diff --git a/.gitignore b/.gitignore
index 9aa2e17..15d4ccb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/jss-4.2.6.tar.gz
+SOURCES/jss-4.4.0.tar.gz
diff --git a/.jss.metadata b/.jss.metadata
index bd356c5..21d2385 100644
--- a/.jss.metadata
+++ b/.jss.metadata
@@ -1 +1 @@
-4c7eb4e1bfcda535b4b4371f9389c0b77d717469 SOURCES/jss-4.2.6.tar.gz
+44982c04810aebfa1528d10184380b2c8832d148 SOURCES/jss-4.4.0.tar.gz
diff --git a/SOURCES/jss-ECC-HSM-FIPS.patch b/SOURCES/jss-ECC-HSM-FIPS.patch
deleted file mode 100644
index 739c930..0000000
--- a/SOURCES/jss-ECC-HSM-FIPS.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig 2011-05-18 10:01:36.792151000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-05-18 10:06:07.483691000 -0700
-@@ -110,6 +110,7 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
- /* 47 */ {SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE, SEC_OID_TAG},
- /* 48 */ {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG},
- /* 49 */ {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG},
-+/* 50 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
- /* REMEMBER TO UPDATE NUM_ALGS!!! */
- };
-
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig 2011-05-18 10:01:43.561164000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2011-05-18 10:06:07.489690000 -0700
-@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
- JSS_AlgType type;
- } JSS_AlgInfo;
-
--#define NUM_ALGS 50
-+#define NUM_ALGS 51
-
- extern JSS_AlgInfo JSS_AlgTable[];
- extern CK_ULONG JSS_symkeyUsage[];
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig 2011-05-18 10:01:51.232179000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2011-05-18 10:06:07.493690000 -0700
-@@ -232,5 +232,6 @@ public class Algorithm {
- protected static final short SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47;
- protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
- protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
-+ protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50;
-
- }
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig 2011-05-18 10:02:01.056198000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java 2011-05-18 13:46:33.452948000 -0700
-@@ -94,7 +94,12 @@ public class KeyPairAlgorithm extends Al
- DSAFamily = new Algorithm(SEC_OID_ANSIX9_DSA_SIGNATURE, "DSA");
-
- public static final Algorithm
-- ECFamily = new Algorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY, "EC");
-+
-+// To support both ECDSA and ECDH, it is best to provide two EC Families;
-+// However, since there is no token that does only CKM_DERIVE to
-+// date, we will just do ECDSA for now as it is sufficient enough today.
-+// This fix will support tokens that do not do ECDH
-+ ECFamily = new Algorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, "EC");
-
- public static final KeyPairAlgorithm
- RSA = new KeyPairAlgorithm(CKM_RSA_PKCS_KEY_PAIR_GEN, "RSA", RSAFamily);
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig 2011-05-18 10:02:10.696218000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java 2011-05-18 10:06:07.496691000 -0700
-@@ -124,7 +124,7 @@ public class SignatureAlgorithm extends
- * operates on its input, which should be a hash.
- */
- public static final SignatureAlgorithm
-- ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY,
-+ ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST,
- "EC",
- null, null, ANSI_X962_OID.subBranch(2).subBranch(1) );
-
diff --git a/SOURCES/jss-ECC-Phase2KeyArchivalRecovery.patch b/SOURCES/jss-ECC-Phase2KeyArchivalRecovery.patch
deleted file mode 100644
index 1bcc238..0000000
--- a/SOURCES/jss-ECC-Phase2KeyArchivalRecovery.patch
+++ /dev/null
@@ -1,451 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig jss-4.2.6/mozilla/security/jss/build_java.pl
---- jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig 2012-03-19 17:48:57.615048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/build_java.pl 2012-03-19 17:48:53.250052000 -0700
-@@ -19,6 +19,7 @@ org.mozilla.jss.crypto.Algorithm
- org.mozilla.jss.crypto.EncryptionAlgorithm
- org.mozilla.jss.crypto.PQGParams
- org.mozilla.jss.crypto.SecretDecoderRing
-+org.mozilla.jss.asn1.ASN1Util
- org.mozilla.jss.pkcs11.CertProxy
- org.mozilla.jss.pkcs11.CipherContextProxy
- org.mozilla.jss.pkcs11.PK11Module
-diff -up jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/config.mk
---- jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig 2012-03-19 17:48:57.535048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/lib/config.mk 2012-03-19 17:48:53.264052000 -0700
-@@ -44,6 +44,7 @@ SHARED_LIBRARY_DIRS = \
- ../org/mozilla/jss/SecretDecoderRing \
- ../org/mozilla/jss \
- ../org/mozilla/jss/pkcs11 \
-+ ../org/mozilla/jss/asn1 \
- ../org/mozilla/jss/ssl \
- ../org/mozilla/jss/util \
- ../org/mozilla/jss/provider/java/security \
-diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig 2012-03-19 17:48:57.362048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2012-03-19 17:48:53.278052000 -0700
-@@ -333,6 +333,7 @@ Java_org_mozilla_jss_CryptoManager_OCSPC
- Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
-+Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid;
- ;+ local:
- ;+ *;
- ;+};
-diff -up jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/rules.mk
---- jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig 2012-03-19 17:48:57.574049000 -0700
-+++ jss-4.2.6/mozilla/security/jss/lib/rules.mk 2012-03-19 17:48:53.288052000 -0700
-@@ -41,6 +41,7 @@ release_sanitize::
- -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsscrypto$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
- -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssmanage$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
- -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspkcs11$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
-+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssasn1$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
- -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspolicy$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
- -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssssl$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
- -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssutil$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
-@@ -48,6 +49,7 @@ ifeq ($(OS_ARCH),WINNT)
- -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsscrypto$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
- -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssmanage$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
- -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspkcs11$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
-+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssasn1$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
- -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspolicy$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
- -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssssl$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
- -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssutil$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig 2012-03-19 17:48:57.381048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c 2012-03-19 17:51:32.433893000 -0700
-@@ -0,0 +1,97 @@
-+/* ***** BEGIN LICENSE BLOCK *****
-+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
-+ *
-+ * The contents of this file are subject to the Mozilla Public License Version
-+ * 1.1 (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ * http://www.mozilla.org/MPL/
-+ *
-+ * Software distributed under the License is distributed on an "AS IS" basis,
-+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-+ * for the specific language governing rights and limitations under the
-+ * License.
-+ *
-+ * The Original Code is the Netscape Security Services for Java.
-+ *
-+ * The Initial Developer of the Original Code is
-+ * Netscape Communications Corporation.
-+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
-+ * the Initial Developer. All Rights Reserved.
-+ *
-+ * Contributor(s):
-+ *
-+ * Alternatively, the contents of this file may be used under the terms of
-+ * either the GNU General Public License Version 2 or later (the "GPL"), or
-+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-+ * in which case the provisions of the GPL or the LGPL are applicable instead
-+ * of those above. If you wish to allow use of your version of this file only
-+ * under the terms of either the GPL or the LGPL, and not to allow others to
-+ * use your version of this file under the terms of the MPL, indicate your
-+ * decision by deleting the provisions above and replace them with the notice
-+ * and other provisions required by the GPL or the LGPL. If you do not delete
-+ * the provisions above, a recipient may use your version of this file under
-+ * the terms of any one of the MPL, the GPL or the LGPL.
-+ *
-+ * ***** END LICENSE BLOCK ***** */
-+#include "_jni/org_mozilla_jss_asn1_ASN1Util.h"
-+#include <pk11func.h>
-+#include <nspr.h>
-+#include <seccomon.h>
-+#include <key.h>
-+#include <secitem.h>
-+
-+#include <jssutil.h>
-+#include <java_ids.h>
-+#include <jss_exceptions.h>
-+#include <Algorithm.h>
-+
-+/***********************************************************************
-+ *
-+ * Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid
-+ * retrieves OID description by NSS's OID Tag identifier
-+ * the OID byte array is expected to be without the OID Tag (6) and size
-+ * (together 2 bytes)
-+ */
-+JNIEXPORT jstring JNICALL
-+Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid(JNIEnv *env, jobject this, jbyteArray oidBA)
-+{
-+ SECItem *oid = NULL;
-+ SECOidTag oidTag = SEC_OID_UNKNOWN;
-+ char *oidDesc = NULL;
-+ jstring description= "";
-+
-+ if (oidBA == NULL) {
-+ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
-+ "JSS getTagDescriptionByOid: oidBA null");
-+ goto finish;
-+ } else {
-+ /**************************************************
-+ * Setup the parameters
-+ *************************************************/
-+ oid = JSS_ByteArrayToSECItem(env, oidBA);
-+ if (oid == NULL) {
-+ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
-+ "JSS getTagDescriptionByOid: JSS_ByteArrayToSECItem failed");
-+ goto finish;
-+ }
-+
-+ /*
-+ * SECOID_FindOIDTag() returns SEC_OID_UNKNOWN if no match
-+ */
-+ oidTag = SECOID_FindOIDTag(oid);
-+ if (oidTag == SEC_OID_UNKNOWN) {
-+ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
-+ "JSS getTagDescriptionByOid: OID UNKNOWN");
-+ goto finish;
-+ }
-+
-+ oidDesc = SECOID_FindOIDTagDescription(oidTag);
-+ if (oidDesc == NULL) {
-+ oidDesc = "";
-+ }
-+ description = (*env)->NewStringUTF(env, oidDesc);
-+ }
-+
-+finish:
-+ return description;
-+}
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig 2012-03-19 17:48:57.119048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java 2012-03-19 18:03:20.766186000 -0700
-@@ -36,6 +36,8 @@
- package org.mozilla.jss.asn1;
-
- import java.io.*;
-+import java.util.Arrays;
-+
- import org.mozilla.jss.asn1.InvalidBERException;
- import org.mozilla.jss.util.Assert;
-
-@@ -114,4 +116,71 @@ public class ASN1Util {
- numRead += nr;
- }
- }
-+
-+ /**
-+ * returns the ECC curve byte array given the X509 public key byte array
-+ *
-+ * @param X509PubKeyBytes byte array of an X509PubKey
-+ * @param withHeader tells if the return byes should inclulde the tag and size header or not
-+ */
-+ public static byte[] getECCurveBytesByX509PublicKeyBytes(byte[] X509PubKeyBytes,
-+ boolean withHeader)
-+ throws IllegalArgumentException, ArrayIndexOutOfBoundsException,
-+ NullPointerException
-+ {
-+ if ((X509PubKeyBytes == null) || (X509PubKeyBytes.length == 0)) {
-+ throw new IllegalArgumentException("X509PubKeyBytes null");
-+ }
-+
-+ /* EC public key OID complete with tag and size */
-+ byte[] EC_PubOIDBytes_full =
-+ ASN1Util.encode(OBJECT_IDENTIFIER.EC_PUBKEY_OID);
-+
-+ /* EC public key OID without tag and size */
-+ byte[] EC_PubOIDBytes =
-+ Arrays.copyOfRange(EC_PubOIDBytes_full, 2, EC_PubOIDBytes_full.length);
-+
-+ int curveBeginIndex = 0;
-+ for (int idx = 0; idx<= X509PubKeyBytes.length; idx++) {
-+ byte[] tmp =
-+ Arrays.copyOfRange(X509PubKeyBytes, idx, idx+EC_PubOIDBytes.length);
-+ if (Arrays.equals(tmp, EC_PubOIDBytes)) {
-+ curveBeginIndex = idx+ EC_PubOIDBytes.length;
-+ break;
-+ }
-+ }
-+
-+ int curveByteArraySize = (int) X509PubKeyBytes[curveBeginIndex+ 1];
-+
-+ if (withHeader) {
-+ /* actual curve with tag and size */
-+ byte curve[] = Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex, curveBeginIndex + curveByteArraySize + 2);
-+ return curve;
-+ } else {
-+ /* actual curve without tag and size */
-+ byte curve[] =
-+ Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex + 2,
-+ curveBeginIndex + 2 + curveByteArraySize);
-+ return curve;
-+ }
-+ }
-+
-+ /**
-+ * getOIDdescription() returns a text description of the OID
-+ * from OID byte array
-+ * the OID byte array is expected to be without the OID Tag (6) and size
-+ * (together 2 bytes)
-+ */
-+ public static String
-+ getOIDdescription(byte[] oidBA) {
-+ return getTagDescriptionByOid(oidBA);
-+ }
-+
-+ /**
-+ * get OID description JNI method
-+ */
-+ private native static String
-+ getTagDescriptionByOid(byte[] oidBA);
-+
-+
- }
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig 2012-03-19 17:48:57.467048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile 2012-03-19 17:48:53.348052000 -0700
-@@ -57,7 +57,7 @@ include $(CORE_DEPTH)/$(MODULE)/config/c
- #######################################################################
- # (4) Include "local" platform-dependent assignments (OPTIONAL). #
- #######################################################################
--#include config.mk
-+include config.mk
-
-
- #######################################################################
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig 2012-03-19 17:48:57.178048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java 2012-03-19 17:48:53.364052000 -0700
-@@ -52,6 +52,12 @@ public class OBJECT_IDENTIFIER implement
- ///////////////////////////////////////////////////////////////////////
-
- /**
-+ * The OID space for EC
-+ */
-+ public static final OBJECT_IDENTIFIER EC_PUBKEY_OID =
-+ new OBJECT_IDENTIFIER( new long[]{1, 2, 840, 10045, 2, 1} );
-+
-+ /**
- * The OID space for RSA Data Security, Inc.
- */
- public static final OBJECT_IDENTIFIER RSADSI =
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig 2012-03-19 17:48:57.398048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk 2012-03-19 17:48:53.381052000 -0700
-@@ -0,0 +1,41 @@
-+#
-+# ***** BEGIN LICENSE BLOCK *****
-+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
-+#
-+# The contents of this file are subject to the Mozilla Public License Version
-+# 1.1 (the "License"); you may not use this file except in compliance with
-+# the License. You may obtain a copy of the License at
-+# http://www.mozilla.org/MPL/
-+#
-+# Software distributed under the License is distributed on an "AS IS" basis,
-+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-+# for the specific language governing rights and limitations under the
-+# License.
-+#
-+# The Original Code is the Netscape Security Services for Java.
-+#
-+# The Initial Developer of the Original Code is
-+# Netscape Communications Corporation.
-+# Portions created by the Initial Developer are Copyright (C) 1998-2000
-+# the Initial Developer. All Rights Reserved.
-+#
-+# Contributor(s):
-+#
-+# Alternatively, the contents of this file may be used under the terms of
-+# either the GNU General Public License Version 2 or later (the "GPL"), or
-+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-+# in which case the provisions of the GPL or the LGPL are applicable instead
-+# of those above. If you wish to allow use of your version of this file only
-+# under the terms of either the GPL or the LGPL, and not to allow others to
-+# use your version of this file under the terms of the MPL, indicate your
-+# decision by deleting the provisions above and replace them with the notice
-+# and other provisions required by the GPL or the LGPL. If you do not delete
-+# the provisions above, a recipient may use your version of this file under
-+# the terms of any one of the MPL, the GPL or the LGPL.
-+#
-+# ***** END LICENSE BLOCK *****
-+TARGETS=$(LIBRARY)
-+SHARED_LIBRARY=
-+IMPORT_LIBRARY=
-+
-+NO_MD_RELEASE = 1
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig 2012-03-19 17:48:57.434048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn 2012-03-19 17:48:53.401052000 -0700
-@@ -41,6 +41,8 @@ MODULE = jss
-
- NS_USE_JDK = 1
-
-+REQUIRES = nspr20 nss
-+
- PACKAGE = org/mozilla/jss/asn1
-
- CLASSES = \
-@@ -112,3 +114,9 @@ JSRCS = \
- UTCTime.java \
- UTF8String.java \
- $(NULL)
-+
-+CSRCS = \
-+ ASN1Util.c \
-+ $(NULL)
-+
-+LIBRARY_NAME = jssasn1
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig 2012-03-19 17:48:57.502048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn 2012-03-19 17:48:53.413052000 -0700
-@@ -48,6 +48,7 @@ DIRS = \
- crypto \
- SecretDecoderRing \
- pkcs11 \
-+ asn1 \
- ssl \
- provider \
- $(NULL)
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig 2012-03-19 17:48:57.238048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java 2012-03-19 17:48:53.432052000 -0700
-@@ -61,15 +61,29 @@ public final class PK11ECPublicKey exten
- // }
- // }
- //
--// public BigInteger getW() {
--// try {
--// return new BigInteger( getWByteArray() );
--// } catch(NumberFormatException e) {
--// Assert.notReached("Unable to decode DSA public value");
--// return null;
--// }
--// }
--//
--// private native byte[] getCurveByteArray();
--// private native byte[] getWByteArray();
-+
-+ public BigInteger getCurve() {
-+ try {
-+ return new BigInteger( getCurveByteArray() );
-+ } catch(NumberFormatException e) {
-+ Assert.notReached("Unable to decode EC curve");
-+ return null;
-+ }
-+ }
-+
-+ public byte[] getCurveBA() {
-+ return getCurveByteArray();
-+ }
-+
-+ public BigInteger getW() {
-+ try {
-+ return new BigInteger( getWByteArray() );
-+ } catch(NumberFormatException e) {
-+ Assert.notReached("Unable to decode EC public value");
-+ return null;
-+ }
-+ }
-+
-+ private native byte[] getCurveByteArray();
-+ private native byte[] getWByteArray();
- }
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig 2012-03-19 17:48:57.272048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2012-03-19 17:48:53.450052000 -0700
-@@ -450,6 +450,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- numAttribs = 4;
- }
- break;
-+ case CKK_EC:
-+ numAttribs = 1;
-+ attribs[0] = CKA_SIGN;
-+ if (isExtractable) {
-+ attribs[1] = CKA_EXTRACTABLE;
-+ numAttribs = 2;
-+ }
-+ break;
- case CKK_DSA:
- attribs[0] = CKA_SIGN;
- numAttribs = 1;
-@@ -460,11 +468,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- attribs[0] = CKA_DERIVE;
- numAttribs = 1;
- break;
-- case CKK_EC:
-- attribs[0] = CKA_SIGN;
-- attribs[1] = CKA_DERIVE;
-- numAttribs = 2;
-- break;
- default:
- /* unknown key type */
- PR_ASSERT(PR_FALSE);
-@@ -479,7 +482,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- attribs, numAttribs, NULL /*wincx*/);
- if( privk == NULL ) {
- char err[256] = {0};
-- PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError());
-+ PR_snprintf(err, 256, "Key Unwrap failed on token:error=%d, keyType=%d", PR_GetError(), keyType);
- JSS_throwMsg(env, TOKEN_EXCEPTION, err);
- goto finish;
- }
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig 2012-03-19 17:48:57.298048000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2012-03-19 17:48:53.471052000 -0700
-@@ -459,13 +459,19 @@ final class PK11KeyWrapper implements Ke
- if( type == PrivateKey.RSA ) {
- if( !(publicKey instanceof RSAPublicKey)) {
- throw new InvalidKeyException("Type of public key does not "+
-- "match type of private key");
-+ "match type of private key which is RSA");
- }
- return ((RSAPublicKey)publicKey).getModulus().toByteArray();
-+ } else if(type == PrivateKey.EC) {
-+ if( !(publicKey instanceof PK11ECPublicKey) ) {
-+ throw new InvalidKeyException("Type of public key does not "+
-+ "match type of private key which is EC");
-+ }
-+ return ((PK11ECPublicKey)publicKey).getW().toByteArray();
- } else if(type == PrivateKey.DSA) {
- if( !(publicKey instanceof DSAPublicKey) ) {
- throw new InvalidKeyException("Type of public key does not "+
-- "match type of private key");
-+ "match type of private key which is DSA");
- }
- return ((DSAPublicKey)publicKey).getY().toByteArray();
- } else {
diff --git a/SOURCES/jss-ECC-pop.patch b/SOURCES/jss-ECC-pop.patch
deleted file mode 100644
index 48da89d..0000000
--- a/SOURCES/jss-ECC-pop.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff -rupN jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java jss-4.2.6.cfu/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java 2004-04-25 08:02:26.000000000 -0700
-+++ jss-4.2.6.cfu/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java 2009-07-27 13:38:38.197422000 -0700
-@@ -130,6 +130,16 @@ public class CertReqMsg implements ASN1V
- ///////////////////////////////////////////////////////////////////////
-
- public void verify() throws SignatureException,
-+ InvalidKeyFormatException, NoSuchAlgorithmException,
-+ org.mozilla.jss.CryptoManager.NotInitializedException,
-+ TokenException, java.security.InvalidKeyException, IOException{
-+
-+ CryptoToken token = CryptoManager.getInstance()
-+ .getInternalCryptoToken();
-+ verify(token);
-+ }
-+
-+ public void verify(CryptoToken token) throws SignatureException,
- InvalidKeyFormatException, NoSuchAlgorithmException,
- org.mozilla.jss.CryptoManager.NotInitializedException,
- TokenException, java.security.InvalidKeyException, IOException{
-@@ -149,8 +159,6 @@ public class CertReqMsg implements ASN1V
- pubkey = (PublicKey) spi.toPublicKey();
- }
-
-- CryptoToken token = CryptoManager.getInstance()
-- .getInternalCryptoToken();
- SignatureAlgorithm sigAlg =
- SignatureAlgorithm.fromOID(alg.getOID());
- Signature sig = token.getSignatureContext(sigAlg);
diff --git a/SOURCES/jss-ECC_keygen_byCurveName.patch b/SOURCES/jss-ECC_keygen_byCurveName.patch
deleted file mode 100644
index 0617183..0000000
--- a/SOURCES/jss-ECC_keygen_byCurveName.patch
+++ /dev/null
@@ -1,490 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java.fix 2010-10-20 09:54:35.189680000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2010-10-20 10:54:53.154835000 -0700
-@@ -196,7 +196,10 @@ public class KeyPairGenerator {
- engine.setKeyPairUsages(usages,usages_mask);
- }
-
--
-+ public int getCurveCodeByName(String curveName)
-+ throws InvalidParameterException {
-+ return engine.getCurveCodeByName(curveName);
-+ }
-
-
-
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java.fix 2010-10-20 09:54:52.393628000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2010-10-20 10:55:39.441698000 -0700
-@@ -94,4 +94,6 @@ public abstract class KeyPairGeneratorSp
-
- public abstract void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages,
- KeyPairGeneratorSpi.Usage[] usages_mask);
-+
-+ public abstract int getCurveCodeByName(String curveName) throws InvalidParameterException;
- }
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java.fix 2010-10-15 10:30:57.832196000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2010-10-20 11:09:30.523208000 -0700
-@@ -44,6 +44,7 @@ import java.security.*;
- import java.security.SecureRandom;
- import java.security.spec.AlgorithmParameterSpec;
- import java.security.spec.DSAParameterSpec;
-+import java.util.Hashtable;
-
-
- /**
-@@ -55,6 +56,246 @@ public final class PK11KeyPairGenerator
- extends org.mozilla.jss.crypto.KeyPairGeneratorSpi
- {
-
-+ // curve code for getting the actual EC curve
-+ private enum ECCurve_Code {
-+ // NIST, SEC2 Prime curves
-+ secp521r1 , // == nistp521
-+ nistp521 ,
-+ secp384r1 , // == nistp384
-+ nistp384 ,
-+ secp256r1 , // == nistp256
-+ nistp256 ,
-+ secp256k1 ,
-+ secp224r1 , // == nistp224
-+ nistp224 ,
-+ secp224k1 ,
-+ secp192r1 , // == nistp192
-+ nistp192 ,
-+ secp192k1 ,
-+ secp160r2 ,
-+ secp160r1 ,
-+ secp160k1 ,
-+ secp128r2 ,
-+ secp128r1 ,
-+ secp112r2 ,
-+ secp112r1 ,
-+ // NIST, SEC2 Binary curves
-+ sect571r1 , // == nistb571
-+ nistb571 ,
-+ sect571k1 , // == nistk571
-+ nistk571 ,
-+ sect409r1 , // == nistb409
-+ nistb409 ,
-+ sect409k1 , // == nistk409
-+ nistk409 ,
-+ sect283r1 , // == nistb283
-+ nistb283 ,
-+ sect283k1 , // == nistk283
-+ nistk283 ,
-+ sect239k1 ,
-+ sect233r1 , // == nistb233
-+ nistb233 ,
-+ sect233k1 , // == nistk233
-+ nistk233 ,
-+ sect193r2 ,
-+ sect193r1 ,
-+ nistb163 ,
-+ sect163r2 , // == nistb163
-+ sect163r1 ,
-+ sect163k1 , // == nistk163
-+ nistk163 ,
-+ sect131r2 ,
-+ sect131r1 ,
-+ sect113r2 ,
-+ sect113r1 ,
-+ // ANSI X9.62 Prime curves
-+ prime239v3 ,
-+ prime239v2 ,
-+ prime239v1 ,
-+ prime192v3 ,
-+ prime192v2 ,
-+ prime192v1 , // == nistp192
-+ // prime256v1 == nistp256
-+ // ANSI X9.62 Binary curves
-+ c2pnb163v1 ,
-+ c2pnb163v2 ,
-+ c2pnb163v3 ,
-+ c2pnb176v1 ,
-+ c2tnb191v1 ,
-+ c2tnb191v2 ,
-+ c2tnb191v3 ,
-+ //c2onb191v4 ,
-+ //c2onb191v5 ,
-+ c2pnb208w1 ,
-+ c2tnb239v1 ,
-+ c2tnb239v2 ,
-+ c2tnb239v3 ,
-+ //c2onb239v4 ,
-+ //c2onb239v5 ,
-+ c2pnb272w1 ,
-+ c2pnb304w1 ,
-+ c2tnb359v1 ,
-+ c2pnb368w1 ,
-+ c2tnb431r1
-+ // no WTLS curves fo now
-+ };
-+
-+ private static Hashtable ECCurve_NameToCode = new Hashtable();
-+ static {
-+ // NIST, SEC2 Prime curves
-+ ECCurve_NameToCode.put(
-+ "secp521r1", ECCurve_Code.secp521r1);
-+ ECCurve_NameToCode.put(
-+ "nistp521", ECCurve_Code.nistp521);
-+ ECCurve_NameToCode.put(
-+ "secp384r1", ECCurve_Code.secp384r1);
-+ ECCurve_NameToCode.put(
-+ "nistp384", ECCurve_Code.nistp384);
-+ ECCurve_NameToCode.put(
-+ "secp256r1", ECCurve_Code.secp256r1);
-+ ECCurve_NameToCode.put(
-+ "nistp256", ECCurve_Code.nistp256);
-+ ECCurve_NameToCode.put(
-+ "secp256k1", ECCurve_Code.secp256k1);
-+ ECCurve_NameToCode.put(
-+ "secp224r1", ECCurve_Code.secp224r1);
-+ ECCurve_NameToCode.put(
-+ "nistp224", ECCurve_Code.nistp224);
-+ ECCurve_NameToCode.put(
-+ "secp224k1", ECCurve_Code.secp224k1);
-+ ECCurve_NameToCode.put(
-+ "secp192r1", ECCurve_Code.secp192r1);
-+ ECCurve_NameToCode.put(
-+ "nistp192", ECCurve_Code.nistp192);
-+ ECCurve_NameToCode.put(
-+ "secp192k1", ECCurve_Code.secp192k1);
-+ ECCurve_NameToCode.put(
-+ "secp160r2", ECCurve_Code.secp160r2);
-+ ECCurve_NameToCode.put(
-+ "secp160r1", ECCurve_Code.secp160r1);
-+ ECCurve_NameToCode.put(
-+ "secp160k1", ECCurve_Code.secp160k1);
-+ ECCurve_NameToCode.put(
-+ "secp128r2", ECCurve_Code.secp128r2);
-+ ECCurve_NameToCode.put(
-+ "secp128r1", ECCurve_Code.secp128r1);
-+ ECCurve_NameToCode.put(
-+ "secp112r2", ECCurve_Code.secp112r2);
-+ ECCurve_NameToCode.put(
-+ "secp112r1", ECCurve_Code.secp112r1);
-+ // NIST, SEC2 Binary curves
-+ ECCurve_NameToCode.put(
-+ "sect571r1", ECCurve_Code.sect571r1);
-+ ECCurve_NameToCode.put(
-+ "nistb571", ECCurve_Code.nistb571);
-+ ECCurve_NameToCode.put(
-+ "sect571k1", ECCurve_Code.sect571k1);
-+ ECCurve_NameToCode.put(
-+ "nistk571", ECCurve_Code.nistk571);
-+ ECCurve_NameToCode.put(
-+ "sect409r1", ECCurve_Code.sect409r1);
-+ ECCurve_NameToCode.put(
-+ "nistb409", ECCurve_Code.nistb409);
-+ ECCurve_NameToCode.put(
-+ "sect409k1", ECCurve_Code.sect409k1);
-+ ECCurve_NameToCode.put(
-+ "nistk409", ECCurve_Code.nistk409);
-+ ECCurve_NameToCode.put(
-+ "sect283r1", ECCurve_Code.sect283r1);
-+ ECCurve_NameToCode.put(
-+ "nistb283", ECCurve_Code.nistb283);
-+ ECCurve_NameToCode.put(
-+ "sect283k1", ECCurve_Code.sect283k1);
-+ ECCurve_NameToCode.put(
-+ "nistk283", ECCurve_Code.nistk283);
-+ ECCurve_NameToCode.put(
-+ "sect239k1", ECCurve_Code.sect239k1);
-+ ECCurve_NameToCode.put(
-+ "sect233r1", ECCurve_Code.sect233r1);
-+ ECCurve_NameToCode.put(
-+ "nistb233", ECCurve_Code.nistb233);
-+ ECCurve_NameToCode.put(
-+ "sect233k1", ECCurve_Code.sect233k1);
-+ ECCurve_NameToCode.put(
-+ "nistk233", ECCurve_Code.nistk233);
-+ ECCurve_NameToCode.put(
-+ "sect193r2", ECCurve_Code.sect193r2);
-+ ECCurve_NameToCode.put(
-+ "sect193r1", ECCurve_Code.sect193r1);
-+ ECCurve_NameToCode.put(
-+ "nistb163", ECCurve_Code.nistb163);
-+ ECCurve_NameToCode.put(
-+ "sect163r2", ECCurve_Code.sect163r2);
-+ ECCurve_NameToCode.put(
-+ "sect163r1", ECCurve_Code.sect163r1);
-+ ECCurve_NameToCode.put(
-+ "sect163k1", ECCurve_Code.sect163k1);
-+ ECCurve_NameToCode.put(
-+ "nistk163", ECCurve_Code.nistk163);
-+ ECCurve_NameToCode.put(
-+ "sect131r2", ECCurve_Code.sect131r2);
-+ ECCurve_NameToCode.put(
-+ "sect131r1", ECCurve_Code.sect131r1);
-+ ECCurve_NameToCode.put(
-+ "sect113r2", ECCurve_Code.sect113r2);
-+ ECCurve_NameToCode.put(
-+ "sect113r1", ECCurve_Code.sect113r1);
-+ // ANSI Prime curves
-+ ECCurve_NameToCode.put(
-+ "prime239v3", ECCurve_Code.prime239v3);
-+ ECCurve_NameToCode.put(
-+ "prime239v2", ECCurve_Code.prime239v2);
-+ ECCurve_NameToCode.put(
-+ "prime239v1", ECCurve_Code.prime239v1);
-+ ECCurve_NameToCode.put(
-+ "prime192v3", ECCurve_Code.prime192v3);
-+ ECCurve_NameToCode.put(
-+ "prime192v2", ECCurve_Code.prime192v2);
-+ ECCurve_NameToCode.put(
-+ "prime192v1", ECCurve_Code.prime192v1);
-+ // ANSI Binary curves
-+ ECCurve_NameToCode.put(
-+ "c2pnb163v1", ECCurve_Code.c2pnb163v1);
-+ ECCurve_NameToCode.put(
-+ "c2pnb163v2", ECCurve_Code.c2pnb163v2);
-+ ECCurve_NameToCode.put(
-+ "c2pnb163v3", ECCurve_Code.c2pnb163v3);
-+ ECCurve_NameToCode.put(
-+ "c2pnb176v1", ECCurve_Code.c2pnb176v1);
-+ ECCurve_NameToCode.put(
-+ "c2tnb191v1", ECCurve_Code.c2tnb191v1);
-+ ECCurve_NameToCode.put(
-+ "c2tnb191v2", ECCurve_Code.c2tnb191v2);
-+ ECCurve_NameToCode.put(
-+ "c2tnb191v3", ECCurve_Code.c2tnb191v3);
-+ //ECCurve_NameToCode.put(
-+ // "c2onb191v4", ECCurve_Code.c2onb191v4);
-+ //ECCurve_NameToCode.put(
-+ // "c2onb191v5", ECCurve_Code.c2onb191v5);
-+ ECCurve_NameToCode.put(
-+ "c2pnb208w1", ECCurve_Code.c2pnb208w1);
-+ ECCurve_NameToCode.put(
-+ "c2tnb239v1", ECCurve_Code.c2tnb239v1);
-+ ECCurve_NameToCode.put(
-+ "c2tnb239v2", ECCurve_Code.c2tnb239v2);
-+ ECCurve_NameToCode.put(
-+ "c2tnb239v3", ECCurve_Code.c2tnb239v3);
-+ //ECCurve_NameToCode.put(
-+ // "c2onb239v4", ECCurve_Code.c2onb239v4);
-+ //ECCurve_NameToCode.put(
-+ // "c2onb239v5", ECCurve_Code.c2onb239v5);
-+ ECCurve_NameToCode.put(
-+ "c2pnb272w1", ECCurve_Code.c2pnb272w1);
-+ ECCurve_NameToCode.put(
-+ "c2pnb304w1", ECCurve_Code.c2pnb304w1);
-+ ECCurve_NameToCode.put(
-+ "c2tnb359v1", ECCurve_Code.c2tnb359v1);
-+ ECCurve_NameToCode.put(
-+ "c2pnb368w1", ECCurve_Code.c2pnb368w1);
-+ ECCurve_NameToCode.put(
-+ "c2tnb431r1", ECCurve_Code.c2tnb431r1);
-+ }
-+
- // opFlag constants: each of these flags specifies a crypto operation
- // the key will support. Their values must match the same-named C
- // preprocessor macros defined in the PKCS #11 header pkcs11t.h.
-@@ -165,7 +406,15 @@ public final class PK11KeyPairGenerator
- }
- } else {
- Assert._assert( algorithm == KeyPairAlgorithm.EC );
-- params = getCurve(strength);
-+ if (strength < 112) {
-+ // for EC, "strength" is actually a code for curves defined in
-+ // ECCurve_Code
-+ params = getECCurve(strength);
-+ } else {
-+ // this is the old method of strength to curve mapping,
-+ // which is somewhat defective
-+ params = getCurve(strength);
-+ }
- }
- }
-
-@@ -642,6 +891,189 @@ public final class PK11KeyPairGenerator
- static final OBJECT_IDENTIFIER CURVE_SECG_T571R1
- = SECG_EC_CURVE.subBranch(39);
-
-+ // the EC curvecode to oid hash table
-+ private static Hashtable mECCurve_CodeToCurve = new Hashtable();
-+ static {
-+ // SEG Prime curves
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp521r1.ordinal(), (Object) CURVE_SECG_P521R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistp521.ordinal(), (Object) CURVE_SECG_P521R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp384r1.ordinal(), (Object) CURVE_SECG_P384R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistp384.ordinal(), (Object) CURVE_SECG_P384R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp256r1.ordinal(), (Object) CURVE_ANSI_P256V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistp256.ordinal(), (Object) CURVE_ANSI_P256V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp256k1.ordinal(), (Object) CURVE_SECG_P256K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp224r1.ordinal(), (Object) CURVE_SECG_P224R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistp224.ordinal(), (Object) CURVE_SECG_P224R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp224k1.ordinal(), (Object) CURVE_SECG_P224K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp192r1.ordinal(), (Object) CURVE_ANSI_P192V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistp192.ordinal(), (Object) CURVE_ANSI_P192V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp192k1.ordinal(), (Object) CURVE_SECG_P192K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp160r2.ordinal(), (Object) CURVE_SECG_P160R2);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp160r1.ordinal(), (Object) CURVE_SECG_P160R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp160k1.ordinal(), (Object) CURVE_SECG_P160K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp128r2.ordinal(), (Object) CURVE_SECG_P128R2);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp128r1.ordinal(), (Object) CURVE_SECG_P128R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp112r2.ordinal(), (Object) CURVE_SECG_P112R2);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.secp112r1.ordinal(), (Object) CURVE_SECG_P112R1);
-+ // SEG Binary curves
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect571r1.ordinal(), (Object) CURVE_SECG_T571R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistb571.ordinal(), (Object) CURVE_SECG_T571R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect571k1.ordinal(), (Object) CURVE_SECG_T571K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistk571.ordinal(), (Object) CURVE_SECG_T571K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect409r1.ordinal(), (Object) CURVE_SECG_T409R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistb409.ordinal(), (Object) CURVE_SECG_T409R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect409k1.ordinal(), (Object) CURVE_SECG_T409K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistk409.ordinal(), (Object) CURVE_SECG_T409K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect283r1.ordinal(), (Object) CURVE_SECG_T283R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistb283.ordinal(), (Object) CURVE_SECG_T283R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect283k1.ordinal(), (Object) CURVE_SECG_T283K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistk283.ordinal(), (Object) CURVE_SECG_T283K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect239k1.ordinal(), (Object) CURVE_SECG_T239K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect233r1.ordinal(), (Object) CURVE_SECG_T233R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistb233.ordinal(), (Object) CURVE_SECG_T233R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect233k1.ordinal(), (Object) CURVE_SECG_T233K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistk233.ordinal(), (Object) CURVE_SECG_T233K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect193r2.ordinal(), (Object) CURVE_SECG_T193R2);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect193r1.ordinal(), (Object) CURVE_SECG_T193R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistb163.ordinal(), (Object) CURVE_SECG_T163K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect163r2.ordinal(), (Object) CURVE_SECG_T163R2);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect163r1.ordinal(), (Object) CURVE_SECG_T163R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect163k1.ordinal(), (Object) CURVE_SECG_T163K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.nistk163.ordinal(), (Object) CURVE_SECG_T163K1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect131r2.ordinal(), (Object) CURVE_SECG_T131R2);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect131r1.ordinal(), (Object) CURVE_SECG_T131R1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect113r2.ordinal(), (Object) CURVE_SECG_T113R2);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.sect113r1.ordinal(), (Object) CURVE_SECG_T113R1);
-+ // ANSI Prime curves
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.prime239v3.ordinal(), (Object) CURVE_ANSI_P239V3);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.prime239v2.ordinal(), (Object) CURVE_ANSI_P239V2);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.prime239v1.ordinal(), (Object) CURVE_ANSI_P239V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.prime192v3.ordinal(), (Object) CURVE_ANSI_P192V3);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.prime192v2.ordinal(), (Object) CURVE_ANSI_P192V2);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.prime192v1.ordinal(), (Object) CURVE_ANSI_P192V1);
-+ // ANSI Binary curves
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2pnb163v1.ordinal(), (Object) CURVE_ANSI_PNB163V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2pnb163v2.ordinal(), (Object) CURVE_ANSI_PNB163V2);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2pnb163v3.ordinal(), (Object) CURVE_ANSI_PNB163V3);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2pnb176v1.ordinal(), (Object) CURVE_ANSI_PNB176V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2tnb191v1.ordinal(), (Object) CURVE_ANSI_TNB191V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2tnb191v2.ordinal(), (Object) CURVE_ANSI_TNB191V2);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2tnb191v3.ordinal(), (Object) CURVE_ANSI_TNB191V3);
-+ //mECCurve_CodeToCurve.put(
-+ // ECCurve_Code.c2onb191v4.ordinal(), (Object) CURVE_ANSI_ONB191V4);
-+ //mECCurve_CodeToCurve.put(
-+ // ECCurve_Code.c2onb191v5.ordinal(), (Object) CURVE_ANSI_ONB191V5);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2pnb208w1.ordinal(), (Object) CURVE_ANSI_PNB208W1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2tnb239v1.ordinal(), (Object) CURVE_ANSI_TNB239V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2tnb239v2.ordinal(), (Object) CURVE_ANSI_TNB239V2);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2tnb239v3.ordinal(), (Object) CURVE_ANSI_TNB239V3);
-+ //mECCurve_CodeToCurve.put(
-+ // ECCurve_Code.c2onb239v4.ordinal(), (Object) CURVE_ANSI_ONB239V4);
-+ //mECCurve_CodeToCurve.put(
-+ // ECCurve_Code.c2onb239v5.ordinal(), (Object) CURVE_ANSI_ONB239V5);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2pnb272w1.ordinal(), (Object) CURVE_ANSI_PNB272W1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2pnb304w1.ordinal(), (Object) CURVE_ANSI_PNB304W1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2tnb359v1.ordinal(), (Object) CURVE_ANSI_TNB359V1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2pnb368w1.ordinal(), (Object) CURVE_ANSI_PNB368W1);
-+ mECCurve_CodeToCurve.put(
-+ ECCurve_Code.c2tnb431r1.ordinal(), (Object) CURVE_ANSI_TNB431R1);
-+ }
-+
-+ public int getCurveCodeByName(String curveName)
-+ throws InvalidParameterException {
-+ if (curveName == null)
-+ throw new InvalidParameterException();
-+ ECCurve_Code c = (ECCurve_Code) ECCurve_NameToCode.get(curveName);
-+ if (c == null)
-+ throw new InvalidParameterException(curveName);
-+ return c.ordinal();
-+ }
-+
-+ /*
-+ * getECCurve
-+ * maps curvecode to the actual oid of the curve and
-+ * returns the PK11ParameterSpec
-+ */
-+ private AlgorithmParameterSpec getECCurve(int curvecode)
-+ throws InvalidParameterException
-+ {
-+ OBJECT_IDENTIFIER oid;
-+
-+ oid = (OBJECT_IDENTIFIER) mECCurve_CodeToCurve.get(curvecode);
-+ if (oid == null)
-+ throw new IllegalArgumentException("curvecode ="+curvecode);
-+ return new PK11ParameterSpec(ASN1Util.encode(oid));
-+ }
-+
- private AlgorithmParameterSpec getCurve(int strength)
- throws InvalidParameterException
- {
diff --git a/SOURCES/jss-Fixed-build-failures.patch b/SOURCES/jss-Fixed-build-failures.patch
deleted file mode 100644
index af11010..0000000
--- a/SOURCES/jss-Fixed-build-failures.patch
+++ /dev/null
@@ -1,349 +0,0 @@
-From 22092d1bde94dc8a1f6e8198fa2fcc597c36c32f Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 9 Dec 2015 00:30:50 +0100
-Subject: [PATCH] Fixed build failures.
-
-The Javadoc on various classes have been modified to fix build
-failures on F23 and Rawhide due to stringent requirements on
-those platforms.
-
-The Debug_debug.jnot has been renamed to Debug.java to fix build
-failure in Eclipse.
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1289799
----
- .classpath | 7 +++++++
- .project | 17 +++++++++++++++++
- mozilla/security/jss/build_java.pl | 2 +-
- mozilla/security/jss/org/mozilla/jss/CryptoManager.java | 14 +++++++-------
- .../security/jss/org/mozilla/jss/asn1/ASN1Header.java | 2 +-
- .../security/jss/org/mozilla/jss/pkcs11/PK11Token.java | 2 +-
- .../security/jss/org/mozilla/jss/pkcs12/CertBag.java | 1 +
- .../security/jss/org/mozilla/jss/pkcs7/ContentInfo.java | 1 -
- .../security/jss/org/mozilla/jss/pkcs7/SignerInfo.java | 17 ++++++++++-------
- .../jss/org/mozilla/jss/pkix/cms/ContentInfo.java | 1 -
- .../jss/org/mozilla/jss/pkix/cms/SignerInfo.java | 17 ++++++++++-------
- .../jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java | 2 +-
- .../jss/org/mozilla/jss/ssl/SSLServerSocket.java | 3 ---
- .../mozilla/jss/util/{Debug_debug.jnot => Debug.java} | 0
- 14 files changed, 56 insertions(+), 30 deletions(-)
- create mode 100644 .classpath
- create mode 100644 .project
- rename mozilla/security/jss/org/mozilla/jss/util/{Debug_debug.jnot => Debug.java} (100%)
-
-diff --git a/.classpath b/.classpath
-new file mode 100644
-index 0000000000000000000000000000000000000000..df092d3f7d8df936b753bea75c11bf4003e1a77f
---- /dev/null
-+++ b/.classpath
-@@ -0,0 +1,7 @@
-+<?xml version="1.0" encoding="UTF-8"?>
-+<classpath>
-+ <classpathentry excluding="samples/" kind="src" path="mozilla/security/jss"/>
-+ <classpathentry kind="src" path="mozilla/security/jss/samples"/>
-+ <classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
-+ <classpathentry kind="output" path="bin"/>
-+</classpath>
-diff --git a/.project b/.project
-new file mode 100644
-index 0000000000000000000000000000000000000000..c0b616e95c7512076c9976374bda14e11d7cdd8c
---- /dev/null
-+++ b/.project
-@@ -0,0 +1,17 @@
-+<?xml version="1.0" encoding="UTF-8"?>
-+<projectDescription>
-+ <name>jss-4.2</name>
-+ <comment></comment>
-+ <projects>
-+ </projects>
-+ <buildSpec>
-+ <buildCommand>
-+ <name>org.eclipse.jdt.core.javabuilder</name>
-+ <arguments>
-+ </arguments>
-+ </buildCommand>
-+ </buildSpec>
-+ <natures>
-+ <nature>org.eclipse.jdt.core.javanature</nature>
-+ </natures>
-+</projectDescription>
-diff --git a/mozilla/security/jss/build_java.pl b/mozilla/security/jss/build_java.pl
-index c34473e0eec883323b6b100e671018a9edafe442..379a5e05dbc0599c95d2228bd14f659d3e493d0b 100644
---- a/mozilla/security/jss/build_java.pl
-+++ b/mozilla/security/jss/build_java.pl
-@@ -137,7 +137,7 @@ sub setup_vars {
- $class_jar = "$dist_dir/$cmdline_vars{XPCLASS_DBG_JAR}";
- $class_release_dir .= "/$cmdline_vars{SOURCE_RELEASE_CLASSES_DBG_DIR}";
- $javac_opt_flag = "-g";
-- $debug_source_file = "org/mozilla/jss/util/Debug_debug.jnot";
-+ $debug_source_file = "org/mozilla/jss/util/Debug.java";
- }
- $jni_header_dir = "$dist_dir/private/jss/_jni";
-
-diff --git a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
-index 08aad8fe3c3a62ae8e233fc1035723690adf4581..6ef0256a3b777db48461f19da0fa64ec7857ed6b 100644
---- a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
-+++ b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
-@@ -600,7 +600,7 @@ public final class CryptoManager implements TokenSupplier
- * loaded cryptographic modules for the token.
- *
- * @param name The name of the token.
-- * @exception org.mozilla.jss.crypto.NoSuchTokenException If no token
-+ * @exception NoSuchTokenException If no token
- * is found with the given name.
- */
- public synchronized CryptoToken getTokenByName(String name)
-@@ -855,9 +855,9 @@ public final class CryptoManager implements TokenSupplier
- * <code>initialize()</code>.
- *
- * @param configDir The directory containing the security databases.
-- * @exception org.mozilla.jss.util.KeyDatabaseException Unable to open
-+ * @exception KeyDatabaseException Unable to open
- * the key database, or it was currupted.
-- * @exception org.mozilla.jss.util.CertDatabaseException Unable
-+ * @exception CertDatabaseException Unable
- * to open the certificate database, or it was currupted.
- **/
- public static synchronized void initialize( String configDir )
-@@ -878,9 +878,9 @@ public final class CryptoManager implements TokenSupplier
- * <code>initialize()</code>.
- *
- * @param values The options with which to initialize CryptoManager.
-- * @exception org.mozilla.jss.util.KeyDatabaseException Unable to open
-+ * @exception KeyDatabaseException Unable to open
- * the key database, or it was currupted.
-- * @exception org.mozilla.jss.util.CertDatabaseException Unable
-+ * @exception CertDatabaseException Unable
- * to open the certificate database, or it was currupted.
- **/
- public static synchronized void initialize( InitializationValues values )
-@@ -1021,7 +1021,7 @@ public final class CryptoManager implements TokenSupplier
- * @return The leaf certificate from the chain.
- * @exception CertificateEncodingException If the package encoding
- * was not recognized.
-- * @exception CertificateNicknameConflictException If the leaf certificate
-+ * @exception NicknameConflictException If the leaf certificate
- * is a user certificate, and another certificate already has the
- * given nickname.
- * @exception UserCertConflictException If the leaf certificate
-@@ -1059,7 +1059,7 @@ public final class CryptoManager implements TokenSupplier
- * @return The leaf certificate from the chain.
- * @exception CertificateEncodingException If the package encoding
- * was not recognized.
-- * @exception CertificateNicknameConflictException If the leaf certificate
-+ * @exception NicknameConflictException If the leaf certificate
- * another certificate already has the given nickname.
- * @exception UserCertConflictException If the leaf certificate
- * has already been imported.
-diff --git a/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java b/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java
-index bfa37c9f5eba1c5df9bb275cad16c1bf57c9c65d..d15be4922b52d16a25e3212b2b25809cd7ddf3b6 100644
---- a/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java
-+++ b/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Header.java
-@@ -259,7 +259,7 @@ public class ASN1Header {
- /**
- * This constructor is to be called when we are constructing an ASN1Value
- * rather than decoding it.
-- * @param contentLength Must be >=0. Although indefinite length
-+ * @param contentLength Must be >=0. Although indefinite length
- * <i>decoding</i> is supported, indefinite length <i>encoding</i>
- * is not.
- */
-diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java b/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
-index e521b6108b90daeb7035413bba50a41e9b20ec49..98e93f0e858b09402364b4dc89c36a63e7ef0f7b 100644
---- a/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
-+++ b/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
-@@ -236,7 +236,7 @@ public final class PK11Token implements CryptoToken {
- *
- * @param ssopwcb The security officer's current password callback.
- * @param userpwcb The user's new password callback.
-- * @exception IncorrectPinException If the security officer PIN is
-+ * @exception IncorrectPasswordException If the security officer PIN is
- * incorrect.
- * @exception TokenException If the PIN was already initialized,
- * or there was an unspecified error in the token.
-diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java b/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java
-index a1b08d2e9ee9dfcb4ee809e101f3074611664384..61ad979d65d5ecc6659281218c58e8ec9a48211c 100644
---- a/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java
-+++ b/mozilla/security/jss/org/mozilla/jss/pkcs12/CertBag.java
-@@ -91,6 +91,7 @@ public class CertBag implements ASN1Value {
- * <li>If the type is <code>SDSI_CERT_TYPE</code>, returns
- * an IA5String.
- * <li>For all other types, returns an ANY.
-+ * </ul>
- *
- * @exception InvalidBERException If the cert is not encoded correctly.
- */
-diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java b/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java
-index 4db7a42c75cc21d71841e20dcb9a4c1494ff08c2..4578e9bcd8abdb4e7b6717b07aee932dd887d675 100644
---- a/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java
-+++ b/mozilla/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java
-@@ -169,7 +169,6 @@ public class ContentInfo implements ASN1Value {
- * an OCTET_STRING will be returned.
- * <p>If the contentType is <b>not</b> one of the six standard types,
- * the returned object will be an ANY.
-- * </ul>
- */
- public ASN1Value getInterpretedContent() throws InvalidBERException {
- if(contentType.equals(DATA)) {
-diff --git a/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java b/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java
-index 300e993cffd9dcadaf996609abeebf8627eafde8..c49107c80543ec94fbb3117a1a9a1088f851a6b3 100644
---- a/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java
-+++ b/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java
-@@ -129,7 +129,7 @@ public class SignerInfo implements ASN1Value {
- /**
- * Retrieves the DigestAlgorithm used in this SignerInfo.
- *
-- * @exception NoSuchAlgorithm If the algorithm is not recognized by JSS.
-+ * @exception NoSuchAlgorithmException If the algorithm is not recognized by JSS.
- */
- public DigestAlgorithm getDigestAlgorithm()
- throws NoSuchAlgorithmException
-@@ -402,10 +402,12 @@ public class SignerInfo implements ASN1Value {
- /**
- * Verifies that this SignerInfo contains a valid signature of the
- * given message digest. If any authenticated attributes are present,
-- * they are also validated. The verification algorithm is as follows:<ul>
-- * <p>Note that this does <b>not</b> verify the validity of the
-- * the certificate itself, only the signature.
-+ * they are also validated. The verification algorithm is as follows:
- *
-+ * Note that this does <b>not</b> verify the validity of the
-+ * the certificate itself, only the signature.
-+ *
-+ * <ul>
- * <li>If no authenticated attributes are present, the content type is
- * verified to be <i>data</i>. Then it is verified that the message
- * digest passed
-@@ -413,24 +415,25 @@ public class SignerInfo implements ASN1Value {
- * digest in the SignerInfo.
- *
- * <li>If authenticated attributes are present,
-- * two particular attributes must be present: <ul>
-+ * two particular attributes must be present:
-+ * <ul>
- * <li>PKCS #9 Content-Type, the type of content that is being signed.
- * This must match the contentType parameter.
- * <li>PKCS #9 Message-Digest, the digest of the content that is being
- * signed. This must match the messageDigest parameter.
- * </ul>
-+ *
- * After these two attributes are verified to be both present and correct,
- * the encryptedDigest field of the SignerInfo is verified to be the
- * signature of the contents octets of the DER encoding of the
- * authenticatedAttributes field.
-- *
- * </ul>
- *
- * @param messageDigest The hash of the content that is signed by this
- * SignerInfo.
- * @param contentType The type of the content that is signed by this
- * SignerInfo.
-- * @exception NoSuchObjectException If no certificate matching the
-+ * @exception ObjectNotFoundException If no certificate matching the
- * the issuer name and serial number can be found.
- */
- public void verify(byte[] messageDigest, OBJECT_IDENTIFIER contentType)
-diff --git a/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java b/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java
-index 91ae770c94b3a8817c13e4cb86609c432ef682b8..9f61e605b416dffc38525ccec4dcce9f380c7dcc 100644
---- a/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java
-+++ b/mozilla/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java
-@@ -168,7 +168,6 @@ public class ContentInfo implements ASN1Value {
- * an OCTET_STRING will be returned.
- * <p>If the contentType is <b>not</b> one of the six standard types,
- * the returned object will be an ANY.
-- * </ul>
- */
- public ASN1Value getInterpretedContent() throws InvalidBERException {
- if(contentType.equals(DATA)) {
-diff --git a/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java b/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java
-index ff34a554e4d5f43b6ce18acfac01899858d62117..e7feb934dc0a78fbc40a6ff7d8db87f0af9177fe 100644
---- a/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java
-+++ b/mozilla/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java
-@@ -130,7 +130,7 @@ public class SignerInfo implements ASN1Value {
- /**
- * Retrieves the DigestAlgorithm used in this SignerInfo.
- *
-- * @exception NoSuchAlgorithm If the algorithm is not recognized by JSS.
-+ * @exception NoSuchAlgorithmException If the algorithm is not recognized by JSS.
- */
- public DigestAlgorithm getDigestAlgorithm()
- throws NoSuchAlgorithmException
-@@ -403,10 +403,12 @@ public class SignerInfo implements ASN1Value {
- /**
- * Verifies that this SignerInfo contains a valid signature of the
- * given message digest. If any signed attributes are present,
-- * they are also validated. The verification algorithm is as follows:<ul>
-- * <p>Note that this does <b>not</b> verify the validity of the
-- * the certificate itself, only the signature.
-+ * they are also validated. The verification algorithm is as follows:
- *
-+ * Note that this does <b>not</b> verify the validity of the
-+ * the certificate itself, only the signature.
-+ *
-+ * <ul>
- * <li>If no signed attributes are present, the content type is
- * verified to be <i>data</i>. Then it is verified that the message
- * digest passed
-@@ -414,24 +416,25 @@ public class SignerInfo implements ASN1Value {
- * digest in the SignerInfo.
- *
- * <li>If signed attributes are present,
-- * two particular attributes must be present: <ul>
-+ * two particular attributes must be present:
-+ * <ul>
- * <li>PKCS #9 Content-Type, the type of content that is being signed.
- * This must match the contentType parameter.
- * <li>PKCS #9 Message-Digest, the digest of the content that is being
- * signed. This must match the messageDigest parameter.
- * </ul>
-+ *
- * After these two attributes are verified to be both present and correct,
- * the encryptedDigest field of the SignerInfo is verified to be the
- * signature of the contents octets of the DER encoding of the
- * signedAttributes field.
-- *
- * </ul>
- *
- * @param messageDigest The hash of the content that is signed by this
- * SignerInfo.
- * @param contentType The type of the content that is signed by this
- * SignerInfo.
-- * @exception NoSuchObjectException If no certificate matching the
-+ * @exception ObjectNotFoundException If no certificate matching the
- * the issuer name and serial number can be found.
- */
- public void verify(byte[] messageDigest, OBJECT_IDENTIFIER contentType)
-diff --git a/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java b/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java
-index 53d162b69673caeed3e998dc9c2e221b95dfc6db..c6637039c87043f36dd1a1e449a819edbcc816e3 100644
---- a/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java
-+++ b/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java
-@@ -112,7 +112,7 @@ public class CertReqMsg implements ASN1Value {
-
- /**
- * Constructs a <i>CertReqmsg</i> from a <i>CertRequest</i> and, optionally,
-- * a <i>pop>/i> and a <i>regInfo</i>.
-+ * a <i>pop</i> and a <i>regInfo</i>.
- * @param pop May be NULL.
- * @param regInfo May be NULL.
- */
-diff --git a/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java b/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
-index 2043a598cf3e8d023287c0f7142045c1e4f68e4d..58d14496e5ad92aa91a966e119e14f470da4fd4a 100644
---- a/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
-+++ b/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
-@@ -174,9 +174,6 @@ public class SSLServerSocket extends java.net.ServerSocket {
- * @return java.net.Socket Local socket for client communication
- *
- * @throws IOException If an input or output exception occurred
-- * @throws SocketTimeoutException If the socket timesout trying to connect
-- * @throws InterruptedIOException If an input or output is interrupted
-- * @throws SSLSocketException JSS subclass of java.net.SocketException
- */
- public Socket accept() throws IOException {
- synchronized (acceptLock) {
-diff --git a/mozilla/security/jss/org/mozilla/jss/util/Debug_debug.jnot b/mozilla/security/jss/org/mozilla/jss/util/Debug.java
-similarity index 100%
-rename from mozilla/security/jss/org/mozilla/jss/util/Debug_debug.jnot
-rename to mozilla/security/jss/org/mozilla/jss/util/Debug.java
---
-2.4.3
-
diff --git a/SOURCES/jss-HSM-manufacturerID.patch b/SOURCES/jss-HSM-manufacturerID.patch
deleted file mode 100644
index 2a7bdff..0000000
--- a/SOURCES/jss-HSM-manufacturerID.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu 2011-11-10 17:18:02.706421000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-11-10 17:18:23.370442000 -0800
-@@ -195,7 +195,8 @@ JSS_PK11_generateKeyPairWithOpFlags(JNIE
- }
- PR_GetErrorText(errBuf);
- }
-- msgBuf = PR_smprintf("Keypair Generation failed on token: %s",
-+ msgBuf = PR_smprintf("Keypair Generation failed on token with error: %d : %s",
-+ PR_GetError(),
- errLength>0? errBuf : "");
- if(errLength>0) {
- PR_Free(errBuf);
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-11-10 17:18:10.767429000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-11-10 17:52:34.703491000 -0800
-@@ -334,32 +334,36 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- PRBool isExtractable = PR_FALSE;
-
- /* special case nethsm and lunasa*/
-- CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
-- CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'};
-+ const int numManufacturerIDchars = 7;
-+ CK_UTF8CHAR nethsmManufacturerID[] = {'n','C','i','p','h','e','r'};
-+ CK_UTF8CHAR lunasaManufacturerID[] = {'S','a','f','e','n','e','t'};
- PRBool isNethsm = PR_TRUE;
- PRBool isLunasa = PR_TRUE;
-
-+ tokenInfo.manufacturerID[0] = 0;
-+
- if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
- /* exception was thrown */
- goto finish;
- }
-
-- if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) {
-+ if ( (PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) &&
-+ (tokenInfo.manufacturerID[0] != 0)) {
- int ix = 0;
-- for(ix=0; ix < 4; ix++) {
-- if (tokenInfo.label[ix] != nethsmLabel[ix]) {
-+
-+ for(ix=0; ix < numManufacturerIDchars; ix++) {
-+ if (tokenInfo.manufacturerID[ix] != nethsmManufacturerID[ix]) {
- isNethsm = PR_FALSE;
- break;
- }
- }
-- ix = 0;
-- for(ix=0; ix < 4; ix++) {
-- if (tokenInfo.label[ix] != lunasaLabel[ix]) {
-+
-+ for(ix=0; ix < numManufacturerIDchars; ix++) {
-+ if (tokenInfo.manufacturerID[ix] != lunasaManufacturerID[ix]) {
- isLunasa = PR_FALSE;
- break;
- }
- }
--
- } else {
- isNethsm = PR_FALSE;
- isLunasa = PR_FALSE;
diff --git a/SOURCES/jss-PBE-PKCS5-V2-secure-P12.patch b/SOURCES/jss-PBE-PKCS5-V2-secure-P12.patch
deleted file mode 100644
index 068e4d7..0000000
--- a/SOURCES/jss-PBE-PKCS5-V2-secure-P12.patch
+++ /dev/null
@@ -1,328 +0,0 @@
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.old 2011-09-23 10:14:24.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-22 18:39:15.000000000 -0700
-@@ -111,6 +111,9 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
- /* 48 */ {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG},
- /* 49 */ {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG},
- /* 50 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
-+/* 51 */ {SEC_OID_PKCS5_PBKDF2, SEC_OID_TAG},
-+/* 52 */ {SEC_OID_PKCS5_PBES2, SEC_OID_TAG},
-+/* 53 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG},
- /* REMEMBER TO UPDATE NUM_ALGS!!! */
- };
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.old 2011-09-23 10:14:08.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2011-09-22 20:31:12.000000000 -0700
-@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
- JSS_AlgType type;
- } JSS_AlgInfo;
-
--#define NUM_ALGS 51
-+#define NUM_ALGS 54
-
- extern JSS_AlgInfo JSS_AlgTable[];
- extern CK_ULONG JSS_symkeyUsage[];
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.old 2011-09-23 10:14:42.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2011-09-22 18:39:15.000000000 -0700
-@@ -233,5 +233,9 @@ public class Algorithm {
- protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
- protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
- protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50;
-+ //PKCS5 V2
-+ protected static final short SEC_OID_PKCS5_PBKDF2=51;
-+ protected static final short SEC_OID_PKCS5_PBES2=52;
-+ protected static final short SEC_OID_PKCS5_PBMAC1=53;
-
- }
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java.old ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java.old 2011-09-23 10:15:04.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java 2011-09-22 18:39:15.000000000 -0700
-@@ -93,6 +93,27 @@ public class PBEAlgorithm extends KeyGen
- ///////////////////////////////////////////////////////////////////////
-
- //////////////////////////////////////////////////////////////
-+ // PKCS 5 v2
-+ public static final PBEAlgorithm
-+ PBE_PKCS5_PBKDF2 = new PBEAlgorithm(
-+ SEC_OID_PKCS5_PBKDF2, "PBKDF2", 128,
-+ PKCS5.subBranch(12), EncryptionAlgorithm.AES_128_CBC, 8 );
-+
-+ //////////////////////////////////////////////////////////////
-+ // PKCS 5 v2
-+ public static final PBEAlgorithm
-+ PBE_PKCS5_PBES2 = new PBEAlgorithm(
-+ SEC_OID_PKCS5_PBES2, "PBES2", 128,
-+ PKCS5.subBranch(13), EncryptionAlgorithm.AES_128_CBC, 8 );
-+
-+ //////////////////////////////////////////////////////////////
-+ // PKCS 5 v2
-+ public static final PBEAlgorithm
-+ PBE_PKCS5_PBMAC1 = new PBEAlgorithm(
-+ SEC_OID_PKCS5_PBMAC1, "PBMAC1", 128,
-+ PKCS5.subBranch(14), EncryptionAlgorithm.AES_128_CBC, 8 );
-+
-+ //////////////////////////////////////////////////////////////
- public static final PBEAlgorithm
- PBE_MD2_DES_CBC = new PBEAlgorithm(
- SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC, "PBE/MD2/DES/CBC", 56,
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.old 2011-09-23 10:12:09.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-09-27 10:35:19.000000000 -0700
-@@ -324,7 +324,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
- }
- /* print_secitem(pwitem); */
-
--
- mech = JSS_getPK11MechFromAlg(env, alg);
-
- if( mech == CKM_PBA_SHA1_WITH_SHA1_HMAC ) {
-@@ -344,7 +343,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
- PR_ASSERT(oidTag != SEC_OID_UNKNOWN);
-
- /* create algid */
-- algid = PK11_CreatePBEAlgorithmID(oidTag, iterationCount, salt);
-+ algid = PK11_CreatePBEV2AlgorithmID(
-+ oidTag,
-+ SEC_OID_DES_EDE3_CBC,
-+ SEC_OID_HMAC_SHA1,
-+ 168/8,
-+ iterationCount,
-+ salt);
-+
- if( algid == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION,
- "Unable to process PBE parameters");
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.old 2011-09-25 15:43:52.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-09-27 21:16:06.000000000 -0700
-@@ -324,14 +324,34 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- SECItem *wrapped=NULL, *iv=NULL, *param=NULL, *pubValue=NULL;
- SECItem label; /* empty secitem, doesn't need to be freed */
- PRBool token;
-- CK_ATTRIBUTE_TYPE attribs[4];
-- int numAttribs;
-+ CK_ATTRIBUTE_TYPE attribs[4] = {0, 0, 0, 0};
-+ int numAttribs = 0;
-+ CK_TOKEN_INFO tokenInfo;
-+
-+ PRBool isSensitive = PR_TRUE;
-+ PRBool isExtractable = PR_FALSE;
-+ /* special case nethsm*/
-+ CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
-+ PRBool isNethsm = PR_TRUE;
-
- if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
- /* exception was thrown */
- goto finish;
- }
-
-+ if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) {
-+ int ix = 0;
-+ for(ix=0; ix < 4; ix++) {
-+ if (tokenInfo.label[ix] != nethsmLabel[ix]) {
-+ isNethsm = PR_FALSE;
-+ break;
-+ }
-+ }
-+
-+ } else {
-+ isNethsm = PR_FALSE;
-+ }
-+
- /* get unwrapping key */
- if( JSS_PK11_getSymKeyPtr(env, unwrapperObj, &unwrappingKey)
- != PR_SUCCESS) {
-@@ -392,14 +412,24 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- }
- keyType = PK11_GetKeyType(keyTypeMech, 0);
-
-+ if( isNethsm ) {
-+ isSensitive = PR_FALSE;
-+ isExtractable = PR_FALSE;
-+ }
-+
-+setAttrs:
- /* figure out which operations to enable for this key */
- switch (keyType) {
- case CKK_RSA:
- attribs[0] = CKA_SIGN;
-- attribs[1] = CKA_DECRYPT;
-- attribs[2] = CKA_SIGN_RECOVER;
-- attribs[3] = CKA_UNWRAP;
-- numAttribs = 4;
-+ attribs[1] = CKA_SIGN_RECOVER;
-+ attribs[2] = CKA_UNWRAP;
-+ if (isExtractable) {
-+ attribs[3] = CKA_EXTRACTABLE;
-+ numAttribs = 4;
-+ } else {
-+ numAttribs = 3;
-+ }
- break;
- case CKK_DSA:
- attribs[0] = CKA_SIGN;
-@@ -426,7 +456,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
-
- /* perform the unwrap */
- privk = PK11_UnwrapPrivKey(slot, unwrappingKey, wrapType, param, wrapped,
-- &label, pubValue, token, PR_TRUE /*sensitive*/, keyType,
-+ &label, pubValue, token, isSensitive /*sensitive*/, keyType,
- attribs, numAttribs, NULL /*wincx*/);
- if( privk == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token");
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.old 2011-09-27 15:16:52.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2011-09-27 17:01:18.000000000 -0700
-@@ -190,21 +190,23 @@ final class PK11KeyWrapper implements Ke
- if( key==null ) {
- throw new InvalidKeyException("Key is null");
- }
-- if( ! key.getOwningToken().equals(token) ) {
-- throw new InvalidKeyException("Key does not reside on the "+
-- "current token");
-- }
-- if( ! (key instanceof PK11SymKey) ) {
-- throw new InvalidKeyException("Key is not a PKCS #11 key");
-- }
- try {
-+ if( ! key.getOwningToken().equals(token) ) {
-+ throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
-+ key.getOwningToken().getName());
-+ }
-+ if( ! (key instanceof PK11SymKey) ) {
-+ throw new InvalidKeyException("Key is not a PKCS #11 key");
-+ }
- if( ((PK11SymKey)key).getKeyType() !=
-- KeyType.getKeyTypeFromAlgorithm(algorithm) ) {
-- throw new InvalidKeyException("Key is not the right type for"+
-+ KeyType.getKeyTypeFromAlgorithm(algorithm) ) {
-+ throw new InvalidKeyException("Key is not the right type for"+
- " this algorithm");
- }
- } catch( NoSuchAlgorithmException e ) {
- Assert.notReached("Unknown algorithm");
-+ } catch (Exception e) {
-+ Assert.notReached("Exception:"+ e.toString());
- }
- }
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.old 2011-09-23 10:12:29.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-09-23 08:54:19.000000000 -0700
-@@ -106,10 +106,13 @@ public final class PK11Token implements
- getKeyGenerator(KeyGenAlgorithm algorithm)
- throws NoSuchAlgorithmException, TokenException
- {
-+/* NSS is capable of finding the right token to do algorithm,
-+ so this call is prematurely bailing
- if( ! doesAlgorithm(algorithm) ) {
- throw new NoSuchAlgorithmException(
- algorithm+" is not supported by this token");
- }
-+*/
- return new PK11KeyGenerator(this, algorithm);
- }
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.old ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
---- ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.old 2011-09-23 10:42:06.000000000 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java 2011-09-27 14:31:41.000000000 -0700
-@@ -43,6 +43,7 @@ import org.mozilla.jss.util.Assert;
- import java.security.*;
- import org.mozilla.jss.CryptoManager;
- import org.mozilla.jss.util.Password;
-+import org.mozilla.jss.crypto.PrivateKey;
- import java.security.spec.AlgorithmParameterSpec;
-
- /**
-@@ -184,6 +185,89 @@ public class EncryptedPrivateKeyInfo imp
- return null;
- }
-
-+
-+ /**
-+ * Creates a new EncryptedPrivateKeyInfo, where the data is encrypted
-+ * with a password-based key-
-+ * with wrapping/unwrapping happening on token.
