diff --git a/SOURCES/jss-add-TLS-SHA384-ciphers.patch b/SOURCES/jss-add-TLS-SHA384-ciphers.patch
new file mode 100644
index 0000000..f9e5e68
--- /dev/null
+++ b/SOURCES/jss-add-TLS-SHA384-ciphers.patch
@@ -0,0 +1,167 @@
+From 82f4b9a032f942fdc005e12a408c8e87c9ea0f36 Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Thu, 28 Jun 2018 17:42:36 -0700
+Subject: [PATCH] Ticket #4 Add support for TLS_*_SHA384 ciphers
+
+This patch adds support for TLS_*_SHA384 ciphers.
+
+Fixes https://pagure.io/jss/issue/4
+---
+ org/mozilla/jss/ssl/SSLCipher.java | 7 +++++
+ org/mozilla/jss/ssl/SSLSocket.java | 7 +++++
+ org/mozilla/jss/tests/Constants.java | 11 ++++++--
+ org/mozilla/jss/tests/SSLClientAuth.java | 45 ++++++++++++++++++++++++++++++++
+ 4 files changed, 68 insertions(+), 2 deletions(-)
+
+diff --git a/org/mozilla/jss/ssl/SSLCipher.java b/org/mozilla/jss/ssl/SSLCipher.java
+index 30acdd7..278126b 100644
+--- a/org/mozilla/jss/ssl/SSLCipher.java
++++ b/org/mozilla/jss/ssl/SSLCipher.java
+@@ -258,8 +258,11 @@ public enum SSLCipher {
+ TLS_RSA_WITH_SEED_CBC_SHA (0x0096),
+
+ TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C),
++ TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D),
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009E),
++ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009F),
+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00A2),
++ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00A3),
+
+ TLS_ECDH_ECDSA_WITH_NULL_SHA (0xc001, true),
+ TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002, true),
+@@ -292,11 +295,15 @@ public enum SSLCipher {
+ TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019, true),
+
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023, true),
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024, true),
+ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027, true),
++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028, true),
+
+ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02B, true),
++ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02C, true),
+ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02D, true),
+ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02F, true),
++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030, true),
+ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031, true);
+
+ private int id;
+diff --git
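Review bot: The seven new suite ids are typed by hand in this enum and again as `int` constants in the SSLSocket.java hunks, with a third copy of each name in the Constants.java table, and nothing in the patch checks that the copies agree. A mistyped id would bind a name to a different suite than the one the caller asked for, so a small test that walks the enum and compares each id with the same-named SSLSocket field is worth adding. The subject says TLS_*_SHA384, yet the set mixes forward-secret AEAD suites with TLS_RSA_WITH_AES_256_GCM_SHA384 (static RSA key exchange) and two CBC_SHA384 suites; whether any of the seven ends up enabled by default is not visible from these hunks, so the description should state the intended default for each.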
a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java
+index 0dd39fd..e104d3c 100644
+--- a/org/mozilla/jss/ssl/SSLSocket.java
++++ b/org/mozilla/jss/ssl/SSLSocket.java
+@@ -268,8 +268,11 @@ public class SSLSocket extends java.net.Socket {
+ public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096;
+
+ public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C;
++ public final static int TLS_RSA_WITH_AES_256_GCM_SHA384 = 0x009D;
+ public final static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E;
++ public final static int TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = 0x009F;
+ public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2;
++ public final static int TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = 0x00A3;
+
+ public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001;
+ public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002;
+@@ -302,11 +305,15 @@ public class SSLSocket extends java.net.Socket {
+ public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019;
+
+ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023;
++ public final static int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = 0xc024;
+ public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027;
++ public final static int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = 0xc028;
+
+ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02B;
++ public final static int TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = 0xc02C;
+ public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D;
+ public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02F;
++ public final static int TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xc030;
+ public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031;
+
+ /*
+diff --git a/org/mozilla/jss/tests/Constants.java b/org/mozilla/jss/tests/Constants.java
+index e613034..d79ad72 100755
+--- a/org/mozilla/jss/tests/Constants.java
++++
b/org/mozilla/jss/tests/Constants.java
+@@ -142,8 +142,15 @@ public interface Constants {
+ /*77*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
+ /*78*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
+ /*79*/ new cipher(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"),
+-/*78*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
+-/*80*/ new cipher(SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256")
++/*80*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
++/*81*/ new cipher(SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"),
++/*82*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384"),
++/*83*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"),
++/*84*/ new cipher(SSLSocket.TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"),
++/*85*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"),
++/*86*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
++/*87*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"),
++/*88*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
+ };
+
+ /** Cipher supported by JSSE (JDK 1.5.x) */
+diff --git a/org/mozilla/jss/tests/SSLClientAuth.java b/org/mozilla/jss/tests/SSLClientAuth.java
+index e1c6163..b656b82 100644
+--- a/org/mozilla/jss/tests/SSLClientAuth.java
++++ b/org/mozilla/jss/tests/SSLClientAuth.java
+@@ -148,6 +148,8 @@ public class SSLClientAuth implements Runnable {
+
+ }
+
configureDefaultSSLoptions();
++
++ testSpecificCiphers();
+
+ useNickname = false;
+ testConnection();
+@@ -265,6 +267,49 @@ public class SSLClientAuth implements Runnable {
+ System.exit(1);
+ }
+ }
++
++ // test one or more specific ciphers
++ // -- normally for newly added ciphers
++ private void testSpecificCiphers() {
++ try {
++ //Disable SSL2 and SSL3 ciphers
++ SSLSocket.enableSSL2Default(false);
++ SSLSocket.enableSSL3Default(false);
++ /* TLS is enabled by default */
++
++ /* Enable Session tickets by default */
++ SSLSocket.enableSessionTicketsDefault(true);
++
++ /*
++ * when testing specific ciphers:
++ * 1. flip this to true
++ * 2. change the ciphers comparison (the code below was from
++ * the latest test
++ */
++ if (false) {
++ System.out.println("testing new TLS_*SHA384 ciphers");
++ System.out.println("Enable ony two new ciphers.");
++ int ciphers[] =
++ org.mozilla.jss.ssl.SSLSocket.getImplementedCipherSuites();
++ for (int i = 0; i < ciphers.length; ++i) {
++ if (ciphers[i] == 157 || ciphers[i] == 159) {
++ System.out.println("enabling cipher: " + ciphers[i]);
++ /* enable a couple SHA384 ciphers */
++ SSLSocket.setCipherPreferenceDefault(ciphers[i], true);
++ } else {
++ System.out.println("disabling cipher: " + ciphers[i]);
++ /* disable the non SHA384 ciphers */
++ SSLSocket.setCipherPreferenceDefault(ciphers[i], false);
++ }
++ }
++ }
++
++ } catch (SocketException ex) {
++ System.out.println("Error configuring ciphers.");
++ ex.printStackTrace();
++ System.exit(1);
++ }
++ }
+
+ private void testConnection() throws Exception {
+ serverReady = false;
+--
+1.8.3.1
+
diff --git a/SOURCES/jss-fix-algorithm-identifier-encode-decode.patch b/SOURCES/jss-fix-algorithm-identifier-encode-decode.patch
new file mode 100644
index 0000000..0d53702
--- /dev/null
+++ b/SOURCES/jss-fix-algorithm-identifier-encode-decode.patch
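Review bot: testSpecificCiphers() never exercises the new suites, because the selection loop sits behind `if (false)`; what does run is the three process-wide default changes (SSL2 off, SSL3 off, session tickets on), and those now apply to every testConnection() call that follows the call inserted in the first hunk, whose enclosing method starts outside it. When the block is switched on it matches the bare decimals 157 and 159, which hide that they are 0x009D and 0x009F; `if (ciphers[i] == SSLSocket.TLS_RSA_WITH_AES_256_GCM_SHA384 || ciphers[i] == SSLSocket.TLS_DHE_RSA_WITH_AES_256_GCM_SHA384) {` says what is being tested. A runtime switch such as `if (Boolean.getBoolean("jss.test.specificCiphers")) {` (property name constructed for illustration) would let the path run without editing the source. The comment block also has an unclosed parenthesis and the message "Enable ony two new ciphers." has a typo.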
@@ -0,0 +1,44 @@
+From 7c7a97f60c1b3400b921981a3cd9e9aae4f28987 Mon Sep 17 00:00:00 2001
+From: Christina Fu
+Date: Tue, 26 Jun 2018 17:59:28 -0700
+Subject: [PATCH] Ticket 12 AlgorithmIdentifier decode/encode process alters
+ original data
+
+This patch provides fix to ensure that the encoding and decoding of an AlgorithmIdentifier
+structure would not alter the data.
+
+credit: original fix suggestion provided by david.k.stutzman2.ctr@mail.mil
+
+fixes https://pagure.io/jss/issue/12
+---
+ org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java b/org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java
+index 0662f76..3487707 100644
+--- a/org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java
++++ b/org/mozilla/jss/pkix/primitive/AlgorithmIdentifier.java
+@@ -103,19 +103,8 @@ public static class Template implements ASN1Template {
+ Assert._assert( seq.size() == 2 );
+
+ OBJECT_IDENTIFIER algOID = (OBJECT_IDENTIFIER)seq.elementAt(0);
+- boolean allowParams = true;
+- try {
+- if (algOID.equals(SignatureAlgorithm.ECSignatureWithSHA256Digest.toOID()) ||
+- algOID.equals(SignatureAlgorithm.ECSignatureWithSHA384Digest.toOID()) ||
+- algOID.equals(SignatureAlgorithm.ECSignatureWithSHA512Digest.toOID())) {
+- allowParams = false;
+- }
+- } catch (NoSuchAlgorithmException e) {
+- // System.out.println("JSS: AlgorithmIdentifier:decode: " + e.toString());
+- // unlikely to happen; swallow it. treat it as allowParams;
+- }
+
+- if (!allowParams) {
++ if (seq.elementAt(1) == null) {
+ return new AlgorithmIdentifier(
+ algOID // OID
+ );
+--
+1.8.3.1
+
diff --git a/SPECS/jss.spec b/SPECS/jss.spec
index b3e7ae2..d43b148 100644
--- a/SPECS/jss.spec
+++ b/SPECS/jss.spec
@@ -1,6 +1,6 @@ Name: jss Version: 4.4.0 -Release: 12%{?dist} +Release: 13%{?dist} Summary: Java Security Services (JSS) Group: System Environment/Libraries
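Review bot: The round-trip property named in the subject is not pinned by any test: the diffstat shows one file changed, and the decoder now picks the parameter-less constructor purely on `seq.elementAt(1) == null`. A regression test should decode an AlgorithmIdentifier with absent parameters and one with an explicit ASN.1 NULL, re-encode each, and compare the bytes with the input, since a signature or digest computed over the original DER stops verifying if re-encoding adds or drops the NULL. Whether the one-argument constructor really encodes with the parameters omitted is not visible here (the decode body continues outside the hunk), so that is worth confirming alongside. I would add `// parameters are OPTIONAL: null means they were absent in the input, so keep them absent` above the new `if`, and drop the NoSuchAlgorithmException import if the removed catch was its only user.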
@@ -44,6 +44,8 @@ Patch9: jss-signature-correction.patch Patch10: jss-standardize-ECC-algorithm-names.patch Patch11: jss-fix-SignerInfo-version.patch Patch12: jss-fix-ECDSA-SHA-AlgorithmIdentifier-encoding.patch +Patch13: jss-fix-algorithm-identifier-encode-decode.patch +Patch14: jss-add-TLS-SHA384-ciphers.patch %description Java Security Services (JSS) is a java native interface which provides a bridge @@ -73,6 +75,8 @@ pushd jss %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 popd %build @@ -165,6 +169,12 @@ rm -rf $RPM_BUILD_ROOT %{_javadocdir}/%{name}-%{version}/* %changelog +* Mon Jul 2 2018 Dogtag Team 4.4.2-13 +- Bugzilla #1595759 - org.mozilla.jss.pkix.primitive.AlgorithmIdentifier + decode/encode process alters original data [rhel-7.5.z] (cfu) +- Bugzilla #1596552 - JSS: Add support for TLS_*_SHA384 ciphers + [rhel-7.5.z] (cfu) + * Tue May 22 2018 Dogtag Team 4.4.2-12 - Bugzilla #1579202 - JSS has wrong encoding for ecdsa with sha* AlgorithmIdentifier [rhel-7.5.z] (cfu)