diff --git a/.gitignore b/.gitignore
index 1c02d34..799ca53 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/jss-4.7.3.tar.gz
+SOURCES/jss-4.8.1.tar.gz
diff --git a/.jss.metadata b/.jss.metadata
index f86585b..d3c9489 100644
--- a/.jss.metadata
+++ b/.jss.metadata
@@ -1 +1 @@
-c3c5fdc3003d78b26071d0c215067019ede3ad60 SOURCES/jss-4.7.3.tar.gz
+5bf724d866e8fd7e577ffdecb06dbb679b113ce3 SOURCES/jss-4.8.1.tar.gz
diff --git a/SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch b/SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch
new file mode 100644
index 0000000..581f7cf
--- /dev/null
+++ b/SOURCES/0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch
@@ -0,0 +1,105 @@
+From 3cc2f62eaca0e616dadc3053919180615b48bf54 Mon Sep 17 00:00:00 2001
+From: Alexander Scheel <alexander.m.scheel@gmail.com>
+Date: Fri, 12 Mar 2021 20:41:51 -0500
+Subject: [PATCH] Encrypt & unwrap symmetric key in FIPS mode (#678)
+
+NSS doesn't generally allow keys to be imported in FIPS mode. However,
+for portability with other JCA providers, we sometimes need to import
+keys from byte arrays. Do this in the JNI layer by executing a PKCS#11
+encrypt and then unwrap using the same key. This lets us effectively
+"import" a key into a token, if the token supports using the given
+mechanism for both encryption and unwrapping operations. Some HSMs are
+getting stricter about this and forbid using the same key for encrypt
+and unwrap operations.
+
+Resolves: #334
+
+Signed-off-by: Alexander Scheel <ascheel@redhat.com>
+Signed-off-by: Alexander Scheel <alexander.m.scheel@gmail.com>
+---
+ org/mozilla/jss/pkcs11/PK11KeyWrapper.c | 62 ++++++++++++++++++++++++-
+ 1 file changed, 60 insertions(+), 2 deletions(-)
+
+diff --git a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+index f39a3796..e8e9da16 100644
+--- a/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
++++ b/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+@@ -712,6 +712,61 @@ finish:
+ return keyObj;
+ }
+
++PK11SymKey *JSS_PK11_ImportSymKeyWithFlagsFIPS(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
++ CK_ATTRIBUTE_TYPE operation, SECItem *key, CK_FLAGS flags,
++ PRBool isPerm, void *wincx)
++{
++ PK11SymKey *result = NULL;
++ PK11SymKey *wrapper = NULL;
++ SECStatus ret = SECFailure;
++ unsigned int wrapped_len = 0;
++ unsigned int wrapped_max = key->len + 64;
++ unsigned char *wrapped_key = calloc(wrapped_max, sizeof(unsigned char));
++ SECItem wrapped_item = { siBuffer, wrapped_key, 0 };
++ SECItem *param = NULL;
++
++ /* Steps:
++ * 1. Generate a temporary key to encrypt and unwrap with,
++ * 2. Encrypt our key to import using the wrapping key,
++ * 3. Unwrap into the token using the wrapping key.