-+ *
-+ * @param keyGenAlg The algorithm for generating a symmetric key from
-+ * a password, salt, and iteration count.
-+ * @param password The password to use in generating the key.
-+ * @param salt The salt to use in generating the key.
-+ * @param iterationCount The number of hashing iterations to perform
-+ * while generating the key.
-+ * @param charToByteConverter The mechanism for converting the characters
-+ * in the password into bytes. If null, the default mechanism
-+ * will be used, which is UTF8.
-+ * @param pri The PrivateKey to be encrypted and stored in the
-+ * EncryptedContentInfo.
-+ */
-+ public static EncryptedPrivateKeyInfo
-+ createPBE(PBEAlgorithm keyGenAlg, Password password, byte[] salt,
-+ int iterationCount,
-+ KeyGenerator.CharToByteConverter charToByteConverter,
-+ PrivateKey pri, CryptoToken token)
-+ throws CryptoManager.NotInitializedException, NoSuchAlgorithmException,
-+ InvalidKeyException, InvalidAlgorithmParameterException, TokenException,
-+ CharConversionException
-+ {
-+ try {
-+
-+ // check key gen algorithm
-+
-+ if( ! (keyGenAlg instanceof PBEAlgorithm) ) {
-+ throw new NoSuchAlgorithmException("Key generation algorithm"+
-+ " is not a PBE algorithm");
-+ }
-+
-+ PBEAlgorithm pbeAlg = (PBEAlgorithm) keyGenAlg;
-+
-+ // generate key
-+
-+ KeyGenerator kg = token.getKeyGenerator( keyGenAlg );
-+ PBEKeyGenParams pbekgParams = new PBEKeyGenParams(
-+ password, salt, iterationCount);
-+ if( charToByteConverter != null ) {
-+ kg.setCharToByteConverter( charToByteConverter );
-+ }
-+ kg.initialize(pbekgParams);
-+ kg.temporaryKeys(true);
-+ SymmetricKey key = kg.generate();
-+
-+ // generate IV
-+ EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
-+ AlgorithmParameterSpec params=null;
-+ if( encAlg.getParameterClass().equals( IVParameterSpec.class ) ) {
-+ params = new IVParameterSpec( kg.generatePBE_IV() );
-+ }
-+
-+ KeyWrapper wrapper = token.getKeyWrapper(
-+ KeyWrapAlgorithm.DES3_CBC);
-+ wrapper.initWrap(key, params);
-+ byte encrypted[] = wrapper.wrap(pri);
-+
-+ // make encryption algorithm identifier
-+ PBEParameter pbeParam = new PBEParameter( salt, iterationCount );
-+ AlgorithmIdentifier encAlgID = new AlgorithmIdentifier(
-+ keyGenAlg.toOID(), pbeParam);
-+
-+ // create EncryptedPrivateKeyInfo
-+ EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo (
-+ encAlgID,
-+ new OCTET_STRING(encrypted) );
-+
-+ return epki;
-+
-+ } catch (Exception e) {
-+ Assert.notReached("EncryptedPrivateKeyInfo exception:"
-+ +".createPBE");
-+ }
-+
-+ return null;
-+ }
-+
-+
- /**
- * Decrypts an EncryptedPrivateKeyInfo that was encrypted with a PBE
- * algorithm. The algorithm and its parameters are extracted from
diff --git a/SOURCES/jss-PKCS12-FIPS.patch b/SOURCES/jss-PKCS12-FIPS.patch
deleted file mode 100644
index b2aa854..0000000
--- a/SOURCES/jss-PKCS12-FIPS.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix 2011-08-15 15:39:56.633158000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-08-15 20:43:34.947749000 -0700
-@@ -239,40 +239,47 @@ print_secitem(SECItem *item) {
- * TokenException if an error occurs.
- */
- static PK11SymKey*
--constructSHA1PBAKey(JNIEnv *env, SECItem *pwitem, SECItem *salt,
-+constructSHA1PBAKey(JNIEnv *env, PK11SlotInfo *slot, SECItem *pwitem, SECItem *salt,
- int iterationCount)
- {
-- PBEBitGenContext* pbeCtxt=NULL;
-- SECItem *keyBits=NULL;
- PK11SymKey *key=NULL;
-
-- pbeCtxt = PBE_CreateContext( SEC_OID_SHA1, pbeBitGenIntegrityKey,
-- pwitem, salt, 160 /* SHA1 key length */, iterationCount);
-- if( pbeCtxt == NULL ) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to create PBE context");
-+ unsigned char ivData[8];
-+ SECItem mechItem;
-+ CK_PBE_PARAMS pbe_params;
-+
-+ if( pwitem == NULL ) {
-+ JSS_throwMsg(env, TOKEN_EXCEPTION,
-+ "constructSHA1PAKey:"
-+ " pwitem NULL");
- goto finish;
- }
--
-- keyBits = PBE_GenerateBits(pbeCtxt);
-- if( keyBits == NULL ) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to generate bits from"
-- "PBE context");
-+ if( salt == NULL ) {
-+ JSS_throwMsg(env, TOKEN_EXCEPTION,
-+ "constructSHA1PAKey:"
-+ " salt NULL");
- goto finish;
- }
-
-- key = PK11_ImportSymKey( PK11_GetInternalSlot(), CKM_SHA_1,
-- PK11_OriginGenerated, CKA_SIGN, keyBits, NULL);
-+ pbe_params.pInitVector = ivData;
-+ pbe_params.pPassword = pwitem->data;
-+ pbe_params.ulPasswordLen = pwitem->len;
-+ pbe_params.pSalt = salt->data;
-+ pbe_params.ulSaltLen = salt->len;
-+ pbe_params.ulIteration = iterationCount;
-+ mechItem.data = (unsigned char *) &pbe_params;
-+ mechItem.len = sizeof(pbe_params);
-+
-+ key = PK11_RawPBEKeyGen(slot, CKM_PBA_SHA1_WITH_SHA1_HMAC, &mechItem, pwitem, PR_FALSE, NULL);
-+
- if( key == NULL ) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to import PBA key from"
-- " PBA-generated bits");
-+ JSS_throwMsg(env, TOKEN_EXCEPTION,
-+ "PK11_RawPBEKeyGen:"
-+ " failed to generate key");
- goto finish;
- }
-
- finish:
-- if( pbeCtxt ) {
-- PBE_DestroyContext(pbeCtxt);
-- }
-- /* keyBits == pbeCtxt, so we don't need to free it */
- return key;
- }
-
-@@ -324,7 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
-
- /* special case, construct key by hand. Bug #336587 */
-
-- skey = constructSHA1PBAKey(env, pwitem, salt, iterationCount);
-+ skey = constructSHA1PBAKey(env, slot, pwitem, salt, iterationCount);
- if( skey==NULL ) {
- /* exception was thrown */
- goto finish;
diff --git a/SOURCES/jss-RC4-strengh-verify.patch b/SOURCES/jss-RC4-strengh-verify.patch
deleted file mode 100644
index 59b6577..0000000
--- a/SOURCES/jss-RC4-strengh-verify.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java.nkinderSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java.nkinderSaved 2014-09-26 14:40:03.452845047 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenAlgorithm.java 2014-09-26 14:41:02.101598146 -0700
-@@ -127,7 +127,7 @@ public class KeyGenAlgorithm extends Alg
- RC4 = new KeyGenAlgorithm(CKM_RC4_KEY_GEN, "RC4",
- new KeyStrengthValidator() {
- public boolean isValidKeyStrength(int strength) {
-- return true;
-+ return strength>=40 && strength <= (256*8);
- }
- }, null, null);
-
diff --git a/SOURCES/jss-SHA-OID-fix.patch b/SOURCES/jss-SHA-OID-fix.patch
deleted file mode 100644
index fdda50f..0000000
--- a/SOURCES/jss-SHA-OID-fix.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.jn jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.jn 2014-09-10 09:21:52.663959115 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java 2014-09-10 09:22:38.662788747 -0700
-@@ -117,7 +117,7 @@ public class OBJECT_IDENTIFIER implement
- * The OID space for FIPS-180-2 SHA256/SHA384/SHA512 standardized algorithms.
- */
- public static final OBJECT_IDENTIFIER HASH_ALGORITHM =
-- new OBJECT_IDENTIFIER( new long[] {2, 16, 840, 1, 101, 3, 4 } );
-+ new OBJECT_IDENTIFIER( new long[] {2, 16, 840, 1, 101, 3, 4, 2 } );
-
-
- /**
diff --git a/SOURCES/jss-VerifyCertificate-enhancement.patch b/SOURCES/jss-VerifyCertificate-enhancement.patch
deleted file mode 100644
index 6582b41..0000000
--- a/SOURCES/jss-VerifyCertificate-enhancement.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-From 3c4ca8a2010889fe292704ebcc8b922f77f2f7c2 Mon Sep 17 00:00:00 2001
-From: "Endi S. Dewata" <edewata@redhat.com>
-Date: Wed, 9 Dec 2015 00:30:50 +0100
-Subject: [PATCH] Added verifyCertificate() method.
-
-A new CryptoManager.verifyCertificate() method has been added as
-an alternative to isCertValid(). If there is a certificate
-validation problem, the method will throw a CertificateValidation
-exception that contains the NSS error message and code. The
-exception will also provide a stack trace to help troubleshoot
-validation issues.
-
-https://fedorahosted.org/pki/ticket/850
----
- .../jss/org/mozilla/jss/CryptoManager.java | 54 ++++++++------
- mozilla/security/jss/org/mozilla/jss/PK11Finder.c | 83 +++++++++++++++++++---
- .../jss/org/mozilla/jss/util/jss_exceptions.h | 2 +
- 3 files changed, 110 insertions(+), 29 deletions(-)
-
-diff --git a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
-index 0a4f59064bfddb42d473022550c24f251719d02b..54ffd8130b0e1f1fca49dd8b130a621e449c7ce7 100644
---- a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
-+++ b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
-@@ -1515,30 +1515,44 @@ public final class CryptoManager implements TokenSupplier
- CertificateUsage certificateUsage)
- throws ObjectNotFoundException, InvalidNicknameException
- {
-- if (nickname==null) {
-- throw new InvalidNicknameException("Nickname must be non-null");
-- }
-- // 0 certificate usage will get current usage
-- // should call isCertValid() call above that returns certificate usage
-- if ((certificateUsage == null) ||
-- (certificateUsage == CertificateUsage.CheckAllUsages)){
-- int currCertificateUsage = 0x0000;
-- currCertificateUsage = verifyCertificateNowCUNative(nickname,
-- checkSig);
-+ try {
-+ verifyCertificate(nickname, checkSig, certificateUsage);
-+ return true;
-+
-+ } catch (ObjectNotFoundException | InvalidNicknameException e) {
-+ throw e;
-
-- if (currCertificateUsage == CertificateUsage.basicCertificateUsages){
-- // cert is good for nothing
-- return false;
-- } else
-- return true;
-- } else {
-- return verifyCertificateNowNative(nickname, checkSig,
-- certificateUsage.getUsage());
-+ } catch (CertificateException e) {
-+ return false;
- }
- }
-
-- private native boolean verifyCertificateNowNative(String nickname,
-- boolean checkSig, int certificateUsage) throws ObjectNotFoundException;
-+ /**
-+ * Verify a certificate that exists in the given cert database,
-+ * check if it's valid and that we trust the issuer. Verify time
-+ * against now.
-+ * @param nickname nickname of the certificate to verify.
-+ * @param checkSig verify the signature of the certificate
-+ * @param certificateUsage see certificate usage defined to verify certificate
-+ *
-+ * @exception InvalidNicknameException If the nickname is null.
-+ * @exception ObjectNotFoundException If no certificate could be found
-+ * with the given nickname.
-+ * @exception CertificateException If certificate is invalid.
-+ */
-+ public void verifyCertificate(String nickname,
-+ boolean checkSig,
-+ CertificateUsage certificateUsage)
-+ throws ObjectNotFoundException, InvalidNicknameException, CertificateException {
-+ int usage = certificateUsage == null ? 0 : certificateUsage.getUsage();
-+ verifyCertificateNowNative(nickname, checkSig, usage);
-+ }
-+
-+ private native void verifyCertificateNowNative(
-+ String nickname,
-+ boolean checkSig,
-+ int certificateUsage)
-+ throws ObjectNotFoundException, InvalidNicknameException, CertificateException;
-
- /**
- * note: this method calls obsolete function in NSS
-diff --git a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
-index 8c7f0b4c05b58527a41cac140dbb5dc30578570f..4986478ffc860e145cd31e41c2880fcc2b5e007e 100644
---- a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
-+++ b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
-@@ -1667,21 +1667,86 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
- /***********************************************************************
- * CryptoManager.verifyCertificateNowNative
- *
-- * Returns JNI_TRUE if success, JNI_FALSE otherwise
-+ * Verify a certificate that exists in the given cert database,
-+ * check if it's valid and that we trust the issuer. Verify time
-+ * against now.
-+ * @param nickname nickname of the certificate to verify.
-+ * @param checkSig verify the signature of the certificate
-+ * @param certificateUsage see certificate usage defined to verify certificate
-+ *
-+ * @exception InvalidNicknameException If the nickname is null.
-+ * @exception ObjectNotFoundException If no certificate could be found
-+ * with the given nickname.
-+ * @exception CertificateException If certificate is invalid.
- */
--JNIEXPORT jboolean JNICALL
-+JNIEXPORT void JNICALL
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
-- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
-+ jobject self, jstring nickString, jboolean checkSig, jint certificateUsage)
- {
-- SECStatus rv = SECFailure;
- SECCertificateUsage currUsage = 0x0000;
-+ SECStatus rv = SECFailure;
-+ CERTCertificate *cert = NULL;
-+ char *nickname = NULL;
-
-- rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
-+ if (nickString == NULL) {
-+ JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
-+ goto finish;
-+ }
-
-- if( rv == SECSuccess) {
-- return JNI_TRUE;
-- } else {
-- return JNI_FALSE;
-+ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
-+
-+ if (nickname == NULL) {
-+ JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
-+ goto finish;
-+ }
-+
-+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
-+
-+ if (cert == NULL) {
-+ char *msgBuf;
-+ msgBuf = PR_smprintf("Certificate not found: %s", nickname);
-+ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, msgBuf);
-+ PR_Free(msgBuf);
-+ goto finish;
-+ }
-+
-+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
-+ * retrieve the current valid usage into currUsage
-+ */
-+ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
-+ checkSig, certificateUsage, NULL, &currUsage);
-+
-+ if (rv != SECSuccess) {
-+ JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Invalid certificate");
-+ goto finish;
-+ }
-+
-+ if ((certificateUsage == 0x0000) &&
-+ (currUsage ==
-+ ( certUsageUserCertImport |
-+ certUsageVerifyCA |
-+ certUsageProtectedObjectSigner |
-+ certUsageAnyCA ))) {
-+
-+ /* The certificate is good for nothing.
-+ * The following usages cannot be verified:
-+ * certUsageAnyCA
-+ * certUsageProtectedObjectSigner
-+ * certUsageUserCertImport
-+ * certUsageVerifyCA
-+ * (0x0b80)
-+ */
-+
-+ JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Unusable certificate");
-+ goto finish;
-+ }
-+
-+finish:
-+ if (nickname != NULL) {
-+ (*env)->ReleaseStringUTFChars(env, nickString, nickname);
-+ }
-+ if (cert != NULL) {
-+ CERT_DestroyCertificate(cert);
- }
- }
-
-diff --git a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
-index 4884928306223ff0699a22e7da33e3d13a904d39..acd329a4ecd3592ebe1d72c7bdac435d84dcae99 100644
---- a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
-+++ b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
-@@ -79,6 +79,8 @@ PR_BEGIN_EXTERN_C
-
- #define INTERRUPTED_IO_EXCEPTION "java/io/InterruptedIOException"
-
-+#define INVALID_NICKNAME_EXCEPTION "org/mozilla/jss/util/InvalidNicknameException"
-+
- #define INVALID_KEY_FORMAT_EXCEPTION "org/mozilla/jss/crypto/InvalidKeyFormatException"
-
- #define INVALID_PARAMETER_EXCEPTION "java/security/InvalidParameterException"
---
-2.5.0
-
diff --git a/SOURCES/jss-VerifyCertificate.patch b/SOURCES/jss-VerifyCertificate.patch
deleted file mode 100644
index a017b77..0000000
--- a/SOURCES/jss-VerifyCertificate.patch
+++ /dev/null
@@ -1,220 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-10-20 09:53:10.288935000 -0700
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-10-29 10:29:48.664212000 -0700
-@@ -331,6 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
- Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
- Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
- Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
-+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
- ;+ local:
- ;+ *;
- ;+};
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-10-28 16:44:46.366082000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-10-31 17:30:25.502670000 -0700
-@@ -61,6 +61,7 @@ import org.mozilla.jss.provider.java.sec
- public final class CryptoManager implements TokenSupplier
- {
- /**
-+ * note: this is obsolete in NSS
- * CertUsage options for validation
- */
- public final static class CertUsage {
-@@ -86,8 +87,6 @@ public final class CryptoManager impleme
- return name;
- }
-
--
--
- // certUsage, these must be kept in sync with nss/lib/certdb/certt.h
- public static final CertUsage SSLClient = new CertUsage(0, "SSLClient");
- public static final CertUsage SSLServer = new CertUsage(1, "SSLServer");
-@@ -103,6 +102,63 @@ public final class CryptoManager impleme
- public static final CertUsage AnyCA = new CertUsage(11, "AnyCA");
- }
-
-+ /**
-+ * CertificateUsage options for validation
-+ */
-+ public final static class CertificateUsage {
-+ private int usage;
-+ private String name;
-+
-+ // certificateUsage, these must be kept in sync with nss/lib/certdb/certt.h
-+ private static final int certificateUsageCheckAllUsages = 0x0000;
-+ private static final int certificateUsageSSLClient = 0x0001;
-+ private static final int certificateUsageSSLServer = 0x0002;
-+ private static final int certificateUsageSSLServerWithStepUp = 0x0004;
-+ private static final int certificateUsageSSLCA = 0x0008;
-+ private static final int certificateUsageEmailSigner = 0x0010;
-+ private static final int certificateUsageEmailRecipient = 0x0020;
-+ private static final int certificateUsageObjectSigner = 0x0040;
-+ private static final int certificateUsageUserCertImport = 0x0080;
-+ private static final int certificateUsageVerifyCA = 0x0100;
-+ private static final int certificateUsageProtectedObjectSigner = 0x0200;
-+ private static final int certificateUsageStatusResponder = 0x0400;
-+ private static final int certificateUsageAnyCA = 0x0800;
-+
-+ static private ArrayList list = new ArrayList();
-+ private CertificateUsage() {};
-+ private CertificateUsage(int usage, String name) {
-+ this.usage = usage;
-+ this.name = name;
-+ this.list.add(this);
-+
-+ }
-+ public int getUsage() {
-+ return usage;
-+ }
-+
-+ static public Iterator getCertificateUsages() {
-+ return list.iterator();
-+
-+ }
-+ public String toString() {
-+ return name;
-+ }
-+
-+ public static final CertificateUsage CheckAllUsages = new CertificateUsage(certificateUsageCheckAllUsages, "CheckAllUsages");
-+ public static final CertificateUsage SSLClient = new CertificateUsage(certificateUsageSSLClient, "SSLClient");
-+ public static final CertificateUsage SSLServer = new CertificateUsage(certificateUsageSSLServer, "SSLServer");
-+ public static final CertificateUsage SSLServerWithStepUp = new CertificateUsage(certificateUsageSSLServerWithStepUp, "SSLServerWithStepUp");
-+ public static final CertificateUsage SSLCA = new CertificateUsage(certificateUsageSSLCA, "SSLCA");
-+ public static final CertificateUsage EmailSigner = new CertificateUsage(certificateUsageEmailSigner, "EmailSigner");
-+ public static final CertificateUsage EmailRecipient = new CertificateUsage(certificateUsageEmailRecipient, "EmailRecipient");
-+ public static final CertificateUsage ObjectSigner = new CertificateUsage(certificateUsageObjectSigner, "ObjectSigner");
-+ public static final CertificateUsage UserCertImport = new CertificateUsage(certificateUsageUserCertImport, "UserCertImport");
-+ public static final CertificateUsage VerifyCA = new CertificateUsage(certificateUsageVerifyCA, "VerifyCA");
-+ public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
-+ public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
-+ public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
-+ }
-+
- public final static class NotInitializedException extends Exception {}
- public final static class NicknameConflictException extends Exception {}
- public final static class UserCertConflictException extends Exception {}
-@@ -1386,6 +1442,7 @@ public final class CryptoManager impleme
- }
- return tok;
- }
-+
- /////////////////////////////////////////////////////////////
- // isCertValid
- /////////////////////////////////////////////////////////////
-@@ -1395,6 +1452,39 @@ public final class CryptoManager impleme
- * against Now.
- * @param nickname The nickname of the certificate to verify.
- * @param checkSig verify the signature of the certificate
-+ * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
-+ * @return true for success; false otherwise
-+ *
-+ * @exception InvalidNicknameException If the nickname is null
-+ * @exception ObjectNotFoundException If no certificate could be found
-+ * with the given nickname.
-+ */
-+
-+ public boolean isCertValid(String nickname, boolean checkSig,
-+ CertificateUsage certificateUsage)
-+ throws ObjectNotFoundException, InvalidNicknameException
-+ {
-+ if (nickname==null) {
-+ throw new InvalidNicknameException("Nickname must be non-null");
-+ }
-+ // 0 certificate usage was supposed to get current usage, however,
-+ // it is not exposed at this point
-+ return verifyCertificateNowNative(nickname,
-+ checkSig,
-+ (certificateUsage == null) ? 0:certificateUsage.getUsage());
-+ }
-+
-+ private native boolean verifyCertificateNowNative(String nickname,
-+ boolean checkSig, int certificateUsage) throws ObjectNotFoundException;
-+
-+ /**
-+ * note: this method calls obsolete function in NSS
-+ *
-+ * Verify a certificate that exists in the given cert database,
-+ * check if is valid and that we trust the issuer. Verify time
-+ * against Now.
-+ * @param nickname The nickname of the certificate to verify.
-+ * @param checkSig verify the signature of the certificate
- * @param certUsage see exposed certUsage defines to verify Certificate
- * @return true for success; false otherwise
- *
-@@ -1413,6 +1503,9 @@ public final class CryptoManager impleme
- return verifyCertNowNative(nickname, checkSig, certUsage.getUsage());
- }
-
-+ /*
-+ * Obsolete in NSS
-+ */
- private native boolean verifyCertNowNative(String nickname,
- boolean checkSig, int cUsage) throws ObjectNotFoundException;
-
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-10-28 16:45:46.501899000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-10-31 17:25:53.575482000 -0700
-@@ -1575,11 +1575,62 @@ finish:
- }
-
- /***********************************************************************
-- * CryptoManager.verifyCertNowNative
-+ * CryptoManager.verifyCertificateNowNative
- *
- * Returns JNI_TRUE if success, JNI_FALSE otherwise
- */
- JNIEXPORT jboolean JNICALL
-+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
-+ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
-+{
-+ SECStatus rv = SECFailure;
-+ SECCertificateUsage certificateUsage;
-+ SECCertificateUsage currUsage; /* unexposed for now */
-+ CERTCertificate *cert=NULL;
-+ char *nickname=NULL;
-+
-+ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
-+ if( nickname == NULL ) {
-+ goto finish;
-+ }
-+
-+ certificateUsage = required_certificateUsage;
-+
-+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
-+
-+ if (cert == NULL) {
-+ JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
-+ goto finish;
-+ } else {
-+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
-+ * just get the current usage (which we are not passing back for now
-+ * but will bypass the certificate usage check
-+ */
-+ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
-+ checkSig, certificateUsage, NULL, &currUsage );
-+ }
-+
-+finish:
-+ if(nickname != NULL) {
-+ (*env)->ReleaseStringUTFChars(env, nickString, nickname);
-+ }
-+ if(cert != NULL) {
-+ CERT_DestroyCertificate(cert);
-+ }
-+ if( rv == SECSuccess) {
-+ return JNI_TRUE;
-+ } else {
-+ return JNI_FALSE;
-+ }
-+}
-+
-+
-+/***********************************************************************
-+ * CryptoManager.verifyCertNowNative
-+ * note: this calls obsolete NSS function
-+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
-+ */
-+JNIEXPORT jboolean JNICALL
- Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env,
- jobject self, jstring nickString, jboolean checkSig, jint cUsage)
- {
diff --git a/SOURCES/jss-VerifyCertificateReturnCU.patch b/SOURCES/jss-VerifyCertificateReturnCU.patch
deleted file mode 100644
index 7d220ef..0000000
--- a/SOURCES/jss-VerifyCertificateReturnCU.patch
+++ /dev/null
@@ -1,227 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-12-21 12:35:04.360044000 -0800
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-12-21 12:36:05.364105000 -0800
-@@ -332,6 +332,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
- Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
- Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
-+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
- ;+ local:
- ;+ *;
- ;+};
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-12-21 12:36:24.417124000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-12-21 12:43:54.777575000 -0800
-@@ -157,6 +157,19 @@ public final class CryptoManager impleme
- public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
- public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
- public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
-+
-+ /*
-+ The folllowing usages cannot be verified:
-+ certUsageAnyCA
-+ certUsageProtectedObjectSigner
-+ certUsageUserCertImport
-+ certUsageVerifyCA
-+ */
-+ public static final int basicCertificateUsages = /*0x0b80;*/
-+ certificateUsageUserCertImport |
-+ certificateUsageVerifyCA |
-+ certificateUsageProtectedObjectSigner |
-+ certificateUsageAnyCA ;
- }
-
- public final static class NotInitializedException extends Exception {}
-@@ -1452,14 +1465,43 @@ public final class CryptoManager impleme
- * against Now.
- * @param nickname The nickname of the certificate to verify.
- * @param checkSig verify the signature of the certificate
-- * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
-- * @return true for success; false otherwise
-+ * @return currCertificateUsage which contains current usage bit map as defined in CertificateUsage
- *
- * @exception InvalidNicknameException If the nickname is null
- * @exception ObjectNotFoundException If no certificate could be found
- * with the given nickname.
- */
-+ public int isCertValid(String nickname, boolean checkSig)
-+ throws ObjectNotFoundException, InvalidNicknameException
-+ {
-+ if (nickname==null) {
-+ throw new InvalidNicknameException("Nickname must be non-null");
-+ }
-+ int currCertificateUsage = 0x0000; // initialize it to 0
-+ currCertificateUsage = verifyCertificateNowCUNative(nickname,
-+ checkSig);
-+ return currCertificateUsage;
-+ }
-+
-+ private native int verifyCertificateNowCUNative(String nickname,
-+ boolean checkSig) throws ObjectNotFoundException;
-
-+ /////////////////////////////////////////////////////////////
-+ // isCertValid
-+ /////////////////////////////////////////////////////////////
-+ /**
-+ * Verify a certificate that exists in the given cert database,
-+ * check if is valid and that we trust the issuer. Verify time
-+ * against Now.
-+ * @param nickname The nickname of the certificate to verify.
-+ * @param checkSig verify the signature of the certificate
-+ * @param certificateUsage see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above
-+ * @return true for success; false otherwise
-+ *
-+ * @exception InvalidNicknameException If the nickname is null
-+ * @exception ObjectNotFoundException If no certificate could be found
-+ * with the given nickname.
-+ */
- public boolean isCertValid(String nickname, boolean checkSig,
- CertificateUsage certificateUsage)
- throws ObjectNotFoundException, InvalidNicknameException
-@@ -1467,11 +1509,23 @@ public final class CryptoManager impleme
- if (nickname==null) {
- throw new InvalidNicknameException("Nickname must be non-null");
- }
-- // 0 certificate usage was supposed to get current usage, however,
-- // it is not exposed at this point
-- return verifyCertificateNowNative(nickname,
-- checkSig,
-- (certificateUsage == null) ? 0:certificateUsage.getUsage());
-+ // 0 certificate usage will get current usage
-+ // should call isCertValid() call above that returns certificate usage
-+ if ((certificateUsage == null) ||
-+ (certificateUsage == CertificateUsage.CheckAllUsages)){
-+ int currCertificateUsage = 0x0000;
-+ currCertificateUsage = verifyCertificateNowCUNative(nickname,
-+ checkSig);
-+
-+ if (currCertificateUsage == CertificateUsage.basicCertificateUsages){
-+ // cert is good for nothing
-+ return false;
-+ } else
-+ return true;
-+ } else {
-+ return verifyCertificateNowNative(nickname, checkSig,
-+ certificateUsage.getUsage());
-+ }
- }
-
- private native boolean verifyCertificateNowNative(String nickname,
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-12-21 12:36:29.023129000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-12-21 16:03:34.599742000 -0800
-@@ -1574,18 +1574,16 @@ finish:
- }
- }
-
-+
- /***********************************************************************
-- * CryptoManager.verifyCertificateNowNative
-- *
-- * Returns JNI_TRUE if success, JNI_FALSE otherwise
-+ * CryptoManager.verifyCertificateNow
- */
--JNIEXPORT jboolean JNICALL
--Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
-- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
-+SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString,
-+ jboolean checkSig, jint required_certificateUsage,
-+ SECCertificateUsage *currUsage)
- {
- SECStatus rv = SECFailure;
- SECCertificateUsage certificateUsage;
-- SECCertificateUsage currUsage; /* unexposed for now */
- CERTCertificate *cert=NULL;
- char *nickname=NULL;
-
-@@ -1602,12 +1600,28 @@ Java_org_mozilla_jss_CryptoManager_verif
- JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
- goto finish;
- } else {
-- /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
-- * just get the current usage (which we are not passing back for now
-- * but will bypass the certificate usage check
-+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
-+ * retrieve the current valid usage into currUsage
- */
- rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
-- checkSig, certificateUsage, NULL, &currUsage );
-+ checkSig, certificateUsage, NULL, currUsage );
-+ if ((rv == SECSuccess) && certificateUsage == 0x0000) {
-+ if (*currUsage ==
-+ ( certUsageUserCertImport |
-+ certUsageVerifyCA |
-+ certUsageProtectedObjectSigner |
-+ certUsageAnyCA )) {
-+
-+ /* the cert is good for nothing
-+ The folllowing usages cannot be verified:
-+ certUsageAnyCA
-+ certUsageProtectedObjectSigner
-+ certUsageUserCertImport
-+ certUsageVerifyCA
-+ (0x0b80) */
-+ rv =SECFailure;
-+ }
-+ }
- }
-
- finish:
-@@ -1617,6 +1631,49 @@ finish:
- if(cert != NULL) {
- CERT_DestroyCertificate(cert);
- }
-+
-+ return rv;
-+}
-+
-+/***********************************************************************
-+ * CryptoManager.verifyCertificateNowCUNative
-+ *
-+ * Returns jint which contains bits in SECCertificateUsage that reflects
-+ * the cert usage(s) that the cert is good for
-+ * if the cert is good for nothing, returned value is
-+ * (0x0b80):
-+ * certUsageUserCertImport |
-+ * certUsageVerifyCA |
-+ * certUsageProtectedObjectSigner |
-+ * certUsageAnyCA
-+ */
-+JNIEXPORT jint JNICALL
-+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
-+ jobject self, jstring nickString, jboolean checkSig)
-+{
-+ SECStatus rv = SECFailure;
-+ SECCertificateUsage currUsage = 0x0000;
-+
-+ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);
-+ /* rv is ignored */
-+
-+ return currUsage;
-+}
-+
-+/***********************************************************************
-+ * CryptoManager.verifyCertificateNowNative
-+ *
-+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
-+ */
-+JNIEXPORT jboolean JNICALL
-+Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
-+ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
-+{
-+ SECStatus rv = SECFailure;
-+ SECCertificateUsage currUsage = 0x0000;
-+
-+ rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
-+
- if( rv == SECSuccess) {
- return JNI_TRUE;
- } else {
-@@ -1624,7 +1681,6 @@ finish:
- }
- }
-
--
- /***********************************************************************
- * CryptoManager.verifyCertNowNative
- * note: this calls obsolete NSS function
diff --git a/SOURCES/jss-WindowsCompileFix.patch b/SOURCES/jss-WindowsCompileFix.patch
deleted file mode 100644
index 20e2ea3..0000000
--- a/SOURCES/jss-WindowsCompileFix.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfu 2015-04-23 13:25:45.104249135 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2015-04-23 13:39:29.958813779 -0700
-@@ -49,10 +49,12 @@
-
- #ifdef WINNT
- #include <private/pprio.h>
-+#define AF_INET6 23
- #endif
-
- #ifdef WIN32
- #include <winsock.h>
-+#define AF_INET6 23
- #endif
-
-
-@@ -66,6 +68,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_setSS
- {
- SECStatus status;
- SSLVersionRange vrange;
-+ SSLVersionRange supported_range;
-
- if (ssl_variant <0 || ssl_variant >= JSSL_enums_size||
- min <0 || min >= JSSL_enums_size ||
-@@ -80,7 +83,6 @@ Java_org_mozilla_jss_ssl_SSLSocket_setSS
- vrange.max = JSSL_enums[max];
-
- /* get supported range */
-- SSLVersionRange supported_range;
- status = SSL_VersionRangeGetSupported(JSSL_enums[ssl_variant],
- &supported_range);
- if( status != SECSuccess ) {
diff --git a/SOURCES/jss-WindowsLoadLibrary.patch b/SOURCES/jss-WindowsLoadLibrary.patch
deleted file mode 100644
index 23b8913..0000000
--- a/SOURCES/jss-WindowsLoadLibrary.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.cfu 2015-07-08 12:02:13.192000000 +0200
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2015-07-08 12:04:56.213000000 +0200
-@@ -1404,17 +1404,23 @@ public final class CryptoManager impleme
- synchronized static void loadNativeLibraries()
- {
- if( ! mNativeLibrariesLoaded ) {
-- try {
-+ try { // 64 bit rhel/fedora
- System.load( "/usr/lib64/jss/libjss4.so" );
- Debug.trace(Debug.VERBOSE, "jss library loaded");
- mNativeLibrariesLoaded = true;
- } catch( UnsatisfiedLinkError e ) {
-- try {
-+ try { // 32 bit rhel/fedora
- System.load( "/usr/lib/jss/libjss4.so" );
- Debug.trace(Debug.VERBOSE, "jss library loaded");
- mNativeLibrariesLoaded = true;
- } catch( UnsatisfiedLinkError f ) {
-- Debug.trace(Debug.VERBOSE, "jss library load failed");
-+ try {// possibly other platforms
-+ System.loadLibrary( "jss4" );
-+ Debug.trace(Debug.VERBOSE, "jss library loaded");
-+ mNativeLibrariesLoaded = true;
-+ } catch( UnsatisfiedLinkError g ) {
-+ Debug.trace(Debug.VERBOSE, "jss library load failed");
-+ }
- }
- }
- }
diff --git a/SOURCES/jss-bad-error-string-pointer.patch b/SOURCES/jss-bad-error-string-pointer.patch
deleted file mode 100644
index 05244c3..0000000
--- a/SOURCES/jss-bad-error-string-pointer.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.c 2010-11-17 18:54:56.000000000 -0500
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.c 2010-11-18 09:46:34.000000000 -0500
-@@ -124,20 +124,16 @@
- /* Clean up after PR_interrupt. */
- PR_NT_CancelIo(sock->fd);
- #endif
-- JSSL_throwSSLSocketException(env,
-- "Accept operation interrupted with error code " + err);
-+ JSSL_throwSSLSocketException(env, "Accept operation interrupted");
- } else if( err == PR_IO_TIMEOUT_ERROR ) {
- #ifdef WINNT
- PR_NT_CancelIo(sock->fd);
- #endif
-- JSSL_throwSSLSocketException(env,
-- "Accept operation timed out with error code " + err);
-+ JSSL_throwSSLSocketException(env, "Accept operation timed out");
- } else if( err == PR_IO_ERROR ) {
-- JSSL_throwSSLSocketException(env,
-- "Accept operation received IO error with error code " + err);
-+ JSSL_throwSSLSocketException(env, "Accept operation received IO error");
- } else {
-- JSSL_throwSSLSocketException(env,
-- "Accept operation failed with error code " + err);
-+ JSSL_throwSSLSocketException(env, "Accept operation failed");
- }
- goto finish;
- }
diff --git a/SOURCES/jss-crmf-envelopedData.patch b/SOURCES/jss-crmf-envelopedData.patch
deleted file mode 100644
index 13c21d7..0000000
--- a/SOURCES/jss-crmf-envelopedData.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java.roysjosh jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java.roysjosh 2016-06-24 14:51:48.929122053 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java 2016-06-24 14:52:29.487027005 -0700
-@@ -127,7 +127,8 @@ public class EncryptedKey implements ASN
- } else {
- Assert._assert(type == ENVELOPED_DATA);
- Assert._assert(envelopedData != null);
-- envelopedData.encode(implicitTag, ostream);
-+ EXPLICIT explicit = new EXPLICIT( new Tag(0), envelopedData );
-+ explicit.encode(tag, ostream);
- }
- }
-
-@@ -147,7 +148,9 @@ public class EncryptedKey implements ASN
- choicet = new CHOICE.Template();
-
- choicet.addElement( EncryptedValue.getTemplate() );
-- choicet.addElement( new Tag(0), ANY.getTemplate() );
-+ choicet.addElement( new EXPLICIT.Template(
-+ new Tag(0),
-+ ANY.getTemplate() ));
- }
-
- public boolean tagMatch(Tag tag) {
-@@ -164,7 +167,7 @@ public class EncryptedKey implements ASN
- return new EncryptedKey( (EncryptedValue) choice.getValue() );
- } else {
- Assert._assert( choice.getTag().equals(new Tag(0)) );
-- return new EncryptedKey( (ANY) choice.getValue() );
-+ return new EncryptedKey( (ANY) ((EXPLICIT) choice.getValue()).getContent() );
- }
-
- } catch(InvalidBERException e) {
diff --git a/SOURCES/jss-eliminate-java-compiler-warnings.patch b/SOURCES/jss-eliminate-java-compiler-warnings.patch
deleted file mode 100644
index 1df99d3..0000000
--- a/SOURCES/jss-eliminate-java-compiler-warnings.patch
+++ /dev/null
@@ -1,641 +0,0 @@
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2011-08-10 16:21:30.837765000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2011-08-12 13:13:34.449664000 -0700
-@@ -1125,7 +1125,7 @@ public final class CryptoManager impleme
- * Imports a single certificate into the permanent certificate
- * database.
- *
-- * @param derCert the certificate you want to add
-+ * @param cert the certificate you want to add
- * @param nickname the nickname you want to refer to the certificate as
- * (must not be null)
- */
-@@ -1391,11 +1391,11 @@ public final class CryptoManager impleme
- public static final String
- JAR_JDK_VERSION = "JDK_VERSION = N/A";
- public static final String
-- JAR_NSS_VERSION = "NSS_VERSION = NSS_3_11_9_RTM";
-+ JAR_NSS_VERSION = "NSS_VERSION = N/A";
- public static final String
- JAR_DBM_VERSION = "DBM_VERSION = N/A";
- public static final String
-- JAR_NSPR_VERSION = "NSPR_VERSION = NSPR_4_7_RTM";
-+ JAR_NSPR_VERSION = "NSPR_VERSION = N/A";
-
- /**
- * Loads the JSS dynamic library if necessary.
-@@ -1433,8 +1433,8 @@ public final class CryptoManager impleme
- * this thread's token to <tt>null</tt> will also cause the
- * InternalKeyStorageToken to be used.
- *
-- * @param The token to use for crypto operations. Specifying <tt>null</tt>
-- * will cause the InternalKeyStorageToken to be used.
-+ * @param token The token to use for crypto operations. Specifying
-+ * <tt>null</tt> will cause the InternalKeyStorageToken to be used.
- */
- public void setThreadToken(CryptoToken token) {
- if( token != null ) {
-@@ -1579,7 +1579,7 @@ public final class CryptoManager impleme
- * Verify a certificate in memory. Check if
- * valid and that we trust the issuer. Verify time
- * against Now.
-- * @param certificate in memory
-+ * @param certPackage certificate in memory
- * @param checkSig verify the signature of the certificate
- * @param certUsage see exposed certUsage defines to verify Certificate
- * @return true for success; false otherwise
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java 2011-08-10 17:29:33.476661000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java 2011-08-12 11:00:26.456852000 -0700
-@@ -51,7 +51,7 @@ public final class JSSProvider extends j
-
- private static int JSS_MAJOR_VERSION = 4;
- private static int JSS_MINOR_VERSION = 2;
-- private static int JSS_PATCH_VERSION = 5;
-+ private static int JSS_PATCH_VERSION = 6;
- private static double JSS_VERSION = JSS_MAJOR_VERSION +
- (JSS_MINOR_VERSION * 100 +
- JSS_PATCH_VERSION)/10000.0;
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2004-04-25 08:02:21.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2011-08-12 13:10:50.781827000 -0700
-@@ -144,8 +144,8 @@ public abstract class Cipher {
- * <i>B</i> is the block size, the padding string consists of
- * <i>B</i> - (<i>M</i> mod <i>B</i>) octets, each having the value
- * <i>B</i> - (<i>M</i> mod <i>B</i>).
-- * @param The block size of the encryption algorithm. Must be greater
-- * than zero.
-+ * @param blockSize The block size of the encryption algorithm.
-+ * Must be greater than zero.
- * @see #unPad
- */
- public static byte[]
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2007-11-09 16:37:56.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2011-08-12 11:07:20.326438000 -0700
-@@ -194,7 +194,7 @@ public interface CryptoToken {
- * Login to the token. If a token is logged in, it will not trigger
- * password callbacks.
- *
-- * @param password The password for this token.
-+ * @param pwcb The password callback for this token.
- * @exception IncorrectPasswordException If the supplied password is
- * incorrect.
- * @see #setLoginMode
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2004-04-25 08:02:21.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2011-08-12 11:08:37.747360000 -0700
-@@ -88,7 +88,7 @@ public abstract class JSSMessageDigest {
- * Completes digestion.
- *
- * @return The, ahem, output of the digest operation.
-- * @param If an error occurs while digesting.
-+ * @exception DigestException If an error occurs while digesting.
- */
- public byte[] digest() throws DigestException {
- byte[] output = new byte[getOutputSize()];
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java 2004-04-25 08:02:21.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java 2011-08-12 11:09:41.345296000 -0700
-@@ -60,7 +60,7 @@ public class PBEKeyGenParams implements
- * Must not be null. It is the responsibility of the caller to
- * use the right salt length for the algorithm. Most algorithms
- * use 8 bytes of salt.
-- * @param The iteration count for the PBE algorithm.
-+ * @param iterations The iteration count for the PBE algorithm.
- */
- public PBEKeyGenParams(Password pass, byte[] salt, int iterations) {
- if(pass==null || salt==null) {
-@@ -80,7 +80,7 @@ public class PBEKeyGenParams implements
- * Must not be null. It is the responsibility of the caller to
- * use the right salt length for the algorithm. Most algorithms
- * use 8 bytes of salt.
-- * @param The iteration count for the PBE algorithm.
-+ * @param iterations The iteration count for the PBE algorithm.
- */
- public PBEKeyGenParams(char[] pass, byte[] salt, int iterations) {
- if(pass==null || salt==null) {
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2007-11-09 16:37:57.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-08-12 11:13:51.807047000 -0700
-@@ -228,8 +228,8 @@ public final class PK11Token implements
- * Initialize PIN. This sets the user's new PIN, using the current
- * security officer PIN for authentication.
- *
-- * @param ssopw The security officer's current password.
-- * @param userpw The user's new password.
-+ * @param ssopwcb The security officer's current password callback.
-+ * @param userpwcb The user's new password callback.
- * @exception IncorrectPinException If the security officer PIN is
- * incorrect.
- * @exception TokenException If the PIN was already initialized,
-@@ -322,8 +322,8 @@ public final class PK11Token implements
- * Change password. This changes the user's PIN after it has already
- * been initialized.
- *
-- * @param oldPIN The user's old PIN.
-- * @param newPIN The new PIN.
-+ * @param oldPINcb The user's old PIN callback.
-+ * @param newPINcb The new PIN callback.
- * @exception IncorrectPasswordException If the old PIN is incorrect.
- * @exception TokenException If some other error occurs on the token.
- *
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java 2005-09-22 10:58:35.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java 2011-08-12 11:14:44.011995000 -0700
-@@ -288,7 +288,7 @@ public final class SafeBag implements AS
- * as the nickname of the associated cert.
- * @param localKeyID The localKeyID for the key; should be the same as
- * the localKeyID of the associated cert.
-- * @param The password used to encrypt the private key.
-+ * @param password The password used to encrypt the private key.
- */
- public static SafeBag
- createEncryptedPrivateKeyBag(PrivateKeyInfo privk, String friendlyName,
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java 2004-04-25 08:02:23.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java 2011-08-12 11:12:13.957145000 -0700
-@@ -430,7 +430,6 @@ public class SignerInfo implements ASN1V
- * SignerInfo.
- * @param contentType The type of the content that is signed by this
- * SignerInfo.
-- * @param pubkey The public key to use to verify the signature.
- * @exception NoSuchObjectException If no certificate matching the
- * the issuer name and serial number can be found.
- */
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java 2004-11-18 14:56:11.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java 2011-08-12 11:20:39.240639000 -0700
-@@ -108,7 +108,7 @@ public class CMCStatusInfo implements AS
- * @param status A CMCStatus constant.
- * @param bodyList The sequence of bodyPartID.
- * @param statusString A String.
-- * @param OtherInfo The OtherInfo choice.
-+ * @param otherInfo The OtherInfo choice.
- */
- public CMCStatusInfo(int status, SEQUENCE bodyList, String
- statusString, OtherInfo otherInfo) {
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java 2006-05-23 20:18:17.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java 2011-08-12 11:21:27.389591000 -0700
-@@ -88,7 +88,6 @@ public class PKIStatusInfo implements AS
- /**
- * Create a PKIStatusInfo with no failure info.
- * @param status A PKIStatus constant.
-- * @param failInfo The bitwise AND of the PKIFailureInfo constants.
- */
- public PKIStatusInfo(int status) {
- this.status = new INTEGER(status);
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java 2004-04-25 08:02:26.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java 2011-08-12 11:20:11.194667000 -0700
-@@ -115,10 +115,6 @@ public class DirectoryString implements
-
- /**
- * Converts an ASN.1 DirectoryString to a Java string.
-- *
-- * @param dirstr An ANY containing a BER-encoded DirectoryString.
-- * @exception InvalidBERException If the encoding does not contain a
-- * valid DirectoryString.
- */
- public String toString() {
- return asn1String.toString();
-@@ -176,6 +172,8 @@ public class DirectoryString implements
- /**
- * @param implicitTag <b>This paramter is ignored</b>, because
- * DirectoryStrings (being CHOICEs) cannot have implicit tags.
-+ * @exception InvalidBERException If the encoding does not contain a
-+ * valid DirectoryString.
- */
- public ASN1Value decode(Tag implicitTag, InputStream istream)
- throws IOException, InvalidBERException
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java 2003-04-28 14:48:33.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java 2011-08-12 10:58:39.589958000 -0700
-@@ -91,14 +91,18 @@ class JSSSecretKeyFactorySpi extends Sec
- // versions is to use the reflection API.
- Class specClass = spec.getClass();
- try {
-- Method getSaltMethod = specClass.getMethod("getSalt", null);
-+ Method getSaltMethod = specClass.getMethod("getSalt",
-+ (java.lang.Class) null);
- Method getIterationMethod =
-- specClass.getMethod("getIterationCount", null);
-+ specClass.getMethod("getIterationCount",
-+ (java.lang.Class) null);
-
-- byte[] salt = (byte[]) getSaltMethod.invoke(spec, null);
-+ byte[] salt = (byte[]) getSaltMethod.invoke(spec,
-+ (java.lang.Class) null);
-
- Integer itCountObj =
-- (Integer) getIterationMethod.invoke(spec,null);
-+ (Integer) getIterationMethod.invoke(spec,
-+ (java.lang.Class) null);
- int iterationCount = itCountObj.intValue();
-
- Password pass = new Password(spec.getPassword());
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2011-08-10 16:21:30.412765000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2011-08-12 11:47:38.385021000 -0700
-@@ -182,11 +182,11 @@ public class SSLSocket extends java.net.
- }
-
- /**
-- * Creates an SSL client socket and connects to the specified host and
-+ * Creates an SSL client socket and connects to the specified address and
- * port. Binds to the given local address and port. Installs the given
- * callbacks for certificate approval and client certificate selection.
- *
-- * @param host The hostname to connect to.
-+ * @param address The IP address to connect to.
- * @param port The port to connect to.
- * @param localAddr The local address to bind to. It can be null, in which
- * case an unspecified local address will be chosen.
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java 2006-02-23 08:47:17.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java 2011-08-12 13:11:11.790805000 -0700
-@@ -96,7 +96,7 @@ public class HMACTest {
-
- /**
- * Main test method.
-- * @params args[]
-+ * @param argv
- */
- public static void main(String []argv) {
-
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2011-08-10 16:21:30.337766000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2011-08-12 11:53:56.192644000 -0700
-@@ -116,9 +116,9 @@ public class JCASymKeyGen {
- }
- /**
- *
-- * @param key
-- * @param kg
-- * @return
-+ * @param keyType
-+ * @param provider
-+ * @return javax.crypto.SecretKey key
- */
- public javax.crypto.SecretKey genSecretKey(String keyType, String provider){
- javax.crypto.SecretKey key = null;
-@@ -155,7 +155,7 @@ public class JCASymKeyGen {
- *
- * @param keyType
- * @param provider
-- * @return
-+ * @return javax.crypto.SecretKey key
- */
- public javax.crypto.SecretKey genPBESecretKey(String keyType,
- String provider){
-@@ -197,8 +197,10 @@ public class JCASymKeyGen {
- /**
- *
- * @param sKey
-- * @param AlgType
-- * @param provider
-+ * @param algFamily
-+ * @param algType
-+ * @param providerForEncrypt
-+ * @param providerForDecrypt
- */
- public void testCipher(javax.crypto.SecretKey sKey, String algFamily,
- String algType, String providerForEncrypt, String providerForDecrypt)
-@@ -304,8 +306,10 @@ public class JCASymKeyGen {
- /**
- *
- * @param sKey
-- * @param AlgType
-- * @param provider
-+ * @param algFamily
-+ * @param algType
-+ * @param providerForEncrypt
-+ * @param providerForDecrypt
- */
- public void testMultiPartCipher(javax.crypto.SecretKey sKey, String algFamily,
- String algType, String providerForEncrypt, String providerForDecrypt)
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java 2007-11-15 13:30:19.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java 2011-08-12 12:56:15.480701000 -0700
-@@ -78,7 +78,7 @@ public class JSSE_SSLClient {
-
- /**
- * Set the protocol type and revision
-- * @param String sslRevision
-+ * @param fSslRevision
- */
- public void setSslRevision(String fSslRevision) {
-
-@@ -91,7 +91,7 @@ public class JSSE_SSLClient {
-
- /**
- * Set the host name to connect to.
-- * @param String hostname
-+ * @param fHost
- */
- public void setHost(String fHost) {
- this.host = fHost;
-@@ -99,7 +99,7 @@ public class JSSE_SSLClient {
-
- /**
- * Set the port number to connect to.
-- * @param int portnumber
-+ * @param fPort
- */
- public void setPort(int fPort) {
- this.port = fPort;
-@@ -107,7 +107,7 @@ public class JSSE_SSLClient {
-
- /**
- * Set the cipher suite name to use.
-- * @param String cipherSuiteName
-+ * @param fCipherSuite
- */
- public void setCipherSuite(String fCipherSuite) {
- this.cipherName = fCipherSuite;
-@@ -115,7 +115,7 @@ public class JSSE_SSLClient {
-
- /**
- * Set the location of rsa.pfx
-- * @param String fKeystoreLoc
-+ * @param fKeystoreLoc
- */
- public void setKeystoreLoc(String fKeystoreLoc) {
- keystoreLoc = fKeystoreLoc + "/" + keystoreLoc;
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java 2007-11-15 13:30:19.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java 2011-08-12 12:57:18.987637000 -0700
-@@ -75,7 +75,7 @@ public class JSSE_SSLServer {
-
- /**
- * Set the provider to use.
-- * @param String p
-+ * @param p
- */
- public void setProvider(String p) {
- provider = p;
-@@ -90,7 +90,7 @@ public class JSSE_SSLServer {
- }
- /**
- * Set the location of keystore file.
-- * @param String fconfigDir
-+ * @param fconfigDir
- */
- public void setKeystore(String fconfigDir) {
- configDir = fconfigDir;
-@@ -117,7 +117,7 @@ public class JSSE_SSLServer {
-
- /**
- * Start SSLServer and accept connections.
-- * @param args[]
-+ * @param args
- */
- public void startSSLServer(String[] args) throws Exception {
- String configDir = "";
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java 2005-08-11 11:28:59.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java 2011-08-12 12:50:45.946239000 -0700
-@@ -79,7 +79,7 @@ public class JSS_FileUploadClient {
- /**
- * Initialize the desired cipher to be set
- * on the socket.
-- * @param int Cipher
-+ * @param aCipher
- */
- public void setCipher(int aCipher) {
- fCipher = aCipher;
-@@ -87,7 +87,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Initialize the hostname to run the server
-- * @param String ServerName
-+ * @param aHostName
- */
- public void setHostName(String aHostName) {
- serverHost = aHostName;
-@@ -95,7 +95,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Initialize the port to run the server
-- * @param int port
-+ * @param aPort
- */
- public void setPort(int aPort) {
- port = aPort;
-@@ -103,7 +103,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Initialize the passwords file name
-- * @param String passwords
-+ * @param aPasswordFile
- */
- public void setPasswordFile(String aPasswordFile) {
- fPasswordFile = aPasswordFile;
-@@ -111,7 +111,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Initialize the cert db path name
-- * @param String CertDbPath
-+ * @param aCertDbPath
- */
- public void setCertDbPath(String aCertDbPath) {
- fCertDbPath = aCertDbPath;
-@@ -120,7 +120,7 @@ public class JSS_FileUploadClient {
- /**
- * Initialize the name of the file to
- * be used for testing along with full path.
-- * @param String UploadFile
-+ * @param aUploadFile
- */
- public void setUploadFile(String aUploadFile) {
- fUploadFile = aUploadFile;
-@@ -128,7 +128,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Enable/disable Test Cert Callback.
-- * @param boolean
-+ * @param aTestCertCallback
- */
- public void setTestCertCallback(boolean aTestCertCallback) {
- TestCertCallBack = aTestCertCallback;
-@@ -136,7 +136,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Set client certificate
-- * @param String Certificate Nick Name
-+ * @param aClientCertNick Certificate Nick Name
- */
- public void setClientCertNick(String aClientCertNick) {
- clientCertNick = aClientCertNick;
-@@ -170,7 +170,7 @@ public class JSS_FileUploadClient {
-
- /**
- * Set EOF for closinng server socket
-- * @param null for closing server socket
-+ * @param fEof null for closing server socket
- */
- public void setEOF(String fEof) {
- this.EOF = fEof;
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java 2007-08-20 17:07:58.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java 2011-08-12 12:54:46.978789000 -0700
-@@ -99,7 +99,7 @@ public class JSS_SSLClient {
- /**
- * Initialize the desired cipher to be set
- * on the socket.
-- * @param int Cipher
-+ * @param aCipher
- */
- public void setCipher(int aCipher) {
- fCipher = aCipher;
-@@ -107,7 +107,7 @@ public class JSS_SSLClient {
-
- /**
- * Initialize the hostname to run the server
-- * @param String ServerName
-+ * @param aHostName
- */
- public void setHostName(String aHostName) {
- serverHost = aHostName;
-@@ -115,7 +115,7 @@ public class JSS_SSLClient {
-
- /**
- * Initialize the port to run the server
-- * @param int port
-+ * @param aPort
- */
- public void setPort(int aPort) {
- port = aPort;
-@@ -123,7 +123,7 @@ public class JSS_SSLClient {
-
- /**
- * Initialize the passwords file name
-- * @param String passwords
-+ * @param aPasswordFile
- */
- public void setPasswordFile(String aPasswordFile) {
- fPasswordFile = aPasswordFile;
-@@ -131,7 +131,7 @@ public class JSS_SSLClient {
-
- /**
- * Initialize the cert db path name
-- * @param String CertDbPath
-+ * @param aCertDbPath
- */
- public static void setCertDbPath(String aCertDbPath) {
- fCertDbPath = aCertDbPath;
-@@ -147,7 +147,7 @@ public class JSS_SSLClient {
-
- /**
- * Enable/disable Test Cert Callback.
-- * @param boolean
-+ * @param bypass
- */
- public void setBypass(boolean bypass) {
- testBypass = bypass;
-@@ -155,7 +155,7 @@ public class JSS_SSLClient {
-
- /**
- * Enable/disable Test Cert Callback.
-- * @param boolean
-+ * @param aTestCertCallback
- */
- public void setTestCertCallback(boolean aTestCertCallback) {
- TestCertCallBack = aTestCertCallback;
-@@ -163,7 +163,7 @@ public class JSS_SSLClient {
-
- /**
- * Set client certificate
-- * @param String Certificate Nick Name
-+ * @param aClientCertNick Certificate Nick Name
- */
- public void setClientCertNick(String aClientCertNick) {
- clientCertNick = aClientCertNick;
-@@ -197,7 +197,7 @@ public class JSS_SSLClient {
-
- /**
- * Set EOF for closinng server socket
-- * @param null for closing server socket
-+ * @param fEof null for closing server socket
- */
- public void setEOF(String fEof) {
- this.EOF = fEof;
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java 2007-11-15 13:30:19.000000000 -0800
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java 2011-08-12 12:52:43.644913000 -0700
-@@ -326,7 +326,7 @@ public class JSS_SelfServClient implemen
- /**
- * Initialize the desired ciphersuite to be set
- * on the socket.
-- * @param int Cipher
-+ * @param aCipher
- */
- public void setCipher(int aCipher) {
-
-@@ -378,7 +378,7 @@ public class JSS_SelfServClient implemen
-
- /**
- * Initialize the hostname to run the server
-- * @param String ServerName
-+ * @param aHostName
- */
- public void setHostName(String aHostName) {
- serverHost = aHostName;
-@@ -386,7 +386,7 @@ public class JSS_SelfServClient implemen
-
- /**
- * Initialize the port to run the server
-- * @param int port
-+ * @param aPort
- */
- public void setPort(int aPort) {
- port = aPort;
-@@ -394,7 +394,7 @@ public class JSS_SelfServClient implemen
-
- /**
- * Initialize the passwords file name
-- * @param String passwords
-+ * @param aPasswordFile
- */
- public void setPasswordFile(String aPasswordFile) {
- fPasswordFile = aPasswordFile;
-@@ -402,7 +402,7 @@ public class JSS_SelfServClient implemen
-
- /**
- * Initialize the cert db path name
-- * @param String CertDbPath
-+ * @param aCertDbPath
- */
- public void setCertDbPath(String aCertDbPath) {
- fCertDbPath = aCertDbPath;
-@@ -410,7 +410,7 @@ public class JSS_SelfServClient implemen
-
- /**
- * Enable/disable Test Cert Callback.
-- * @param boolean
-+ * @param aTestCertCallback
- */
- public void setTestCertCallback(boolean aTestCertCallback) {
- TestCertCallBack = aTestCertCallback;
-@@ -418,7 +418,7 @@ public class JSS_SelfServClient implemen
-
- /**
- * Set client certificate
-- * @param String Certificate Nick Name
-+ * @param aClientCertNick Certificate Nick Name
- */
- public void setClientCertNick(String aClientCertNick) {
- clientCertNick = aClientCertNick;
-diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java
---- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 2007-08-23 16:21:13.000000000 -0700
-+++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 2011-08-12 12:58:27.925569000 -0700
-@@ -78,7 +78,7 @@ public class SSLClientAuth implements Ru
- * @param rand
- * @param extensions
- * @throws java.lang.Exception
-- * @return
-+ * @return Certificate
- */
- public static Certificate makeCert(String issuerName, String subjectName,
- int serialNumber, PrivateKey privKey, PublicKey pubKey, int rand,
diff --git a/SOURCES/jss-eliminate-native-compiler-warnings.patch b/SOURCES/jss-eliminate-native-compiler-warnings.patch
deleted file mode 100644
index d981eb7..0000000
--- a/SOURCES/jss-eliminate-native-compiler-warnings.patch
+++ /dev/null
@@ -1,621 +0,0 @@
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-08-10 16:21:30.609765000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-08-11 17:54:57.255176000 -0700
-@@ -55,7 +55,7 @@
-
- #include "pk11util.h"
-
--#if defined(AIX) || defined(HPUX) || defined(LINUX)
-+#if defined(AIX) || defined(HPUX)
- #include <signal.h>
- #endif
-
-@@ -90,11 +90,11 @@ const char * jss_sccsid() {
- /********************************************************************/
-
- /* JSS_VERSION from mozilla/security/jss/org/mozilla/jss/util/jssver.h */
--static const char* DLL_JSS_VERSION = "JSS_VERSION = " JSS_VERSION;
-+static const char* VARIABLE_MAY_NOT_BE_USED DLL_JSS_VERSION = "JSS_VERSION = " JSS_VERSION;
- /* NSS_VERSION from mozilla/security/nss/lib/nss/nss.h */
--static const char* DLL_NSS_VERSION = "NSS_VERSION = " NSS_VERSION;
-+static const char* VARIABLE_MAY_NOT_BE_USED DLL_NSS_VERSION = "NSS_VERSION = " NSS_VERSION;
- /* NSPR_version from mozilla/nsprpub/pr/include/prinit.h */
--static const char* DLL_NSPR_VERSION = "NSPR_VERSION = " PR_VERSION;
-+static const char* VARIABLE_MAY_NOT_BE_USED DLL_NSPR_VERSION = "NSPR_VERSION = " PR_VERSION;
-
-
-
-@@ -106,13 +106,13 @@ static char*
- getPWFromCallback(PK11SlotInfo *slot, PRBool retry, void *arg);
-
- /*************************************************************
-- * AIX, HP, and Linux signal handling madness
-+ * AIX and HP signal handling madness
- *
- * In order for the JVM, kernel, and NSPR to work together, we setup
- * a signal handler for SIGCHLD that does nothing. This is only done
-- * on AIX, HP, and Linux.
-+ * on AIX and HP.
- *************************************************************/
--#if defined(AIX) || defined(HPUX) || defined(LINUX)
-+#if defined(AIX) || defined(HPUX)
-
- static PRStatus
- handleSigChild(JNIEnv *env) {
-@@ -333,8 +333,6 @@ Java_org_mozilla_jss_CryptoManager_initi
- jboolean initializeJavaOnly )
- {
- SECStatus rv = SECFailure;
-- JavaVM *VMs[5];
-- jint numVMs;
- char *szConfigDir = NULL;
- char *szCertPrefix = NULL;
- char *szKeyPrefix = NULL;
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-08-10 16:21:30.849767000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-08-10 18:22:37.887077000 -0700
-@@ -263,7 +263,7 @@ JNIEXPORT jobject JNICALL
- Java_org_mozilla_jss_CryptoManager_findPrivKeyByCertNative
- (JNIEnv *env, jobject this, jobject Cert)
- {
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread=NULL;
- CERTCertificate *cert;
- PK11SlotInfo *slot;
- SECKEYPrivateKey *privKey=NULL;
-@@ -458,7 +458,7 @@ JNIEXPORT jobjectArray JNICALL
- Java_org_mozilla_jss_CryptoManager_buildCertificateChainNative
- (JNIEnv *env, jobject this, jobject leafCert)
- {
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread=NULL;
- CERTCertificate *leaf;
- jobjectArray chainArray=NULL;
- CERTCertDBHandle *certdb;
-@@ -812,7 +812,7 @@ Java_org_mozilla_jss_CryptoManager_impor
- SECItem *derCerts=NULL;
- int certi= -1;
- SECItem theDerCert;
-- int numCerts;
-+ int numCerts = 0;
- jbyte *packageBytes=NULL;
- jsize packageLen;
- SECStatus status;
-@@ -1486,7 +1486,7 @@ Java_org_mozilla_jss_CryptoManager_impor
- CERTSignedCrl *crl = NULL;
- SECItem *packageItem = NULL;
- int status = SECFailure;
-- char *url;
-+ char *url = NULL;
- char *errmsg = NULL;
-
- /***************************************************
-@@ -1651,7 +1651,7 @@ JNIEXPORT jint JNICALL
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
- jobject self, jstring nickString, jboolean checkSig)
- {
-- SECStatus rv = SECFailure;
-+ SECStatus VARIABLE_MAY_NOT_BE_USED rv = SECFailure;
- SECCertificateUsage currUsage = 0x0000;
-
- rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);
-@@ -1736,7 +1736,6 @@ Java_org_mozilla_jss_CryptoManager_verif
- SECStatus rv = SECFailure;
- SECCertUsage certUsage;
- SECItem *derCerts[2];
-- SECStatus status;
- CERTCertificate **certArray = NULL;
- CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
-
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c 2003-12-19 11:36:30.000000000 -0800
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c 2011-08-10 16:58:52.527501000 -0700
-@@ -358,7 +358,6 @@ Java_org_mozilla_jss_SecretDecoderRing_K
- {
- PK11SlotInfo *slot = NULL;
- PK11SymKey *symk = NULL;
-- SECStatus status;
-
- /* get the slot */
- if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS ) {
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c 2004-04-25 08:02:21.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c 2011-08-11 09:40:34.001421000 -0700
-@@ -371,7 +371,7 @@ Java_org_mozilla_jss_crypto_PQGParams_pa
- /***********************************************************************
- * Perform the verification.
