SocketBase {
- static final int SSL_AF_INET6 = 51;
-
- void close() throws IOException {
-- socketClose();
-+ try {
-+ if (sockProxy != null) {
-+ socketClose();
-+ sockProxy.close();
-+ }
-+ } catch (Exception e) {
-+ String msg = "Unexpected exception while trying to finalize ";
-+ msg += "SocketProxy: " + e.getMessage();
-+
-+ throw new IOException(msg, e);
-+ } finally {
-+ sockProxy = null;
-+ }
- }
-
- // SSLServerSocket and SSLSocket close methods
-diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c
-index 2db9fda1..2c52a9d6 100644
---- a/org/mozilla/jss/ssl/common.c
-+++ b/org/mozilla/jss/ssl/common.c
-@@ -333,21 +333,28 @@ JNIEXPORT void JNICALL
- Java_org_mozilla_jss_ssl_SocketProxy_releaseNativeResources
- (JNIEnv *env, jobject this)
- {
-- /* SSLSocket.close and SSLServerSocket.close call */
-- /* SocketBase.close to destroy all native Resources */
-- /* attached to the socket. There is no native resource */
-- /* to release after close has been called. This method */
-- /* remains because SocketProxy extends org.mozilla.jss.util.NativeProxy*/
-- /* which defines releaseNativeResources as abstract and */
-- /* therefore must be implemented by SocketProxy */
-+ JSSL_SocketData *sockdata;
-+
-+ PR_ASSERT(env != NULL && this != NULL);
-+
-+ if (JSS_getPtrFromProxy(env, this, (void**)&sockdata) != PR_SUCCESS) {
-+ return;
-+ }
-+
-+ JSSL_DestroySocketData(env, sockdata);
- }
-
- void
- JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd)
- {
-- PR_ASSERT(sd != NULL);
-+ if (sd == NULL) {
-+ return;
-+ }
-
-- PR_Close(sd->fd);
-+ if (sd->fd != NULL) {
-+ PR_Close(sd->fd);
-+ sd->fd = NULL;
-+ }
-
- if( sd->socketObject != NULL ) {
- DELETE_WEAK_GLOBAL_REF(env, sd->socketObject );
-@@ -367,6 +374,8 @@ JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd)
- if( sd->lock != NULL ) {
- PR_DestroyLock(sd->lock);
- }
-+
-+ memset(sd, 0, sizeof(JSSL_SocketData));
- PR_Free(sd);
- }
-
-@@ -540,12 +549,15 @@ Java_org_mozilla_jss_ssl_SocketBase_socketClose(JNIEnv *env, jobject self)
- JSSL_SocketData *sock = NULL;
-
- /* get the FD */
-- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) {
-+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS || sock == NULL) {
- /* exception was thrown */
- return;
- }
-
-- JSSL_DestroySocketData(env, sock);
-+ if (sock->fd != NULL) {
-+ PR_Close(sock->fd);
-+ sock->fd = NULL;
-+ }
- }
-
- JNIEXPORT void JNICALL
---
-2.25.2
-
diff --git a/SPECS/jss.spec b/SPECS/jss.spec
index 172f73e..8b3f9c6 100644
--- a/SPECS/jss.spec
+++ b/SPECS/jss.spec
@@ -6,9 +6,9 @@ Summary: Java Security Services (JSS)
URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+
-Version: 4.6.2
-Release: 6%{?_timestamp}%{?_commit_id}%{?dist}
-# global _phase -a1
+Version: 4.7.3
+Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
+#global _phase -a1
# To generate the source tarball:
# $ git clone https://github.com/dogtagpki/jss.git
@@ -25,12 +25,6 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
# <version tag> \
# > jss-VERSION-RELEASE.patch
# Patch: jss-VERSION-RELEASE.patch
-Patch0: 0001-Fix-NativeProxy-reference-tracker.patch
-Patch1: 0002-Fix-swapped-parameter-names-with-PBE.patch
-Patch3: 0003-Use-specified-algorithm-for-KeyWrap.patch
-Patch4: 0004-Remove-token-key-checks.patch
-Patch5: 0005-Fix-NativeProxy-release.patch
-Patch6: 0006-Fix-SSLSocket-closure.patch
################################################################################
# Build Dependencies
@@ -40,11 +34,13 @@ Patch6: 0006-Fix-SSLSocket-closure.patch
BuildRequires: git
BuildRequires: make
BuildRequires: cmake
+BuildRequires: zip
+BuildRequires: unzip
BuildRequires: gcc-c++
BuildRequires: nspr-devel >= 4.13.1
-BuildRequires: nss-devel >= 3.30
-BuildRequires: nss-tools >= 3.30
+BuildRequires: nss-devel >= 3.44
+BuildRequires: nss-tools >= 3.44
BuildRequires: java-devel
BuildRequires: jpackage-utils
BuildRequires: slf4j
@@ -55,11 +51,10 @@ BuildRequires: glassfish-jaxb-api