++ */
++
++#define FIPS_KEYGEN_ALGO CKM_AES_KEY_GEN
++#define FIPS_ENCRYPT_UNWRAP_ALGO CKM_AES_KEY_WRAP_PAD
++
++ wrapper = PK11_KeyGen(slot, FIPS_KEYGEN_ALGO, NULL, 32, wincx);
++ if (wrapper == NULL) {
++ goto done;
++ }
++
++ param = PK11_GenerateNewParam(FIPS_ENCRYPT_UNWRAP_ALGO, wrapper);
++ if (param == NULL) {
++ goto done;
++ }
++
++ ret = PK11_Encrypt(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO, param,
++ wrapped_key, &wrapped_len, wrapped_max,
++ key->data, key->len);
++ if (ret != SECSuccess) {
++ goto done;
++ }
++
++ wrapped_item.len = wrapped_len;
++
++ result = PK11_UnwrapSymKeyWithFlagsPerm(wrapper, FIPS_ENCRYPT_UNWRAP_ALGO,
++ param, &wrapped_item, type, operation, key->len, flags,
++ isPerm);
++
++done:
++ free(wrapped_key);
++ SECITEM_FreeItem(param, PR_TRUE);
++ if (wrapper != NULL) {
++ PK11_DeleteTokenSymKey(wrapper);
++ PK11_FreeSymKey(wrapper);
++ }
++ return result;
++}
++
+ /***********************************************************************
+ *
+ * PK11KeyWrapper.nativeUnwrapSymPlaintext
+@@ -765,8 +820,11 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext
+ }
+
+ /* pull in the key */
+- symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap,
+- operation, wrappedKey, flags, isPerm, NULL);
++ if (PK11_IsFIPS()) {
++ symKey = JSS_PK11_ImportSymKeyWithFlagsFIPS(slot, keyTypeMech, operation, wrappedKey, flags, isPerm, NULL);
++ } else {
++ symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap, operation, wrappedKey, flags, isPerm, NULL);
++ }
+ if( symKey == NULL ) {
+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Failed to unwrap key");
+ goto finish;
+--
+2.26.2
+
diff --git a/SPECS/jss.spec b/SPECS/jss.spec
index 8b3f9c6..9fa89b0 100644
--- a/SPECS/jss.spec
+++ b/SPECS/jss.spec
@@ -6,8 +6,8 @@ Summary: Java Security Services (JSS)
URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+
-Version: 4.7.3
-Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
+Version: 4.8.1
+Release: 2%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -a1
# To generate the source tarball:
@@ -25,6 +25,7 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
# <version tag> \
# > jss-VERSION-RELEASE.patch
# Patch: jss-VERSION-RELEASE.patch
+Patch1: 0001-Encrypt-unwrap-symmetric-key-in-FIPS-mode-678.patch
################################################################################
# Build Dependencies
@@ -33,7 +34,7 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
# autosetup
BuildRequires: git
BuildRequires: make
-BuildRequires: cmake
+BuildRequires: cmake >= 3.14
BuildRequires: zip
BuildRequires: unzip
@@ -50,7 +51,7 @@ BuildRequires: glassfish-jaxb-api
%else
BuildRequires: slf4j-jdk14
%endif
-BuildRequires: apache-commons-lang
+BuildRequires: apache-commons-lang3
BuildRequires: junit
@@ -64,12 +65,12 @@ Requires: glassfish-jaxb-api
%else
Requires: slf4j-jdk14
%endif
-Requires: apache-commons-lang
+Requires: apache-commons-lang3
Conflicts: ldapjdk < 4.20
Conflicts: idm-console-framework < 1.2
-Conflicts: tomcatjss < 7.3.4
-Conflicts: pki-base < 10.6.5
+Conflicts: tomcatjss < 7.6.0
+Conflicts: pki-base < 10.10.0
%description
Java Security Services (JSS) is a java native interface which provides a bridge
@@ -108,26 +109,13 @@ export CFLAGS
# Check if we're in FIPS mode
modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
-# RHEL's CMake doesn't support -B flag.
-%if 0%{?rhel}
-%{__mkdir_p} %{_vpath_builddir}
-cd %{_vpath_builddir}
-%endif
-
# The Makefile is not thread-safe
%cmake \
-DJAVA_HOME=%{java_home} \
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
-%if 0%{?rhel}
- ..
-%else
-B %{_vpath_builddir}
-%endif
-%if 0%{?fedora}
cd %{_vpath_builddir}
-%endif
-
%{__make} all
%{__make} javadoc
ctest --output-on-failure
@@ -173,6 +161,24 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
################################################################################
%changelog
+* Tue Mar 16 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-2
+- Bug 1932803 - HSM + FIPS: CMCRequest with a shared secret resulting in error
+
+* Thu Jan 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.1-1
+- Rebase to upstream JSS v4.8.1
+- Red Hat Bugilla #1908541 - jss broke SCEP - missing PasswordChallenge class
+- Red Hat Bugilla #1489256 - [RFE] jss should support RSA with OAEP padding
+
+* Wed Nov 18 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.0-2
+- Only check PKCS11Constants on beta builds
+- Bump tomcatjss, pki-core conflicts due to lang3
+
+* Wed Oct 28 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.0-1
+- Rebase to upstream JSS v4.8.0
+
+* Tue Oct 20 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.8.0-0.1
+- Rebase to upstream JSS v4.8.0-b1
+
* Fri Sep 11 2020 Red Hat PKI Team <rhcs-maint@redhat.com> 4.7.3-1
- Rebase to upstream stable release JSS v4.7.3
- Red Hat Bugzilla #1873235 - Fix SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT in pki ca-user-cert-add