- */
-- if( PK11_PQG_VerifyParams(pParams, pVfy, &verifyResult) != PR_SUCCESS) {
-+ if( PK11_PQG_VerifyParams(pParams, pVfy, &verifyResult) != SECSuccess) {
- JSS_throw(env, OUT_OF_MEMORY_ERROR);
- goto finish;
- }
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c 2004-04-25 08:02:22.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c 2011-08-10 18:30:07.942629000 -0700
-@@ -62,7 +62,7 @@
- JNIEXPORT jbyteArray JNICALL Java_org_mozilla_jss_pkcs11_PK11Cert_getEncoded
- (JNIEnv *env, jobject this)
- {
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
- CERTCertificate *cert;
- SECItem *derCert;
- jbyteArray derArray=NULL;
-@@ -118,9 +118,9 @@ finish:
- JNIEXPORT jint JNICALL Java_org_mozilla_jss_pkcs11_PK11Cert_getVersion
- (JNIEnv *env, jobject this)
- {
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
- CERTCertificate *cert;
-- long lVersion;
-+ long lVersion = 0;
-
- pThread = PR_AttachThread(PR_SYSTEM_THREAD, 0, NULL);
- PR_ASSERT(pThread != NULL);
-@@ -165,7 +165,7 @@ Java_org_mozilla_jss_pkcs11_PK11Cert_get
- {
- CERTCertificate *cert;
- SECKEYPublicKey *pubk=NULL;
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
- jobject pubKey=NULL;
-
- PR_ASSERT(env!=NULL && this!=NULL);
-@@ -210,7 +210,7 @@ Java_org_mozilla_jss_pkcs11_CertProxy_re
- (JNIEnv *env, jobject this)
- {
- CERTCertificate *cert;
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
-
- PR_ASSERT(env!=NULL && this!=NULL);
-
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c 2004-04-25 08:02:22.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c 2011-08-10 16:42:43.822494000 -0700
-@@ -73,7 +73,7 @@ Java_org_mozilla_jss_pkcs11_PK11Cipher_i
- SECItem *iv=NULL;
- PK11Context *context=NULL;
- CK_ATTRIBUTE_TYPE op;
-- jobject contextObj;
-+ jobject contextObj = NULL;
-
- PR_ASSERT(env!=NULL && clazz!=NULL && keyObj!=NULL && algObj!=NULL);
-
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2005-11-14 14:15:06.000000000 -0800
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-08-11 09:23:03.220470000 -0700
-@@ -207,7 +207,7 @@ finish:
- }
- #endif
-
--static void
-+static void FUNCTION_MAY_NOT_BE_USED
- print_secitem(SECItem *item) {
- int i;
- int online;
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-08-10 16:21:30.270767000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-08-10 18:33:11.773445000 -0700
-@@ -450,7 +450,7 @@ DumpItem(SECItem *item)
- for (i=0; i < item->len; i++) {
- printf(" %02x",data[i]);
- }
-- printf(" : 0x%08x %d\n", data, item->len);
-+ printf(" : %8p %d\n", data, item->len);
- }
-
- /**********************************************************************
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2006-02-22 17:21:42.000000000 -0800
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-08-10 16:52:03.052910000 -0700
-@@ -562,7 +562,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- jint keyLen, jbyteArray ivBA, jint usageEnum)
- {
- PK11SymKey *symKey=NULL;
-- CK_MECHANISM_TYPE wrappingMech, keyTypeMech;
-+ CK_MECHANISM_TYPE wrappingMech=0, keyTypeMech=0;
- SECItem *wrappedKey=NULL, *iv=NULL, *param=NULL;
- jobject keyObj=NULL;
- SECKEYPrivateKey *wrappingKey=NULL;
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2004-04-25 08:02:22.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-08-10 16:52:54.951857000 -0700
-@@ -88,7 +88,6 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD
- PK11Context *context = NULL;
- CK_MECHANISM_TYPE mech;
- SECItem param;
-- PK11SlotInfo *slot=NULL;
- jobject contextObj=NULL;
-
- mech = JSS_getPK11MechFromAlg(env, algObj);
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c 2007-02-23 09:40:21.000000000 -0800
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c 2011-08-10 16:53:28.788823000 -0700
-@@ -254,7 +254,7 @@ Java_org_mozilla_jss_pkcs11_ModuleProxy_
- {
- SECMODModule *module;
-
-- if (JSS_getPtrFromProxy(env, this, &module) != PR_SUCCESS) {
-+ if (JSS_getPtrFromProxy(env, this, (void **)&module) != PR_SUCCESS) {
- ASSERT_OUTOFMEM(env);
- goto finish;
- }
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c 2006-04-24 18:26:42.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c 2011-08-10 18:34:20.954376000 -0700
-@@ -174,7 +174,7 @@ JNIEXPORT jobject JNICALL
- Java_org_mozilla_jss_pkcs11_PK11PrivKey_getKeyType
- (JNIEnv *env, jobject this)
- {
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
- SECKEYPrivateKey *privk;
- KeyType keyType;
- char* keyTypeFieldName;
-@@ -259,7 +259,7 @@ Java_org_mozilla_jss_pkcs11_PrivateKeyPr
- (JNIEnv *env, jobject this)
- {
- SECKEYPrivateKey *privk;
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
-
- PR_ASSERT(env!=NULL && this!=NULL);
-
-@@ -358,7 +358,6 @@ Java_org_mozilla_jss_pkcs11_PK11PrivKey_
- (JNIEnv *env, jobject this)
- {
- SECKEYPrivateKey *key = NULL;
-- PK11SlotInfo *slot = NULL;
- SECItem *idItem = NULL;
- jbyteArray byteArray = NULL;
-
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2006-02-22 17:21:42.000000000 -0800
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-08-10 18:35:04.390333000 -0700
-@@ -62,7 +62,7 @@ JNIEXPORT void JNICALL Java_org_mozilla_
- (JNIEnv *env, jobject this)
- {
- SECKEYPublicKey *pubk;
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
-
- PR_ASSERT(env!=NULL && this!=NULL);
-
-@@ -179,7 +179,7 @@ JNIEXPORT void JNICALL
- Java_org_mozilla_jss_pkcs11_PK11PubKey_verifyKeyIsOnToken
- (JNIEnv *env, jobject this, jobject token)
- {
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
- SECKEYPublicKey *key = NULL;
- PK11SlotInfo *slot = NULL;
- PK11SlotInfo *keySlot = NULL;
-@@ -231,7 +231,7 @@ JNIEXPORT jobject JNICALL
- Java_org_mozilla_jss_pkcs11_PK11PubKey_getKeyType
- (JNIEnv *env, jobject this)
- {
-- PRThread *pThread;
-+ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
- SECKEYPublicKey *pubk;
- KeyType keyType;
- char* keyTypeFieldName;
-@@ -454,7 +454,7 @@ get_public_key_info
- {
- SECKEYPublicKey *pubk;
- jbyteArray byteArray=NULL;
-- SECItem *item;
-+ SECItem *item=NULL;
-
- PR_ASSERT(env!=NULL && this!=NULL);
-
-@@ -526,7 +526,6 @@ pubkFromRaw(JNIEnv *env, CK_KEY_TYPE typ
- {
- jobject pubkObj=NULL;
- SECKEYPublicKey *pubk=NULL;
-- SECStatus rv;
- SECItem *pubkDER=NULL;
-
- /* validate args */
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c 2005-01-28 11:16:11.000000000 -0800
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c 2011-08-10 18:36:05.252271000 -0700
-@@ -112,7 +112,7 @@ Java_org_mozilla_jss_pkcs11_PK11SecureRa
- * "C" data members
- */
-
-- PRThread* pThread = NULL;
-+ PRThread* VARIABLE_MAY_NOT_BE_USED pThread = NULL;
- SECStatus status = PR_FALSE;
- PK11SlotInfo* slot = NULL;
-
-@@ -262,7 +262,7 @@ Java_org_mozilla_jss_pkcs11_PK11SecureRa
- * "C" data members
- */
-
-- PRThread* pThread = NULL;
-+ PRThread* VARIABLE_MAY_NOT_BE_USED pThread = NULL;
- SECStatus status = PR_FALSE;
-
-
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2006-04-03 16:09:49.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-08-10 18:38:12.365145000 -0700
-@@ -319,7 +319,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de
- (JNIEnv *env, jobject this, jobject certObject)
- {
- CERTCertificate *cert;
-- SECStatus status;
-+ SECStatus VARIABLE_MAY_NOT_BE_USED status;
-
- PR_ASSERT(env!=NULL && this!=NULL);
- if(certObject == NULL) {
-@@ -349,7 +349,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de
- (JNIEnv *env, jobject this, jobject certObject)
- {
- CERTCertificate *cert;
-- SECStatus status;
-+ SECStatus VARIABLE_MAY_NOT_BE_USED status;
-
- PR_ASSERT(env!=NULL && this!=NULL);
- if(certObject == NULL) {
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2004-04-25 08:02:22.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2011-08-11 09:42:52.967282000 -0700
-@@ -233,7 +233,7 @@ Java_org_mozilla_jss_pkcs11_PK11SymKey_g
- jfieldID typeField=NULL;
- jobject typeObject=NULL;
-
-- if( JSS_PK11_getSymKeyPtr(env, this, &key) != SECSuccess ) {
-+ if( JSS_PK11_getSymKeyPtr(env, this, &key) != PR_SUCCESS ) {
- ASSERT_OUTOFMEM(env);
- goto finish;
- }
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2007-11-09 16:37:57.000000000 -0800
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-08-10 18:38:52.421104000 -0700
-@@ -961,9 +961,9 @@ JNIEXPORT jstring JNICALL Java_org_mozil
- jstring keyType, jbyteArray P, jbyteArray Q, jbyteArray G)
- {
- PK11SlotInfo *slot;
-- const char* c_subject;
-+ const char* c_subject=NULL;
- jboolean isCopy;
-- unsigned char *b64request;
-+ unsigned char *b64request=NULL;
- SECItem p, q, g;
- PQGParams *dsaParams=NULL;
- const char* c_keyType;
-@@ -1080,7 +1080,7 @@ GenerateCertRequest(JNIEnv *env,
- SECStatus rv;
- PRArenaPool *arena;
- SECItem result_der, result;
-- SECItem *blob;
-+ SECItem * VARIABLE_MAY_NOT_BE_USED blob;
- CK_MECHANISM_TYPE signMech;
- CK_MECHANISM_TYPE keygenMech;
-
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c 2003-09-24 15:20:05.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c 2011-08-10 16:57:42.991570000 -0700
-@@ -89,7 +89,6 @@ traverseTokenObjects
- SECKEYPublicKeyList* pubkList = NULL;
- PK11SymKey *symKey = NULL;
- CERTCertList *certList = NULL;
-- SECStatus secstat;
-
- /*
- * Get all private keys
-@@ -508,7 +507,6 @@ lookupCertByNickname(JNIEnv *env, jobjec
- {
- PK11SlotInfo *slot;
- EngineGetCertificateCBInfo cbinfo = {NULL,NULL};
-- jbyteArray derCertBA = NULL;
- PRStatus status = PR_FAILURE;
-
- if( alias == NULL ) goto finish;
-@@ -813,7 +811,6 @@ Java_org_mozilla_jss_provider_java_secur
- PK11SlotInfo *slot;
- EngineGetCertificateCBInfo cbinfo = {NULL,NULL};
- jboolean retVal = JNI_FALSE;
-- SECKEYPrivateKey *privk = NULL;
-
- if( alias == NULL ) goto finish;
-
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-08-10 16:21:30.395765000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-08-10 17:05:15.363117000 -0700
-@@ -397,7 +397,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_getSo
- {
- PRSocketOptionData sockOptions;
- JSSL_SocketData *sock = NULL;
-- jint retval;
-+ jint retval=-1;
- PRStatus status;
-
- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
-@@ -874,7 +874,7 @@ JNIEXPORT jint JNICALL
- Java_org_mozilla_jss_ssl_SSLSocket_socketAvailable(
- JNIEnv *env, jobject self)
- {
-- jint available;
-+ jint available=0;
- JSSL_SocketData *sock = NULL;
-
- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2011-08-10 16:21:30.434766000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2011-08-11 09:44:12.310202000 -0700
-@@ -64,7 +64,7 @@ JSSL_throwSSLSocketException(JNIEnv *env
- jmethodID excepCons;
- jobject excepObj;
- jstring msgString;
-- jint result;
-+ jint VARIABLE_MAY_NOT_BE_USED result;
-
- /*
- * get the error code and error string
-@@ -149,8 +149,8 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
- jbyteArray sdArray = NULL;
- JSSL_SocketData *sockdata = NULL;
- SECStatus status;
-- PRFileDesc *newFD;
-- PRFileDesc *tmpFD;
-+ PRFileDesc *newFD = NULL;
-+ PRFileDesc *tmpFD = NULL;
- PRFilePrivate *priv = NULL;
- int socketFamily = 0;
-
-@@ -627,7 +627,7 @@ Java_org_mozilla_jss_ssl_SocketBase_getS
- SECStatus status = SECSuccess;
- PRBool bOption = PR_FALSE;
-
-- if( JSSL_getSockData(env, self, &sock) != SECSuccess ) {
-+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
- goto finish;
- }
-
-@@ -649,7 +649,7 @@ JSSL_getSockAddr
- (JNIEnv *env, jobject self, PRNetAddr *addr, LocalOrPeer localOrPeer)
- {
- JSSL_SocketData *sock = NULL;
-- PRStatus status;
-+ PRStatus status=PR_FAILURE;
-
- /* get my fd */
- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
-@@ -893,7 +893,7 @@ JSS_SSL_processExceptions(JNIEnv *env, P
-
- finish:
- if( currentExcep != NULL && (*env)->ExceptionOccurred(env) == NULL) {
-- int ret = (*env)->Throw(env, currentExcep);
-+ int VARIABLE_MAY_NOT_BE_USED ret = (*env)->Throw(env, currentExcep);
- PR_ASSERT(ret == 0);
- }
- }
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-08-10 16:21:30.446765000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-08-10 17:03:48.769206000 -0700
-@@ -92,7 +92,7 @@ writebuf(JNIEnv *env, PRFileDesc *fd, jo
- jmethodID getOutputStream, writeMethod;
- jclass sockClass, osClass;
- jobject outputStream;
-- jint arrayLen;
-+ jint arrayLen=-1;
- PRInt32 retval;
-
- /*
-@@ -211,7 +211,7 @@ jsock_write(PRFileDesc *fd, const PRIOVe
- jobject sockObj;
- JNIEnv *env;
- jbyteArray outbufArray;
-- PRInt32 retval;
-+ PRInt32 retval=-1;
-
- if( GET_ENV(fd->secret->javaVM, env) ) goto finish;
-
-@@ -500,7 +500,7 @@ static PRInt32
- jsock_recv(PRFileDesc *fd, void *buf, PRInt32 amount,
- PRIntn flags, PRIntervalTime timeout)
- {
-- PRInt32 retval;
-+ PRInt32 retval=-1;
- JNIEnv *env;
- jobject sockObj;
- jbyteArray byteArray;
-@@ -637,7 +637,7 @@ getIntProperty(JNIEnv *env, jobject sock
- {
- jclass sockClass;
- jmethodID method;
-- jint retval;
-+ jint retval=0;
-
- sockClass = (*env)->GetObjectClass(env, sock);
- if( sockClass == NULL ) goto finish;
-@@ -1001,12 +1001,6 @@ static const PRIOMethods jsockMethods =
- (PRReservedFN) invalidInt
- };
-
--static const PRIOMethods*
--getJsockMethods()
--{
-- return &jsockMethods;
--}
--
- static void
- jsockDestructor(PRFileDesc *fd)
- {
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2004-04-25 08:02:29.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-08-10 18:24:58.470937000 -0700
-@@ -115,7 +115,7 @@ void
- JSS_throwMsg(JNIEnv *env, char *throwableClassName, char *message) {
-
- jclass throwableClass;
-- jint result;
-+ jint VARIABLE_MAY_NOT_BE_USED result;
-
- /* validate arguments */
- PR_ASSERT(env!=NULL && throwableClassName!=NULL && message!=NULL);
-@@ -156,7 +156,7 @@ JSS_throw(JNIEnv *env, char *throwableCl
- jclass throwableClass;
- jobject throwable;
- jmethodID constructor;
-- jint result;
-+ jint VARIABLE_MAY_NOT_BE_USED result;
-
- PR_ASSERT( (*env)->ExceptionOccurred(env) == NULL );
-
-@@ -222,7 +222,9 @@ JSS_throw(JNIEnv *env, char *throwableCl
- PRStatus
- JSS_getPtrFromProxy(JNIEnv *env, jobject nativeProxy, void **ptr)
- {
-+#ifdef DEBUG
- jclass nativeProxyClass;
-+#endif
- jclass proxyClass;
- jfieldID byteArrayField;
- jbyteArray byteArray;
-@@ -745,7 +747,7 @@ JSS_trace(JNIEnv *env, jint level, char
- void
- JSS_assertOutOfMem(JNIEnv *env)
- {
-- jclass memErrClass;
-+ jclass VARIABLE_MAY_NOT_BE_USED memErrClass;
- jthrowable excep;
-
- PR_ASSERT(env != NULL);
-@@ -804,7 +806,7 @@ JSS_SECItemToByteArray(JNIEnv *env, SECI
- goto finish;
- }
-
-- (*env)->SetByteArrayRegion(env, array, 0, item->len, item->data);
-+ (*env)->SetByteArrayRegion(env, array, 0, item->len, (jbyte*)item->data);
-
- finish:
- return array;
-diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h
---- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h 2004-04-25 08:02:29.000000000 -0700
-+++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h 2011-08-11 18:12:56.926098000 -0700
-@@ -36,6 +36,19 @@
- #ifndef JSS_NATIVE_UTIL_H
- #define JSS_NATIVE_UTIL_H
-
-+/* The following #defines are used to suppress undesired compiler warnings
-+ * that have been deemed inappropriate.
-+ *
-+ * IMPORTANT: These are ONLY used on an "as-needed" basis!
-+ */
-+#ifdef __GNUC__
-+#define FUNCTION_MAY_NOT_BE_USED __attribute__ ((unused))
-+#define VARIABLE_MAY_NOT_BE_USED __attribute__ ((unused))
-+#else
-+#define FUNCTION_MAY_NOT_BE_USED
-+#define VARIABLE_MAY_NOT_BE_USED
-+#endif
-+
- /* Need to include these first.
- * #include <nspr.h>
- * #include <jni.h>
diff --git a/SOURCES/jss-eliminate-native-coverity-defects.patch b/SOURCES/jss-eliminate-native-coverity-defects.patch
deleted file mode 100644
index 68e0fad..0000000
--- a/SOURCES/jss-eliminate-native-coverity-defects.patch
+++ /dev/null
@@ -1,253 +0,0 @@
-diff -rupN jss-4.2.6.orig/mozilla/security/coreconf/nsinstall/pathsub.c jss-4.2.6/mozilla/security/coreconf/nsinstall/pathsub.c
---- jss-4.2.6.orig/mozilla/security/coreconf/nsinstall/pathsub.c 2004-04-25 08:02:18.000000000 -0700
-+++ jss-4.2.6/mozilla/security/coreconf/nsinstall/pathsub.c 2011-09-17 18:37:39.875900000 -0700
-@@ -275,9 +275,11 @@ diagnosePath(const char * path)
- rv = readlink(myPath, buf, sizeof buf);
- if (rv < 0) {
- perror("readlink");
-- buf[0] = 0;
-- } else {
-+ buf[0] = 0;
-+ } else if ( rv < BUFSIZ ) {
- buf[rv] = 0;
-+ } else {
-+ buf[BUFSIZ-1] = 0;
- }
- fprintf(stderr, "%s is a link to %s\n", myPath, buf);
- } else if (S_ISDIR(sb.st_mode)) {
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-09-17 17:33:08.823975000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-09-17 20:09:35.446977000 -0700
-@@ -728,14 +728,14 @@ getPWFromCallback(PK11SlotInfo *slot, PR
- }
-
- finish:
-- if( (exception=(*env)->ExceptionOccurred(env)) != NULL) {
- #ifdef DEBUG
-+ if( (exception=(*env)->ExceptionOccurred(env)) != NULL) {
- jclass giveupClass;
- jmethodID printStackTrace;
- jclass excepClass;
--#endif
-+
- (*env)->ExceptionClear(env);
--#ifdef DEBUG
-+
- giveupClass = (*env)->FindClass(env, GIVE_UP_EXCEPTION);
- PR_ASSERT(giveupClass != NULL);
- if( ! (*env)->IsInstanceOf(env, exception, giveupClass) ) {
-@@ -746,8 +746,12 @@ finish:
- PR_ASSERT( PR_FALSE );
- }
- PR_ASSERT(returnchars==NULL);
--#endif
- }
-+#else
-+ if( ((*env)->ExceptionOccurred(env)) != NULL) {
-+ (*env)->ExceptionClear(env);
-+ }
-+#endif
- return returnchars;
- }
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-09-17 17:33:08.834976000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-09-19 16:51:46.438021000 -0700
-@@ -768,6 +768,10 @@ static int find_leaf_cert(
- int *linked = NULL;
-
- linked = PR_Malloc( sizeof(int) * numCerts );
-+ if (linked == NULL) {
-+ status = 0;
-+ goto finish;
-+ }
-
- /* initialize the bitmap */
- for (i = 0; i < numCerts; i++) {
-@@ -1735,7 +1739,7 @@ Java_org_mozilla_jss_CryptoManager_verif
- {
- SECStatus rv = SECFailure;
- SECCertUsage certUsage;
-- SECItem *derCerts[2];
-+ SECItem *derCerts[2] = { NULL, NULL };
- CERTCertificate **certArray = NULL;
- CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
-
-@@ -1749,7 +1753,6 @@ Java_org_mozilla_jss_CryptoManager_verif
- }
- PR_ASSERT(certdb != NULL);
-
-- derCerts[0] = NULL;
- derCerts[0] = JSS_ByteArrayToSECItem(env, packageArray);
- derCerts[1] = NULL;
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-17 17:33:08.708976000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-17 19:37:52.834292000 -0700
-@@ -235,7 +235,7 @@ static PRStatus
- getAlgInfo(JNIEnv *env, jobject alg, JSS_AlgInfo *info)
- {
- jint index;
-- PRStatus status;
-+ PRStatus status = PR_FAILURE;
-
- PR_ASSERT(env!=NULL && alg!=NULL && info!=NULL);
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-09-17 17:33:08.970975000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-09-17 19:47:21.850722000 -0700
-@@ -181,7 +181,7 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD
- PK11Context *context=NULL;
- jbyte *bytes=NULL;
- SECStatus status;
-- unsigned int outLen;
-+ unsigned int outLen = 0;
-
- if( JSS_PK11_getCipherContext(env, proxyObj, &context) != PR_SUCCESS) {
- /* exception was thrown */
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-09-17 17:33:09.013977000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-09-17 18:16:40.231161000 -0700
-@@ -273,6 +273,7 @@ Java_org_mozilla_jss_pkcs11_PK11PubKey_g
- break;
- case keaKey:
- keyTypeFieldName = KEA_KEYTYPE_FIELD;
-+ break;
- default:
- PR_ASSERT(PR_FALSE);
- keyTypeFieldName = NULL_KEYTYPE_FIELD;
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-09-17 17:33:09.032977000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-09-17 19:48:57.776628000 -0700
-@@ -390,12 +390,6 @@ importPrivateKey
- SECStatus status;
- SECItem nickname;
-
-- keyType = JSS_PK11_getKeyType(env, keyTypeObj);
-- if( keyType == nullKey ) {
-- /* exception was thrown */
-- goto finish;
-- }
--
- /*
- * initialize so we can goto finish
- */
-@@ -403,6 +397,12 @@ importPrivateKey
- derPK.len = 0;
-
-
-+ keyType = JSS_PK11_getKeyType(env, keyTypeObj);
-+ if( keyType == nullKey ) {
-+ /* exception was thrown */
-+ goto finish;
-+ }
-+
- PR_ASSERT(env!=NULL && this!=NULL);
-
- if(keyArray == NULL) {
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-09-17 17:33:09.050976000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-09-17 19:53:46.184339000 -0700
-@@ -962,12 +962,12 @@ JNIEXPORT jstring JNICALL Java_org_mozil
- {
- PK11SlotInfo *slot;
- const char* c_subject=NULL;
-- jboolean isCopy;
-+ jboolean isCopy = JNI_FALSE;
- unsigned char *b64request=NULL;
- SECItem p, q, g;
- PQGParams *dsaParams=NULL;
- const char* c_keyType;
-- jboolean k_isCopy;
-+ jboolean k_isCopy = JNI_FALSE;
- SECOidTag signType = SEC_OID_UNKNOWN;
- PK11RSAGenParams rsaParams;
- void *params = NULL;
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-09-17 17:33:09.073977000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-09-17 19:56:20.428184000 -0700
-@@ -516,11 +516,6 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- goto finish;
- }
-
-- if( addrBAelems == NULL ) {
-- ASSERT_OUTOFMEM(env);
-- goto finish;
-- }
--
- if(addrBALen != 4 && addrBALen != 16) {
- JSSL_throwSSLSocketException(env, "Invalid address in connect!");
- goto finish;
-@@ -720,7 +715,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_getCi
- {
- JSSL_SocketData *sock=NULL;
- SECStatus status;
-- PRBool enabled;
-+ PRBool enabled = PR_FAILURE;
-
- /* get the fd */
- if( JSSL_getSockData(env, sockObj, &sock) != PR_SUCCESS) {
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c 2004-09-03 11:32:03.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c 2011-09-17 18:15:07.825252000 -0700
-@@ -684,17 +684,13 @@ JSSL_ConfirmExpiredPeerCert(void *arg, P
- * Now check the name field in the cert against the desired hostname.
- * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
- */
-- if( peerCert == NULL ) {
-- rv = SECFailure;
-+ char* hostname = NULL;
-+ hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */
-+ if (hostname && hostname[0]) {
-+ rv = CERT_VerifyCertName(peerCert, hostname);
-+ PORT_Free(hostname);
- } else {
-- char* hostname = NULL;
-- hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */
-- if (hostname && hostname[0]) {
-- rv = CERT_VerifyCertName(peerCert, hostname);
-- PORT_Free(hostname);
-- } else {
-- rv = SECFailure;
-- }
-+ rv = SECFailure;
- }
- }
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-09-17 17:33:09.094977000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-09-17 19:16:38.546566000 -0700
-@@ -95,6 +95,10 @@ writebuf(JNIEnv *env, PRFileDesc *fd, jo
- jint arrayLen=-1;
- PRInt32 retval;
-
-+ if( env == NULL ) {
-+ goto finish;
-+ }
-+
- /*
- * get the OutputStream
- */
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c 2002-07-03 17:25:46.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c 2011-09-18 23:02:28.130883000 -0700
-@@ -427,6 +427,7 @@ JSS_ConvertNativeErrcodeToJava(PRErrorCo
- #endif
-
- key.native = nativeErrcode;
-+ key.java = -1;
- target = bsearch( &key, errcodeTable, numErrcodes, sizeof(Errcode),
- errcodeCompare );
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/jssutil.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-09-17 17:33:09.103977000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-09-19 16:38:19.428634000 -0700
-@@ -529,7 +529,7 @@ JSS_wipeCharArray(char* array)
- */
- static char* getPWFromConsole()
- {
-- char c;
-+ int c;
- char *ret;
- int i;
- char buf[200]; /* no buffer overflow: we bail after 200 chars */
diff --git a/SOURCES/jss-fixed-build-issue-on-F17-or-newer.patch b/SOURCES/jss-fixed-build-issue-on-F17-or-newer.patch
deleted file mode 100644
index 6ffc952..0000000
--- a/SOURCES/jss-fixed-build-issue-on-F17-or-newer.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff -rupN jss-4.2.6.orig/mozilla/security/coreconf/config.mk jss-4.2.6/mozilla/security/coreconf/config.mk
---- jss-4.2.6.orig/mozilla/security/coreconf/config.mk 2007-05-03 23:54:05.000000000 -0700
-+++ jss-4.2.6/mozilla/security/coreconf/config.mk 2013-07-22 18:42:19.000000000 -0700
-@@ -68,8 +68,19 @@ TARGET_OSES = FreeBSD BSD_OS NetBSD Open
- ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
- include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
- else
-+ifeq ($(OS_TARGET), Linux)
-+OS_RELEASE_VER_MAJOR := $(shell echo $(OS_RELEASE) | cut -f1 -d.)
-+OS_RELEASE_VER_MINOR := $(shell echo $(OS_RELEASE) | cut -f2 -d.)
-+OS_RELEASE_GT_2_6 := $(shell [ $(OS_RELEASE_VER_MAJOR) -ge 2 -o \( $(OS_RELEASE_VER_MAJOR) -eq 2 -a $(OS_RELEASE_VER_MINOR) -ge 6 \) ] && echo true)
-+ifeq ($(OS_RELEASE_GT_2_6),true)
-+include $(CORE_DEPTH)/coreconf/Linux2.6.mk
-+else
- include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
- endif
-+else
-+include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk
-+endif
-+endif
-
- #######################################################################
- # [4.0] Master "Core Components" source and release <platform> tags #
diff --git a/SOURCES/jss-ipv6.patch b/SOURCES/jss-ipv6.patch
deleted file mode 100644
index 9fd5fb9..0000000
--- a/SOURCES/jss-ipv6.patch
+++ /dev/null
@@ -1,623 +0,0 @@
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/lib/jss.def jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/lib/jss.def 2009-06-24 17:08:59.784371000 -0700
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-06-19 17:56:00.000000000 -0700
-@@ -175,6 +175,7 @@ Java_org_mozilla_jss_ssl_SSLServerSocket
- Java_org_mozilla_jss_ssl_SSLSocket_forceHandshake;
- Java_org_mozilla_jss_ssl_SSLSocket_getKeepAlive;
- Java_org_mozilla_jss_ssl_SSLSocket_getLocalAddressNative;
-+Java_org_mozilla_jss_ssl_SocketBase_getLocalAddressByteArrayNative;
- Java_org_mozilla_jss_ssl_SSLSocket_getPort;
- Java_org_mozilla_jss_ssl_SSLSocket_getReceiveBufferSize;
- Java_org_mozilla_jss_ssl_SSLSocket_getSendBufferSize;
-@@ -199,6 +200,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- Java_org_mozilla_jss_ssl_SSLSocket_socketWrite;
- Java_org_mozilla_jss_ssl_SocketBase_getLocalPortNative;
- Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressNative;
-+Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressByteArrayNative;
- Java_org_mozilla_jss_ssl_SocketBase_setClientCertNicknameNative;
- Java_org_mozilla_jss_ssl_SocketBase_requestClientAuthNoExpiryCheckNative;
- Java_org_mozilla_jss_ssl_SocketBase_setSSLOption;
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java 2007-03-20 15:39:28.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java 2009-06-24 13:46:49.000000000 -0700
-@@ -36,7 +36,8 @@
-
- package org.mozilla.jss.ssl;
-
--import java.net.InetAddress;
-+import java.util.*;
-+import java.net.*;
- import java.io.IOException;
- import java.net.Socket;
- import java.net.SocketException;
-@@ -138,34 +139,34 @@ public class SSLServerSocket extends jav
- super.close();
-
- // create the socket
-+
-+ int socketFamily = SocketBase.SSL_AF_INET;
-+ if(SocketBase.supportsIPV6()) {
-+ socketFamily = SocketBase.SSL_AF_INET6;
-+ }
-+
- sockProxy = new SocketProxy(
-- base.socketCreate(this, certApprovalCallback, null) );
-+ base.socketCreate(this, certApprovalCallback, null,socketFamily) );
-
- base.setProxy(sockProxy);
-
- setReuseAddress(reuseAddr);
-
-- // bind it to the local address and port
-- if( bindAddr == null ) {
-- bindAddr = anyLocalAddr;
-- }
- byte[] bindAddrBA = null;
- if( bindAddr != null ) {
- bindAddrBA = bindAddr.getAddress();
- }
- base.socketBind(bindAddrBA, port);
-+
-+ String hostName = null;
-+ if(bindAddr != null) {
-+ hostName = bindAddr.getCanonicalHostName();
-+ }
- socketListen(backlog);
- }
-
- private native void socketListen(int backlog) throws SocketException;
-
-- private static InetAddress anyLocalAddr;
-- static {
-- try {
-- anyLocalAddr = InetAddress.getByName("0.0.0.0");
-- } catch (java.net.UnknownHostException e) { }
-- }
--
- /**
- * Accepts a connection. This call will block until a connection is made
- * or the timeout is reached.
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2007-05-08 18:40:14.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2009-06-24 13:27:15.000000000 -0700
-@@ -460,10 +460,15 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- JSSL_SocketData *sock;
- PRNetAddr addr;
- jbyte *addrBAelems = NULL;
-+ int addrBALen = 0;
- PRStatus status;
- int stat;
- const char *hostnameStr=NULL;
-
-+ jmethodID supportsIPV6ID;
-+ jclass socketBaseClass;
-+ jboolean supportsIPV6 = 0;
-+
- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) {
- /* exception was thrown */
- goto finish;
-@@ -472,16 +477,32 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- /*
- * setup the PRNetAddr structure
- */
-- addr.inet.family = AF_INET;
-- addr.inet.port = htons(port);
-- PR_ASSERT(sizeof(addr.inet.ip) == 4);
-- PR_ASSERT( (*env)->GetArrayLength(env, addrBA) == 4);
-+
-+ socketBaseClass = (*env)->FindClass(env, SOCKET_BASE_NAME);
-+ if( socketBaseClass == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+ supportsIPV6ID = (*env)->GetStaticMethodID(env, socketBaseClass,
-+ SUPPORTS_IPV6_NAME, SUPPORTS_IPV6_SIG);
-+
-+ if( supportsIPV6ID == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+
-+ supportsIPV6 = (*env)->CallStaticBooleanMethod(env, socketBaseClass,
-+ supportsIPV6ID);
-+
- addrBAelems = (*env)->GetByteArrayElements(env, addrBA, NULL);
-+ addrBALen = (*env)->GetArrayLength(env, addrBA);
-+
-+ PR_ASSERT(addrBALen != 0);
-+
- if( addrBAelems == NULL ) {
- ASSERT_OUTOFMEM(env);
- goto finish;
- }
-- memcpy(&addr.inet.ip, addrBAelems, 4);
-
- /*
- * Tell SSL the URL we think we want to connect to.
-@@ -495,6 +516,38 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
- goto finish;
- }
-
-+ if( addrBAelems == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+
-+ if(addrBALen != 4 && addrBALen != 16) {
-+ JSSL_throwSSLSocketException(env, "Invalid address in connect!");
-+ goto finish;
-+ }
-+
-+ if( addrBALen == 4) {
-+ addr.inet.family = AF_INET;
-+ addr.inet.port = PR_htons(port);
-+ memcpy(&addr.inet.ip, addrBAelems, 4);
-+
-+ if(supportsIPV6) {
-+ addr.ipv6.family = AF_INET6;
-+ addr.ipv6.port = PR_htons(port);
-+ PR_ConvertIPv4AddrToIPv6(addr.inet.ip,&addr.ipv6.ip);
-+ }
-+
-+ } else { /* Must be 16 and ipv6 */
-+ if(supportsIPV6) {
-+ addr.ipv6.family = AF_INET6;
-+ addr.ipv6.port = PR_htons(port);
-+ memcpy(&addr.ipv6.ip,addrBAelems, 16);
-+ } else {
-+ JSSL_throwSSLSocketException(env, "Invalid address in connect!");
-+ goto finish;
-+ }
-+ }
-+
- /*
- * make the connect call
- */
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2007-05-08 18:40:14.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2009-06-24 13:45:59.000000000 -0700
-@@ -243,11 +243,16 @@ public class SSLSocket extends java.net.
- SSLClientCertificateSelectionCallback clientCertSelectionCallback)
- throws IOException
- {
-+
-+ int socketFamily = SocketBase.SSL_AF_INET;
-+ if(SocketBase.supportsIPV6()) {
-+ socketFamily = SocketBase.SSL_AF_INET6;
-+ }
- // create the socket
- sockProxy =
- new SocketProxy(
- base.socketCreate(
-- this, certApprovalCallback, clientCertSelectionCallback) );
-+ this, certApprovalCallback, clientCertSelectionCallback,socketFamily) );
-
- base.setProxy(sockProxy);
-
-@@ -288,7 +293,7 @@ public class SSLSocket extends java.net.
- new SocketProxy(
- base.socketCreate(
- this, certApprovalCallback, clientCertSelectionCallback,
-- s, host ) );
-+ s, host,SocketBase.SSL_AF_INET ) );
-
- base.setProxy(sockProxy);
- resetHandshake();
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2007-03-20 15:39:28.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2009-06-24 13:50:32.000000000 -0700
-@@ -70,16 +70,16 @@ class SocketBase {
- native byte[] socketCreate(Object socketObject,
- SSLCertificateApprovalCallback certApprovalCallback,
- SSLClientCertificateSelectionCallback clientCertSelectionCallback,
-- java.net.Socket javaSock, String host)
-+ java.net.Socket javaSock, String host,int family)
- throws SocketException;
-
- byte[] socketCreate(Object socketObject,
- SSLCertificateApprovalCallback certApprovalCallback,
-- SSLClientCertificateSelectionCallback clientCertSelectionCallback)
-+ SSLClientCertificateSelectionCallback clientCertSelectionCallback,int family)
- throws SocketException
- {
- return socketCreate(socketObject, certApprovalCallback,
-- clientCertSelectionCallback, null, null);
-+ clientCertSelectionCallback, null, null,family);
- }
-
- native void socketBind(byte[] addrBA, int port) throws SocketException;
-@@ -115,6 +115,10 @@ class SocketBase {
- static final int SSL_REQUIRE_FIRST_HANDSHAKE = 20;
- static final int SSL_REQUIRE_NO_ERROR = 21;
-
-+
-+ static final int SSL_AF_INET = 50;
-+ static final int SSL_AF_INET6 = 51;
-+
- void close() throws IOException {
- socketClose();
- }
-@@ -281,13 +285,25 @@ class SocketBase {
- return in;
- }
-
-+ private native byte[] getLocalAddressByteArrayNative() throws SocketException;
-+ private native byte[] getPeerAddressByteArrayNative() throws SocketException;
- /**
- * @return the InetAddress of the peer end of the socket.
- */
- InetAddress getInetAddress()
- {
- try {
-- return convertIntToInetAddress( getPeerAddressNative() );
-+ byte[] address = getPeerAddressByteArrayNative();
-+
-+ InetAddress iAddr = null;
-+
-+ try {
-+
-+ iAddr = InetAddress.getByAddress(address);
-+ } catch(UnknownHostException e) {
-+ }
-+
-+ return iAddr;
- } catch(SocketException e) {
- return null;
- }
-@@ -299,7 +315,17 @@ class SocketBase {
- */
- InetAddress getLocalAddress() {
- try {
-- return convertIntToInetAddress( getLocalAddressNative() );
-+ byte[] address = getLocalAddressByteArrayNative();
-+
-+ InetAddress lAddr = null;
-+
-+ try {
-+
-+ lAddr = InetAddress.getByAddress(address);
-+ } catch(UnknownHostException e) {
-+ }
-+
-+ return lAddr;
- } catch(SocketException e) {
- return null;
- }
-@@ -378,4 +404,45 @@ class SocketBase {
- return topException;
- }
- }
-+
-+ static private int supportsIPV6 = -1;
-+ static boolean supportsIPV6() {
-+
-+ if(supportsIPV6 >= 0) {
-+ if(supportsIPV6 > 0) {
-+ return true;
-+ } else {
-+ return false;
-+ }
-+ }
-+
-+ Enumeration netInter;
-+ try {
-+ netInter = NetworkInterface.getNetworkInterfaces();
-+ } catch (SocketException e) {
-+
-+ return false;
-+ }
-+ while ( netInter.hasMoreElements() )
-+ {
-+ NetworkInterface ni = (NetworkInterface)netInter.nextElement();
-+ Enumeration addrs = ni.getInetAddresses();
-+ while ( addrs.hasMoreElements() )
-+ {
-+ Object o = addrs.nextElement();
-+ if ( o.getClass() == InetAddress.class ||
-+ o.getClass() == Inet4Address.class ||
-+ o.getClass() == Inet6Address.class )
-+ {
-+ InetAddress iaddr = (InetAddress) o;
-+ if(o.getClass() == Inet6Address.class) {
-+ supportsIPV6 = 1;
-+ return true;
-+ }
-+ }
-+ }
-+ }
-+ supportsIPV6 = 0;
-+ return false;
-+ }
- }
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/common.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2007-04-24 11:34:58.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2009-06-24 14:22:02.000000000 -0700
-@@ -33,7 +33,6 @@
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
--
- #include <nspr.h>
- #include <jni.h>
- #include <pk11func.h>
-@@ -51,6 +50,9 @@
- #include <winsock.h>
- #endif
-
-+#define SSL_AF_INET 50
-+#define SSL_AF_INET6 51
-+
- void
- JSSL_throwSSLSocketException(JNIEnv *env, char *message)
- {
-@@ -142,7 +144,7 @@ finish:
- JNIEXPORT jbyteArray JNICALL
- Java_org_mozilla_jss_ssl_SocketBase_socketCreate(JNIEnv *env, jobject self,
- jobject sockObj, jobject certApprovalCallback,
-- jobject clientCertSelectionCallback, jobject javaSock, jstring host)
-+ jobject clientCertSelectionCallback, jobject javaSock, jstring host,jint family)
- {
- jbyteArray sdArray = NULL;
- JSSL_SocketData *sockdata = NULL;
-@@ -150,10 +152,21 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
- PRFileDesc *newFD;
- PRFileDesc *tmpFD;
- PRFilePrivate *priv = NULL;
-+ int socketFamily = 0;
-+
-+ if (family != SSL_AF_INET6 && family != SSL_AF_INET) {
-+ JSSL_throwSSLSocketException(env,
-+ "socketCreate() Invalid family!");
-+ goto finish;
-+ }
-+ if( family == SSL_AF_INET)
-+ socketFamily = PR_AF_INET;
-+ else
-+ socketFamily = PR_AF_INET6;
-
- if( javaSock == NULL ) {
- /* create a TCP socket */
-- newFD = PR_NewTCPSocket();
-+ newFD = PR_OpenTCPSocket(socketFamily);
- if( newFD == NULL ) {
- JSSL_throwSSLSocketException(env,
- "PR_NewTCPSocket() returned NULL");
-@@ -394,10 +407,10 @@ PRInt32 JSSL_enums[] = {
- SSL_REQUIRE_ALWAYS, /* 19 */ /* ssl.h */
- SSL_REQUIRE_FIRST_HANDSHAKE,/* 20 */ /* ssl.h */
- SSL_REQUIRE_NO_ERROR, /* 21 */ /* ssl.h */
--
- 0
- };
-
-+
- JNIEXPORT void JNICALL
- Java_org_mozilla_jss_ssl_SocketBase_socketBind
- (JNIEnv *env, jobject self, jbyteArray addrBA, jint port)
-@@ -405,8 +418,13 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
- JSSL_SocketData *sock;
- PRNetAddr addr;
- jbyte *addrBAelems = NULL;
-+ int addrBALen = 0;
- PRStatus status;
-
-+ jmethodID supportsIPV6ID;
-+ jclass socketBaseClass;
-+ jboolean supportsIPV6 = 0;
-+
- if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) {
- /* exception was thrown */
- goto finish;
-@@ -415,19 +433,72 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
- /*
- * setup the PRNetAddr structure
- */
-- addr.inet.family = AF_INET;
-- addr.inet.port = htons(port);
-+
-+ /*
-+ * Do we support IPV6?
-+ */
-+
-+ socketBaseClass = (*env)->FindClass(env, SOCKET_BASE_NAME);
-+ if( socketBaseClass == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+ supportsIPV6ID = (*env)->GetStaticMethodID(env, socketBaseClass,
-+ SUPPORTS_IPV6_NAME, SUPPORTS_IPV6_SIG);
-+
-+ if( supportsIPV6ID == NULL ) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+
-+ supportsIPV6 = (*env)->CallStaticBooleanMethod(env, socketBaseClass,
-+ supportsIPV6ID);
-+
-+ memset( &addr, 0, sizeof( PRNetAddr ));
-+
- if( addrBA != NULL ) {
-- PR_ASSERT(sizeof(addr.inet.ip) == 4);
-- PR_ASSERT( (*env)->GetArrayLength(env, addrBA) == 4);
- addrBAelems = (*env)->GetByteArrayElements(env, addrBA, NULL);
-+ addrBALen = (*env)->GetArrayLength(env, addrBA);
-+
- if( addrBAelems == NULL ) {
- ASSERT_OUTOFMEM(env);
- goto finish;
- }
-- memcpy(&addr.inet.ip, addrBAelems, 4);
-+
-+ if(addrBALen != 4 && addrBALen != 16) {
-+ JSS_throwMsgPrErr(env, BIND_EXCEPTION,
-+ "Invalid address in bind!");
-+ goto finish;
-+ }
-+
-+ if( addrBALen == 4) {
-+ addr.inet.family = PR_AF_INET;
-+ addr.inet.port = PR_htons(port);
-+ memcpy(&addr.inet.ip, addrBAelems, 4);
-+
-+ if(supportsIPV6) {
-+ addr.inet.family = PR_AF_INET6;
-+ addr.ipv6.port = PR_htons(port);
-+ PR_ConvertIPv4AddrToIPv6(addr.inet.ip,&addr.ipv6.ip);
-+ }
-+
-+ } else { /* Must be 16 and ipv6 */
-+ if(supportsIPV6) {
-+ addr.ipv6.family = PR_AF_INET6;
-+ addr.ipv6.port = PR_htons(port);
-+ memcpy(&addr.ipv6.ip,addrBAelems, 16);
-+ } else {
-+ JSS_throwMsgPrErr(env, BIND_EXCEPTION,
-+ "Invalid address in bind!");
-+ goto finish;
-+ }
-+ }
- } else {
-- addr.inet.ip = PR_htonl(INADDR_ANY);
-+ if(supportsIPV6) {
-+ status = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr);
-+ } else {
-+ status = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET, port, &addr);
-+ }
- }
-
- /* do the bind() call */
-@@ -601,6 +672,78 @@ finish:
- return status;
- }
-
-+JNIEXPORT jbyteArray JNICALL
-+Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressByteArrayNative
-+ (JNIEnv *env, jobject self)
-+{
-+ jbyteArray byteArray=NULL;
-+ PRNetAddr addr;
-+ jbyte *address=NULL;
-+ int size=4;
-+
-+ if( JSSL_getSockAddr(env, self, &addr, PEER_SOCK) != PR_SUCCESS) {
-+ goto finish;
-+ }
-+
-+ if( PR_NetAddrFamily(&addr) == PR_AF_INET6) {
-+ size = 16;
-+ address = (jbyte *) &addr.ipv6.ip;
-+ } else {
-+ address = (jbyte *) &addr.inet.ip;
-+ }
-+
-+ byteArray = (*env)->NewByteArray(env,size);
-+ if(byteArray == NULL) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+ (*env)->SetByteArrayRegion(env, byteArray, 0,size ,address);
-+ if( (*env)->ExceptionOccurred(env) != NULL) {
-+ PR_ASSERT(PR_FALSE);
-+ goto finish;
-+ }
-+
-+finish:
-+ return byteArray;
-+}
-+
-+JNIEXPORT jbyteArray JNICALL
-+Java_org_mozilla_jss_ssl_SocketBase_getLocalAddressByteArrayNative
-+ (JNIEnv *env, jobject self)
-+{
-+ jbyteArray byteArray=NULL;
-+ PRNetAddr addr;
-+ jbyte *address=NULL;
-+ int size=4;
-+
-+ if( JSSL_getSockAddr(env, self, &addr, LOCAL_SOCK) != PR_SUCCESS) {
-+ goto finish;
-+ }
-+
-+ if( PR_NetAddrFamily(&addr) == PR_AF_INET6) {
-+ size = 16;
-+ address = (jbyte *) &addr.ipv6.ip;
-+ } else {
-+ address = (jbyte *) &addr.inet.ip;
-+ }
-+
-+ byteArray = (*env)->NewByteArray(env,size);
-+ if(byteArray == NULL) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+ (*env)->SetByteArrayRegion(env, byteArray, 0,size,address);
-+ if( (*env)->ExceptionOccurred(env) != NULL) {
-+ PR_ASSERT(PR_FALSE);
-+ goto finish;
-+ }
-+
-+finish:
-+ return byteArray;
-+}
-+
-+/* Leave the original versions of these functions for compatibility */
-+
- JNIEXPORT jint JNICALL
- Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressNative
- (JNIEnv *env, jobject self)
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2007-04-24 11:34:58.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2009-06-24 13:43:13.000000000 -0700
-@@ -290,6 +290,7 @@ getInetAddress(PRFileDesc *fd, PRNetAddr
- jobject inetAddress;
- jbyteArray addrByteArray;
- jint port;
-+ int addrBALen = 0;
-
- if( GET_ENV(fd->secret->javaVM, env) ) goto finish;
-
-@@ -377,8 +378,9 @@ getInetAddress(PRFileDesc *fd, PRNetAddr
-
- memset(addr, 0, sizeof(PRNetAddr));
-
-- /* we only handle IPV4 */
-- PR_ASSERT( (*env)->GetArrayLength(env, addrByteArray) == 4 );
-+ addrBALen = (*env)->GetArrayLength(env, addrByteArray);
-+
-+ PR_ASSERT( (addrBALen == 4) || (addrBALen == 16 ) );
-
- /* make sure you release them later */
- addrBytes = (*env)->GetByteArrayElements(env, addrByteArray, NULL);
-@@ -388,9 +390,16 @@ getInetAddress(PRFileDesc *fd, PRNetAddr
- }
-
- /* ip field is in network byte order */
-- memcpy( (void*) &addr->inet.ip, addrBytes, 4);
-- addr->inet.family = PR_AF_INET;
-- addr->inet.port = port;
-+
-+ if (addrBALen == 4) {
-+ memcpy( (void*) &addr->inet.ip, addrBytes, 4);
-+ addr->inet.family = PR_AF_INET;
-+ addr->inet.port = port;
-+ } else {
-+ memcpy( (void*) &addr->ipv6.ip,addrBytes, 16);
-+ addr->inet.family = PR_AF_INET6;
-+ addr->inet.port = port;
-+ }
-
- (*env)->ReleaseByteArrayElements(env, addrByteArray, addrBytes,
- JNI_ABORT);
-diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h
---- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2006-02-22 17:21:52.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2009-06-19 17:56:00.000000000 -0700
-@@ -312,6 +312,8 @@ PR_BEGIN_EXTERN_C
- #define SOCKET_BASE_NAME "org/mozilla/jss/ssl/SocketBase"
- #define PROCESS_EXCEPTIONS_NAME "processExceptions"
- #define PROCESS_EXCEPTIONS_SIG "(Ljava/lang/Throwable;Ljava/lang/Throwable;)Ljava/lang/Throwable;"
-+#define SUPPORTS_IPV6_NAME "supportsIPV6"
-+#define SUPPORTS_IPV6_SIG "()Z"
-
- /*
- * SSLCertificateApprovalCallback
diff --git a/SOURCES/jss-javadocs-param.patch b/SOURCES/jss-javadocs-param.patch
deleted file mode 100644
index 5cf92e3..0000000
--- a/SOURCES/jss-javadocs-param.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java.orig 2008-01-18 16:39:46.000000000 -0500
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2009-06-05 11:08:54.000000000 -0400
-@@ -116,7 +116,9 @@
- }
- /**
- *
-- * @param
-+ * @param key
-+ * @param kg
-+ * @return
- */
- public javax.crypto.SecretKey genSecretKey(String keyType, String provider){
- javax.crypto.SecretKey key = null;
diff --git a/SOURCES/jss-key_pair_usage_with_op_flags.patch b/SOURCES/jss-key_pair_usage_with_op_flags.patch
deleted file mode 100644
index a7ca9df..0000000
--- a/SOURCES/jss-key_pair_usage_with_op_flags.patch
+++ /dev/null
@@ -1,544 +0,0 @@
-diff -rupN jss-4.2.5/mozilla/security/jss/lib/jss.def jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.5/mozilla/security/jss/lib/jss.def 2007-05-08 18:40:14.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-05-30 01:57:48.000000000 -0700
-@@ -316,3 +316,12 @@ Java_org_mozilla_jss_ssl_SSLSocket_isFip
- ;+ local:
- ;+ *;
- ;+};
-+;+JSS_4.2.6 { # JSS 4.2.6 release
-+;+ global:
-+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags;
-+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags;
-+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
-+;+ local:
-+;+ *;
-+;+};
-+
-diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2005-11-14 14:15:06.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2009-05-22 07:40:14.000000000 -0700
-@@ -81,7 +81,6 @@ public class KeyPairGenerator {
- genKeyPair() throws TokenException {
- return engine.generateKeyPair();
- }
--
- /**
- * @return The type of key that this generator generates.
- */
-@@ -192,6 +191,15 @@ public class KeyPairGenerator {
- engine.extractablePairs(extractable);
- }
-
-+ public void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages,
-+ KeyPairGeneratorSpi.Usage[] usages_mask) {
-+ engine.setKeyPairUsages(usages,usages_mask);
-+ }
-+
-+
-+
-+
-+
- protected KeyPairAlgorithm algorithm;
- protected KeyPairGeneratorSpi engine;
- }
-diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java
---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2005-11-14 14:15:06.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2009-05-30 03:24:31.000000000 -0700
-@@ -60,4 +60,38 @@ public abstract class KeyPairGeneratorSp
- public abstract void extractablePairs(boolean extractable);
-
- public abstract boolean keygenOnInternalToken();
-+
-+ /**
-+ * In PKCS #11, each keypair can be marked with the operations it will
-+ * be used to perform. Some tokens require that a key be marked for
-+ * an operation before the key can be used to perform that operation;
-+ * other tokens don't care. NSS provides a way to specify a set of
-+ * flags and a corresponding mask for these flags. If a specific usage
-+ * is desired set the value for that usage. If it is not set, let NSS
-+ * behave in it's default fashion. If a behavior is desired, also set
-+ * that behavior in the mask as well as the flags.
-+ *
-+ */
-+ public final static class Usage {
-+ private Usage() { }
-+ private Usage(int val) { this.val = val;}
-+ private int val;
-+
-+ public int getVal() { return val; }
-+
-+ // these enums must match the
-+ // and the opFlagForUsage list in PK11KeyPairGenerator.java
-+ public static final Usage ENCRYPT = new Usage(0);
-+ public static final Usage DECRYPT = new Usage(1);
-+ public static final Usage SIGN = new Usage(2);
-+ public static final Usage SIGN_RECOVER = new Usage(3);
-+ public static final Usage VERIFY = new Usage(4);
-+ public static final Usage VERIFY_RECOVER = new Usage(5);
-+ public static final Usage WRAP = new Usage(6);
-+ public static final Usage UNWRAP = new Usage(7);
-+ public static final Usage DERIVE = new Usage(8);
-+ }
-+
-+ public abstract void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages,
-+ KeyPairGeneratorSpi.Usage[] usages_mask);
- }
-diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2006-02-22 17:21:42.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2009-06-02 10:36:46.819581000 -0700
-@@ -120,13 +120,11 @@ finish:
-
- int PK11_NumberObjectsFor(PK11SlotInfo*, CK_ATTRIBUTE*, int);
-
--/*
-- * make a common key gen function for both this file and PK11Token.c
-- */
- SECStatus
--JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
-+JSS_PK11_generateKeyPairWithOpFlags(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
- PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk,
-- void *params, PRBool temporary, jint sensitive, jint extractable)
-+ void *params, PRBool temporary, jint sensitive, jint extractable,
-+ jint op_flags, jint op_flags_mask)
- {
- PK11AttrFlags attrFlags = 0;
- *privk=NULL;
-@@ -173,12 +171,16 @@ JSS_PK11_generateKeyPair(JNIEnv *env, CK
- } else {
- attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC);
- }
-- *privk = PK11_GenerateKeyPairWithFlags(slot,
-+
-+ *privk = PK11_GenerateKeyPairWithOpFlags(slot,
- mechanism,
- params,
- pubk,
- attrFlags,
-+ (CK_FLAGS) op_flags,
-+ (CK_FLAGS) op_flags_mask/* the ones we don't want*/,
- NULL /* default PW callback */ );
-+
- if( *privk == NULL ) {
- int errLength;
- char *errBuf;
-@@ -217,13 +219,28 @@ finish:
- return SECFailure;
- }
-
-+/*
-+ * make a common key gen function for both this file and PK11Token.c
-+ */
-+SECStatus
-+JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
-+ PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk,
-+ void *params, PRBool temporary, jint sensitive, jint extractable)
-+{
-+
-+ return JSS_PK11_generateKeyPairWithOpFlags(env, mechanism, slot, pubk, privk, params, temporary, sensitive, extractable, 0, 0);
-+}
-+
-+
- /**********************************************************************
-- * Local generic helper
-+ * Local generic helpers
- */
-+
- static jobject
--PK11KeyPairGenerator(JNIEnv *env, jobject this, jobject token,
-+PK11KeyPairGeneratorWithOpFlags(JNIEnv *env, jobject this, jobject token,
- CK_MECHANISM_TYPE mechanism, void *params,
-- jboolean temporary, jint sensitive, jint extractable)
-+ jboolean temporary, jint sensitive, jint extractable,
-+ jint op_flags, jint op_flags_mask)
- {
- PK11SlotInfo* slot;
- SECKEYPrivateKey *privk=NULL;
-@@ -242,8 +259,8 @@ PK11KeyPairGenerator(JNIEnv *env, jobjec
- }
- PR_ASSERT(slot != NULL);
-
-- rv = JSS_PK11_generateKeyPair(env, mechanism, slot, &pubk, &privk,
-- params, temporary, sensitive, extractable);
-+ rv = JSS_PK11_generateKeyPairWithOpFlags(env, mechanism, slot, &pubk, &privk,
-+ params, temporary, sensitive, extractable, op_flags, op_flags_mask);
- if (rv != SECSuccess) {
- goto finish;
- }
-@@ -267,6 +284,16 @@ finish:
- return keyPair;
- }
-
-+static jobject
-+PK11KeyPairGenerator(JNIEnv *env, jobject this, jobject token,
-+ CK_MECHANISM_TYPE mechanism, void *params,
-+ jboolean temporary, jint sensitive, jint extractable)
-+{
-+ return PK11KeyPairGeneratorWithOpFlags(env, this, token, mechanism, params, temporary, sensitive, extractable, 0, 0);
-+}
-+
-+
-+
- /**********************************************************************
- * PK11KeyPairGenerator.generateRSAKeyPair
- */
-@@ -289,6 +316,30 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
- ¶ms, temporary, sensitive, extractable);
- }
-
-+/**********************************************************************
-+ * PK11KeyPairGenerator.generateRSAKeyPairWithOpFlags
-+ */
-+JNIEXPORT jobject JNICALL
-+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags
-+ (JNIEnv *env, jobject this, jobject token, jint keySize, jlong publicExponent,
-+ jboolean temporary, jint sensitive, jint extractable,
-+ jint op_flags, jint op_flags_mask)
-+{
-+ PK11RSAGenParams params;
-+
-+ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL);
-+
-+ /**************************************************
-+ * setup parameters
-+ *************************************************/
-+ params.keySizeInBits = keySize;
-+ params.pe = publicExponent;
-+
-+ return PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_RSA_PKCS_KEY_PAIR_GEN,
-+ ¶ms, temporary, sensitive, extractable, op_flags, op_flags_mask);
-+}
-+
-+
- #define ZERO_SECITEM(item) {(item).len=0; (item).data=NULL;}
-
- /**********************************************************************
-@@ -339,6 +390,57 @@ finish:
- return keyPair;
- }
-
-+/**********************************************************************
-+ *
-+ * PK11KeyPairGenerator.generateDSAKeyPair
-+ *
-+ */
-+JNIEXPORT jobject JNICALL
-+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags
-+ (JNIEnv *env, jobject this, jobject token, jbyteArray P, jbyteArray Q,
-+ jbyteArray G, jboolean temporary, jint sensitive, jint extractable,
-+ jint op_flags, jint op_flags_mask)
-+{
-+ SECItem p, q, g;
-+ PQGParams *params=NULL;
-+ jobject keyPair=NULL;
-+
-+ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL && P!=NULL && Q!=NULL
-+ && G!=NULL);
-+
-+ /* zero these so we can free them indiscriminately later */
-+ ZERO_SECITEM(p);
-+ ZERO_SECITEM(q);
-+ ZERO_SECITEM(g);
-+
-+ /**************************************************
-+ * Setup the parameters
-+ *************************************************/
-+ if( JSS_ByteArrayToOctetString(env, P, &p) ||
-+ JSS_ByteArrayToOctetString(env, Q, &q) ||
-+ JSS_ByteArrayToOctetString(env, G, &g) )
-+ {
-+ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
-+ goto finish;
-+ }
-+ params = PK11_PQG_NewParams(&p, &q, &g);
-+ if(params == NULL) {
-+ JSS_throw(env, OUT_OF_MEMORY_ERROR);
-+ goto finish;
-+ }
-+ keyPair = PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_DSA_KEY_PAIR_GEN,
-+ params, temporary, sensitive, extractable,
-+ op_flags, op_flags_mask);
-+
-+finish:
-+ SECITEM_FreeItem(&p, PR_FALSE);
-+ SECITEM_FreeItem(&q, PR_FALSE);
-+ SECITEM_FreeItem(&g, PR_FALSE);
-+ PK11_PQG_DestroyParams(params);
-+ return keyPair;
-+}
-+
-+
- void
- DumpItem(SECItem *item)
- {
-@@ -361,6 +463,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
- (JNIEnv *env, jobject this, jobject token, jbyteArray Curve,
- jboolean temporary, jint sensitive, jint extractable)
- {
-+
- SECItem curve;
- jobject keyPair=NULL;
-
-@@ -385,3 +488,39 @@ finish:
- SECITEM_FreeItem(&curve, PR_FALSE);
- return keyPair;
- }
-+
-+/**********************************************************************
-+ *
-+ * PK11KeyPairGenerator.generateECKeyPairWithOpFlags
-+ *
-+ */
-+JNIEXPORT jobject JNICALL
-+Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags
-+ (JNIEnv *env, jobject this, jobject token, jbyteArray Curve,
-+ jboolean temporary, jint sensitive, jint extractable,
-+ jint op_flags, jint op_flags_mask)
-+{
-+ SECItem curve;
-+ jobject keyPair=NULL;
-+
-+ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL && Curve!=NULL );
-+
-+ /* zero these so we can free them indiscriminately later */
-+ ZERO_SECITEM(curve);
-+
-+ /**************************************************
-+ * Setup the parameters
-+ *************************************************/
-+ if( JSS_ByteArrayToOctetString(env, Curve, &curve))
-+ {
-+ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
-+ goto finish;
-+ }
-+ keyPair = PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_EC_KEY_PAIR_GEN,
-+ &curve, temporary, sensitive, extractable,
-+ op_flags, op_flags_mask);
-+
-+finish:
-+ SECITEM_FreeItem(&curve, PR_FALSE);
-+ return keyPair;
-+}
-diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java
---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2006-02-22 17:21:42.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2009-05-30 05:30:25.000000000 -0700
-@@ -55,6 +55,39 @@ public final class PK11KeyPairGenerator
- extends org.mozilla.jss.crypto.KeyPairGeneratorSpi
- {
-
-+ // opFlag constants: each of these flags specifies a crypto operation
-+ // the key will support. Their values must match the same-named C
-+ // preprocessor macros defined in the PKCS #11 header pkcs11t.h.
-+ private static final int CKF_ENCRYPT = 0x00000100;
-+ private static final int CKF_DECRYPT = 0x00000200;
-+ private static final int CKF_SIGN = 0x00000800;
-+ private static final int CKF_SIGN_RECOVER = 0x00001000;
-+ private static final int CKF_VERIFY = 0x00002000;
-+ private static final int CKF_VERIFY_RECOVER = 0x00004000;
-+ private static final int CKF_WRAP = 0x00020000;
-+ private static final int CKF_UNWRAP = 0x00040000;
-+ private static final int CKF_DERIVE = 0x00080000;
-+
-+ // A table for mapping SymmetricKey.Usage to opFlag. This must be
-+ // synchronized with SymmetricKey.Usage.
-+ private static final int opFlagForUsage[] = {
-+ CKF_ENCRYPT, /* 0 */
-+ CKF_DECRYPT, /* 1 */
-+ CKF_SIGN, /* 2 */
-+ CKF_SIGN_RECOVER, /* 3 */
-+ CKF_VERIFY, /* 4 */
-+ CKF_VERIFY_RECOVER, /* 5 */
-+ CKF_WRAP, /* 6 */
-+ CKF_UNWRAP, /* 7 */
-+ CKF_DERIVE /* 8 */
-+ };
-+
-+ // The crypto operations the key will support. It is the logical OR
-+ // of the opFlag constants, each specifying a supported operation.
-+ private int opFlags = 0;
-+ private int opFlagsMask = 0;
-+
-+
- ///////////////////////////////////////////////////////////////////////
- ///////////////////////////////////////////////////////////////////////
- // Constructors
-@@ -189,41 +222,45 @@ public final class PK11KeyPairGenerator
- * Generates a key pair on a token. Uses parameters if they were passed
- * in through a call to <code>initialize</code>, otherwise uses defaults.
- */
-+
- public KeyPair generateKeyPair()
- throws TokenException
- {
- if(algorithm == KeyPairAlgorithm.RSA) {
- if(params != null) {
- RSAParameterSpec rsaparams = (RSAParameterSpec)params;
-- return generateRSAKeyPair(
-+ return generateRSAKeyPairWithOpFlags(
- token,
- rsaparams.getKeySize(),
- rsaparams.getPublicExponent().longValue(),
- temporaryPairMode,
- sensitivePairMode,
-- extractablePairMode);
-+ extractablePairMode,
-+ opFlags, opFlagsMask);
- } else {
-- return generateRSAKeyPair(
-+ return generateRSAKeyPairWithOpFlags(
- token,
- DEFAULT_RSA_KEY_SIZE,
- DEFAULT_RSA_PUBLIC_EXPONENT.longValue(),
- temporaryPairMode,
- sensitivePairMode,
-- extractablePairMode);
-+ extractablePairMode,
-+ opFlags, opFlagsMask);
- }
- } else if(algorithm == KeyPairAlgorithm.DSA ) {
- if(params==null) {
- params = PQG1024;
- }
- DSAParameterSpec dsaParams = (DSAParameterSpec)params;
-- return generateDSAKeyPair(
-+ return generateDSAKeyPairWithOpFlags(
- token,
- PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getP()),
- PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getQ()),
- PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getG()),
- temporaryPairMode,
- sensitivePairMode,
-- extractablePairMode);
-+ extractablePairMode,
-+ opFlags, opFlagsMask);
- } else {
- Assert._assert( algorithm == KeyPairAlgorithm.EC );
- // requires JAVA 1.5 for ECParameters.
-@@ -233,12 +270,14 @@ public final class PK11KeyPairGenerator
- // ecParams.init(params);
- PK11ParameterSpec ecParams = (PK11ParameterSpec) params;
-
-- return generateECKeyPair(
-+ return generateECKeyPairWithOpFlags(
- token,
- ecParams.getEncoded(), /* curve */
- temporaryPairMode,
- sensitivePairMode,
-- extractablePairMode);
-+ extractablePairMode,
-+ opFlags,
-+ opFlagsMask);
- }
- }
-
-@@ -266,6 +305,17 @@ public final class PK11KeyPairGenerator
- throws TokenException;
-
- /**
-+ * Generates an RSA key pair with the given size and public exponent.
-+ * Adds the ability to specify a set of flags and masks
-+ * to control how NSS generates the key pair.
-+ */
-+ private native KeyPair
-+ generateRSAKeyPairWithOpFlags(PK11Token token, int keySize, long publicExponent,
-+ boolean temporary, int sensitive, int extractable,
-+ int op_flags, int op_flags_mask)
-+ throws TokenException;
-+
-+ /**
- * Generates a DSA key pair with the given P, Q, and G values.
- * P, Q, and G are stored as big-endian twos-complement octet strings.
- */
-@@ -275,6 +325,19 @@ public final class PK11KeyPairGenerator
- throws TokenException;
-
- /**
-+ * Generates a DSA key pair with the given P, Q, and G values.
-+ * P, Q, and G are stored as big-endian twos-complement octet strings.
-+ * Adds the ability to specify a set of flags and masks
-+ * to control how NSS generates the key pair.
-+ */
-+ private native KeyPair
-+ generateDSAKeyPairWithOpFlags(PK11Token token, byte[] P, byte[] Q, byte[] G,
-+ boolean temporary, int sensitive, int extractable,
-+ int op_flags, int op_flags_mask)
-+ throws TokenException;
-+
-+
-+ /**
- * Generates a EC key pair with the given a curve.
- * Curves are stored as DER Encoded Parameters.
- */
-@@ -282,6 +345,18 @@ public final class PK11KeyPairGenerator
- generateECKeyPair(PK11Token token, byte[] Curve,
- boolean temporary, int sensitive, int extractable)
- throws TokenException;
-+ /**
-+ * Generates a EC key pair with the given a curve.
-+ * Curves are stored as DER Encoded Parameters.
-+ * Adds the ability to specify a set of flags and masks
-+ * to control how NSS generates the key pair.
-+ */
-+
-+ private native KeyPair
-+ generateECKeyPairWithOpFlags(PK11Token token, byte[] Curve,
-+ boolean temporary, int sensitive, int extractable,
-+ int op_flags, int op_flags_mask)
-+ throws TokenException;
-
- ///////////////////////////////////////////////////////////////////////
- ///////////////////////////////////////////////////////////////////////
-@@ -397,6 +472,38 @@ public final class PK11KeyPairGenerator
- extractablePairMode = extractable ? 1 : 0;
- }
-
-+ /**
-+ * Sets the requested key usages desired for the
-+ * generated key pair.
-+ * This allows the caller to suggest how NSS generates the key pair.
-+ * @param usages List of desired key usages.
-+ * @param usages_mask Corresponding mask for the key usages.
-+ * if a usages is desired, make sure it is in the mask as well.
