diff --git a/.gitignore b/.gitignore index 799ca53..b4e8172 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/jss-4.8.1.tar.gz +SOURCES/jss-4.9.0-alpha2.tar.gz diff --git a/.jss.metadata b/.jss.metadata index d3c9489..c8a8f74 100644 --- a/.jss.metadata +++ b/.jss.metadata @@ -1 +1 @@ -5bf724d866e8fd7e577ffdecb06dbb679b113ce3 SOURCES/jss-4.8.1.tar.gz +3af27626d1238104b594aeea6979a6347df9804b SOURCES/jss-4.9.0-alpha2.tar.gz diff --git a/SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch b/SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch deleted file mode 100644 index 581f7cf..0000000 --- a/SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch +++ /dev/null @@ -1,105 +0,0 @@ -From 3cc2f62eaca0e616dadc3053919180615b48bf54 Mon Sep 17 00:00:00 2001 -From: Alexander Scheel -Date: Fri, 12 Mar 2021 20:41:51 -0500 -Subject: [PATCH] Encrypt & unwrap symmetric key in FIPS mode (#678) - -NSS doesn't generally allow keys to be imported in FIPS mode. However, -for portability with other JCA providers, we sometimes need to import -keys from byte arrays. Do this in the JNI layer by executing a PKCS#11 -encrypt and then unwrap using the same key. This lets us effectively -"import" a key into a token, if the token supports using the given -mechanism for both encryption and unwrapping operations. Some HSMs are -getting stricter about this and forbid using the same key for encrypt -and unwrap operations. - -Resolves: #334 - -Signed-off-by: Alexander Scheel -Signed-off-by: Alexander Scheel ---- - org/mozilla/jss/pkcs11/PK11KeyWrapper.c | 62 ++++++++++++++++++++++++- - 1 file changed, 60 insertions(+), 2 deletions(-) - -diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c -index f39a3796..e8e9da16 100644 ---- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c -+++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c -@@ -712,6 +712,61 @@ finish: - return keyObj; - } - -+PK11SymKey *JSS_PK11_ImportSymKeyWithFlagsFIPS(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, -+ CK_ATTRIBUTE_TYPE operation, SECItem *key, CK_FLAGS flags, -+ PRBool isPerm, void *wincx) -+{ -+ PK11SymKey *result = NULL; -+ PK11SymKey *wrapper = NULL; -+ SECStatus ret = SECFailure; -+ unsigned int wrapped_len = 0; -+ unsigned int wrapped_max = key->len + 64; -+ unsigned char *wrapped_key = calloc(wrapped_max, sizeof(unsigned char)); -+ SECItem wrapped_item = { siBuffer, wrapped_key, 0 }; -+ SECItem *param = NULL; -+ -+ /* Steps: -+ * 1. Generate a temporary key to encrypt and unwrap with, -+ * 2. Encrypt our key to import using the wrapping key, -+ * 3. Unwrap into the token using the wrapping key. -+ */ -+ -+#define FIPS_KEYGEN_ALGO CKM_AES_KEY_GEN -+#define FIPS_ENCRYPT_UNWRAP_ALGO CKM_AES_KEY_WRAP_PAD -+ -+ wrapper = PK11_KeyGen(slot, FIPS_KEYGEN_ALGO, NULL, 32, wincx); -+ if (wrapper == NULL) { -+ goto done; -+ } -+ -+ param = PK11_GenerateNewParam(FIPS_ENCRYPT_UNWRAP_ALGO, wrapper); -+ if (param == NULL) { -+ goto done; -+ } -+ -+ ret = PK11_Encrypt(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO, param, -+ wrapped_key, &wrapped_len, wrapped_max, -+ key->data, key->len); -+ if (ret != SECSuccess) { -+ goto done; -+ } -+ -+ wrapped_item.len = wrapped_len; -+ -+ result = PK11_UnwrapSymKeyWithFlagsPerm(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO, -+ param, &wrapped_item, type, operation, key->len, flags, -+ isPerm); -+ -+done: -+ free(wrapped_key); -+ SECITEM_FreeItem(param, PR_TRUE); -+ if (wrapper != NULL) { -+ PK11_DeleteTokenSymKey(wrapper); -+ PK11_FreeSymKey(wrapper); -+ } -+ return result; -+} -+ - /*********************************************************************** - * - * PK11KeyWrapper.nativeUnwrapSymPlaintext -@@ -765,8 +820,11 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext - } - - /* pull in the key */ -- symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap, -- operation, wrappedKey, flags, isPerm, NULL); -+ if (PK11_IsFIPS()) { -+ symKey = JSS_PK11_ImportSymKeyWithFlagsFIPS(slot, keyTypeMech, operation, wrappedKey, flags, isPerm, NULL); -+ } else { -+ symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap, operation, wrappedKey, flags, isPerm, NULL); -+ } - if( symKey == NULL ) { - JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Failed to unwrap key"); - goto finish; --- -2.26.2 - diff --git a/SPECS/jss.spec b/SPECS/jss.spec index 9fa89b0..616ef03 100644 --- a/SPECS/jss.spec +++ b/SPECS/jss.spec @@ -6,9 +6,11 @@ Summary: Java Security Services (JSS) URL: http://www.dogtagpki.org/wiki/JSS License: MPLv1.1 or GPLv2+ or LGPLv2+ -Version: 4.8.1 -Release: 2%{?_timestamp}%{?_commit_id}%{?dist} -#global _phase -a1 +# For development (i.e. unsupported) releases, use x.y.z-0.n.. +# For official (i.e. supported) releases, use x.y.z-r where r >=1. +Version: 4.9.0 +Release: 0.2.alpha2%{?_timestamp}%{?