BuildRequires: slf4j-jdk14
%endif
BuildRequires: apache-commons-lang
-BuildRequires: apache-commons-codec
BuildRequires: junit
-Requires: nss >= 3.30
+Requires: nss >= 3.44
Requires: java-headless
Requires: jpackage-utils
Requires: slf4j
@@ -70,7 +65,6 @@ Requires: glassfish-jaxb-api
Requires: slf4j-jdk14
%endif
Requires: apache-commons-lang
-Requires: apache-commons-codec
Conflicts: ldapjdk < 4.20
Conflicts: idm-console-framework < 1.2
@@ -114,15 +108,28 @@ export CFLAGS
# Check if we're in FIPS mode
modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
+# RHEL's CMake doesn't support -B flag.
+%if 0%{?rhel}
+%{__mkdir_p} %{_vpath_builddir}
+cd %{_vpath_builddir}
+%endif
+
# The Makefile is not thread-safe
-rm -rf build && mkdir -p build && cd build
%cmake \
-DJAVA_HOME=%{java_home} \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
+%if 0%{?rhel}
..
+%else
+ -B %{_vpath_builddir}
+%endif
+
+%if 0%{?fedora}
+cd %{_vpath_builddir}
+%endif
%{__make} all
-%{__make} javadoc || true
+%{__make} javadoc
ctest --output-on-failure
################################################################################
@@ -132,19 +139,19 @@ ctest --output-on-failure
# jars
install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
-install -m 644 build/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
+install -m 644 %{_vpath_builddir}/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
# We have to use the name libjss4.so because this is dynamically
# loaded by the jar file.
install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
-install -m 0755 build/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
+install -m 0755 %{_vpath_builddir}/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
pushd ${RPM_BUILD_ROOT}%{_libdir}/jss
ln -fs %{_jnidir}/jss4.jar jss4.jar
popd
# javadoc
install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -rp build/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
+cp -rp %{_vpath_builddir}/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
cp -p jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
@@ -153,7 +160,8 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
%files
%defattr(-,root,root,-)
-%doc jss.html MPL-1.1.txt gpl.txt lgpl.txt
+%doc jss.html
+%license MPL-1.1.txt gpl.txt lgpl.txt
%{_libdir}/*
%{_jnidir}/*
@@ -165,14 +173,29 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
################################################################################
%changelog
-* Wed Apr 15 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-6
-- NativeProxy never calls releaseNativeResources - Memory Leak
- Additional patch to fix SSLSocket resource freeing
- Bugzilla #1822402
-
-* Tue Apr 14 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-5
-- NativeProxy never calls releaseNativeResources - Memory Leak
- Bugzilla #1822402
+* Fri Sep 11 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.3-1
+- Rebase to upstream stable release JSS v4.7.3
+- Red Hat Bugzilla #1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add
+
+* Thu Aug 06 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.2-1
+- Rebase to upstream stable release JSS v4.7.2
+- Red Hat Bugzilla #1822246 - Fix SSLSocket NULL pointer deference after close
+
+* Fri Jul 31 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.1-1
+- Rebase to upstream stable release JSS v4.7.1
+
+* Thu Jul 09 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-1
+- Rebase to upstream stable release JSS v4.7.0
+- Fixed TestSSLEngine
+
+* Thu Jun 25 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.4
+- Rebased to JSS 4.7.0-b4
+
+* Mon Jun 22 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.3
+- Rebased to JSS 4.7.0-b3
+
+* Tue May 26 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.0-0.1
+- Rebased to JSS 4.7.0-b1
* Mon Mar 23 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.6.2-4
- Red Hat Bugzilla #1807371 - KRA-HSM: Async and sync key recovery using kra agent web is failing