-+ */
-+
-+ public void setKeyPairUsages(org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usages,
-+ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usages_mask) {
-+
-+ this.opFlags = 0;
-+ this.opFlagsMask = 0;
-+
-+ if(usages != null) {
-+ for( int i = 0; i < usages.length; i++ ) {
-+ if( usages[i] != null ) {
-+ this.opFlags |= opFlagForUsage[usages[i].getVal()];
-+ }
-+ }
-+ }
-+
-+ if(usages_mask != null) {
-+ for( int i = 0; i < usages_mask.length; i++ ) {
-+ if( usages_mask[i] != null ) {
-+ this.opFlagsMask |= opFlagForUsage[usages_mask[i].getVal()];
-+ }
-+ }
-+ }
-+ }
-+
- //
- // requires JAVA 1.5
- //
-diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h
---- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h 2006-02-22 17:21:42.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h 2009-05-29 08:34:24.000000000 -0700
-@@ -157,6 +157,12 @@ JSS_PK11_generateKeyPair(JNIEnv *env, CK
- PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privK,
- void *params, PRBool temporary, jint senstive, jint extractable);
-
-+SECStatus
-+JSS_PK11_generateKeyPair_withOpFlags(JNIEnv *env, CK_MECHANISM_TYPE mechanism,
-+ PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk,
-+ void *params, PRBool temporary, jint sensitive, jint extractable,
-+ jint op_flags, jint op_flags_mask);
-+
- /*=====================================================================
- C E R T I F I C A T E S
- =====================================================================*/
diff --git a/SOURCES/jss-loadlibrary.patch b/SOURCES/jss-loadlibrary.patch
deleted file mode 100644
index a8643a4..0000000
--- a/SOURCES/jss-loadlibrary.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff -uN --recursive jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2008-01-31 17:29:16.000000000 -0500
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-01-07 10:47:04.000000000 -0500
-@@ -1334,11 +1334,20 @@
- */
- synchronized static void loadNativeLibraries()
- {
-- if( ! mNativeLibrariesLoaded )
-- {
-- System.loadLibrary("jss4");
-- Debug.trace(Debug.VERBOSE, "jss library loaded");
-- mNativeLibrariesLoaded = true;
-+ if( ! mNativeLibrariesLoaded ) {
-+ try {
-+ System.load( "/usr/lib64/jss/libjss4.so" );
-+ Debug.trace(Debug.VERBOSE, "jss library loaded");
-+ mNativeLibrariesLoaded = true;
-+ } catch( UnsatisfiedLinkError e ) {
-+ try {
-+ System.load( "/usr/lib/jss/libjss4.so" );
-+ Debug.trace(Debug.VERBOSE, "jss library loaded");
-+ mNativeLibrariesLoaded = true;
-+ } catch( UnsatisfiedLinkError f ) {
-+ Debug.trace(Debug.VERBOSE, "jss library load failed");
-+ }
-+ }
- }
- }
- static private boolean mNativeLibrariesLoaded = false;
diff --git a/SOURCES/jss-lunasaUnwrap.patch b/SOURCES/jss-lunasaUnwrap.patch
deleted file mode 100644
index 5021bd6..0000000
--- a/SOURCES/jss-lunasaUnwrap.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2016-04-28 16:50:06.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2016-04-28 16:50:00.000000000 -0700
-@@ -434,7 +434,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- isSensitive = PR_FALSE;
- isExtractable = PR_FALSE;
- } else if ( isLunasa) {
-- isSensitive = PR_FALSE;
-+ isSensitive = PR_TRUE;
- isExtractable = PR_TRUE;
- }
-
diff --git a/SOURCES/jss-ocspSettings.patch b/SOURCES/jss-ocspSettings.patch
deleted file mode 100644
index c9ac226..0000000
--- a/SOURCES/jss-ocspSettings.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.orig jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6/mozilla/security/jss/lib/jss.def.orig 2009-11-04 14:26:26.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-11-04 14:11:05.000000000 -0800
-@@ -329,6 +329,8 @@ Java_org_mozilla_jss_pkcs11_PK11Token_ne
- Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags;
- Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags;
- Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
-+Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
-+Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
- ;+ local:
- ;+ *;
- ;+};
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c.orig 2009-11-04 14:20:43.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2009-11-05 10:48:32.590000000 -0800
-@@ -976,3 +976,45 @@ Java_org_mozilla_jss_CryptoManager_confi
- }
- }
-
-+
-+/**********************************************************************
-+* OCSPCacheSettingsNative
-+*
-+* Allows configuration of the OCSP responder cache during runtime.
-+*/
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative(
-+ JNIEnv *env, jobject this,
-+ jint ocsp_cache_size,
-+ jint ocsp_min_cache_entry_duration,
-+ jint ocsp_max_cache_entry_duration)
-+{
-+ SECStatus rv = SECFailure;
-+
-+ rv = CERT_OCSPCacheSettings(
-+ ocsp_cache_size, ocsp_min_cache_entry_duration,
-+ ocsp_max_cache_entry_duration);
-+
-+ if (rv != SECSuccess) {
-+ JSS_throwMsgPrErr(env,
-+ GENERAL_SECURITY_EXCEPTION,
-+ "Failed to set OCSP cache: error "+ PORT_GetError());
-+ }
-+}
-+
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative(
-+ JNIEnv *env, jobject this,
-+ jint ocsp_timeout )
-+{
-+ SECStatus rv = SECFailure;
-+
-+ rv = CERT_SetOCSPTimeout(ocsp_timeout);
-+
-+ if (rv != SECSuccess) {
-+ JSS_throwMsgPrErr(env,
-+ GENERAL_SECURITY_EXCEPTION,
-+ "Failed to set OCSP timeout: error "+ PORT_GetError());
-+ }
-+}
-+
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.orig 2009-11-04 14:20:33.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2009-11-05 10:48:59.415001000 -0800
-@@ -1479,4 +1479,41 @@ public final class CryptoManager impleme
- String ocspResponderCertNickname )
- throws GeneralSecurityException;
-
-+ /**
-+ * change OCSP cache settings
-+ * * @param ocsp_cache_size max cache entries
-+ * * @param ocsp_min_cache_entry_duration minimum seconds to next fetch attempt
-+ * * @param ocsp_max_cache_entry_duration maximum seconds to next fetch attempt
-+ */
-+ public void OCSPCacheSettings(
-+ int ocsp_cache_size,
-+ int ocsp_min_cache_entry_duration,
-+ int ocsp_max_cache_entry_duration)
-+ throws GeneralSecurityException
-+ {
-+ OCSPCacheSettingsNative(ocsp_cache_size,
-+ ocsp_min_cache_entry_duration,
-+ ocsp_max_cache_entry_duration);
-+ }
-+
-+ private native void OCSPCacheSettingsNative(
-+ int ocsp_cache_size,
-+ int ocsp_min_cache_entry_duration,
-+ int ocsp_max_cache_entry_duration)
-+ throws GeneralSecurityException;
-+
-+ /**
-+ * set OCSP timeout value
-+ * * @param ocspTimeout OCSP timeout in seconds
-+ */
-+ public void setOCSPTimeout(
-+ int ocsp_timeout )
-+ throws GeneralSecurityException
-+ {
-+ setOCSPTimeoutNative( ocsp_timeout);
-+ }
-+
-+ private native void setOCSPTimeoutNative(
-+ int ocsp_timeout )
-+ throws GeneralSecurityException;
- }
diff --git a/SOURCES/jss-post-rebase.patch b/SOURCES/jss-post-rebase.patch
new file mode 100644
index 0000000..225ee96
--- /dev/null
+++ b/SOURCES/jss-post-rebase.patch
@@ -0,0 +1,5484 @@
+From e06171a21b19b1f6f5ce1749cebe2ecf942da614 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 17 Mar 2017 16:45:18 -0700
+Subject: [PATCH 01/11] Added Eclipse project files. Eclipse project file,
+ classpath, settings have been added to automate cleanups and certain
+ formattings which will simplify and standardize the development.
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1347394
+---
+ .classpath | 7 +
+ .gitignore | 1 +
+ .project | 17 +++
+ .settings/org.eclipse.jdt.core.prefs | 282 +++++++++++++++++++++++++++++++++++
+ .settings/org.eclipse.jdt.ui.prefs | 56 +++++++
+ 5 files changed, 363 insertions(+)
+ create mode 100644 .classpath
+ create mode 100644 .gitignore
+ create mode 100644 .project
+ create mode 100644 .settings/org.eclipse.jdt.core.prefs
+ create mode 100644 .settings/org.eclipse.jdt.ui.prefs
+
+diff --git a/.classpath b/.classpath
+new file mode 100644
+index 0000000..68f6f4f
+--- /dev/null
++++ b/.classpath
+@@ -0,0 +1,7 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<classpath>
++ <classpathentry excluding="samples/" kind="src" path=""/>
++ <classpathentry kind="src" path="samples"/>
++ <classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
++ <classpathentry kind="output" path="bin"/>
++</classpath>
+diff --git a/.gitignore b/.gitignore
+new file mode 100644
+index 0000000..ba077a4
+--- /dev/null
++++ b/.gitignore
+@@ -0,0 +1 @@
++bin
+diff --git a/.project b/.project
+new file mode 100644
+index 0000000..7f7adff
+--- /dev/null
++++ b/.project
+@@ -0,0 +1,17 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<projectDescription>
++ <name>jss</name>
++ <comment></comment>
++ <projects>
++ </projects>
++ <buildSpec>
++ <buildCommand>
++ <name>org.eclipse.jdt.core.javabuilder</name>
++ <arguments>
++ </arguments>
++ </buildCommand>
++ </buildSpec>
++ <natures>
++ <nature>org.eclipse.jdt.core.javanature</nature>
++ </natures>
++</projectDescription>
+diff --git a/.settings/org.eclipse.jdt.core.prefs b/.settings/org.eclipse.jdt.core.prefs
+new file mode 100644
+index 0000000..d2fbe82
+--- /dev/null
++++ b/.settings/org.eclipse.jdt.core.prefs
+@@ -0,0 +1,282 @@
++eclipse.preferences.version=1
++org.eclipse.jdt.core.formatter.align_type_members_on_columns=false
++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_allocation_expression=16
++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_annotation=0
++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_enum_constant=16
++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_explicit_constructor_call=16
++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_method_invocation=16
++org.eclipse.jdt.core.formatter.alignment_for_arguments_in_qualified_allocation_expression=16
++org.eclipse.jdt.core.formatter.alignment_for_assignment=0
++org.eclipse.jdt.core.formatter.alignment_for_binary_expression=16
++org.eclipse.jdt.core.formatter.alignment_for_compact_if=16
++org.eclipse.jdt.core.formatter.alignment_for_conditional_expression=80
++org.eclipse.jdt.core.formatter.alignment_for_enum_constants=0
++org.eclipse.jdt.core.formatter.alignment_for_expressions_in_array_initializer=16
++org.eclipse.jdt.core.formatter.alignment_for_method_declaration=0
++org.eclipse.jdt.core.formatter.alignment_for_multiple_fields=16
++org.eclipse.jdt.core.formatter.alignment_for_parameters_in_constructor_declaration=16
++org.eclipse.jdt.core.formatter.alignment_for_parameters_in_method_declaration=16
++org.eclipse.jdt.core.formatter.alignment_for_resources_in_try=80
++org.eclipse.jdt.core.formatter.alignment_for_selector_in_method_invocation=16
++org.eclipse.jdt.core.formatter.alignment_for_superclass_in_type_declaration=16
++org.eclipse.jdt.core.formatter.alignment_for_superinterfaces_in_enum_declaration=16
++org.eclipse.jdt.core.formatter.alignment_for_superinterfaces_in_type_declaration=16
++org.eclipse.jdt.core.formatter.alignment_for_throws_clause_in_constructor_declaration=16
++org.eclipse.jdt.core.formatter.alignment_for_throws_clause_in_method_declaration=16
++org.eclipse.jdt.core.formatter.alignment_for_union_type_in_multicatch=16
++org.eclipse.jdt.core.formatter.blank_lines_after_imports=1
++org.eclipse.jdt.core.formatter.blank_lines_after_package=1
++org.eclipse.jdt.core.formatter.blank_lines_before_field=0
++org.eclipse.jdt.core.formatter.blank_lines_before_first_class_body_declaration=0
++org.eclipse.jdt.core.formatter.blank_lines_before_imports=1
++org.eclipse.jdt.core.formatter.blank_lines_before_member_type=1
++org.eclipse.jdt.core.formatter.blank_lines_before_method=1
++org.eclipse.jdt.core.formatter.blank_lines_before_new_chunk=1
++org.eclipse.jdt.core.formatter.blank_lines_before_package=0
++org.eclipse.jdt.core.formatter.blank_lines_between_import_groups=1
++org.eclipse.jdt.core.formatter.blank_lines_between_type_declarations=1
++org.eclipse.jdt.core.formatter.brace_position_for_annotation_type_declaration=end_of_line
++org.eclipse.jdt.core.formatter.brace_position_for_anonymous_type_declaration=end_of_line
++org.eclipse.jdt.core.formatter.brace_position_for_array_initializer=end_of_line
++org.eclipse.jdt.core.formatter.brace_position_for_block=end_of_line
++org.eclipse.jdt.core.formatter.brace_position_for_block_in_case=end_of_line
++org.eclipse.jdt.core.formatter.brace_position_for_constructor_declaration=end_of_line
++org.eclipse.jdt.core.formatter.brace_position_for_enum_constant=end_of_line
++org.eclipse.jdt.core.formatter.brace_position_for_enum_declaration=end_of_line
++org.eclipse.jdt.core.formatter.brace_position_for_method_declaration=end_of_line
++org.eclipse.jdt.core.formatter.brace_position_for_switch=end_of_line
++org.eclipse.jdt.core.formatter.brace_position_for_type_declaration=end_of_line
++org.eclipse.jdt.core.formatter.comment.clear_blank_lines_in_block_comment=false
++org.eclipse.jdt.core.formatter.comment.clear_blank_lines_in_javadoc_comment=false
++org.eclipse.jdt.core.formatter.comment.format_block_comments=false
++org.eclipse.jdt.core.formatter.comment.format_header=false
++org.eclipse.jdt.core.formatter.comment.format_html=true
++org.eclipse.jdt.core.formatter.comment.format_javadoc_comments=true
++org.eclipse.jdt.core.formatter.comment.format_line_comments=false
++org.eclipse.jdt.core.formatter.comment.format_source_code=true
++org.eclipse.jdt.core.formatter.comment.indent_parameter_description=true
++org.eclipse.jdt.core.formatter.comment.indent_root_tags=true
++org.eclipse.jdt.core.formatter.comment.insert_new_line_before_root_tags=insert
++org.eclipse.jdt.core.formatter.comment.insert_new_line_for_parameter=do not insert
++org.eclipse.jdt.core.formatter.comment.line_length=120
++org.eclipse.jdt.core.formatter.comment.new_lines_at_block_boundaries=true
++org.eclipse.jdt.core.formatter.comment.new_lines_at_javadoc_boundaries=true
++org.eclipse.jdt.core.formatter.comment.preserve_white_space_between_code_and_line_comments=false
++org.eclipse.jdt.core.formatter.compact_else_if=true
++org.eclipse.jdt.core.formatter.continuation_indentation=2
++org.eclipse.jdt.core.formatter.continuation_indentation_for_array_initializer=2
++org.eclipse.jdt.core.formatter.disabling_tag=@formatter\:off
++org.eclipse.jdt.core.formatter.enabling_tag=@formatter\:on
++org.eclipse.jdt.core.formatter.format_guardian_clause_on_one_line=false
++org.eclipse.jdt.core.formatter.format_line_comment_starting_on_first_column=false
++org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_annotation_declaration_header=true
++org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_enum_constant_header=true
++org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_enum_declaration_header=true
++org.eclipse.jdt.core.formatter.indent_body_declarations_compare_to_type_header=true
++org.eclipse.jdt.core.formatter.indent_breaks_compare_to_cases=true
++org.eclipse.jdt.core.formatter.indent_empty_lines=false
++org.eclipse.jdt.core.formatter.indent_statements_compare_to_block=true
++org.eclipse.jdt.core.formatter.indent_statements_compare_to_body=true
++org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_cases=true
++org.eclipse.jdt.core.formatter.indent_switchstatements_compare_to_switch=false
++org.eclipse.jdt.core.formatter.indentation.size=8
++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_field=insert
++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_local_variable=insert
++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_member=insert
++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_method=insert
++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_package=insert
++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_parameter=do not insert
++org.eclipse.jdt.core.formatter.insert_new_line_after_annotation_on_type=insert
++org.eclipse.jdt.core.formatter.insert_new_line_after_label=do not insert
++org.eclipse.jdt.core.formatter.insert_new_line_after_opening_brace_in_array_initializer=do not insert
++org.eclipse.jdt.core.formatter.insert_new_line_at_end_of_file_if_missing=do not insert
++org.eclipse.jdt.core.formatter.insert_new_line_before_catch_in_try_statement=do not insert
++org.eclipse.jdt.core.formatter.insert_new_line_before_closing_brace_in_array_initializer=do not insert
++org.eclipse.jdt.core.formatter.insert_new_line_before_else_in_if_statement=do not insert
++org.eclipse.jdt.core.formatter.insert_new_line_before_finally_in_try_statement=do not insert
++org.eclipse.jdt.core.formatter.insert_new_line_before_while_in_do_statement=do not insert
++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_annotation_declaration=insert
++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_anonymous_type_declaration=insert
++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_block=insert
++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_enum_constant=insert
++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_enum_declaration=insert
++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_method_body=insert
++org.eclipse.jdt.core.formatter.insert_new_line_in_empty_type_declaration=insert
++org.eclipse.jdt.core.formatter.insert_space_after_and_in_type_parameter=insert
++org.eclipse.jdt.core.formatter.insert_space_after_assignment_operator=insert
++org.eclipse.jdt.core.formatter.insert_space_after_at_in_annotation=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_at_in_annotation_type_declaration=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_binary_operator=insert
++org.eclipse.jdt.core.formatter.insert_space_after_closing_angle_bracket_in_type_arguments=insert
++org.eclipse.jdt.core.formatter.insert_space_after_closing_angle_bracket_in_type_parameters=insert
++org.eclipse.jdt.core.formatter.insert_space_after_closing_brace_in_block=insert
++org.eclipse.jdt.core.formatter.insert_space_after_closing_paren_in_cast=insert
++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_assert=insert
++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_case=insert
++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_conditional=insert
++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_for=insert
++org.eclipse.jdt.core.formatter.insert_space_after_colon_in_labeled_statement=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_allocation_expression=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_annotation=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_array_initializer=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_constructor_declaration_parameters=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_constructor_declaration_throws=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_enum_constant_arguments=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_enum_declarations=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_explicitconstructorcall_arguments=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_for_increments=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_for_inits=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_declaration_parameters=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_declaration_throws=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_method_invocation_arguments=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_multiple_field_declarations=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_multiple_local_declarations=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_parameterized_type_reference=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_superinterfaces=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_type_arguments=insert
++org.eclipse.jdt.core.formatter.insert_space_after_comma_in_type_parameters=insert
++org.eclipse.jdt.core.formatter.insert_space_after_ellipsis=insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_parameterized_type_reference=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_type_arguments=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_angle_bracket_in_type_parameters=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_brace_in_array_initializer=insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_bracket_in_array_allocation_expression=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_bracket_in_array_reference=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_annotation=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_cast=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_catch=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_constructor_declaration=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_enum_constant=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_for=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_if=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_method_declaration=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_method_invocation=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_parenthesized_expression=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_switch=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_synchronized=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_try=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_opening_paren_in_while=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_postfix_operator=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_prefix_operator=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_question_in_conditional=insert
++org.eclipse.jdt.core.formatter.insert_space_after_question_in_wildcard=do not insert
++org.eclipse.jdt.core.formatter.insert_space_after_semicolon_in_for=insert
++org.eclipse.jdt.core.formatter.insert_space_after_semicolon_in_try_resources=insert
++org.eclipse.jdt.core.formatter.insert_space_after_unary_operator=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_and_in_type_parameter=insert
++org.eclipse.jdt.core.formatter.insert_space_before_assignment_operator=insert
++org.eclipse.jdt.core.formatter.insert_space_before_at_in_annotation_type_declaration=insert
++org.eclipse.jdt.core.formatter.insert_space_before_binary_operator=insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_parameterized_type_reference=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_type_arguments=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_angle_bracket_in_type_parameters=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_brace_in_array_initializer=insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_bracket_in_array_allocation_expression=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_bracket_in_array_reference=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_annotation=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_cast=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_catch=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_constructor_declaration=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_enum_constant=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_for=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_if=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_method_declaration=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_method_invocation=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_parenthesized_expression=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_switch=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_synchronized=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_try=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_closing_paren_in_while=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_assert=insert
++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_case=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_conditional=insert
++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_default=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_for=insert
++org.eclipse.jdt.core.formatter.insert_space_before_colon_in_labeled_statement=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_allocation_expression=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_annotation=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_array_initializer=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_constructor_declaration_parameters=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_constructor_declaration_throws=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_enum_constant_arguments=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_enum_declarations=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_explicitconstructorcall_arguments=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_for_increments=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_for_inits=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_declaration_parameters=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_declaration_throws=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_method_invocation_arguments=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_multiple_field_declarations=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_multiple_local_declarations=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_parameterized_type_reference=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_superinterfaces=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_type_arguments=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_comma_in_type_parameters=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_ellipsis=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_parameterized_type_reference=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_type_arguments=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_angle_bracket_in_type_parameters=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_annotation_type_declaration=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_anonymous_type_declaration=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_array_initializer=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_block=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_constructor_declaration=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_enum_constant=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_enum_declaration=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_method_declaration=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_switch=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_brace_in_type_declaration=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_allocation_expression=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_reference=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_bracket_in_array_type_reference=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_annotation=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_annotation_type_member_declaration=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_catch=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_constructor_declaration=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_enum_constant=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_for=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_if=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_method_declaration=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_method_invocation=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_parenthesized_expression=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_switch=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_synchronized=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_try=insert
++org.eclipse.jdt.core.formatter.insert_space_before_opening_paren_in_while=insert
++org.eclipse.jdt.core.formatter.insert_space_before_parenthesized_expression_in_return=insert
++org.eclipse.jdt.core.formatter.insert_space_before_parenthesized_expression_in_throw=insert
++org.eclipse.jdt.core.formatter.insert_space_before_postfix_operator=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_prefix_operator=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_question_in_conditional=insert
++org.eclipse.jdt.core.formatter.insert_space_before_question_in_wildcard=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_semicolon=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_semicolon_in_for=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_semicolon_in_try_resources=do not insert
++org.eclipse.jdt.core.formatter.insert_space_before_unary_operator=do not insert
++org.eclipse.jdt.core.formatter.insert_space_between_brackets_in_array_type_reference=do not insert
++org.eclipse.jdt.core.formatter.insert_space_between_empty_braces_in_array_initializer=do not insert
++org.eclipse.jdt.core.formatter.insert_space_between_empty_brackets_in_array_allocation_expression=do not insert
++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_annotation_type_member_declaration=do not insert
++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_constructor_declaration=do not insert
++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_enum_constant=do not insert
++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_method_declaration=do not insert
++org.eclipse.jdt.core.formatter.insert_space_between_empty_parens_in_method_invocation=do not insert
++org.eclipse.jdt.core.formatter.join_lines_in_comments=false
++org.eclipse.jdt.core.formatter.join_wrapped_lines=false
++org.eclipse.jdt.core.formatter.keep_else_statement_on_same_line=false
++org.eclipse.jdt.core.formatter.keep_empty_array_initializer_on_one_line=false
++org.eclipse.jdt.core.formatter.keep_imple_if_on_one_line=false
++org.eclipse.jdt.core.formatter.keep_then_statement_on_same_line=false
++org.eclipse.jdt.core.formatter.lineSplit=120
++org.eclipse.jdt.core.formatter.never_indent_block_comments_on_first_column=false
++org.eclipse.jdt.core.formatter.never_indent_line_comments_on_first_column=false
++org.eclipse.jdt.core.formatter.number_of_blank_lines_at_beginning_of_method_body=0
++org.eclipse.jdt.core.formatter.number_of_empty_lines_to_preserve=1
++org.eclipse.jdt.core.formatter.put_empty_statement_on_new_line=true
++org.eclipse.jdt.core.formatter.tabulation.char=space
++org.eclipse.jdt.core.formatter.tabulation.size=4
++org.eclipse.jdt.core.formatter.use_on_off_tags=false
++org.eclipse.jdt.core.formatter.use_tabs_only_for_leading_indentations=false
++org.eclipse.jdt.core.formatter.wrap_before_binary_operator=true
++org.eclipse.jdt.core.formatter.wrap_before_or_operator_multicatch=true
++org.eclipse.jdt.core.formatter.wrap_outer_expressions_when_nested=true
+diff --git a/.settings/org.eclipse.jdt.ui.prefs b/.settings/org.eclipse.jdt.ui.prefs
+new file mode 100644
+index 0000000..40b7812
+--- /dev/null
++++ b/.settings/org.eclipse.jdt.ui.prefs
+@@ -0,0 +1,56 @@
++eclipse.preferences.version=1
++editor_save_participant_org.eclipse.jdt.ui.postsavelistener.cleanup=true
++formatter_profile=_PKI Project Profile
++formatter_settings_version=12
++sp_cleanup.add_default_serial_version_id=true
++sp_cleanup.add_generated_serial_version_id=false
++sp_cleanup.add_missing_annotations=false
++sp_cleanup.add_missing_deprecated_annotations=true
++sp_cleanup.add_missing_methods=false
++sp_cleanup.add_missing_nls_tags=false
++sp_cleanup.add_missing_override_annotations=true
++sp_cleanup.add_missing_override_annotations_interface_methods=true
++sp_cleanup.add_serial_version_id=false
++sp_cleanup.always_use_blocks=true
++sp_cleanup.always_use_parentheses_in_expressions=false
++sp_cleanup.always_use_this_for_non_static_field_access=false
++sp_cleanup.always_use_this_for_non_static_method_access=false
++sp_cleanup.convert_to_enhanced_for_loop=false
++sp_cleanup.correct_indentation=false
++sp_cleanup.format_source_code=false
++sp_cleanup.format_source_code_changes_only=false
++sp_cleanup.make_local_variable_final=false
++sp_cleanup.make_parameters_final=false
++sp_cleanup.make_private_fields_final=true
++sp_cleanup.make_type_abstract_if_missing_method=false
++sp_cleanup.make_variable_declarations_final=false
++sp_cleanup.never_use_blocks=false
++sp_cleanup.never_use_parentheses_in_expressions=true
++sp_cleanup.on_save_use_additional_actions=true
++sp_cleanup.organize_imports=true
++sp_cleanup.qualify_static_field_accesses_with_declaring_class=false
++sp_cleanup.qualify_static_member_accesses_through_instances_with_declaring_class=true
++sp_cleanup.qualify_static_member_accesses_through_subtypes_with_declaring_class=true
++sp_cleanup.qualify_static_member_accesses_with_declaring_class=false
++sp_cleanup.qualify_static_method_accesses_with_declaring_class=false
++sp_cleanup.remove_private_constructors=true
++sp_cleanup.remove_trailing_whitespaces=true
++sp_cleanup.remove_trailing_whitespaces_all=true
++sp_cleanup.remove_trailing_whitespaces_ignore_empty=false
++sp_cleanup.remove_unnecessary_casts=true
++sp_cleanup.remove_unnecessary_nls_tags=false
++sp_cleanup.remove_unused_imports=true
++sp_cleanup.remove_unused_local_variables=false
++sp_cleanup.remove_unused_private_fields=true
++sp_cleanup.remove_unused_private_members=false
++sp_cleanup.remove_unused_private_methods=true
++sp_cleanup.remove_unused_private_types=true
++sp_cleanup.sort_members=false
++sp_cleanup.sort_members_all=false
++sp_cleanup.use_blocks=false
++sp_cleanup.use_blocks_only_for_return_and_throw=false
++sp_cleanup.use_parentheses_in_expressions=false
++sp_cleanup.use_this_for_non_static_field_access=false
++sp_cleanup.use_this_for_non_static_field_access_only_if_necessary=true
++sp_cleanup.use_this_for_non_static_method_access=false
++sp_cleanup.use_this_for_non_static_method_access_only_if_necessary=true
+--
+2.9.3
+
+
+From 8019c869865593a8fc078ca6dd555191711dad7b Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 17 Mar 2017 16:45:25 -0700
+Subject: [PATCH 02/11] Cleaned up SSLSocket class. The SSLSocket class has
+ been cleaned up using Eclipse to remove trailing white spaces and wildcards
+ in import statements.
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1347394
+---
+ org/mozilla/jss/ssl/SSLSocket.java | 179 +++++++++++++++++++------------------
+ 1 file changed, 90 insertions(+), 89 deletions(-)
+
+diff --git a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java
+index f91b218..642a3e6 100644
+--- a/org/mozilla/jss/ssl/SSLSocket.java
++++ b/org/mozilla/jss/ssl/SSLSocket.java
+@@ -4,12 +4,13 @@
+
+ package org.mozilla.jss.ssl;
+
+-import java.lang.IllegalArgumentException;
+-import java.net.*;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.net.InetAddress;
+ import java.net.SocketException;
+ import java.net.SocketTimeoutException;
+-import java.io.*;
+-import java.io.IOException;
++import java.net.UnknownHostException;
+ import java.util.Vector;
+
+ /**
+@@ -41,13 +42,13 @@ public class SSLSocket extends java.net.Socket {
+ private boolean open = false;
+ private boolean handshakeAsClient = true;
+ private SocketBase base = new SocketBase();
+- static final public int SSL_REQUIRE_NEVER =
++ static final public int SSL_REQUIRE_NEVER =
+ org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_NEVER;
+- static final public int SSL_REQUIRE_ALWAYS =
++ static final public int SSL_REQUIRE_ALWAYS =
+ org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_ALWAYS;
+- static final public int SSL_REQUIRE_FIRST_HANDSHAKE =
++ static final public int SSL_REQUIRE_FIRST_HANDSHAKE =
+ org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_FIRST_HANDSHAKE;
+- static final public int SSL_REQUIRE_NO_ERROR =
++ static final public int SSL_REQUIRE_NO_ERROR =
+ org.mozilla.jss.ssl.SocketBase.SSL_REQUIRE_NO_ERROR;
+ static final public int SSL_RENEGOTIATE_NEVER =
+ org.mozilla.jss.ssl.SocketBase.SSL_RENEGOTIATE_NEVER;
+@@ -411,12 +412,12 @@ public class SSLSocket extends java.net.Socket {
+ */
+ public native void setReceiveBufferSize(int size) throws SocketException;
+
+- /**
++ /**
+ * Returnst he size (in bytes) of the receive buffer.
+ */
+ public native int getReceiveBufferSize() throws SocketException;
+
+- /**
++ /**
+ * Closes this socket.
+ */
+ public void close() throws IOException {
+@@ -488,7 +489,7 @@ public class SSLSocket extends java.net.Socket {
+ l.handshakeCompleted(event);
+ }
+ }
+-
++
+
+ /**
+ * Enables SSL v2 on this socket. It is enabled by default, unless the
+@@ -534,10 +535,10 @@ public class SSLSocket extends java.net.Socket {
+ static public void enableTLSDefault(boolean enable) throws SocketException{
+ setSSLDefaultOption(SocketBase.SSL_ENABLE_TLS, enable);
+ }
+-
++
+ /**
+- * Enables Session tickets on this socket. It is disabled by default,
+- * unless the default has been changed with
++ * Enables Session tickets on this socket. It is disabled by default,
++ * unless the default has been changed with
+ * <code>enableSessionTicketsDefault</code>.
+ */
+ public void enableSessionTickets(boolean enable) throws SocketException {
+@@ -547,7 +548,7 @@ public class SSLSocket extends java.net.Socket {
+ /**
+ * Sets the default for Session Tickets for all new sockets.
+ */
+- static public void enableSessionTicketsDefault(boolean enable)
++ static public void enableSessionTicketsDefault(boolean enable)
+ throws SocketException{
+ setSSLDefaultOption(SocketBase.SSL_ENABLE_SESSION_TICKETS, enable);
+ }
+@@ -643,26 +644,26 @@ public class SSLSocket extends java.net.Socket {
+
+ /**
+ * Enable rollback detection for this socket.
+- * It is enabled by default, unless the default has been changed
++ * It is enabled by default, unless the default has been changed
+ * with <code>enableRollbackDetectionDefault</code>.
+ */
+- public void enableRollbackDetection(boolean enable)
+- throws SocketException
++ public void enableRollbackDetection(boolean enable)
++ throws SocketException
+ {
+ base.enableRollbackDetection(enable);
+ }
+-
++
+ /**
+ * Sets the default rollback detection for all new sockets.
+ */
+- static void enableRollbackDetectionDefault(boolean enable)
+- throws SocketException
++ static void enableRollbackDetectionDefault(boolean enable)
++ throws SocketException
+ {
+ setSSLDefaultOption(SocketBase.SSL_ROLLBACK_DETECTION, enable);
+ }
+-
++
+ /**
+- * This option, enableStepDown, is concerned with the generation
++ * This option, enableStepDown, is concerned with the generation
+ * of step-down keys which are used with export suites.
+ * If the server cert's public key is 512 bits or less
+ * this option is ignored because step-down keys don't
+@@ -673,15 +674,15 @@ public class SSLSocket extends java.net.Socket {
+ * enable=false: don't generate step-down keys; disable
+ * export cipher suites
+ *
+- * This option is enabled by default; unless the default has
++ * This option is enabled by default; unless the default has
+ * been changed with <code>SSLSocket.enableStepDownDefault</code>.
+ */
+ public void enableStepDown(boolean enable) throws SocketException {
+ base.enableStepDown(enable);
+ }
+ /**
+- * This option, enableStepDownDefault, is concerned with the
+- * generation of step-down keys which are used with export suites.
++ * This option, enableStepDownDefault, is concerned with the
++ * generation of step-down keys which are used with export suites.
+ * This options will set the default for all sockets.
+ * If the server cert's public key is 512 bits of less,
+ * this option is ignored because step-down keys don't
+@@ -694,92 +695,92 @@ public class SSLSocket extends java.net.Socket {
+ *
+ * This option is enabled by default for all sockets.
+ */
+- static void enableStepDownDefault(boolean enable)
+- throws SocketException
++ static void enableStepDownDefault(boolean enable)
++ throws SocketException
+ {
+ setSSLDefaultOption(SocketBase.SSL_NO_STEP_DOWN, enable);
+ }
+
+ /**
+- * Enable simultaneous read/write by separate read and write threads
++ * Enable simultaneous read/write by separate read and write threads
+ * (full duplex) for this socket.
+- * It is disabled by default, unless the default has been changed
++ * It is disabled by default, unless the default has been changed
+ * with <code>enableFDXDefault</code>.
+ */
+- public void enableFDX(boolean enable)
+- throws SocketException
++ public void enableFDX(boolean enable)
++ throws SocketException
+ {
+ base.enableFDX(enable);
+ }
+-
++
+ /**
+- * Sets the default to permit simultaneous read/write
++ * Sets the default to permit simultaneous read/write
+ * by separate read and write threads (full duplex)
+ * for all new sockets.
+ */
+- static void enableFDXDefault(boolean enable)
+- throws SocketException
++ static void enableFDXDefault(boolean enable)
++ throws SocketException
+ {
+ setSSLDefaultOption(SocketBase.SSL_ENABLE_FDX, enable);
+ }
+
+ /**
+ * Enable sending v3 client hello in v2 format for this socket.
+- * It is enabled by default, unless the default has been changed
++ * It is enabled by default, unless the default has been changed
+ * with <code>enableV2CompatibleHelloDefault</code>.
+ */
+- public void enableV2CompatibleHello(boolean enable)
+- throws SocketException
++ public void enableV2CompatibleHello(boolean enable)
++ throws SocketException
+ {
+ base.enableV2CompatibleHello(enable);
+ }
+-
+- /**
++
++ /**
+ * Sets the default to send v3 client hello in v2 format
+ * for all new sockets.
+ */
+- static void enableV2CompatibleHelloDefault(boolean enable)
+- throws SocketException
++ static void enableV2CompatibleHelloDefault(boolean enable)
++ throws SocketException
+ {
+ setSSLDefaultOption(SocketBase.SSL_V2_COMPATIBLE_HELLO, enable);
+ }
+-
++
+ /**
+ * @return a String listing the current SSLOptions for this SSLSocket.
+ */
+ public String getSSLOptions() {
+ return base.getSSLOptions();
+ }
+-
++
+ /**
+- *
+- * @param option
+- * @return 0 for option disabled 1 for option enabled.
++ *
++ * @param option
++ * @return 0 for option disabled 1 for option enabled.
+ */
+ static private native int getSSLDefaultOption(int option)
+ throws SocketException;
+
+ /**
+- *
++ *
+ * @return a String listing the Default SSLOptions for all SSLSockets.
+ */
+ static public String getSSLDefaultOptions() {
+ StringBuffer buf = new StringBuffer();
+ try {
+ buf.append("Default Options configured for all SSLSockets: ");
+- buf.append("\nSSL_ENABLE_SSL2" +
++ buf.append("\nSSL_ENABLE_SSL2" +
+ ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SSL2) != 0)
+ ? "=on" : "=off"));
+- buf.append("\nSSL_ENABLE_SSL3" +
+- ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SSL3) != 0)
++ buf.append("\nSSL_ENABLE_SSL3" +
++ ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SSL3) != 0)
+ ? "=on" : "=off"));
+- buf.append("\nSSL_ENABLE_TLS" +
+- ((getSSLDefaultOption(SocketBase.SSL_ENABLE_TLS) != 0)
++ buf.append("\nSSL_ENABLE_TLS" +
++ ((getSSLDefaultOption(SocketBase.SSL_ENABLE_TLS) != 0)
+ ? "=on" : "=off"));
+ buf.append("\nSSL_ENABLE_SESSION_TICKETS" +
+ ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SESSION_TICKETS)
+ != 0) ? "=on" : "=off"));
+- buf.append("\nSSL_REQUIRE_CERTIFICATE");
++ buf.append("\nSSL_REQUIRE_CERTIFICATE");
+ switch (getSSLDefaultOption(SocketBase.SSL_REQUIRE_CERTIFICATE)) {
+ case 0:
+ buf.append("=Never");
+@@ -797,23 +798,23 @@ public class SSLSocket extends java.net.Socket {
+ buf.append("=Report JSS Bug this option has a status.");
+ break;
+ } //end switch
+- buf.append("\nSSL_REQUEST_CERTIFICATE" +
+- ((getSSLDefaultOption(SocketBase.SSL_REQUEST_CERTIFICATE) != 0)
++ buf.append("\nSSL_REQUEST_CERTIFICATE" +
++ ((getSSLDefaultOption(SocketBase.SSL_REQUEST_CERTIFICATE) != 0)
+ ? "=on" : "=off"));
+- buf.append("\nSSL_NO_CACHE" +
++ buf.append("\nSSL_NO_CACHE" +
+ ((getSSLDefaultOption(SocketBase.SSL_NO_CACHE) != 0)
+ ? "=on" : "=off"));
+- buf.append("\nSSL_ROLLBACK_DETECTION" +
++ buf.append("\nSSL_ROLLBACK_DETECTION" +
+ ((getSSLDefaultOption(SocketBase.SSL_ROLLBACK_DETECTION) != 0)
+ ? "=on" : "=off"));
+- buf.append("\nSSL_NO_STEP_DOWN" +
++ buf.append("\nSSL_NO_STEP_DOWN" +
+ ((getSSLDefaultOption(SocketBase.SSL_NO_STEP_DOWN) != 0)
+ ? "=on" : "=off"));
+- buf.append("\nSSL_ENABLE_FDX" +
++ buf.append("\nSSL_ENABLE_FDX" +
+ ((getSSLDefaultOption(SocketBase.SSL_ENABLE_FDX) != 0)
+ ? "=on" : "=off"));
+- buf.append("\nSSL_V2_COMPATIBLE_HELLO" +
+- ((getSSLDefaultOption(SocketBase.SSL_V2_COMPATIBLE_HELLO) != 0)
++ buf.append("\nSSL_V2_COMPATIBLE_HELLO" +
++ ((getSSLDefaultOption(SocketBase.SSL_V2_COMPATIBLE_HELLO) != 0)
+ ? "=on" : "=off"));
+ buf.append("\nSSL_ENABLE_SESSION_TICKETS" +
+ ((getSSLDefaultOption(SocketBase.SSL_ENABLE_SESSION_TICKETS)
+@@ -845,7 +846,7 @@ public class SSLSocket extends java.net.Socket {
+ }
+ return buf.toString();
+ }
+-
++
+ /**
+ * Sets whether the socket requires client authentication from the remote
+ * peer. If requestClientAuth() has not already been called, this
+@@ -863,19 +864,19 @@ public class SSLSocket extends java.net.Socket {
+ * Sets whether the socket requires client authentication from the remote
+ * peer. If requestClientAuth() has not already been called, this method
+ * will tell the socket to request client auth as well as requiring it.
+- * This is only meaningful for the server end of the SSL connection.
+- * During the next handshake, the remote peer will be asked to
++ * This is only meaningful for the server end of the SSL connection.
++ * During the next handshake, the remote peer will be asked to
+ * authenticate itself with the requirement that was set.
+ *
+- * @param mode One of: SSLSocket.SSL_REQUIRE_NEVER,
+- * SSLSocket.SSL_REQUIRE_ALWAYS,
+- * SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE,
++ * @param mode One of: SSLSocket.SSL_REQUIRE_NEVER,
++ * SSLSocket.SSL_REQUIRE_ALWAYS,
++ * SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE,
+ * SSLSocket.SSL_REQUIRE_NO_ERROR
+ */
+ public void requireClientAuth(int mode)
+ throws SocketException
+ {
+- if (mode >= SocketBase.SSL_REQUIRE_NEVER &&
++ if (mode >= SocketBase.SSL_REQUIRE_NEVER &&
+ mode <= SocketBase.SSL_REQUIRE_NO_ERROR) {
+ base.requireClientAuth(mode);
+ } else {
+@@ -900,15 +901,15 @@ public class SSLSocket extends java.net.Socket {
+ * All subsequently created sockets will use this default setting
+ * This is only meaningful for the server end of the SSL connection.
+ *
+- * @param mode One of: SSLSocket.SSL_REQUIRE_NEVER,
+- * SSLSocket.SSL_REQUIRE_ALWAYS,
+- * SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE,
++ * @param mode One of: SSLSocket.SSL_REQUIRE_NEVER,
++ * SSLSocket.SSL_REQUIRE_ALWAYS,
++ * SSLSocket.SSL_REQUIRE_FIRST_HANDSHAKE,
+ * SSLSocket.SSL_REQUIRE_NO_ERROR
+ */
+ static public void requireClientAuthDefault(int mode)
+ throws SocketException
+ {
+- if (mode >= SocketBase.SSL_REQUIRE_NEVER &&
++ if (mode >= SocketBase.SSL_REQUIRE_NEVER &&
+ mode <= SocketBase.SSL_REQUIRE_NO_ERROR) {
+ setSSLDefaultOption(SocketBase.SSL_REQUEST_CERTIFICATE, true);
+ setSSLDefaultOptionMode(SocketBase.SSL_REQUIRE_CERTIFICATE,mode);
+@@ -924,7 +925,7 @@ public class SSLSocket extends java.net.Socket {
+ */
+ public native void forceHandshake() throws SocketException;
+
+- /**
++ /**
+ * Determines whether this end of the socket is the client or the server
+ * for purposes of the SSL protocol. By default, it is the client.
+ * @param b true if this end of the socket is the SSL slient, false
+@@ -1031,7 +1032,7 @@ public class SSLSocket extends java.net.Socket {
+ base.useCache(b);
+ }
+
+- /**
++ /**
+ * Sets the default setting for use of the session cache.
+ */
+ public void useCacheDefault(boolean b) throws SocketException {
+@@ -1090,7 +1091,7 @@ public class SSLSocket extends java.net.Socket {
+ setSSLVersionRangeDefault(ssl_variant.getEnum(), range.getMinEnum(), range.getMaxEnum());
+ }
+
+- /**
++ /**
+ * Sets SSL Version Range Default
+ */
+ private static native void setSSLVersionRangeDefault(int ssl_variant, int min, int max)
+@@ -1102,13 +1103,13 @@ public class SSLSocket extends java.net.Socket {
+ setSSLDefaultOption(option, on ? 1 : 0);
+ }
+
+- /**
++ /**
+ * Sets SSL Default options that have simple enable/disable values.
+ */
+ private static native void setSSLDefaultOption(int option, int on)
+ throws SocketException;
+
+- /**
++ /**
+ * Set SSL default options that have more modes than enable/disable.
+ */
+ private static native void setSSLDefaultOptionMode(int option, int mode)
+@@ -1141,19 +1142,19 @@ public class SSLSocket extends java.net.Socket {
+ native int socketAvailable()
+ throws IOException;
+
+- int read(byte[] b, int off, int len)
++ int read(byte[] b, int off, int len)
+ throws IOException, SocketTimeoutException {
+ synchronized (readLock) {
+ synchronized (this) {
+ if ( isClosed ) { /* abort read if socket is closed */
+ throw new IOException(
+- "Socket has been closed, and cannot be reused.");
++ "Socket has been closed, and cannot be reused.");
+ }
+- inRead = true;
++ inRead = true;
+ }
+ int iRet;
+ try {
+- iRet = socketRead(b, off, len, base.getTimeout());
++ iRet = socketRead(b, off, len, base.getTimeout());
+ } catch (SocketTimeoutException ste) {
+ throw new SocketTimeoutException(
+ "SocketTimeoutException cannot read on socket");
+@@ -1169,13 +1170,13 @@ public class SSLSocket extends java.net.Socket {
+ }
+ }
+
+- void write(byte[] b, int off, int len)
++ void write(byte[] b, int off, int len)
+ throws IOException, SocketTimeoutException {
+ synchronized (writeLock) {
+ synchronized (this) {
+ if ( isClosed ) { /* abort write if socket is closed */
+ throw new IOException(
+- "Socket has been closed, and cannot be reused.");
++ "Socket has been closed, and cannot be reused.");
+ }
+ inWrite = true;
+ }
+@@ -1284,9 +1285,9 @@ public class SSLSocket extends java.net.Socket {
+ }
+
+ /**
+- * isFipsCipherSuite
++ * isFipsCipherSuite
+ *
+- *@return true if the ciphersuite isFIPS, false otherwise
++ *@return true if the ciphersuite isFIPS, false otherwise
+ */
+ public static boolean isFipsCipherSuite(int ciphersuite) throws SocketException {
+ return isFipsCipherSuiteNative(ciphersuite);
+@@ -1364,12 +1365,12 @@ public class SSLSocket extends java.net.Socket {
+
+ public final static int TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062;
+ public final static int TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064;
+-
++
+ public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063;
+ public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065;
+ public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066;
+
+-// New TLS cipher suites in NSS 3.4
++// New TLS cipher suites in NSS 3.4
+ public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F;
+ public final static int TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030;
+ public final static int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031;
+--
+2.9.3
+
+
+From 0138f3f47e061c088ca231f9b177363beb2c2f62 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 17 Mar 2017 16:58:28 -0700
+Subject: [PATCH 03/11] Reformatted cipher definitions in SSLSocket class. The
+ cipher definitions in SSLSocket class have been moved to the top of the class
+ and reformatted for better readability.
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1347429
+---
+ org/mozilla/jss/ssl/SSLSocket.java | 289 ++++++++++++++++++-------------------
+ 1 file changed, 144 insertions(+), 145 deletions(-)
+
+diff --git a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java
+index 642a3e6..ce39987 100644
+--- a/org/mozilla/jss/ssl/SSLSocket.java
++++ b/org/mozilla/jss/ssl/SSLSocket.java
+@@ -18,6 +18,150 @@ import java.util.Vector;
+ */
+ public class SSLSocket extends java.net.Socket {
+
++ /**
++ *
++ * Note the following cipher-suites constants are not all implemented.
++ * You need to call getImplementedCiphersuites.
++ *
++ */
++
++ public final static int SSL2_RC4_128_WITH_MD5 = 0xFF01;
++ public final static int SSL2_RC4_128_EXPORT40_WITH_MD5 = 0xFF02;
++ public final static int SSL2_RC2_128_CBC_WITH_MD5 = 0xFF03;
++ public final static int SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 = 0xFF04;
++ public final static int SSL2_IDEA_128_CBC_WITH_MD5 = 0xFF05;
++ public final static int SSL2_DES_64_CBC_WITH_MD5 = 0xFF06;
++ public final static int SSL2_DES_192_EDE3_CBC_WITH_MD5 = 0xFF07;
++
++ public final static int SSL3_RSA_WITH_NULL_MD5 = 0x0001;
++ public final static int SSL3_RSA_WITH_NULL_SHA = 0x0002;
++ public final static int SSL3_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003;
++ public final static int SSL3_RSA_WITH_RC4_128_MD5 = 0x0004;
++ public final static int SSL3_RSA_WITH_RC4_128_SHA = 0x0005;
++ public final static int SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006;
++ public final static int SSL3_RSA_WITH_IDEA_CBC_SHA = 0x0007;
++ public final static int SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008;
++ public final static int SSL3_RSA_WITH_DES_CBC_SHA = 0x0009;
++ public final static int SSL3_RSA_WITH_3DES_EDE_CBC_SHA = 0x000a;
++
++ public final static int SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000b;
++ public final static int SSL3_DH_DSS_WITH_DES_CBC_SHA = 0x000c;
++ public final static int SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000d;
++ public final static int SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000e;
++ public final static int SSL3_DH_RSA_WITH_DES_CBC_SHA = 0x000f;
++ public final static int SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010;
++
++ public final static int SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011;
++ public final static int SSL3_DHE_DSS_WITH_DES_CBC_SHA = 0x0012;
++ public final static int SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013;
++ public final static int SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014;
++ public final static int SSL3_DHE_RSA_WITH_DES_CBC_SHA = 0x0015;
++ public final static int SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016;
++
++ public final static int SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017;
++ public final static int SSL3_DH_ANON_WITH_RC4_128_MD5 = 0x0018;
++ public final static int SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019;
++ public final static int SSL3_DH_ANON_WITH_DES_CBC_SHA = 0x001a;
++ public final static int SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001b;
++
++ /**
++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported.
++ * SSL3_FORTEZZA_DMS_WITH_NULL_SHA, SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA
++ * and SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA are placeholders for
++ * backward compatibility.
++ */
++ public final static int SSL3_FORTEZZA_DMS_WITH_NULL_SHA = 0x001c;
++ public final static int SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = 0x001d;
++ public final static int SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA = 0x001e;
++
++ public final static int SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xfeff;
++ public final static int SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xfefe;
++
++ public final static int TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062;
++ public final static int TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064;
++
++ public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063;
++ public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065;
++ public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066;
++ public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067;
++ public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B;
++
++ // New TLS cipher suites in NSS 3.4
++ public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F;
++ public final static int TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030;
++ public final static int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031;
++ public final static int TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032;
++ public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033;
++ public final static int TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034;
++
++ public final static int TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035;
++ public final static int TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036;
++ public final static int TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037;
++ public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038;
++ public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039;
++ public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A;
++ public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003B;
++ public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C;
++ public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D;
++
++ public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041;
++ public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042;
++ public final static int TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043;
++ public final static int TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044;
++ public final static int TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045;
++ public final static int TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046;
++
++ public final static int TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084;
++ public final static int TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085;
++ public final static int TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086;
++ public final static int TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087;
++ public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088;
++ public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089;
++
++ public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096;
++
++ public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C;
++ public final static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E;
++ public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2;
++
++ public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001;
++ public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002;
++ public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003;
++ public final static int TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xc004;
++ public final static int TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xc005;
++
++ public final static int TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xc006;
++ public final static int TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xc007;
++ public final static int TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc008;
++ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xc009;
++ public final static int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xc00a;
++
++ public final static int TLS_ECDH_RSA_WITH_NULL_SHA = 0xc00b;
++ public final static int TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xc00c;
++ public final static int TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xc00d;
++ public final static int TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xc00e;
++ public final static int TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xc00f;
++
++ public final static int TLS_ECDHE_RSA_WITH_NULL_SHA = 0xc010;
++ public final static int TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xc011;
++ public final static int TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xc012;
++ public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xc013;
++ public final static int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xc014;
++
++ public final static int TLS_ECDH_anon_WITH_NULL_SHA = 0xc015;
++ public final static int TLS_ECDH_anon_WITH_RC4_128_SHA = 0xc016;
++ public final static int TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xc017;
++ public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018;
++ public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019;
++
++ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023;
++ public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027;
++
++ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02B;
++ public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D;
++ public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02F;
++ public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031;
++
+ /*
+ * Locking strategy of SSLSocket
+ *
+@@ -1303,149 +1447,4 @@ public class SSLSocket extends java.net.Socket {
+ * <tt>TLS_RSA_WITH_AES_128_CBC_SHA</tt>).
+ */
+ public static native int[] getImplementedCipherSuites();
+-
+- /**
+- *
+- * Note the following cipher-suites constants are not all implemented.
+- * You need to call getImplementedCiphersuites.
+- *
+- */
+-
+- public final static int SSL2_RC4_128_WITH_MD5 = 0xFF01;
+- public final static int SSL2_RC4_128_EXPORT40_WITH_MD5 = 0xFF02;
+- public final static int SSL2_RC2_128_CBC_WITH_MD5 = 0xFF03;
+- public final static int SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 = 0xFF04;
+- public final static int SSL2_IDEA_128_CBC_WITH_MD5 = 0xFF05;
+- public final static int SSL2_DES_64_CBC_WITH_MD5 = 0xFF06;
+- public final static int SSL2_DES_192_EDE3_CBC_WITH_MD5 = 0xFF07;
+-
+- public final static int SSL3_RSA_WITH_NULL_MD5 = 0x0001;
+- public final static int SSL3_RSA_WITH_NULL_SHA = 0x0002;
+- public final static int SSL3_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003;
+- public final static int SSL3_RSA_WITH_RC4_128_MD5 = 0x0004;
+- public final static int SSL3_RSA_WITH_RC4_128_SHA = 0x0005;
+- public final static int SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006;
+- public final static int SSL3_RSA_WITH_IDEA_CBC_SHA = 0x0007;
+- public final static int SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008;
+- public final static int SSL3_RSA_WITH_DES_CBC_SHA = 0x0009;
+- public final static int SSL3_RSA_WITH_3DES_EDE_CBC_SHA = 0x000a;
+-
+- public final static int SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000b;
+- public final static int SSL3_DH_DSS_WITH_DES_CBC_SHA = 0x000c;
+- public final static int SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000d;
+- public final static int SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000e;
+- public final static int SSL3_DH_RSA_WITH_DES_CBC_SHA = 0x000f;
+- public final static int SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010;
+-
+- public final static int SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011;
+- public final static int SSL3_DHE_DSS_WITH_DES_CBC_SHA = 0x0012;
+- public final static int SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013;
+- public final static int SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014;
+- public final static int SSL3_DHE_RSA_WITH_DES_CBC_SHA = 0x0015;
+- public final static int SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016;
+-
+- public final static int SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017;
+- public final static int SSL3_DH_ANON_WITH_RC4_128_MD5 = 0x0018;
+- public final static int SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019;
+- public final static int SSL3_DH_ANON_WITH_DES_CBC_SHA = 0x001a;
+- public final static int SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001b;
+-
+- /**
+- * @deprecated As of NSS 3.11, FORTEZZA is no longer supported.
+- * SSL3_FORTEZZA_DMS_WITH_NULL_SHA, SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA
+- * and SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA are placeholders for
+- * backward compatibility.
+- */
+- public final static int SSL3_FORTEZZA_DMS_WITH_NULL_SHA = 0x001c;
+- public final static int SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA= 0x001d;
+- public final static int SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA = 0x001e;
+-
+- public final static int SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xfeff;
+- public final static int SSL_RSA_FIPS_WITH_DES_CBC_SHA = 0xfefe;
+-
+- public final static int TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = 0x0062;
+- public final static int TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = 0x0064;
+-
+- public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063;
+- public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065;
+- public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066;
+-
+-// New TLS cipher suites in NSS 3.4
+- public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F;
+- public final static int TLS_DH_DSS_WITH_AES_128_CBC_SHA = 0x0030;
+- public final static int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031;
+- public final static int TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032;
+- public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033;
+- public final static int TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034;
+-
+- public final static int TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035;
+- public final static int TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036;
+- public final static int TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037;
+- public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038;
+- public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039;
+- public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003a;
+- public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003b;
+- public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003c;
+- public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003d;
+-
+- public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041;
+- public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042;
+- public final static int TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043;
+- public final static int TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044;
+- public final static int TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045;
+- public final static int TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046;
+-
+- public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067;
+- public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006b;
+-
+- public final static int TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084;
+- public final static int TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085;
+- public final static int TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086;
+- public final static int TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087;
+- public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088;
+- public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089;
+-
+- public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096;
+-
+- public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009c;
+- public final static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009e;
+- public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2;
+-
+- public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001;
+- public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002;
+- public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003;
+- public final static int TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xc004;
+- public final static int TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xc005;
+-
+- public final static int TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xc006;
+- public final static int TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xc007;
+- public final static int TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc008;
+- public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xc009;
+- public final static int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xc00a;
+-
+- public final static int TLS_ECDH_RSA_WITH_NULL_SHA = 0xc00b;
+- public final static int TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xc00c;
+- public final static int TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xc00d;
+- public final static int TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xc00e;
+- public final static int TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xc00f;
+-
+- public final static int TLS_ECDHE_RSA_WITH_NULL_SHA = 0xc010;
+- public final static int TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xc011;
+- public final static int TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xc012;
+- public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xc013;
+- public final static int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xc014;
+-
+- public final static int TLS_ECDH_anon_WITH_NULL_SHA = 0xc015;
+- public final static int TLS_ECDH_anon_WITH_RC4_128_SHA = 0xc016;
+- public final static int TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xc017;
+- public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018;
+- public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019;
+-
+- public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023;
+- public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027;
+- public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02b;
+- public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D;
+- public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02f;
+- public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031;
+ }
+-
+--
+2.9.3
+
+
+From 71f8cd5a15610690f6e8f226fc081b10f9dd9cb6 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Fri, 17 Mar 2017 16:59:11 -0700
+Subject: [PATCH 04/11] Added annotations for deprecated SSL 3.0 ciphers. Some
+ SSL 3.0 ciphers have deprecated according to this list:
+ https://github.com/nss-dev/nss/blob/master/lib/ssl/sslproto.h
+
+The deprecated cipher definitions have been marked accordingly
+in the SSLSocket class. The replacement cipher definitions (if
+any) have been added with the same cipher IDs.
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1347429
+---
+ org/mozilla/jss/ssl/SSLSocket.java | 152 ++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 149 insertions(+), 3 deletions(-)
+
+diff --git a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java
+index ce39987..2e1ac54 100644
+--- a/org/mozilla/jss/ssl/SSLSocket.java
++++ b/org/mozilla/jss/ssl/SSLSocket.java
+@@ -33,45 +33,166 @@ public class SSLSocket extends java.net.Socket {
+ public final static int SSL2_DES_64_CBC_WITH_MD5 = 0xFF06;
+ public final static int SSL2_DES_192_EDE3_CBC_WITH_MD5 = 0xFF07;
+
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_NULL_MD5.
++ */
++ @Deprecated
+ public final static int SSL3_RSA_WITH_NULL_MD5 = 0x0001;
++ public final static int TLS_RSA_WITH_NULL_MD5 = 0x0001;
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_NULL_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_RSA_WITH_NULL_SHA = 0x0002;
++ public final static int TLS_RSA_WITH_NULL_SHA = 0x0002;
++
+ public final static int SSL3_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003;
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_RC4_128_MD5.
++ */
++ @Deprecated
+ public final static int SSL3_RSA_WITH_RC4_128_MD5 = 0x0004;
++ public final static int TLS_RSA_WITH_RC4_128_MD5 = 0x0004;
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_RC4_128_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_RSA_WITH_RC4_128_SHA = 0x0005;
++ public final static int TLS_RSA_WITH_RC4_128_SHA = 0x0005;
++
+ public final static int SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = 0x0006;
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_IDEA_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_RSA_WITH_IDEA_CBC_SHA = 0x0007;
++ public final static int TLS_RSA_WITH_IDEA_CBC_SHA = 0x0007;
++
+ public final static int SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0008;
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_DES_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_RSA_WITH_DES_CBC_SHA = 0x0009;
++ public final static int TLS_RSA_WITH_DES_CBC_SHA = 0x0009;
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_3DES_EDE_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_RSA_WITH_3DES_EDE_CBC_SHA = 0x000a;
++ public final static int TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000a;
+
+ public final static int SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x000b;
++
++ /**
++ * @deprecated Replaced with TLS_DH_DSS_WITH_DES_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_DH_DSS_WITH_DES_CBC_SHA = 0x000c;
++ public final static int TLS_DH_DSS_WITH_DES_CBC_SHA = 0x000c;
++
++ /**
++ * @deprecated Replaced with TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000d;
++ public final static int TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = 0x000d;
++
+ public final static int SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x000e;
++
++ /**
++ * @deprecated Replaced with TLS_DH_RSA_WITH_DES_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_DH_RSA_WITH_DES_CBC_SHA = 0x000f;
++ public final static int TLS_DH_RSA_WITH_DES_CBC_SHA = 0x000f;
++
++ /**
++ * @deprecated Replaced with TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010;
++ public final static int TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = 0x0010;
+
+ public final static int SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = 0x0011;
++
++ /**
++ * @deprecated Replaced with TLS_DHE_DSS_WITH_DES_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_DHE_DSS_WITH_DES_CBC_SHA = 0x0012;
++ public final static int TLS_DHE_DSS_WITH_DES_CBC_SHA = 0x0012;
++
++ /**
++ * @deprecated Replaced with TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013;
++ public final static int TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = 0x0013;
++
+ public final static int SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = 0x0014;
++
++ /**
++ * @deprecated Replaced with TLS_DHE_RSA_WITH_DES_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_DHE_RSA_WITH_DES_CBC_SHA = 0x0015;
++ public final static int TLS_DHE_RSA_WITH_DES_CBC_SHA = 0x0015;
++
++ /**
++ * @deprecated Replaced with TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016;
++ public final static int TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x0016;
+
+ public final static int SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5 = 0x0017;
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_RC4_128_MD5.
++ */
++ @Deprecated
+ public final static int SSL3_DH_ANON_WITH_RC4_128_MD5 = 0x0018;
++ public final static int TLS_DH_anon_WITH_RC4_128_MD5 = 0x0018;
++
+ public final static int SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA = 0x0019;
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_DES_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_DH_ANON_WITH_DES_CBC_SHA = 0x001a;
++ public final static int TLS_DH_anon_WITH_DES_CBC_SHA = 0x001a;
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_3DES_EDE_CBC_SHA.
++ */
++ @Deprecated
+ public final static int SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA = 0x001b;
++ public final static int TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = 0x001b;
+
+ /**
+ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported.
+- * SSL3_FORTEZZA_DMS_WITH_NULL_SHA, SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA
+- * and SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA are placeholders for
+- * backward compatibility.
+ */
++ @Deprecated
+ public final static int SSL3_FORTEZZA_DMS_WITH_NULL_SHA = 0x001c;
++
++ /**
++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported.
++ */
++ @Deprecated
+ public final static int SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA = 0x001d;
++
++ /**
++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported.
++ */
++ @Deprecated
+ public final static int SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA = 0x001e;
+
+ public final static int SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA = 0xfeff;
+@@ -92,14 +213,27 @@ public class SSLSocket extends java.net.Socket {
+ public final static int TLS_DH_RSA_WITH_AES_128_CBC_SHA = 0x0031;
+ public final static int TLS_DHE_DSS_WITH_AES_128_CBC_SHA = 0x0032;
+ public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033;
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_AES_128_CBC_SHA.
++ */
++ @Deprecated
+ public final static int TLS_DH_ANON_WITH_AES_128_CBC_SHA = 0x0034;
++ public final static int TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034;
+
+ public final static int TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035;
+ public final static int TLS_DH_DSS_WITH_AES_256_CBC_SHA = 0x0036;
+ public final static int TLS_DH_RSA_WITH_AES_256_CBC_SHA = 0x0037;
+ public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038;
+ public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039;
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_AES_256_CBC_SHA.
++ */
++ @Deprecated
+ public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A;
++ public final static int TLS_DH_anon_WITH_AES_256_CBC_SHA = 0x003A;
++
+ public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003B;
+ public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C;
+ public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D;
+@@ -109,14 +243,26 @@ public class SSLSocket extends java.net.Socket {
+ public final static int TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043;
+ public final static int TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044;
+ public final static int TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045;
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA.
++ */
++ @Deprecated
+ public final static int TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046;
++ public final static int TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = 0x0046;
+
+ public final static int TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084;
+ public final static int TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085;
+ public final static int TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086;
+ public final static int TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087;
+ public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088;
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA.
++ */
++ @Deprecated
+ public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089;
++ public final static int TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = 0x0089;
+
+ public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096;
+
+--
+2.9.3
+
+
+From 7027cbab0757376f4719674173206df0cdadd592 Mon Sep 17 00:00:00 2001
+From: "Endi S. Edewata" <edewata@redhat.com>
+Date: Tue, 21 Mar 2017 13:09:37 -0700
+Subject: [PATCH 05/11] Added SSLSocketListener. The SSLSocket has been
+ modified to support SSLSocketListener which will be invoked when an SSL alert
+ has been sent or received, also when an SSL handshake has been completed.
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1348856
+---
+ org/mozilla/jss/ssl/SSLAlertDescription.java | 64 ++++++++++++++
+ org/mozilla/jss/ssl/SSLAlertEvent.java | 39 +++++++++
+ org/mozilla/jss/ssl/SSLAlertLevel.java | 29 +++++++
+ org/mozilla/jss/ssl/SSLSocket.java | 53 ++++++++----
+ org/mozilla/jss/ssl/SSLSocketListener.java | 11 +++
+ org/mozilla/jss/ssl/callbacks.c | 119 +++++++++++++++++++++++++++
+ org/mozilla/jss/ssl/common.c | 19 +++++
+ org/mozilla/jss/ssl/jssl.h | 8 ++
+ org/mozilla/jss/util/java_ids.h | 8 ++
+ 9 files changed, 332 insertions(+), 18 deletions(-)
+ create mode 100644 org/mozilla/jss/ssl/SSLAlertDescription.java
+ create mode 100644 org/mozilla/jss/ssl/SSLAlertEvent.java
+ create mode 100644 org/mozilla/jss/ssl/SSLAlertLevel.java
+ create mode 100644 org/mozilla/jss/ssl/SSLSocketListener.java
+
+diff --git a/org/mozilla/jss/ssl/SSLAlertDescription.java b/org/mozilla/jss/ssl/SSLAlertDescription.java
+new file mode 100644
+index 0000000..c2ed060
+--- /dev/null
++++ b/org/mozilla/jss/ssl/SSLAlertDescription.java
+@@ -0,0 +1,64 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++package org.mozilla.jss.ssl;
++
++public enum SSLAlertDescription {
++
++ // see lib/ssl/ssl3prot.h in NSS
++ CLOSE_NOTIFY (0),
++ END_OF_EARLY_DATA (1), // TLS 1.3
++ UNEXPECTED_MESSAGE (10),
++ BAD_RECORD_MAC (20),
++ DECRYPTION_FAILED (21), // RFC 5246
++ RECORD_OVERFLOW (22), // TLS only
++ DECOMPRESSION_FAILURE (30),
++ HANDSHAKE_FAILURE (40),
++ NO_CERTIFICATE (41), // SSL3 only, NOT TLS
++ BAD_CERTIFICATE (42),
++ UNSUPPORTED_CERTIFICATE (43),
++ CERTIFICATE_REVOKED (44),
++ CERTIFICATE_EXPIRED (45),
++ CERTIFICATE_UNKNOWN (46),
++ ILLEGAL_PARAMETER (47),
++
++ // All alerts below are TLS only.