_commit_id}%{?dist} +%global _phase -alpha2 # To generate the source tarball: # $ git clone https://github.com/dogtagpki/jss.git @@ -25,14 +27,34 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas # \ # > jss-VERSION-RELEASE.patch # Patch: jss-VERSION-RELEASE.patch -Patch1: 0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch + +################################################################################ +# Java +################################################################################ + +%if 0%{?fedora} && 0%{?fedora} <= 32 || 0%{?rhel} && 0%{?rhel} <= 8 +%define java_devel java-1.8.0-openjdk-devel +%define java_headless java-1.8.0-openjdk-headless +%define java_home /usr/lib/jvm/jre-1.8.0-openjdk +%else +%define java_devel java-11-openjdk-devel +%define java_headless java-11-openjdk-headless +%define java_home /usr/lib/jvm/jre-11-openjdk +%endif + +################################################################################ +# Build Options +################################################################################ + +# By default the build will execute unit tests unless --without test +# option is specified. + +%bcond_without test ################################################################################ # Build Dependencies ################################################################################ -# autosetup -BuildRequires: git BuildRequires: make BuildRequires: cmake >= 3.14 BuildRequires: zip @@ -42,29 +64,21 @@ BuildRequires: gcc-c++ BuildRequires: nspr-devel >= 4.13.1 BuildRequires: nss-devel >= 3.44 BuildRequires: nss-tools >= 3.44 -BuildRequires: java-devel +BuildRequires: %{java_devel} BuildRequires: jpackage-utils BuildRequires: slf4j BuildRequires: glassfish-jaxb-api -%if 0%{?rhel} && 0%{?rhel} <= 7 -# no slf4j-jdk14 -%else BuildRequires: slf4j-jdk14 -%endif BuildRequires: apache-commons-lang3 BuildRequires: junit Requires: nss >= 3.44 -Requires: java-headless +Requires: %{java_headless} Requires: jpackage-utils Requires: slf4j Requires: glassfish-jaxb-api -%if 0%{?rhel} && 0%{?rhel} <= 7 -# no slf4j-jdk14 -%else Requires: slf4j-jdk14 -%endif Requires: apache-commons-lang3 Conflicts: ldapjdk < 4.20 @@ -90,15 +104,13 @@ This package contains the API documentation for JSS. ################################################################################ %prep -%autosetup -n %{name}-%{version}%{?_phase} -p 1 -S git +%autosetup -n %{name}-%{version}%{?_phase} -p 1 ################################################################################ %build %set_build_flags -[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java - # Enable compiler optimizations export BUILD_OPT=1 @@ -111,39 +123,43 @@ modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENA # The Makefile is not thread-safe %cmake \ + -DVERSION=%{version} \ -DJAVA_HOME=%{java_home} \ -DJAVA_LIB_INSTALL_DIR=%{_jnidir} \ + -DJSS_LIB_INSTALL_DIR=%{_libdir}/jss \ -B %{_vpath_builddir} cd %{_vpath_builddir} -%{__make} all -%{__make} javadoc + +%{__make} \ + VERBOSE=%{?_verbose} \ + CMAKE_NO_VERBOSE=1 \ + --no-print-directory \ + all + +%{__make} \ + VERBOSE=%{?_verbose} \ + CMAKE_NO_VERBOSE=1 \ + --no-print-directory \ + javadoc + +%if %{with test} ctest --output-on-failure +%endif ################################################################################ %install -# There is no install target so we'll do it by hand - -# jars -install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir} -install -m 644 %{_vpath_builddir}/jss4.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar - -# We have to use the name libjss4.so because this is dynamically -# loaded by the jar file. -install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss -install -m 0755 %{_vpath_builddir}/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/ -pushd ${RPM_BUILD_ROOT}%{_libdir}/jss - ln -fs %{_jnidir}/jss4.jar jss4.jar -popd +cd %{_vpath_builddir} -# javadoc -install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} -cp -rp %{_vpath_builddir}/docs/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} -cp -p jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} -cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} +%{__make} \ + VERBOSE=%{?_verbose} \ + CMAKE_NO_VERBOSE=1 \ + DESTDIR=%{buildroot} \ + INSTALL="install -p" \ + --no-print-directory \ + install -# No ldconfig is required since this library is loaded by Java itself. ################################################################################ %files @@ -161,8 +177,11 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} ################################################################################ %changelog -* Tue Mar 16 2021 Red Hat PKI Team 4.8.1-2 -- Bug 1932803 - HSM + FIPS: CMCRequest with a shared secret resulting in error +* Fri Jun 11 2021 Red Hat PKI Team 4.9.0-0.2 +- Rebase to JSS 4.9.0-alpha2 + +* Wed Jun 02 2021 Red Hat PKI Team 4.9.0-0.1 +- Rebase to JSS 4.9.0-alpha1 * Thu Jan 14 2021 Red Hat PKI Team 4.8.1-1 - Rebase to upstream JSS v4.8.1