++ UNKNOWN_CA (48),
++ ACCESS_DENIED (49),
++ DECODE_ERROR (50),
++ DECRYPT_ERROR (51),
++ EXPORT_RESTRICTION (60),
++ PROTOCOL_VERSION (70),
++ INSUFFICIENT_SECURITY (71),
++ INTERNAL_ERROR (80),
++ INAPPROPRIATE_FALLBACK (86), // could also be sent for SSLv3
++ USER_CANCELED (90),
++ NO_RENEGOTIATION (100),
++
++ // Alerts for client hello extensions
++ MISSING_EXTENSION (109),
++ UNSUPPORTED_EXTENSION (110),
++ CERTIFICATE_UNOBTAINABLE (111),
++ UNRECOGNIZED_NAME (112),
++ BAD_CERTIFICATE_STATUS_RESPONSE (113),
++ BAD_CERTIFICATE_HASH_VALUE (114),
++ NO_APPLICATION_PROTOCOL (120);
++
++ private int id;
++
++ private SSLAlertDescription(int id) {
++ this.id = id;
++ }
++
++ public int getID() {
++ return id;
++ }
++
++ public static SSLAlertDescription valueOf(int id) {
++ for (SSLAlertDescription description : SSLAlertDescription.class.getEnumConstants()) {
++ if (description.id == id) return description;
++ }
++ return null;
++ }
++}
+diff --git a/org/mozilla/jss/ssl/SSLAlertEvent.java b/org/mozilla/jss/ssl/SSLAlertEvent.java
+new file mode 100644
+index 0000000..bfa42e1
+--- /dev/null
++++ b/org/mozilla/jss/ssl/SSLAlertEvent.java
+@@ -0,0 +1,39 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++package org.mozilla.jss.ssl;
++
++import java.util.EventObject;
++
++public class SSLAlertEvent extends EventObject {
++
++ private static final long serialVersionUID = 1L;
++
++ int level;
++ int description;
++
++ public SSLAlertEvent(SSLSocket socket) {
++ super(socket);
++ }
++
++ public SSLSocket getSocket() {
++ return (SSLSocket)getSource();
++ }
++
++ public int getLevel() {
++ return level;
++ }
++
++ public void setLevel(int level) {
++ this.level = level;
++ }
++
++ public int getDescription() {
++ return description;
++ }
++
++ public void setDescription(int description) {
++ this.description = description;
++ }
++}
+diff --git a/org/mozilla/jss/ssl/SSLAlertLevel.java b/org/mozilla/jss/ssl/SSLAlertLevel.java
+new file mode 100644
+index 0000000..f7f44f2
+--- /dev/null
++++ b/org/mozilla/jss/ssl/SSLAlertLevel.java
+@@ -0,0 +1,29 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++package org.mozilla.jss.ssl;
++
++public enum SSLAlertLevel {
++
++ // see lib/ssl/ssl3prot.h in NSS
++ WARNING (1),
++ FATAL (2);
++
++ private int id;
++
++ private SSLAlertLevel(int id) {
++ this.id = id;
++ }
++
++ public int getID() {
++ return id;
++ }
++
++ public static SSLAlertLevel valueOf(int id) {
++ for (SSLAlertLevel level : SSLAlertLevel.class.getEnumConstants()) {
++ if (level.id == id) return level;
++ }
++ return null;
++ }
++}
+diff --git a/org/mozilla/jss/ssl/SSLSocket.java b/org/mozilla/jss/ssl/SSLSocket.java
+index 2e1ac54..0dd39fd 100644
+--- a/org/mozilla/jss/ssl/SSLSocket.java
++++ b/org/mozilla/jss/ssl/SSLSocket.java
+@@ -11,7 +11,8 @@ import java.net.InetAddress;
+ import java.net.SocketException;
+ import java.net.SocketTimeoutException;
+ import java.net.UnknownHostException;
+-import java.util.Vector;
++import java.util.ArrayList;
++import java.util.Collection;
+
+ /**
+ * SSL client socket.
+@@ -349,6 +350,9 @@ public class SSLSocket extends java.net.Socket {
+ static final public int SSL_RENEGOTIATE_TRANSITIONAL =
+ org.mozilla.jss.ssl.SocketBase.SSL_RENEGOTIATE_TRANSITIONAL;
+
++ private Collection<SSLSocketListener> socketListeners = new ArrayList<>();
++ private Collection<SSLHandshakeCompletedListener> handshakeCompletedListeners = new ArrayList<>();
++
+ /**
+ * For sockets that get created by accept().
+ */
+@@ -749,38 +753,51 @@ public class SSLSocket extends java.net.Socket {
+ ////////////////////////////////////////////////////////////////////
+ // SSL-specific stuff
+ ////////////////////////////////////////////////////////////////////
+- private Vector handshakeCompletedListeners = new Vector();
++
++ public void addSocketListener(SSLSocketListener listener) {
++ socketListeners.add(listener);
++ addHandshakeCompletedListener(listener);
++ }
++
++ public void removeSocketListener(SSLSocketListener listener) {
++ socketListeners.remove(listener);
++ removeHandshakeCompletedListener(listener);
++ }
++
++ private void fireAlertReceivedEvent(SSLAlertEvent event) {
++ for (SSLSocketListener listener : socketListeners) {
++ listener.alertReceived(event);
++ }
++ }
++
++ private void fireAlertSentEvent(SSLAlertEvent event) {
++ for (SSLSocketListener listener : socketListeners) {
++ listener.alertSent(event);
++ }
++ }
+
+ /**
+ * Adds a listener to be notified when an SSL handshake completes.
+ */
+- public void addHandshakeCompletedListener(SSLHandshakeCompletedListener l) {
+- handshakeCompletedListeners.addElement(l);
++ public void addHandshakeCompletedListener(SSLHandshakeCompletedListener listener) {
++ handshakeCompletedListeners.add(listener);
+ }
+
+ /**
+ * Removes a previously registered listener for handshake completion.
+ */
+- public void removeHandshakeCompletedListener(
+- SSLHandshakeCompletedListener l) {
+- handshakeCompletedListeners.removeElement(l);
++ public void removeHandshakeCompletedListener(SSLHandshakeCompletedListener listener) {
++ handshakeCompletedListeners.remove(listener);
+ }
+
+ private void notifyAllHandshakeListeners() {
+- SSLHandshakeCompletedEvent event =
+- new SSLHandshakeCompletedEvent(this);
+-
+- /* XXX NOT THREAD SAFE */
+- int i;
+- for( i=0; i < handshakeCompletedListeners.size(); ++i) {
+- SSLHandshakeCompletedListener l =
+- (SSLHandshakeCompletedListener)
+- handshakeCompletedListeners.elementAt(i);
+- l.handshakeCompleted(event);
++ SSLHandshakeCompletedEvent event = new SSLHandshakeCompletedEvent(this);
++
++ for (SSLHandshakeCompletedListener listener : handshakeCompletedListeners) {
++ listener.handshakeCompleted(event);
+ }
+ }
+
+-
+ /**
+ * Enables SSL v2 on this socket. It is enabled by default, unless the
+ * default has been changed with <code>enableSSL2Default</code>.
+diff --git a/org/mozilla/jss/ssl/SSLSocketListener.java b/org/mozilla/jss/ssl/SSLSocketListener.java
+new file mode 100644
+index 0000000..e653f66
+--- /dev/null
++++ b/org/mozilla/jss/ssl/SSLSocketListener.java
+@@ -0,0 +1,11 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++package org.mozilla.jss.ssl;
++
++public interface SSLSocketListener extends SSLHandshakeCompletedListener {
++
++ public void alertReceived(SSLAlertEvent event);
++ public void alertSent(SSLAlertEvent event);
++}
+diff --git a/org/mozilla/jss/ssl/callbacks.c b/org/mozilla/jss/ssl/callbacks.c
+index d691363..0738e79 100644
+--- a/org/mozilla/jss/ssl/callbacks.c
++++ b/org/mozilla/jss/ssl/callbacks.c
+@@ -271,6 +271,125 @@ loser:
+ return rv;
+ }
+
++void
++JSSL_AlertReceivedCallback(const PRFileDesc *fd, void *arg, const SSLAlert *alert)
++{
++ JSSL_SocketData *socket = (JSSL_SocketData*) arg;
++
++ jint rc;
++ JNIEnv *env;
++ jclass socketClass, eventClass;
++ jmethodID eventConstructor, eventSetLevel, eventSetDescription;
++ jobject event;
++ jmethodID fireEvent;
++
++ PR_ASSERT(socket != NULL);
++ PR_ASSERT(socket->socketObject != NULL);
++
++ rc = (*JSS_javaVM)->AttachCurrentThread(JSS_javaVM, (void**)&env, NULL);
++ PR_ASSERT(rc == JNI_OK);
++ PR_ASSERT(env != NULL);
++
++ /* SSLAlertEvent event = new SSLAlertEvent(socket); */
++
++ socketClass = (*env)->FindClass(env, SSLSOCKET_CLASS);
++ PR_ASSERT(socketClass != NULL);
++
++ eventClass = (*env)->FindClass(env, SSL_ALERT_EVENT_CLASS);
++ PR_ASSERT(eventClass != NULL);
++
++ eventConstructor = (*env)->GetMethodID(env, eventClass, "<init>", "(L" SSLSOCKET_CLASS ";)V");
++ PR_ASSERT(eventConstructor != NULL);
++
++ event = (*env)->NewObject(env, eventClass, eventConstructor, socket->socketObject);
++ PR_ASSERT(event != NULL);
++
++ /* event.setLevel(level); */
++
++ eventSetLevel = (*env)->GetMethodID(env, eventClass, "setLevel", "(I)V");
++ PR_ASSERT(eventSetLevel != NULL);
++
++ (*env)->CallVoidMethod(env, event, eventSetLevel, (int)alert->level);
++
++ /* event.setDescription(description); */
++
++ eventSetDescription = (*env)->GetMethodID(env, eventClass, "setDescription", "(I)V");
++ PR_ASSERT(eventSetDescription != NULL);
++
++ (*env)->CallVoidMethod(env, event, eventSetDescription, alert->description);
++
++ /* socket.fireAlertReceivedEvent(event); */
++
++ fireEvent = (*env)->GetMethodID(env,
++ socketClass,
++ "fireAlertReceivedEvent",
++ "(L" SSL_ALERT_EVENT_CLASS ";)V");
++ PR_ASSERT(fireEvent != NULL);
++
++ (*env)->CallVoidMethod(env, socket->socketObject, fireEvent, event);
++
++ (*JSS_javaVM)->DetachCurrentThread(JSS_javaVM);
++}
++
++void
++JSSL_AlertSentCallback(const PRFileDesc *fd, void *arg, const SSLAlert *alert)
++{
++ JSSL_SocketData *socket = (JSSL_SocketData*) arg;
++
++ jint rc;
++ JNIEnv *env;
++ jclass socketClass, eventClass;
++ jmethodID eventConstructor, eventSetLevel, eventSetDescription;
++ jobject event;
++ jmethodID fireEvent;
++
++ PR_ASSERT(socket != NULL);
++ PR_ASSERT(socket->socketObject != NULL);
++
++ rc = (*JSS_javaVM)->AttachCurrentThread(JSS_javaVM, (void**)&env, NULL);
++ PR_ASSERT(rc == JNI_OK);
++ PR_ASSERT(env != NULL);
++
++ /* SSLAlertEvent event = new SSLAlertEvent(socket); */
++
++ socketClass = (*env)->FindClass(env, SSLSOCKET_CLASS);
++ PR_ASSERT(socketClass != NULL);
++
++ eventClass = (*env)->FindClass(env, SSL_ALERT_EVENT_CLASS);
++ PR_ASSERT(eventClass != NULL);
++
++ eventConstructor = (*env)->GetMethodID(env, eventClass, "<init>", "(L" SSLSOCKET_CLASS ";)V");
++ PR_ASSERT(eventConstructor != NULL);
++
++ event = (*env)->NewObject(env, eventClass, eventConstructor, socket->socketObject);
++ PR_ASSERT(event != NULL);
++
++ /* event.setLevel(level); */
++
++ eventSetLevel = (*env)->GetMethodID(env, eventClass, "setLevel", "(I)V");
++ PR_ASSERT(eventSetLevel != NULL);
++
++ (*env)->CallVoidMethod(env, event, eventSetLevel, (int)alert->level);
++
++ /* event.setDescription(description); */
++
++ eventSetDescription = (*env)->GetMethodID(env, eventClass, "setDescription", "(I)V");
++ PR_ASSERT(eventSetDescription != NULL);
++
++ (*env)->CallVoidMethod(env, event, eventSetDescription, alert->description);
++
++ /* socket.fireAlertSentEvent(event); */
++
++ fireEvent = (*env)->GetMethodID(env,
++ socketClass,
++ "fireAlertSentEvent",
++ "(L" SSL_ALERT_EVENT_CLASS ";)V");
++ PR_ASSERT(fireEvent != NULL);
++
++ (*env)->CallVoidMethod(env, socket->socketObject, fireEvent, event);
++
++ (*JSS_javaVM)->DetachCurrentThread(JSS_javaVM);
++}
+
+ void
+ JSSL_HandshakeCallback(PRFileDesc *fd, void *arg)
+diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c
+index be35c57..84a4332 100644
+--- a/org/mozilla/jss/ssl/common.c
++++ b/org/mozilla/jss/ssl/common.c
+@@ -261,6 +261,7 @@ JSSL_SocketData*
+ JSSL_CreateSocketData(JNIEnv *env, jobject sockObj, PRFileDesc* newFD,
+ PRFilePrivate *priv)
+ {
++ SECStatus status;
+ JSSL_SocketData *sockdata = NULL;
+
+ /* make a JSSL_SocketData structure */
+@@ -297,6 +298,24 @@ JSSL_CreateSocketData(JNIEnv *env, jobject sockObj, PRFileDesc* newFD,
+ sockdata->socketObject = NEW_WEAK_GLOBAL_REF(env, sockObj);
+ if( sockdata->socketObject == NULL ) goto finish;
+
++ /* registering alert received callback */
++
++ status = SSL_AlertReceivedCallback(sockdata->fd, JSSL_AlertReceivedCallback, sockdata);
++
++ if (status != SECSuccess) {
++ JSSL_throwSSLSocketException(env, "Unable to install alert received callback");
++ goto finish;
++ }
++
++ /* registering alert sent callback */
++
++ status = SSL_AlertSentCallback(sockdata->fd, JSSL_AlertSentCallback, sockdata);
++
++ if (status != SECSuccess) {
++ JSSL_throwSSLSocketException(env, "Unable to install alert sent callback");
++ goto finish;
++ }
++
+ finish:
+ if( (*env)->ExceptionOccurred(env) != NULL ) {
+ if( sockdata != NULL ) {
+diff --git a/org/mozilla/jss/ssl/jssl.h b/org/mozilla/jss/ssl/jssl.h
+index 616c755..571c2a4 100644
+--- a/org/mozilla/jss/ssl/jssl.h
++++ b/org/mozilla/jss/ssl/jssl.h
+@@ -5,6 +5,8 @@
+ #ifndef ORG_MOZILLA_JSS_SSL_JSSL_H
+ #define ORG_MOZILLA_JSS_SSL_JSSL_H
+
++#include <ssl.h>
++
+ struct JSSL_SocketData {
+ PRFileDesc *fd;
+ jobject socketObject; /* weak global ref */
+@@ -26,6 +28,12 @@ JSSL_JavaCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig,
+ PRBool isServer);
+
+ void
++JSSL_AlertReceivedCallback(const PRFileDesc *fd, void *client_data, const SSLAlert *alert);
++
++void
++JSSL_AlertSentCallback(const PRFileDesc *fd, void *client_data, const SSLAlert *alert);
++
++void
+ JSSL_HandshakeCallback(PRFileDesc *fd, void *arg);
+
+ SECStatus
+diff --git a/org/mozilla/jss/util/java_ids.h b/org/mozilla/jss/util/java_ids.h
+index 3ceebaa..7ec9ea9 100644
+--- a/org/mozilla/jss/util/java_ids.h
++++ b/org/mozilla/jss/util/java_ids.h
+@@ -285,6 +285,11 @@ PR_BEGIN_EXTERN_C
+ #define SUPPORTS_IPV6_SIG "()Z"
+
+ /*
++ * SSLAlertEvent
++ */
++#define SSL_ALERT_EVENT_CLASS "org/mozilla/jss/ssl/SSLAlertEvent"
++
++/*
+ * SSLCertificateApprovalCallback
+ */
+ #define SSLCERT_APP_CB_APPROVE_NAME "approve"
+@@ -300,8 +305,11 @@ PR_BEGIN_EXTERN_C
+ /*
+ * SSLSocket
+ */
++#define SSLSOCKET_CLASS "org/mozilla/jss/ssl/SSLSocket"
++
+ #define SSLSOCKET_HANDSHAKE_NOTIFIER_NAME "notifyAllHandshakeListeners"
+ #define SSLSOCKET_HANDSHAKE_NOTIFIER_SIG "()V"
++
+ #define SSLSOCKET_PROXY_FIELD "sockProxy"
+ #define SSLSOCKET_PROXY_SIG "Lorg/mozilla/jss/ssl/SocketProxy;"
+
+--
+2.9.3
+
+
+From 1a83476dbbd54c87ffcf54fac7fdfa093812997f Mon Sep 17 00:00:00 2001
+From: "Endi S. Edewata" <edewata@redhat.com>
+Date: Tue, 21 Mar 2017 13:21:43 -0700
+Subject: [PATCH 06/11] Added SSLCipher enumeration. The cipher constants in
+ SSLSocket have been copied and converted into SSLCipher enumeration. The
+ enumeration provides a mechanism to convert between cipher ID and cipher
+ constant, also a flag to indicate whether it is an ECC cipher.
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1349278
+---
+ org/mozilla/jss/ssl/SSLCipher.java | 328 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 328 insertions(+)
+ create mode 100644 org/mozilla/jss/ssl/SSLCipher.java
+
+diff --git a/org/mozilla/jss/ssl/SSLCipher.java b/org/mozilla/jss/ssl/SSLCipher.java
+new file mode 100644
+index 0000000..30acdd7
+--- /dev/null
++++ b/org/mozilla/jss/ssl/SSLCipher.java
+@@ -0,0 +1,328 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++package org.mozilla.jss.ssl;
++
++/**
++ * SSL cipher.
++ */
++public enum SSLCipher {
++
++ /**
++ *
++ * Note the following cipher-suites constants are not all implemented.
++ * You need to call SSLSocket.getImplementedCiphersuites().
++ *
++ */
++
++ SSL2_RC4_128_WITH_MD5 (0xFF01),
++ SSL2_RC4_128_EXPORT40_WITH_MD5 (0xFF02),
++ SSL2_RC2_128_CBC_WITH_MD5 (0xFF03),
++ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 (0xFF04),
++ SSL2_IDEA_128_CBC_WITH_MD5 (0xFF05),
++ SSL2_DES_64_CBC_WITH_MD5 (0xFF06),
++ SSL2_DES_192_EDE3_CBC_WITH_MD5 (0xFF07),
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_NULL_MD5.
++ */
++ @Deprecated
++ SSL3_RSA_WITH_NULL_MD5 (0x0001),
++ TLS_RSA_WITH_NULL_MD5 (0x0001),
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_NULL_SHA.
++ */
++ @Deprecated
++ SSL3_RSA_WITH_NULL_SHA (0x0002),
++ TLS_RSA_WITH_NULL_SHA (0x0002),
++
++ SSL3_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003),
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_RC4_128_MD5.
++ */
++ @Deprecated
++ SSL3_RSA_WITH_RC4_128_MD5 (0x0004),
++ TLS_RSA_WITH_RC4_128_MD5 (0x0004),
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_RC4_128_SHA.
++ */
++ @Deprecated
++ SSL3_RSA_WITH_RC4_128_SHA (0x0005),
++ TLS_RSA_WITH_RC4_128_SHA (0x0005),
++
++ SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006),
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_IDEA_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_RSA_WITH_IDEA_CBC_SHA (0x0007),
++ TLS_RSA_WITH_IDEA_CBC_SHA (0x0007),
++
++ SSL3_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008),
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_DES_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_RSA_WITH_DES_CBC_SHA (0x0009),
++ TLS_RSA_WITH_DES_CBC_SHA (0x0009),
++
++ /**
++ * @deprecated Replaced with TLS_RSA_WITH_3DES_EDE_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_RSA_WITH_3DES_EDE_CBC_SHA (0x000a),
++ TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a),
++
++ SSL3_DH_DSS_EXPORT_WITH_DES40_CBC_SHA (0x000b),
++
++ /**
++ * @deprecated Replaced with TLS_DH_DSS_WITH_DES_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_DH_DSS_WITH_DES_CBC_SHA (0x000c),
++ TLS_DH_DSS_WITH_DES_CBC_SHA (0x000c),
++
++ /**
++ * @deprecated Replaced with TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d),
++ TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0x000d),
++
++ SSL3_DH_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000e),
++
++ /**
++ * @deprecated Replaced with TLS_DH_RSA_WITH_DES_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_DH_RSA_WITH_DES_CBC_SHA (0x000f),
++ TLS_DH_RSA_WITH_DES_CBC_SHA (0x000f),
++
++ /**
++ * @deprecated Replaced with TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010),
++ TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x0010),
++
++ SSL3_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011),
++
++ /**
++ * @deprecated Replaced with TLS_DHE_DSS_WITH_DES_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_DHE_DSS_WITH_DES_CBC_SHA (0x0012),
++ TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012),
++
++ /**
++ * @deprecated Replaced with TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013),
++ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013),
++
++ SSL3_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014),
++
++ /**
++ * @deprecated Replaced with TLS_DHE_RSA_WITH_DES_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_DHE_RSA_WITH_DES_CBC_SHA (0x0015),
++ TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015),
++
++ /**
++ * @deprecated Replaced with TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016),
++ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016),
++
++ SSL3_DH_ANON_EXPORT_WITH_RC4_40_MD5 (0x0017),
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_RC4_128_MD5.
++ */
++ @Deprecated
++ SSL3_DH_ANON_WITH_RC4_128_MD5 (0x0018),
++ TLS_DH_anon_WITH_RC4_128_MD5 (0x0018),
++
++ SSL3_DH_ANON_EXPORT_WITH_DES40_CBC_SHA (0x0019),
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_DES_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_DH_ANON_WITH_DES_CBC_SHA (0x001a),
++ TLS_DH_anon_WITH_DES_CBC_SHA (0x001a),
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_3DES_EDE_CBC_SHA.
++ */
++ @Deprecated
++ SSL3_DH_ANON_WITH_3DES_EDE_CBC_SHA (0x001b),
++ TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x001b),
++
++ /**
++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported.
++ */
++ @Deprecated
++ SSL3_FORTEZZA_DMS_WITH_NULL_SHA (0x001c),
++
++ /**
++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported.
++ */
++ @Deprecated
++ SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA (0x001d),
++
++ /**
++ * @deprecated As of NSS 3.11, FORTEZZA is no longer supported.
++ */
++ @Deprecated
++ SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA (0x001e),
++
++ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff),
++ SSL_RSA_FIPS_WITH_DES_CBC_SHA (0xfefe),
++
++ TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062),
++ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064),
++
++ TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063),
++ TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA (0x0065),
++ TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066),
++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067),
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006B),
++
++ // New TLS cipher suites in NSS 3.4
++ TLS_RSA_WITH_AES_128_CBC_SHA (0x002F),
++ TLS_DH_DSS_WITH_AES_128_CBC_SHA (0x0030),
++ TLS_DH_RSA_WITH_AES_128_CBC_SHA (0x0031),
++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032),
++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033),
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_AES_128_CBC_SHA.
++ */
++ @Deprecated
++ TLS_DH_ANON_WITH_AES_128_CBC_SHA (0x0034),
++ TLS_DH_anon_WITH_AES_128_CBC_SHA (0x0034),
++
++ TLS_RSA_WITH_AES_256_CBC_SHA (0x0035),
++ TLS_DH_DSS_WITH_AES_256_CBC_SHA (0x0036),
++ TLS_DH_RSA_WITH_AES_256_CBC_SHA (0x0037),
++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038),
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039),
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_AES_256_CBC_SHA.
++ */
++ @Deprecated
++ TLS_DH_ANON_WITH_AES_256_CBC_SHA (0x003A),
++ TLS_DH_anon_WITH_AES_256_CBC_SHA (0x003A),
++
++ TLS_RSA_WITH_NULL_SHA256 (0x003B),
++ TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C),
++ TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D),
++
++ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041),
++ TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0042),
++ TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0043),
++ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044),
++ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045),
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA.
++ */
++ @Deprecated
++ TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA (0x0046),
++ TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x0046),
++
++ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084),
++ TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0085),
++ TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0086),
++ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087),
++ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088),
++
++ /**
++ * @deprecated Replaced with TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA.
++ */
++ @Deprecated
++ TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA (0x0089),
++ TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x0089),
++
++ TLS_RSA_WITH_SEED_CBC_SHA (0x0096),
++
++ TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C),
++ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009E),
++ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00A2),
++
++ TLS_ECDH_ECDSA_WITH_NULL_SHA (0xc001, true),
++ TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002, true),
++ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003, true),
++ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004, true),
++ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005, true),
++
++ TLS_ECDHE_ECDSA_WITH_NULL_SHA (0xc006, true),
++ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007, true),
++ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008, true),
++ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009, true),
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a, true),
++
++ TLS_ECDH_RSA_WITH_NULL_SHA (0xc00b, true),
++ TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c, true),
++ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d, true),
++ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e, true),
++ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f, true),
++
++ TLS_ECDHE_RSA_WITH_NULL_SHA (0xc010, true),
++ TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011, true),
++ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012, true),
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013, true),
++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014, true),
++
++ TLS_ECDH_anon_WITH_NULL_SHA (0xc015, true),
++ TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016, true),
++ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017, true),
++ TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018, true),
++ TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019, true),
++
++ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023, true),
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027, true),
++
++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02B, true),
++ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02D, true),
++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02F, true),
++ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031, true);
++
++ private int id;
++ private boolean ecc;
++
++ private SSLCipher(int id) {
++ this.id = id;
++ }
++
++ private SSLCipher(int id, boolean ecc) {
++ this.id = id;
++ this.ecc = ecc;
++ }
++
++ public int getID() {
++ return id;
++ }
++
++ public boolean isECC() {
++ return ecc;
++ }
++
++ public static SSLCipher valueOf(int id) {
++ for (SSLCipher cipher : SSLCipher.class.getEnumConstants()) {
++ if (cipher.id == id) return cipher;
++ }
++ return null;
++ }
++}
+--
+2.9.3
+
+
+From 5c09c644caf9849dd1602dc6df56c0691a2d25f8 Mon Sep 17 00:00:00 2001
+From: "Endi S. Edewata" <edewata@redhat.com>
+Date: Wed, 22 Mar 2017 19:17:19 -0700
+Subject: [PATCH 07/11] Replaced Password.readPasswordFromConsole()
+ implementation.
+
+The native implementation of Password.readPasswordFromConsole() has
+been replaced with platform independent code using System.console()
+which does not cause a problem if the program is interrupted while
+waiting for password input.
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1349349
+---
+ org/mozilla/jss/util/Password.java | 24 +++--
+ org/mozilla/jss/util/jssutil.c | 212 -------------------------------------
+ 2 files changed, 17 insertions(+), 219 deletions(-)
+
+diff --git a/org/mozilla/jss/util/Password.java b/org/mozilla/jss/util/Password.java
+index 9e6a3bb..47bc8a1 100644
+--- a/org/mozilla/jss/util/Password.java
++++ b/org/mozilla/jss/util/Password.java
+@@ -5,6 +5,7 @@
+ package org.mozilla.jss.util;
+
+ import java.io.CharConversionException;
++import java.io.Console;
+
+ /**
+ * Stores a password. <code>clear</code> should be
+@@ -114,7 +115,7 @@ public class Password implements PasswordCallback, Cloneable,
+ * for example using <code>wipeChars</code>.
+ */
+ public synchronized char[] getCharCopy() {
+- return (char[]) password.clone();
++ return password.clone();
+ }
+
+ /**
+@@ -125,7 +126,7 @@ public class Password implements PasswordCallback, Cloneable,
+ * for example using <code>wipeChars</code>.
+ */
+ synchronized byte[] getByteCopy() {
+- return charToByte( (char[]) password.clone() );
++ return charToByte( password.clone() );
+ }
+
+ /**
+@@ -150,11 +151,11 @@ public class Password implements PasswordCallback, Cloneable,
+ public synchronized Object clone() {
+ Password dolly = new Password();
+
+- dolly.password = (char[]) password.clone();
++ dolly.password = password.clone();
+ dolly.cleared = cleared;
+ return dolly;
+ }
+-
++
+
+ /**
+ * The finalizer clears the sensitive information before releasing
+@@ -230,9 +231,18 @@ public class Password implements PasswordCallback, Cloneable,
+ * <code><enter></code>).
+ * @return The password the user entered at the command line.
+ */
+- public synchronized static native Password readPasswordFromConsole()
+- throws PasswordCallback.GiveUpException;
+-
++ public static Password readPasswordFromConsole() throws PasswordCallback.GiveUpException {
++
++ Console console = System.console();
++ char[] password = console.readPassword();
++
++ if (password == null || password.length == 0) {
++ throw new PasswordCallback.GiveUpException();
++ }
++
++ return new Password(password);
++ }
++
+ // The password, stored as a char[] so we can clear it. Passwords
+ // should never be stored in Strings because Strings can't be cleared.
+ private char[] password;
+diff --git a/org/mozilla/jss/util/jssutil.c b/org/mozilla/jss/util/jssutil.c
+index 609eeb3..0d19a84 100644
+--- a/org/mozilla/jss/util/jssutil.c
++++ b/org/mozilla/jss/util/jssutil.c
+@@ -462,218 +462,6 @@ JSS_wipeCharArray(char* array)
+ }
+ }
+
+-/***********************************************************************
+- * platform-dependent definitions for getting passwords from console.
+- ***********************************************************************/
+-
+-#ifdef XP_UNIX
+-
+-#include <termios.h>
+-#include <unistd.h>
+-#define GETCH getchar
+-#define PUTCH putchar
+-
+-#else
+-
+-#include <conio.h>
+-#define GETCH _getch
+-#define PUTCH _putch
+-
+-#endif
+-
+-/***********************************************************************
+- * g e t P W F r o m C o n s o l e
+- *
+- * Does platform-dependent stuff to retrieve a char* from the console.
+- * Retrieves up to the first newline character, but does not return
+- * the newline. Maximum length is 200 chars.
+- * Stars (*) are echoed to the screen. Backspacing works.
+- * WARNING: This function is NOT thread-safe!!! This should be OK because
+- * the Java method that calls it is synchronized.
+- *
+- * RETURNS
+- * The password in a buffer owned by the caller, or NULL if the
+- * user did not enter a password (just hit <enter>).
+- */
+-static char* getPWFromConsole()
+-{
+- int c;
+- char *ret;
+- int i;
+- char buf[200]; /* no buffer overflow: we bail after 200 chars */
+- int length=200;
+-#ifdef XP_UNIX
+- int fd = fileno(stdin);
+- struct termios save_tio;
+- struct termios tio;
+-#endif
+-
+-
+- /*
+- * In Win32, the default is for _getch to not echo and to not be buffered.
+- * In UNIX, we have to set this explicitly.
+- */
+-#ifdef XP_UNIX
+- if ( isatty(fd) ) {
+- tcgetattr(fd, &save_tio);
+- tio = save_tio;
+- tio.c_lflag &= ~(ECHO|ICANON); /* no echo, non-canonical mode */
+- tio.c_cc[VMIN] = 1; /* 1 char at a time */
+- tio.c_cc[VTIME] = 0; /* wait forever */
+- tcsetattr(fd, TCSAFLUSH, &tio);
+- } else {
+- /* no reading from a file allowed. Windows enforces this automatically*/
+- return NULL;
+- }
+-#endif
+-
+- /*
+- * Retrieve up to length characters, or the first newline character.
+- */
+- for(i=0; i < length-1; i++) {
+- PR_ASSERT(i >= 0);
+- c = GETCH();
+- if( c == '\b' ) {
+- /*
+- * backspace. Back up the buffer and the cursor.
+- */
+- if( i==0 ) {
+- /* backspace is first char, do nothing */
+- i--;
+- } else {
+- /* backspace is not first char, backup one */
+- i -= 2;
+- PUTCH('\b'); PUTCH(' '); PUTCH('\b');
+- }
+- } else if( c == '\r' || c == '\n' ) {
+- /* newline, we're done */
+- break;
+- } else {
+- /* normal password char. Echo an asterisk. */
+- buf[i] = c;
+- PUTCH('*');
+- }
+- }
+- buf[i] = '\0';
+- PUTCH('\n');
+-
+- /*
+- * Restore the saved terminal settings.
+- */
+-#ifdef XP_UNIX
+- tcsetattr(fd, TCSAFLUSH, &save_tio);
+-#endif
+-
+- /* If password is empty, return NULL to signal the user giving up */
+- if(buf[0] == '\0') {
+- ret = NULL;
+- } else {
+- ret = PL_strdup(buf);
+- }
+-
+- /* Clear the input buffer */
+- memset(buf, 0, length);
+-
+- return ret;
+-}
+-
+-
+-/***********************************************************************
+- * Class: org_mozilla_jss_util_Password
+- * Method: readPasswordFromConsole
+- * Signature: ()Lorg/mozilla/jss/util/Password;
+- */
+-JNIEXPORT jobject JNICALL Java_org_mozilla_jss_util_Password_readPasswordFromConsole
+- (JNIEnv *env, jclass clazz)
+-{
+- char *pw=NULL;
+- int pwlen;
+- jclass pwClass;
+- jmethodID pwConstructor;
+- jcharArray pwCharArray=NULL;
+- jchar *pwChars=NULL;
+- jobject password=NULL;
+- jboolean pwIsCopy;
+- int i;
+-
+- /***************************************************
+- * Get JNI IDs
+- ***************************************************/
+- pwClass = (*env)->FindClass(env, PASSWORD_CLASS_NAME);
+- if(pwClass == NULL) {
+- ASSERT_OUTOFMEM(env);
+- goto finish;
+- }
+- pwConstructor = (*env)->GetMethodID(env,
+- pwClass,
+- PLAIN_CONSTRUCTOR,
+- PASSWORD_CONSTRUCTOR_SIG);
+- if(pwConstructor == NULL) {
+- ASSERT_OUTOFMEM(env);
+- goto finish;
+- }
+-
+- /***************************************************
+- * Get the password from the console
+- ***************************************************/
+- pw = getPWFromConsole();
+-
+- if(pw == NULL) {
+- JSS_throw(env, GIVE_UP_EXCEPTION);
+- goto finish;
+- }
+- pwlen = strlen(pw);
+- PR_ASSERT(pwlen > 0);
+-
+- /***************************************************
+- * Put the password into a char array
+- ***************************************************/
+- pwCharArray = (*env)->NewCharArray(env, pwlen);
+- if(pwCharArray == NULL) {
+- ASSERT_OUTOFMEM(env);
+- goto finish;
+- }
+- pwChars = (*env)->GetCharArrayElements(env, pwCharArray, &pwIsCopy);
+- if(pwChars == NULL) {
+- ASSERT_OUTOFMEM(env);
+- goto finish;
+- }
+- for(i=0; i < pwlen; i++) {
+- /* YUK! Only works for ASCII. */
+- pwChars[i] = pw[i];
+- }
+-
+- if( pwIsCopy ) {
+- /* copy back the changes */
+- (*env)->ReleaseCharArrayElements(env, pwCharArray, pwChars, JNI_COMMIT);
+- /* clear the copy */
+- memset(pwChars, 0, pwlen);
+- /* release the copy */
+- (*env)->ReleaseCharArrayElements(env, pwCharArray, pwChars, JNI_ABORT);
+- } else {
+- /* pwChars is not a copy, so this should be a no-op, but we include
+- * it anyway */
+- (*env)->ReleaseCharArrayElements(env, pwCharArray, pwChars, 0);
+- }
+- pwChars = NULL;
+-
+- /***************************************************
+- * Construct a new Password from the char array
+- ***************************************************/
+- password = (*env)->NewObject(env, pwClass, pwConstructor, pwCharArray);
+- if(password == NULL) {
+- ASSERT_OUTOFMEM(env);
+- goto finish;
+- }
+-
+-finish:
+- if(pw != NULL) {
+- memset(pw, 0, strlen(pw));
+- PR_Free(pw);
+- }
+- return password;
+-}
+-
+ #ifdef DEBUG
+ static int debugLevel = JSS_TRACE_VERBOSE;
+ #else
+--
+2.9.3
+
+
+From bee3bc6cfef28f39b8abb1fd7e8505e5a9880716 Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen <mharmsen@redhat.com>
+Date: Thu, 23 Mar 2017 10:48:29 -0700
+Subject: [PATCH 08/11] Bug 1349831 - Revise top-level README file, r=emaldona
+
+---
+ README | 134 +++++++++++++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 110 insertions(+), 24 deletions(-)
+
+diff --git a/README b/README
+index 4ceb0fd..cfc0244 100644
+--- a/README
++++ b/README
+@@ -4,8 +4,8 @@
+
+ (1) Prepare a work area
+
+- (a) For upstream builds which checkout and utilize the current NSPR and NSS
+- source repositories:
++ (a) For upstream builds which checkout and utilize
++ the current NSPR and NSS source repositories:
+
+ # mkdir sandbox
+ # cd sandbox
+@@ -20,13 +20,20 @@
+ cd jss; hg pull -u -v; cd ..
+ )
+
+- (b) Alternatively, for upstream builds which use the NSPR and NSS installed
+- on the system:
++ (b) Alternatively, for upstream builds which use
++ the NSPR and NSS installed on the system:
+
+ # mkdir sandbox
+ # cd sandbox
+ # export USE_INSTALLED_NSPR=1
+ # export USE_INSTALLED_NSS=1
++ # export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
++ # export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
++ # export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
++ # export NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'`
++ # export NSS_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss | sed 's/-I//'`
++ # export NSS_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nss | sed 's/-L//'`
++ # export XCFLAGS="-g"
+ # hg clone https://hg.mozilla.org/projects/jss
+ # cd ..
+
+@@ -41,9 +48,32 @@
+ # export JAVA_HOME=/etc/alternatives/java_sdk_1.8.0_openjdk
+ # export USE_64=1
+
+- NOTE: JSS will now attempt to verify whether or not these two environment
+- variables have been set (JAVA_HOME is mandatory; USE_64 is mandatory
+- on 64-bit platforms when building 64-bit).
++ NOTE: JSS will now attempt to verify whether or not these two
++ environment variables have been set (JAVA_HOME is mandatory;
++ USE_64 is mandatory on 64-bit platforms when building 64-bit).
++
++ The following steps are optional, and left to the discretion of the user:
++
++ Debug vs. Optimized jar files:
++
++ By default, JSS will be built as a debuggable jar
++ (xpclass_dbg.jar - generally recommended for test builds);
++ to create an optimized jar (xpclass.jar), set the following
++ environment variable:
++
++ # export BUILD_OPT=1
++
++ Beta vs. Non-Beta builds:
++
++ Finally, by default, JSS is not built as a "beta" release (as
++ specified in 'org/mozilla/jss/util/jssver.h'):
++
++ #define JSS_BETA PR_FALSE
++
++ If a "beta" version of JSS is desired, reset this #define (as
++ specified in 'org/mozilla/jss/util/jssver.h') to:
++
++ #define JSS_BETA PR_TRUE
+
+
+ (3) Build JSS
+@@ -52,30 +82,88 @@
+ # make clean all
+ # cd ../..
+
+- (or you can run "# script -c 'make clean all' typescript.build')
++ (or you can run "# script -c 'make clean all' typescript.build")
+
+ NOTE: When build method (1)(a) is being utilized, if nss has not been
+ built, it will now automatically be built before jss; if nss has
+ already been built, only jss will be built/re-built.
+
+
+-(4) Run JSS Tests
++(4) Install JSS on the System (Optional)
+
+- # cd sandbox/jss
+- # make test_jss
+- # cd ../..
++ If JSS already exists on the system, run something similar to the
++ following command(s):
++
++ # sudo mv /usr/lib/java/jss4.jar /usr/lib/java/jss4.jar.orig
++
++ If the platform is 32-bit Linux:
++
++ # sudo mv /usr/lib/jss/libjss4.so /usr/lib/jss/libjss4.so.orig
++
++ else if the platform is 64-bit Linux:
++
++ # sudo mv /usr/lib64/jss/libjss4.so /usr/lib64/jss/libjss4.so.orig
++
++ If BUILD_OPT is undefined (default Debuggable Jar):
++
++ # sudo cp sandbox/dist/xpclass_dbg.jar /usr/lib/java/jss4.jar
++
++ else if BUILD_OPT is defined (Optimized Jar):
+
+- (or you can run "# script -c 'make test_jss' typescript.tests)
++ # sudo cp sandbox/dist/xpclass.jar /usr/lib/java/jss4.jar
++
++ # sudo chown root:root /usr/lib/java/jss4.jar
++ # sudo chmod 644 /usr/lib/java/jss4.jar
++
++ # sudo cp sandbox/jss/lib/Linux*.OBJ/libjss4.so /usr/lib64/jss/libjss4.so
++ # sudo chown root:root /usr/lib64/jss/libjss4.so
++ # sudo chmod 755 /usr/lib64/jss/libjss4.so
++
++
++(5) Run JSS Tests (Optional, but only if build method (1)(a) was utilized)
++
++ If build method (1)(a) is being utilized, it is possible to run the
++ built-in JSS tests:
++
++ # cd sandbox/jss
++ # make test_jss
++ # cd ../..
++
++ (or you can run "# script -c 'make test_jss' typescript.tests")
+
+ NOTE: This command is currently only available on Linux and Macintosh
+- platforms; currenty JSS must be built via 'make clean all' before
++ platforms when method (1)(a) has been utilized to build JSS
++ since the tests are dependent upon the work area as setup in
++ this method; currenty JSS must be built via 'make clean all' before
+ execution of this command (e.g. - build is separate from test).
+
+
+-(5) Known Issues
++(6) Restoration of non-Test-Only Systems (Optional)
++
++ If step (4) above was run, and the system is being used for purposes
++ other than test, the user may wish to restore the original system JSS
++ by running the following commands:
++
++ # sudo mv /usr/lib/java/jss4.jar.orig /usr/lib/java/jss4.jar
++
++ If the platform is 32-bit Linux:
++
++ # sudo mv /usr/lib/jss/libjss4.so.orig /usr/lib/jss/libjss4.so
++
++ else if the platform is 64-bit Linux:
++
++ # sudo mv /usr/lib64/jss/libjss4.so.orig /usr/lib64/jss/libjss4.so
++
++ NOTE: For this procedure, no ownership or permission changes should
++ be necessary.
++
++
++(7) Known Issues
+
+ * Mozilla Bug #1346410 - Load JSS libraries appropriately
+
++ NOTE: This issue should not occur unless step (4) above was skipped.
++
+ Testing failures were found while working on Bug 1346410 when loading the
+ JSS libraries to meet requirements of certain operating systems. Our
+ investigation revealed that due to the nature of the changes made via this
+@@ -83,16 +171,14 @@
+ that a failure may be encountered on one or more of the HMAC algorithms
+ causing these two tests to fail. On 64-bit Linux, for example, the
+ workaround for this issue is to perform the following steps before
+- re-running the tests:
++ re-running the tests:
++
++ (a) Install the new JSS builds by executing step (4) above
++
++ (b) Execute the following commands:
+
+- # sudo mv /usr/lib64/jss/libjss4.so /usr/lib64/jss/libjss4.so.orig
+- # sudo cp -p
+- sandbox/dist/Linux3.10_x86_64_cc_glibc_PTH_64_DBG.OBJ/lib/libjss4.so
+- /usr/lib64/jss/libjss4.so
+- # sudo chown root:root /usr/lib64/jss/libjss4.so
+- # sudo chmod 755 /usr/lib64/jss/libjss4.so
+- # cd sandbox/jss; make test_jss
++ # cd sandbox/jss; make test_jss
+
+ NOTE: If the system is being used for purposes other than test, the user
+- may wish to restore 'libjss4.so.orig' back to 'libjss4.so'.
++ may wish to restore the original JSS by executing step (6) above.
+
+--
+2.9.3
+
+
+From 382d6611ee2208c0bbe03afac33b96bf7a34047a Mon Sep 17 00:00:00 2001
+From: Matthew Harmsen <mharmsen@redhat.com>
+Date: Thu, 23 Mar 2017 10:52:15 -0700
+Subject: [PATCH 09/11] Bug 1349836 - Changes to JSS Version Block, r=emaldona
+
+---
+ lib/manifest.mn | 4 ++--
+ manifest.mn | 8 ++------
+ org/mozilla/jss/CryptoManager.c | 4 ++--
+ org/mozilla/jss/CryptoManager.java | 4 ++--
+ org/mozilla/jss/JSSProvider.java | 4 ++--
+ org/mozilla/jss/util/jssver.h | 5 ++---
+ 6 files changed, 12 insertions(+), 17 deletions(-)
+
+diff --git a/lib/manifest.mn b/lib/manifest.mn
+index d37cb68..6f03301 100644
+--- a/lib/manifest.mn
++++ b/lib/manifest.mn
+@@ -7,11 +7,11 @@
+ #/* The VERSION Strings should be updated in the following */
+ #/* files everytime a new release of JSS is generated: */
+ #/* */
++#/* lib/manifest.mn */
++#/* org/mozilla/jss/CryptoManager.c */
+ #/* org/mozilla/jss/CryptoManager.java */
+ #/* org/mozilla/jss/JSSProvider.java */
+ #/* org/mozilla/jss/util/jssver.h */
+-#/* lib/manifest.mn */
+-#/* jss/manifest.mn */
+ #/* */
+ #/********************************************************************/
+
+diff --git a/manifest.mn b/manifest.mn
+index 9338108..07cabce 100644
+--- a/manifest.mn
++++ b/manifest.mn
+@@ -12,18 +12,14 @@ MODULE = jss
+ #/* The VERSION Strings should be updated in the following */
+ #/* files everytime a new release of JSS is generated: */
+ #/* */
++#/* lib/manifest.mn */
++#/* org/mozilla/jss/CryptoManager.c */
+ #/* org/mozilla/jss/CryptoManager.java */
+ #/* org/mozilla/jss/JSSProvider.java */
+ #/* org/mozilla/jss/util/jssver.h */
+-#/* lib/manifest.mn */
+-#/* mozilla/security/jss/manifest.mn */
+ #/* */
+ #/********************************************************************/
+
+-IMPORTS = nss/NSS_3_12_RTM \
+- nspr20/v4.7 \
+- $(NULL)
+-
+ DIRS = coreconf \
+ org \
+ lib \
+diff --git a/org/mozilla/jss/CryptoManager.c b/org/mozilla/jss/CryptoManager.c
+index 3eb9ae7..56e66b2 100644
+--- a/org/mozilla/jss/CryptoManager.c
++++ b/org/mozilla/jss/CryptoManager.c
+@@ -49,11 +49,11 @@ const char * jss_sccsid() {
+ /* The VERSION Strings should be updated in the following */
+ /* files everytime a new release of JSS is generated: */
+ /* */
++/* lib/manifest.mn */
++/* org/mozilla/jss/CryptoManager.c */
+ /* org/mozilla/jss/CryptoManager.java */
+ /* org/mozilla/jss/JSSProvider.java */
+ /* org/mozilla/jss/util/jssver.h */
+-/* lib/manifest.mn */
+-/* mozilla/security/jss/manifest.mn */
+ /* */
+ /********************************************************************/
+
+diff --git a/org/mozilla/jss/CryptoManager.java b/org/mozilla/jss/CryptoManager.java
+index 9cc50d9..9e5503d 100644
+--- a/org/mozilla/jss/CryptoManager.java
++++ b/org/mozilla/jss/CryptoManager.java
+@@ -1449,11 +1449,11 @@ public final class CryptoManager implements TokenSupplier
+ /* The VERSION Strings should be updated in the following */
+ /* files everytime a new release of JSS is generated: */
+ /* */
++ /* lib/manifest.mn */
++ /* org/mozilla/jss/CryptoManager.c */
+ /* org/mozilla/jss/CryptoManager.java */
+ /* org/mozilla/jss/JSSProvider.java */
+ /* org/mozilla/jss/util/jssver.h */
+- /* lib/manifest.mn */
+- /* jss/manifest.mn */
+ /* */
+ /********************************************************************/
+
+diff --git a/org/mozilla/jss/JSSProvider.java b/org/mozilla/jss/JSSProvider.java
+index 687e88b..a8205ab 100644
+--- a/org/mozilla/jss/JSSProvider.java
++++ b/org/mozilla/jss/JSSProvider.java
+@@ -9,11 +9,11 @@ public final class JSSProvider extends java.security.Provider {
+ /* The VERSION Strings should be updated in the following */
+ /* files everytime a new release of JSS is generated: */
+ /* */
++ /* lib/manifest.mn */
++ /* org/mozilla/jss/CryptoManager.c */
+ /* org/mozilla/jss/CryptoManager.java */
+ /* org/mozilla/jss/JSSProvider.java */
+ /* org/mozilla/jss/util/jssver.h */
+- /* lib/manifest.mn */
+- /* jss/manifest.mn */
+ /* */
+ /********************************************************************/
+ /* QUESTION: When do we change MINOR and PATCH to 4 and 0? */
+diff --git a/org/mozilla/jss/util/jssver.h b/org/mozilla/jss/util/jssver.h
+index bd8a492..df67620 100644
+--- a/org/mozilla/jss/util/jssver.h
++++ b/org/mozilla/jss/util/jssver.h
+@@ -17,12 +17,11 @@
+ /* The VERSION Strings should be updated in the following */
+ /* files everytime a new release of JSS is generated: */
+ /* */
+-/* org/mozilla/jss/CryptoManager.java */
++/* lib/manifest.mn */
+ /* org/mozilla/jss/CryptoManager.c */
++/* org/mozilla/jss/CryptoManager.java */
+ /* org/mozilla/jss/JSSProvider.java */
+ /* org/mozilla/jss/util/jssver.h */
+-/* lib/manifest.mn */
+-/* jss/manifest.mn */
+ /* */
+ /********************************************************************/
+
+--
+2.9.3
+
+
+From 434c9d5253d6f1e32c4f29cf66cb43d8ca7bf569 Mon Sep 17 00:00:00 2001
+From: Christina Fu <cfu@redhat.com>
+Date: Sat, 25 Mar 2017 12:08:51 -0400
+Subject: [PATCH 10/11] Bug 1337092 CMC conformance update: Implement required
+ ASN.1 code for RFC5272+, r=jmagne
+
+From: Christina Fu <cfu@redhat.com>
+Date: Thu, 16 Mar 2017 09:54:01 -0700
+Subject: [PATCH] bugzilla.mozilla#1337092 cmc RFC5272 ASN.1
+This patch provides the required ASN.1 code for updating cmc to RFC5272,
+as well as adding some needed missing controls from earlier rfc 2797.
+The major cmc control structures added are: IdentityProofV2, EncryptedPOP,
+DecryptedPOP, PopLinkWitnessV2, CMCStatusInfoV2 and their underelying
+support structures.
+---
+ org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java | 21 ++
+ org/mozilla/jss/crypto/HMACAlgorithm.java | 2 +-
+ org/mozilla/jss/pkix/cmc/BodyPartReference.java | 198 +++++++++++++++
+ org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java | 270 ++++++++++++++++++++
+ org/mozilla/jss/pkix/cmc/DecryptedPOP.java | 165 ++++++++++++
+ org/mozilla/jss/pkix/cmc/EncryptedPOP.java | 185 ++++++++++++++
+ org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java | 145 +++++++++++
+ org/mozilla/jss/pkix/cmc/IdentityProofV2.java | 163 ++++++++++++
+ org/mozilla/jss/pkix/cmc/OtherInfo.java | 150 ++++++++---
+ org/mozilla/jss/pkix/cmc/OtherReqMsg.java | 167 ++++++++++++
+ org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java | 163 ++++++++++++
+ org/mozilla/jss/pkix/cmc/RevokeRequest.java | 323 ++++++++++++++++++++++++
+ org/mozilla/jss/pkix/cmc/TaggedRequest.java | 78 +++++-
+ org/mozilla/jss/pkix/cmmf/RevRequest.java | 3 +
+ org/mozilla/jss/pkix/crmf/CertRequest.java | 7 +
+ 15 files changed, 1995 insertions(+), 45 deletions(-)
+ create mode 100644 org/mozilla/jss/pkix/cmc/BodyPartReference.java
+ create mode 100644 org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java
+ create mode 100644 org/mozilla/jss/pkix/cmc/DecryptedPOP.java
+ create mode 100644 org/mozilla/jss/pkix/cmc/EncryptedPOP.java
+ create mode 100644 org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java
+ create mode 100644 org/mozilla/jss/pkix/cmc/IdentityProofV2.java
+ create mode 100644 org/mozilla/jss/pkix/cmc/OtherReqMsg.java
+ create mode 100644 org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java
+ create mode 100644 org/mozilla/jss/pkix/cmc/RevokeRequest.java
+
+diff --git a/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java b/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
+index 399b555..d55dcfc 100644
+--- a/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
++++ b/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
+@@ -140,6 +140,27 @@ public class OBJECT_IDENTIFIER implements ASN1Value {
+ id_cmc_idPOPLinkWitness = id_cmc.subBranch(23);
+ public static final OBJECT_IDENTIFIER
+ id_cmc_idConfirmCertAcceptance = id_cmc.subBranch(24);
++ // rfc 5272
++ public static final OBJECT_IDENTIFIER
++ id_cmc_statusInfoV2 = id_cmc.subBranch(25);
++ public static final OBJECT_IDENTIFIER
++ id_cmc_trustedAnchors = id_cmc.subBranch(26);
++ public static final OBJECT_IDENTIFIER
++ id_cmc_authData = id_cmc.subBranch(27);
++ public static final OBJECT_IDENTIFIER
++ id_cmc_batchRequests = id_cmc.subBranch(28);
++ public static final OBJECT_IDENTIFIER
++ id_cmc_batchResponses = id_cmc.subBranch(29);
++ public static final OBJECT_IDENTIFIER
++ id_cmc_publishCert = id_cmc.subBranch(30);
++ public static final OBJECT_IDENTIFIER
++ id_cmc_modCertTemplate = id_cmc.subBranch(31);
++ public static final OBJECT_IDENTIFIER
++ id_cmc_controlProcessed = id_cmc.subBranch(32);
++ public static final OBJECT_IDENTIFIER
++ id_cmc_popLinkWitnessV2 = id_cmc.subBranch(33);
++ public static final OBJECT_IDENTIFIER
++ id_cmc_identityProofV2 = id_cmc.subBranch(34);
+
+ public static final OBJECT_IDENTIFIER
+ id_cct = PKIX.subBranch( 12 );
+diff --git a/org/mozilla/jss/crypto/HMACAlgorithm.java b/org/mozilla/jss/crypto/HMACAlgorithm.java
+index aec57c8..24ed2ea 100644
+--- a/org/mozilla/jss/crypto/HMACAlgorithm.java
++++ b/org/mozilla/jss/crypto/HMACAlgorithm.java
+@@ -34,7 +34,7 @@ public class HMACAlgorithm extends DigestAlgorithm {
+ * @exception NoSuchAlgorithmException If no registered HMAC algorithm
+ * has the given OID.
+ */
+- public static DigestAlgorithm fromOID(OBJECT_IDENTIFIER oid)
++ public static HMACAlgorithm fromOID(OBJECT_IDENTIFIER oid)
+ throws NoSuchAlgorithmException
+ {
+ Object alg = oidMap.get(oid);
+diff --git a/org/mozilla/jss/pkix/cmc/BodyPartReference.java b/org/mozilla/jss/pkix/cmc/BodyPartReference.java
+new file mode 100644
+index 0000000..e7358dc
+--- /dev/null
++++ b/org/mozilla/jss/pkix/cmc/BodyPartReference.java
+@@ -0,0 +1,198 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 2004
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++
++
++package org.mozilla.jss.pkix.cmc;
++
++import org.mozilla.jss.util.Assert;
++import org.mozilla.jss.asn1.*;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.util.BitSet;
++
++/**
++ * CMC <i>BodyPartReference</i>:
++ * <pre>
++ * BodyPartReference::= CHOICE {
++ * bodyPartID BodyPartID
++ * bodyPartPath SEQUENCE SIZE (1..MAX) OF BodyPartID,
++ * }
++ *
++ * @author Christina Fu (cfu)
++ * </pre>
++ */
++public class BodyPartReference implements ASN1Value {
++ public static final INTEGER BODYIDMAX = new INTEGER("4294967295");
++
++ /**
++ * The type of BodyPartReference.
++ */
++ public static class Type {
++ private Type() { }
++
++ static Type BodyPartID = new Type();
++ static Type BodyPartPath = new Type();
++ }
++ public static Type BodyPartID = Type.BodyPartID;
++ public static Type BodyPartPath = Type.BodyPartPath;
++
++ ///////////////////////////////////////////////////////////////////////
++ // Members
++ ///////////////////////////////////////////////////////////////////////
++ private Type type;
++ private INTEGER bodyPartID;
++ private SEQUENCE bodyPartPath;
++
++ ///////////////////////////////////////////////////////////////////////
++ // Constructors
++ ///////////////////////////////////////////////////////////////////////
++
++ private BodyPartReference() { }
++
++ /**
++ * @param type The type of the BodyPartReference
++ * @param bodyPartID A BodyPartID.
++ * @param bodyPartPath The sequence of bodyPartIDs.
++ */
++ public BodyPartReference(Type type,
++ INTEGER bodyPartID,
++ SEQUENCE bodyPartPath) {
++ this.bodyPartID = bodyPartID;
++ this.bodyPartPath = bodyPartPath;
++ }
++
++ /**
++ * Adds a BodyPartID to the bodyPartPath SEQUENCE.
++ */
++ public void addBodyPartId(int id) {
++ INTEGER id1 = new INTEGER(id);
++ Assert._assert(id1.compareTo(BODYIDMAX) <= 0);
++ bodyPartPath.addElement( id1 );
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // member access
++ ///////////////////////////////////////////////////////////////////////
++
++ /**
++ * Returns the type of BodyPartReference: <ul>
++ * <li><code>BodyPartID</code>
++ * <li><code>BodyPartPath</code>
++ * </ul>
++ */
++ public Type getType() {
++ return type;
++ }
++
++ public INTEGER getBodyPartID() {
++ return bodyPartID;
++ }
++
++ public SEQUENCE getBodyPartPath() {
++ return bodyPartPath;
++ }
++ ///////////////////////////////////////////////////////////////////////
++ // decoding/encoding
++ ///////////////////////////////////////////////////////////////////////
++
++ public Tag getTag() {
++ //return the subType's tag
++ if (type == BodyPartID ) {
++ return INTEGER.TAG;
++ } else {
++ Assert._assert( type == BodyPartPath);
++ return SEQUENCE.TAG;
++ }
++ }
++
++ public void encode(OutputStream ostream) throws IOException {
++ if (type == BodyPartID ) {
++ bodyPartID.encode(ostream);
++ } else {
++ Assert._assert( type == BodyPartPath);
++ bodyPartPath.encode(ostream);
++ }
++ }
++
++ public void encode(Tag implicitTag, OutputStream ostream)
++ throws IOException
++ {
++ encode(ostream);
++ }
++
++ private static final Template templateInstance = new Template();
++ public static Template getTemplate() {
++ return templateInstance;
++ }
++
++
++ /**
++ * A Template for decoding a BodyPartReference.
++ */
++ public static class Template implements ASN1Template {
++
++ private CHOICE.Template choicet;
++
++ public Template() {
++ choicet = new CHOICE.Template();
++ choicet.addElement( INTEGER.getTemplate() );
++ choicet.addElement( new SEQUENCE.OF_Template(INTEGER.getTemplate()) );
++ }
++
++ public boolean tagMatch(Tag tag) {
++ return choicet.tagMatch(tag);
++ }
++
++ public ASN1Value decode(InputStream istream)
++ throws InvalidBERException, IOException {
++ CHOICE c = (CHOICE) choicet.decode(istream);
++
++ if( c.getTag().equals(INTEGER.TAG) ) {
++ return new BodyPartReference(BodyPartID, (INTEGER) c.getValue() , null);
++ } else {
++ Assert._assert( c.getTag().equals(SEQUENCE.TAG) );
++ return new BodyPartReference(BodyPartPath, null, (SEQUENCE) c.getValue());
++ }
++ }
++
++ public ASN1Value decode(Tag implicitTag, InputStream istream)
++ throws InvalidBERException, IOException {
++ //A CHOICE cannot be implicitly tagged
++ return decode(istream);
++ }
++ }
++}
+diff --git a/org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java b/org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java
+new file mode 100644
+index 0000000..9b6aeb9
+--- /dev/null
++++ b/org/mozilla/jss/pkix/cmc/CMCStatusInfoV2.java
+@@ -0,0 +1,270 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 1998-2000
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++
++
++package org.mozilla.jss.pkix.cmc;
++
++import org.mozilla.jss.util.Assert;
++import org.mozilla.jss.asn1.*;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.util.BitSet;
++
++/**
++ * CMCStatusInfoV2 replaces CMCStatusInfo in rfc 5272
++ * CMC <i>CMCStatusInfoV2</i>:
++ * <pre>
++ * CMCStatusInfoV2 ::= SEQUENCE {
++ * cMCStatus CMCStatus,
++ * bodyList SEQUENCE SIZE (1..MAX)
++ * BodyPartReference,
++ * statusString UTF8String OPTIONAL,
++ * otherInfo CHOICE { // defined in updated OtherInfo
++ * failInfo CMCFailInfo,
++ * pendInfo PendInfo,
++ * extendedFailInfo SEQUENCE {
++ * failInfoOID OBJECT IDENTIFIER,
++ * failInfoValue AttributeValue
++ * } OPTIONAL
++ * }
++ * }
++ * PendInfo ::= SEQUENCE {
++ * pendToken OCTET STRING,
++ * pendTime GeneralizedTime
++ * }
++ *
++ * @author Christina Fu (cfu)
++ * </pre>
++ */
++public class CMCStatusInfoV2 implements ASN1Value {
++ public static final INTEGER BODYIDMAX = new INTEGER("4294967295");
++
++ ///////////////////////////////////////////////////////////////////////
++ // Members
++ ///////////////////////////////////////////////////////////////////////
++ private INTEGER status;
++ private SEQUENCE bodyList;
++ private UTF8String statusString;
++ private OtherInfo otherInfo;
++
++ // CMCStatus constants
++ public static final int SUCCESS = 0;
++ public static final int RESERVED = 1;
++ public static final int FAILED = 2;
++ public static final int PENDING = 3;
++ public static final int NOSUPPORT = 4;
++ public static final int CONFIRM_REQUIRED = 5;
++ public static final int POP_REQUIRED = 6;
++ public static final int PARTIAL = 7;
++
++ public static final String[] STATUS = {"success",
++ "reserved",
++ "failed",
++ "pending",
++ "not supported",
++ "confirm required",
++ "pop required",
++ "partial"};
++
++ ///////////////////////////////////////////////////////////////////////
++ // Constructors
++ ///////////////////////////////////////////////////////////////////////
++
++ private CMCStatusInfoV2() { }
++
++ /**
++ * @param status A CMCStatus constant.
++ * @param bodyList The sequence of BodyPartReference.
++ */
++ public CMCStatusInfoV2(int status, SEQUENCE bodyList) {
++ this.status = new INTEGER(status);
++ this.bodyList = bodyList;
++ this.statusString = null;
++ this.otherInfo = null;
++ }
++
++ /**
++ * @param status A CMCStatus constant.
++ * @param bodyList The sequence of BodyPartReference.
++ * @param statusString A String.
++ * @param otherInfo The OtherInfo choice.
++ */
++ public CMCStatusInfoV2(int status, SEQUENCE bodyList, String
++ statusString, OtherInfo otherInfo) {
++ this.status = new INTEGER(status);
++ this.bodyList = bodyList;
++ if (statusString != null){
++ try {
++ this.statusString = new UTF8String(statusString);
++ } catch (Exception e){}
++ } else
++ this.statusString = null;
++ this.otherInfo = otherInfo;
++ }
++
++ /**
++ * Create a CMCStatusInfoV2 from decoding.
++ * @param status A CMCStatus constant.
++ * @param bodyList The sequence of BodyPartReference.
++ * @param statusString A UTF8String.
++ * @param otherInfo A CHOICE.
++ */
++ public CMCStatusInfoV2(INTEGER status, SEQUENCE bodyList, UTF8String
++ statusString, OtherInfo otherInfo) {
++ this.status = status;
++ this.bodyList = bodyList;
++ this.statusString = statusString;
++ this.otherInfo = otherInfo;
++ }
++
++ /**
++ * Sets the <code>statusString</code> field. May be null, since this
++ * field is optional.
++ */
++ public void setStatusString(String statusString) {
++ if (statusString != null){
++ try {
++ this.statusString = new UTF8String(statusString);
++ } catch (Exception e){}
++ } else{
++ this.statusString = null;
++ }
++ }
++
++ /**
++ * Adds a BodyPartID to the bodyList SEQUENCE.
++ */
++ public void addBodyPartID(int id) {
++ INTEGER id1 = new INTEGER(id);
++ Assert._assert(id1.compareTo(BODYIDMAX) <= 0);
++ bodyList.addElement( id1 );
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // member access
++ ///////////////////////////////////////////////////////////////////////
++ public int getStatus() {
++ return status.intValue();
++ }
++
++ public SEQUENCE getBodyList() {
++ return bodyList;
++ }
++
++ public String getStatusString() {
++ if (statusString != null)
++ return statusString.toString();
++ return null;
++ }
++
++ public OtherInfo getOtherInfo() {
++ return otherInfo;
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // decoding/encoding
++ ///////////////////////////////////////////////////////////////////////
++
++ public static final Tag TAG = SEQUENCE.TAG;
++ public Tag getTag() {
++ return TAG;
++ }
++
++ public void encode(OutputStream ostream) throws IOException {
++ encode(TAG, ostream);
++ }
++
++ public void encode(Tag implicitTag, OutputStream ostream)
++ throws IOException
++ {
++ SEQUENCE seq = new SEQUENCE();
++
++ seq.addElement(status);
++ seq.addElement(bodyList);
++ if( statusString != null ) {
++ seq.addElement( statusString );
++ }
++
++ if ( otherInfo != null) {
++ seq.addElement( otherInfo );
++ }
++
++ seq.encode(implicitTag, ostream);
++ }
++
++ private static final Template templateInstance = new Template();
++ public static Template getTemplate() {
++ return templateInstance;
++ }
++
++
++ public static class Template implements ASN1Template {
++
++ private SEQUENCE.Template seqt;
++
++ public Template() {
++ seqt = new SEQUENCE.Template();
++ seqt.addElement( INTEGER.getTemplate() );
++ seqt.addElement( new SEQUENCE.OF_Template(INTEGER.getTemplate()) );
++ seqt.addOptionalElement( UTF8String.getTemplate());
++
++ seqt.addOptionalElement( OtherInfo.getTemplate() );
++ }
++
++ public boolean tagMatch(Tag tag) {
++ return TAG.equals(tag);
++ }
++
++ public ASN1Value decode(InputStream istream)
++ throws InvalidBERException, IOException {
++ return decode(TAG, istream);
++ }
++
++ public ASN1Value decode(Tag implicitTag, InputStream istream)
++ throws InvalidBERException, IOException {
++
++ CMCStatusInfoV2 psi;
++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream);
++
++ return new CMCStatusInfoV2((INTEGER)seq.elementAt(0),
++ (SEQUENCE)seq.elementAt(1),
++ (UTF8String)seq.elementAt(2),
++ (OtherInfo)seq.elementAt(3));
++ }
++ }
++}
++
+diff --git a/org/mozilla/jss/pkix/cmc/DecryptedPOP.java b/org/mozilla/jss/pkix/cmc/DecryptedPOP.java
+new file mode 100644
+index 0000000..14013aa
+--- /dev/null
++++ b/org/mozilla/jss/pkix/cmc/DecryptedPOP.java
+@@ -0,0 +1,165 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 1998-2000
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++
++package org.mozilla.jss.pkix.cmc;
++
++import org.mozilla.jss.asn1.*;
++import org.mozilla.jss.pkix.primitive.*;
++import java.io.*;
++
++/**
++ * CMC <i>DecryptedPOP</i>:
++ * <pre>
++ * DecryptedPOP ::= SEQUENCE {
++ * bodyPartID BodyPartID,
++ * thePOPAlgID AlgorithmIdentifier,
++ * thePOP OCTET STRING
++ * }
++ * </pre>
++ *
++ * @author Christina Fu (cfu)
++ */
++public class DecryptedPOP implements ASN1Value {
++
++ ///////////////////////////////////////////////////////////////////////
++ // members and member access
++ ///////////////////////////////////////////////////////////////////////
++ private INTEGER bodyPartID;
++ private AlgorithmIdentifier thePOPAlgID;
++ private OCTET_STRING thePOP;
++ private SEQUENCE sequence; // for DER encoding
++
++ /**
++ * Returns the <code>bodyPartID</code> field.
++ */
++ public INTEGER getBodyPartID() {
++ return bodyPartID;
++ }
++
++ public AlgorithmIdentifier getThePOPAlgID() {
++ return thePOPAlgID;
++ }
++
++ public OCTET_STRING getWitness() {
++ return thePOP;
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // constructors
++ ///////////////////////////////////////////////////////////////////////
++ private DecryptedPOP() { }
++
++ public DecryptedPOP(
++ INTEGER bodyPartID,
++ AlgorithmIdentifier thePOPAlgID,
++ OCTET_STRING thePOP)
++ {
++ if( bodyPartID==null || thePOPAlgID==null ||
++ thePOP==null ) {
++ throw new IllegalArgumentException("DecryptedPOP constructor"
++ +" parameter is null");
++ }
++
++ this.bodyPartID = bodyPartID;
++ this.thePOPAlgID = thePOPAlgID;
++ this.thePOP = thePOP;
++
++ sequence = new SEQUENCE();
++ sequence.addElement(bodyPartID);
++ sequence.addElement(thePOPAlgID);
++ sequence.addElement(thePOP);
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // DER encoding
++ ///////////////////////////////////////////////////////////////////////
++
++ private static final Tag TAG = SEQUENCE.TAG;
++
++ public Tag getTag() {
++ return TAG;
++ }
++
++ public void encode(OutputStream ostream) throws IOException {
++ sequence.encode(ostream);
++ }
++
++ public void encode(Tag implicitTag, OutputStream ostream)
++ throws IOException {
++ sequence.encode(implicitTag, ostream);
++ }
++
++ private static final Template templateInstance = new Template();
++ public static Template getTemplate() {
++ return templateInstance;
++ }
++
++ /**
++ * A Template for decoding BER-encoded DecryptedPOP items.
++ */
++ public static class Template implements ASN1Template {
++
++ private SEQUENCE.Template seqt;
++
++ public Template() {
++ seqt = new SEQUENCE.Template();
++
++ seqt.addElement( INTEGER.getTemplate() );
++ seqt.addElement( AlgorithmIdentifier.getTemplate() );
++ seqt.addElement( OCTET_STRING.getTemplate() );
++ }
++
++ public boolean tagMatch(Tag tag) {
++ return TAG.equals(tag);
++ }
++
++ public ASN1Value decode(InputStream istream)
++ throws InvalidBERException, IOException {
++ return decode(TAG, istream);
++ }
++
++ public ASN1Value decode(Tag implicitTag, InputStream istream)
++ throws InvalidBERException, IOException {
++
++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream);
++
++ return new DecryptedPOP(
++ (INTEGER) seq.elementAt(0),
++ (AlgorithmIdentifier) seq.elementAt(1),
++ (OCTET_STRING) seq.elementAt(2) );
++ }
++ }
++}
+diff --git a/org/mozilla/jss/pkix/cmc/EncryptedPOP.java b/org/mozilla/jss/pkix/cmc/EncryptedPOP.java
+new file mode 100644
+index 0000000..58a3f4c
+--- /dev/null
++++ b/org/mozilla/jss/pkix/cmc/EncryptedPOP.java
+@@ -0,0 +1,185 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 1998-2000
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++
++package org.mozilla.jss.pkix.cmc;
++
++import org.mozilla.jss.asn1.*;
++import org.mozilla.jss.pkix.primitive.*;
++import org.mozilla.jss.pkix.cms.*;
++import java.io.*;
++
++/**
++ * CMC <i>EncryptedPOP</i>:
++ * <pre>
++ * EncryptedPOP ::= SEQUENCE {
++ * request TaggedRequest,
++ * cms ContentInfo,
++ * thePOPAlgID AlgorithmIdentifier,
++ * witnessAlgID AlgorithmIdentifier,
++ * witness OCTET STRING
++ * }
++ * </pre>
++ *
++ * @author Christina Fu (cfu)
++ */
++public class EncryptedPOP implements ASN1Value {
++
++ ///////////////////////////////////////////////////////////////////////
++ // members and member access
++ ///////////////////////////////////////////////////////////////////////
++ private TaggedRequest request;
++ private ContentInfo cms;
++ private AlgorithmIdentifier thePOPAlgID;
++ private AlgorithmIdentifier witnessAlgID;
++ private OCTET_STRING witness;
++ private SEQUENCE sequence; // for DER encoding
++
++ public TaggedRequest getRequest() {
++ return request;
++ }
++
++ public ContentInfo getContentInfo() {
++ return cms;
++ }
++
++ public AlgorithmIdentifier getThePOPAlgID() {
++ return thePOPAlgID;
++ }
++
++ public AlgorithmIdentifier getWitnessAlgID() {
++ return witnessAlgID;
++ }
++
++ public OCTET_STRING getWitness() {
++ return witness;
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // constructors
++ ///////////////////////////////////////////////////////////////////////
++ private EncryptedPOP() { }
++
++ public EncryptedPOP(
++ TaggedRequest request,
++ ContentInfo cms,
++ AlgorithmIdentifier thePOPAlgID,
++ AlgorithmIdentifier witnessAlgID,
++ OCTET_STRING witness)
++ {
++ if( request==null || cms==null || thePOPAlgID==null || witnessAlgID==null ||
++ witness==null ) {
++ throw new IllegalArgumentException("EncryptedPOP constructor"
++ +" parameter is null");
++ }
++
++ this.request = request;
++ this.cms = cms;
++ this.thePOPAlgID = thePOPAlgID;
++ this.witnessAlgID = witnessAlgID;
++ this.witness = witness;
++
++ sequence = new SEQUENCE();
++ sequence.addElement(request);
++ sequence.addElement(cms);
++ sequence.addElement(thePOPAlgID);
++ sequence.addElement(witnessAlgID);
++ sequence.addElement(witness);
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // DER encoding
++ ///////////////////////////////////////////////////////////////////////
++
++ private static final Tag TAG = SEQUENCE.TAG;
++
++ public Tag getTag() {
++ return TAG;
++ }
++
++ public void encode(OutputStream ostream) throws IOException {
++ sequence.encode(ostream);
++ }
++
++ public void encode(Tag implicitTag, OutputStream ostream)
++ throws IOException {
++ sequence.encode(implicitTag, ostream);
++ }
++
++ private static final Template templateInstance = new Template();
++ public static Template getTemplate() {
++ return templateInstance;
++ }
++
++ /**
++ * A Template for decoding BER-encoded EncryptedPOP items.
++ */
++ public static class Template implements ASN1Template {
++
++ private SEQUENCE.Template seqt;
++
++ public Template() {
++ seqt = new SEQUENCE.Template();
++
++ seqt.addElement( TaggedRequest.getTemplate() );
++ seqt.addElement( ContentInfo.getTemplate() );
++ seqt.addElement( AlgorithmIdentifier.getTemplate() );
++ seqt.addElement( AlgorithmIdentifier.getTemplate() );
++ seqt.addElement( OCTET_STRING.getTemplate() );
++ }
++
++ public boolean tagMatch(Tag tag) {
++ return TAG.equals(tag);
++ }
++
++ public ASN1Value decode(InputStream istream)
++ throws InvalidBERException, IOException {
++ return decode(TAG, istream);
++ }
++
++ public ASN1Value decode(Tag implicitTag, InputStream istream)
++ throws InvalidBERException, IOException {
++
++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream);
++
++ return new EncryptedPOP(
++ (TaggedRequest) seq.elementAt(0),
++ (ContentInfo) seq.elementAt(1),
++ (AlgorithmIdentifier) seq.elementAt(2),
++ (AlgorithmIdentifier) seq.elementAt(3),
++ (OCTET_STRING) seq.elementAt(4) );
++ }
++ }
++}
+diff --git a/org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java b/org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java
+new file mode 100644
+index 0000000..34a10a8
+--- /dev/null
++++ b/org/mozilla/jss/pkix/cmc/ExtendedFailInfo.java
+@@ -0,0 +1,145 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 1998-2000
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++package org.mozilla.jss.pkix.cmc;
++
++import org.mozilla.jss.asn1.*;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.io.IOException;
++import org.mozilla.jss.util.Assert;
++
++/**
++ * ExtendedFailInfo per rfc 5272
++ * It is to be used in CMCStatusInfoV2 as a CHOICE of otherInfo
++ *
++ * <pre>
++ * ExtendedFailInfo ::= SEQUENCE {
++ * failInfoOID OBJECT IDENTIFIER,
++ * failInfoValue ANY DEFINED BY failInfoOID }
++ * </pre>
++ *
++ * @author Christina Fu (cfu)
++ */
++public class ExtendedFailInfo implements ASN1Value {
++
++ private OBJECT_IDENTIFIER failInfoOID;
++ private ANY failInfoValue;
++
++ public static final Tag TAG = SEQUENCE.TAG;
++ public Tag getTag() {
++ return TAG;
++ }
++
++ private ExtendedFailInfo() { }
++
++ public ExtendedFailInfo(OBJECT_IDENTIFIER failInfoOID, ASN1Value failInfoValue) {
++ this.failInfoOID = failInfoOID;
++ if( failInfoValue instanceof ANY ) {
++ this.failInfoValue = (ANY) failInfoValue;
++ } else {
++ byte[] encoded = ASN1Util.encode(failInfoValue);
++ try {
++ this.failInfoValue = (ANY) ASN1Util.decode(ANY.getTemplate(), encoded);
++ } catch( InvalidBERException e ) {
++ Assert.notReached("InvalidBERException while decoding as ANY");
++ }
++ }
++ }
++
++ public OBJECT_IDENTIFIER getOID() {
++ return failInfoOID;
++ }
++
++ /**
++ * Returns the failInfoValue of this ExtendedFailInfo, encoded as an ANY.
++ */
++ public ANY getValue() {
++ return failInfoValue;
++ }
++
++ public void encode(OutputStream ostream) throws IOException {
++ encode(TAG, ostream);
++ }
++
++ public void encode(Tag implicit, OutputStream ostream)
++ throws IOException
++ {
++ SEQUENCE seq = new SEQUENCE();
++ seq.addElement(failInfoOID);
++ seq.addElement(failInfoValue);
++
++ seq.encode(implicit, ostream);
++ }
++
++ private static final Template templateInstance = new Template();
++ public static Template getTemplate() {
++ return templateInstance;
++ }
++
++ /**
++ * A Template for decoding an ExtendedFailInfo.
++ */
++ public static class Template implements ASN1Template {
++
++ public boolean tagMatch(Tag tag) {
++ return TAG.equals(tag);
++ }
++
++ public ASN1Value decode(InputStream istream)
++ throws IOException, InvalidBERException
++ {
++ return decode(TAG, istream);
++ }
++
++ public ASN1Value decode(Tag implicit, InputStream istream)
++ throws IOException, InvalidBERException
++ {
++ SEQUENCE.Template seqt = new SEQUENCE.Template();
++
++ seqt.addElement( new OBJECT_IDENTIFIER.Template() );
++ seqt.addElement( new ANY.Template() );
++
++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicit, istream);
++
++ // The template should have enforced this
++ Assert._assert(seq.size() == 2);
++
++ return new ExtendedFailInfo( (OBJECT_IDENTIFIER) seq.elementAt(0),
++ seq.elementAt(1) );
++ }
++ }
++
++}
+diff --git a/org/mozilla/jss/pkix/cmc/IdentityProofV2.java b/org/mozilla/jss/pkix/cmc/IdentityProofV2.java
+new file mode 100644
+index 0000000..f0daaaa
+--- /dev/null
++++ b/org/mozilla/jss/pkix/cmc/IdentityProofV2.java
+@@ -0,0 +1,163 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 1998-2000
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++
++package org.mozilla.jss.pkix.cmc;
++
++import org.mozilla.jss.asn1.*;
++import org.mozilla.jss.pkix.primitive.*;
++import java.io.*;
++
++/**
++ * CMC <i>IdentityProofV2</i>:
++ * per rfc 5272
++ * <pre>
++ * IdentityProofV2 ::= SEQUENCE {
++ * hashAlgID AlgorithmIdentifier,
++ * macAlgId AlgorithmIdentifier,
++ * witness OCTET STRING
++ * }
++ * </pre>
++ *
++ * @author Christina Fu (cfu)
++ */
++public class IdentityProofV2 implements ASN1Value {
++
++ ///////////////////////////////////////////////////////////////////////
++ // members and member access
++ ///////////////////////////////////////////////////////////////////////
++ private AlgorithmIdentifier hashAlgID;
++ private AlgorithmIdentifier macAlgId;
++ private OCTET_STRING witness;
++ private SEQUENCE sequence; // for DER encoding
++
++ public AlgorithmIdentifier getHashAlgID() {
++ return hashAlgID;
++ }
++
++ public AlgorithmIdentifier getMacAlgId() {
++ return macAlgId;
++ }
++
++ public OCTET_STRING getWitness() {
++ return witness;
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // constructors
++ ///////////////////////////////////////////////////////////////////////
++ private IdentityProofV2() { }
++
++ public IdentityProofV2(
++ AlgorithmIdentifier hashAlgID,
++ AlgorithmIdentifier macAlgId,
++ OCTET_STRING witness)
++ {
++ if( hashAlgID==null || macAlgId==null ||
++ witness==null ) {
++ throw new IllegalArgumentException("IdentityProofV2 constructor"
++ +" parameter is null");
++ }
++
++ this.hashAlgID = hashAlgID;
++ this.macAlgId = macAlgId;
++ this.witness = witness;
++
++ sequence = new SEQUENCE();
++ sequence.addElement(hashAlgID);
++ sequence.addElement(macAlgId);
++ sequence.addElement(witness);
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // DER encoding
++ ///////////////////////////////////////////////////////////////////////
++
++ private static final Tag TAG = SEQUENCE.TAG;
++
++ public Tag getTag() {
++ return TAG;
++ }
++
++ public void encode(OutputStream ostream) throws IOException {
++ sequence.encode(ostream);
++ }
++
++ public void encode(Tag implicitTag, OutputStream ostream)
++ throws IOException {
++ sequence.encode(implicitTag, ostream);
++ }
++
++ private static final Template templateInstance = new Template();
++ public static Template getTemplate() {
++ return templateInstance;
++ }
++
++ /**
++ * A Template for decoding BER-encoded IdentityProofV2 items.
++ */
++ public static class Template implements ASN1Template {
++
++ private SEQUENCE.Template seqt;
++
++ public Template() {
++ seqt = new SEQUENCE.Template();
++
++ seqt.addElement( AlgorithmIdentifier.getTemplate() );
++ seqt.addElement( AlgorithmIdentifier.getTemplate() );
++ seqt.addElement( OCTET_STRING.getTemplate() );
++ }
++
++ public boolean tagMatch(Tag tag) {
++ return TAG.equals(tag);
++ }
++
++ public ASN1Value decode(InputStream istream)
++ throws InvalidBERException, IOException {
++ return decode(TAG, istream);
++ }
++
++ public ASN1Value decode(Tag implicitTag, InputStream istream)
++ throws InvalidBERException, IOException {
++
++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream);
++
++ return new IdentityProofV2(
++ (AlgorithmIdentifier) seq.elementAt(0),
++ (AlgorithmIdentifier) seq.elementAt(1),
++ (OCTET_STRING) seq.elementAt(2) );
++ }
++ }
++}
+diff --git a/org/mozilla/jss/pkix/cmc/OtherInfo.java b/org/mozilla/jss/pkix/cmc/OtherInfo.java
+index b93c193..3c83932 100644
+--- a/org/mozilla/jss/pkix/cmc/OtherInfo.java
++++ b/org/mozilla/jss/pkix/cmc/OtherInfo.java
+@@ -9,13 +9,20 @@ import java.io.*;
+ import org.mozilla.jss.util.Assert;
+
+ /**
+- * CMCStatusInfo <i>OtherInfo</i>:
++ * CMCStatusInfoV2 <i>OtherInfo</i>:
++ *
+ * <pre>
+ * OtherInfo ::= CHOICE {
+ * failInfo INTEGER,
+- * pendInfo PendInfo
+- * }
++ * pendInfo PendInfo,
++ * extendedFailInfo SEQUENCE { // ExtendedFailInfo
++ * failInfoOID OBJECT IDENTIFIER,
++ * failInfoValue AttributeValue
++ * } OPTIONAL
++ * }
+ * </pre>
++ *
++ * @author Christina Fu (cfu) - updated for rfc5272
+ */
+ public class OtherInfo implements ASN1Value {
+ // CMCFailInfo constants
+@@ -32,20 +39,23 @@ public class OtherInfo implements ASN1Value {
+ public static final int NO_KEY_REUSE = 10;
+ public static final int INTERNAL_CA_ERROR = 11;
+ public static final int TRY_LATER = 12;
++ public static final int authDataFail = 13;
+
+- public static final String[] FAIL_INFO = {"bad algorithm",
+- "bad message check",
+- "bad request",
+- "bad time",
+- "bad certificate id",
+- "unsupported extensions",
+- "must archive keys",
+- "bad identity",
+- "POP required",
+- "POP failed",
+- "no key reuse",
+- "internal ca error",
+- "try later"};
++ public static final String[] FAIL_INFO = {
++ "bad algorithm",
++ "bad message check",
++ "bad request",
++ "bad time",
++ "bad certificate id",
++ "unsupported extensions",
++ "must archive keys",
++ "bad identity",
++ "POP required",
++ "POP failed",
++ "no key reuse",
++ "internal ca error",
++ "try later",
++ "authenticated data fail"};
+ /**
+ * The type of OtherInfo.
+ */
+@@ -54,9 +64,11 @@ public class OtherInfo implements ASN1Value {
+
+ static Type FAIL = new Type();
+ static Type PEND = new Type();
++ static Type EXTENDED = new Type();
+ }
+ public static Type FAIL = Type.FAIL;
+ public static Type PEND = Type.PEND;
++ public static Type EXTENDED = Type.EXTENDED;
+
+ ///////////////////////////////////////////////////////////////////////
+ // members and member access
+@@ -65,6 +77,7 @@ public class OtherInfo implements ASN1Value {
+ private Type type;
+ private INTEGER failInfo; // if type == FAIL
+ private PendInfo pendInfo; // if type == PEND
++ private ExtendedFailInfo extendedFailInfo; // if type == EXTENDED
+
+ ///////////////////////////////////////////////////////////////////////
+ // Constructors
+@@ -73,17 +86,76 @@ public class OtherInfo implements ASN1Value {
+ // no default constructor
+ public OtherInfo() { }
+
+- /**
++ /**
+ * Constructs a OtherInfo from its components.
+ *
+ * @param type The type of the otherInfo.
+ * @param failInfo the CMCFailInfo code.
+ * @param pendInfo the pending information.
++ *
++ * Note: kept for backward compatibility for now; new code don't use
+ */
+ public OtherInfo(Type type, INTEGER failInfo, PendInfo pendInfo) {
++ if (type == null) {
++ throw new IllegalArgumentException("OtherInfo constructor"
++ +" parameter is null");
++ }
++
++ if ( type == FAIL ) {
++ if (failInfo == null) {
++ throw new IllegalArgumentException("OtherInfo constructor"
++ +" parameter failInfo is null");
++ }
++ } else {
++ Assert._assert( type == PEND );
++ if (pendInfo == null) {
++ throw new IllegalArgumentException("OtherInfo constructor"
++ +" parameter pendInfo is null");
++ }
++ }
++ this.type = type;
++ this.failInfo = failInfo;
++ this.pendInfo = pendInfo;
++ }
++
++ /**
++ * Constructs a OtherInfo from its components.
++ *
++ * @param type The type of the otherInfo.
++ * @param failInfo the CMCFailInfo code.
++ * @param pendInfo the pending information.
++ * @param extendedFailInfo the extendedFailInfo information.
++ */
++ public OtherInfo(Type type,
++ INTEGER failInfo,
++ PendInfo pendInfo,
++ ExtendedFailInfo extendedFailInfo) {
++ if (type == null) {
++ throw new IllegalArgumentException("OtherInfo constructor"
++ +" parameter is null");
++ }
++
++ if ( type == FAIL ) {
++ if (failInfo == null) {
++ throw new IllegalArgumentException("OtherInfo constructor"
++ +" parameter failInfo is null");
++ }
++ } else if ( type == PEND ) {
++ if (pendInfo == null) {
++ throw new IllegalArgumentException("OtherInfo constructor"
++ +" parameter pendInfo is null");
++ }
++ } else {
++ Assert._assert( type == EXTENDED );
++ if (extendedFailInfo == null) {
++ throw new IllegalArgumentException("OtherInfo constructor"
++ +" parameter extendedFailInfo is null");
++ }
++ }
+ this.type = type;
+ this.failInfo = failInfo;
+ this.pendInfo = pendInfo;
++ this.extendedFailInfo = extendedFailInfo;
+ }
+
+ ///////////////////////////////////////////////////////////////////////
+@@ -94,6 +166,7 @@ public class OtherInfo implements ASN1Value {
+ * Returns the type of OtherInfo: <ul>
+ * <li><code>FAIL</code>
+ * <li><code>PEND</code>
++ * <li><code>EXTENDED</code>
+ * </ul>
+ */
+ public Type getType() {
+@@ -116,17 +189,27 @@ public class OtherInfo implements ASN1Value {
+ return pendInfo;
+ }
+
++ /**
++ * If type == EXTENDED, returns the extendedFailInfo field. Otherwise,
++ * returns null.
++ */
++ public ExtendedFailInfo getExtendedFailInfo() {
++ return extendedFailInfo;
++ }
++
+ ///////////////////////////////////////////////////////////////////////
+ // DER decoding/encoding
+ ///////////////////////////////////////////////////////////////////////
+
+ public Tag getTag() {
+- // return the subType's tag
++ // return the subType's tag
+ if( type == FAIL ) {
+ return INTEGER.TAG;
+- } else {
+- Assert._assert( type == PEND );
++ } else if( type == PEND ){
+ return PendInfo.TAG;
++ } else {
++ Assert._assert( type == EXTENDED );
++ return ExtendedFailInfo.TAG;
+ }
+ }
+
+@@ -134,16 +217,18 @@ public class OtherInfo implements ASN1Value {
+
+ if( type == FAIL ) {
+ failInfo.encode(ostream);
+- } else {
+- Assert._assert( type == PEND );
++ } else if( type == PEND ){
+ pendInfo.encode(ostream);
++ } else {
++ Assert._assert( type == EXTENDED );
++ extendedFailInfo.encode(ostream);
+ }
+ }
+
+ public void encode(Tag implicitTag, OutputStream ostream)
+ throws IOException {
+- //Assert.notReached("A CHOICE cannot be implicitly tagged " +implicitTag.getNum());
+- encode(ostream);
++ //Assert.notReached("A CHOICE cannot be implicitly tagged " +implicitTag.getNum());
++ encode(ostream);
+ }
+
+ private static final Template templateInstance = new Template();
+@@ -162,6 +247,7 @@ public class OtherInfo implements ASN1Value {
+ choicet = new CHOICE.Template();
+ choicet.addElement( INTEGER.getTemplate() );
+ choicet.addElement( PendInfo.getTemplate() );
++ choicet.addElement( ExtendedFailInfo.getTemplate() );
+ }
+
+ public boolean tagMatch(Tag tag) {
+@@ -173,17 +259,19 @@ public class OtherInfo implements ASN1Value {
+ CHOICE c = (CHOICE) choicet.decode(istream);
+
+ if( c.getTag().equals(INTEGER.TAG) ) {
+- return new OtherInfo(FAIL, (INTEGER) c.getValue() , null);
++ return new OtherInfo(FAIL, (INTEGER) c.getValue() , null, null);
++ } else if( c.getTag().equals(PendInfo.TAG) ) {
++ return new OtherInfo(PEND, null, (PendInfo) c.getValue(), null);
+ } else {
+- Assert._assert( c.getTag().equals(PendInfo.TAG) );
+- return new OtherInfo(PEND, null, (PendInfo) c.getValue());
++ Assert._assert( c.getTag().equals(ExtendedFailInfo.TAG) );
++ return new OtherInfo(EXTENDED, null, null, (ExtendedFailInfo) c.getValue());
+ }
+ }
+
+ public ASN1Value decode(Tag implicitTag, InputStream istream)
+ throws InvalidBERException, IOException {
+- //Assert.notReached("A CHOICE cannot be implicitly tagged");
+- return decode(istream);
+- }
+- }
++ //Assert.notReached("A CHOICE cannot be implicitly tagged");
++ return decode(istream);
++ }
++ }
+ }
+diff --git a/org/mozilla/jss/pkix/cmc/OtherReqMsg.java b/org/mozilla/jss/pkix/cmc/OtherReqMsg.java
+new file mode 100644
+index 0000000..d1100b4
+--- /dev/null
++++ b/org/mozilla/jss/pkix/cmc/OtherReqMsg.java
+@@ -0,0 +1,167 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 2004
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++
++package org.mozilla.jss.pkix.cmc;
++
++import org.mozilla.jss.asn1.*;
++import java.io.*;
++
++/**
++ * CMC <i>OtherReqMsg</i>.
++ * <pre>
++ * OtherReqMsg is to be used by the "orm" field of the TaggedRequest per
++ * definition in RFC 5272.
++ *
++ * OtherReqMsg ::= SEQUENCE {
++ * bodyPartID BodyPartID,
++ * requestMessageType Object Identifier,
++ * requestMessageValue ANY defined by requestMessageType}
++ * </pre>
++ *
++ * @author Christina Fu (cfu)
++ */
++public class OtherReqMsg implements ASN1Value {
++
++ ///////////////////////////////////////////////////////////////////////
++ // Members and member access
++ ///////////////////////////////////////////////////////////////////////
++ private INTEGER bodyPartID;
++ private OBJECT_IDENTIFIER requestMessageType;
++ private ANY requestMessageValue;
++ private SEQUENCE sequence;
++
++ /**
++ * Returns the <code>bodyPartID</code> field.
++ */
++ public INTEGER getBodyPartID() {
++ return bodyPartID;
++ }
++
++ /**
++ * Returns the <code>requestMessageType</code> field.
++ */
++ public OBJECT_IDENTIFIER getOtherReqMsgType() {
++ return requestMessageType;
++ }
++
++ /**
++ * Returns the <code>requestMessageValue</code> field.
++ */
++ public ANY getOtherReqMsgValue() {
++ return requestMessageValue;
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // Constructors
++ ///////////////////////////////////////////////////////////////////////
++ private OtherReqMsg() { }
++
++ /**
++ * Constructs a new <code>OtherReqMsg</code> from its components.
++ */
++ public OtherReqMsg(INTEGER bodyPartID, OBJECT_IDENTIFIER requestMessageType,
++ ANY requestMessageValue) {
++ if (bodyPartID == null || requestMessageType == null
++ || requestMessageValue == null) {
++ throw new IllegalArgumentException(
++ "parameter to OtherReqMsg constructor is null");
++ }
++ sequence = new SEQUENCE();
++
++ this.bodyPartID = bodyPartID;
++ sequence.addElement(bodyPartID);
++
++ this.requestMessageType = requestMessageType;
++ sequence.addElement(requestMessageType);
++
++ this.requestMessageValue = requestMessageValue;
++ sequence.addElement(requestMessageValue);
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // encoding/decoding
++ ///////////////////////////////////////////////////////////////////////
++ private static final Tag TAG = SEQUENCE.TAG;
++ public Tag getTag() {
++ return TAG;
++ }
++
++ public void encode(OutputStream ostream) throws IOException {
++ sequence.encode(ostream);
++ }
++
++ public void encode(Tag implicitTag, OutputStream ostream)
++ throws IOException {
++ sequence.encode(implicitTag, ostream);
++ }
++
++ private static final Template templateInstance = new Template();
++ public static Template getTemplate() {
++ return templateInstance;
++ }
++
++ /**
++ * A Template for decoding a <code>OtherReqMsg</code>.
++ */
++ public static class Template implements ASN1Template {
++ private SEQUENCE.Template seqt;
++
++ public Template() {
++ seqt = new SEQUENCE.Template();
++ seqt.addElement(INTEGER.getTemplate());
++ seqt.addElement(OBJECT_IDENTIFIER.getTemplate());
++ seqt.addElement(ANY.getTemplate());
++ }
++
++ public boolean tagMatch(Tag tag) {
++ return TAG.equals(tag);
++ }
++
++ public ASN1Value decode(InputStream istream)
++ throws InvalidBERException, IOException {
++ return decode(TAG, istream);
++ }
++
++ public ASN1Value decode(Tag implicitTag, InputStream istream)
++ throws InvalidBERException, IOException {
++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream);
++
++ return new OtherReqMsg((INTEGER)seq.elementAt(0),
++ (OBJECT_IDENTIFIER)seq.elementAt(1),
++ (ANY)seq.elementAt(2));
++ }
++ }
++}
+diff --git a/org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java b/org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java
+new file mode 100644
+index 0000000..637c316
+--- /dev/null
++++ b/org/mozilla/jss/pkix/cmc/PopLinkWitnessV2.java
+@@ -0,0 +1,163 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 1998-2000
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++
++package org.mozilla.jss.pkix.cmc;
++
++import org.mozilla.jss.asn1.*;
++import org.mozilla.jss.pkix.primitive.*;
++import java.io.*;
++
++/**
++ * CMC <i>PopLinkWitnessV2</i>:
++ * per rfc 5272
++ * <pre>
++ * PopLinkWitnessV2 ::= SEQUENCE {
++ * keyGenAlgorithm AlgorithmIdentifier,
++ * macAlgorithm AlgorithmIdentifier,
++ * witness OCTET STRING
++ * }
++ * </pre>
++ *
++ * @author Christina Fu (cfu)
++ */
++public class PopLinkWitnessV2 implements ASN1Value {
++
++ ///////////////////////////////////////////////////////////////////////
++ // members and member access
++ ///////////////////////////////////////////////////////////////////////
++ private AlgorithmIdentifier keyGenAlgorithm;
++ private AlgorithmIdentifier macAlgorithm;
++ private OCTET_STRING witness;
++ private SEQUENCE sequence; // for DER encoding
++
++ public AlgorithmIdentifier getKeyGenAlgorithm() {
++ return keyGenAlgorithm;
++ }
++
++ public AlgorithmIdentifier getMacAlgorithm() {
++ return macAlgorithm;
++ }
++
++ public OCTET_STRING getWitness() {
++ return witness;
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // constructors
++ ///////////////////////////////////////////////////////////////////////
++ private PopLinkWitnessV2() { }
++
++ public PopLinkWitnessV2(
++ AlgorithmIdentifier keyGenAlgorithm,
++ AlgorithmIdentifier macAlgorithm,
++ OCTET_STRING witness)
++ {
++ if( keyGenAlgorithm==null || macAlgorithm==null ||
++ witness==null ) {
++ throw new IllegalArgumentException("PopLinkWitnessV2 constructor"
++ +" parameter is null");
++ }
++
++ this.keyGenAlgorithm = keyGenAlgorithm;
++ this.macAlgorithm = macAlgorithm;
++ this.witness = witness;
++
++ sequence = new SEQUENCE();
++ sequence.addElement(keyGenAlgorithm);
++ sequence.addElement(macAlgorithm);
++ sequence.addElement(witness);
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // DER encoding
++ ///////////////////////////////////////////////////////////////////////
++
++ private static final Tag TAG = SEQUENCE.TAG;
++
++ public Tag getTag() {
++ return TAG;
++ }
++
++ public void encode(OutputStream ostream) throws IOException {
++ sequence.encode(ostream);
++ }
++
++ public void encode(Tag implicitTag, OutputStream ostream)
++ throws IOException {
++ sequence.encode(implicitTag, ostream);
++ }
++
++ private static final Template templateInstance = new Template();
++ public static Template getTemplate() {
++ return templateInstance;
++ }
++
++ /**
++ * A Template for decoding BER-encoded PopLinkWitnessV2 items.
++ */
++ public static class Template implements ASN1Template {
++
++ private SEQUENCE.Template seqt;
++
++ public Template() {
++ seqt = new SEQUENCE.Template();
++
++ seqt.addElement( AlgorithmIdentifier.getTemplate() );
++ seqt.addElement( AlgorithmIdentifier.getTemplate() );
++ seqt.addElement( OCTET_STRING.getTemplate() );
++ }
++
++ public boolean tagMatch(Tag tag) {
++ return TAG.equals(tag);
++ }
++
++ public ASN1Value decode(InputStream istream)
++ throws InvalidBERException, IOException {
++ return decode(TAG, istream);
++ }
++
++ public ASN1Value decode(Tag implicitTag, InputStream istream)
++ throws InvalidBERException, IOException {
++
++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream);
++
++ return new PopLinkWitnessV2(
++ (AlgorithmIdentifier) seq.elementAt(0),
++ (AlgorithmIdentifier) seq.elementAt(1),
++ (OCTET_STRING) seq.elementAt(2) );
++ }
++ }
++}
+diff --git a/org/mozilla/jss/pkix/cmc/RevokeRequest.java b/org/mozilla/jss/pkix/cmc/RevokeRequest.java
+new file mode 100644
+index 0000000..d8444b6
+--- /dev/null
++++ b/org/mozilla/jss/pkix/cmc/RevokeRequest.java
+@@ -0,0 +1,323 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 1998-2000
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++
++package org.mozilla.jss.pkix.cmc;
++
++import org.mozilla.jss.asn1.*;
++import java.io.*;
++
++/**
++ * CMC <i>RevokeRequest</i>.
++ * <pre>
++ * RevokeRequest ::= SEQUENCE {
++ * issuerName Name,
++ * serialNumber INTEGER,
++ * reason CRLReason,
++ * invalidityDate GeneralizedTime OPTIONAL,
++ * passphrase OCTET STRING OPTIONAL,
++ * comment UTF8String OPTIONAL }
++ * </pre>
++ *
++ * For maintenance and conformance reasons, this code is brought over
++ * and mildly updated and renamed from cmmf/RevRequest during the process
++ * of CMC update to rfc 5272
++ * @author Christina Fu (cfu)
++ */
++public class RevokeRequest implements ASN1Value {
++
++ ///////////////////////////////////////////////////////////////////////
++ // Constants
++ ///////////////////////////////////////////////////////////////////////
++
++ /**
++ * A <code>CRLReason</code>, which can be used in the <code>reason</code>
++ * field.
++ */
++ public static final ENUMERATED unspecified = new ENUMERATED(0);
++ /**
++ * A <code>CRLReason</code>, which can be used in the <code>reason</code>
++ * field.
++ */
++ public static final ENUMERATED keyCompromise = new ENUMERATED(1);
++ /**
++ * A <code>CRLReason</code>, which can be used in the <code>reason</code>
++ * field.
++ */
++ public static final ENUMERATED cACompromise = new ENUMERATED(2);
++ /**
++ * A <code>CRLReason</code>, which can be used in the <code>reason</code>
++ * field.
++ */
++ public static final ENUMERATED affiliationChanged = new ENUMERATED(3);
++ /**
++ * A <code>CRLReason</code>, which can be used in the <code>reason</code>
++ * field.
++ */
++ public static final ENUMERATED superseded = new ENUMERATED(4);
++ /**
++ * A <code>CRLReason</code>, which can be used in the <code>reason</code>
++ * field.
++ */
++ public static final ENUMERATED cessationOfOperation = new ENUMERATED(5);
++ /**
++ * A <code>CRLReason</code>, which can be used in the <code>reason</code>
++ * field.
++ */
++ public static final ENUMERATED certificateHold = new ENUMERATED(6);
++ /**
++ * A <code>CRLReason</code>, which can be used in the <code>reason</code>
++ * field.
++ */
++ public static final ENUMERATED removeFromCRL = new ENUMERATED(8);
++ /**
++ * A <code>CRLReason</code>, which can be used in the <code>reason</code>
++ * field.
++ */
++ public static final ENUMERATED privilegeWithdrawn = new ENUMERATED(9);
++ /**
++ * A <code>CRLReason</code>, which can be used in the <code>reason</code>
++ * field.
++ */
++ public static final ENUMERATED aACompromise = new ENUMERATED(10);
++
++
++ ///////////////////////////////////////////////////////////////////////
++ // Members and member access
++ ///////////////////////////////////////////////////////////////////////
++ private ANY issuerName;
++ private INTEGER serialNumber;
++ private ENUMERATED reason;
++ private GeneralizedTime invalidityDate; // may be null
++ private OCTET_STRING passphrase; // may be null
++ private UTF8String comment; // may be null
++ private SEQUENCE sequence;
++
++ /**
++ * Returns the <code>issuerName</code> field as an ANY.
++ */
++ public ANY getIssuerName() {
++ return issuerName;
++ }
++
++ /**
++ * Returns the <code>serialNumber</code> field.
++ */
++ public INTEGER getSerialNumber() {
++ return serialNumber;
++ }
++
++ /**
++ * Returns the <code>reason</code> field, which should indicate the
++ * reason for the revocation. The currently supported reasons are:
++ * <pre>
++ * CRLReason ::= ENUMERATED {
++ * unspecified (0),
++ * keyCompromise (1),
++ * cACompromise (2),
++ * affiliationChanged (3),
++ * superseded (4),
++ * cessationOfOperation (5),
++ * certificateHold (6),
++ * removeFromCRL (8),
++ * privilegeWithdrawn (9),
++ * aACompromise (10) }
++ * </pre>
++ * These are all defined as constants in this class.
++ */
++ public ENUMERATED getReason() {
++ return reason;
++ }
++
++ /**
++ * Returns the <tt>invalidityDate</tt> field. Returns <tt>null</tt>
++ * if the field is not present.
++ */
++ public GeneralizedTime getInvalidityDate() {
++ return invalidityDate;
++ }
++
++ /**
++ * Returns the <code>passphrase</code> field. Returns
++ * <code>null</code> if the field is not present.
++ */
++ public OCTET_STRING getSharedSecret() {
++ return passphrase;
++ }
++
++ /**
++ * Returns the <code>comment</code> field. Returns <code>null</code>
++ * if the field is not present.
++ */
++ public UTF8String getComment() {
++ return comment;
++ }
++
++ ///////////////////////////////////////////////////////////////////////
++ // Constructors
++ ///////////////////////////////////////////////////////////////////////
++
++ private RevokeRequest() { }
++
++
++ /**
++ * Constructs a new <code>RevokeRequest</code> from its components,
++ * omitting the <tt>invalidityDate</tt> field.
++ *
++ * @deprecated This constructor is obsolete now that
++ * <tt>invalidityDate</tt> has been added to the class.
++ *
++ * @param issuerName The <code>issuerName</code> field.
++ * @param serialNumber The <code>serialNumber</code> field.
++ * @param reason The <code>reason</code> field. The constants defined
++ * in this class may be used.
++ * @param passphrase The <code>passphrase</code> field. This field is
++ * optional, so <code>null</code> may be used.
++ * @param comment The <code>comment</code> field. This field is optional,
++ * so <code>null</code> may be used.
++ */
++ public RevokeRequest(ANY issuerName, INTEGER serialNumber,
++ ENUMERATED reason, OCTET_STRING passphrase,
++ UTF8String comment)
++ {
++ this(issuerName, serialNumber, reason, null, passphrase, comment);
++ }
++
++ /**
++ * Constructs a new <code>RevokeRequest</code> from its components.
++ *
++ * @param issuerName The <code>issuerName</code> field.
++ * @param serialNumber The <code>serialNumber</code> field.
++ * @param reason The <code>reason</code> field. The constants defined
++ * in this class may be used.
++ * @param invalidityDate The suggested value for the Invalidity Date
++ * CRL extension. This field is optional, so <tt>null</tt> may be
++ * used.
++ * @param passphrase The <code>passphrase</code> field. This field is
++ * optional, so <code>null</code> may be used.
++ * @param comment The <code>comment</code> field. This field is optional,
++ * so <code>null</code> may be used.
++ */
++ public RevokeRequest(ANY issuerName, INTEGER serialNumber,
++ ENUMERATED reason, GeneralizedTime invalidityDate,
++ OCTET_STRING passphrase, UTF8String comment)
++ {
++ if( issuerName==null || serialNumber==null || reason==null ) {
++ throw new IllegalArgumentException(
++ "parameter to RevokeRequest constructor is null");
++ }
++ sequence = new SEQUENCE();
++
++ this.issuerName = issuerName;
++ sequence.addElement(issuerName);
++
++ this.serialNumber = serialNumber;
++ sequence.addElement(serialNumber);
++
++ this.reason = reason;
++ sequence.addElement(reason);
++
++ this.invalidityDate = invalidityDate;
++ sequence.addElement(invalidityDate);
++
++ this.passphrase = passphrase;
++ sequence.addElement(passphrase);
++
++ this.comment = comment;
++ sequence.addElement(comment);
++ }
++
++
++ ///////////////////////////////////////////////////////////////////////
++ // encoding/decoding
++ ///////////////////////////////////////////////////////////////////////
++
++ private static final Tag TAG = SEQUENCE.TAG;
++ public Tag getTag() {
++ return TAG;
++ }
++
++ public void encode(OutputStream ostream) throws IOException {
++ sequence.encode(ostream);
++ }
++
++ public void encode(Tag implicitTag, OutputStream ostream)
++ throws IOException {
++ sequence.encode(implicitTag, ostream);
++ }
++
++
++
++ /**
++ * A Template class for decoding a <code>RevokeRequest</code>.
++ */
++ public static class Template implements ASN1Template {
++
++ private SEQUENCE.Template seqt;
++
++ public Template() {
++ seqt = new SEQUENCE.Template();
++ seqt.addElement(ANY.getTemplate());
++ seqt.addElement(INTEGER.getTemplate());
++ seqt.addElement(ENUMERATED.getTemplate());
++ seqt.addOptionalElement(GeneralizedTime.getTemplate());
++ seqt.addOptionalElement(OCTET_STRING.getTemplate());
++ seqt.addOptionalElement(UTF8String.getTemplate());
++ }
++
++ public boolean tagMatch(Tag tag) {
++ return TAG.equals(tag);
++ }
++
++ public ASN1Value decode(InputStream istream)
++ throws InvalidBERException, IOException {
++ return decode(TAG, istream);
++ }
++
++ public ASN1Value decode(Tag implicitTag, InputStream istream)
++ throws InvalidBERException, IOException {
++
++ SEQUENCE seq = (SEQUENCE) seqt.decode(implicitTag, istream);
++
++ return new RevokeRequest( (ANY) seq.elementAt(0),
++ (INTEGER) seq.elementAt(1),
++ (ENUMERATED) seq.elementAt(2),
++ (GeneralizedTime) seq.elementAt(3),
++ (OCTET_STRING) seq.elementAt(4),
++ (UTF8String) seq.elementAt(5) );
++
++ }
++ }
++}
+diff --git a/org/mozilla/jss/pkix/cmc/TaggedRequest.java b/org/mozilla/jss/pkix/cmc/TaggedRequest.java
+index e616660..e71b57c 100644
+--- a/org/mozilla/jss/pkix/cmc/TaggedRequest.java
++++ b/org/mozilla/jss/pkix/cmc/TaggedRequest.java
+@@ -15,6 +15,11 @@ import org.mozilla.jss.util.Assert;
+ * TaggedRequest ::= CHOICE {
+ * tcr [0] TaggedCertificationRequest,
+ * crm [1] CertReqMsg
++ * orm [2] SEQUENCE {
++ * bodyPartID BodyPartID,
++ * requestMessageType OBJECT IDENTIFIER,
++ * requestMessageValue ANY DEFINED BY requestMessageType
++ * } // added for rfc 5272; defined in OtherReqMsg
+ * }
+ * </pre>
+ */
+@@ -27,9 +32,11 @@ public class TaggedRequest implements ASN1Value {
+
+ static Type PKCS10 = new Type();
+ static Type CRMF = new Type();
++ static Type OTHER = new Type();
+ }
+ public static Type PKCS10 = Type.PKCS10;
+ public static Type CRMF = Type.CRMF;
++ public static Type OTHER = Type.OTHER;
+
+ ///////////////////////////////////////////////////////////////////////
+ // members and member access
+@@ -38,6 +45,7 @@ public class TaggedRequest implements ASN1Value {
+ private Type type;
+ private TaggedCertificationRequest tcr; // if type == PKCS10
+ private CertReqMsg crm; // if type == CRMF
++ private OtherReqMsg orm; // if type == OTHER
+
+ ///////////////////////////////////////////////////////////////////////
+ // Constructors
+@@ -48,7 +56,7 @@ public class TaggedRequest implements ASN1Value {
+
+ /**
+ * Constructs a TaggedRequest from its components.
+- *
++ * kept for backward compatibility for now
+ * @param type The type of the request.
+ * @param tcr Tagged pkcs10 request.
+ * @param crm CRMF request.
+@@ -59,6 +67,24 @@ public class TaggedRequest implements ASN1Value {
+ this.crm = crm;
+ }
+
++ /**
++ * Constructs a TaggedRequest from its components.
++ * rfc 5272
++ * @param type The type of the request.
++ * @param tcr Tagged pkcs10 request.
++ * @param crm CRMF request.
++ * @param orm OTHER request.
++ */
++ public TaggedRequest(Type type,
++ TaggedCertificationRequest tcr,
++ CertReqMsg crm,
++ OtherReqMsg orm) {
++ this.type = type;
++ this.tcr = tcr;
++ this.crm = crm;
++ this.orm = orm;
++ }
++
+ ///////////////////////////////////////////////////////////////////////
+ // accessors
+ ///////////////////////////////////////////////////////////////////////
+@@ -67,6 +93,7 @@ public class TaggedRequest implements ASN1Value {
+ * Returns the type of TaggedRequest: <ul>
+ * <li><code>PKCS10</code>
+ * <li><code>CRMF</code>
++ * <li><code>OTHER</code>
+ * </ul>
+ */
+ public Type getType() {
+@@ -89,6 +116,14 @@ public class TaggedRequest implements ASN1Value {
+ return crm;
+ }
+
++ /**
++ * If type == OTHER, returns the orm field. Otherwise,
++ * returns null.
++ */
++ public OtherReqMsg getOrm() {
++ return orm;
++ }
++
+ ///////////////////////////////////////////////////////////////////////
+ // DER decoding/encoding
+ ///////////////////////////////////////////////////////////////////////
+@@ -96,9 +131,11 @@ public class TaggedRequest implements ASN1Value {
+ public Tag getTag() {
+ if( type == PKCS10 ) {
+ return Tag.get(0);
+- } else {
+- Assert._assert( type == CRMF );
++ } else if( type == CRMF ){
+ return Tag.get(1);
++ } else {
++ Assert._assert( type == OTHER );
++ return Tag.get(2);
+ }
+ }
+
+@@ -109,12 +146,17 @@ public class TaggedRequest implements ASN1Value {
+ // a CHOICE must be explicitly tagged
+ //EXPLICIT e = new EXPLICIT( Tag.get(0), tcr );
+ //e.encode(ostream);
+- } else {
+- Assert._assert( type == CRMF );
++ } else if( type == CRMF ) {
+ crm.encode(Tag.get(1), ostream);
+ // a CHOICE must be explicitly tagged
+ //EXPLICIT e = new EXPLICIT( Tag.get(1), crm );
+ //e.encode(ostream);
++ } else {
++ Assert._assert( type == OTHER );
++ orm.encode(Tag.get(2), ostream);
++ // a CHOICE must be explicitly tagged
++ //EXPLICIT e = new EXPLICIT( Tag.get(2), orm );
++ //e.encode(ostream);
+ }
+ }
+
+@@ -142,12 +184,16 @@ public class TaggedRequest implements ASN1Value {
+
+ //EXPLICIT.Template et = new EXPLICIT.Template(
+ // Tag.get(0), TaggedCertificationRequest.getTemplate() );
+- //choicet.addElement( et );
++ //choicet.addElement( et );
+ choicet.addElement( Tag.get(0), TaggedCertificationRequest.getTemplate() );
+ //et = new EXPLICIT.Template(
+ // Tag.get(1), CertReqMsg.getTemplate() );
+- //choicet.addElement( et );
++ //choicet.addElement( et );
+ choicet.addElement( Tag.get(1), CertReqMsg.getTemplate() );
++ //et = new EXPLICIT.Template(
++ // Tag.get(2), CertReqMsg.getTemplate() );
++ //choicet.addElement( et );
++ choicet.addElement( Tag.get(2), OtherReqMsg.getTemplate() );
+ }
+
+ public boolean tagMatch(Tag tag) {
+@@ -161,15 +207,21 @@ public class TaggedRequest implements ASN1Value {
+ if( c.getTag().equals(Tag.get(0)) ) {
+ //EXPLICIT e = (EXPLICIT) c.getValue();
+ //return new TaggedRequest(PKCS10,
+- // (TaggedCertificationRequest)
+- // e.getContent(), null );
++ // (TaggedCertificationRequest)
++ // e.getContent(), null );
+ return new TaggedRequest(PKCS10, (TaggedCertificationRequest) c.getValue() , null);
++ } if( c.getTag().equals(Tag.get(1)) ) {
++ //EXPLICIT e = (EXPLICIT) c.getValue();
++ //return new TaggedRequest(CRMF,
++ // (CertReqMsg)
++ // e.getContent(), null );
++ return new TaggedRequest(CRMF, null, (CertReqMsg) c.getValue() , null);
+ } else {
+- Assert._assert( c.getTag().equals(Tag.get(1)) );
++ Assert._assert( c.getTag().equals(Tag.get(2)) );
+ //EXPLICIT e = (EXPLICIT) c.getValue();
+- //return new TaggedRequest(CRMF, null,
+- // (CertReqMsg) e.getContent() );
+- return new TaggedRequest(CRMF, null, (CertReqMsg) c.getValue());
++ //return new TaggedRequest(OTHER, null,
++ // (CertReqMsg) e.getContent() );
++ return new TaggedRequest(OTHER, null, null, (OtherReqMsg) c.getValue());
+ }
+ }
+
+diff --git a/org/mozilla/jss/pkix/cmmf/RevRequest.java b/org/mozilla/jss/pkix/cmmf/RevRequest.java
+index 3fd1342..578548b 100644
+--- a/org/mozilla/jss/pkix/cmmf/RevRequest.java
++++ b/org/mozilla/jss/pkix/cmmf/RevRequest.java
+@@ -18,6 +18,9 @@ import java.io.*;
+ * sharedSecret OCTET STRING OPTIONAL,
+ * comment UTF8String OPTIONAL }
+ * </pre>
++ * For maintenance and conformance reasons, this code has been brought
++ * over and renamed to cmc/RevokeRequest during the CMC update to rfc 5272.
++ * All new code should use cmc/RevokeRequest instead
+ */
+ public class RevRequest implements ASN1Value {
+
+diff --git a/org/mozilla/jss/pkix/crmf/CertRequest.java b/org/mozilla/jss/pkix/crmf/CertRequest.java
+index ee0868c..90aab0d 100644
+--- a/org/mozilla/jss/pkix/crmf/CertRequest.java
++++ b/org/mozilla/jss/pkix/crmf/CertRequest.java
+@@ -57,6 +57,13 @@ public class CertRequest implements ASN1Value {
+ }
+
+ /**
++ * Returns the <i>controls</i> field.
++ */
++ public SEQUENCE getControls() {
++ return controls;
++ }
++
++ /**
+ * Returns the number of optional Controls in the cert request.
+ * The number may be zero.
+ */
+--
+2.9.3
+
+
+From 9462edf264ae6da5aad113b293af9f5345542caa Mon Sep 17 00:00:00 2001
+From: Elio Maldonado <emaldona@redhat.com>
+Date: Mon, 27 Mar 2017 12:01:30 -0700
+Subject: [PATCH 11/11] Bug 1350130 - Missing
+ CryptoManager.verifyCertificateNowCUNative() implementation, r=edewata
+
+---
+ org/mozilla/jss/PK11Finder.c | 87 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 87 insertions(+)
+
+diff --git a/org/mozilla/jss/PK11Finder.c b/org/mozilla/jss/PK11Finder.c
+index a488c4f..9e234e6 100644
+--- a/org/mozilla/jss/PK11Finder.c
++++ b/org/mozilla/jss/PK11Finder.c
+@@ -1554,6 +1554,68 @@ finish:
+ }
+
+ /***********************************************************************
++ * CryptoManager.verifyCertificateNow
++ *
++ * Called by java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative
++ */
++SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString,
++ jboolean checkSig, jint required_certificateUsage,
++ SECCertificateUsage *currUsage)
++{
++ SECStatus rv = SECFailure;
++ SECCertificateUsage certificateUsage;
++ CERTCertificate *cert=NULL;
++ char *nickname=NULL;
++
++ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
++ if( nickname == NULL ) {
++ goto finish;
++ }
++
++ certificateUsage = required_certificateUsage;
++
++ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
++
++ if (cert == NULL) {
++ JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
++ goto finish;
++ } else {
++ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
++ * retrieve the current valid usage into currUsage
++ */
++ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
++ checkSig, certificateUsage, NULL, currUsage );
++ if ((rv == SECSuccess) && certificateUsage == 0x0000) {
++ if (*currUsage ==
++ ( certUsageUserCertImport |
++ certUsageVerifyCA |
++ certUsageProtectedObjectSigner |
++ certUsageAnyCA )) {
++
++ /* the cert is good for nothing
++ The folllowing usages cannot be verified:
++ certUsageAnyCA
++ certUsageProtectedObjectSigner
++ certUsageUserCertImport
++ certUsageVerifyCA
++ (0x0b80) */
++ rv =SECFailure;
++ }
++ }
++ }
++
++finish:
++ if(nickname != NULL) {
++ (*env)->ReleaseStringUTFChars(env, nickString, nickname);
++ }
++ if(cert != NULL) {
++ CERT_DestroyCertificate(cert);
++ }
++
++ return rv;
++}
++
++/***********************************************************************
+ * CryptoManager.verifyCertificateNowNative
+ *
+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
+@@ -1604,6 +1666,31 @@ finish:
+ }
+
+ /***********************************************************************
++ * CryptoManager.verifyCertificateNowCUNative
++ *
++ * Returns jint which contains bits in SECCertificateUsage that reflects
++ * the cert usage(s) that the cert is good for
++ * if the cert is good for nothing, returned value is
++ * (0x0b80):
++ * certUsageUserCertImport |
++ * certUsageVerifyCA |
++ * certUsageProtectedObjectSigner |
++ * certUsageAnyCA
++ */
++JNIEXPORT jint JNICALL
++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
++ jobject self, jstring nickString, jboolean checkSig)
++{
++ SECStatus VARIABLE_MAY_NOT_BE_USED rv = SECFailure;
++ SECCertificateUsage currUsage = 0x0000;
++
++ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);
++ /* rv is ignored */
++
++ return currUsage;
++}
++
++/***********************************************************************
+ * CryptoManager.verifyCertificateNowNative2
+ *
+ * Verify a certificate that exists in the given cert database,
+--
+2.9.3
+
diff --git a/SOURCES/jss-rhel-7-4-beta.patch b/SOURCES/jss-rhel-7-4-beta.patch
new file mode 100644
index 0000000..5bfe995
--- /dev/null
+++ b/SOURCES/jss-rhel-7-4-beta.patch
@@ -0,0 +1,844 @@
+# HG changeset patch
+# User Fraser Tweedale <ftweedal@redhat.com>
+# Date 1493324725 25200
+# Thu Apr 27 13:25:25 2017 -0700
+# Node ID c8885dd6787639d74a1c9d634fd289ff17fa6f02
+# Parent b2306481f30dcc8c0c060520805d405dd2546d14
+Bug 1355358 - CryptoStore: add methods for importing and exporting EncryptedPrivateKeyInfo, r=cfu
+
+diff --git a/lib/jss.def b/lib/jss.def
+--- a/lib/jss.def
++++ b/lib/jss.def
+@@ -324,3 +324,9 @@
+ ;+ local:
+ ;+ *;
+ ;+};
++;+JSS_4.4.1 { # JSS 4.4.1 release
++;+ global:
++Java_org_mozilla_jss_pkcs11_PK11Store_importEncryptedPrivateKeyInfo;
++;+ local:
++;+ *;
++;+};
+diff --git a/org/mozilla/jss/crypto/Algorithm.c b/org/mozilla/jss/crypto/Algorithm.c
+--- a/org/mozilla/jss/crypto/Algorithm.c
++++ b/org/mozilla/jss/crypto/Algorithm.c
+@@ -86,7 +86,13 @@
+ /* 55 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG},
+ /* 56 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
+ /* 57 */ {CKM_NSS_AES_KEY_WRAP, PK11_MECH},
+-/* 58 */ {CKM_NSS_AES_KEY_WRAP_PAD, PK11_MECH}
++/* 58 */ {CKM_NSS_AES_KEY_WRAP_PAD, PK11_MECH},
++/* 59 */ {SEC_OID_AES_128_ECB, SEC_OID_TAG},
++/* 60 */ {SEC_OID_AES_128_CBC, SEC_OID_TAG},
++/* 61 */ {SEC_OID_AES_192_ECB, SEC_OID_TAG},
++/* 62 */ {SEC_OID_AES_192_CBC, SEC_OID_TAG},
++/* 63 */ {SEC_OID_AES_256_ECB, SEC_OID_TAG},
++/* 64 */ {SEC_OID_AES_256_CBC, SEC_OID_TAG}
+ /* REMEMBER TO UPDATE NUM_ALGS!!! */
+ };
+
+diff --git a/org/mozilla/jss/crypto/Algorithm.h b/org/mozilla/jss/crypto/Algorithm.h
+--- a/org/mozilla/jss/crypto/Algorithm.h
++++ b/org/mozilla/jss/crypto/Algorithm.h
+@@ -24,7 +24,7 @@
+ JSS_AlgType type;
+ } JSS_AlgInfo;
+
+-#define NUM_ALGS 59
++#define NUM_ALGS 65
+
+ extern JSS_AlgInfo JSS_AlgTable[];
+ extern CK_ULONG JSS_symkeyUsage[];
+diff --git a/org/mozilla/jss/crypto/Algorithm.java b/org/mozilla/jss/crypto/Algorithm.java
+--- a/org/mozilla/jss/crypto/Algorithm.java
++++ b/org/mozilla/jss/crypto/Algorithm.java
+@@ -212,4 +212,12 @@
+ protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=56;
+ protected static final short CKM_NSS_AES_KEY_WRAP=57;
+ protected static final short CKM_NSS_AES_KEY_WRAP_PAD=58;
++
++ // AES Encryption Algorithms
++ protected static final short SEC_OID_AES_128_ECB = 59;
++ protected static final short SEC_OID_AES_128_CBC = 60;
++ protected static final short SEC_OID_AES_192_ECB = 61;
++ protected static final short SEC_OID_AES_192_CBC = 62;
++ protected static final short SEC_OID_AES_256_ECB = 63;
++ protected static final short SEC_OID_AES_256_CBC = 64;
+ }
+diff --git a/org/mozilla/jss/crypto/CryptoStore.java b/org/mozilla/jss/crypto/CryptoStore.java
+--- a/org/mozilla/jss/crypto/CryptoStore.java
++++ b/org/mozilla/jss/crypto/CryptoStore.java
+@@ -4,6 +4,7 @@
+
+ package org.mozilla.jss.crypto;
+
++import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.util.*;
+ import java.security.*;
+ import java.security.cert.CertificateEncodingException;
+@@ -68,9 +69,50 @@
+ public void deletePrivateKey(org.mozilla.jss.crypto.PrivateKey key)
+ throws NoSuchItemOnTokenException, TokenException;
+
++ /**
++ * Get an encrypted private key for the given cert.
++ *
++ * @param cert Certificate of key to be exported
++ * @param pbeAlg The PBEAlgorithm to use
++ * @param pw The password to encrypt with
++ * @param iteration Iteration count; default of 2000 if le 0
++ */
++ public byte[] getEncryptedPrivateKeyInfo(X509Certificate cert,
++ PBEAlgorithm pbeAlg, Password pw, int iteration)
++ throws CryptoManager.NotInitializedException,
++ ObjectNotFoundException, TokenException;
+
+- public byte[] getEncryptedPrivateKeyInfo(X509Certificate cert,
+- PBEAlgorithm pbeAlg, Password pw, int iteration);
++ /**
++ * Get an encrypted private key, with optional password
++ * conversion.
++ *
++ * @param conv Password converter. If null, pw.getByteCopy()
++ * will be used to get password bytes.
++ * @param pw The password
++ * @param alg The encryption algorithm
++ * @param n Iteration count; default of 2000 if le 0
++ * @param k The private key
++ */
++ public byte[] getEncryptedPrivateKeyInfo(
++ KeyGenerator.CharToByteConverter conv,
++ Password pw,
++ Algorithm alg,
++ int n,
++ PrivateKey k);
++
++ /**
++ * @param conv Password converter. If null, pw.getByteCopy()
++ * will be used to get password bytes.
++ * @param pw The password
++ * @param nickname Nickname to use for private key
++ * @param pubKey Public key corresponding to private key
++ */
++ public void importEncryptedPrivateKeyInfo(
++ KeyGenerator.CharToByteConverter conv,
++ Password pw,
++ String nickname,
++ PublicKey pubKey,
++ byte[] epkiBytes);
+
+ ////////////////////////////////////////////////////////////
+ // Certs
+diff --git a/org/mozilla/jss/crypto/EncryptionAlgorithm.java b/org/mozilla/jss/crypto/EncryptionAlgorithm.java
+--- a/org/mozilla/jss/crypto/EncryptionAlgorithm.java
++++ b/org/mozilla/jss/crypto/EncryptionAlgorithm.java
+@@ -347,12 +347,14 @@
+ { 2, 16, 840, 1, 101, 3, 4, 1 } );
+
+ public static final EncryptionAlgorithm
+- AES_128_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB,
++ AES_128_ECB = new EncryptionAlgorithm(SEC_OID_AES_128_ECB,
++ Alg.AES, Mode.ECB,
+ Padding.NONE, (Class)null, 16,
+ AES_ROOT_OID.subBranch(1), 128);
+
+ public static final EncryptionAlgorithm
+- AES_128_CBC = new EncryptionAlgorithm(CKM_AES_CBC, Alg.AES, Mode.CBC,
++ AES_128_CBC = new EncryptionAlgorithm(SEC_OID_AES_128_CBC,
++ Alg.AES, Mode.CBC,
+ Padding.NONE, IVParameterSpecClasses, 16,
+ AES_ROOT_OID.subBranch(2), 128);
+
+@@ -361,11 +363,13 @@
+ Padding.PKCS5, IVParameterSpecClasses, 16, null, 128); // no oid
+
+ public static final EncryptionAlgorithm
+- AES_192_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB,
++ AES_192_ECB = new EncryptionAlgorithm(SEC_OID_AES_192_ECB,
++ Alg.AES, Mode.ECB,
+ Padding.NONE, (Class)null, 16, AES_ROOT_OID.subBranch(21), 192);
+
+ public static final EncryptionAlgorithm
+- AES_192_CBC = new EncryptionAlgorithm(CKM_AES_CBC, Alg.AES, Mode.CBC,
++ AES_192_CBC = new EncryptionAlgorithm(SEC_OID_AES_192_CBC,
++ Alg.AES, Mode.CBC,
+ Padding.NONE, IVParameterSpecClasses, 16,
+ AES_ROOT_OID.subBranch(22), 192);
+
+@@ -374,11 +378,13 @@
+ Padding.PKCS5, IVParameterSpecClasses, 16, null, 192); // no oid
+
+ public static final EncryptionAlgorithm
+- AES_256_ECB = new EncryptionAlgorithm(CKM_AES_ECB, Alg.AES, Mode.ECB,
++ AES_256_ECB = new EncryptionAlgorithm(SEC_OID_AES_256_ECB,
++ Alg.AES, Mode.ECB,
+ Padding.NONE, (Class)null, 16, AES_ROOT_OID.subBranch(41), 256);
+
+ public static final EncryptionAlgorithm
+- AES_256_CBC = new EncryptionAlgorithm(CKM_AES_CBC, Alg.AES, Mode.CBC,
++ AES_256_CBC = new EncryptionAlgorithm(SEC_OID_AES_256_CBC,
++ Alg.AES, Mode.CBC,
+ Padding.NONE, IVParameterSpecClasses, 16,
+ AES_ROOT_OID.subBranch(42), 256);
+
+diff --git a/org/mozilla/jss/pkcs11/PK11Store.c b/org/mozilla/jss/pkcs11/PK11Store.c
+--- a/org/mozilla/jss/pkcs11/PK11Store.c
++++ b/org/mozilla/jss/pkcs11/PK11Store.c
+@@ -31,6 +31,8 @@
+ char *data;
+ } secuPWData;
+
++SECItem *preparePassword(JNIEnv *env, jobject conv, jobject pwObj);
++
+ /**********************************************************************
+ * PK11Store.putSymKeysInVector
+ */
+@@ -533,103 +535,293 @@
+
+
+ JNIEXPORT jbyteArray JNICALL
+-Java_org_mozilla_jss_pkcs11_PK11Store_getEncryptedPrivateKeyInfo
+-(JNIEnv *env, jobject this, jobject certObj, jobject algObj,
+- jobject pwObj, jint iteration)
++Java_org_mozilla_jss_pkcs11_PK11Store_getEncryptedPrivateKeyInfo(
++ JNIEnv *env,
++ jobject this,
++ jobject conv,
++ jobject pwObj,
++ jobject algObj,
++ jint iterations,
++ jobject key)
++{
++ // initialisations so we can goto finish
++ SECItem *pwItem = NULL;
++ SECKEYEncryptedPrivateKeyInfo *epki = NULL;
++ SECItem epkiItem;
++ epkiItem.data = NULL;
++ epkiItem.len = 0;
+
+-{
+- SECKEYEncryptedPrivateKeyInfo *epki = NULL;
+- jbyteArray encodedEpki = NULL;
++ PR_ASSERT(env != NULL && this != NULL);
++
++ if (pwObj == NULL || algObj == NULL || key == NULL) {
++ JSS_throw(env, NULL_POINTER_EXCEPTION);
++ goto finish;
++ }
++
++ if (iterations <= 0) {
++ iterations = 2000; // set default iterations
++ }
++
++ // get slot
+ PK11SlotInfo *slot = NULL;
+- SECOidTag algTag;
+- jclass passwordClass = NULL;
+- jmethodID getByteCopyMethod = NULL;
+- jbyteArray pwArray = NULL;
+- jbyte* pwchars = NULL;
+- SECItem pwItem;
+- CERTCertificate *cert = NULL;
+- SECItem epkiItem;
+-
+- epkiItem.data = NULL;
+-
+- /* get slot */
+ if( JSS_PK11_getStoreSlotPtr(env, this, &slot) != PR_SUCCESS) {
+ ASSERT_OUTOFMEM(env);
+ goto finish;
+ }
+ PR_ASSERT(slot!=NULL);
+-
+- /* get algorithm */
+- algTag = JSS_getOidTagFromAlg(env, algObj);
+- if( algTag == SEC_OID_UNKNOWN ) {
+- JSS_throwMsg(env, NO_SUCH_ALG_EXCEPTION, "Unrecognized PBE algorithm");
++
++ // get algorithm
++ SECOidTag algTag = JSS_getOidTagFromAlg(env, algObj);
++ if (algTag == SEC_OID_UNKNOWN) {
++ JSS_throwMsg(env, NO_SUCH_ALG_EXCEPTION, "Unrecognized algorithm");
+ goto finish;
+ }
+
+- /*
+- * get password
+- */
+- passwordClass = (*env)->GetObjectClass(env, pwObj);
+- if(passwordClass == NULL) {
+- ASSERT_OUTOFMEM(env);
+- goto finish;
+- }
+- getByteCopyMethod = (*env)->GetMethodID(
+- env,
+- passwordClass,
+- PW_GET_BYTE_COPY_NAME,
+- PW_GET_BYTE_COPY_SIG);
+- if(getByteCopyMethod==NULL) {
++ pwItem = preparePassword(env, conv, pwObj);
++ if (pwItem == NULL) {
+ ASSERT_OUTOFMEM(env);
+ goto finish;
+ }
+- pwArray = (*env)->CallObjectMethod( env, pwObj, getByteCopyMethod);
+- pwchars = (*env)->GetByteArrayElements(env, pwArray, NULL);
+- /* !!! Include the NULL byte or not? */
+- pwItem.data = (unsigned char*) pwchars;
+- pwItem.len = strlen((const char*)pwchars) + 1;
+
+- /*
+- * get cert
+- */
+- if( JSS_PK11_getCertPtr(env, certObj, &cert) != PR_SUCCESS ) {
+- /* exception was thrown */
++ // get key
++ SECKEYPrivateKey *privk;
++ if (JSS_PK11_getPrivKeyPtr(env, key, &privk) != PR_SUCCESS) {
++ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL);
+ goto finish;
+ }
+
+- /*
+- * export the epki
+- */
+- epki = PK11_ExportEncryptedPrivateKeyInfo(slot, algTag, &pwItem,
+- cert, iteration, NULL /*wincx*/);
+-
++ // export the epki
++ epki = PK11_ExportEncryptedPrivKeyInfo(
++ slot, algTag, pwItem, privk, iterations, NULL /*wincx*/);
+
+- /*
+- * DER-encode the epki
+- */
+- epkiItem.data = NULL;
+- epkiItem.len = 0;
+- if( SEC_ASN1EncodeItem(NULL, &epkiItem, epki,
+- SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate) ) == NULL ) {
+- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to ASN1-encode "
+- "EncryptedPrivateKeyInfo");
++ // DER-encode the epki
++ if (SEC_ASN1EncodeItem(NULL, &epkiItem, epki,
++ SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate)) == NULL) {
++ JSS_throwMsg(
++ env, TOKEN_EXCEPTION,
++ "Failed to ASN1-encode EncryptedPrivateKeyInfo");
+ goto finish;
+ }
+
+- /*
+- * convert to Java byte array
+- */
+- encodedEpki = JSS_SECItemToByteArray(env, &epkiItem);
++ // convert to Java byte array
++ jbyteArray encodedEpki = JSS_SECItemToByteArray(env, &epkiItem);
+
+ finish:
+- if( epki != NULL ) {
++ if (epki != NULL) {
+ SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE /*freeit*/);
+ }
+- if( pwchars != NULL ) {
+- (*env)->ReleaseByteArrayElements(env, pwArray, pwchars, JNI_ABORT);
++ if (epkiItem.data != NULL) {
++ SECITEM_FreeItem(&epkiItem, PR_FALSE /*freeit*/);
+ }
+- if(epkiItem.data != NULL) {
+- PR_Free(epkiItem.data);
++ if (pwItem != NULL) {
++ SECITEM_FreeItem(pwItem, PR_TRUE /*freeit*/);
+ }
+ return encodedEpki;
+ }
++
++
++JNIEXPORT void JNICALL
++Java_org_mozilla_jss_pkcs11_PK11Store_importEncryptedPrivateKeyInfo(
++ JNIEnv *env,
++ jobject this,
++ jobject conv,
++ jobject pwObj,
++ jstring nickname,
++ jobject pubKeyObj,
++ jbyteArray epkiBytes)
++{
++ // initialisations so we can goto finish
++ SECItem *epkiItem = NULL;
++ SECKEYEncryptedPrivateKeyInfo *epki = NULL;
++ SECItem *pwItem = NULL;
++ SECItem *spkiItem = NULL;
++ CERTSubjectPublicKeyInfo *spki = NULL;
++ SECKEYPublicKey *pubKey = NULL;
++ const char *nicknameChars = NULL;
++
++ PR_ASSERT(env != NULL && this != NULL);
++
++ if (pwObj == NULL || nickname == NULL || pubKeyObj == NULL) {
++ JSS_throw(env, NULL_POINTER_EXCEPTION);
++ goto finish;
++ }
++
++ // get slot
++ PK11SlotInfo *slot = NULL;
++ if (JSS_PK11_getStoreSlotPtr(env, this, &slot) != PR_SUCCESS) {
++ ASSERT_OUTOFMEM(env);
++ goto finish;
++ }
++ PR_ASSERT(slot != NULL);
++
++ // decode EncryptedPrivateKeyInfo
++ epkiItem = JSS_ByteArrayToSECItem(env, epkiBytes);
++ epki = PR_Calloc(1, sizeof(SECKEYEncryptedPrivateKeyInfo));
++ if (SEC_ASN1DecodeItem(
++ NULL,
++ epki,
++ SEC_ASN1_GET(SECKEY_EncryptedPrivateKeyInfoTemplate),
++ epkiItem
++ ) != SECSuccess) {
++ JSS_throwMsg(env, INVALID_DER_EXCEPTION,
++ "Failed to decode EncryptedPrivateKeyInfo");
++ goto finish;
++ }
++
++ pwItem = preparePassword(env, conv, pwObj);
++ if (pwItem == NULL) {
++ ASSERT_OUTOFMEM(env);
++ goto finish;
++ }
++
++ // get public key value
++ jclass pubKeyClass = (*env)->GetObjectClass(env, pubKeyObj);
++ if (pubKeyClass == NULL) {
++ ASSERT_OUTOFMEM(env);
++ goto finish;
++ }
++ jmethodID getEncoded = (*env)->GetMethodID(
++ env, pubKeyClass, "getEncoded", "()[B");
++ if (getEncoded == NULL) {
++ ASSERT_OUTOFMEM(env);
++ goto finish;
++ }
++ jbyteArray spkiBytes = (*env)->CallObjectMethod(
++ env, pubKeyObj, getEncoded);
++ spkiItem = JSS_ByteArrayToSECItem(env, spkiBytes);
++ spki = PR_Calloc(1, sizeof(CERTSubjectPublicKeyInfo));
++ if (SEC_ASN1DecodeItem(
++ NULL,
++ spki,
++ SEC_ASN1_GET(CERT_SubjectPublicKeyInfoTemplate),
++ spkiItem
++ ) != SECSuccess) {
++ JSS_throwMsg(env, INVALID_DER_EXCEPTION,
++ "Failed to decode SubjectPublicKeyInfo");
++ goto finish;
++ }
++
++ pubKey = SECKEY_ExtractPublicKey(spki);
++ if (pubKey == NULL) {
++ JSS_throwMsgPrErr(env, INVALID_DER_EXCEPTION,
++ "Failed to extract public key from SubjectPublicKeyInfo");
++ goto finish;
++ }
++
++ SECItem *pubValue;
++ switch (pubKey->keyType) {
++ case dsaKey:
++ pubValue = &pubKey->u.dsa.publicValue;
++ break;
++ case dhKey:
++ pubValue = &pubKey->u.dh.publicValue;
++ break;
++ case rsaKey:
++ pubValue = &pubKey->u.rsa.modulus;
++ break;
++ case ecKey:
++ pubValue = &pubKey->u.ec.publicValue;
++ break;
++ default:
++ pubValue = NULL;
++ }
++
++ // prepare nickname
++ nicknameChars = (*env)->GetStringUTFChars(env, nickname, NULL);
++ if (nicknameChars == NULL) {
++ ASSERT_OUTOFMEM(env);
++ goto finish;
++ }
++ SECItem nickItem;
++ nickItem.data = nicknameChars;
++ nickItem.len = (*env)->GetStringUTFLength(env, nickname);
++
++ // if keyUsage = 0, defaults to signing and encryption/key agreement.
++ // see pk11akey.c in NSS
++ int keyUsage = 0;
++
++ // perform import
++ SECStatus result = PK11_ImportEncryptedPrivateKeyInfo(
++ slot, epki, pwItem, &nickItem, pubValue,
++ PR_TRUE /* isperm */, PR_TRUE /* isprivate */,
++ pubKey->keyType, keyUsage, NULL /* wincx */);
++ if (result != SECSuccess) {
++ JSS_throwMsg(
++ env, TOKEN_EXCEPTION,
++ "Failed to import EncryptedPrivateKeyInfo to token");
++ goto finish;
++ }
++
++finish:
++ if (epkiItem != NULL) {
++ SECITEM_FreeItem(epkiItem, PR_TRUE /*freeit*/);
++ }
++ if (epki != NULL) {
++ SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE /*freeit*/);
++ }
++ if (spkiItem != NULL) {
++ SECITEM_FreeItem(spkiItem, PR_TRUE /*freeit*/);
++ }
++ if (spki != NULL) {
++ SECKEY_DestroySubjectPublicKeyInfo(spki);
++ }
++ if (pwItem != NULL) {
++ SECITEM_FreeItem(pwItem, PR_TRUE /*freeit*/);
++ }
++ if (pubKey != NULL) {
++ SECKEY_DestroyPublicKey(pubKey);
++ }
++ if (nicknameChars != NULL) {
++ (*env)->ReleaseStringUTFChars(env, nickname, nicknameChars);
++ }
++}
++
++/* Process the given password through the given PasswordConverter,
++ * returning a new SECItem* on success.
++ *
++ * After use, the caller should free the SECItem:
++ *
++ * SECITEM_FreeItem(pwItem, PR_TRUE).
++ */
++SECItem *preparePassword(JNIEnv *env, jobject conv, jobject pwObj) {
++ jclass passwordClass = (*env)->GetObjectClass(env, pwObj);
++ if (passwordClass == NULL) {
++ ASSERT_OUTOFMEM(env);
++ return NULL;
++ }
++
++ jbyteArray pwBytes;
++
++ if (conv == NULL) {
++ jmethodID getByteCopy = (*env)->GetMethodID(
++ env, passwordClass, PW_GET_BYTE_COPY_NAME, PW_GET_BYTE_COPY_SIG);
++ if (getByteCopy == NULL) {
++ ASSERT_OUTOFMEM(env);
++ return NULL;
++ }
++ pwBytes = (*env)->CallObjectMethod(env, pwObj, getByteCopy);
++ } else {
++ jmethodID getChars = (*env)->GetMethodID(
++ env, passwordClass, "getChars", "()[C");
++ if (getChars == NULL) {
++ ASSERT_OUTOFMEM(env);
++ return NULL;
++ }
++ jcharArray pwChars = (*env)->CallObjectMethod(env, pwObj, getChars);
++
++ jclass convClass = (*env)->GetObjectClass(env, conv);
++ if (conv == NULL) {
++ ASSERT_OUTOFMEM(env);
++ return NULL;
++ }
++ jmethodID convert = (*env)->GetMethodID(
++ env, convClass, "convert", "([C)[B");
++ if (convert == NULL) {
++ ASSERT_OUTOFMEM(env);
++ return NULL;
++ }
++ pwBytes = (*env)->CallObjectMethod(env, conv, convert, pwChars);
++ }
++
++ return JSS_ByteArrayToSECItem(env, pwBytes);
++}
+diff --git a/org/mozilla/jss/pkcs11/PK11Store.java b/org/mozilla/jss/pkcs11/PK11Store.java
+--- a/org/mozilla/jss/pkcs11/PK11Store.java
++++ b/org/mozilla/jss/pkcs11/PK11Store.java
+@@ -4,8 +4,10 @@
+
+ package org.mozilla.jss.pkcs11;
+
++import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.crypto.*;
+ import org.mozilla.jss.util.*;
++import java.security.PublicKey;
+ import java.security.cert.CertificateEncodingException;
+ import java.util.Vector;
+
+@@ -53,8 +55,35 @@
+ public native void deletePrivateKey(PrivateKey key)
+ throws NoSuchItemOnTokenException, TokenException;
+
+- public native byte[] getEncryptedPrivateKeyInfo(X509Certificate cert,
+- PBEAlgorithm pbeAlg, Password pw, int iteration);
++ public byte[] getEncryptedPrivateKeyInfo(
++ X509Certificate cert,
++ PBEAlgorithm pbeAlg,
++ Password pw,
++ int iteration)
++ throws CryptoManager.NotInitializedException,
++ ObjectNotFoundException, TokenException {
++ return getEncryptedPrivateKeyInfo(
++ null,
++ pw,
++ pbeAlg,
++ iteration,
++ CryptoManager.getInstance().findPrivKeyByCert(cert)
++ );
++ }
++
++ public native byte[] getEncryptedPrivateKeyInfo(
++ KeyGenerator.CharToByteConverter conv,
++ Password pw,
++ Algorithm alg,
++ int n,
++ PrivateKey k);
++
++ public native void importEncryptedPrivateKeyInfo(
++ KeyGenerator.CharToByteConverter conv,
++ Password pw,
++ String nickname,
++ PublicKey pubKey,
++ byte[] epkiBytes);
+
+ ////////////////////////////////////////////////////////////
+ // Certs
+diff --git a/org/mozilla/jss/util/jss_exceptions.h b/org/mozilla/jss/util/jss_exceptions.h
+--- a/org/mozilla/jss/util/jss_exceptions.h
++++ b/org/mozilla/jss/util/jss_exceptions.h
+@@ -47,6 +47,8 @@
+
+ #define INTERRUPTED_IO_EXCEPTION "java/io/InterruptedIOException"
+
++#define INVALID_DER_EXCEPTION "org/mozilla/jss/crypto/InvalidDERException"
++
+ #define INVALID_NICKNAME_EXCEPTION "org/mozilla/jss/util/InvalidNicknameException"
+
+ #define INVALID_KEY_FORMAT_EXCEPTION "org/mozilla/jss/crypto/InvalidKeyFormatException"
+# HG changeset patch
+# User Fraser Tweedale <ftweedal@redhat.com>
+# Date 1493335326 25200
+# Thu Apr 27 16:22:06 2017 -0700
+# Node ID ead2ea094c98ddc708169c3de411ca8d8883cab8
+# Parent c8885dd6787639d74a1c9d634fd289ff17fa6f02
+Bug 1359731 - CryptoStore.importPrivateKey enhancements, r=cfu
+
+- Enhance CryptoStore.importPrivateKey to support temporary import, and
+- returning the private key to the caller.
+- Also remove some validation of the unused keyType argument.
+
+diff --git a/org/mozilla/jss/crypto/CryptoStore.java b/org/mozilla/jss/crypto/CryptoStore.java
+--- a/org/mozilla/jss/crypto/CryptoStore.java
++++ b/org/mozilla/jss/crypto/CryptoStore.java
+@@ -21,17 +21,30 @@
+ ////////////////////////////////////////////////////////////
+
+ /**
+- * Imports a raw private key into this token.
++ * Imports a raw private key into this token (permanently).
+ *
+ * @param key The private key.
+ * @exception TokenException If the key cannot be imported to this token.
+ * @exception KeyAlreadyImportedException If the key already exists on this token.
+ */
+- public void
++ public PrivateKey
+ importPrivateKey( byte[] key,
+ PrivateKey.Type type )
+ throws TokenException, KeyAlreadyImportedException;
+
++ /**
++ * Imports a raw private key into this token.
++ *
++ * @param key The private key.
++ * @param temporary Whether the key should be temporary.
++ * @exception TokenException If the key cannot be imported to this token.
++ * @exception KeyAlreadyImportedException If the key already exists on this token.
++ */
++ public PrivateKey
++ importPrivateKey( byte[] key,
++ PrivateKey.Type type, boolean temporary)
++ throws TokenException, KeyAlreadyImportedException;
++
+
+ /**
+ * Returns all private keys stored on this token.
+diff --git a/org/mozilla/jss/pkcs11/PK11Store.c b/org/mozilla/jss/pkcs11/PK11Store.c
+--- a/org/mozilla/jss/pkcs11/PK11Store.c
++++ b/org/mozilla/jss/pkcs11/PK11Store.c
+@@ -429,22 +429,22 @@
+ int PK11_NumberObjectsFor(PK11SlotInfo*, CK_ATTRIBUTE*, int);
+
+ /***********************************************************************
+- * importPrivateKey
++ * PK11Store.importdPrivateKey
+ */
+-static void
+-importPrivateKey
++JNIEXPORT jobject JNICALL
++Java_org_mozilla_jss_pkcs11_PK11Store_importPrivateKey
+ ( JNIEnv *env,
+ jobject this,
+ jbyteArray keyArray,
+ jobject keyTypeObj,
+- PRBool temporary )
++ jboolean temporary )
+ {
+ SECItem derPK;
+ PK11SlotInfo *slot;
+ jthrowable excep;
+- KeyType keyType;
+ SECStatus status;
+ SECItem nickname;
++ jobject privkObj = NULL;
+
+ /*
+ * initialize so we can goto finish
+@@ -452,13 +452,6 @@
+ derPK.data = NULL;
+ derPK.len = 0;
+
+-
+- keyType = JSS_PK11_getKeyType(env, keyTypeObj);
+- if( keyType == nullKey ) {
+- /* exception was thrown */
+- goto finish;
+- }
+-
+ PR_ASSERT(env!=NULL && this!=NULL);
+
+ if(keyArray == NULL) {
+@@ -492,14 +485,22 @@
+ nickname.len = 0;
+ nickname.data = NULL;
+
+- status = PK11_ImportDERPrivateKeyInfo(slot, &derPK, &nickname,
+- NULL /*public value*/, PR_TRUE /*isPerm*/,
+- PR_TRUE /*isPrivate*/, 0 /*keyUsage*/, NULL /*wincx*/);
++ SECKEYPrivateKey *privk = NULL;
++ status = PK11_ImportDERPrivateKeyInfoAndReturnKey(
++ slot, &derPK, &nickname,
++ NULL /*public value*/, !temporary /*isPerm*/,
++ PR_TRUE /*isPrivate*/, 0 /*keyUsage*/,
++ &privk, NULL /*wincx*/);
+ if(status != SECSuccess) {
+ JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to import private key info");
+ goto finish;
+ }
+
++ privkObj = JSS_PK11_wrapPrivKey(env, &privk);
++ if (privkObj == NULL) {
++ goto finish;
++ }
++
+ finish:
+ /* Save any exceptions */
+ if( (excep=(*env)->ExceptionOccurred(env)) ) {
+@@ -515,24 +516,11 @@
+ if( excep ) {
+ (*env)->Throw(env, excep);
+ }
++ return privkObj;
+ }
+
+ extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
+
+-/***********************************************************************
+- * PK11Store.importdPrivateKey
+- */
+-JNIEXPORT void JNICALL
+-Java_org_mozilla_jss_pkcs11_PK11Store_importPrivateKey
+- ( JNIEnv *env,
+- jobject this,
+- jbyteArray keyArray,
+- jobject keyTypeObj )
+-{
+- importPrivateKey(env, this, keyArray,
+- keyTypeObj, PR_FALSE /* not temporary */);
+-}
+-
+
+ JNIEXPORT jbyteArray JNICALL
+ Java_org_mozilla_jss_pkcs11_PK11Store_getEncryptedPrivateKeyInfo(
+diff --git a/org/mozilla/jss/pkcs11/PK11Store.java b/org/mozilla/jss/pkcs11/PK11Store.java
+--- a/org/mozilla/jss/pkcs11/PK11Store.java
++++ b/org/mozilla/jss/pkcs11/PK11Store.java
+@@ -23,9 +23,15 @@
+ * @exception TokenException If the key cannot be imported to this token.
+ * @exception KeyAlreadyImportedException If the key already on this token.
+ */
+- public native void
+- importPrivateKey( byte[] key,
+- PrivateKey.Type type )
++ public PrivateKey
++ importPrivateKey(byte[] key, PrivateKey.Type type)
++ throws TokenException,KeyAlreadyImportedException {
++ return importPrivateKey(key, type, false);
++ }
++
++ public native PrivateKey
++ importPrivateKey(
++ byte[] key, PrivateKey.Type type, boolean temporary)
+ throws TokenException,KeyAlreadyImportedException;
+
+ public synchronized PrivateKey[]
+# HG changeset patch
+# User Matthew Harmsen <mharmsen@redhat.com>
+# Date 1493389838 25200
+# Fri Apr 28 07:30:38 2017 -0700
+# Node ID 4ee5af07d6d8fd7efe60d130d3e7593f6e12e642
+# Parent ead2ea094c98ddc708169c3de411ca8d8883cab8
+Bug 1352476 - RFE: Document on the README how to create a release tag, r=emaldona
+
+diff --git a/README b/README
+--- a/README
++++ b/README
+@@ -158,7 +158,40 @@
+ be necessary.
+
+
+-(7) Known Issues
++(7) Tagging the Source Code for a Release
++
++ During development, several releases may be made. Consequently, it is
++ good practice to create a "regular tag" to the source code at these
++ various points in time using the following format:
++
++ # hg tag -m "message" JSS_<major>_<minor>_YYYYMMDD
++
++ where: <major> = JSS Major Version Number
++ <minor> = JSS Minor Version Number
++ YYYY = 4-digit year (e. g. - 2017)
++ MM = 2-digit month (e. g. - 01, ..., 12)
++ DD = 2-digit day of the month (e. g. - 01, ..., 31)
++
++ For example:
++
++ # hg id
++ b3e864205ff0+ tip
++
++ # hg tag -m "Added tag JSS_4_4_20170328 for changeset b3e864205ff0" JSS_4_4_20170328
++
++ At the appropriate time, a new major.minor version may be created. At this
++ time, it is important to create a maintenance branch for any future changes
++ to the previous major.minor version:
++
++ For example:
++
++ # hg id
++ f00f00f00f00+ tip
++
++ # hg branch -m "Created branch JSS_4_4_BRANCH for changeset f00f00f00f00" JSS_4_4_BRANCH
++
++
++(8) Known Issues
+
+ * Mozilla Bug #1346410 - Load JSS libraries appropriately
+
diff --git a/SOURCES/jss-support-TLS1_1-TLS1_2.patch b/SOURCES/jss-support-TLS1_1-TLS1_2.patch
deleted file mode 100644
index 7fd2207..0000000
--- a/SOURCES/jss-support-TLS1_1-TLS1_2.patch
+++ /dev/null
@@ -1,345 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuSaved jss-4.2.6/mozilla/security/jss/lib/jss.def
---- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuSaved 2014-09-29 14:12:27.560206348 -0700
-+++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2014-09-29 14:12:34.376194464 -0700
-@@ -334,6 +334,8 @@ Java_org_mozilla_jss_CryptoManager_setOC
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
- Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
- Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid;
-+Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange;
-+Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault;
- ;+ local:
- ;+ *;
- ;+};
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfuSaved 2014-09-29 14:12:27.565206339 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2014-09-29 14:13:33.222091053 -0700
-@@ -56,6 +56,105 @@
- #endif
-
-
-+/*
-+ * support TLS v1.1 and v1.2
-+ * sets default SSL version range for sockets created after this call
-+ */
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault(JNIEnv *env,
-+ jclass clazz, jint ssl_variant, jint min, jint max)
-+{
-+ SECStatus status;
-+ SSLVersionRange vrange;
-+
-+ if (ssl_variant <0 || ssl_variant >= JSSL_enums_size||
-+ min <0 || min >= JSSL_enums_size ||
-+ max <0 || max >= JSSL_enums_size) {
-+ char buf[128];
-+ PR_snprintf(buf, 128, "JSS setSSLVersionRangeDefault(): for variant=%d min=%d max=%d failed - out of range for array JSSL_enums size: %d", JSSL_enums[ssl_variant], min, max, JSSL_enums_size);
-+ JSSL_throwSSLSocketException(env, buf);
-+ goto finish;
-+ }
-+
-+ vrange.min = JSSL_enums[min];
-+ vrange.max = JSSL_enums[max];
-+
-+ /* get supported range */
-+ SSLVersionRange supported_range;
-+ status = SSL_VersionRangeGetSupported(JSSL_enums[ssl_variant],
-+ &supported_range);
-+ if( status != SECSuccess ) {
-+ char buf[128];
-+ PR_snprintf(buf, 128, "SSL_VersionRangeGetSupported() for variant=%d failed: %d", JSSL_enums[ssl_variant], PR_GetError());
-+ JSSL_throwSSLSocketException(env, buf);
-+ goto finish;
-+ }
-+ /* now check the min and max */
-+ if (vrange.min < supported_range.min ||
-+ vrange.max > supported_range.max) {
-+ char buf[128];
-+ PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d out of range (%d:%d): %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, supported_range.min, supported_range.max, PR_GetError());
-+ JSSL_throwSSLSocketException(env, buf);
-+ goto finish;
-+ }
-+
-+ /* set the default SSL Version Range */
-+ status = SSL_VersionRangeSetDefault(JSSL_enums[ssl_variant],
-+ &vrange);
-+ if( status != SECSuccess ) {
-+ char buf[128];
-+ PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d failed: %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, PR_GetError());
-+ JSSL_throwSSLSocketException(env, buf);
-+ goto finish;
-+ }
-+
-+finish:
-+ return;
-+}
-+
-+/*
-+ * support TLS v1.1 and v1.2
-+ * sets SSL version range for this socket
-+ */
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange
-+ (JNIEnv *env, jobject self, jint min, jint max)
-+{
-+ SECStatus status;
-+ JSSL_SocketData *sock = NULL;
-+ SSLVersionRange vrange;
-+
-+ if ( min <0 || min >= JSSL_enums_size ||
-+ max <0 || max >= JSSL_enums_size) {
-+ char buf[128];
-+ PR_snprintf(buf, 128, "JSS setSSLVersionRange(): for max=%d failed - out of range for array JSSL_enums size: %d", min, max, JSSL_enums_size);
-+ JSSL_throwSSLSocketException(env, buf);
-+ goto finish;
-+ }
-+
-+ /* get my fd */
-+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
-+ goto finish;
-+ }
-+
-+ vrange.min = JSSL_enums[min];
-+ vrange.max = JSSL_enums[max];
-+
-+ /*
-+ * set the SSL Version Range
-+ * The validity of the range will be checked by this NSS call
-+ */
-+ status = SSL_VersionRangeSet(sock->fd, &vrange);
-+ if( status != SECSuccess ) {
-+ JSSL_throwSSLSocketException(env, "SSL_VersionRangeSet failed");
-+ goto finish;
-+ }
-+
-+finish:
-+ EXCEPTION_CHECK(env, sock)
-+ return;
-+}
-+
- JNIEXPORT void JNICALL
- Java_org_mozilla_jss_ssl_SSLSocket_setSSLDefaultOption(JNIEnv *env,
- jclass clazz, jint joption, jint on)
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java.cfuSaved 2014-09-29 14:12:27.566206338 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2014-09-29 14:12:34.377194462 -0700
-@@ -36,6 +36,7 @@
-
- package org.mozilla.jss.ssl;
-
-+import java.lang.IllegalArgumentException;
- import java.net.*;
- import java.net.SocketException;
- import java.net.SocketTimeoutException;
-@@ -948,6 +949,63 @@ public class SSLSocket extends java.net.
- setSSLDefaultOption(SocketBase.SSL_NO_CACHE, !b);
- }
-
-+ /*
-+ * _min_enum and _max_enum should be one of the following:
-+ * SocketBase.SSL_LIBRARY_VERSION_3_0
-+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_0
-+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_1
-+ * SocketBase.SSL_LIBRARY_VERSION_TLS_1_2
-+ */
-+ public static class SSLVersionRange {
-+ private int _min_enum;
-+ private int _max_enum;
-+ public static final int ssl3 = SocketBase.SSL_LIBRARY_VERSION_3_0;
-+ public static final int tls1_0 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_0;
-+ public static final int tls1_1 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_1;
-+ public static final int tls1_2 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_2;
-+ public SSLVersionRange(int min_enum, int max_enum)
-+ throws IllegalArgumentException {
-+ if ((min_enum >= SocketBase.SSL_LIBRARY_VERSION_3_0) &&
-+ (max_enum <= SocketBase.SSL_LIBRARY_VERSION_TLS_1_2) &&
-+ (min_enum <= max_enum)) {
-+ _min_enum = min_enum;
-+ _max_enum = max_enum;
-+ } else {
-+ throw new IllegalArgumentException("JSS SSLSocket SSLVersionRange: arguments out of range");
-+ }
-+ }
-+
-+ int getMinEnum() { return _min_enum; }
-+ int getMaxEnum() { return _max_enum; }
-+
-+ }
-+
-+ public static class SSLProtocolVariant {
-+ private int _enum;
-+ private SSLProtocolVariant(int val) { _enum = val; }
-+
-+ int getEnum() { return _enum; }
-+
-+ public static final SSLProtocolVariant STREAM =
-+ new SSLProtocolVariant(SocketBase.SSL_Variant_Stream);
-+ public static final SSLProtocolVariant DATA_GRAM =
-+ new SSLProtocolVariant(SocketBase.SSL_Variant_Datagram);
-+
-+ }
-+
-+ public static void setSSLVersionRangeDefault(SSLProtocolVariant ssl_variant, SSLVersionRange range)
-+ throws SocketException
-+ {
-+ if (range == null)
-+ throw new SocketException("setSSLVersionRangeDefault: range null");
-+ setSSLVersionRangeDefault(ssl_variant.getEnum(), range.getMinEnum(), range.getMaxEnum());
-+ }
-+
-+ /**
-+ * Sets SSL Version Range Default
-+ */
-+ private static native void setSSLVersionRangeDefault(int ssl_variant, int min, int max)
-+ throws SocketException;
-
- private static void setSSLDefaultOption(int option, boolean on)
- throws SocketException
-@@ -1221,6 +1279,8 @@ public class SSLSocket extends java.net.
- public final static int TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = 0x0063;
- public final static int TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = 0x0065;
- public final static int TLS_DHE_DSS_WITH_RC4_128_SHA = 0x0066;
-+ public final static int TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = 0x0067;
-+ public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = 0x006B;
-
- // New TLS cipher suites in NSS 3.4
- public final static int TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F;
-@@ -1236,6 +1296,10 @@ public class SSLSocket extends java.net.
- public final static int TLS_DHE_DSS_WITH_AES_256_CBC_SHA = 0x0038;
- public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039;
- public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A;
-+ public final static int TLS_RSA_WITH_NULL_SHA256 = 0x003B;
-+ public final static int TLS_RSA_WITH_AES_128_CBC_SHA256 = 0x003C;
-+ public final static int TLS_RSA_WITH_AES_256_CBC_SHA256 = 0x003D;
-+
-
- public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041;
- public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042;
-@@ -1251,6 +1315,12 @@ public class SSLSocket extends java.net.
- public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088;
- public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089;
-
-+ public final static int TLS_RSA_WITH_SEED_CBC_SHA = 0x0096;
-+
-+ public final static int TLS_RSA_WITH_AES_128_GCM_SHA256 = 0x009C;
-+ public final static int TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = 0x009E;
-+ public final static int TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = 0x00A2;
-+
- public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001;
- public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002;
- public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003;
-@@ -1281,5 +1351,13 @@ public class SSLSocket extends java.net.
- public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018;
- public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019;
-
-+ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = 0xc023;
-+ public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = 0xc027;
-+
-+ public final static int TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02B;
-+ public final static int TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = 0xc02D;
-+ public final static int TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xc02F;
-+ public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = 0xc031;
-+
- }
-
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java.cfuSaved 2014-09-29 14:12:27.564206341 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2014-09-29 14:12:34.378194460 -0700
-@@ -114,6 +114,15 @@ class SocketBase {
- static final int SSL_REQUIRE_ALWAYS = 19;
- static final int SSL_REQUIRE_FIRST_HANDSHAKE = 20;
- static final int SSL_REQUIRE_NO_ERROR = 21;
-+ /* ssl/sslproto.h for supporting SSLVersionRange */
-+ static final int SSL_LIBRARY_VERSION_2 = 22;
-+ static final int SSL_LIBRARY_VERSION_3_0 = 23;
-+ static final int SSL_LIBRARY_VERSION_TLS_1_0 = 24;
-+ static final int SSL_LIBRARY_VERSION_TLS_1_1 = 25;
-+ static final int SSL_LIBRARY_VERSION_TLS_1_2 = 26;
-+ /* ssl/sslt.h */
-+ static final int SSL_Variant_Stream = 27;
-+ static final int SSL_Variant_Datagram = 28;
-
-
- static final int SSL_AF_INET = 50;
-@@ -190,6 +199,18 @@ class SocketBase {
- native void setSSLOption(int option, int on)
- throws SocketException;
-
-+ void setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range)
-+ throws SocketException
-+ {
-+ setSSLVersionRange(range.getMinEnum(), range.getMaxEnum());
-+ }
-+
-+ /**
-+ * Sets SSL Version Range for this socket to support TLS v1.1 and v1.2
-+ */
-+ native void setSSLVersionRange(int min, int max)
-+ throws SocketException;
-+
- /**
- * Sets the SSL option setting mode value use for options
- * that have more values than just enable/diasable.
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c.cfuSaved 2014-09-29 14:12:27.562206345 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2014-09-29 14:12:34.378194460 -0700
-@@ -38,6 +38,7 @@
- #include <pk11func.h>
- #include <ssl.h>
- #include <sslerr.h>
-+#include <sslproto.h>
-
- #include <jssutil.h>
- #include <jss_exceptions.h>
-@@ -407,8 +408,16 @@ PRInt32 JSSL_enums[] = {
- SSL_REQUIRE_ALWAYS, /* 19 */ /* ssl.h */
- SSL_REQUIRE_FIRST_HANDSHAKE,/* 20 */ /* ssl.h */
- SSL_REQUIRE_NO_ERROR, /* 21 */ /* ssl.h */
-+ SSL_LIBRARY_VERSION_2, /* 22 */ /* sslproto.h */
-+ SSL_LIBRARY_VERSION_3_0, /* 23 */ /* sslproto.h */
-+ SSL_LIBRARY_VERSION_TLS_1_0, /* 24 */ /* sslproto.h */
-+ SSL_LIBRARY_VERSION_TLS_1_1, /* 25 */ /* sslproto.h */
-+ SSL_LIBRARY_VERSION_TLS_1_2, /* 26 */ /* sslproto.h */
-+ ssl_variant_stream, /* 27 */ /* sslt.h */
-+ ssl_variant_datagram, /* 28 */ /* sslt.h */
- 0
- };
-+
-
-
- JNIEXPORT void JNICALL
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h.cfuSaved 2014-09-29 14:12:27.563206343 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/jssl.h 2014-09-29 14:13:59.605044228 -0700
-@@ -111,6 +111,7 @@ JSSL_DestroySocketData(JNIEnv *env, JSSL
-
-
- extern PRInt32 JSSL_enums[];
-+#define JSSL_enums_size 29
-
- JSSL_SocketData*
- JSSL_CreateSocketData(JNIEnv *env, jobject sockObj, PRFileDesc* newFD,
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java.cfuSaved jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java.cfuSaved 2014-09-29 14:12:27.567206336 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/Constants.java 2014-09-29 14:12:34.379194458 -0700
-@@ -149,6 +149,21 @@ public interface Constants {
- /*52*/ new cipher(SSLSocket.SSL2_DES_64_CBC_WITH_MD5, "SSL2_DES_64_CBC_WITH_MD5"),
- /*53*/ new cipher(SSLSocket.SSL2_RC4_128_EXPORT40_WITH_MD5, "SSL2_RC4_128_EXPORT40_WITH_MD5"),
- /*54*/ new cipher(SSLSocket.SSL2_RC2_128_CBC_EXPORT40_WITH_MD5, "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5"),
-+/*55*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"),
-+/*56*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"),
-+/*57*/ new cipher(SSLSocket.TLS_RSA_WITH_NULL_SHA256, "TLS_RSA_WITH_NULL_SHA256"),
-+/*58*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256"),
-+/*59*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_256_CBC_SHA256, "TLS_RSA_WITH_AES_256_CBC_SHA256"),
-+/*60*/ new cipher(SSLSocket.TLS_RSA_WITH_SEED_CBC_SHA, "TLS_RSA_WITH_SEED_CBC_SHA"),
-+/*61*/ new cipher(SSLSocket.TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256"),
-+/*62*/ new cipher(SSLSocket.TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"),
-+/*63*/ new cipher(SSLSocket.TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"),
-+/*64*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"),
-+/*65*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
-+/*66*/ new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"),
-+/*67*/ new cipher(SSLSocket.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"),
-+/*68*/ new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
-+/*69*/ new cipher(SSLSocket.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256")
- };
-
- /** Cipher supported by JSSE (JDK 1.5.x) */
diff --git a/SOURCES/jss-symkey-enhancements.patch b/SOURCES/jss-symkey-enhancements.patch
deleted file mode 100644
index 248ba76..0000000
--- a/SOURCES/jss-symkey-enhancements.patch
+++ /dev/null
@@ -1,1855 +0,0 @@
-diff -up ./mozilla/security/jss/build_java.pl.jmagne ./mozilla/security/jss/build_java.pl
---- ./mozilla/security/jss/build_java.pl.jmagne 2016-04-14 13:56:16.946920239 -0700
-+++ ./mozilla/security/jss/build_java.pl 2016-04-14 14:53:08.501298062 -0700
-@@ -31,7 +31,8 @@ org.mozilla.jss.pkcs11.PK11MessageDigest
- org.mozilla.jss.pkcs11.PK11PrivKey
- org.mozilla.jss.pkcs11.PK11PubKey
- org.mozilla.jss.pkcs11.PK11SymKey
--org.mozilla.jss.pkcs11.PK11KeyPairGenerator
-+org.mozilla.jss.pkcs11.PK11KeyPairGenerator
-+org.mozilla.jss.pkcs11.PK11SymmetricKeyDeriver
- org.mozilla.jss.pkcs11.PK11KeyGenerator
- org.mozilla.jss.pkcs11.PK11Token
- org.mozilla.jss.pkcs11.PrivateKeyProxy
-diff -up ./mozilla/security/jss/lib/jss.def.jmagne ./mozilla/security/jss/lib/jss.def
---- ./mozilla/security/jss/lib/jss.def.jmagne 2016-04-14 16:00:06.229534228 -0700
-+++ ./mozilla/security/jss/lib/jss.def 2016-04-14 16:00:32.229356314 -0700
-@@ -158,6 +158,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de
- Java_org_mozilla_jss_pkcs11_PK11Store_importPrivateKey;
- Java_org_mozilla_jss_pkcs11_PK11Store_putCertsInVector;
- Java_org_mozilla_jss_pkcs11_PK11Store_putKeysInVector;
-+Java_org_mozilla_jss_pkcs11_PK11Store_putSymKeysInVector;
- Java_org_mozilla_jss_pkcs11_SigContextProxy_releaseNativeResources;
- Java_org_mozilla_jss_pkcs11_PK11RSAPublicKey_getModulusByteArray;
- Java_org_mozilla_jss_pkcs11_PK11RSAPublicKey_getPublicExponentByteArray;
-@@ -336,6 +337,8 @@ Java_org_mozilla_jss_CryptoManager_verif
- Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid;
- Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange;
- Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault;
-+Java_org_mozilla_jss_pkcs11_PK11SymmetricKeyDeriver_nativeDeriveSymKey;
-+Java_org_mozilla_jss_pkcs11_PK11SymKey_setNickNameNative;
- ;+ local:
- ;+ *;
- ;+};
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.jmagne 2016-04-14 16:02:38.108494940 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2016-04-14 16:02:47.243432431 -0700
-@@ -114,6 +114,11 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
- /* 51 */ {SEC_OID_PKCS5_PBKDF2, SEC_OID_TAG},
- /* 52 */ {SEC_OID_PKCS5_PBES2, SEC_OID_TAG},
- /* 53 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG},
-+/* 54 */ {SEC_OID_HMAC_SHA1,SEC_OID_TAG},
-+/* 55 */ {SEC_OID_HMAC_SHA224,SEC_OID_TAG},
-+/* 56 */ {SEC_OID_HMAC_SHA256,SEC_OID_TAG},
-+/* 57 */ {SEC_OID_HMAC_SHA384,SEC_OID_TAG},
-+/* 58 */ {SEC_OID_HMAC_SHA512,SEC_OID_TAG}
- /* REMEMBER TO UPDATE NUM_ALGS!!! */
- };
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.jmagne 2016-04-14 11:30:41.871517926 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2016-04-14 11:30:54.933436860 -0700
-@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
- JSS_AlgType type;
- } JSS_AlgInfo;
-
--#define NUM_ALGS 54
-+#define NUM_ALGS 59
-
- extern JSS_AlgInfo JSS_AlgTable[];
- extern CK_ULONG JSS_symkeyUsage[];
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.jmagne 2016-04-14 16:06:13.388021812 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2016-04-14 16:06:27.537924813 -0700
-@@ -237,5 +237,9 @@ public class Algorithm {
- protected static final short SEC_OID_PKCS5_PBKDF2=51;
- protected static final short SEC_OID_PKCS5_PBES2=52;
- protected static final short SEC_OID_PKCS5_PBMAC1=53;
--
-+ protected static final short SEC_OID_HMAC_SHA1=54;
-+ protected static final short SEC_OID_HMAC_SHA224=55;
-+ protected static final short SEC_OID_HMAC_SHA256=56;
-+ protected static final short SEC_OID_HMAC_SHA384=57;
-+ protected static final short SEC_OID_HMAC_SHA512=58;
- }
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoStore.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoStore.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoStore.java.jmagne 2016-04-14 17:03:33.504298176 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoStore.java 2016-04-14 17:03:42.198238112 -0700
-@@ -75,6 +75,18 @@ public interface CryptoStore {
- getPrivateKeys() throws TokenException;
-
- /**
-+ * Returns all symmetric keys stored on this token.
-+ *
-+ * @return An array of all symmetric keys stored on this token.
-+ * @exception TokenException If an error occurs on the token while
-+ * gathering the keys.
-+ */
-+ public SymmetricKey[]
-+ getSymmetricKeys() throws TokenException;
-+
-+
-+
-+ /**
- * Deletes the given PrivateKey from the CryptoToken.
- * This is a very dangerous call: it deletes the key from the underlying
- * token. After calling this, the PrivateKey passed in must no longer
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java.jmagne 2016-04-14 16:07:39.458429756 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2016-04-14 16:07:52.266341595 -0700
-@@ -92,6 +92,9 @@ public interface CryptoToken {
- getCipherContext(EncryptionAlgorithm algorithm)
- throws java.security.NoSuchAlgorithmException, TokenException;
-
-+ public abstract SymmetricKeyDeriver getSymmetricKeyDeriver()
-+ throws TokenException;
-+
- public abstract KeyWrapper
- getKeyWrapper(KeyWrapAlgorithm algorithm)
- throws java.security.NoSuchAlgorithmException, TokenException;
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java.jmagne 2016-04-14 16:09:02.858855679 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java 2016-04-14 16:09:18.048751121 -0700
-@@ -85,4 +85,21 @@ public class HMACAlgorithm extends Diges
- public static final HMACAlgorithm SHA1 = new HMACAlgorithm
- (CKM_SHA_1_HMAC, "SHA-1-HMAC",
- OBJECT_IDENTIFIER.ALGORITHM.subBranch(26), 20);
-+
-+ public static final HMACAlgorithm SHA224 = new HMACAlgorithm
-+ (SEC_OID_HMAC_SHA224, "SHA-224-HMAC",
-+ OBJECT_IDENTIFIER.RSADSI.subBranch(8), 28);
-+
-+ public static final HMACAlgorithm SHA256 = new HMACAlgorithm
-+ (SEC_OID_HMAC_SHA256, "SHA-256-HMAC",
-+ OBJECT_IDENTIFIER.RSADSI.subBranch(9), 32);
-+
-+ public static final HMACAlgorithm SHA384 = new HMACAlgorithm
-+ (SEC_OID_HMAC_SHA384, "SHA-384-HMAC",
-+ OBJECT_IDENTIFIER.RSADSI.subBranch(10), 48);
-+
-+ public static final HMACAlgorithm SHA512 = new HMACAlgorithm
-+ (SEC_OID_HMAC_SHA512, "SHA-512-HMAC",
-+ OBJECT_IDENTIFIER.RSADSI.subBranch(11), 64);
-+
- }
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java.jmagne 2016-04-14 16:10:43.930159965 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2016-04-14 16:10:55.377081172 -0700
-@@ -133,4 +133,21 @@ public interface KeyWrapper {
- throws TokenException, IllegalStateException,
- InvalidAlgorithmParameterException;
-
-+ public SymmetricKey unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
-+ SymmetricKey.Usage usage, int keyLength)
-+ throws TokenException, IllegalStateException,
-+ InvalidAlgorithmParameterException;
-+
-+ /**
-+ * Unwraps a key and allows it to be used for all operations.
-+ * @param keyLength The expected length of the key in bytes. This is
-+ * only used for variable-length keys (RC4) and non-padding
-+ * algorithms. Otherwise, it can be set to anything(like 0).
-+ */
-+ public SymmetricKey unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
-+ int keyLength)
-+ throws TokenException, IllegalStateException,
-+ InvalidAlgorithmParameterException;
-+
-+
- }
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java.jmagne 2016-04-14 16:36:36.080464052 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java 2016-04-14 16:36:49.784369514 -0700
-@@ -0,0 +1,79 @@
-+/* ***** BEGIN LICENSE BLOCK *****
-+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
-+ *
-+ * The contents of this file are subject to the Mozilla Public License Version
-+ * 1.1 (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ * http://www.mozilla.org/MPL/
-+ *
-+ * Software distributed under the License is distributed on an "AS IS" basis,
-+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-+ * for the specific language governing rights and limitations under the
-+ * License.
-+ *
-+ * The Original Code is the Netscape Security Services for Java.
-+ *
-+ * The Initial Developer of the Original Code is
-+ * Netscape Communications Corporation.
-+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
-+ * the Initial Developer. All Rights Reserved.
-+ *
-+ * Contributor(s):
-+ *
-+ * Alternatively, the contents of this file may be used under the terms of
-+ * either the GNU General Public License Version 2 or later (the "GPL"), or
-+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-+ * in which case the provisions of the GPL or the LGPL are applicable instead
-+ * of those above. If you wish to allow use of your version of this file only
-+ * under the terms of either the GPL or the LGPL, and not to allow others to
-+ * use your version of this file under the terms of the MPL, indicate your
-+ * decision by deleting the provisions above and replace them with the notice
-+ * and other provisions required by the GPL or the LGPL. If you do not delete
-+ * the provisions above, a recipient may use your version of this file under
-+ * the terms of any one of the MPL, the GPL or the LGPL.
-+ *
-+ * ***** END LICENSE BLOCK ***** */
-+
-+package org.mozilla.jss.crypto;
-+
-+import java.security.spec.AlgorithmParameterSpec;
-+import java.security.InvalidAlgorithmParameterException;
-+import java.security.PublicKey;
-+import java.security.InvalidKeyException;
-+
-+public interface SymmetricKeyDeriver {
-+
-+ /* Use with the encrypt type mechanisms
-+ Example: initDerive(
-+ symKey, (PKCS11Constants.CKM_DES3_ECB_ENCRYPT_DATA) 4354L, derivationData, null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE, 16);
-+ */
-+
-+ public abstract void initDerive(SymmetricKey baseKey,
-+ long deriveMech, byte[] param, byte[] iv, long targetMech, long operation, long keySize)
-+ throws InvalidKeyException;
-+
-+
-+
-+ /* Use with key extraction and key concatanation mechanisms
-+
-+ Example:
-+ param: byte array that has the bit position of where to extract
-+ initDerive(
-+ derivedKey, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null,
-+ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,8);
-+
-+
-+ initDerive(
-+ baseSymKey,secondarySymKey, PKCS11Constants.CKM_CONCATENATE_BASE_AND_KEY,null,null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,0);
-+
-+ */
-+
-+ public abstract void initDerive(SymmetricKey baseKey,
-+ SymmetricKey secondaryKey, long deriveMech, byte[] param, byte[] iv, long targetMech, long operation, long keySize)
-+ throws InvalidKeyException;
-+
-+ public abstract SymmetricKey derive()
-+ throws TokenException;
-+}
-diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKey.java.jmagne ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKey.java
---- ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKey.java.jmagne 2016-04-14 16:11:50.865699222 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/crypto/SymmetricKey.java 2016-04-14 16:12:02.768617289 -0700
-@@ -71,6 +71,10 @@ public interface SymmetricKey {
-
- String getFormat();
-
-+ String getNickName();
-+
-+ void setNickName(String nickName);
-+
- public final static class Type {
- // all names converted to lowercase for case insensitivity
- private static Hashtable nameMap = new Hashtable();
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/manifest.mn.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/manifest.mn
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/manifest.mn.jmagne 2016-04-14 16:15:59.271989344 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/manifest.mn 2016-04-14 16:16:10.670910881 -0700
-@@ -64,6 +64,7 @@ CSRCS = \
- PK11Store.c \
- PK11SymKey.c \
- PK11Token.c \
-+ PK11SymmetricKeyDeriver.c \
- $(NULL)
-
-
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.jmagne 2016-04-14 16:17:29.760366477 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2016-04-14 16:17:58.742166983 -0700
-@@ -519,7 +519,7 @@ JNIEXPORT jobject JNICALL
- Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymWithSym
- (JNIEnv *env, jclass clazz, jobject tokenObj, jobject unwrapperObj,
- jbyteArray wrappedBA, jobject wrapAlgObj, jobject typeAlgObj,
-- jint keyLen, jbyteArray ivBA, jint usageEnum)
-+ jint keyLen, jbyteArray ivBA, jint usageEnum,jboolean temporary)
- {
- PK11SymKey *symKey=NULL, *wrappingKey=NULL;
- CK_MECHANISM_TYPE wrappingMech, keyTypeMech;
-@@ -527,6 +527,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- jobject keyObj = NULL;
- CK_ULONG operation;
- CK_FLAGS flags;
-+ PRBool isPermanent = PR_FALSE;
-
- /* get key type */
- keyTypeMech = JSS_getPK11MechFromAlg(env, typeAlgObj);
-@@ -579,8 +580,21 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- flags = 0;
- }
-
-- symKey = PK11_UnwrapSymKeyWithFlags(wrappingKey, wrappingMech, param,
-- wrappedKey, keyTypeMech, operation, keyLen, flags);
-+ if( temporary ) {
-+ isPermanent = PR_FALSE;
-+ } else {
-+ isPermanent = PR_TRUE;
-+ }
-+
-+ if( isPermanent == PR_FALSE) {
-+ symKey = PK11_UnwrapSymKeyWithFlags(wrappingKey, wrappingMech, param,
-+ wrappedKey, keyTypeMech, operation, keyLen, flags);
-+
-+ } else {
-+ symKey = PK11_UnwrapSymKeyWithFlagsPerm(wrappingKey, wrappingMech, param,
-+ wrappedKey, keyTypeMech, operation, keyLen, flags,isPermanent);
-+ }
-+
- if( symKey == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to unwrap key");
- goto finish;
-@@ -702,7 +716,7 @@ finish:
- JNIEXPORT jobject JNICALL
- Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymPlaintext
- (JNIEnv *env, jclass clazz, jobject tokenObj, jbyteArray wrappedBA,
-- jobject typeAlgObj, jint usageEnum)
-+ jobject typeAlgObj, jint usageEnum,jboolean temporary)
- {
- PK11SymKey *symKey=NULL;
- CK_MECHANISM_TYPE keyTypeMech;
-@@ -711,6 +725,8 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- PK11SlotInfo *slot = NULL;
- CK_ULONG operation;
- CK_FLAGS flags;
-+ PRBool isPerm = PR_FALSE;
-+
-
- /* get key type */
- keyTypeMech = JSS_getPK11MechFromAlg(env, typeAlgObj);
-@@ -740,9 +756,15 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- flags = 0;
- }
-
-+ if( temporary ) {
-+ isPerm = PR_FALSE;
-+ } else {
-+ isPerm = PR_TRUE;
-+ }
-+
- /* pull in the key */
- symKey = PK11_ImportSymKeyWithFlags(slot, keyTypeMech, PK11_OriginUnwrap,
-- operation, wrappedKey, flags, PR_FALSE /*isPerm*/, NULL);
-+ operation, wrappedKey, flags, isPerm, NULL);
- if( symKey == NULL ) {
- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to unwrap key");
- goto finish;
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.jmagne 2016-04-14 16:19:26.998559480 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2016-04-14 16:19:40.941463506 -0700
-@@ -498,8 +498,25 @@ final class PK11KeyWrapper implements Ke
- return unwrapSymmetric(wrapped, type, -1, keyLen);
- }
-
-+ public SymmetricKey
-+ unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
-+ SymmetricKey.Usage usage, int keyLen)
-+ throws TokenException, IllegalStateException,
-+ InvalidAlgorithmParameterException
-+ {
-+ return unwrapSymmetricPerm(wrapped, type, usage.getVal(), keyLen);
-+ }
-+
-+ public SymmetricKey
-+ unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type, int keyLen)
-+ throws TokenException, IllegalStateException,
-+ InvalidAlgorithmParameterException
-+ {
-+ return unwrapSymmetricPerm(wrapped, type, -1, keyLen);
-+ }
-+
- private SymmetricKey
-- unwrapSymmetric(byte[] wrapped, SymmetricKey.Type type,
-+ unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
- int usageEnum, int keyLen)
- throws TokenException, IllegalStateException,
- InvalidAlgorithmParameterException
-@@ -508,6 +525,10 @@ final class PK11KeyWrapper implements Ke
- throw new IllegalStateException();
- }
-
-+ /* Since we want permanent,make the temporary arg false */
-+ boolean temporary = false;
-+
-+
- if( (! algorithm.isPadded()) && (type == SymmetricKey.RC4) ) {
- if( keyLen <= 0 ) {
- throw new InvalidAlgorithmParameterException(
-@@ -521,12 +542,53 @@ final class PK11KeyWrapper implements Ke
-
- if( algorithm == KeyWrapAlgorithm.PLAINTEXT ) {
- return nativeUnwrapSymPlaintext(token, wrapped, algFromType(type),
-- usageEnum );
-+ usageEnum,temporary );
- } else {
- if( symKey != null ) {
- Assert._assert(pubKey==null && privKey==null);
- return nativeUnwrapSymWithSym(token, symKey, wrapped, algorithm,
-- algFromType(type), keyLen, IV, usageEnum);
-+ algFromType(type), keyLen, IV, usageEnum,temporary);
-+ } else {
-+ Assert._assert(privKey!=null && pubKey==null && symKey==null);
-+ throw new TokenException("We do not support permnament unwrapping with private key.");
-+ }
-+ }
-+ }
-+
-+
-+ private SymmetricKey
-+ unwrapSymmetric(byte[] wrapped, SymmetricKey.Type type,
-+ int usageEnum, int keyLen)
-+ throws TokenException, IllegalStateException,
-+ InvalidAlgorithmParameterException
-+ {
-+ if( state != UNWRAP ) {
-+ throw new IllegalStateException();
-+ }
-+
-+ if( (! algorithm.isPadded()) && (type == SymmetricKey.RC4) ) {
-+ if( keyLen <= 0 ) {
-+ throw new InvalidAlgorithmParameterException(
-+ "RC4 keys wrapped in unpadded algorithms need key length"+
-+ " specified when unwrapping");
-+ }
-+ } else {
-+ // Don't use the key length
-+ //keyLen = 0;
-+ }
-+
-+ /* Since we DONT want permanent,make the temporary arg true */
-+ boolean temporary = true;
-+
-+
-+ if( algorithm == KeyWrapAlgorithm.PLAINTEXT ) {
-+ return nativeUnwrapSymPlaintext(token, wrapped, algFromType(type),
-+ usageEnum, temporary );
-+ } else {
-+ if( symKey != null ) {
-+ Assert._assert(pubKey==null && privKey==null);
-+ return nativeUnwrapSymWithSym(token, symKey, wrapped, algorithm,
-+ algFromType(type), keyLen, IV, usageEnum,temporary);
- } else {
- Assert._assert(privKey!=null && pubKey==null && symKey==null);
- return nativeUnwrapSymWithPriv(token, privKey, wrapped,
-@@ -586,7 +648,7 @@ final class PK11KeyWrapper implements Ke
- private static native SymmetricKey
- nativeUnwrapSymWithSym(PK11Token token, SymmetricKey unwrappingKey,
- byte[] wrappedKey, KeyWrapAlgorithm alg, Algorithm type, int keyLen,
-- byte[] IV, int usageEnum)
-+ byte[] IV, int usageEnum,boolean temporary)
- throws TokenException;
-
- /**
-@@ -600,7 +662,7 @@ final class PK11KeyWrapper implements Ke
-
- private static native SymmetricKey
- nativeUnwrapSymPlaintext(PK11Token token, byte[] wrappedKey,
-- Algorithm type, int usageEnum);
-+ Algorithm type, int usageEnum,boolean temporary);
-
- private void reset() {
- state = UNINITIALIZED;
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c.jmagne 2016-05-06 18:10:04.531912407 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2016-05-06 17:36:19.913933639 -0700
-@@ -99,17 +99,19 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD
- }
-
- /* copy the key, setting the CKA_SIGN attribute */
-- newKey = PK11_CopySymKeyForSigning(origKey, mech);
-+/* newKey = PK11_CopySymKeyForSigning(origKey, mech);
- if( newKey == NULL ) {
- JSS_throwMsg(env, DIGEST_EXCEPTION,
- "Unable to set CKA_SIGN attribute on symmetric key");
- goto finish;
- }
-
-+*/
-+
- param.data = NULL;
- param.len = 0;
-
-- context = PK11_CreateContextBySymKey(mech, CKA_SIGN, newKey, ¶m);
-+ context = PK11_CreateContextBySymKey(mech, CKA_SIGN, origKey, ¶m);
- if( context == NULL ) {
- JSS_throwMsg(env, DIGEST_EXCEPTION,
- "Unable to initialize digest context");
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c.jmagne 2016-04-14 16:22:16.174394977 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2016-04-14 16:22:26.605323176 -0700
-@@ -44,13 +44,101 @@
- #include <cert.h>
- #include <certdb.h>
- #include <secasn1.h>
--
- #include <jssutil.h>
- #include <Algorithm.h>
- #include "pk11util.h"
- #include <java_ids.h>
- #include <jss_exceptions.h>
-
-+typedef struct
-+{
-+ enum
-+ {
-+ PW_NONE = 0,
-+ PW_FROMFILE = 1,
-+ PW_PLAINTEXT = 2,
-+ PW_EXTERNAL = 3
-+ } source;
-+ char *data;
-+} secuPWData;
-+
-+/**********************************************************************
-+ * PK11Store.putSymKeysInVector
-+ */
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_pkcs11_PK11Store_putSymKeysInVector
-+ (JNIEnv *env, jobject this, jobject keyVector)
-+{
-+ PK11SlotInfo *slot;
-+ jobject object = NULL;
-+ jclass vectorClass;
-+ jmethodID addElement;
-+
-+ PK11SymKey *firstSymKey= NULL;
-+ PK11SymKey *sk = NULL;
-+ PK11SymKey *nextSymKey = NULL;
-+ secuPWData pwdata;
-+
-+ PK11SymKey *freeSymKey = NULL;
-+ PK11SymKey *nextFreeSymKey = NULL;
-+
-+ pwdata.source = PW_NONE;
-+ pwdata.data = (char *) NULL;
-+
-+ PR_ASSERT(env!=NULL && this!=NULL && keyVector!=NULL);
-+
-+ if( JSS_PK11_getStoreSlotPtr(env, this, &slot) != PR_SUCCESS) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+ PR_ASSERT(slot!=NULL);
-+
-+ vectorClass = (*env)->GetObjectClass(env, keyVector);
-+ if(vectorClass == NULL) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+
-+ addElement = (*env)->GetMethodID(env,
-+ vectorClass,
-+ VECTOR_ADD_ELEMENT_NAME,
-+ VECTOR_ADD_ELEMENT_SIG);
-+ if(addElement == NULL) {
-+ ASSERT_OUTOFMEM(env);
-+ goto finish;
-+ }
-+
-+ PK11_Authenticate(slot, PR_TRUE /*load certs*/, NULL /*wincx*/);
-+
-+ /* Obtain the symmetric key list. */
-+ firstSymKey = PK11_ListFixedKeysInSlot( slot , NULL, ( void *) &pwdata );
-+ sk = firstSymKey;
-+
-+ while(( sk != NULL ))
-+ {
-+ if( sk ) {
-+
-+ nextSymKey = sk;
-+ object = JSS_PK11_wrapSymKey(env, &sk);
-+
-+ if(object == NULL) {
-+ PR_ASSERT( (*env)->ExceptionOccurred(env) );
-+ goto finish;
-+ }
-+
-+ /***************************************************
-+ * Insert the key into the vector
-+ ***************************************************/
-+ (*env)->CallVoidMethod(env, keyVector, addElement, object);
-+ }
-+
-+ sk = PK11_GetNextSymKey( nextSymKey );
-+ }
-+
-+finish:
-+
-+ return;
-+}
-
- /**********************************************************************
- * PK11Store.putKeysInVector
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.java.jmagne 2016-04-14 16:23:26.997907471 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.java 2016-04-14 16:23:34.435856272 -0700
-@@ -66,8 +66,23 @@ public final class PK11Store implements
- keys.copyInto( (Object[]) array );
- return array;
- }
-+
-+ public synchronized SymmetricKey[]
-+ getSymmetricKeys() throws TokenException {
-+
-+ Vector keys = new Vector();
-+ putSymKeysInVector(keys);
-+ SymmetricKey[] array = new SymmetricKey[keys.size()];
-+ keys.copyInto( (Object[]) array);
-+ return array;
-+ }
-+
-+
-+
- protected native void putKeysInVector(Vector keys) throws TokenException;
-
-+ protected native void putSymKeysInVector(Vector symKeys) throws TokenException;
-+
-
- public native void deletePrivateKey(PrivateKey key)
- throws NoSuchItemOnTokenException, TokenException;
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c.jmagne 2016-04-14 16:24:44.565372557 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2016-05-17 11:37:48.532485104 -0700
-@@ -33,7 +33,6 @@
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
--
- #include "_jni/org_mozilla_jss_pkcs11_SymKeyProxy.h"
-
- #include <nspr.h>
-@@ -62,6 +61,8 @@ JSS_PK11_wrapSymKey(JNIEnv *env, PK11Sym
- jmethodID constructor;
- jbyteArray ptrArray;
- jobject Key=NULL;
-+ char *nickname = NULL;
-+ jstring jnickname = NULL;
-
- PR_ASSERT(env!=NULL && symKey!=NULL && *symKey!=NULL);
-
-@@ -72,10 +73,17 @@ JSS_PK11_wrapSymKey(JNIEnv *env, PK11Sym
- goto finish;
- }
-
-+ nickname = PK11_GetSymKeyNickname( *symKey );
-+
-+ if (nickname) {
-+ jnickname = (*env)->NewStringUTF(env, nickname);
-+ }
-+
-+
- /* find the constructor */
- constructor = (*env)->GetMethodID(env, keyClass,
- PLAIN_CONSTRUCTOR,
-- PK11SYMKEY_CONSTRUCTOR_SIG);
-+ PK11SYMKEY_CONSTRUCTOR_1_SIG);
- if(constructor == NULL) {
- ASSERT_OUTOFMEM(env);
- goto finish;
-@@ -87,12 +95,16 @@ JSS_PK11_wrapSymKey(JNIEnv *env, PK11Sym
- goto finish;
- }
- /* call the constructor */
-- Key = (*env)->NewObject(env, keyClass, constructor, ptrArray);
-+ Key = (*env)->NewObject(env, keyClass, constructor, ptrArray,jnickname);
-
- finish:
- if(Key == NULL) {
- PK11_FreeSymKey(*symKey);
- }
-+ if(nickname != NULL) {
-+ PORT_Free(nickname);
-+ nickname = NULL;
-+ }
- *symKey = NULL;
- return Key;
- }
-@@ -181,6 +193,49 @@ finish:
-
- /***********************************************************************
- *
-+ * PK11SymKey.setNickNameNative
-+ */
-+JNIEXPORT void JNICALL
-+Java_org_mozilla_jss_pkcs11_PK11SymKey_setNickNameNative
-+ (JNIEnv *env, jobject this,jstring nickname)
-+{
-+ PK11SymKey *key=NULL;
-+ const char *keyname = NULL;
-+ SECStatus status;
-+
-+ /* If no nickname provided, we are done */
-+ if( nickname == NULL ) {
-+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION,
-+ "Nickname is NULL, will not be set");
-+ goto finish;
-+ }
-+
-+ /* get the key pointer */
-+ if( JSS_PK11_getSymKeyPtr(env, this, &key) != PR_SUCCESS) {
-+ goto finish;
-+ }
-+
-+ /* convert the Java String into a native "C" string */
-+ keyname = (*env)->GetStringUTFChars( env, nickname, 0 );
-+
-+ /* name the key */
-+ status = PK11_SetSymKeyNickname( key, keyname );
-+ if( status != SECSuccess ) {
-+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION,
-+ "Failed to name symmetric key");
-+ }
-+finish:
-+
-+ if( keyname != NULL ) {
-+ /* free the native "C" string */
-+ (*env)->ReleaseStringUTFChars(env, nickname, keyname);
-+ }
-+
-+ return;
-+}
-+
-+/***********************************************************************
-+ *
- * PK11SymKey.getKeyData
- */
- JNIEXPORT jbyteArray JNICALL
-@@ -279,6 +334,10 @@ Java_org_mozilla_jss_pkcs11_PK11SymKey_g
- case CKK_AES:
- typeFieldName = AES_KEYTYPE_FIELD;
- break;
-+ case CKK_DES2:
-+ printf("hello des2! \n");
-+ typeFieldName = DES3_KEYTYPE_FIELD;
-+ break;
- default:
- PR_ASSERT(PR_FALSE);
- typeFieldName = DES_KEYTYPE_FIELD;
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.java.jmagne 2016-04-14 16:58:33.385371633 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.java 2016-05-17 11:41:36.323841045 -0700
-@@ -44,9 +44,17 @@ public final class PK11SymKey implements
- protected PK11SymKey(byte[] pointer) {
- Assert._assert(pointer!=null);
- keyProxy = new SymKeyProxy(pointer);
-+ nickName = null;
-+ }
-+
-+ protected PK11SymKey(byte[] pointer,String nickName) {
-+ Assert._assert(pointer!=null);
-+ keyProxy = new SymKeyProxy(pointer);
-+ this.nickName = nickName;
- }
-
- private SymKeyProxy keyProxy;
-+ private String nickName;
-
- public SymmetricKey.Type getType() {
- KeyType kt = getKeyType();
-@@ -108,6 +116,20 @@ public final class PK11SymKey implements
- public String getFormat() {
- return "RAW";
- }
-+
-+ public String getNickName() {
-+ return nickName;
-+ }
-+
-+ public void setNickName(String nickName) {
-+ this.nickName = nickName;
-+
-+ if( nickName != null) {
-+ setNickNameNative(nickName);
-+ }
-+ }
-+
-+ public native void setNickNameNative(String nickName);
- }
-
- class SymKeyProxy extends KeyProxy {
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.c.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.c
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.c.jmagne 2016-04-14 16:26:18.611723763 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.c 2016-05-17 14:13:35.456574082 -0700
-@@ -0,0 +1,364 @@
-+/* ***** BEGIN LICENSE BLOCK *****
-+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
-+ *
-+ * The contents of this file are subject to the Mozilla Public License Version
-+ * 1.1 (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ * http://www.mozilla.org/MPL/
-+ *
-+ * Software distributed under the License is distributed on an "AS IS" basis,
-+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-+ * for the specific language governing rights and limitations under the
-+ * License.
-+ *
-+ * The Original Code is the Netscape Security Services for Java.
-+ *
-+ * The Initial Developer of the Original Code is
-+ * Netscape Communications Corporation.
-+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
-+ * the Initial Developer. All Rights Reserved.
-+ *
-+ * Contributor(s):
-+ *
-+ * Alternatively, the contents of this file may be used under the terms of
-+ * either the GNU General Public License Version 2 or later (the "GPL"), or
-+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-+ * in which case the provisions of the GPL or the LGPL are applicable instead
-+ * of those above. If you wish to allow use of your version of this file only
-+ * under the terms of either the GPL or the LGPL, and not to allow others to
-+ * use your version of this file under the terms of the MPL, indicate your
-+ * decision by deleting the provisions above and replace them with the notice
-+ * and other provisions required by the GPL or the LGPL. If you do not delete
-+ * the provisions above, a recipient may use your version of this file under
-+ * the terms of any one of the MPL, the GPL or the LGPL.
-+ *
-+ * ***** END LICENSE BLOCK ***** */
-+#include "_jni/org_mozilla_jss_pkcs11_PK11SymmetricKeyDeriver.h"
-+#include <plarena.h>
-+#include <secmodt.h>
-+#include <pk11func.h>
-+#include <pk11pqg.h>
-+#include <secerr.h>
-+#include <nspr.h>
-+#include <key.h>
-+#include <secasn1.h>
-+#include <base64.h>
-+#include <cert.h>
-+#include <cryptohi.h>
-+
-+#include <jssutil.h>
-+#include <jss_exceptions.h>
-+#include <jss_bigint.h>
-+#include <Algorithm.h>
-+#include <jni.h>
-+#include <secitem.h>
-+#include "java_ids.h"
-+
-+#include "pk11util.h"
-+#include <plstr.h>
-+
-+/***********************************************************************
-+ * Expose the NSS functionality at low level, one should know what to do
-+ * at the Java level.
-+ */
-+
-+JNIEXPORT jobject JNICALL Java_org_mozilla_jss_pkcs11_PK11SymmetricKeyDeriver_nativeDeriveSymKey
-+ (JNIEnv * env, jobject this,jobject tokenObj,
-+ jobject baseKeyObj, jobject secondaryKeyObj,
-+ jlong deriveMechanism, jbyteArray param, jbyteArray iv, jlong targetMechanism, jlong operation, jlong keySize)
-+{
-+ jobject keyObj = NULL;
-+ PK11SlotInfo *slot=NULL;
-+ PK11SlotInfo *bestSlot = NULL;
-+ PK11SlotInfo *slotForKey = NULL;
-+ PK11SlotInfo *slotForSecondaryKey = NULL;
-+ PK11SlotInfo *finalSlot = NULL;
-+ PK11SlotInfo *finalSecondarySlot = NULL;
-+ PK11SlotInfo *finalBaseKeySlot = NULL;
-+
-+ PK11SymKey *baseKey = NULL;
-+ PK11SymKey *bestBaseKey = NULL;
-+ PK11SymKey *finalBaseKey = NULL;
-+ PK11SymKey *newKey = NULL;
-+
-+ PK11SymKey *secondaryKey = NULL;
-+ PK11SymKey *bestSecondaryKey = NULL;
-+ PK11SymKey *finalSecondaryKey = NULL;
-+ PK11SymKey *derivedKey = NULL;
-+ jbyte *paramValue = NULL;
-+ int paramLength = 0;
-+ jbyte *ivValue = NULL;
-+ int ivLength = 0;
-+
-+
-+ CK_OBJECT_HANDLE keyhandle = 0;
-+
-+ CK_AES_CBC_ENCRYPT_DATA_PARAMS aes;
-+ CK_DES_CBC_ENCRYPT_DATA_PARAMS des;
-+ CK_KEY_DERIVATION_STRING_DATA string;
-+
-+ SECItem paramsItem = { siBuffer, NULL, 0 };
-+
-+ PR_ASSERT(env!=NULL && this!=NULL);
-+
-+ if( baseKeyObj == 0) {
-+ PR_fprintf(PR_STDOUT,"baseKeyObj can not be null!\n");
-+ goto loser;
-+ }
-+
-+ if( param != NULL) {
-+ paramValue = (*env)->GetByteArrayElements(env,param, NULL);
-+ paramLength = (*env)->GetArrayLength(env,param);
-+ }
-+
-+ if( iv != NULL) {
-+ ivValue = (*env)->GetByteArrayElements(env,iv, NULL);
-+ ivLength = (*env)->GetArrayLength(env,iv);
-+ }
-+
-+ /* Set up the params data for the PK11_Derive family */
-+
-+ switch ( deriveMechanism ) {
-+ case CKM_DES_ECB_ENCRYPT_DATA:
-+ case CKM_DES3_ECB_ENCRYPT_DATA:
-+ case CKM_AES_ECB_ENCRYPT_DATA:
-+ case CKM_CAMELLIA_ECB_ENCRYPT_DATA:
-+ case CKM_SEED_ECB_ENCRYPT_DATA:
-+ /* Use CK_KEY_DERIVATION_STRING_DATA */
-+
-+ string.pData = (unsigned char *) paramValue;
-+ string.ulLen = paramLength;
-+ paramsItem.data = (void *) &string;
-+ paramsItem.len = sizeof(string);
-+
-+ break;
-+ case CKM_DES_CBC_ENCRYPT_DATA:
-+ case CKM_DES3_CBC_ENCRYPT_DATA:
-+ /* Use CK_DES_CBC_ENCRYPT_DATA_PARAMS */
-+
-+ if( ivValue == NULL) {
-+ PR_fprintf(PR_STDOUT, "Need iv param for CKM_DES_CBC_ENCRYPT_DATA or CKM_DES3_CBC_ENCRYPT_DATA. \n");
-+ goto loser;
-+ }
-+
-+ if( ivLength != 8) {
-+ PR_fprintf(PR_STDOUT, "Need iv param for CKM_DES_CBC_ENCRYPT_DATA structure to be 8 bytes!. \n");
-+ goto loser;
-+ }
-+
-+ des.pData = (unsigned char *) paramValue;
-+ des.length = paramLength;
-+ PORT_Memcpy(des.iv,ivValue,ivLength);
-+ paramsItem.data = (void *) &des;
-+ paramsItem.len = sizeof(des);
-+
-+ break;
-+
-+ case CKM_AES_CBC_ENCRYPT_DATA:
-+ case CKM_CAMELLIA_CBC_ENCRYPT_DATA:
-+ case CKM_SEED_CBC_ENCRYPT_DATA:
-+ /* Use CK_AES_CBC_ENCRYPT_DATA_PARAMS */
-+
-+ if ( ivValue == NULL ) {
-+ PR_fprintf(PR_STDOUT, "Need iv param for CBC encrypt derive for AES, or CAMELLIA or SEED. \n");
-+ goto loser;
-+ }
-+
-+ if( ivLength != 16) {
-+ PR_fprintf(PR_STDOUT, "Need iv param for CK_AES_CBC_ENCRYPT_DATA_PARAMS structure to be 16 bytes!. \n");
-+ goto loser;
-+ }
-+
-+ aes.pData = (unsigned char *) paramValue;
-+ aes.length = paramLength;
-+ PORT_Memcpy(aes.iv,ivValue,ivLength);
-+ paramsItem.data = (void *) &aes;
-+ paramsItem.len = sizeof(aes);
-+ break;
-+ default:
-+ paramsItem.data = (unsigned char *) paramValue;
-+ paramsItem.len = paramLength;
-+ break;
-+ }
-+
-+ /* Get slot */
-+ if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
-+ goto loser;
-+ }
-+
-+ /* Get base key */
-+
-+ if( JSS_PK11_getSymKeyPtr(env, baseKeyObj, &baseKey) != PR_SUCCESS) {
-+ PR_fprintf(PR_STDOUT, "PK11SymmetricKeyDeriver.nativeDeriveSymKey: Unable to extract symmetric base key!");
-+ goto loser;
-+ }
-+
-+ /* Ask NSS what the best slot for the given mechanism */
-+
-+ bestSlot = PK11_GetBestSlot(deriveMechanism, NULL);
-+
-+ if( bestSlot == NULL) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: Can't find suitable slot for sym key derivation! \n");
-+ goto loser;
-+ }
-+
-+ slotForKey = PK11_GetSlotFromKey(baseKey);
-+
-+ int keyOnRequestedSlot = 0;
-+ int baseKeyMoved= 0;
-+
-+ if(slotForKey != slot) {
-+ keyOnRequestedSlot = 0;
-+ } else {
-+ keyOnRequestedSlot = 1;
-+ finalBaseKeySlot = slot;
-+ }
-+
-+ if ( PK11_DoesMechanism( slot, deriveMechanism)) {
-+ if ( keyOnRequestedSlot ) {
-+ finalBaseKey = baseKey;
-+ } else {
-+ bestBaseKey = PK11_MoveSymKey( slot, CKA_ENCRYPT, 0, PR_FALSE, baseKey );
-+ if(bestBaseKey == NULL) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: Can't move Base Key to requested slot!\n");
-+ goto loser;
-+ }
-+ baseKeyMoved = 1;
-+ finalBaseKey = bestBaseKey;
-+ finalBaseKeySlot = slot;
-+ }
-+
-+ } else {
-+ bestBaseKey = PK11_MoveSymKey( bestSlot, CKA_ENCRYPT, 0, PR_FALSE, baseKey );
-+ if(bestBaseKey == NULL) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: Can't move Base Key to best slot!\n");
-+ goto loser;
-+ }
-+ baseKeyMoved = 1;
-+ finalBaseKey = bestBaseKey;
-+ finalBaseKeySlot = bestSlot;
-+ }
-+
-+ /* Assume we want to do a concatenation family here */
-+
-+ if( secondaryKeyObj != NULL) {
-+ if( JSS_PK11_getSymKeyPtr(env, secondaryKeyObj, &secondaryKey) != PR_SUCCESS) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: Can't find secondary sym key!\n");
-+ goto loser;
-+ }
-+
-+ /* Make sure the secondary key is in the proper slot to do concatenation */
-+
-+ slotForSecondaryKey = PK11_GetSlotFromKey( secondaryKey );
-+
-+ if( finalBaseKeySlot != slotForSecondaryKey ) {
-+
-+ finalSecondaryKey = PK11_MoveSymKey (finalBaseKeySlot, CKA_ENCRYPT, 0, PR_FALSE, secondaryKey);
-+
-+ if( finalSecondaryKey == NULL) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey, Problem moving secondary key to proper slot.\n");
-+ goto loser;
-+ }
-+ } else {
-+ finalSecondaryKey = secondaryKey;
-+ }
-+
-+ if( paramValue == NULL) {
-+ keyhandle = PK11_GetSymKeyHandle(finalSecondaryKey);
-+
-+ if( keyhandle == 0) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey, can't get handle for secondary sym key.\n");
-+ goto loser;
-+ }
-+
-+ paramsItem.data=(unsigned char *) &keyhandle;
-+ paramsItem.len=sizeof(keyhandle);
-+
-+ } else {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: incorrect input parameter provided!\n");
-+ goto loser;
-+ }
-+ }
-+
-+ derivedKey = PK11_Derive(finalBaseKey, deriveMechanism, ¶msItem, targetMechanism,
-+ operation, keySize);
-+ if(derivedKey == NULL) {
-+ PR_fprintf(PR_STDOUT,
-+ "ERROR: Can't derive symmetric key, error: %d \n",PR_GetError());
-+ goto loser;
-+ }
-+
-+ if ( (finalSlot = PK11_GetSlotFromKey(derivedKey )) != slot) {
-+ newKey = PK11_MoveSymKey ( slot, CKA_ENCRYPT, 0, PR_FALSE, derivedKey);
-+
-+ if ( newKey == NULL ) {
-+ PR_fprintf(PR_STDOUT,"PK11SymmetricKeyDeriver.nativeDeriveSymKey: error moving key to original slot, return anyway. \n");
-+ newKey = derivedKey;
-+ derivedKey = NULL;
-+ }
-+
-+ } else {
-+ newKey = derivedKey;
-+ derivedKey = NULL;
-+ }
-+
-+ keyObj = JSS_PK11_wrapSymKey(env, &newKey);
-+
-+loser:
-+
-+ if ( bestBaseKey != NULL ) {
-+ PK11_FreeSymKey ( bestBaseKey );
-+ bestBaseKey = NULL;
-+ }
-+
-+ if ( bestSecondaryKey != NULL ) {
-+ PK11_FreeSymKey ( bestSecondaryKey );
-+ bestSecondaryKey = NULL;
-+ }
-+
-+ if ( derivedKey != NULL) {
-+ PK11_FreeSymKey ( derivedKey );
-+ derivedKey = NULL;
-+ }
-+
-+ if (bestSlot != NULL ) {
-+ PK11_FreeSlot(bestSlot);
-+ bestSlot = NULL;
-+ }
-+
-+ if ( slotForKey != NULL ) {
-+ PK11_FreeSlot( slotForKey );
-+ slotForKey = NULL;
-+ }
-+
-+ if ( finalSlot != NULL ) {
-+ PK11_FreeSlot( finalSlot );
-+ finalSlot = NULL;
-+ }
-+
-+ if ( finalSecondarySlot != NULL ) {
-+ PK11_FreeSlot( finalSecondarySlot );
-+ finalSecondarySlot = NULL;
-+ }
-+
-+ if ( slotForSecondaryKey != NULL ) {
-+ PK11_FreeSlot( slotForSecondaryKey );
-+ slotForSecondaryKey = NULL;
-+ }
-+
-+ if(paramValue) {
-+ (*env)->ReleaseByteArrayElements(env, param, (jbyte*)paramValue,
-+ JNI_ABORT);
-+ }
-+ if(ivValue) {
-+ (*env)->ReleaseByteArrayElements(env, iv, (jbyte*)ivValue,
-+ JNI_ABORT);
-+ }
-+
-+ if( keyObj == NULL) {
-+ JSS_throwMsgPrErr(env, TOKEN_EXCEPTION, "Unable to derive symmetric key! "
-+ "failure!");
-+ }
-+
-+ return keyObj;
-+}
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.java.jmagne 2016-04-14 16:28:29.179823017 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymmetricKeyDeriver.java 2016-04-14 16:28:36.186774680 -0700
-@@ -0,0 +1,158 @@
-+/* ***** BEGIN LICENSE BLOCK *****
-+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
-+ *
-+ * The contents of this file are subject to the Mozilla Public License Version
-+ * 1.1 (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ * http://www.mozilla.org/MPL/
-+ *
-+ * Software distributed under the License is distributed on an "AS IS" basis,
-+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-+ * for the specific language governing rights and limitations under the
-+ * License.
-+ *
-+ * The Original Code is the Netscape Security Services for Java.
-+ *
-+ * The Initial Developer of the Original Code is
-+ * Netscape Communications Corporation.
-+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
-+ * the Initial Developer. All Rights Reserved.
-+ *
-+ * Contributor(s):
-+ *
-+ * Alternatively, the contents of this file may be used under the terms of
-+ * either the GNU General Public License Version 2 or later (the "GPL"), or
-+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-+ * in which case the provisions of the GPL or the LGPL are applicable instead
-+ * of those above. If you wish to allow use of your version of this file only
-+ * under the terms of either the GPL or the LGPL, and not to allow others to
-+ * use your version of this file under the terms of the MPL, indicate your
-+ * decision by deleting the provisions above and replace them with the notice
-+ * and other provisions required by the GPL or the LGPL. If you do not delete
-+ * the provisions above, a recipient may use your version of this file under
-+ * the terms of any one of the MPL, the GPL or the LGPL.
-+ *
-+ * ***** END LICENSE BLOCK ***** */
-+
-+package org.mozilla.jss.pkcs11;
-+
-+import org.mozilla.jss.crypto.*;
-+import org.mozilla.jss.util.Assert;
-+import sun.security.pkcs11.wrapper.*;
-+import java.security.InvalidKeyException;
-+
-+
-+/*This operation is pkcs11 based only */
-+
-+public class PK11SymmetricKeyDeriver implements SymmetricKeyDeriver {
-+
-+ private PK11Token token = null;
-+ private SymmetricKey baseKey = null;
-+ private SymmetricKey secondaryKey = null;
-+ private long deriveMechanism = 0;
-+ private long targetMechanism = 0;
-+ private long operation = 0;
-+ private long keySize = 0;
-+ private byte[] param = null;
-+ private byte[] iv = null;
-+
-+ public PK11SymmetricKeyDeriver(PK11Token token)
-+ {
-+ this.token = token;
-+ }
-+
-+ /* Use with the encrypt type mechanisms
-+
-+ Example: initDerive(
-+ symKey, (PKCS11Constants.CKM_DES3_ECB_ENCRYPT_DATA) 4354L, derivationData, null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE, 16);
-+
-+
-+ */
-+ public void initDerive(SymmetricKey baseKey, long deriveMech, byte[] param, byte[] iv,
-+ long targetMech, long operation, long keySize) throws InvalidKeyException
-+ {
-+ reset();
-+
-+ if(baseKey == null) {
-+ throw new InvalidKeyException("Key is null");
-+ }
-+
-+ this.baseKey = baseKey;
-+ this.deriveMechanism = deriveMech;
-+ this.targetMechanism = targetMech;
-+ this.operation = operation;
-+
-+ if ( param != null) {
-+ this.param = new byte[param.length];
-+ System.arraycopy(param,0,this.param,0,param.length);
-+ }
-+
-+ if ( iv != null) {
-+ this.iv = new byte[iv.length];
-+ System.arraycopy(iv,0,this.iv,0,iv.length);
-+ }
-+
-+ this.keySize = keySize;
-+
-+ }
-+
-+ /* Use with key extraction and key concatanation mechanisms
-+
-+ Example Extraction:
-+ param: byte array that has the bit position of where to extract
-+ initDerive(
-+ derivedKey, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null,
-+ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,8);
-+
-+ Example Concat:
-+
-+ initDerive(
-+ baseSymKey,secondarySymKey, PKCS11Constants.CKM_CONCATENATE_BASE_AND_KEY,null,null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,0);
-+
-+ */
-+
-+ public void initDerive(SymmetricKey baseKey, SymmetricKey secondaryKey, long deriveMech,
-+ byte[] param, byte[] iv, long targetMech, long operation, long keySize) throws InvalidKeyException
-+ {
-+ reset();
-+
-+ if ( baseKey == null || secondaryKey == null) {
-+ throw new InvalidKeyException("Key is null");
-+ }
-+
-+ initDerive(baseKey, deriveMech, param,iv,targetMech,operation,keySize);
-+ this.secondaryKey = secondaryKey;
-+
-+ }
-+
-+
-+ public SymmetricKey derive()
-+ throws TokenException
-+ {
-+ SymmetricKey result = deriveSymKey(this.baseKey,this.secondaryKey,this.deriveMechanism, this.param, this.iv, this.targetMechanism, this.operation,this.keySize);
-+ return result;
-+ }
-+
-+ private SymmetricKey
-+ deriveSymKey(SymmetricKey baseKey, SymmetricKey secondaryKey, long deriveMechanism, byte[] param, byte[] iv, long targetMechanism, long operation, long keySize)
-+ throws TokenException, IllegalStateException
-+ {
-+ return nativeDeriveSymKey(token, baseKey, secondaryKey,deriveMechanism, param, iv, targetMechanism, operation, keySize);
-+ }
-+
-+ public native SymmetricKey nativeDeriveSymKey(PK11Token token, SymmetricKey baseKey, SymmetricKey secondaryKey, long deriveMechanism, byte[] param, byte[] iv,
-+ long targetMechanism, long operation, long keySize);
-+
-+ private void reset() {
-+ baseKey = null;
-+ secondaryKey = null;
-+ deriveMechanism = 0;
-+ targetMechanism = 0;
-+ operation = 0;
-+ keySize = 0;
-+ param = null;
-+ iv = null;
-+ }
-+}
-diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.jmagne ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
---- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.jmagne 2016-04-14 16:30:46.098878459 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2016-04-14 17:27:30.918367372 -0700
-@@ -131,6 +131,11 @@ public final class PK11Token implements
- return PK11KeyGenerator.clone(key, this);
- }
-
-+ public PK11SymmetricKeyDeriver getSymmetricKeyDeriver()
-+ {
-+ return new PK11SymmetricKeyDeriver(this);
-+ }
-+
- public KeyWrapper
- getKeyWrapper(KeyWrapAlgorithm algorithm)
- throws NoSuchAlgorithmException, TokenException
-diff -up ./mozilla/security/jss/org/mozilla/jss/tests/SymKeyDeriving.java.jmagne ./mozilla/security/jss/org/mozilla/jss/tests/SymKeyDeriving.java
---- ./mozilla/security/jss/org/mozilla/jss/tests/SymKeyDeriving.java.jmagne 2016-04-14 16:32:58.529964860 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/tests/SymKeyDeriving.java 2016-05-17 11:43:51.858862556 -0700
-@@ -0,0 +1,516 @@
-+/* ***** BEGIN LICENSE BLOCK *****
-+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
-+ *
-+ * The contents of this file are subject to the Mozilla Public License Version
-+ * 1.1 (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ * http://www.mozilla.org/MPL/
-+ *
-+ * Software distributed under the License is distributed on an "AS IS" basis,
-+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
-+ * for the specific language governing rights and limitations under the
-+ * License.
-+ *
-+ * The Original Code is the Netscape Security Services for Java.
-+ *
-+ * The Initial Developer of the Original Code is
-+ * Netscape Communications Corporation.
-+ * Portions created by the Initial Developer are Copyright (C) 1998-2000
-+ * the Initial Developer. All Rights Reserved.
-+ *
-+ * Contributor(s):
-+ *
-+ * Alternatively, the contents of this file may be used under the terms of
-+ * either the GNU General Public License Version 2 or later (the "GPL"), or
-+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
-+ * in which case the provisions of the GPL or the LGPL are applicable instead
-+ * of those above. If you wish to allow use of your version of this file only
-+ * under the terms of either the GPL or the LGPL, and not to allow others to
-+ * use your version of this file under the terms of the MPL, indicate your
-+ * decision by deleting the provisions above and replace them with the notice
-+ * and other provisions required by the GPL or the LGPL. If you do not delete
-+ * the provisions above, a recipient may use your version of this file under
-+ * the terms of any one of the MPL, the GPL or the LGPL.
-+ *
-+ * ***** END LICENSE BLOCK ***** */
-+
-+package org.mozilla.jss.tests;
-+
-+import org.mozilla.jss.crypto.*;
-+import org.mozilla.jss.CryptoManager;
-+import org.mozilla.jss.util.Assert;
-+import org.mozilla.jss.pkcs11.*;
-+import sun.security.pkcs11.wrapper.PKCS11Constants;
-+import java.nio.ByteBuffer;
-+import java.util.Arrays;
-+import java.util.Vector;
-+import java.util.Enumeration;
-+
-+/**
-+ * Sym Key deriving tests..
-+ *
-+ */
-+
-+public class SymKeyDeriving {
-+
-+ private static final byte[] iv8 = new byte [] { 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8 };
-+ private static final byte[] iv16 = new byte [] { 0x1, 0x2, 0x3, 0x4,
-+ 0x5, 0x6, 0x7, 0x8,
-+ 0x9,0xa, 0xb, 0xc,0xd,0xe, 0xf,0x10 };
-+
-+ private static final byte[] derivationData1 = new byte[] { 0x11, 0x11, 0x13,
-+ 0x14, 0x15, 0x16, 0x17, 0x18 };
-+
-+ private static final byte[] derivationData2 = new byte [] { 0x9, 0xa, 0xb, 0xc, 0xd,
-+ 0xe, 0xf, 0x10 };
-+
-+ private static final byte[] derivationData16 = new byte[] { 0x1, 0x2, 0x3, 0x4, 0x5, 0x6,0x7, 0x8,
-+ 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf, 0x10 };
-+
-+
-+ public static void main(String args[]) {
-+
-+ SymmetricKey macKeyDev = null;
-+ try {
-+
-+ CryptoManager.InitializationValues vals =
-+ new CryptoManager.InitializationValues("./"
-+ );
-+ CryptoManager.initialize(vals);
-+ CryptoManager cm = CryptoManager.getInstance();
-+ CryptoToken token = cm.getInternalCryptoToken();
-+ CryptoToken keyToken = cm.getInternalKeyStorageToken();
-+ System.out.println("interal token name: " + keyToken.getName());
-+ KeyGenerator keyKg = keyToken.getKeyGenerator(KeyGenAlgorithm.DES3);
-+ SymmetricKey baseKey = keyKg.generate();
-+
-+
-+ KeyGenerator keyKgDes = keyToken.getKeyGenerator(KeyGenAlgorithm.DES);
-+ SymmetricKey baseKeyDes = keyKgDes.generate();
-+ System.out.println("strength: " + baseKeyDes.getStrength());
-+
-+
-+ KeyGenerator keyKgAES = keyToken.getKeyGenerator(KeyGenAlgorithm.AES);
-+ keyKgAES.initialize(128);
-+ SymmetricKey baseKeyAES = keyKgAES.generate();
-+
-+
-+
-+ System.out.println("baseKey bytes: ");
-+ byte[] baseBytes = baseKey.getEncoded();
-+ displayByteArray(baseBytes,true);
-+
-+
-+ /*****************************************************************************************************/
-+
-+ System.out.println("\n Mechanism CKM_EXTRACT_KEY_FROM_KEY test 16 bytes. \n");
-+
-+
-+ SymmetricKeyDeriver deriver = token.getSymmetricKeyDeriver();
-+ System.out.println("deriver: " + deriver);
-+ System.out.println("CKM_EXTRACT_KEY_FROM_KEY : " + PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY);
-+
-+ long bitPosition = 0;
-+
-+ byte[] param = longToBytes(bitPosition);
-+
-+ deriver.initDerive(
-+ baseKey, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null,
-+ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,(long) 16);
-+
-+
-+ SymmetricKey extracted16 = deriver.derive();
-+
-+ System.out.println("Derived key: " + extracted16);
-+
-+ if(extracted16 == null) {
-+ System.out.println("Failed to derive 16 byte key with mechanism: CKM_EXTRACT_KEY_FROM_KEY \n");
-+ }
-+
-+ System.out.println("derivedKey 16 bytes: ");
-+ byte[] derivedBytes = extracted16.getEncoded();
-+ displayByteArray(derivedBytes,true);
-+
-+
-+ /*****************************************************************************************************/
-+
-+ System.out.println("\n Mechanism CKM_EXTRACT_KEY_FROM_KEY test 8 bytes. \n");
-+
-+
-+ SymmetricKeyDeriver extract8 = token.getSymmetricKeyDeriver();
-+ extract8.initDerive(
-+ extracted16, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null,
-+ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,(long) 8);
-+
-+
-+ SymmetricKey extracted8 = extract8.derive();
-+ System.out.println("Derived key: " + extracted8);
-+
-+ if(extracted8 == null) {
-+ System.out.println("Failed to derive key extracted 8 bytes with mechanism: CKM_EXTRACT_KEY_FROM_KEY \n");
-+ }
-+
-+ byte[] extracted8Bytes = extracted8.getEncoded();
-+ System.out.println("derived extracted 8 bytes of key: ");
-+ displayByteArray(extracted8Bytes,true);
-+
-+
-+ /*****************************************************************************************************/
-+
-+
-+ System.out.println("\n Mechanism CKM_CONCATENATE_BASE_AND_KEY test 16 + 8 = 24 byte key. \n");
-+
-+ SymmetricKeyDeriver concat = keyToken.getSymmetricKeyDeriver();
-+ concat.initDerive(
-+ extracted16,extracted8, PKCS11Constants.CKM_CONCATENATE_BASE_AND_KEY,null,null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,(long) 0);
-+
-+ SymmetricKey concated24 = concat.derive();
-+
-+ if( concated24 == null) {
-+ System.out.println("Failed to derive key concated 8 bytes to 16 bytes key: CKM_CONCATENATE_BASE_AND_KEY \n");
-+ }
-+
-+ byte[] concated24Bytes = concated24.getEncoded();
-+ System.out.println("derived concated 16 + 8 = 24 byte key: ");
-+ displayByteArray(concated24Bytes,true);
-+
-+ /*****************************************************************************************************/
-+
-+ // Now lets try more complex derivation
-+
-+ // tmp2 = PK11_Derive( master , CKM_DES_ECB_ENCRYPT_DATA , ¶m , CKM_CONCATENATE_BASE_AND_KEY , CKA_DERIVE , 0);
-+
-+ System.out.println("\n Mechanism CKM_DES_ECB_ENCRYPT_DATA test. \n");
-+
-+ SymmetricKeyDeriver encrypt = token.getSymmetricKeyDeriver();
-+
-+ encrypt.initDerive(
-+ baseKeyDes, /* PKCS11Constants.CKM_DES_ECB_ENCRYPT_DATA */ 4352L,derivationData1 ,null,
-+ PKCS11Constants.CKM_DES_ECB, PKCS11Constants.CKA_DERIVE,(long) 8);
-+
-+ SymmetricKey encrypted8 = encrypt.derive();
-+
-+ if( encrypted8 == null) {
-+ System.out.println("Failed to derive 8 bytes from encrypted derivation data.");
-+ }
-+
-+ byte[] encrypted8Bytes = encrypted8.getEncoded();
-+ System.out.println("derived encrypted 8 bytes: " + encrypted8Bytes.length);
-+ displayByteArray(encrypted8Bytes,true);
-+
-+ Cipher cipher = null;
-+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.DES_ECB);
-+
-+ cipher.initEncrypt(baseKeyDes);
-+
-+ byte[] ciphertext = cipher.doFinal(derivationData1);
-+ displayByteArray(ciphertext,true);
-+
-+ if ( ciphertext.length != encrypted8Bytes.length ) {
-+ System.out.println("FAILED: encrypted data length not equal to derived key length.");
-+ } else {
-+ for ( int i = 0; i < ciphertext.length ; i ++) {
-+ ciphertext[i]&=0xfe;
-+ encrypted8Bytes[i]&=0xfe;
-+ }
-+ if ( Arrays.equals(ciphertext, encrypted8Bytes)) {
-+ System.out.println("PASSED: derived key the same as encrypted data.");
-+ } else {
-+
-+ System.out.println("FAILED: derived key not the same as encrypted data.");
-+ }
-+ }
-+
-+
-+ /*****************************************************************************************************/
-+
-+ // Try ecnrypted des3 derivation
-+
-+ System.out.println("\n Mechanism CKM_DES3_ECB_ENCRYPT_DATA test. \n");
-+
-+ SymmetricKeyDeriver encryptDes3 = token.getSymmetricKeyDeriver();
-+
-+ encryptDes3.initDerive(
-+ baseKey, /* PKCS11Constants.CKM_DES3_ECB_ENCRYPT_DATA */ 4354L ,derivationData16 ,null,
-+ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,(long) 16);
-+
-+
-+ SymmetricKey encrypted16 = encryptDes3.derive();
-+
-+ if ( encrypted16 == null) {
-+ System.out.println("Failed to derive 16 bytes from encrypted derivation data.");
-+ }
-+
-+ byte[] encrypted16Bytes = encrypted16.getEncoded();
-+
-+ System.out.println("derived encrypted 16 bytes: " + encrypted16Bytes.length);
-+ displayByteArray(encrypted16Bytes,true);
-+
-+
-+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.DES3_ECB);
-+ cipher.initEncrypt(baseKey);
-+ ciphertext = cipher.doFinal(derivationData16);
-+ displayByteArray(ciphertext,true);
-+
-+ if ( ciphertext.length != encrypted16Bytes.length ) {
-+ System.out.println("FAILED: encrypted data length not equal to derived key length.");
-+ } else {
-+ for ( int i = 0; i < ciphertext.length ; i ++) {
-+ ciphertext[i]&=0xfe;
-+ encrypted16Bytes[i]&=0xfe;
-+ }
-+ if ( Arrays.equals(ciphertext, encrypted16Bytes)) {
-+ System.out.println("PASSED: derived key the same as encrypted data.");
-+ } else {
-+ System.out.println("FAILED: derived key not the same as encrypted data.");
-+ }
-+ }
-+
-+
-+ /*****************************************************************************************************/
-+
-+ System.out.println("\n Mechanism CKM_DES_CBC_ENCRYPT_DATA test. \n");
-+
-+ SymmetricKeyDeriver encryptDesCBC = token.getSymmetricKeyDeriver();
-+
-+ encryptDesCBC.initDerive(
-+ baseKeyDes, /* PKCS11Constants.CKM_DES_CBC_ENCRYPT_DATA */ 4353L ,derivationData1 ,iv8,
-+ PKCS11Constants.CKM_DES_CBC, PKCS11Constants.CKA_DERIVE,(long) 8);
-+
-+
-+ SymmetricKey encryptedDesCBC = encryptDesCBC.derive();
-+
-+ if ( encryptedDesCBC == null) {
-+ System.out.println("Failed to derive 8 bytes from encrypted derivation data.");
-+ }
-+
-+ byte[] encryptedDesCBCBytes = encryptedDesCBC.getEncoded();
-+
-+ System.out.println("derived encrypted 8 bytes: " + encryptedDesCBCBytes.length);
-+ displayByteArray(encryptedDesCBCBytes,true);
-+
-+
-+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.DES_CBC);
-+ cipher.initEncrypt(baseKeyDes,new IVParameterSpec(iv8));
-+ ciphertext = cipher.doFinal(derivationData1);
-+ displayByteArray(ciphertext,true);
-+
-+ if ( ciphertext.length != encryptedDesCBCBytes.length ) {
-+ System.out.println("FAILED: encrypted data length not equal to derived key length.");
-+ } else {
-+ for ( int i = 0; i < ciphertext.length ; i ++) {
-+ ciphertext[i]&=0xfe;
-+ encryptedDesCBCBytes[i]&=0xfe;
-+ }
-+ if ( Arrays.equals(ciphertext, encryptedDesCBCBytes)) {
-+ System.out.println("PASSED: derived key the same as encrypted data.");
-+ } else {
-+
-+ System.out.println("FAILED: derived key not the same as encrypted data.");
-+ }
-+ }
-+
-+ /*****************************************************************************************************/
-+
-+ System.out.println("\n Mechanism CKM_DES3_CBC_ENCRYPT_DATA test. \n");
-+
-+ SymmetricKeyDeriver encryptDes3CBC = token.getSymmetricKeyDeriver();
-+
-+ encryptDes3CBC.initDerive(
-+ baseKey, /* PKCS11Constants.CKM_DES3_CBC_ENCRYPT_DATA */ 4355L ,derivationData16 ,iv8,
-+ PKCS11Constants.CKM_DES3_CBC, PKCS11Constants.CKA_DERIVE,(long) 16);
-+
-+
-+ SymmetricKey encryptedDes3CBC = encryptDes3CBC.derive();
-+
-+ if ( encryptedDes3CBC == null) {
-+ System.out.println("Failed to derive 16 bytes from encrypted derivation data.");
-+ }
-+
-+ byte[] encryptedDes3CBCBytes = encryptedDes3CBC.getEncoded();
-+
-+ System.out.println("derived encrypted 16 bytes: " + encryptedDes3CBCBytes.length);
-+ displayByteArray(encryptedDes3CBCBytes,true);
-+
-+
-+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.DES3_CBC);
-+ cipher.initEncrypt(baseKey,new IVParameterSpec(iv8));
-+ ciphertext = cipher.doFinal(derivationData16);
-+ displayByteArray(ciphertext,true);
-+
-+ if ( ciphertext.length != encryptedDes3CBCBytes.length ) {
-+ System.out.println("FAILED: encrypted data length not equal to derived key length.");
-+ } else {
-+ for ( int i = 0; i < ciphertext.length ; i ++) {
-+ ciphertext[i]&=0xfe;
-+ encryptedDes3CBCBytes[i]&=0xfe;
-+ }
-+ if ( Arrays.equals(ciphertext, encryptedDes3CBCBytes)) {
-+ System.out.println("PASSED: derived key the same as encrypted data.");
-+ } else {
-+
-+ System.out.println("FAILED: derived key not the same as encrypted data.");
-+ }
-+ }
-+
-+ /*****************************************************************************************************/
-+
-+ System.out.println("\n Mechanism CKM_AES_ECB_ENCRYPT_DATA test. \n");
-+
-+ SymmetricKeyDeriver encryptAESECB = token.getSymmetricKeyDeriver();
-+
-+ //System.in.read();
-+ encryptAESECB.initDerive(
-+ baseKeyAES, /* PKCS11Constants.CKM_AES_ECB_ENCRYPT_DATA */ 4356L ,derivationData16 ,null,
-+ PKCS11Constants.CKM_AES_ECB, PKCS11Constants.CKA_DERIVE,(long) 16);
-+
-+
-+ SymmetricKey encryptedAESECB = encryptAESECB.derive();
-+
-+ if ( encryptedAESECB == null) {
-+ System.out.println("Failed to derive 16 bytes from encrypted derivation data.");
-+ }
-+
-+ byte[] encryptedAESECBBytes = encryptedAESECB.getEncoded();
-+
-+ System.out.println("derived encrypted 16 bytes: " + encryptedAESECBBytes.length);
-+ displayByteArray(encryptedAESECBBytes,true);
-+
-+
-+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.AES_128_ECB);
-+ cipher.initEncrypt(baseKeyAES);
-+ ciphertext = cipher.doFinal(derivationData16);
-+ displayByteArray(ciphertext,true);
-+
-+ if ( ciphertext.length != encryptedAESECBBytes.length ) {
-+ System.out.println("FAILED: encrypted data length not equal to derived key length.");
-+ } else {
-+ for ( int i = 0; i < ciphertext.length ; i ++) {
-+ ciphertext[i]&=0xfe;
-+ encryptedAESECBBytes[i]&=0xfe;
-+ }
-+ if ( Arrays.equals(ciphertext, encryptedAESECBBytes)) {
-+ System.out.println("PASSED: derived key the same as encrypted data.");
-+ } else {
-+
-+ System.out.println("FAILED: derived key not the same as encrypted data.");
-+ }
-+ }
-+
-+
-+ /*****************************************************************************************************/
-+
-+ System.out.println("\n Mechanism CKM_AES_CBC_ENCRYPT_DATA test. \n");
-+
-+ SymmetricKeyDeriver encryptAESCBC= token.getSymmetricKeyDeriver();
-+
-+ //System.in.read();
-+ encryptAESCBC.initDerive(
-+ baseKeyAES, /* PKCS11Constants.CKM_AES_CBC_ENCRYPT_DATA */ 4357L ,derivationData16 ,iv16,
-+ PKCS11Constants.CKM_AES_CBC, PKCS11Constants.CKA_DERIVE,(long) 16);
-+
-+
-+ SymmetricKey encryptedAESCBC = encryptAESCBC.derive();
-+
-+ if ( encryptedAESCBC == null) {
-+ System.out.println("Failed to derive 16 bytes from encrypted derivation data.");
-+ }
-+
-+ byte[] encryptedAESCBCBytes = encryptedAESCBC.getEncoded();
-+
-+ System.out.println("derived encrypted 16 bytes: " + encryptedAESCBCBytes.length);
-+ displayByteArray(encryptedAESCBCBytes,true);
-+
-+
-+ cipher = keyToken.getCipherContext(EncryptionAlgorithm.AES_128_CBC);
-+ cipher.initEncrypt(baseKeyAES,new IVParameterSpec(iv16));
-+ ciphertext = cipher.doFinal(derivationData16);
-+ displayByteArray(ciphertext,true);
-+
-+ if ( ciphertext.length != encryptedAESCBCBytes.length ) {
-+ System.out.println("FAILED: encrypted data length not equal to derived key length.");
-+ } else {
-+ for ( int i = 0; i < ciphertext.length ; i ++) {
-+ ciphertext[i]&=0xfe;
-+ encryptedAESCBCBytes[i]&=0xfe;
-+ }
-+ if ( Arrays.equals(ciphertext, encryptedAESCBCBytes)) {
-+ System.out.println("PASSED: derived key the same as encrypted data.");
-+ } else {
-+
-+ System.out.println("FAILED: derived key not the same as encrypted data.");
-+ }
-+ }
-+
-+ // get vector of symkeys
-+
-+ Enumeration<CryptoToken> ect = null;
-+ ect = (Enumeration<CryptoToken>) cm.getAllTokens();
-+ CryptoToken ct = null; //ct = cm.getTokenByName("ePass Token");
-+ while (ect.hasMoreElements())
-+ {
-+ ct = ect.nextElement();
-+ System.out.println("CryptoToken.name= " + ct.getName());
-+ }
-+
-+ SymmetricKey[] keys = keyToken.getCryptoStore().getSymmetricKeys();
-+
-+ SymmetricKey macKey = getSymKeyByName(keys, "defKeySet-macKey");
-+
-+ System.out.println("macKey: " + macKey);
-+
-+ } catch(Exception e) {
-+ e.printStackTrace();
-+ }
-+ }
-+
-+ public static void
-+ displayByteArray(byte[] ba, boolean has_check_sum) {
-+ char mask = 0xff;
-+
-+ if ( has_check_sum == true )
-+ mask = 0xfe;
-+
-+ for(int i=0; i < ba.length; i++) {
-+
-+ System.out.print( Integer.toHexString(ba[i]&mask) + " " );
-+ if( (i % 26) == 25 ) {
-+ System.out.println("");
-+ }
-+ }
-+ System.out.println("");
-+ }
-+
-+ public static byte[] longToBytes(long x) {
-+ ByteBuffer buffer = ByteBuffer.allocate(8);
-+ buffer.putLong(x);
-+ return buffer.array();
-+ }
-+
-+ public static byte[] concatByteArrays(byte[] a, byte[] b) {
-+ byte[] result = new byte[a.length + b.length];
-+ System.arraycopy(a, 0, result, 0, a.length);
-+ System.arraycopy(b, 0, result, a.length, b.length);
-+ return result;
-+ }
-+
-+ public static SymmetricKey getSymKeyByName( SymmetricKey[] keys, String name) {
-+ if ( keys == null || name == null ) {
-+ return null;
-+ }
-+
-+ int len = keys.length;
-+ for(int i = 0 ; i < len ; i++ ) {
-+ SymmetricKey cur = keys[i];
-+ if ( cur != null ) {
-+ if( name.equals(cur.getNickName())) {
-+ System.out.println("Found key: " + name + "\n");
-+ return cur;
-+ }
-+ }
-+ }
-+
-+ return null;
-+ }
-+}
-diff -up ./mozilla/security/jss/org/mozilla/jss/util/java_ids.h.jmagne ./mozilla/security/jss/org/mozilla/jss/util/java_ids.h
---- ./mozilla/security/jss/org/mozilla/jss/util/java_ids.h.jmagne 2016-04-14 16:34:36.729287416 -0700
-+++ ./mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2016-04-14 16:34:45.608226163 -0700
-@@ -243,6 +243,7 @@ PR_BEGIN_EXTERN_C
- */
- #define PK11SYMKEY_CLASS_NAME "org/mozilla/jss/pkcs11/PK11SymKey"
- #define PK11SYMKEY_CONSTRUCTOR_SIG "([B)V"
-+#define PK11SYMKEY_CONSTRUCTOR_1_SIG "([BLjava/lang/String;)V"
-
- /*
- * PK11Token
diff --git a/SOURCES/jss-undo-BadPaddingException-deprecation.patch b/SOURCES/jss-undo-BadPaddingException-deprecation.patch
deleted file mode 100644
index 1b372a7..0000000
--- a/SOURCES/jss-undo-BadPaddingException-deprecation.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java 2004-04-25 08:02:21.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java 2012-03-30 16:17:30.748371000 -0700
-@@ -35,9 +35,6 @@
- * ***** END LICENSE BLOCK ***** */
- package org.mozilla.jss.crypto;
-
--/**
-- * @deprecated Use javax.crypto.BadPaddingException.
-- */
- public class BadPaddingException extends Exception {
- public BadPaddingException() {
- super();
diff --git a/SOURCES/jss-undo-JCA-deprecations.patch b/SOURCES/jss-undo-JCA-deprecations.patch
deleted file mode 100644
index a51c51a..0000000
--- a/SOURCES/jss-undo-JCA-deprecations.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2012-03-20 16:30:26.570338000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2012-03-20 16:39:59.083196000 -0700
-@@ -49,7 +49,6 @@ import org.mozilla.jss.util.Assert;
- * it is not necessary to call <code>update</code> if all of the data is
- * available at once. In this case, all of the input can be processed with one
- * call to <code>doFinal</code>.
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
- */
- public abstract class Cipher {
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2012-03-20 16:30:26.587338000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2012-03-20 16:41:54.792964000 -0700
-@@ -60,7 +60,6 @@ public interface CryptoToken {
- * @param algorithm The algorithm used for the signing/verification.
- * @exception java.security.NoSuchAlgorithmException If the given
- * algorithm is not supported by this provider.
-- * @deprecated Use the JCA interface instead ({@link java.security.Signature})
- */
- public abstract org.mozilla.jss.crypto.Signature
- getSignatureContext(SignatureAlgorithm algorithm)
-@@ -73,7 +72,6 @@ public interface CryptoToken {
- * @param algorithm The algorithm used for digesting.
- * @exception java.security.NoSuchAlgorithmException If this provider
- * does not support the given algorithm.
-- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest})
- */
- public abstract JSSMessageDigest
- getDigestContext(DigestAlgorithm algorithm)
-@@ -89,15 +87,11 @@ public interface CryptoToken {
- * @param algorithm The algorithm used for encryption/decryption.
- * @exception java.security.NoSuchAlgorithmException If this provider
- * does not support the given algorithm.
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
- */
- public abstract Cipher
- getCipherContext(EncryptionAlgorithm algorithm)
- throws java.security.NoSuchAlgorithmException, TokenException;
-
-- /**
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
-- */
- public abstract KeyWrapper
- getKeyWrapper(KeyWrapAlgorithm algorithm)
- throws java.security.NoSuchAlgorithmException, TokenException;
-@@ -123,7 +117,6 @@ public interface CryptoToken {
- * @param algorithm The algorithm that the keys will be used with.
- * @exception java.security.NoSuchAlgorithmException If this token does not
- * support the given algorithm.
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator})
- */
- public abstract KeyGenerator
- getKeyGenerator(KeyGenAlgorithm algorithm)
-@@ -136,7 +129,6 @@ public interface CryptoToken {
- * cannot be extracted from the current token.
- * @exception InvalidKeyException If the owning token cannot process
- * the key to be cloned.
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.SecretKeyFactory})
- */
- public SymmetricKey cloneKey(SymmetricKey key)
- throws SymmetricKey.NotExtractableException,
-@@ -151,7 +143,6 @@ public interface CryptoToken {
- * DSA, EC, etc.)
- * @exception java.security.NoSuchAlgorithmException If this token does
- * not support the given algorithm.
-- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})
- */
- public abstract KeyPairGenerator
- getKeyPairGenerator(KeyPairAlgorithm algorithm)
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2012-03-20 16:30:26.595338000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2012-03-20 16:38:31.987370000 -0700
-@@ -41,7 +41,6 @@ import java.security.InvalidKeyException
-
- /**
- * A class for performing message digesting (hashing) and MAC operations.
-- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest})
- */
- public abstract class JSSMessageDigest {
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java 2004-04-25 08:02:21.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java 2012-03-20 16:39:02.938308000 -0700
-@@ -38,7 +38,6 @@ package org.mozilla.jss.crypto;
-
- /**
- * An interface for secure random numbers.
-- * @deprecated Use the JCA interface instead ({@link java.security.SecureRandom})
- */
- public interface JSSSecureRandom {
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java 2005-11-14 14:15:06.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java 2012-03-20 16:39:19.687274000 -0700
-@@ -43,7 +43,6 @@ import java.io.CharConversionException;
-
- /**
- * Generates symmetric keys for encryption and decryption.
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator})
- */
- public interface KeyGenerator {
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2012-03-20 16:30:25.755340000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2012-03-20 16:38:03.635426000 -0700
-@@ -49,7 +49,6 @@ import java.security.spec.AlgorithmParam
- * <code>keygenOnInternalToken</code> to find out if this is happening.
- *
- * @see org.mozilla.jss.crypto.CryptoToken#getKeyPairGenerator
-- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})
- */
- public class KeyPairGenerator {
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2004-04-25 08:02:21.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2012-03-20 16:39:40.551232000 -0700
-@@ -40,9 +40,6 @@ import java.security.InvalidAlgorithmPar
- import java.security.PublicKey;
- import java.security.InvalidKeyException;
-
--/**
-- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
-- */
- public interface KeyWrapper {
-
- public void initWrap(SymmetricKey wrappingKey,
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java 2004-04-25 08:02:21.000000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java 2012-03-20 16:38:46.468340000 -0700
-@@ -44,7 +44,6 @@ import java.security.spec.AlgorithmParam
- * Instances of this class can be obtain from <code>CryptoToken</code>s.
- *
- * @see org.mozilla.jss.crypto.CryptoToken#getSignatureContext
-- * @deprecated Use the JCA interface instead ({@link java.security.Signature})
- */
- public class Signature {
-
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java 2005-11-23 15:40:26.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java 2012-03-20 16:35:13.653766000 -0700
-@@ -37,15 +37,10 @@
-
- /* This program demonstrates how to sign data with keys from JSS
- *
-- * Most of this code is deprecated look at JCASigTest.java
-- *
- * The token name can be either the name of a hardware token, or
- * one of the internal tokens:
- * Internal Crypto Services Token
- * Internal Key Storage Token (keys stored in key3.db)
-- *
-- * @see org.mozilla.jss.tests.JCASigTest
-- * @deprecated Use the JCA interface instead
- */
-
- package org.mozilla.jss.tests;
-diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl
---- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl 2007-12-20 10:38:44.000000000 -0800
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl 2012-03-20 16:36:37.711598000 -0700
-@@ -534,6 +534,10 @@ $testname = "Mozilla-JSS JCA Signature "
- $command = "$java -cp $jss_classpath org.mozilla.jss.tests.JCASigTest $testdir $pwfile";
- run_test($testname, $command);
-
-+$testname = "Mozilla-JSS NSS Signature ";
-+$command = "$java -cp $jss_classpath org.mozilla.jss.tests.SigTest $testdir $pwfile";
-+run_test($testname, $command);
-+
- $testname = "Secret Decoder Ring";
- $command = "$java -cp $jss_classpath org.mozilla.jss.tests.TestSDR $testdir $pwfile";
- run_test($testname, $command);
diff --git a/SOURCES/jss-wrapInToken.patch b/SOURCES/jss-wrapInToken.patch
deleted file mode 100644
index 697895f..0000000
--- a/SOURCES/jss-wrapInToken.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-10-18 09:16:08.362000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-10-19 17:55:01.162000000 -0700
-@@ -283,8 +283,9 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- status = PK11_WrapPrivKey(slot, wrapping, toBeWrapped, mech, param,
- &wrapped, NULL /* wincx */ );
- if(status != SECSuccess) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION,
-- "Wrapping operation failed on token");
-+ char err[256] = {0};
-+ PR_snprintf(err, 256, "Wrapping operation failed on token:%d", PR_GetError());
-+ JSS_throwMsg(env, TOKEN_EXCEPTION, err);
- goto finish;
- }
- PR_ASSERT(wrapped.len>0 && wrapped.data!=NULL);
-@@ -328,11 +329,15 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- int numAttribs = 0;
- CK_TOKEN_INFO tokenInfo;
-
-+ /* ideal defaults */
- PRBool isSensitive = PR_TRUE;
- PRBool isExtractable = PR_FALSE;
-- /* special case nethsm*/
-+
-+ /* special case nethsm and lunasa*/
- CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
-+ CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'};
- PRBool isNethsm = PR_TRUE;
-+ PRBool isLunasa = PR_TRUE;
-
- if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
- /* exception was thrown */
-@@ -347,9 +352,17 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- break;
- }
- }
-+ ix = 0;
-+ for(ix=0; ix < 4; ix++) {
-+ if (tokenInfo.label[ix] != lunasaLabel[ix]) {
-+ isLunasa = PR_FALSE;
-+ break;
-+ }
-+ }
-
- } else {
- isNethsm = PR_FALSE;
-+ isLunasa = PR_FALSE;
- }
-
- /* get unwrapping key */
-@@ -412,23 +425,25 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
- }
- keyType = PK11_GetKeyType(keyTypeMech, 0);
-
-+ /* special case nethsm and lunasa*/
- if( isNethsm ) {
- isSensitive = PR_FALSE;
- isExtractable = PR_FALSE;
-+ } else if ( isLunasa) {
-+ isSensitive = PR_FALSE;
-+ isExtractable = PR_TRUE;
- }
-
--setAttrs:
- /* figure out which operations to enable for this key */
- switch (keyType) {
- case CKK_RSA:
-+ numAttribs = 3;
- attribs[0] = CKA_SIGN;
- attribs[1] = CKA_SIGN_RECOVER;
- attribs[2] = CKA_UNWRAP;
- if (isExtractable) {
- attribs[3] = CKA_EXTRACTABLE;
- numAttribs = 4;
-- } else {
-- numAttribs = 3;
- }
- break;
- case CKK_DSA:
-@@ -459,7 +474,9 @@ setAttrs:
- &label, pubValue, token, isSensitive /*sensitive*/, keyType,
- attribs, numAttribs, NULL /*wincx*/);
- if( privk == NULL ) {
-- JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token");
-+ char err[256] = {0};
-+ PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError());
-+ JSS_throwMsg(env, TOKEN_EXCEPTION, err);
- goto finish;
- }
-
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfu 2011-10-18 15:29:50.597000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2011-10-18 15:49:40.073000000 -0700
-@@ -322,10 +322,13 @@ final class PK11KeyWrapper implements Ke
- throw new InvalidKeyException("key to be wrapped is not a "+
- "PKCS #11 key");
- }
-+/* NSS is capable of moving keys appropriately,
-+ so this call is prematurely bailing
- if( ! symKey.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("key to be wrapped does not live"+
- " on the same token as the wrapping key");
- }
-+*/
- }
-
- /**
-@@ -340,10 +343,13 @@ final class PK11KeyWrapper implements Ke
- throw new InvalidKeyException("key to be wrapped is not a "+
- "PKCS #11 key");
- }
-+/* NSS is capable of moving keys appropriately,
-+ so this call is prematurely bailing
- if( ! privKey.getOwningToken().equals(token) ) {
- throw new InvalidKeyException("key to be wrapped does not live"+
- " on the same token as the wrapping key");
- }
-+*/
- }
-
- /**
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.cfu 2011-10-18 14:34:32.148000000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-10-18 14:35:20.402000000 -0700
-@@ -135,10 +135,13 @@ public final class PK11Token implements
- getKeyWrapper(KeyWrapAlgorithm algorithm)
- throws NoSuchAlgorithmException, TokenException
- {
-+/* NSS is capable of finding the right token to do algorithm,
-+ so this call is prematurely bailing
- if( ! doesAlgorithm(algorithm) ) {
- throw new NoSuchAlgorithmException(
- algorithm+" is not supported by this token");
- }
-+*/
- return new PK11KeyWrapper(this, algorithm);
- }
-
-diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
---- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.cfu 2011-10-18 09:24:13.796001000 -0700
-+++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java 2011-10-18 15:41:24.687000000 -0700
-@@ -243,7 +243,7 @@ public class EncryptedPrivateKeyInfo imp
- }
-
- KeyWrapper wrapper = token.getKeyWrapper(
-- KeyWrapAlgorithm.DES3_CBC);
-+ KeyWrapAlgorithm.DES3_CBC_PAD);
- wrapper.initWrap(key, params);
- byte encrypted[] = wrapper.wrap(pri);
-
-@@ -260,6 +260,7 @@ public class EncryptedPrivateKeyInfo imp
- return epki;
-
- } catch (Exception e) {
-+ System.out.println("createPBE: exception:"+e.toString());
- Assert.notReached("EncryptedPrivateKeyInfo exception:"
- +".createPBE");
- }
diff --git a/SPECS/jss.spec b/SPECS/jss.spec
index cc130dc..07214f3 100644
--- a/SPECS/jss.spec
+++ b/SPECS/jss.spec
@@ -1,60 +1,39 @@
Name: jss
-Version: 4.2.6
-Release: 42%{?dist}
+Version: 4.4.0
+Release: 7%{?dist}
Summary: Java Security Services (JSS)
Group: System Environment/Libraries
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/jss/
-# The source for this package was pulled from upstream's cvs. Use the
+# The source for this package was pulled from upstream's hg. Use the
# following commands to generate the tarball:
-# cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot export -r JSS_4_2_6_RTM -d jss-4.2.6 -N mozilla/security/coreconf mozilla/security/jss
-# tar -czvf jss-4.2.6.tar.gz jss-4.2.6
-Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/%{name}-%{version}.tar.gz
-Source1: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/MPL-1.1.txt
-Source2: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/gpl.txt
-Source3: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/lgpl.txt
+#
+# hg clone https://hg.mozilla.org/projects/jss
+# cd jss
+# hg archive --prefix jss-4.4.0/jss/ ../jss-4.4.0.tar.gz
+#
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/%{name}-%{version}.tar.gz
+Source1: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/MPL-1.1.txt
+Source2: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/gpl.txt
+Source3: http://pki.fedoraproject.org/pki/sources/%{name}/%{version}/lgpl.txt
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: nss-devel >= 3.21.0
-BuildRequires: nspr-devel >= 4.11.0
+Conflicts: idm-console-framework < 1.1.17-4
+Conflicts: pki-base < 10.4.0
+Conflicts: tomcatjss < 7.2.1
+
+BuildRequires: nss-devel >= 3.28.4-6
+BuildRequires: nspr-devel >= 4.13.1
BuildRequires: java-devel
-Requires: java
-Requires: nss >= 3.21.0
-
-Patch1: jss-key_pair_usage_with_op_flags.patch
-Patch2: jss-javadocs-param.patch
-Patch3: jss-ipv6.patch
-Patch4: jss-ECC-pop.patch
-Patch5: jss-loadlibrary.patch
-Patch6: jss-ocspSettings.patch
-Patch7: jss-ECC_keygen_byCurveName.patch
-Patch8: jss-VerifyCertificate.patch
-Patch9: jss-bad-error-string-pointer.patch
-Patch10: jss-VerifyCertificateReturnCU.patch
-#Patch11: jss-slots-not-freed.patch
-Patch12: jss-ECC-HSM-FIPS.patch
-Patch13: jss-eliminate-native-compiler-warnings.patch
-Patch14: jss-eliminate-java-compiler-warnings.patch
-Patch15: jss-PKCS12-FIPS.patch
-Patch16: jss-eliminate-native-coverity-defects.patch
-Patch17: jss-PBE-PKCS5-V2-secure-P12.patch
-Patch18: jss-wrapInToken.patch
-Patch19: jss-HSM-manufacturerID.patch
-Patch20: jss-ECC-Phase2KeyArchivalRecovery.patch
-Patch21: jss-undo-JCA-deprecations.patch
-Patch22: jss-undo-BadPaddingException-deprecation.patch
-Patch23: jss-fixed-build-issue-on-F17-or-newer.patch
-Patch24: jss-SHA-OID-fix.patch
-Patch25: jss-RC4-strengh-verify.patch
-Patch26: jss-support-TLS1_1-TLS1_2.patch
-Patch27: jss-WindowsCompileFix.patch
-Patch28: jss-WindowsLoadLibrary.patch
-Patch29: jss-Fixed-build-failures.patch
-Patch30: jss-VerifyCertificate-enhancement.patch
-Patch31: jss-lunasaUnwrap.patch
-Patch32: jss-symkey-enhancements.patch
-Patch33: jss-crmf-envelopedData.patch
+%if 0%{?fedora} >= 25
+BuildRequires: perl
+%endif
+Requires: java-headless
+Requires: nss >= 3.28.4-6
+
+Patch1: jss-post-rebase.patch
+Patch2: jss-rhel-7-4-beta.patch
%description
Java Security Services (JSS) is a java native interface which provides a bridge
@@ -70,47 +49,22 @@ Requires: jss = %{version}-%{release}
This package contains the API documentation for JSS.
%prep
-%setup -q
+%setup -q -n %{name}-%{version}
+pushd jss
%patch1 -p1
%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
-#%patch11 -p1
-%patch12 -p1
-%patch13 -p1
-%patch14 -p1
-%patch15 -p1
-%patch16 -p1
-%patch17 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch21 -p1
-%patch22 -p1
-%patch23 -p1
-%patch24 -p1
-%patch25 -p1
-%patch26 -p1
-%patch27 -p1
-%patch28 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch33 -p1
+popd
%build
[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
+[ -z "$USE_INSTALLED_NSPR" ] && export USE_INSTALLED_NSPR=1
+[ -z "$USE_INSTALLED_NSS" ] && export USE_INSTALLED_NSS=1
# Enable compiler optimizations and disable debugging code
-BUILD_OPT=1
-export BUILD_OPT
+# NOTE: If you ever need to create a debug build with optimizations disabled
+# just comment out this line and change in the %%install section below the
+# line that copies jars xpclass.jar to be xpclass_dbg.jar
+export BUILD_OPT=1
# Generate symbolic info for debuggers
XCFLAGS="-g $RPM_OPT_FLAGS"
@@ -133,31 +87,22 @@ export NSPR_LIB_DIR
export NSS_INCLUDE_DIR
export NSS_LIB_DIR
-%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
+%if 0%{?__isa_bits} == 64
USE_64=1
export USE_64
%endif
-%if 0%{?fedora} >= 16
-cp -p mozilla/security/coreconf/Linux2.6.mk mozilla/security/coreconf/Linux3.1.mk
-sed -i -e 's;LINUX2_1;LINUX3_1;' mozilla/security/coreconf/Linux3.1.mk
-
-cp -p mozilla/security/coreconf/Linux3.1.mk mozilla/security/coreconf/Linux3.2.mk
-sed -i -e 's;LINUX3_1;LINUX3_2;' mozilla/security/coreconf/Linux3.2.mk
-
-cp -p mozilla/security/coreconf/Linux3.2.mk mozilla/security/coreconf/Linux3.6.mk
-sed -i -e 's;LINUX3_1;LINUX3_6;' mozilla/security/coreconf/Linux3.6.mk
-%endif
-
# The Makefile is not thread-safe
-make -C mozilla/security/coreconf
-make -C mozilla/security/jss
-make -C mozilla/security/jss javadoc
+make -C jss/coreconf
+make -C jss
+make -C jss javadoc
+
+%check
%install
rm -rf $RPM_BUILD_ROOT docdir
-# Copy the license files here so we can include them in %doc
+# Copy the license files here so we can include them in %%doc
cp -p %{SOURCE1} .
cp -p %{SOURCE2} .
cp -p %{SOURCE3} .
@@ -165,31 +110,23 @@ cp -p %{SOURCE3} .
# There is no install target so we'll do it by hand
# jars
-%if 0%{?fedora} >= 16
-install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
-install -m 644 mozilla/dist/xpclass.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
-%else
-install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
-install -m 644 mozilla/dist/xpclass.jar ${RPM_BUILD_ROOT}%{_libdir}/jss/jss4-%{version}.jar
-ln -fs jss4-%{version}.jar $RPM_BUILD_ROOT%{_libdir}/jss/jss4.jar
-
install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
-ln -fs %{_libdir}/jss/jss4.jar $RPM_BUILD_ROOT%{_jnidir}/jss4.jar
-%endif
+# NOTE: if doing a debug no opt build change xpclass.jar to xpclass_dbg.jar
+install -m 644 dist/xpclass.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
# We have to use the name libjss4.so because this is dynamically
# loaded by the jar file.
install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
-install -m 0755 mozilla/dist/Linux*.OBJ/lib/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
-%if 0%{?fedora} >= 16
+install -m 0755 dist/Linux*.OBJ/lib/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
pushd ${RPM_BUILD_ROOT}%{_libdir}/jss
ln -fs %{_jnidir}/jss4.jar jss4.jar
popd
-%endif
# javadoc
install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
-cp -rp mozilla/dist/jssdoc/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
+cp -rp dist/jssdoc/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
+cp -p jss/jss.html $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
+cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
%clean
rm -rf $RPM_BUILD_ROOT
@@ -197,21 +134,115 @@ rm -rf $RPM_BUILD_ROOT
# No ldconfig is required since this library is loaded by Java itself.
%files
%defattr(-,root,root,-)
-%doc mozilla/security/jss/jss.html MPL-1.1.txt gpl.txt lgpl.txt
+%doc jss/jss.html MPL-1.1.txt gpl.txt lgpl.txt
%{_libdir}/jss/*
%{_jnidir}/*
+%{_libdir}/jss/lib*.so
%files javadoc
%defattr(-,root,root,-)
%dir %{_javadocdir}/%{name}-%{version}
%{_javadocdir}/%{name}-%{version}/*
-
%changelog
+* Tue May 9 2017 Matthew Harmsen <mharmsen@redhat.com> - 4.4.0-7
+- Bump NSS dependencies from 4.28.3 to 4.28.4-6 to pick-up fix in
+ Mozilla Bugzilla #1360207 - Fix incorrect if (ss->...) in SSL_ReconfigFD
+
+* Mon May 1 2017 Matthew Harmsen <mharmsen@redhat.com> - 4.4.0-6
+- Mozilla Bugzilla #1352476 - RFE: Document on the README how to create a
+ release tag (mharmsen)
+- Mozilla Bugzilla #1355358 - CryptoStore: add methods for importing and
+ exporting EncryptedPrivateKeyInfo (ftweedal)
+- Mozilla Bugzilla #1359731 - CryptoStore.importPrivateKey enhancements
+ (ftweedal)
+
+* Mon Apr 17 2017 Matthew Harmsen <mharmsen@redhat.com> - 4.4.0-5
+- Mozilla Bugzilla #1355268 - JSS 4.4 is incompatible with versions of
+ idm-console-framework < 1.1.17-4
+- Red Hat Bugzilla #1435076 - Remove unused legacy lines from JSS spec files
+
+* Mon Mar 27 2017 Matthew Harmsen <mharmsen@redhat.com> - 4.4.0-4
+- Bugzilla Bug #1394414 - Rebase jss to 4.4.0 in RHEL 7.4
+- Updated build requirements for NSPR
+- Updated build and runtime requirements for NSS
+- ## 'jss-post-rebase.patch' resolves the following issues ported from
+ ## upstream:
+- Mozilla Bugzilla #1337092 - CMC conformance update: Implement required ASN.1
+ code for RFC5272+ (cfu)
+- Mozilla Bugzilla #1347394 - Eclipse project files for JSS (edewata)
+- Mozilla Bugzilla #1347429 - Deprecated SSL 3.0 cipher names in SSLSocket
+ class. (edewata)
+- Mozilla Bugzilla #1348856 - SSL alert callback (edewata)
+- Mozilla Bugzilla #1349278 - SSL cipher enumeration (edewata)
+- Mozilla Bugzilla #1349349 - Problem with Password.readPasswordFromConsole().
+ (edewata)
+- Mozilla Bugzilla #1349831 - Revise top-level README file (mharmsen)
+- Mozilla Bugzilla #1349836 - Changes to JSS Version Block (mharmsen)
+- Mozilla Bugzilla #1350130 - Missing
+ CryptoManager.verifyCertificateNowCUNative() implementation. (emaldona)
+
+* Tue Mar 21 2017 Matthew Harmsen <mharmsen@redhat.com> - 4.4.0-3
+- Added Conflicts statement due to incompatibility with pki-base < 10.4.0
+
+* Wed Mar 15 2017 Matthew Harmsen <mharmsen@redhat.com> - 4.4.0-2
+- Added Conflicts statement due to incompatibility with tomcatjss < 7.2.1
+
+* Mon Mar 13 2017 Elio Maldonado <emaldona@redhat.com> - 4.4.0-1
+- Bugzilla Bug #1394414 - Rebase jss to 4.4.0 in RHEL 7.4
+- ## JSS 4.4.0 includes the following patches ported from downstream:
+- Mozilla Bugzilla #507536 - Add IPv6 functionality to JSS
+- Mozilla Bugzilla #1307872 - Expose NSS calls for OCSP settings
+- Mozilla Bugzilla #1307882 - RFE ecc - add ecc curve name support in JSS and
+ CS interface
+- Mozilla Bugzilla #1307993 - Expose updated certificate verification function
+ in JSS
+- Mozilla Bugzilla #1308000 - Incorrect socket accept error message due to bad
+ pointer arithmetic
+- Mozilla Bugzilla #1308001 - Verification should fail when a revoked
+ certificate is added
+- Mozilla Bugzilla #1308004 - Warnings should be cleaned up in JSS build
+- Mozilla Bugzilla #1308006 - DRM failed to recovery keys when in FIPS mode
+ (HSM + NSS)
+- Mozilla Bugzilla #1308008 - Defects revealed by Coverity scan
+- Mozilla Bugzilla #1308009 - Add support for PKCS5v2; support for secure PKCS12
+- Mozilla Bugzilla #1308012 - DRM: during archiving and recovering, wrapping
+ unwrapping keys should be done in the token
+- Mozilla Bugzilla #1308013 - JSS - HSM token name was mistaken for
+ manufacturer identifier
+- Mozilla Bugzilla #1308017 - Un-deprecate previously deprecated methods in
+ JSS 4.2.6
+- Mozilla Bugzilla #1308019 - Provide Tomcat support for TLS v1.1 and
+ TLS v1.2 via NSS through JSS
+- Mozilla Bugzilla #1308026 - JSS certificate validation does not pass up exact
+ error from NSS
+- Mozilla Bugzilla #1308027 - Merge pki-symkey into jss
+- Mozilla Bugzilla #1308029 - Resolve Javadoc build issues
+- Mozilla Bugzilla #1308047 - support ECC encryption key archival and recovery
+- Mozilla Bugzilla #1313122 - Remove bypass tests as latest NSS has removed
+ PKCS#11 bypass support
+- Mozilla Bugzilla #1328675 - Simple problem unwrapping AES sym keys on token
+- Mozilla Bugzilla #1345174 - Cannot create system certs when using LunaSA HSM
+ in FIPS Mode and ECC algorithms
+- Mozilla Bugzilla #1345613 - expose AES KeyWrap and add some useful OID
+ functions
+- Mozilla Bugzilla #1346410 - Load JSS libraries appropriately
+- ## JSS 4.4.0 includes the following changes for building and testing:
+- Mozilla Bugzilla #1331765 - Simplify JSS Makefile build and test
+- Mozilla Bugzilla #1346420 - Document steps required to use the proper
+ libjss4.so when running certain HMAC Algorithms tests
+
+* Wed Feb 22 2017 Jack Magne <jmagne@redhat.com> - 4.2.6-44
+- Bugzilla Bug #1425971 - Simple problem unwrapping AES sym keys on token
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 4.2.6-43
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
* Tue Aug 9 2016 Christina Fu <cfu@redhat.com> - 4.2.6-42
-- Sync up patches from both Fedora and RHEL; adding one patch
+- Sync up patches from both Fedora and RHEL; adding two patches
(cfu, edewata, mharmsen) from RHEL:
-- Bugzilla Bug #1289799 - JSS build failure on F23 and Rawhide (edewata)
+- Bugzilla Bug #1238450 - UnsatisfiedLinkError on Windows (cfu)
+- make it compile on Windows platforms (cfu for nhosoi)
* Fri Jun 24 2016 Christina Fu <cfu@redhat.com> - 4.2.6-41
- Bugzilla 1221295 jss fails to decode EncryptedKey >> EnvelopedData
@@ -225,13 +256,16 @@ rm -rf $RPM_BUILD_ROOT
- PKI ticket 801 - Merge pki-symkey into jss (phase 1)
(jmagne)
-* Wed Jul 8 2015 Christina Fu <cfu@redhat.com> - 4.2.6-37
-- Bugzilla Bug #1238450 - UnsatisfiedLinkError on Windows
+* Wed Dec 09 2015 Endi Dewata <edewata@redhat.com> - 4.2.6-38
+- Bugzilla Bug #1289799 - JSS build failure on F23 and Rawhide (edewata)
+
+* Thu Apr 09 2015 Marcin Juszkiewicz <mjuszkiewicz@redhat.com> - 4.2.6-37
+- Fix use of __isa_bits macro so it does not fail during srpm generation on koji
-* Fri Apr 24 2015 Christina Fu <cfu@redhat.com> - 4.2.6-36
-- make it compile on Windows platforms (cfu for nhosoi)
+* Thu Apr 09 2015 Marcin Juszkiewicz <mjuszkiewicz@redhat.com> - 4.2.6-36
+- Use __isa_bits macro to check for 64-bit arch. Unblocks aarch64 and ppc64le.
-* Mon Sep 29 2014 Christina Fu <cfu@redhat.com> - 4.2.6-35
+* Tue Sep 30 2014 Christina Fu <cfu@redhat.com> - 4.2.6-35
- Bugzilla Bug #1040640 - Incorrect OIDs for SHA2 algorithms
(cfu for jnimeh@gmail.com)
- Bugzilla Bug #1133718 - Key strength validation is not performed for RC4
@@ -239,14 +273,17 @@ rm -rf $RPM_BUILD_ROOT
- Bugzilla Bug #816396 - Provide Tomcat support for TLS v1.1 and
TLS v1.2 via NSS through JSS (cfu)
-* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 4.2.6-33
-- Mass rebuild 2014-01-24
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-34
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-33
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
-* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 4.2.6-32
-- Mass rebuild 2013-12-27
+* Fri Mar 28 2014 Michael Simacek <msimacek@redhat.com> - 4.2.6-32
+- Use Requires: java-headless rebuild (#1067528)
-* Wed Nov 13 2013 Christina Fu <cfu@redhat.com> - 4.2.6-31
-- Bugzilla Bug #1028581 - jss fails to build on RHEL7 for non-x86 arch
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.2.6-31
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Wed Jul 17 2013 Nathan Kinder <nkinder@redhat.com> - 4.2.6-30
- Bugzilla Bug #847120 - Unable to build JSS on F17 or newer