diff --git a/.jss.metadata b/.jss.metadata new file mode 100644 index 0000000..bd356c5 --- /dev/null +++ b/.jss.metadata @@ -0,0 +1 @@ +4c7eb4e1bfcda535b4b4371f9389c0b77d717469 SOURCES/jss-4.2.6.tar.gz diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/MPL-1.1.txt b/SOURCES/MPL-1.1.txt new file mode 100644 index 0000000..7714141 --- /dev/null +++ b/SOURCES/MPL-1.1.txt 
@@ -0,0 +1,470 @@ + MOZILLA PUBLIC LICENSE + Version 1.1 + + --------------- + +1. Definitions. + + 1.0.1. "Commercial Use" means distribution or otherwise making the + Covered Code available to a third party. + + 1.1. "Contributor" means each entity that creates or contributes to + the creation of Modifications. + + 1.2. "Contributor Version" means the combination of the Original + Code, prior Modifications used by a Contributor, and the Modifications + made by that particular Contributor. + + 1.3. "Covered Code" means the Original Code or Modifications or the + combination of the Original Code and Modifications, in each case + including portions thereof. + + 1.4. "Electronic Distribution Mechanism" means a mechanism generally + accepted in the software development community for the electronic + transfer of data. + + 1.5. "Executable" means Covered Code in any form other than Source + Code. + + 1.6. "Initial Developer" means the individual or entity identified + as the Initial Developer in the Source Code notice required by Exhibit + A. + + 1.7. "Larger Work" means a work which combines Covered Code or + portions thereof with code not governed by the terms of this License. + + 1.8. "License" means this document. + + 1.8.1. "Licensable" means having the right to grant, to the maximum + extent possible, whether at the time of the initial grant or + subsequently acquired, any and all of the rights conveyed herein. + + 1.9. "Modifications" means any addition to or deletion from the + substance or structure of either the Original Code or any previous + Modifications. When Covered Code is released as a series of files, a + Modification is: + A. Any addition to or deletion from the contents of a file + containing Original Code or previous Modifications. + + B. Any new file that contains any part of the Original Code or + previous Modifications. + + 1.10. 
"Original Code" means Source Code of computer software code + which is described in the Source Code notice required by Exhibit A as + Original Code, and which, at the time of its release under this + License is not already Covered Code governed by this License. + + 1.10.1. "Patent Claims" means any patent claim(s), now owned or + hereafter acquired, including without limitation, method, process, + and apparatus claims, in any patent Licensable by grantor. + + 1.11. "Source Code" means the preferred form of the Covered Code for + making modifications to it, including all modules it contains, plus + any associated interface definition files, scripts used to control + compilation and installation of an Executable, or source code + differential comparisons against either the Original Code or another + well known, available Covered Code of the Contributor's choice. The + Source Code can be in a compressed or archival form, provided the + appropriate decompression or de-archiving software is widely available + for no charge. + + 1.12. "You" (or "Your") means an individual or a legal entity + exercising rights under, and complying with all of the terms of, this + License or a future version of this License issued under Section 6.1. + For legal entities, "You" includes any entity which controls, is + controlled by, or is under common control with You. For purposes of + this definition, "control" means (a) the power, direct or indirect, + to cause the direction or management of such entity, whether by + contract or otherwise, or (b) ownership of more than fifty percent + (50%) of the outstanding shares or beneficial ownership of such + entity. + +2. Source Code License. + + 2.1. The Initial Developer Grant. 
+ The Initial Developer hereby grants You a world-wide, royalty-free, + non-exclusive license, subject to third party intellectual property + claims: + (a) under intellectual property rights (other than patent or + trademark) Licensable by Initial Developer to use, reproduce, + modify, display, perform, sublicense and distribute the Original + Code (or portions thereof) with or without Modifications, and/or + as part of a Larger Work; and + + (b) under Patents Claims infringed by the making, using or + selling of Original Code, to make, have made, use, practice, + sell, and offer for sale, and/or otherwise dispose of the + Original Code (or portions thereof). + + (c) the licenses granted in this Section 2.1(a) and (b) are + effective on the date Initial Developer first distributes + Original Code under the terms of this License. + + (d) Notwithstanding Section 2.1(b) above, no patent license is + granted: 1) for code that You delete from the Original Code; 2) + separate from the Original Code; or 3) for infringements caused + by: i) the modification of the Original Code or ii) the + combination of the Original Code with other software or devices. + + 2.2. Contributor Grant. 
+ Subject to third party intellectual property claims, each Contributor + hereby grants You a world-wide, royalty-free, non-exclusive license + + (a) under intellectual property rights (other than patent or + trademark) Licensable by Contributor, to use, reproduce, modify, + display, perform, sublicense and distribute the Modifications + created by such Contributor (or portions thereof) either on an + unmodified basis, with other Modifications, as Covered Code + and/or as part of a Larger Work; and + + (b) under Patent Claims infringed by the making, using, or + selling of Modifications made by that Contributor either alone + and/or in combination with its Contributor Version (or portions + of such combination), to make, use, sell, offer for sale, have + made, and/or otherwise dispose of: 1) Modifications made by that + Contributor (or portions thereof); and 2) the combination of + Modifications made by that Contributor with its Contributor + Version (or portions of such combination). + + (c) the licenses granted in Sections 2.2(a) and 2.2(b) are + effective on the date Contributor first makes Commercial Use of + the Covered Code. + + (d) Notwithstanding Section 2.2(b) above, no patent license is + granted: 1) for any code that Contributor has deleted from the + Contributor Version; 2) separate from the Contributor Version; + 3) for infringements caused by: i) third party modifications of + Contributor Version or ii) the combination of Modifications made + by that Contributor with other software (except as part of the + Contributor Version) or other devices; or 4) under Patent Claims + infringed by Covered Code in the absence of Modifications made by + that Contributor. + +3. Distribution Obligations. + + 3.1. Application of License. + The Modifications which You create or to which You contribute are + governed by the terms of this License, including without limitation + Section 2.2. 
The Source Code version of Covered Code may be + distributed only under the terms of this License or a future version + of this License released under Section 6.1, and You must include a + copy of this License with every copy of the Source Code You + distribute. You may not offer or impose any terms on any Source Code + version that alters or restricts the applicable version of this + License or the recipients' rights hereunder. However, You may include + an additional document offering the additional rights described in + Section 3.5. + + 3.2. Availability of Source Code. + Any Modification which You create or to which You contribute must be + made available in Source Code form under the terms of this License + either on the same media as an Executable version or via an accepted + Electronic Distribution Mechanism to anyone to whom you made an + Executable version available; and if made available via Electronic + Distribution Mechanism, must remain available for at least twelve (12) + months after the date it initially became available, or at least six + (6) months after a subsequent version of that particular Modification + has been made available to such recipients. You are responsible for + ensuring that the Source Code version remains available even if the + Electronic Distribution Mechanism is maintained by a third party. + + 3.3. Description of Modifications. + You must cause all Covered Code to which You contribute to contain a + file documenting the changes You made to create that Covered Code and + the date of any change. You must include a prominent statement that + the Modification is derived, directly or indirectly, from Original + Code provided by the Initial Developer and including the name of the + Initial Developer in (a) the Source Code, and (b) in any notice in an + Executable version or related documentation in which You describe the + origin or ownership of the Covered Code. + + 3.4. Intellectual Property Matters + (a) Third Party Claims. 
+ If Contributor has knowledge that a license under a third party's + intellectual property rights is required to exercise the rights + granted by such Contributor under Sections 2.1 or 2.2, + Contributor must include a text file with the Source Code + distribution titled "LEGAL" which describes the claim and the + party making the claim in sufficient detail that a recipient will + know whom to contact. If Contributor obtains such knowledge after + the Modification is made available as described in Section 3.2, + Contributor shall promptly modify the LEGAL file in all copies + Contributor makes available thereafter and shall take other steps + (such as notifying appropriate mailing lists or newsgroups) + reasonably calculated to inform those who received the Covered + Code that new knowledge has been obtained. + + (b) Contributor APIs. + If Contributor's Modifications include an application programming + interface and Contributor has knowledge of patent licenses which + are reasonably necessary to implement that API, Contributor must + also include this information in the LEGAL file. + + (c) Representations. + Contributor represents that, except as disclosed pursuant to + Section 3.4(a) above, Contributor believes that Contributor's + Modifications are Contributor's original creation(s) and/or + Contributor has sufficient rights to grant the rights conveyed by + this License. + + 3.5. Required Notices. + You must duplicate the notice in Exhibit A in each file of the Source + Code. If it is not possible to put such notice in a particular Source + Code file due to its structure, then You must include such notice in a + location (such as a relevant directory) where a user would be likely + to look for such a notice. If You created one or more Modification(s) + You may add your name as a Contributor to the notice described in + Exhibit A. 
You must also duplicate this License in any documentation + for the Source Code where You describe recipients' rights or ownership + rights relating to Covered Code. You may choose to offer, and to + charge a fee for, warranty, support, indemnity or liability + obligations to one or more recipients of Covered Code. However, You + may do so only on Your own behalf, and not on behalf of the Initial + Developer or any Contributor. You must make it absolutely clear than + any such warranty, support, indemnity or liability obligation is + offered by You alone, and You hereby agree to indemnify the Initial + Developer and every Contributor for any liability incurred by the + Initial Developer or such Contributor as a result of warranty, + support, indemnity or liability terms You offer. + + 3.6. Distribution of Executable Versions. + You may distribute Covered Code in Executable form only if the + requirements of Section 3.1-3.5 have been met for that Covered Code, + and if You include a notice stating that the Source Code version of + the Covered Code is available under the terms of this License, + including a description of how and where You have fulfilled the + obligations of Section 3.2. The notice must be conspicuously included + in any notice in an Executable version, related documentation or + collateral in which You describe recipients' rights relating to the + Covered Code. You may distribute the Executable version of Covered + Code or ownership rights under a license of Your choice, which may + contain terms different from this License, provided that You are in + compliance with the terms of this License and that the license for the + Executable version does not attempt to limit or alter the recipient's + rights in the Source Code version from the rights set forth in this + License. 
If You distribute the Executable version under a different + license You must make it absolutely clear that any terms which differ + from this License are offered by You alone, not by the Initial + Developer or any Contributor. You hereby agree to indemnify the + Initial Developer and every Contributor for any liability incurred by + the Initial Developer or such Contributor as a result of any such + terms You offer. + + 3.7. Larger Works. + You may create a Larger Work by combining Covered Code with other code + not governed by the terms of this License and distribute the Larger + Work as a single product. In such a case, You must make sure the + requirements of this License are fulfilled for the Covered Code. + +4. Inability to Comply Due to Statute or Regulation. + + If it is impossible for You to comply with any of the terms of this + License with respect to some or all of the Covered Code due to + statute, judicial order, or regulation then You must: (a) comply with + the terms of this License to the maximum extent possible; and (b) + describe the limitations and the code they affect. Such description + must be included in the LEGAL file described in Section 3.4 and must + be included with all distributions of the Source Code. Except to the + extent prohibited by statute or regulation, such description must be + sufficiently detailed for a recipient of ordinary skill to be able to + understand it. + +5. Application of this License. + + This License applies to code to which the Initial Developer has + attached the notice in Exhibit A and to related Covered Code. + +6. Versions of the License. + + 6.1. New Versions. + Netscape Communications Corporation ("Netscape") may publish revised + and/or new versions of the License from time to time. Each version + will be given a distinguishing version number. + + 6.2. Effect of New Versions. 
+ Once Covered Code has been published under a particular version of the + License, You may always continue to use it under the terms of that + version. You may also choose to use such Covered Code under the terms + of any subsequent version of the License published by Netscape. No one + other than Netscape has the right to modify the terms applicable to + Covered Code created under this License. + + 6.3. Derivative Works. + If You create or use a modified version of this License (which you may + only do in order to apply it to code which is not already Covered Code + governed by this License), You must (a) rename Your license so that + the phrases "Mozilla", "MOZILLAPL", "MOZPL", "Netscape", + "MPL", "NPL" or any confusingly similar phrase do not appear in your + license (except to note that your license differs from this License) + and (b) otherwise make it clear that Your version of the license + contains terms which differ from the Mozilla Public License and + Netscape Public License. (Filling in the name of the Initial + Developer, Original Code or Contributor in the notice described in + Exhibit A shall not of themselves be deemed to be modifications of + this License.) + +7. DISCLAIMER OF WARRANTY. + + COVERED CODE IS PROVIDED UNDER THIS LICENSE ON AN "AS IS" BASIS, + WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, + WITHOUT LIMITATION, WARRANTIES THAT THE COVERED CODE IS FREE OF + DEFECTS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR NON-INFRINGING. + THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE COVERED CODE + IS WITH YOU. SHOULD ANY COVERED CODE PROVE DEFECTIVE IN ANY RESPECT, + YOU (NOT THE INITIAL DEVELOPER OR ANY OTHER CONTRIBUTOR) ASSUME THE + COST OF ANY NECESSARY SERVICING, REPAIR OR CORRECTION. THIS DISCLAIMER + OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THIS LICENSE. NO USE OF + ANY COVERED CODE IS AUTHORIZED HEREUNDER EXCEPT UNDER THIS DISCLAIMER. + +8. TERMINATION. + + 8.1. 
This License and the rights granted hereunder will terminate + automatically if You fail to comply with terms herein and fail to cure + such breach within 30 days of becoming aware of the breach. All + sublicenses to the Covered Code which are properly granted shall + survive any termination of this License. Provisions which, by their + nature, must remain in effect beyond the termination of this License + shall survive. + + 8.2. If You initiate litigation by asserting a patent infringement + claim (excluding declatory judgment actions) against Initial Developer + or a Contributor (the Initial Developer or Contributor against whom + You file such action is referred to as "Participant") alleging that: + + (a) such Participant's Contributor Version directly or indirectly + infringes any patent, then any and all rights granted by such + Participant to You under Sections 2.1 and/or 2.2 of this License + shall, upon 60 days notice from Participant terminate prospectively, + unless if within 60 days after receipt of notice You either: (i) + agree in writing to pay Participant a mutually agreeable reasonable + royalty for Your past and future use of Modifications made by such + Participant, or (ii) withdraw Your litigation claim with respect to + the Contributor Version against such Participant. If within 60 days + of notice, a reasonable royalty and payment arrangement are not + mutually agreed upon in writing by the parties or the litigation claim + is not withdrawn, the rights granted by Participant to You under + Sections 2.1 and/or 2.2 automatically terminate at the expiration of + the 60 day notice period specified above. 
+ + (b) any software, hardware, or device, other than such Participant's + Contributor Version, directly or indirectly infringes any patent, then + any rights granted to You by such Participant under Sections 2.1(b) + and 2.2(b) are revoked effective as of the date You first made, used, + sold, distributed, or had made, Modifications made by that + Participant. + + 8.3. If You assert a patent infringement claim against Participant + alleging that such Participant's Contributor Version directly or + indirectly infringes any patent where such claim is resolved (such as + by license or settlement) prior to the initiation of patent + infringement litigation, then the reasonable value of the licenses + granted by such Participant under Sections 2.1 or 2.2 shall be taken + into account in determining the amount or value of any payment or + license. + + 8.4. In the event of termination under Sections 8.1 or 8.2 above, + all end user license agreements (excluding distributors and resellers) + which have been validly granted by You or any distributor hereunder + prior to termination shall survive termination. + +9. LIMITATION OF LIABILITY. + + UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT + (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL YOU, THE INITIAL + DEVELOPER, ANY OTHER CONTRIBUTOR, OR ANY DISTRIBUTOR OF COVERED CODE, + OR ANY SUPPLIER OF ANY OF SUCH PARTIES, BE LIABLE TO ANY PERSON FOR + ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY + CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, + WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER + COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN + INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF + LIABILITY SHALL NOT APPLY TO LIABILITY FOR DEATH OR PERSONAL INJURY + RESULTING FROM SUCH PARTY'S NEGLIGENCE TO THE EXTENT APPLICABLE LAW + PROHIBITS SUCH LIMITATION. 
SOME JURISDICTIONS DO NOT ALLOW THE + EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO + THIS EXCLUSION AND LIMITATION MAY NOT APPLY TO YOU. + +10. U.S. GOVERNMENT END USERS. + + The Covered Code is a "commercial item," as that term is defined in + 48 C.F.R. 2.101 (Oct. 1995), consisting of "commercial computer + software" and "commercial computer software documentation," as such + terms are used in 48 C.F.R. 12.212 (Sept. 1995). Consistent with 48 + C.F.R. 12.212 and 48 C.F.R. 227.7202-1 through 227.7202-4 (June 1995), + all U.S. Government End Users acquire Covered Code with only those + rights set forth herein. + +11. MISCELLANEOUS. + + This License represents the complete agreement concerning subject + matter hereof. If any provision of this License is held to be + unenforceable, such provision shall be reformed only to the extent + necessary to make it enforceable. This License shall be governed by + California law provisions (except to the extent applicable law, if + any, provides otherwise), excluding its conflict-of-law provisions. + With respect to disputes in which at least one party is a citizen of, + or an entity chartered or registered to do business in the United + States of America, any litigation relating to this License shall be + subject to the jurisdiction of the Federal Courts of the Northern + District of California, with venue lying in Santa Clara County, + California, with the losing party responsible for costs, including + without limitation, court costs and reasonable attorneys' fees and + expenses. The application of the United Nations Convention on + Contracts for the International Sale of Goods is expressly excluded. + Any law or regulation which provides that the language of a contract + shall be construed against the drafter shall not apply to this + License. + +12. RESPONSIBILITY FOR CLAIMS. 
+ + As between Initial Developer and the Contributors, each party is + responsible for claims and damages arising, directly or indirectly, + out of its utilization of rights under this License and You agree to + work with Initial Developer and Contributors to distribute such + responsibility on an equitable basis. Nothing herein is intended or + shall be deemed to constitute any admission of liability. + +13. MULTIPLE-LICENSED CODE. + + Initial Developer may designate portions of the Covered Code as + "Multiple-Licensed". "Multiple-Licensed" means that the Initial + Developer permits you to utilize portions of the Covered Code under + Your choice of the NPL or the alternative licenses, if any, specified + by the Initial Developer in the file described in Exhibit A. + +EXHIBIT A -Mozilla Public License. + + ``The contents of this file are subject to the Mozilla Public License + Version 1.1 (the "License"); you may not use this file except in + compliance with the License. You may obtain a copy of the License at + http://www.mozilla.org/MPL/ + + Software distributed under the License is distributed on an "AS IS" + basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the + License for the specific language governing rights and limitations + under the License. + + The Original Code is ______________________________________. + + The Initial Developer of the Original Code is ________________________. + Portions created by ______________________ are Copyright (C) ______ + _______________________. All Rights Reserved. + + Contributor(s): ______________________________________. + + Alternatively, the contents of this file may be used under the terms + of the _____ license (the "[___] License"), in which case the + provisions of [______] License are applicable instead of those + above. 
If you wish to allow use of your version of this file only + under the terms of the [____] License and not to allow others to use + your version of this file under the MPL, indicate your decision by + deleting the provisions above and replace them with the notice and + other provisions required by the [___] License. If you do not delete + the provisions above, a recipient may use your version of this file + under either the MPL or the [___] License." + + [NOTE: The text of this Exhibit A may differ slightly from the text of + the notices in the Source Code files of the Original Code. You should + use the text of this Exhibit A rather than the text found in the + Original Code Source Code for Your Modifications.] + diff --git a/SOURCES/gpl.txt b/SOURCES/gpl.txt new file mode 100644 index 0000000..d511905 --- /dev/null +++ b/SOURCES/gpl.txt 
@@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. 
+ + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. 
(Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. 
You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. 
+ +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. 
If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. 
If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. 
+ + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. 
diff --git a/SOURCES/jss-ECC-HSM-FIPS.patch b/SOURCES/jss-ECC-HSM-FIPS.patch new file mode 100644 index 0000000..739c930 --- /dev/null +++ b/SOURCES/jss-ECC-HSM-FIPS.patch 
@@ -0,0 +1,62 @@ +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig 2011-05-18 10:01:36.792151000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-05-18 10:06:07.483691000 -0700 +@@ -110,6 +110,7 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = { + /* 47 */ {SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE, SEC_OID_TAG}, + /* 48 */ {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG}, + /* 49 */ {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG}, ++/* 50 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG}, + /* REMEMBER TO UPDATE NUM_ALGS!!! */ + }; + +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig 2011-05-18 10:01:43.561164000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2011-05-18 10:06:07.489690000 -0700 +@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr { + JSS_AlgType type; + } JSS_AlgInfo; + +-#define NUM_ALGS 50 ++#define NUM_ALGS 51 + + extern JSS_AlgInfo JSS_AlgTable[]; + extern CK_ULONG JSS_symkeyUsage[]; +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig 2011-05-18 10:01:51.232179000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2011-05-18 10:06:07.493690000 -0700 +@@ -232,5 +232,6 @@ public class Algorithm { + protected static final short SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47; + protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48; + protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49; ++ 
protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50; + + } +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig 2011-05-18 10:02:01.056198000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java 2011-05-18 13:46:33.452948000 -0700 +@@ -94,7 +94,12 @@ public class KeyPairAlgorithm extends Al + DSAFamily = new Algorithm(SEC_OID_ANSIX9_DSA_SIGNATURE, "DSA"); + + public static final Algorithm +- ECFamily = new Algorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY, "EC"); ++ ++// To support both ECDSA and ECDH, it is best to provide two EC Families; ++// However, since there is no token that does only CKM_DERIVE to ++// date, we will just do ECDSA for now as it is sufficient enough today. ++// This fix will support tokens that do not do ECDH ++ ECFamily = new Algorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, "EC"); + + public static final KeyPairAlgorithm + RSA = new KeyPairAlgorithm(CKM_RSA_PKCS_KEY_PAIR_GEN, "RSA", RSAFamily); +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig 2011-05-18 10:02:10.696218000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java 2011-05-18 10:06:07.496691000 -0700 +@@ -124,7 +124,7 @@ public class SignatureAlgorithm extends + * operates on its input, which should be a hash. 
+ */ + public static final SignatureAlgorithm +- ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY, ++ ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, + "EC", + null, null, ANSI_X962_OID.subBranch(2).subBranch(1) ); + diff --git a/SOURCES/jss-ECC-Phase2KeyArchivalRecovery.patch b/SOURCES/jss-ECC-Phase2KeyArchivalRecovery.patch new file mode 100644 index 0000000..1bcc238 --- /dev/null +++ b/SOURCES/jss-ECC-Phase2KeyArchivalRecovery.patch 
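Review bot: the comment added in the KeyPairAlgorithm.java hunk of jss-ECC-HSM-FIPS.patch says ECDH is deliberately left out, but that limitation is recorded only in a `//` comment wedged between `public static final Algorithm` and `ECFamily`. Callers of the public `ECFamily` and `ECSignature` constants will not see it. Move it into Javadoc on both constants and state that the "EC" family now maps to SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, so a token that offers only key derivation will not match. In the SignatureAlgorithm.java hunk the tag changes while the OID argument `ANSI_X962_OID.subBranch(2).subBranch(1)` stays as it was; a one-line comment confirming that this tag and OID pairing is intended would save the next reader from having to check.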
@@ -0,0 +1,451 @@ +diff -up jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig jss-4.2.6/mozilla/security/jss/build_java.pl +--- jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig 2012-03-19 17:48:57.615048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/build_java.pl 2012-03-19 17:48:53.250052000 -0700 +@@ -19,6 +19,7 @@ org.mozilla.jss.crypto.Algorithm + org.mozilla.jss.crypto.EncryptionAlgorithm + org.mozilla.jss.crypto.PQGParams + org.mozilla.jss.crypto.SecretDecoderRing ++org.mozilla.jss.asn1.ASN1Util + org.mozilla.jss.pkcs11.CertProxy + org.mozilla.jss.pkcs11.CipherContextProxy + org.mozilla.jss.pkcs11.PK11Module +diff -up jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/config.mk +--- jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig 2012-03-19 17:48:57.535048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/lib/config.mk 2012-03-19 17:48:53.264052000 -0700 +@@ -44,6 +44,7 @@ SHARED_LIBRARY_DIRS = \ + ../org/mozilla/jss/SecretDecoderRing \ + ../org/mozilla/jss \ + ../org/mozilla/jss/pkcs11 \ ++ ../org/mozilla/jss/asn1 \ + ../org/mozilla/jss/ssl \ + ../org/mozilla/jss/util \ + ../org/mozilla/jss/provider/java/security \ +diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig jss-4.2.6/mozilla/security/jss/lib/jss.def +--- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig 2012-03-19 17:48:57.362048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2012-03-19 17:48:53.278052000 -0700 +@@ -333,6 +333,7 @@ Java_org_mozilla_jss_CryptoManager_OCSPC + Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; + Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; + Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative; ++Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid; + ;+ local: + ;+ *; + ;+}; +diff -up jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/rules.mk +--- jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig 2012-03-19 17:48:57.574049000 
-0700 ++++ jss-4.2.6/mozilla/security/jss/lib/rules.mk 2012-03-19 17:48:53.288052000 -0700 +@@ -41,6 +41,7 @@ release_sanitize:: + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsscrypto$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssmanage$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspkcs11$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) ++ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssasn1$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspolicy$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssssl$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssutil$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX) +@@ -48,6 +49,7 @@ ifeq ($(OS_ARCH),WINNT) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsscrypto$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssmanage$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspkcs11$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) ++ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssasn1$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspolicy$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssssl$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) + -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssutil$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX) +diff -up 
jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig 2012-03-19 17:48:57.381048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c 2012-03-19 17:51:32.433893000 -0700 +@@ -0,0 +1,97 @@ ++/* ***** BEGIN LICENSE BLOCK ***** ++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++ * ++ * The contents of this file are subject to the Mozilla Public License Version ++ * 1.1 (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * http://www.mozilla.org/MPL/ ++ * ++ * Software distributed under the License is distributed on an "AS IS" basis, ++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++ * for the specific language governing rights and limitations under the ++ * License. ++ * ++ * The Original Code is the Netscape Security Services for Java. ++ * ++ * The Initial Developer of the Original Code is ++ * Netscape Communications Corporation. ++ * Portions created by the Initial Developer are Copyright (C) 1998-2000 ++ * the Initial Developer. All Rights Reserved. ++ * ++ * Contributor(s): ++ * ++ * Alternatively, the contents of this file may be used under the terms of ++ * either the GNU General Public License Version 2 or later (the "GPL"), or ++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++ * in which case the provisions of the GPL or the LGPL are applicable instead ++ * of those above. If you wish to allow use of your version of this file only ++ * under the terms of either the GPL or the LGPL, and not to allow others to ++ * use your version of this file under the terms of the MPL, indicate your ++ * decision by deleting the provisions above and replace them with the notice ++ * and other provisions required by the GPL or the LGPL. 
If you do not delete ++ * the provisions above, a recipient may use your version of this file under ++ * the terms of any one of the MPL, the GPL or the LGPL. ++ * ++ * ***** END LICENSE BLOCK ***** */ ++#include "_jni/org_mozilla_jss_asn1_ASN1Util.h" ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++/*********************************************************************** ++ * ++ * Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid ++ * retrieves OID description by NSS's OID Tag identifier ++ * the OID byte array is expected to be without the OID Tag (6) and size ++ * (together 2 bytes) ++ */ ++JNIEXPORT jstring JNICALL ++Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid(JNIEnv *env, jobject this, jbyteArray oidBA) ++{ ++ SECItem *oid = NULL; ++ SECOidTag oidTag = SEC_OID_UNKNOWN; ++ char *oidDesc = NULL; ++ jstring description= ""; ++ ++ if (oidBA == NULL) { ++ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION, ++ "JSS getTagDescriptionByOid: oidBA null"); ++ goto finish; ++ } else { ++ /************************************************** ++ * Setup the parameters ++ *************************************************/ ++ oid = JSS_ByteArrayToSECItem(env, oidBA); ++ if (oid == NULL) { ++ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION, ++ "JSS getTagDescriptionByOid: JSS_ByteArrayToSECItem failed"); ++ goto finish; ++ } ++ ++ /* ++ * SECOID_FindOIDTag() returns SEC_OID_UNKNOWN if no match ++ */ ++ oidTag = SECOID_FindOIDTag(oid); ++ if (oidTag == SEC_OID_UNKNOWN) { ++ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION, ++ "JSS getTagDescriptionByOid: OID UNKNOWN"); ++ goto finish; ++ } ++ ++ oidDesc = SECOID_FindOIDTagDescription(oidTag); ++ if (oidDesc == NULL) { ++ oidDesc = ""; ++ } ++ description = (*env)->NewStringUTF(env, oidDesc); ++ } ++ ++finish: ++ return description; ++} +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig 
jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig 2012-03-19 17:48:57.119048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java 2012-03-19 18:03:20.766186000 -0700 +@@ -36,6 +36,8 @@ + package org.mozilla.jss.asn1; + + import java.io.*; ++import java.util.Arrays; ++ + import org.mozilla.jss.asn1.InvalidBERException; + import org.mozilla.jss.util.Assert; + +@@ -114,4 +116,71 @@ public class ASN1Util { + numRead += nr; + } + } ++ ++ /** ++ * returns the ECC curve byte array given the X509 public key byte array ++ * ++ * @param X509PubKeyBytes byte array of an X509PubKey ++ * @param withHeader tells if the return byes should inclulde the tag and size header or not ++ */ ++ public static byte[] getECCurveBytesByX509PublicKeyBytes(byte[] X509PubKeyBytes, ++ boolean withHeader) ++ throws IllegalArgumentException, ArrayIndexOutOfBoundsException, ++ NullPointerException ++ { ++ if ((X509PubKeyBytes == null) || (X509PubKeyBytes.length == 0)) { ++ throw new IllegalArgumentException("X509PubKeyBytes null"); ++ } ++ ++ /* EC public key OID complete with tag and size */ ++ byte[] EC_PubOIDBytes_full = ++ ASN1Util.encode(OBJECT_IDENTIFIER.EC_PUBKEY_OID); ++ ++ /* EC public key OID without tag and size */ ++ byte[] EC_PubOIDBytes = ++ Arrays.copyOfRange(EC_PubOIDBytes_full, 2, EC_PubOIDBytes_full.length); ++ ++ int curveBeginIndex = 0; ++ for (int idx = 0; idx<= X509PubKeyBytes.length; idx++) { ++ byte[] tmp = ++ Arrays.copyOfRange(X509PubKeyBytes, idx, idx+EC_PubOIDBytes.length); ++ if (Arrays.equals(tmp, EC_PubOIDBytes)) { ++ curveBeginIndex = idx+ EC_PubOIDBytes.length; ++ break; ++ } ++ } ++ ++ int curveByteArraySize = (int) X509PubKeyBytes[curveBeginIndex+ 1]; ++ ++ if (withHeader) { ++ /* actual curve with tag and size */ ++ byte curve[] = Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex, curveBeginIndex + curveByteArraySize + 2); ++ return curve; 
++ } else { ++ /* actual curve without tag and size */ ++ byte curve[] = ++ Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex + 2, ++ curveBeginIndex + 2 + curveByteArraySize); ++ return curve; ++ } ++ } ++ ++ /** ++ * getOIDdescription() returns a text description of the OID ++ * from OID byte array ++ * the OID byte array is expected to be without the OID Tag (6) and size ++ * (together 2 bytes) ++ */ ++ public static String ++ getOIDdescription(byte[] oidBA) { ++ return getTagDescriptionByOid(oidBA); ++ } ++ ++ /** ++ * get OID description JNI method ++ */ ++ private native static String ++ getTagDescriptionByOid(byte[] oidBA); ++ ++ + } +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig 2012-03-19 17:48:57.467048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile 2012-03-19 17:48:53.348052000 -0700 +@@ -57,7 +57,7 @@ include $(CORE_DEPTH)/$(MODULE)/config/c + ####################################################################### + # (4) Include "local" platform-dependent assignments (OPTIONAL). 
# + ####################################################################### +-#include config.mk ++include config.mk + + + ####################################################################### +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig 2012-03-19 17:48:57.178048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java 2012-03-19 17:48:53.364052000 -0700 +@@ -52,6 +52,12 @@ public class OBJECT_IDENTIFIER implement + /////////////////////////////////////////////////////////////////////// + + /** ++ * The OID space for EC ++ */ ++ public static final OBJECT_IDENTIFIER EC_PUBKEY_OID = ++ new OBJECT_IDENTIFIER( new long[]{1, 2, 840, 10045, 2, 1} ); ++ ++ /** + * The OID space for RSA Data Security, Inc. + */ + public static final OBJECT_IDENTIFIER RSADSI = +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig 2012-03-19 17:48:57.398048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk 2012-03-19 17:48:53.381052000 -0700 +@@ -0,0 +1,41 @@ ++# ++# ***** BEGIN LICENSE BLOCK ***** ++# Version: MPL 1.1/GPL 2.0/LGPL 2.1 ++# ++# The contents of this file are subject to the Mozilla Public License Version ++# 1.1 (the "License"); you may not use this file except in compliance with ++# the License. You may obtain a copy of the License at ++# http://www.mozilla.org/MPL/ ++# ++# Software distributed under the License is distributed on an "AS IS" basis, ++# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License ++# for the specific language governing rights and limitations under the ++# License. 
++# ++# The Original Code is the Netscape Security Services for Java. ++# ++# The Initial Developer of the Original Code is ++# Netscape Communications Corporation. ++# Portions created by the Initial Developer are Copyright (C) 1998-2000 ++# the Initial Developer. All Rights Reserved. ++# ++# Contributor(s): ++# ++# Alternatively, the contents of this file may be used under the terms of ++# either the GNU General Public License Version 2 or later (the "GPL"), or ++# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), ++# in which case the provisions of the GPL or the LGPL are applicable instead ++# of those above. If you wish to allow use of your version of this file only ++# under the terms of either the GPL or the LGPL, and not to allow others to ++# use your version of this file under the terms of the MPL, indicate your ++# decision by deleting the provisions above and replace them with the notice ++# and other provisions required by the GPL or the LGPL. If you do not delete ++# the provisions above, a recipient may use your version of this file under ++# the terms of any one of the MPL, the GPL or the LGPL. 
++# ++# ***** END LICENSE BLOCK ***** ++TARGETS=$(LIBRARY) ++SHARED_LIBRARY= ++IMPORT_LIBRARY= ++ ++NO_MD_RELEASE = 1 +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig 2012-03-19 17:48:57.434048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn 2012-03-19 17:48:53.401052000 -0700 +@@ -41,6 +41,8 @@ MODULE = jss + + NS_USE_JDK = 1 + ++REQUIRES = nspr20 nss ++ + PACKAGE = org/mozilla/jss/asn1 + + CLASSES = \ +@@ -112,3 +114,9 @@ JSRCS = \ + UTCTime.java \ + UTF8String.java \ + $(NULL) ++ ++CSRCS = \ ++ ASN1Util.c \ ++ $(NULL) ++ ++LIBRARY_NAME = jssasn1 +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig 2012-03-19 17:48:57.502048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn 2012-03-19 17:48:53.413052000 -0700 +@@ -48,6 +48,7 @@ DIRS = \ + crypto \ + SecretDecoderRing \ + pkcs11 \ ++ asn1 \ + ssl \ + provider \ + $(NULL) +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig 2012-03-19 17:48:57.238048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java 2012-03-19 17:48:53.432052000 -0700 +@@ -61,15 +61,29 @@ public final class PK11ECPublicKey exten + // } + // } + // +-// public BigInteger getW() { +-// try { +-// return new BigInteger( getWByteArray() ); +-// } catch(NumberFormatException e) { +-// Assert.notReached("Unable to decode DSA public value"); +-// return null; +-// } +-// } +-// +-// private native byte[] getCurveByteArray(); +-// private 
native byte[] getWByteArray(); ++ ++ public BigInteger getCurve() { ++ try { ++ return new BigInteger( getCurveByteArray() ); ++ } catch(NumberFormatException e) { ++ Assert.notReached("Unable to decode EC curve"); ++ return null; ++ } ++ } ++ ++ public byte[] getCurveBA() { ++ return getCurveByteArray(); ++ } ++ ++ public BigInteger getW() { ++ try { ++ return new BigInteger( getWByteArray() ); ++ } catch(NumberFormatException e) { ++ Assert.notReached("Unable to decode EC public value"); ++ return null; ++ } ++ } ++ ++ private native byte[] getCurveByteArray(); ++ private native byte[] getWByteArray(); + } +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig 2012-03-19 17:48:57.272048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2012-03-19 17:48:53.450052000 -0700 +@@ -450,6 +450,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + numAttribs = 4; + } + break; ++ case CKK_EC: ++ numAttribs = 1; ++ attribs[0] = CKA_SIGN; ++ if (isExtractable) { ++ attribs[1] = CKA_EXTRACTABLE; ++ numAttribs = 2; ++ } ++ break; + case CKK_DSA: + attribs[0] = CKA_SIGN; + numAttribs = 1; +@@ -460,11 +468,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + attribs[0] = CKA_DERIVE; + numAttribs = 1; + break; +- case CKK_EC: +- attribs[0] = CKA_SIGN; +- attribs[1] = CKA_DERIVE; +- numAttribs = 2; +- break; + default: + /* unknown key type */ + PR_ASSERT(PR_FALSE); +@@ -479,7 +482,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + attribs, numAttribs, NULL /*wincx*/); + if( privk == NULL ) { + char err[256] = {0}; +- PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError()); ++ PR_snprintf(err, 256, "Key Unwrap failed on token:error=%d, keyType=%d", PR_GetError(), keyType); + JSS_throwMsg(env, TOKEN_EXCEPTION, err); + goto finish; + } +diff -up 
jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig 2012-03-19 17:48:57.298048000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2012-03-19 17:48:53.471052000 -0700 +@@ -459,13 +459,19 @@ final class PK11KeyWrapper implements Ke + if( type == PrivateKey.RSA ) { + if( !(publicKey instanceof RSAPublicKey)) { + throw new InvalidKeyException("Type of public key does not "+ +- "match type of private key"); ++ "match type of private key which is RSA"); + } + return ((RSAPublicKey)publicKey).getModulus().toByteArray(); ++ } else if(type == PrivateKey.EC) { ++ if( !(publicKey instanceof PK11ECPublicKey) ) { ++ throw new InvalidKeyException("Type of public key does not "+ ++ "match type of private key which is EC"); ++ } ++ return ((PK11ECPublicKey)publicKey).getW().toByteArray(); + } else if(type == PrivateKey.DSA) { + if( !(publicKey instanceof DSAPublicKey) ) { + throw new InvalidKeyException("Type of public key does not "+ +- "match type of private key"); ++ "match type of private key which is DSA"); + } + return ((DSAPublicKey)publicKey).getY().toByteArray(); + } else { diff --git a/SOURCES/jss-ECC-pop.patch b/SOURCES/jss-ECC-pop.patch new file mode 100644 index 0000000..48da89d --- /dev/null +++ b/SOURCES/jss-ECC-pop.patch 
@@ -0,0 +1,29 @@ +diff -rupN jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java jss-4.2.6.cfu/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java 2004-04-25 08:02:26.000000000 -0700 ++++ jss-4.2.6.cfu/mozilla/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java 2009-07-27 13:38:38.197422000 -0700 +@@ -130,6 +130,16 @@ public class CertReqMsg implements ASN1V + /////////////////////////////////////////////////////////////////////// + + public void verify() throws SignatureException, ++ InvalidKeyFormatException, NoSuchAlgorithmException, ++ org.mozilla.jss.CryptoManager.NotInitializedException, ++ TokenException, java.security.InvalidKeyException, IOException{ ++ ++ CryptoToken token = CryptoManager.getInstance() ++ .getInternalCryptoToken(); ++ verify(token); ++ } ++ ++ public void verify(CryptoToken token) throws SignatureException, + InvalidKeyFormatException, NoSuchAlgorithmException, + org.mozilla.jss.CryptoManager.NotInitializedException, + TokenException, java.security.InvalidKeyException, IOException{ +@@ -149,8 +159,6 @@ public class CertReqMsg implements ASN1V + pubkey = (PublicKey) spi.toPublicKey(); + } + +- CryptoToken token = CryptoManager.getInstance() +- .getInternalCryptoToken(); + SignatureAlgorithm sigAlg = + SignatureAlgorithm.fromOID(alg.getOID()); + Signature sig = token.getSignatureContext(sigAlg); diff --git a/SOURCES/jss-ECC_keygen_byCurveName.patch b/SOURCES/jss-ECC_keygen_byCurveName.patch new file mode 100644 index 0000000..0617183 --- /dev/null +++ b/SOURCES/jss-ECC_keygen_byCurveName.patch 
@@ -0,0 +1,490 @@ +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java.fix 2010-10-20 09:54:35.189680000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2010-10-20 10:54:53.154835000 -0700 +@@ -196,7 +196,10 @@ public class KeyPairGenerator { + engine.setKeyPairUsages(usages,usages_mask); + } + +- ++ public int getCurveCodeByName(String curveName) ++ throws InvalidParameterException { ++ return engine.getCurveCodeByName(curveName); ++ } + + + +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java.fix 2010-10-20 09:54:52.393628000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2010-10-20 10:55:39.441698000 -0700 +@@ -94,4 +94,6 @@ public abstract class KeyPairGeneratorSp + + public abstract void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages, + KeyPairGeneratorSpi.Usage[] usages_mask); ++ ++ public abstract int getCurveCodeByName(String curveName) throws InvalidParameterException; + } +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java.fix 2010-10-15 10:30:57.832196000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2010-10-20 11:09:30.523208000 -0700 +@@ -44,6 +44,7 @@ import java.security.*; + import java.security.SecureRandom; + import java.security.spec.AlgorithmParameterSpec; + import java.security.spec.DSAParameterSpec; ++import 
java.util.Hashtable; + + + /** +@@ -55,6 +56,246 @@ public final class PK11KeyPairGenerator + extends org.mozilla.jss.crypto.KeyPairGeneratorSpi + { + ++ // curve code for getting the actual EC curve ++ private enum ECCurve_Code { ++ // NIST, SEC2 Prime curves ++ secp521r1 , // == nistp521 ++ nistp521 , ++ secp384r1 , // == nistp384 ++ nistp384 , ++ secp256r1 , // == nistp256 ++ nistp256 , ++ secp256k1 , ++ secp224r1 , // == nistp224 ++ nistp224 , ++ secp224k1 , ++ secp192r1 , // == nistp192 ++ nistp192 , ++ secp192k1 , ++ secp160r2 , ++ secp160r1 , ++ secp160k1 , ++ secp128r2 , ++ secp128r1 , ++ secp112r2 , ++ secp112r1 , ++ // NIST, SEC2 Binary curves ++ sect571r1 , // == nistb571 ++ nistb571 , ++ sect571k1 , // == nistk571 ++ nistk571 , ++ sect409r1 , // == nistb409 ++ nistb409 , ++ sect409k1 , // == nistk409 ++ nistk409 , ++ sect283r1 , // == nistb283 ++ nistb283 , ++ sect283k1 , // == nistk283 ++ nistk283 , ++ sect239k1 , ++ sect233r1 , // == nistb233 ++ nistb233 , ++ sect233k1 , // == nistk233 ++ nistk233 , ++ sect193r2 , ++ sect193r1 , ++ nistb163 , ++ sect163r2 , // == nistb163 ++ sect163r1 , ++ sect163k1 , // == nistk163 ++ nistk163 , ++ sect131r2 , ++ sect131r1 , ++ sect113r2 , ++ sect113r1 , ++ // ANSI X9.62 Prime curves ++ prime239v3 , ++ prime239v2 , ++ prime239v1 , ++ prime192v3 , ++ prime192v2 , ++ prime192v1 , // == nistp192 ++ // prime256v1 == nistp256 ++ // ANSI X9.62 Binary curves ++ c2pnb163v1 , ++ c2pnb163v2 , ++ c2pnb163v3 , ++ c2pnb176v1 , ++ c2tnb191v1 , ++ c2tnb191v2 , ++ c2tnb191v3 , ++ //c2onb191v4 , ++ //c2onb191v5 , ++ c2pnb208w1 , ++ c2tnb239v1 , ++ c2tnb239v2 , ++ c2tnb239v3 , ++ //c2onb239v4 , ++ //c2onb239v5 , ++ c2pnb272w1 , ++ c2pnb304w1 , ++ c2tnb359v1 , ++ c2pnb368w1 , ++ c2tnb431r1 ++ // no WTLS curves fo now ++ }; ++ ++ private static Hashtable ECCurve_NameToCode = new Hashtable(); ++ static { ++ // NIST, SEC2 Prime curves ++ ECCurve_NameToCode.put( ++ "secp521r1", ECCurve_Code.secp521r1); ++ ECCurve_NameToCode.put( ++ 
"nistp521", ECCurve_Code.nistp521); ++ ECCurve_NameToCode.put( ++ "secp384r1", ECCurve_Code.secp384r1); ++ ECCurve_NameToCode.put( ++ "nistp384", ECCurve_Code.nistp384); ++ ECCurve_NameToCode.put( ++ "secp256r1", ECCurve_Code.secp256r1); ++ ECCurve_NameToCode.put( ++ "nistp256", ECCurve_Code.nistp256); ++ ECCurve_NameToCode.put( ++ "secp256k1", ECCurve_Code.secp256k1); ++ ECCurve_NameToCode.put( ++ "secp224r1", ECCurve_Code.secp224r1); ++ ECCurve_NameToCode.put( ++ "nistp224", ECCurve_Code.nistp224); ++ ECCurve_NameToCode.put( ++ "secp224k1", ECCurve_Code.secp224k1); ++ ECCurve_NameToCode.put( ++ "secp192r1", ECCurve_Code.secp192r1); ++ ECCurve_NameToCode.put( ++ "nistp192", ECCurve_Code.nistp192); ++ ECCurve_NameToCode.put( ++ "secp192k1", ECCurve_Code.secp192k1); ++ ECCurve_NameToCode.put( ++ "secp160r2", ECCurve_Code.secp160r2); ++ ECCurve_NameToCode.put( ++ "secp160r1", ECCurve_Code.secp160r1); ++ ECCurve_NameToCode.put( ++ "secp160k1", ECCurve_Code.secp160k1); ++ ECCurve_NameToCode.put( ++ "secp128r2", ECCurve_Code.secp128r2); ++ ECCurve_NameToCode.put( ++ "secp128r1", ECCurve_Code.secp128r1); ++ ECCurve_NameToCode.put( ++ "secp112r2", ECCurve_Code.secp112r2); ++ ECCurve_NameToCode.put( ++ "secp112r1", ECCurve_Code.secp112r1); ++ // NIST, SEC2 Binary curves ++ ECCurve_NameToCode.put( ++ "sect571r1", ECCurve_Code.sect571r1); ++ ECCurve_NameToCode.put( ++ "nistb571", ECCurve_Code.nistb571); ++ ECCurve_NameToCode.put( ++ "sect571k1", ECCurve_Code.sect571k1); ++ ECCurve_NameToCode.put( ++ "nistk571", ECCurve_Code.nistk571); ++ ECCurve_NameToCode.put( ++ "sect409r1", ECCurve_Code.sect409r1); ++ ECCurve_NameToCode.put( ++ "nistb409", ECCurve_Code.nistb409); ++ ECCurve_NameToCode.put( ++ "sect409k1", ECCurve_Code.sect409k1); ++ ECCurve_NameToCode.put( ++ "nistk409", ECCurve_Code.nistk409); ++ ECCurve_NameToCode.put( ++ "sect283r1", ECCurve_Code.sect283r1); ++ ECCurve_NameToCode.put( ++ "nistb283", ECCurve_Code.nistb283); ++ ECCurve_NameToCode.put( ++ "sect283k1", 
ECCurve_Code.sect283k1); ++ ECCurve_NameToCode.put( ++ "nistk283", ECCurve_Code.nistk283); ++ ECCurve_NameToCode.put( ++ "sect239k1", ECCurve_Code.sect239k1); ++ ECCurve_NameToCode.put( ++ "sect233r1", ECCurve_Code.sect233r1); ++ ECCurve_NameToCode.put( ++ "nistb233", ECCurve_Code.nistb233); ++ ECCurve_NameToCode.put( ++ "sect233k1", ECCurve_Code.sect233k1); ++ ECCurve_NameToCode.put( ++ "nistk233", ECCurve_Code.nistk233); ++ ECCurve_NameToCode.put( ++ "sect193r2", ECCurve_Code.sect193r2); ++ ECCurve_NameToCode.put( ++ "sect193r1", ECCurve_Code.sect193r1); ++ ECCurve_NameToCode.put( ++ "nistb163", ECCurve_Code.nistb163); ++ ECCurve_NameToCode.put( ++ "sect163r2", ECCurve_Code.sect163r2); ++ ECCurve_NameToCode.put( ++ "sect163r1", ECCurve_Code.sect163r1); ++ ECCurve_NameToCode.put( ++ "sect163k1", ECCurve_Code.sect163k1); ++ ECCurve_NameToCode.put( ++ "nistk163", ECCurve_Code.nistk163); ++ ECCurve_NameToCode.put( ++ "sect131r2", ECCurve_Code.sect131r2); ++ ECCurve_NameToCode.put( ++ "sect131r1", ECCurve_Code.sect131r1); ++ ECCurve_NameToCode.put( ++ "sect113r2", ECCurve_Code.sect113r2); ++ ECCurve_NameToCode.put( ++ "sect113r1", ECCurve_Code.sect113r1); ++ // ANSI Prime curves ++ ECCurve_NameToCode.put( ++ "prime239v3", ECCurve_Code.prime239v3); ++ ECCurve_NameToCode.put( ++ "prime239v2", ECCurve_Code.prime239v2); ++ ECCurve_NameToCode.put( ++ "prime239v1", ECCurve_Code.prime239v1); ++ ECCurve_NameToCode.put( ++ "prime192v3", ECCurve_Code.prime192v3); ++ ECCurve_NameToCode.put( ++ "prime192v2", ECCurve_Code.prime192v2); ++ ECCurve_NameToCode.put( ++ "prime192v1", ECCurve_Code.prime192v1); ++ // ANSI Binary curves ++ ECCurve_NameToCode.put( ++ "c2pnb163v1", ECCurve_Code.c2pnb163v1); ++ ECCurve_NameToCode.put( ++ "c2pnb163v2", ECCurve_Code.c2pnb163v2); ++ ECCurve_NameToCode.put( ++ "c2pnb163v3", ECCurve_Code.c2pnb163v3); ++ ECCurve_NameToCode.put( ++ "c2pnb176v1", ECCurve_Code.c2pnb176v1); ++ ECCurve_NameToCode.put( ++ "c2tnb191v1", ECCurve_Code.c2tnb191v1); ++ 
ECCurve_NameToCode.put( ++ "c2tnb191v2", ECCurve_Code.c2tnb191v2); ++ ECCurve_NameToCode.put( ++ "c2tnb191v3", ECCurve_Code.c2tnb191v3); ++ //ECCurve_NameToCode.put( ++ // "c2onb191v4", ECCurve_Code.c2onb191v4); ++ //ECCurve_NameToCode.put( ++ // "c2onb191v5", ECCurve_Code.c2onb191v5); ++ ECCurve_NameToCode.put( ++ "c2pnb208w1", ECCurve_Code.c2pnb208w1); ++ ECCurve_NameToCode.put( ++ "c2tnb239v1", ECCurve_Code.c2tnb239v1); ++ ECCurve_NameToCode.put( ++ "c2tnb239v2", ECCurve_Code.c2tnb239v2); ++ ECCurve_NameToCode.put( ++ "c2tnb239v3", ECCurve_Code.c2tnb239v3); ++ //ECCurve_NameToCode.put( ++ // "c2onb239v4", ECCurve_Code.c2onb239v4); ++ //ECCurve_NameToCode.put( ++ // "c2onb239v5", ECCurve_Code.c2onb239v5); ++ ECCurve_NameToCode.put( ++ "c2pnb272w1", ECCurve_Code.c2pnb272w1); ++ ECCurve_NameToCode.put( ++ "c2pnb304w1", ECCurve_Code.c2pnb304w1); ++ ECCurve_NameToCode.put( ++ "c2tnb359v1", ECCurve_Code.c2tnb359v1); ++ ECCurve_NameToCode.put( ++ "c2pnb368w1", ECCurve_Code.c2pnb368w1); ++ ECCurve_NameToCode.put( ++ "c2tnb431r1", ECCurve_Code.c2tnb431r1); ++ } ++ + // opFlag constants: each of these flags specifies a crypto operation + // the key will support. Their values must match the same-named C + // preprocessor macros defined in the PKCS #11 header pkcs11t.h. 
+@@ -165,7 +406,15 @@ public final class PK11KeyPairGenerator + } + } else { + Assert._assert( algorithm == KeyPairAlgorithm.EC ); +- params = getCurve(strength); ++ if (strength < 112) { ++ // for EC, "strength" is actually a code for curves defined in ++ // ECCurve_Code ++ params = getECCurve(strength); ++ } else { ++ // this is the old method of strength to curve mapping, ++ // which is somewhat defective ++ params = getCurve(strength); ++ } + } + } + +@@ -642,6 +891,189 @@ public final class PK11KeyPairGenerator + static final OBJECT_IDENTIFIER CURVE_SECG_T571R1 + = SECG_EC_CURVE.subBranch(39); + ++ // the EC curvecode to oid hash table ++ private static Hashtable mECCurve_CodeToCurve = new Hashtable(); ++ static { ++ // SEG Prime curves ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp521r1.ordinal(), (Object) CURVE_SECG_P521R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistp521.ordinal(), (Object) CURVE_SECG_P521R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp384r1.ordinal(), (Object) CURVE_SECG_P384R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistp384.ordinal(), (Object) CURVE_SECG_P384R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp256r1.ordinal(), (Object) CURVE_ANSI_P256V1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistp256.ordinal(), (Object) CURVE_ANSI_P256V1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp256k1.ordinal(), (Object) CURVE_SECG_P256K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp224r1.ordinal(), (Object) CURVE_SECG_P224R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistp224.ordinal(), (Object) CURVE_SECG_P224R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp224k1.ordinal(), (Object) CURVE_SECG_P224K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp192r1.ordinal(), (Object) CURVE_ANSI_P192V1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistp192.ordinal(), (Object) CURVE_ANSI_P192V1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp192k1.ordinal(), (Object) CURVE_SECG_P192K1); ++ 
mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp160r2.ordinal(), (Object) CURVE_SECG_P160R2); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp160r1.ordinal(), (Object) CURVE_SECG_P160R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp160k1.ordinal(), (Object) CURVE_SECG_P160K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp128r2.ordinal(), (Object) CURVE_SECG_P128R2); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp128r1.ordinal(), (Object) CURVE_SECG_P128R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp112r2.ordinal(), (Object) CURVE_SECG_P112R2); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.secp112r1.ordinal(), (Object) CURVE_SECG_P112R1); ++ // SEG Binary curves ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect571r1.ordinal(), (Object) CURVE_SECG_T571R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistb571.ordinal(), (Object) CURVE_SECG_T571R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect571k1.ordinal(), (Object) CURVE_SECG_T571K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistk571.ordinal(), (Object) CURVE_SECG_T571K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect409r1.ordinal(), (Object) CURVE_SECG_T409R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistb409.ordinal(), (Object) CURVE_SECG_T409R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect409k1.ordinal(), (Object) CURVE_SECG_T409K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistk409.ordinal(), (Object) CURVE_SECG_T409K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect283r1.ordinal(), (Object) CURVE_SECG_T283R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistb283.ordinal(), (Object) CURVE_SECG_T283R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect283k1.ordinal(), (Object) CURVE_SECG_T283K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistk283.ordinal(), (Object) CURVE_SECG_T283K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect239k1.ordinal(), (Object) CURVE_SECG_T239K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect233r1.ordinal(), (Object) 
CURVE_SECG_T233R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistb233.ordinal(), (Object) CURVE_SECG_T233R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect233k1.ordinal(), (Object) CURVE_SECG_T233K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistk233.ordinal(), (Object) CURVE_SECG_T233K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect193r2.ordinal(), (Object) CURVE_SECG_T193R2); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect193r1.ordinal(), (Object) CURVE_SECG_T193R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistb163.ordinal(), (Object) CURVE_SECG_T163K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect163r2.ordinal(), (Object) CURVE_SECG_T163R2); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect163r1.ordinal(), (Object) CURVE_SECG_T163R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect163k1.ordinal(), (Object) CURVE_SECG_T163K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.nistk163.ordinal(), (Object) CURVE_SECG_T163K1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect131r2.ordinal(), (Object) CURVE_SECG_T131R2); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect131r1.ordinal(), (Object) CURVE_SECG_T131R1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect113r2.ordinal(), (Object) CURVE_SECG_T113R2); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.sect113r1.ordinal(), (Object) CURVE_SECG_T113R1); ++ // ANSI Prime curves ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.prime239v3.ordinal(), (Object) CURVE_ANSI_P239V3); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.prime239v2.ordinal(), (Object) CURVE_ANSI_P239V2); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.prime239v1.ordinal(), (Object) CURVE_ANSI_P239V1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.prime192v3.ordinal(), (Object) CURVE_ANSI_P192V3); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.prime192v2.ordinal(), (Object) CURVE_ANSI_P192V2); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.prime192v1.ordinal(), (Object) CURVE_ANSI_P192V1); ++ // ANSI Binary curves ++ mECCurve_CodeToCurve.put( 
++ ECCurve_Code.c2pnb163v1.ordinal(), (Object) CURVE_ANSI_PNB163V1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2pnb163v2.ordinal(), (Object) CURVE_ANSI_PNB163V2); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2pnb163v3.ordinal(), (Object) CURVE_ANSI_PNB163V3); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2pnb176v1.ordinal(), (Object) CURVE_ANSI_PNB176V1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2tnb191v1.ordinal(), (Object) CURVE_ANSI_TNB191V1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2tnb191v2.ordinal(), (Object) CURVE_ANSI_TNB191V2); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2tnb191v3.ordinal(), (Object) CURVE_ANSI_TNB191V3); ++ //mECCurve_CodeToCurve.put( ++ // ECCurve_Code.c2onb191v4.ordinal(), (Object) CURVE_ANSI_ONB191V4); ++ //mECCurve_CodeToCurve.put( ++ // ECCurve_Code.c2onb191v5.ordinal(), (Object) CURVE_ANSI_ONB191V5); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2pnb208w1.ordinal(), (Object) CURVE_ANSI_PNB208W1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2tnb239v1.ordinal(), (Object) CURVE_ANSI_TNB239V1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2tnb239v2.ordinal(), (Object) CURVE_ANSI_TNB239V2); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2tnb239v3.ordinal(), (Object) CURVE_ANSI_TNB239V3); ++ //mECCurve_CodeToCurve.put( ++ // ECCurve_Code.c2onb239v4.ordinal(), (Object) CURVE_ANSI_ONB239V4); ++ //mECCurve_CodeToCurve.put( ++ // ECCurve_Code.c2onb239v5.ordinal(), (Object) CURVE_ANSI_ONB239V5); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2pnb272w1.ordinal(), (Object) CURVE_ANSI_PNB272W1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2pnb304w1.ordinal(), (Object) CURVE_ANSI_PNB304W1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2tnb359v1.ordinal(), (Object) CURVE_ANSI_TNB359V1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2pnb368w1.ordinal(), (Object) CURVE_ANSI_PNB368W1); ++ mECCurve_CodeToCurve.put( ++ ECCurve_Code.c2tnb431r1.ordinal(), (Object) CURVE_ANSI_TNB431R1); ++ } ++ ++ public int getCurveCodeByName(String 
curveName) ++ throws InvalidParameterException { ++ if (curveName == null) ++ throw new InvalidParameterException(); ++ ECCurve_Code c = (ECCurve_Code) ECCurve_NameToCode.get(curveName); ++ if (c == null) ++ throw new InvalidParameterException(curveName); ++ return c.ordinal(); ++ } ++ ++ /* ++ * getECCurve ++ * maps curvecode to the actual oid of the curve and ++ * returns the PK11ParameterSpec ++ */ ++ private AlgorithmParameterSpec getECCurve(int curvecode) ++ throws InvalidParameterException ++ { ++ OBJECT_IDENTIFIER oid; ++ ++ oid = (OBJECT_IDENTIFIER) mECCurve_CodeToCurve.get(curvecode); ++ if (oid == null) ++ throw new IllegalArgumentException("curvecode ="+curvecode); ++ return new PK11ParameterSpec(ASN1Util.encode(oid)); ++ } ++ + private AlgorithmParameterSpec getCurve(int strength) + throws InvalidParameterException + { diff --git a/SOURCES/jss-HSM-manufacturerID.patch b/SOURCES/jss-HSM-manufacturerID.patch new file mode 100644 index 0000000..2a7bdff --- /dev/null +++ b/SOURCES/jss-HSM-manufacturerID.patch 
@@ -0,0 +1,62 @@ +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu 2011-11-10 17:18:02.706421000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-11-10 17:18:23.370442000 -0800 +@@ -195,7 +195,8 @@ JSS_PK11_generateKeyPairWithOpFlags(JNIE + } + PR_GetErrorText(errBuf); + } +- msgBuf = PR_smprintf("Keypair Generation failed on token: %s", ++ msgBuf = PR_smprintf("Keypair Generation failed on token with error: %d : %s", ++ PR_GetError(), + errLength>0? errBuf : ""); + if(errLength>0) { + PR_Free(errBuf); +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-11-10 17:18:10.767429000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-11-10 17:52:34.703491000 -0800 +@@ -334,32 +334,36 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + PRBool isExtractable = PR_FALSE; + + /* special case nethsm and lunasa*/ +- CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'}; +- CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'}; ++ const int numManufacturerIDchars = 7; ++ CK_UTF8CHAR nethsmManufacturerID[] = {'n','C','i','p','h','e','r'}; ++ CK_UTF8CHAR lunasaManufacturerID[] = {'S','a','f','e','n','e','t'}; + PRBool isNethsm = PR_TRUE; + PRBool isLunasa = PR_TRUE; + ++ tokenInfo.manufacturerID[0] = 0; ++ + if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) { + /* exception was thrown */ + goto finish; + } + +- if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) { ++ if ( (PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) && ++ (tokenInfo.manufacturerID[0] != 0)) { + int ix = 0; +- for(ix=0; ix < 4; ix++) { +- if 
(tokenInfo.label[ix] != nethsmLabel[ix]) { ++ ++ for(ix=0; ix < numManufacturerIDchars; ix++) { ++ if (tokenInfo.manufacturerID[ix] != nethsmManufacturerID[ix]) { + isNethsm = PR_FALSE; + break; + } + } +- ix = 0; +- for(ix=0; ix < 4; ix++) { +- if (tokenInfo.label[ix] != lunasaLabel[ix]) { ++ ++ for(ix=0; ix < numManufacturerIDchars; ix++) { ++ if (tokenInfo.manufacturerID[ix] != lunasaManufacturerID[ix]) { + isLunasa = PR_FALSE; + break; + } + } +- + } else { + isNethsm = PR_FALSE; + isLunasa = PR_FALSE; diff --git a/SOURCES/jss-PBE-PKCS5-V2-secure-P12.patch b/SOURCES/jss-PBE-PKCS5-V2-secure-P12.patch new file mode 100644 index 0000000..068e4d7 --- /dev/null +++ b/SOURCES/jss-PBE-PKCS5-V2-secure-P12.patch 
@@ -0,0 +1,328 @@ +diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c +--- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.old 2011-09-23 10:14:24.000000000 -0700 ++++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-22 18:39:15.000000000 -0700 +@@ -111,6 +111,9 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = { + /* 48 */ {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG}, + /* 49 */ {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG}, + /* 50 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG}, ++/* 51 */ {SEC_OID_PKCS5_PBKDF2, SEC_OID_TAG}, ++/* 52 */ {SEC_OID_PKCS5_PBES2, SEC_OID_TAG}, ++/* 53 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG}, + /* REMEMBER TO UPDATE NUM_ALGS!!! */ + }; + +diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h +--- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.old 2011-09-23 10:14:08.000000000 -0700 ++++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2011-09-22 20:31:12.000000000 -0700 +@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr { + JSS_AlgType type; + } JSS_AlgInfo; + +-#define NUM_ALGS 51 ++#define NUM_ALGS 54 + + extern JSS_AlgInfo JSS_AlgTable[]; + extern CK_ULONG JSS_symkeyUsage[]; +diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java +--- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.old 2011-09-23 10:14:42.000000000 -0700 ++++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2011-09-22 18:39:15.000000000 -0700 +@@ -233,5 +233,9 @@ public class Algorithm { + protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48; + protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49; + protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50; ++ //PKCS5 V2 ++ 
protected static final short SEC_OID_PKCS5_PBKDF2=51; ++ protected static final short SEC_OID_PKCS5_PBES2=52; ++ protected static final short SEC_OID_PKCS5_PBMAC1=53; + + } +diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java.old ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java +--- ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java.old 2011-09-23 10:15:04.000000000 -0700 ++++ ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java 2011-09-22 18:39:15.000000000 -0700 +@@ -93,6 +93,27 @@ public class PBEAlgorithm extends KeyGen + /////////////////////////////////////////////////////////////////////// + + ////////////////////////////////////////////////////////////// ++ // PKCS 5 v2 ++ public static final PBEAlgorithm ++ PBE_PKCS5_PBKDF2 = new PBEAlgorithm( ++ SEC_OID_PKCS5_PBKDF2, "PBKDF2", 128, ++ PKCS5.subBranch(12), EncryptionAlgorithm.AES_128_CBC, 8 ); ++ ++ ////////////////////////////////////////////////////////////// ++ // PKCS 5 v2 ++ public static final PBEAlgorithm ++ PBE_PKCS5_PBES2 = new PBEAlgorithm( ++ SEC_OID_PKCS5_PBES2, "PBES2", 128, ++ PKCS5.subBranch(13), EncryptionAlgorithm.AES_128_CBC, 8 ); ++ ++ ////////////////////////////////////////////////////////////// ++ // PKCS 5 v2 ++ public static final PBEAlgorithm ++ PBE_PKCS5_PBMAC1 = new PBEAlgorithm( ++ SEC_OID_PKCS5_PBMAC1, "PBMAC1", 128, ++ PKCS5.subBranch(14), EncryptionAlgorithm.AES_128_CBC, 8 ); ++ ++ ////////////////////////////////////////////////////////////// + public static final PBEAlgorithm + PBE_MD2_DES_CBC = new PBEAlgorithm( + SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC, "PBE/MD2/DES/CBC", 56, +diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c +--- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.old 2011-09-23 10:12:09.000000000 -0700 ++++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-09-27 
10:35:19.000000000 -0700 +@@ -324,7 +324,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener + } + /* print_secitem(pwitem); */ + +- + mech = JSS_getPK11MechFromAlg(env, alg); + + if( mech == CKM_PBA_SHA1_WITH_SHA1_HMAC ) { +@@ -344,7 +343,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener + PR_ASSERT(oidTag != SEC_OID_UNKNOWN); + + /* create algid */ +- algid = PK11_CreatePBEAlgorithmID(oidTag, iterationCount, salt); ++ algid = PK11_CreatePBEV2AlgorithmID( ++ oidTag, ++ SEC_OID_DES_EDE3_CBC, ++ SEC_OID_HMAC_SHA1, ++ 168/8, ++ iterationCount, ++ salt); ++ + if( algid == NULL ) { + JSS_throwMsg(env, TOKEN_EXCEPTION, + "Unable to process PBE parameters"); +diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c +--- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.old 2011-09-25 15:43:52.000000000 -0700 ++++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-09-27 21:16:06.000000000 -0700 +@@ -324,14 +324,34 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + SECItem *wrapped=NULL, *iv=NULL, *param=NULL, *pubValue=NULL; + SECItem label; /* empty secitem, doesn't need to be freed */ + PRBool token; +- CK_ATTRIBUTE_TYPE attribs[4]; +- int numAttribs; ++ CK_ATTRIBUTE_TYPE attribs[4] = {0, 0, 0, 0}; ++ int numAttribs = 0; ++ CK_TOKEN_INFO tokenInfo; ++ ++ PRBool isSensitive = PR_TRUE; ++ PRBool isExtractable = PR_FALSE; ++ /* special case nethsm*/ ++ CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'}; ++ PRBool isNethsm = PR_TRUE; + + if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) { + /* exception was thrown */ + goto finish; + } + ++ if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) { ++ int ix = 0; ++ for(ix=0; ix < 4; ix++) { ++ if (tokenInfo.label[ix] != nethsmLabel[ix]) { ++ isNethsm = PR_FALSE; ++ break; ++ } ++ } ++ ++ } else { ++ isNethsm = PR_FALSE; ++ } ++ + /* get unwrapping key */ + if( JSS_PK11_getSymKeyPtr(env, unwrapperObj, &unwrappingKey) 
+ != PR_SUCCESS) { +@@ -392,14 +412,24 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + } + keyType = PK11_GetKeyType(keyTypeMech, 0); + ++ if( isNethsm ) { ++ isSensitive = PR_FALSE; ++ isExtractable = PR_FALSE; ++ } ++ ++setAttrs: + /* figure out which operations to enable for this key */ + switch (keyType) { + case CKK_RSA: + attribs[0] = CKA_SIGN; +- attribs[1] = CKA_DECRYPT; +- attribs[2] = CKA_SIGN_RECOVER; +- attribs[3] = CKA_UNWRAP; +- numAttribs = 4; ++ attribs[1] = CKA_SIGN_RECOVER; ++ attribs[2] = CKA_UNWRAP; ++ if (isExtractable) { ++ attribs[3] = CKA_EXTRACTABLE; ++ numAttribs = 4; ++ } else { ++ numAttribs = 3; ++ } + break; + case CKK_DSA: + attribs[0] = CKA_SIGN; +@@ -426,7 +456,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + + /* perform the unwrap */ + privk = PK11_UnwrapPrivKey(slot, unwrappingKey, wrapType, param, wrapped, +- &label, pubValue, token, PR_TRUE /*sensitive*/, keyType, ++ &label, pubValue, token, isSensitive /*sensitive*/, keyType, + attribs, numAttribs, NULL /*wincx*/); + if( privk == NULL ) { + JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token"); +diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java +--- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.old 2011-09-27 15:16:52.000000000 -0700 ++++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2011-09-27 17:01:18.000000000 -0700 +@@ -190,21 +190,23 @@ final class PK11KeyWrapper implements Ke + if( key==null ) { + throw new InvalidKeyException("Key is null"); + } +- if( ! key.getOwningToken().equals(token) ) { +- throw new InvalidKeyException("Key does not reside on the "+ +- "current token"); +- } +- if( ! (key instanceof PK11SymKey) ) { +- throw new InvalidKeyException("Key is not a PKCS #11 key"); +- } + try { ++ if( ! 
key.getOwningToken().equals(token) ) { ++ throw new InvalidKeyException("Key does not reside on the current token: key owning token="+ ++ key.getOwningToken().getName()); ++ } ++ if( ! (key instanceof PK11SymKey) ) { ++ throw new InvalidKeyException("Key is not a PKCS #11 key"); ++ } + if( ((PK11SymKey)key).getKeyType() != +- KeyType.getKeyTypeFromAlgorithm(algorithm) ) { +- throw new InvalidKeyException("Key is not the right type for"+ ++ KeyType.getKeyTypeFromAlgorithm(algorithm) ) { ++ throw new InvalidKeyException("Key is not the right type for"+ + " this algorithm"); + } + } catch( NoSuchAlgorithmException e ) { + Assert.notReached("Unknown algorithm"); ++ } catch (Exception e) { ++ Assert.notReached("Exception:"+ e.toString()); + } + } + +diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java +--- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.old 2011-09-23 10:12:29.000000000 -0700 ++++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-09-23 08:54:19.000000000 -0700 +@@ -106,10 +106,13 @@ public final class PK11Token implements + getKeyGenerator(KeyGenAlgorithm algorithm) + throws NoSuchAlgorithmException, TokenException + { ++/* NSS is capable of finding the right token to do algorithm, ++ so this call is prematurely bailing + if( ! 
doesAlgorithm(algorithm) ) { + throw new NoSuchAlgorithmException( + algorithm+" is not supported by this token"); + } ++*/ + return new PK11KeyGenerator(this, algorithm); + } + +diff -up ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.old ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java +--- ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.old 2011-09-23 10:42:06.000000000 -0700 ++++ ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java 2011-09-27 14:31:41.000000000 -0700 +@@ -43,6 +43,7 @@ import org.mozilla.jss.util.Assert; + import java.security.*; + import org.mozilla.jss.CryptoManager; + import org.mozilla.jss.util.Password; ++import org.mozilla.jss.crypto.PrivateKey; + import java.security.spec.AlgorithmParameterSpec; + + /** +@@ -184,6 +185,89 @@ public class EncryptedPrivateKeyInfo imp + return null; + } + ++ ++ /** ++ * Creates a new EncryptedPrivateKeyInfo, where the data is encrypted ++ * with a password-based key- ++ * with wrapping/unwrapping happening on token. ++ * ++ * @param keyGenAlg The algorithm for generating a symmetric key from ++ * a password, salt, and iteration count. ++ * @param password The password to use in generating the key. ++ * @param salt The salt to use in generating the key. ++ * @param iterationCount The number of hashing iterations to perform ++ * while generating the key. ++ * @param charToByteConverter The mechanism for converting the characters ++ * in the password into bytes. If null, the default mechanism ++ * will be used, which is UTF8. ++ * @param pri The PrivateKey to be encrypted and stored in the ++ * EncryptedContentInfo. 
++ */ ++ public static EncryptedPrivateKeyInfo ++ createPBE(PBEAlgorithm keyGenAlg, Password password, byte[] salt, ++ int iterationCount, ++ KeyGenerator.CharToByteConverter charToByteConverter, ++ PrivateKey pri, CryptoToken token) ++ throws CryptoManager.NotInitializedException, NoSuchAlgorithmException, ++ InvalidKeyException, InvalidAlgorithmParameterException, TokenException, ++ CharConversionException ++ { ++ try { ++ ++ // check key gen algorithm ++ ++ if( ! (keyGenAlg instanceof PBEAlgorithm) ) { ++ throw new NoSuchAlgorithmException("Key generation algorithm"+ ++ " is not a PBE algorithm"); ++ } ++ ++ PBEAlgorithm pbeAlg = (PBEAlgorithm) keyGenAlg; ++ ++ // generate key ++ ++ KeyGenerator kg = token.getKeyGenerator( keyGenAlg ); ++ PBEKeyGenParams pbekgParams = new PBEKeyGenParams( ++ password, salt, iterationCount); ++ if( charToByteConverter != null ) { ++ kg.setCharToByteConverter( charToByteConverter ); ++ } ++ kg.initialize(pbekgParams); ++ kg.temporaryKeys(true); ++ SymmetricKey key = kg.generate(); ++ ++ // generate IV ++ EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg(); ++ AlgorithmParameterSpec params=null; ++ if( encAlg.getParameterClass().equals( IVParameterSpec.class ) ) { ++ params = new IVParameterSpec( kg.generatePBE_IV() ); ++ } ++ ++ KeyWrapper wrapper = token.getKeyWrapper( ++ KeyWrapAlgorithm.DES3_CBC); ++ wrapper.initWrap(key, params); ++ byte encrypted[] = wrapper.wrap(pri); ++ ++ // make encryption algorithm identifier ++ PBEParameter pbeParam = new PBEParameter( salt, iterationCount ); ++ AlgorithmIdentifier encAlgID = new AlgorithmIdentifier( ++ keyGenAlg.toOID(), pbeParam); ++ ++ // create EncryptedPrivateKeyInfo ++ EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo ( ++ encAlgID, ++ new OCTET_STRING(encrypted) ); ++ ++ return epki; ++ ++ } catch (Exception e) { ++ Assert.notReached("EncryptedPrivateKeyInfo exception:" ++ +".createPBE"); ++ } ++ ++ return null; ++ } ++ ++ + /** + * Decrypts an EncryptedPrivateKeyInfo 
that was encrypted with a PBE + * algorithm. The algorithm and its parameters are extracted from diff --git a/SOURCES/jss-PKCS12-FIPS.patch b/SOURCES/jss-PKCS12-FIPS.patch new file mode 100644 index 0000000..b2aa854 --- /dev/null +++ b/SOURCES/jss-PKCS12-FIPS.patch 
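Review bot: In PK11KeyWrapper.c (hunk at -392,14 +412,24), the isNethsm branch sets isSensitive to PR_FALSE, and the following hunk passes isSensitive to PK11_UnwrapPrivKey where PR_TRUE used to be hard-coded, so on that path the unwrapped private key is created without the sensitive flag. Please add a comment beside the branch saying why the device needs this and what protects the key material once it is non-sensitive. The CKK_RSA case also drops CKA_DECRYPT from attribs with no explanation; say in a comment or the commit message whether unwrapped RSA keys are intentionally no longer usable for decryption.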
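Review bot: In PK11KeyWrapper.java (hunk at -190,21 +190,23), moving the owning-token and PK11SymKey checks inside the try block puts their InvalidKeyException under the new catch (Exception e) clause, so a key from the wrong token or of the wrong class ends in Assert.notReached instead of propagating InvalidKeyException to the caller. The key-type check that was already inside the try is affected the same way. Keep the checks outside the try, or rethrow InvalidKeyException ahead of the catch-all, for example `catch (InvalidKeyException e) { throw e; }`.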
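Review bot: In PK11Token.getKeyGenerator (hunk at -106,10 +106,13), the doesAlgorithm check is disabled by wrapping it in a comment rather than being deleted, and the method still declares NoSuchAlgorithmException although the visible body no longer throws it. Remove the dead code and state in the Javadoc where an unsupported algorithm is now reported, since callers can no longer rely on this call to reject it.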
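Review bot: In the new EncryptedPrivateKeyInfo.createPBE overload (hunk at -184,6 +185,89), the wrapper is always obtained with KeyWrapAlgorithm.DES3_CBC while the AlgorithmIdentifier is built from keyGenAlg.toOID(), so for any PBEAlgorithm whose getEncryptionAlg() is not triple-DES CBC the structure advertises one algorithm and is encrypted with another. Derive the wrap algorithm from encAlg or reject other algorithms up front. Separately, the trailing catch (Exception e) swallows every exception the signature declares, leaves e out of the message and lets the method return null; let the declared exceptions propagate. The Javadoc is missing @param token, and the instanceof PBEAlgorithm test cannot fail because the parameter is already typed PBEAlgorithm.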
@@ -0,0 +1,80 @@ +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix 2011-08-15 15:39:56.633158000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-08-15 20:43:34.947749000 -0700 +@@ -239,40 +239,47 @@ print_secitem(SECItem *item) { + * TokenException if an error occurs. + */ + static PK11SymKey* +-constructSHA1PBAKey(JNIEnv *env, SECItem *pwitem, SECItem *salt, ++constructSHA1PBAKey(JNIEnv *env, PK11SlotInfo *slot, SECItem *pwitem, SECItem *salt, + int iterationCount) + { +- PBEBitGenContext* pbeCtxt=NULL; +- SECItem *keyBits=NULL; + PK11SymKey *key=NULL; + +- pbeCtxt = PBE_CreateContext( SEC_OID_SHA1, pbeBitGenIntegrityKey, +- pwitem, salt, 160 /* SHA1 key length */, iterationCount); +- if( pbeCtxt == NULL ) { +- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to create PBE context"); ++ unsigned char ivData[8]; ++ SECItem mechItem; ++ CK_PBE_PARAMS pbe_params; ++ ++ if( pwitem == NULL ) { ++ JSS_throwMsg(env, TOKEN_EXCEPTION, ++ "constructSHA1PAKey:" ++ " pwitem NULL"); + goto finish; + } +- +- keyBits = PBE_GenerateBits(pbeCtxt); +- if( keyBits == NULL ) { +- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to generate bits from" +- "PBE context"); ++ if( salt == NULL ) { ++ JSS_throwMsg(env, TOKEN_EXCEPTION, ++ "constructSHA1PAKey:" ++ " salt NULL"); + goto finish; + } + +- key = PK11_ImportSymKey( PK11_GetInternalSlot(), CKM_SHA_1, +- PK11_OriginGenerated, CKA_SIGN, keyBits, NULL); ++ pbe_params.pInitVector = ivData; ++ pbe_params.pPassword = pwitem->data; ++ pbe_params.ulPasswordLen = pwitem->len; ++ pbe_params.pSalt = salt->data; ++ pbe_params.ulSaltLen = salt->len; ++ pbe_params.ulIteration = iterationCount; ++ mechItem.data = (unsigned char *) &pbe_params; ++ mechItem.len = sizeof(pbe_params); ++ ++ key = PK11_RawPBEKeyGen(slot, 
CKM_PBA_SHA1_WITH_SHA1_HMAC, &mechItem, pwitem, PR_FALSE, NULL); ++ + if( key == NULL ) { +- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to import PBA key from" +- " PBA-generated bits"); ++ JSS_throwMsg(env, TOKEN_EXCEPTION, ++ "PK11_RawPBEKeyGen:" ++ " failed to generate key"); + goto finish; + } + + finish: +- if( pbeCtxt ) { +- PBE_DestroyContext(pbeCtxt); +- } +- /* keyBits == pbeCtxt, so we don't need to free it */ + return key; + } + +@@ -324,7 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener + + /* special case, construct key by hand. Bug #336587 */ + +- skey = constructSHA1PBAKey(env, pwitem, salt, iterationCount); ++ skey = constructSHA1PBAKey(env, slot, pwitem, salt, iterationCount); + if( skey==NULL ) { + /* exception was thrown */ + goto finish; diff --git a/SOURCES/jss-VerifyCertificate.patch b/SOURCES/jss-VerifyCertificate.patch new file mode 100644 index 0000000..a017b77 --- /dev/null +++ b/SOURCES/jss-VerifyCertificate.patch 
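Review bot: In constructSHA1PBAKey (jss-PKCS12-FIPS.patch, hunk at -239,40 +239,47), iterationCount is a signed int copied straight into pbe_params.ulIteration, so a zero or negative value from the caller reaches PK11_RawPBEKeyGen unchecked, a negative one as a very large unsigned count. Add a range check beside the new pwitem and salt NULL checks and throw TOKEN_EXCEPTION when it fails. The new error messages also spell the function name as constructSHA1PAKey, which will not match a search for constructSHA1PBAKey in logs.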
@@ -0,0 +1,220 @@ +diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def +--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-10-20 09:53:10.288935000 -0700 ++++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-10-29 10:29:48.664212000 -0700 +@@ -331,6 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG + Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags; + Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative; + Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; ++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; + ;+ local: + ;+ *; + ;+}; +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-10-28 16:44:46.366082000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-10-31 17:30:25.502670000 -0700 +@@ -61,6 +61,7 @@ import org.mozilla.jss.provider.java.sec + public final class CryptoManager implements TokenSupplier + { + /** ++ * note: this is obsolete in NSS + * CertUsage options for validation + */ + public final static class CertUsage { +@@ -86,8 +87,6 @@ public final class CryptoManager impleme + return name; + } + +- +- + // certUsage, these must be kept in sync with nss/lib/certdb/certt.h + public static final CertUsage SSLClient = new CertUsage(0, "SSLClient"); + public static final CertUsage SSLServer = new CertUsage(1, "SSLServer"); +@@ -103,6 +102,63 @@ public final class CryptoManager impleme + public static final CertUsage AnyCA = new CertUsage(11, "AnyCA"); + } + ++ /** ++ * CertificateUsage options for validation ++ */ ++ public final static class CertificateUsage { ++ private int usage; ++ private String name; ++ ++ // certificateUsage, these must be kept in sync with nss/lib/certdb/certt.h ++ private static final int certificateUsageCheckAllUsages = 
0x0000; ++ private static final int certificateUsageSSLClient = 0x0001; ++ private static final int certificateUsageSSLServer = 0x0002; ++ private static final int certificateUsageSSLServerWithStepUp = 0x0004; ++ private static final int certificateUsageSSLCA = 0x0008; ++ private static final int certificateUsageEmailSigner = 0x0010; ++ private static final int certificateUsageEmailRecipient = 0x0020; ++ private static final int certificateUsageObjectSigner = 0x0040; ++ private static final int certificateUsageUserCertImport = 0x0080; ++ private static final int certificateUsageVerifyCA = 0x0100; ++ private static final int certificateUsageProtectedObjectSigner = 0x0200; ++ private static final int certificateUsageStatusResponder = 0x0400; ++ private static final int certificateUsageAnyCA = 0x0800; ++ ++ static private ArrayList list = new ArrayList(); ++ private CertificateUsage() {}; ++ private CertificateUsage(int usage, String name) { ++ this.usage = usage; ++ this.name = name; ++ this.list.add(this); ++ ++ } ++ public int getUsage() { ++ return usage; ++ } ++ ++ static public Iterator getCertificateUsages() { ++ return list.iterator(); ++ ++ } ++ public String toString() { ++ return name; ++ } ++ ++ public static final CertificateUsage CheckAllUsages = new CertificateUsage(certificateUsageCheckAllUsages, "CheckAllUsages"); ++ public static final CertificateUsage SSLClient = new CertificateUsage(certificateUsageSSLClient, "SSLClient"); ++ public static final CertificateUsage SSLServer = new CertificateUsage(certificateUsageSSLServer, "SSLServer"); ++ public static final CertificateUsage SSLServerWithStepUp = new CertificateUsage(certificateUsageSSLServerWithStepUp, "SSLServerWithStepUp"); ++ public static final CertificateUsage SSLCA = new CertificateUsage(certificateUsageSSLCA, "SSLCA"); ++ public static final CertificateUsage EmailSigner = new CertificateUsage(certificateUsageEmailSigner, "EmailSigner"); ++ public static final CertificateUsage EmailRecipient 
= new CertificateUsage(certificateUsageEmailRecipient, "EmailRecipient"); ++ public static final CertificateUsage ObjectSigner = new CertificateUsage(certificateUsageObjectSigner, "ObjectSigner"); ++ public static final CertificateUsage UserCertImport = new CertificateUsage(certificateUsageUserCertImport, "UserCertImport"); ++ public static final CertificateUsage VerifyCA = new CertificateUsage(certificateUsageVerifyCA, "VerifyCA"); ++ public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner"); ++ public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder"); ++ public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA"); ++ } ++ + public final static class NotInitializedException extends Exception {} + public final static class NicknameConflictException extends Exception {} + public final static class UserCertConflictException extends Exception {} +@@ -1386,6 +1442,7 @@ public final class CryptoManager impleme + } + return tok; + } ++ + ///////////////////////////////////////////////////////////// + // isCertValid + ///////////////////////////////////////////////////////////// +@@ -1395,6 +1452,39 @@ public final class CryptoManager impleme + * against Now. + * @param nickname The nickname of the certificate to verify. + * @param checkSig verify the signature of the certificate ++ * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check ++ * @return true for success; false otherwise ++ * ++ * @exception InvalidNicknameException If the nickname is null ++ * @exception ObjectNotFoundException If no certificate could be found ++ * with the given nickname. 
++ */ ++ ++ public boolean isCertValid(String nickname, boolean checkSig, ++ CertificateUsage certificateUsage) ++ throws ObjectNotFoundException, InvalidNicknameException ++ { ++ if (nickname==null) { ++ throw new InvalidNicknameException("Nickname must be non-null"); ++ } ++ // 0 certificate usage was supposed to get current usage, however, ++ // it is not exposed at this point ++ return verifyCertificateNowNative(nickname, ++ checkSig, ++ (certificateUsage == null) ? 0:certificateUsage.getUsage()); ++ } ++ ++ private native boolean verifyCertificateNowNative(String nickname, ++ boolean checkSig, int certificateUsage) throws ObjectNotFoundException; ++ ++ /** ++ * note: this method calls obsolete function in NSS ++ * ++ * Verify a certificate that exists in the given cert database, ++ * check if is valid and that we trust the issuer. Verify time ++ * against Now. ++ * @param nickname The nickname of the certificate to verify. ++ * @param checkSig verify the signature of the certificate + * @param certUsage see exposed certUsage defines to verify Certificate + * @return true for success; false otherwise + * +@@ -1413,6 +1503,9 @@ public final class CryptoManager impleme + return verifyCertNowNative(nickname, checkSig, certUsage.getUsage()); + } + ++ /* ++ * Obsolete in NSS ++ */ + private native boolean verifyCertNowNative(String nickname, + boolean checkSig, int cUsage) throws ObjectNotFoundException; + +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-10-28 16:45:46.501899000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-10-31 17:25:53.575482000 -0700 +@@ -1575,11 +1575,62 @@ finish: + } + + /*********************************************************************** +- * CryptoManager.verifyCertNowNative ++ * CryptoManager.verifyCertificateNowNative + * + * Returns JNI_TRUE if 
success, JNI_FALSE otherwise + */ + JNIEXPORT jboolean JNICALL ++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, ++ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage) ++{ ++ SECStatus rv = SECFailure; ++ SECCertificateUsage certificateUsage; ++ SECCertificateUsage currUsage; /* unexposed for now */ ++ CERTCertificate *cert=NULL; ++ char *nickname=NULL; ++ ++ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL); ++ if( nickname == NULL ) { ++ goto finish; ++ } ++ ++ certificateUsage = required_certificateUsage; ++ ++ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); ++ ++ if (cert == NULL) { ++ JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); ++ goto finish; ++ } else { ++ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to ++ * just get the current usage (which we are not passing back for now ++ * but will bypass the certificate usage check ++ */ ++ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, ++ checkSig, certificateUsage, NULL, &currUsage ); ++ } ++ ++finish: ++ if(nickname != NULL) { ++ (*env)->ReleaseStringUTFChars(env, nickString, nickname); ++ } ++ if(cert != NULL) { ++ CERT_DestroyCertificate(cert); ++ } ++ if( rv == SECSuccess) { ++ return JNI_TRUE; ++ } else { ++ return JNI_FALSE; ++ } ++} ++ ++ ++/*********************************************************************** ++ * CryptoManager.verifyCertNowNative ++ * note: this calls obsolete NSS function ++ * Returns JNI_TRUE if success, JNI_FALSE otherwise ++ */ ++JNIEXPORT jboolean JNICALL + Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env, + jobject self, jstring nickString, jboolean checkSig, jint cUsage) + { diff --git a/SOURCES/jss-VerifyCertificateReturnCU.patch b/SOURCES/jss-VerifyCertificateReturnCU.patch new file mode 100644 index 0000000..7d220ef --- /dev/null +++ b/SOURCES/jss-VerifyCertificateReturnCU.patch 
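Review bot: In the new isCertValid(String, boolean, CertificateUsage) in CryptoManager.java (jss-VerifyCertificate.patch, hunk at -1395,6 +1452,39), a null certificateUsage is converted to 0, and the native comment says 0 bypasses the certificate usage check, so a caller that passes null by mistake gets a true result with no usage verified. Consider throwing on null and requiring CertificateUsage.CheckAllUsages to request that behaviour explicitly; at minimum the Javadoc line "null will bypass usage check" should state what a true return means in that case.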
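Review bot: In the new CertificateUsage class (jss-VerifyCertificate.patch, hunk at -103,6 +102,63), getCertificateUsages() returns list.iterator() on the static raw ArrayList that the constructor fills, so any caller can drop entries through Iterator.remove(). Return an iterator over an unmodifiable view, for example Collections.unmodifiableList(list).iterator(), and reference the static field as list rather than this.list in the constructor.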
@@ -0,0 +1,227 @@ +diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def +--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-12-21 12:35:04.360044000 -0800 ++++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-12-21 12:36:05.364105000 -0800 +@@ -332,6 +332,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG + Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative; + Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; + Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; ++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative; + ;+ local: + ;+ *; + ;+}; +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-12-21 12:36:24.417124000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-12-21 12:43:54.777575000 -0800 +@@ -157,6 +157,19 @@ public final class CryptoManager impleme + public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner"); + public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder"); + public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA"); ++ ++ /* ++ The folllowing usages cannot be verified: ++ certUsageAnyCA ++ certUsageProtectedObjectSigner ++ certUsageUserCertImport ++ certUsageVerifyCA ++ */ ++ public static final int basicCertificateUsages = /*0x0b80;*/ ++ certificateUsageUserCertImport | ++ certificateUsageVerifyCA | ++ certificateUsageProtectedObjectSigner | ++ certificateUsageAnyCA ; + } + + public final static class NotInitializedException extends Exception {} +@@ -1452,14 +1465,43 @@ public final class CryptoManager impleme + * against Now. 
+ * @param nickname The nickname of the certificate to verify. + * @param checkSig verify the signature of the certificate +- * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check +- * @return true for success; false otherwise ++ * @return currCertificateUsage which contains current usage bit map as defined in CertificateUsage + * + * @exception InvalidNicknameException If the nickname is null + * @exception ObjectNotFoundException If no certificate could be found + * with the given nickname. + */ ++ public int isCertValid(String nickname, boolean checkSig) ++ throws ObjectNotFoundException, InvalidNicknameException ++ { ++ if (nickname==null) { ++ throw new InvalidNicknameException("Nickname must be non-null"); ++ } ++ int currCertificateUsage = 0x0000; // initialize it to 0 ++ currCertificateUsage = verifyCertificateNowCUNative(nickname, ++ checkSig); ++ return currCertificateUsage; ++ } ++ ++ private native int verifyCertificateNowCUNative(String nickname, ++ boolean checkSig) throws ObjectNotFoundException; + ++ ///////////////////////////////////////////////////////////// ++ // isCertValid ++ ///////////////////////////////////////////////////////////// ++ /** ++ * Verify a certificate that exists in the given cert database, ++ * check if is valid and that we trust the issuer. Verify time ++ * against Now. ++ * @param nickname The nickname of the certificate to verify. ++ * @param checkSig verify the signature of the certificate ++ * @param certificateUsage see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above ++ * @return true for success; false otherwise ++ * ++ * @exception InvalidNicknameException If the nickname is null ++ * @exception ObjectNotFoundException If no certificate could be found ++ * with the given nickname. 
++ */ + public boolean isCertValid(String nickname, boolean checkSig, + CertificateUsage certificateUsage) + throws ObjectNotFoundException, InvalidNicknameException +@@ -1467,11 +1509,23 @@ public final class CryptoManager impleme + if (nickname==null) { + throw new InvalidNicknameException("Nickname must be non-null"); + } +- // 0 certificate usage was supposed to get current usage, however, +- // it is not exposed at this point +- return verifyCertificateNowNative(nickname, +- checkSig, +- (certificateUsage == null) ? 0:certificateUsage.getUsage()); ++ // 0 certificate usage will get current usage ++ // should call isCertValid() call above that returns certificate usage ++ if ((certificateUsage == null) || ++ (certificateUsage == CertificateUsage.CheckAllUsages)){ ++ int currCertificateUsage = 0x0000; ++ currCertificateUsage = verifyCertificateNowCUNative(nickname, ++ checkSig); ++ ++ if (currCertificateUsage == CertificateUsage.basicCertificateUsages){ ++ // cert is good for nothing ++ return false; ++ } else ++ return true; ++ } else { ++ return verifyCertificateNowNative(nickname, checkSig, ++ certificateUsage.getUsage()); ++ } + } + + private native boolean verifyCertificateNowNative(String nickname, +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-12-21 12:36:29.023129000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-12-21 16:03:34.599742000 -0800 +@@ -1574,18 +1574,16 @@ finish: + } + } + ++ + /*********************************************************************** +- * CryptoManager.verifyCertificateNowNative +- * +- * Returns JNI_TRUE if success, JNI_FALSE otherwise ++ * CryptoManager.verifyCertificateNow + */ +-JNIEXPORT jboolean JNICALL +-Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, +- jobject self, jstring nickString, jboolean checkSig, 
jint required_certificateUsage) ++SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString, ++ jboolean checkSig, jint required_certificateUsage, ++ SECCertificateUsage *currUsage) + { + SECStatus rv = SECFailure; + SECCertificateUsage certificateUsage; +- SECCertificateUsage currUsage; /* unexposed for now */ + CERTCertificate *cert=NULL; + char *nickname=NULL; + +@@ -1602,12 +1600,28 @@ Java_org_mozilla_jss_CryptoManager_verif + JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); + goto finish; + } else { +- /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to +- * just get the current usage (which we are not passing back for now +- * but will bypass the certificate usage check ++ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will ++ * retrieve the current valid usage into currUsage + */ + rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, +- checkSig, certificateUsage, NULL, &currUsage ); ++ checkSig, certificateUsage, NULL, currUsage ); ++ if ((rv == SECSuccess) && certificateUsage == 0x0000) { ++ if (*currUsage == ++ ( certUsageUserCertImport | ++ certUsageVerifyCA | ++ certUsageProtectedObjectSigner | ++ certUsageAnyCA )) { ++ ++ /* the cert is good for nothing ++ The folllowing usages cannot be verified: ++ certUsageAnyCA ++ certUsageProtectedObjectSigner ++ certUsageUserCertImport ++ certUsageVerifyCA ++ (0x0b80) */ ++ rv =SECFailure; ++ } ++ } + } + + finish: +@@ -1617,6 +1631,49 @@ finish: + if(cert != NULL) { + CERT_DestroyCertificate(cert); + } ++ ++ return rv; ++} ++ ++/*********************************************************************** ++ * CryptoManager.verifyCertificateNowCUNative ++ * ++ * Returns jint which contains bits in SECCertificateUsage that reflects ++ * the cert usage(s) that the cert is good for ++ * if the cert is good for nothing, returned value is ++ * (0x0b80): ++ * certUsageUserCertImport | ++ * certUsageVerifyCA | ++ * certUsageProtectedObjectSigner | ++ * certUsageAnyCA ++ 
*/ ++JNIEXPORT jint JNICALL ++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env, ++ jobject self, jstring nickString, jboolean checkSig) ++{ ++ SECStatus rv = SECFailure; ++ SECCertificateUsage currUsage = 0x0000; ++ ++ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage); ++ /* rv is ignored */ ++ ++ return currUsage; ++} ++ ++/*********************************************************************** ++ * CryptoManager.verifyCertificateNowNative ++ * ++ * Returns JNI_TRUE if success, JNI_FALSE otherwise ++ */ ++JNIEXPORT jboolean JNICALL ++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, ++ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage) ++{ ++ SECStatus rv = SECFailure; ++ SECCertificateUsage currUsage = 0x0000; ++ ++ rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage); ++ + if( rv == SECSuccess) { + return JNI_TRUE; + } else { +@@ -1624,7 +1681,6 @@ finish: + } + } + +- + /*********************************************************************** + * CryptoManager.verifyCertNowNative + * note: this calls obsolete NSS function diff --git a/SOURCES/jss-bad-error-string-pointer.patch b/SOURCES/jss-bad-error-string-pointer.patch new file mode 100644 index 0000000..05244c3 --- /dev/null +++ b/SOURCES/jss-bad-error-string-pointer.patch 
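Review bot: In isCertValid(String, boolean, CertificateUsage) for the null or CheckAllUsages case (jss-VerifyCertificateReturnCU.patch, hunk at -1467,11 +1509,23), every value other than basicCertificateUsages is treated as valid, while verifyCertificateNowCUNative discards rv ("rv is ignored") and starts currUsage at 0x0000. Any failure path that leaves currUsage at its initial value therefore comes back as 0 and this method returns true. Have the native side report failure explicitly, or return basicCertificateUsages when rv != SECSuccess, and test for at least one usable bit, e.g. (currCertificateUsage & ~CertificateUsage.basicCertificateUsages) != 0.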
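Review bot: In verifyCertificateNow in PK11Finder.c (jss-VerifyCertificateReturnCU.patch, hunk at -1602,12 +1600,28), the good-for-nothing comparison ORs certUsageUserCertImport, certUsageVerifyCA, certUsageProtectedObjectSigner and certUsageAnyCA, while the comment beneath it and the Java basicCertificateUsages constant expect the certificateUsage bit flags (0x0b80). The Java CertUsage class in the same file maps AnyCA to 11, so if the C certUsage names carry those ordinal values the mask will not equal 0x0b80 and the branch that sets rv to SECFailure never fires. Use the certificateUsage* flags in this comparison.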
@@ -0,0 +1,27 @@ +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.c 2010-11-17 18:54:56.000000000 -0500 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.c 2010-11-18 09:46:34.000000000 -0500 +@@ -124,20 +124,16 @@ + /* Clean up after PR_interrupt. */ + PR_NT_CancelIo(sock->fd); + #endif +- JSSL_throwSSLSocketException(env, +- "Accept operation interrupted with error code " + err); ++ JSSL_throwSSLSocketException(env, "Accept operation interrupted"); + } else if( err == PR_IO_TIMEOUT_ERROR ) { + #ifdef WINNT + PR_NT_CancelIo(sock->fd); + #endif +- JSSL_throwSSLSocketException(env, +- "Accept operation timed out with error code " + err); ++ JSSL_throwSSLSocketException(env, "Accept operation timed out"); + } else if( err == PR_IO_ERROR ) { +- JSSL_throwSSLSocketException(env, +- "Accept operation received IO error with error code " + err); ++ JSSL_throwSSLSocketException(env, "Accept operation received IO error"); + } else { +- JSSL_throwSSLSocketException(env, +- "Accept operation failed with error code " + err); ++ JSSL_throwSSLSocketException(env, "Accept operation failed"); + } + goto finish; + } diff --git a/SOURCES/jss-eliminate-java-compiler-warnings.patch b/SOURCES/jss-eliminate-java-compiler-warnings.patch new file mode 100644 index 0000000..1df99d3 --- /dev/null +++ b/SOURCES/jss-eliminate-java-compiler-warnings.patch 
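Review bot: In SSLServerSocket.c (jss-bad-error-string-pointer.patch), all four JSSL_throwSSLSocketException messages now omit err, so in the final else branch the exception no longer tells the caller which NSPR error occurred. Removing the "literal" + err expression is right, since in C it offsets the string pointer instead of appending the number; to keep the diagnostic, format err into a local buffer and pass that buffer, at least for the generic "Accept operation failed" case.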
@@ -0,0 +1,641 @@ +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2011-08-10 16:21:30.837765000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2011-08-12 13:13:34.449664000 -0700 +@@ -1125,7 +1125,7 @@ public final class CryptoManager impleme + * Imports a single certificate into the permanent certificate + * database. + * +- * @param derCert the certificate you want to add ++ * @param cert the certificate you want to add + * @param nickname the nickname you want to refer to the certificate as + * (must not be null) + */ +@@ -1391,11 +1391,11 @@ public final class CryptoManager impleme + public static final String + JAR_JDK_VERSION = "JDK_VERSION = N/A"; + public static final String +- JAR_NSS_VERSION = "NSS_VERSION = NSS_3_11_9_RTM"; ++ JAR_NSS_VERSION = "NSS_VERSION = N/A"; + public static final String + JAR_DBM_VERSION = "DBM_VERSION = N/A"; + public static final String +- JAR_NSPR_VERSION = "NSPR_VERSION = NSPR_4_7_RTM"; ++ JAR_NSPR_VERSION = "NSPR_VERSION = N/A"; + + /** + * Loads the JSS dynamic library if necessary. +@@ -1433,8 +1433,8 @@ public final class CryptoManager impleme + * this thread's token to null will also cause the + * InternalKeyStorageToken to be used. + * +- * @param The token to use for crypto operations. Specifying null +- * will cause the InternalKeyStorageToken to be used. ++ * @param token The token to use for crypto operations. Specifying ++ * null will cause the InternalKeyStorageToken to be used. + */ + public void setThreadToken(CryptoToken token) { + if( token != null ) { +@@ -1579,7 +1579,7 @@ public final class CryptoManager impleme + * Verify a certificate in memory. Check if + * valid and that we trust the issuer. Verify time + * against Now. 
+- * @param certificate in memory ++ * @param certPackage certificate in memory + * @param checkSig verify the signature of the certificate + * @param certUsage see exposed certUsage defines to verify Certificate + * @return true for success; false otherwise +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java 2011-08-10 17:29:33.476661000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java 2011-08-12 11:00:26.456852000 -0700 +@@ -51,7 +51,7 @@ public final class JSSProvider extends j + + private static int JSS_MAJOR_VERSION = 4; + private static int JSS_MINOR_VERSION = 2; +- private static int JSS_PATCH_VERSION = 5; ++ private static int JSS_PATCH_VERSION = 6; + private static double JSS_VERSION = JSS_MAJOR_VERSION + + (JSS_MINOR_VERSION * 100 + + JSS_PATCH_VERSION)/10000.0; +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2004-04-25 08:02:21.000000000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2011-08-12 13:10:50.781827000 -0700 +@@ -144,8 +144,8 @@ public abstract class Cipher { + * B is the block size, the padding string consists of + * B - (M mod B) octets, each having the value + * B - (M mod B). +- * @param The block size of the encryption algorithm. Must be greater +- * than zero. ++ * @param blockSize The block size of the encryption algorithm. ++ * Must be greater than zero. 
+ * @see #unPad + */ + public static byte[] +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2007-11-09 16:37:56.000000000 -0800 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2011-08-12 11:07:20.326438000 -0700 +@@ -194,7 +194,7 @@ public interface CryptoToken { + * Login to the token. If a token is logged in, it will not trigger + * password callbacks. + * +- * @param password The password for this token. ++ * @param pwcb The password callback for this token. + * @exception IncorrectPasswordException If the supplied password is + * incorrect. + * @see #setLoginMode +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2004-04-25 08:02:21.000000000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2011-08-12 11:08:37.747360000 -0700 +@@ -88,7 +88,7 @@ public abstract class JSSMessageDigest { + * Completes digestion. + * + * @return The, ahem, output of the digest operation. +- * @param If an error occurs while digesting. ++ * @exception DigestException If an error occurs while digesting. 
+ */ + public byte[] digest() throws DigestException { + byte[] output = new byte[getOutputSize()]; +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java 2004-04-25 08:02:21.000000000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java 2011-08-12 11:09:41.345296000 -0700 +@@ -60,7 +60,7 @@ public class PBEKeyGenParams implements + * Must not be null. It is the responsibility of the caller to + * use the right salt length for the algorithm. Most algorithms + * use 8 bytes of salt. +- * @param The iteration count for the PBE algorithm. ++ * @param iterations The iteration count for the PBE algorithm. + */ + public PBEKeyGenParams(Password pass, byte[] salt, int iterations) { + if(pass==null || salt==null) { +@@ -80,7 +80,7 @@ public class PBEKeyGenParams implements + * Must not be null. It is the responsibility of the caller to + * use the right salt length for the algorithm. Most algorithms + * use 8 bytes of salt. +- * @param The iteration count for the PBE algorithm. ++ * @param iterations The iteration count for the PBE algorithm. + */ + public PBEKeyGenParams(char[] pass, byte[] salt, int iterations) { + if(pass==null || salt==null) { +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2007-11-09 16:37:57.000000000 -0800 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-08-12 11:13:51.807047000 -0700 +@@ -228,8 +228,8 @@ public final class PK11Token implements + * Initialize PIN. This sets the user's new PIN, using the current + * security officer PIN for authentication. 
+ * +- * @param ssopw The security officer's current password. +- * @param userpw The user's new password. ++ * @param ssopwcb The security officer's current password callback. ++ * @param userpwcb The user's new password callback. + * @exception IncorrectPinException If the security officer PIN is + * incorrect. + * @exception TokenException If the PIN was already initialized, +@@ -322,8 +322,8 @@ public final class PK11Token implements + * Change password. This changes the user's PIN after it has already + * been initialized. + * +- * @param oldPIN The user's old PIN. +- * @param newPIN The new PIN. ++ * @param oldPINcb The user's old PIN callback. ++ * @param newPINcb The new PIN callback. + * @exception IncorrectPasswordException If the old PIN is incorrect. + * @exception TokenException If some other error occurs on the token. + * +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java 2005-09-22 10:58:35.000000000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java 2011-08-12 11:14:44.011995000 -0700 +@@ -288,7 +288,7 @@ public final class SafeBag implements AS + * as the nickname of the associated cert. + * @param localKeyID The localKeyID for the key; should be the same as + * the localKeyID of the associated cert. +- * @param The password used to encrypt the private key. ++ * @param password The password used to encrypt the private key. 
+ */ + public static SafeBag + createEncryptedPrivateKeyBag(PrivateKeyInfo privk, String friendlyName, +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java 2004-04-25 08:02:23.000000000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java 2011-08-12 11:12:13.957145000 -0700 +@@ -430,7 +430,6 @@ public class SignerInfo implements ASN1V + * SignerInfo. + * @param contentType The type of the content that is signed by this + * SignerInfo. +- * @param pubkey The public key to use to verify the signature. + * @exception NoSuchObjectException If no certificate matching the + * the issuer name and serial number can be found. + */ +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java 2004-11-18 14:56:11.000000000 -0800 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java 2011-08-12 11:20:39.240639000 -0700 +@@ -108,7 +108,7 @@ public class CMCStatusInfo implements AS + * @param status A CMCStatus constant. + * @param bodyList The sequence of bodyPartID. + * @param statusString A String. +- * @param OtherInfo The OtherInfo choice. ++ * @param otherInfo The OtherInfo choice. 
+ */ + public CMCStatusInfo(int status, SEQUENCE bodyList, String + statusString, OtherInfo otherInfo) { +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java 2006-05-23 20:18:17.000000000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java 2011-08-12 11:21:27.389591000 -0700 +@@ -88,7 +88,6 @@ public class PKIStatusInfo implements AS + /** + * Create a PKIStatusInfo with no failure info. + * @param status A PKIStatus constant. +- * @param failInfo The bitwise AND of the PKIFailureInfo constants. + */ + public PKIStatusInfo(int status) { + this.status = new INTEGER(status); +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java 2004-04-25 08:02:26.000000000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java 2011-08-12 11:20:11.194667000 -0700 +@@ -115,10 +115,6 @@ public class DirectoryString implements + + /** + * Converts an ASN.1 DirectoryString to a Java string. +- * +- * @param dirstr An ANY containing a BER-encoded DirectoryString. +- * @exception InvalidBERException If the encoding does not contain a +- * valid DirectoryString. + */ + public String toString() { + return asn1String.toString(); +@@ -176,6 +172,8 @@ public class DirectoryString implements + /** + * @param implicitTag This paramter is ignored, because + * DirectoryStrings (being CHOICEs) cannot have implicit tags. ++ * @exception InvalidBERException If the encoding does not contain a ++ * valid DirectoryString. 
+ */ + public ASN1Value decode(Tag implicitTag, InputStream istream) + throws IOException, InvalidBERException +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java 2003-04-28 14:48:33.000000000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java 2011-08-12 10:58:39.589958000 -0700 +@@ -91,14 +91,18 @@ class JSSSecretKeyFactorySpi extends Sec + // versions is to use the reflection API. + Class specClass = spec.getClass(); + try { +- Method getSaltMethod = specClass.getMethod("getSalt", null); ++ Method getSaltMethod = specClass.getMethod("getSalt", ++ (java.lang.Class) null); + Method getIterationMethod = +- specClass.getMethod("getIterationCount", null); ++ specClass.getMethod("getIterationCount", ++ (java.lang.Class) null); + +- byte[] salt = (byte[]) getSaltMethod.invoke(spec, null); ++ byte[] salt = (byte[]) getSaltMethod.invoke(spec, ++ (java.lang.Class) null); + + Integer itCountObj = +- (Integer) getIterationMethod.invoke(spec,null); ++ (Integer) getIterationMethod.invoke(spec, ++ (java.lang.Class) null); + int iterationCount = itCountObj.intValue(); + + Password pass = new Password(spec.getPassword()); +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2011-08-10 16:21:30.412765000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2011-08-12 11:47:38.385021000 -0700 +@@ -182,11 +182,11 @@ public class SSLSocket extends java.net. 
+ } + + /** +- * Creates an SSL client socket and connects to the specified host and ++ * Creates an SSL client socket and connects to the specified address and + * port. Binds to the given local address and port. Installs the given + * callbacks for certificate approval and client certificate selection. + * +- * @param host The hostname to connect to. ++ * @param address The IP address to connect to. + * @param port The port to connect to. + * @param localAddr The local address to bind to. It can be null, in which + * case an unspecified local address will be chosen. +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java 2006-02-23 08:47:17.000000000 -0800 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java 2011-08-12 13:11:11.790805000 -0700 +@@ -96,7 +96,7 @@ public class HMACTest { + + /** + * Main test method. 
+- * @params args[] ++ * @param argv + */ + public static void main(String []argv) { + +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2011-08-10 16:21:30.337766000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2011-08-12 11:53:56.192644000 -0700 +@@ -116,9 +116,9 @@ public class JCASymKeyGen { + } + /** + * +- * @param key +- * @param kg +- * @return ++ * @param keyType ++ * @param provider ++ * @return javax.crypto.SecretKey key + */ + public javax.crypto.SecretKey genSecretKey(String keyType, String provider){ + javax.crypto.SecretKey key = null; +@@ -155,7 +155,7 @@ public class JCASymKeyGen { + * + * @param keyType + * @param provider +- * @return ++ * @return javax.crypto.SecretKey key + */ + public javax.crypto.SecretKey genPBESecretKey(String keyType, + String provider){ +@@ -197,8 +197,10 @@ public class JCASymKeyGen { + /** + * + * @param sKey +- * @param AlgType +- * @param provider ++ * @param algFamily ++ * @param algType ++ * @param providerForEncrypt ++ * @param providerForDecrypt + */ + public void testCipher(javax.crypto.SecretKey sKey, String algFamily, + String algType, String providerForEncrypt, String providerForDecrypt) +@@ -304,8 +306,10 @@ public class JCASymKeyGen { + /** + * + * @param sKey +- * @param AlgType +- * @param provider ++ * @param algFamily ++ * @param algType ++ * @param providerForEncrypt ++ * @param providerForDecrypt + */ + public void testMultiPartCipher(javax.crypto.SecretKey sKey, String algFamily, + String algType, String providerForEncrypt, String providerForDecrypt) +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java +--- 
alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java 2007-11-15 13:30:19.000000000 -0800 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java 2011-08-12 12:56:15.480701000 -0700 +@@ -78,7 +78,7 @@ public class JSSE_SSLClient { + + /** + * Set the protocol type and revision +- * @param String sslRevision ++ * @param fSslRevision + */ + public void setSslRevision(String fSslRevision) { + +@@ -91,7 +91,7 @@ public class JSSE_SSLClient { + + /** + * Set the host name to connect to. +- * @param String hostname ++ * @param fHost + */ + public void setHost(String fHost) { + this.host = fHost; +@@ -99,7 +99,7 @@ public class JSSE_SSLClient { + + /** + * Set the port number to connect to. +- * @param int portnumber ++ * @param fPort + */ + public void setPort(int fPort) { + this.port = fPort; +@@ -107,7 +107,7 @@ public class JSSE_SSLClient { + + /** + * Set the cipher suite name to use. +- * @param String cipherSuiteName ++ * @param fCipherSuite + */ + public void setCipherSuite(String fCipherSuite) { + this.cipherName = fCipherSuite; +@@ -115,7 +115,7 @@ public class JSSE_SSLClient { + + /** + * Set the location of rsa.pfx +- * @param String fKeystoreLoc ++ * @param fKeystoreLoc + */ + public void setKeystoreLoc(String fKeystoreLoc) { + keystoreLoc = fKeystoreLoc + "/" + keystoreLoc; +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java 2007-11-15 13:30:19.000000000 -0800 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java 2011-08-12 12:57:18.987637000 -0700 +@@ -75,7 +75,7 @@ public class JSSE_SSLServer { + + /** + * Set the provider to use. 
+- * @param String p ++ * @param p + */ + public void setProvider(String p) { + provider = p; +@@ -90,7 +90,7 @@ public class JSSE_SSLServer { + } + /** + * Set the location of keystore file. +- * @param String fconfigDir ++ * @param fconfigDir + */ + public void setKeystore(String fconfigDir) { + configDir = fconfigDir; +@@ -117,7 +117,7 @@ public class JSSE_SSLServer { + + /** + * Start SSLServer and accept connections. +- * @param args[] ++ * @param args + */ + public void startSSLServer(String[] args) throws Exception { + String configDir = ""; +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java 2005-08-11 11:28:59.000000000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java 2011-08-12 12:50:45.946239000 -0700 +@@ -79,7 +79,7 @@ public class JSS_FileUploadClient { + /** + * Initialize the desired cipher to be set + * on the socket. 
+- * @param int Cipher ++ * @param aCipher + */ + public void setCipher(int aCipher) { + fCipher = aCipher; +@@ -87,7 +87,7 @@ public class JSS_FileUploadClient { + + /** + * Initialize the hostname to run the server +- * @param String ServerName ++ * @param aHostName + */ + public void setHostName(String aHostName) { + serverHost = aHostName; +@@ -95,7 +95,7 @@ public class JSS_FileUploadClient { + + /** + * Initialize the port to run the server +- * @param int port ++ * @param aPort + */ + public void setPort(int aPort) { + port = aPort; +@@ -103,7 +103,7 @@ public class JSS_FileUploadClient { + + /** + * Initialize the passwords file name +- * @param String passwords ++ * @param aPasswordFile + */ + public void setPasswordFile(String aPasswordFile) { + fPasswordFile = aPasswordFile; +@@ -111,7 +111,7 @@ public class JSS_FileUploadClient { + + /** + * Initialize the cert db path name +- * @param String CertDbPath ++ * @param aCertDbPath + */ + public void setCertDbPath(String aCertDbPath) { + fCertDbPath = aCertDbPath; +@@ -120,7 +120,7 @@ public class JSS_FileUploadClient { + /** + * Initialize the name of the file to + * be used for testing along with full path. +- * @param String UploadFile ++ * @param aUploadFile + */ + public void setUploadFile(String aUploadFile) { + fUploadFile = aUploadFile; +@@ -128,7 +128,7 @@ public class JSS_FileUploadClient { + + /** + * Enable/disable Test Cert Callback. 
+- * @param boolean ++ * @param aTestCertCallback + */ + public void setTestCertCallback(boolean aTestCertCallback) { + TestCertCallBack = aTestCertCallback; +@@ -136,7 +136,7 @@ public class JSS_FileUploadClient { + + /** + * Set client certificate +- * @param String Certificate Nick Name ++ * @param aClientCertNick Certificate Nick Name + */ + public void setClientCertNick(String aClientCertNick) { + clientCertNick = aClientCertNick; +@@ -170,7 +170,7 @@ public class JSS_FileUploadClient { + + /** + * Set EOF for closinng server socket +- * @param null for closing server socket ++ * @param fEof null for closing server socket + */ + public void setEOF(String fEof) { + this.EOF = fEof; +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java 2007-08-20 17:07:58.000000000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java 2011-08-12 12:54:46.978789000 -0700 +@@ -99,7 +99,7 @@ public class JSS_SSLClient { + /** + * Initialize the desired cipher to be set + * on the socket. 
+- * @param int Cipher ++ * @param aCipher + */ + public void setCipher(int aCipher) { + fCipher = aCipher; +@@ -107,7 +107,7 @@ public class JSS_SSLClient { + + /** + * Initialize the hostname to run the server +- * @param String ServerName ++ * @param aHostName + */ + public void setHostName(String aHostName) { + serverHost = aHostName; +@@ -115,7 +115,7 @@ public class JSS_SSLClient { + + /** + * Initialize the port to run the server +- * @param int port ++ * @param aPort + */ + public void setPort(int aPort) { + port = aPort; +@@ -123,7 +123,7 @@ public class JSS_SSLClient { + + /** + * Initialize the passwords file name +- * @param String passwords ++ * @param aPasswordFile + */ + public void setPasswordFile(String aPasswordFile) { + fPasswordFile = aPasswordFile; +@@ -131,7 +131,7 @@ public class JSS_SSLClient { + + /** + * Initialize the cert db path name +- * @param String CertDbPath ++ * @param aCertDbPath + */ + public static void setCertDbPath(String aCertDbPath) { + fCertDbPath = aCertDbPath; +@@ -147,7 +147,7 @@ public class JSS_SSLClient { + + /** + * Enable/disable Test Cert Callback. +- * @param boolean ++ * @param bypass + */ + public void setBypass(boolean bypass) { + testBypass = bypass; +@@ -155,7 +155,7 @@ public class JSS_SSLClient { + + /** + * Enable/disable Test Cert Callback. 
+- * @param boolean ++ * @param aTestCertCallback + */ + public void setTestCertCallback(boolean aTestCertCallback) { + TestCertCallBack = aTestCertCallback; +@@ -163,7 +163,7 @@ public class JSS_SSLClient { + + /** + * Set client certificate +- * @param String Certificate Nick Name ++ * @param aClientCertNick Certificate Nick Name + */ + public void setClientCertNick(String aClientCertNick) { + clientCertNick = aClientCertNick; +@@ -197,7 +197,7 @@ public class JSS_SSLClient { + + /** + * Set EOF for closinng server socket +- * @param null for closing server socket ++ * @param fEof null for closing server socket + */ + public void setEOF(String fEof) { + this.EOF = fEof; +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java 2007-11-15 13:30:19.000000000 -0800 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java 2011-08-12 12:52:43.644913000 -0700 +@@ -326,7 +326,7 @@ public class JSS_SelfServClient implemen + /** + * Initialize the desired ciphersuite to be set + * on the socket. 
+- * @param int Cipher ++ * @param aCipher + */ + public void setCipher(int aCipher) { + +@@ -378,7 +378,7 @@ public class JSS_SelfServClient implemen + + /** + * Initialize the hostname to run the server +- * @param String ServerName ++ * @param aHostName + */ + public void setHostName(String aHostName) { + serverHost = aHostName; +@@ -386,7 +386,7 @@ public class JSS_SelfServClient implemen + + /** + * Initialize the port to run the server +- * @param int port ++ * @param aPort + */ + public void setPort(int aPort) { + port = aPort; +@@ -394,7 +394,7 @@ public class JSS_SelfServClient implemen + + /** + * Initialize the passwords file name +- * @param String passwords ++ * @param aPasswordFile + */ + public void setPasswordFile(String aPasswordFile) { + fPasswordFile = aPasswordFile; +@@ -402,7 +402,7 @@ public class JSS_SelfServClient implemen + + /** + * Initialize the cert db path name +- * @param String CertDbPath ++ * @param aCertDbPath + */ + public void setCertDbPath(String aCertDbPath) { + fCertDbPath = aCertDbPath; +@@ -410,7 +410,7 @@ public class JSS_SelfServClient implemen + + /** + * Enable/disable Test Cert Callback. 
+- * @param boolean ++ * @param aTestCertCallback + */ + public void setTestCertCallback(boolean aTestCertCallback) { + TestCertCallBack = aTestCertCallback; +@@ -418,7 +418,7 @@ public class JSS_SelfServClient implemen + + /** + * Set client certificate +- * @param String Certificate Nick Name ++ * @param aClientCertNick Certificate Nick Name + */ + public void setClientCertNick(String aClientCertNick) { + clientCertNick = aClientCertNick; +diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java +--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 2007-08-23 16:21:13.000000000 -0700 ++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 2011-08-12 12:58:27.925569000 -0700 +@@ -78,7 +78,7 @@ public class SSLClientAuth implements Ru + * @param rand + * @param extensions + * @throws java.lang.Exception +- * @return ++ * @return Certificate + */ + public static Certificate makeCert(String issuerName, String subjectName, + int serialNumber, PrivateKey privKey, PublicKey pubKey, int rand, diff --git a/SOURCES/jss-eliminate-native-compiler-warnings.patch b/SOURCES/jss-eliminate-native-compiler-warnings.patch new file mode 100644 index 0000000..d981eb7 --- /dev/null +++ b/SOURCES/jss-eliminate-native-compiler-warnings.patch 
@@ -0,0 +1,621 @@ +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-08-10 16:21:30.609765000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-08-11 17:54:57.255176000 -0700 +@@ -55,7 +55,7 @@ + + #include "pk11util.h" + +-#if defined(AIX) || defined(HPUX) || defined(LINUX) ++#if defined(AIX) || defined(HPUX) + #include + #endif + +@@ -90,11 +90,11 @@ const char * jss_sccsid() { + /********************************************************************/ + + /* JSS_VERSION from mozilla/security/jss/org/mozilla/jss/util/jssver.h */ +-static const char* DLL_JSS_VERSION = "JSS_VERSION = " JSS_VERSION; ++static const char* VARIABLE_MAY_NOT_BE_USED DLL_JSS_VERSION = "JSS_VERSION = " JSS_VERSION; + /* NSS_VERSION from mozilla/security/nss/lib/nss/nss.h */ +-static const char* DLL_NSS_VERSION = "NSS_VERSION = " NSS_VERSION; ++static const char* VARIABLE_MAY_NOT_BE_USED DLL_NSS_VERSION = "NSS_VERSION = " NSS_VERSION; + /* NSPR_version from mozilla/nsprpub/pr/include/prinit.h */ +-static const char* DLL_NSPR_VERSION = "NSPR_VERSION = " PR_VERSION; ++static const char* VARIABLE_MAY_NOT_BE_USED DLL_NSPR_VERSION = "NSPR_VERSION = " PR_VERSION; + + + +@@ -106,13 +106,13 @@ static char* + getPWFromCallback(PK11SlotInfo *slot, PRBool retry, void *arg); + + /************************************************************* +- * AIX, HP, and Linux signal handling madness ++ * AIX and HP signal handling madness + * + * In order for the JVM, kernel, and NSPR to work together, we setup + * a signal handler for SIGCHLD that does nothing. This is only done +- * on AIX, HP, and Linux. ++ * on AIX and HP. 
+ *************************************************************/ +-#if defined(AIX) || defined(HPUX) || defined(LINUX) ++#if defined(AIX) || defined(HPUX) + + static PRStatus + handleSigChild(JNIEnv *env) { +@@ -333,8 +333,6 @@ Java_org_mozilla_jss_CryptoManager_initi + jboolean initializeJavaOnly ) + { + SECStatus rv = SECFailure; +- JavaVM *VMs[5]; +- jint numVMs; + char *szConfigDir = NULL; + char *szCertPrefix = NULL; + char *szKeyPrefix = NULL; +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-08-10 16:21:30.849767000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-08-10 18:22:37.887077000 -0700 +@@ -263,7 +263,7 @@ JNIEXPORT jobject JNICALL + Java_org_mozilla_jss_CryptoManager_findPrivKeyByCertNative + (JNIEnv *env, jobject this, jobject Cert) + { +- PRThread *pThread; ++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread=NULL; + CERTCertificate *cert; + PK11SlotInfo *slot; + SECKEYPrivateKey *privKey=NULL; +@@ -458,7 +458,7 @@ JNIEXPORT jobjectArray JNICALL + Java_org_mozilla_jss_CryptoManager_buildCertificateChainNative + (JNIEnv *env, jobject this, jobject leafCert) + { +- PRThread *pThread; ++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread=NULL; + CERTCertificate *leaf; + jobjectArray chainArray=NULL; + CERTCertDBHandle *certdb; +@@ -812,7 +812,7 @@ Java_org_mozilla_jss_CryptoManager_impor + SECItem *derCerts=NULL; + int certi= -1; + SECItem theDerCert; +- int numCerts; ++ int numCerts = 0; + jbyte *packageBytes=NULL; + jsize packageLen; + SECStatus status; +@@ -1486,7 +1486,7 @@ Java_org_mozilla_jss_CryptoManager_impor + CERTSignedCrl *crl = NULL; + SECItem *packageItem = NULL; + int status = SECFailure; +- char *url; ++ char *url = NULL; + char *errmsg = NULL; + + /*************************************************** +@@ -1651,7 +1651,7 @@ JNIEXPORT jint JNICALL + 
Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env, + jobject self, jstring nickString, jboolean checkSig) + { +- SECStatus rv = SECFailure; ++ SECStatus VARIABLE_MAY_NOT_BE_USED rv = SECFailure; + SECCertificateUsage currUsage = 0x0000; + + rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage); +@@ -1736,7 +1736,6 @@ Java_org_mozilla_jss_CryptoManager_verif + SECStatus rv = SECFailure; + SECCertUsage certUsage; + SECItem *derCerts[2]; +- SECStatus status; + CERTCertificate **certArray = NULL; + CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); + +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c 2003-12-19 11:36:30.000000000 -0800 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c 2011-08-10 16:58:52.527501000 -0700 +@@ -358,7 +358,6 @@ Java_org_mozilla_jss_SecretDecoderRing_K + { + PK11SlotInfo *slot = NULL; + PK11SymKey *symk = NULL; +- SECStatus status; + + /* get the slot */ + if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS ) { +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c 2004-04-25 08:02:21.000000000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c 2011-08-11 09:40:34.001421000 -0700 +@@ -371,7 +371,7 @@ Java_org_mozilla_jss_crypto_PQGParams_pa + /*********************************************************************** + * Perform the verification. 
+ */ +- if( PK11_PQG_VerifyParams(pParams, pVfy, &verifyResult) != PR_SUCCESS) { ++ if( PK11_PQG_VerifyParams(pParams, pVfy, &verifyResult) != SECSuccess) { + JSS_throw(env, OUT_OF_MEMORY_ERROR); + goto finish; + } +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c 2004-04-25 08:02:22.000000000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c 2011-08-10 18:30:07.942629000 -0700 +@@ -62,7 +62,7 @@ + JNIEXPORT jbyteArray JNICALL Java_org_mozilla_jss_pkcs11_PK11Cert_getEncoded + (JNIEnv *env, jobject this) + { +- PRThread *pThread; ++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; + CERTCertificate *cert; + SECItem *derCert; + jbyteArray derArray=NULL; +@@ -118,9 +118,9 @@ finish: + JNIEXPORT jint JNICALL Java_org_mozilla_jss_pkcs11_PK11Cert_getVersion + (JNIEnv *env, jobject this) + { +- PRThread *pThread; ++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; + CERTCertificate *cert; +- long lVersion; ++ long lVersion = 0; + + pThread = PR_AttachThread(PR_SYSTEM_THREAD, 0, NULL); + PR_ASSERT(pThread != NULL); +@@ -165,7 +165,7 @@ Java_org_mozilla_jss_pkcs11_PK11Cert_get + { + CERTCertificate *cert; + SECKEYPublicKey *pubk=NULL; +- PRThread *pThread; ++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; + jobject pubKey=NULL; + + PR_ASSERT(env!=NULL && this!=NULL); +@@ -210,7 +210,7 @@ Java_org_mozilla_jss_pkcs11_CertProxy_re + (JNIEnv *env, jobject this) + { + CERTCertificate *cert; +- PRThread *pThread; ++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; + + PR_ASSERT(env!=NULL && this!=NULL); + +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c 2004-04-25 08:02:22.000000000 -0700 ++++ 
alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c 2011-08-10 16:42:43.822494000 -0700 +@@ -73,7 +73,7 @@ Java_org_mozilla_jss_pkcs11_PK11Cipher_i + SECItem *iv=NULL; + PK11Context *context=NULL; + CK_ATTRIBUTE_TYPE op; +- jobject contextObj; ++ jobject contextObj = NULL; + + PR_ASSERT(env!=NULL && clazz!=NULL && keyObj!=NULL && algObj!=NULL); + +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2005-11-14 14:15:06.000000000 -0800 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-08-11 09:23:03.220470000 -0700 +@@ -207,7 +207,7 @@ finish: + } + #endif + +-static void ++static void FUNCTION_MAY_NOT_BE_USED + print_secitem(SECItem *item) { + int i; + int online; +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-08-10 16:21:30.270767000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-08-10 18:33:11.773445000 -0700 +@@ -450,7 +450,7 @@ DumpItem(SECItem *item) + for (i=0; i < item->len; i++) { + printf(" %02x",data[i]); + } +- printf(" : 0x%08x %d\n", data, item->len); ++ printf(" : %8p %d\n", data, item->len); + } + + /********************************************************************** +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2006-02-22 17:21:42.000000000 -0800 ++++ 
alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-08-10 16:52:03.052910000 -0700 +@@ -562,7 +562,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + jint keyLen, jbyteArray ivBA, jint usageEnum) + { + PK11SymKey *symKey=NULL; +- CK_MECHANISM_TYPE wrappingMech, keyTypeMech; ++ CK_MECHANISM_TYPE wrappingMech=0, keyTypeMech=0; + SECItem *wrappedKey=NULL, *iv=NULL, *param=NULL; + jobject keyObj=NULL; + SECKEYPrivateKey *wrappingKey=NULL; +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2004-04-25 08:02:22.000000000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-08-10 16:52:54.951857000 -0700 +@@ -88,7 +88,6 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD + PK11Context *context = NULL; + CK_MECHANISM_TYPE mech; + SECItem param; +- PK11SlotInfo *slot=NULL; + jobject contextObj=NULL; + + mech = JSS_getPK11MechFromAlg(env, algObj); +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c 2007-02-23 09:40:21.000000000 -0800 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c 2011-08-10 16:53:28.788823000 -0700 +@@ -254,7 +254,7 @@ Java_org_mozilla_jss_pkcs11_ModuleProxy_ + { + SECMODModule *module; + +- if (JSS_getPtrFromProxy(env, this, &module) != PR_SUCCESS) { ++ if (JSS_getPtrFromProxy(env, this, (void **)&module) != PR_SUCCESS) { + ASSERT_OUTOFMEM(env); + goto finish; + } +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c +--- 
patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c 2006-04-24 18:26:42.000000000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c 2011-08-10 18:34:20.954376000 -0700 +@@ -174,7 +174,7 @@ JNIEXPORT jobject JNICALL + Java_org_mozilla_jss_pkcs11_PK11PrivKey_getKeyType + (JNIEnv *env, jobject this) + { +- PRThread *pThread; ++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; + SECKEYPrivateKey *privk; + KeyType keyType; + char* keyTypeFieldName; +@@ -259,7 +259,7 @@ Java_org_mozilla_jss_pkcs11_PrivateKeyPr + (JNIEnv *env, jobject this) + { + SECKEYPrivateKey *privk; +- PRThread *pThread; ++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; + + PR_ASSERT(env!=NULL && this!=NULL); + +@@ -358,7 +358,6 @@ Java_org_mozilla_jss_pkcs11_PK11PrivKey_ + (JNIEnv *env, jobject this) + { + SECKEYPrivateKey *key = NULL; +- PK11SlotInfo *slot = NULL; + SECItem *idItem = NULL; + jbyteArray byteArray = NULL; + +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2006-02-22 17:21:42.000000000 -0800 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-08-10 18:35:04.390333000 -0700 +@@ -62,7 +62,7 @@ JNIEXPORT void JNICALL Java_org_mozilla_ + (JNIEnv *env, jobject this) + { + SECKEYPublicKey *pubk; +- PRThread *pThread; ++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; + + PR_ASSERT(env!=NULL && this!=NULL); + +@@ -179,7 +179,7 @@ JNIEXPORT void JNICALL + Java_org_mozilla_jss_pkcs11_PK11PubKey_verifyKeyIsOnToken + (JNIEnv *env, jobject this, jobject token) + { +- PRThread *pThread; ++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; + SECKEYPublicKey *key = NULL; + PK11SlotInfo *slot = NULL; + PK11SlotInfo *keySlot = NULL; +@@ -231,7 +231,7 @@ JNIEXPORT jobject JNICALL + Java_org_mozilla_jss_pkcs11_PK11PubKey_getKeyType + (JNIEnv *env, 
jobject this) + { +- PRThread *pThread; ++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread; + SECKEYPublicKey *pubk; + KeyType keyType; + char* keyTypeFieldName; +@@ -454,7 +454,7 @@ get_public_key_info + { + SECKEYPublicKey *pubk; + jbyteArray byteArray=NULL; +- SECItem *item; ++ SECItem *item=NULL; + + PR_ASSERT(env!=NULL && this!=NULL); + +@@ -526,7 +526,6 @@ pubkFromRaw(JNIEnv *env, CK_KEY_TYPE typ + { + jobject pubkObj=NULL; + SECKEYPublicKey *pubk=NULL; +- SECStatus rv; + SECItem *pubkDER=NULL; + + /* validate args */ +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c 2005-01-28 11:16:11.000000000 -0800 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c 2011-08-10 18:36:05.252271000 -0700 +@@ -112,7 +112,7 @@ Java_org_mozilla_jss_pkcs11_PK11SecureRa + * "C" data members + */ + +- PRThread* pThread = NULL; ++ PRThread* VARIABLE_MAY_NOT_BE_USED pThread = NULL; + SECStatus status = PR_FALSE; + PK11SlotInfo* slot = NULL; + +@@ -262,7 +262,7 @@ Java_org_mozilla_jss_pkcs11_PK11SecureRa + * "C" data members + */ + +- PRThread* pThread = NULL; ++ PRThread* VARIABLE_MAY_NOT_BE_USED pThread = NULL; + SECStatus status = PR_FALSE; + + +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2006-04-03 16:09:49.000000000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-08-10 18:38:12.365145000 -0700 +@@ -319,7 +319,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de + (JNIEnv *env, jobject this, jobject certObject) + { + CERTCertificate *cert; +- SECStatus status; ++ SECStatus VARIABLE_MAY_NOT_BE_USED status; + + PR_ASSERT(env!=NULL && 
this!=NULL); + if(certObject == NULL) { +@@ -349,7 +349,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de + (JNIEnv *env, jobject this, jobject certObject) + { + CERTCertificate *cert; +- SECStatus status; ++ SECStatus VARIABLE_MAY_NOT_BE_USED status; + + PR_ASSERT(env!=NULL && this!=NULL); + if(certObject == NULL) { +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2004-04-25 08:02:22.000000000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2011-08-11 09:42:52.967282000 -0700 +@@ -233,7 +233,7 @@ Java_org_mozilla_jss_pkcs11_PK11SymKey_g + jfieldID typeField=NULL; + jobject typeObject=NULL; + +- if( JSS_PK11_getSymKeyPtr(env, this, &key) != SECSuccess ) { ++ if( JSS_PK11_getSymKeyPtr(env, this, &key) != PR_SUCCESS ) { + ASSERT_OUTOFMEM(env); + goto finish; + } +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2007-11-09 16:37:57.000000000 -0800 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-08-10 18:38:52.421104000 -0700 +@@ -961,9 +961,9 @@ JNIEXPORT jstring JNICALL Java_org_mozil + jstring keyType, jbyteArray P, jbyteArray Q, jbyteArray G) + { + PK11SlotInfo *slot; +- const char* c_subject; ++ const char* c_subject=NULL; + jboolean isCopy; +- unsigned char *b64request; ++ unsigned char *b64request=NULL; + SECItem p, q, g; + PQGParams *dsaParams=NULL; + const char* c_keyType; +@@ -1080,7 +1080,7 @@ GenerateCertRequest(JNIEnv *env, + SECStatus rv; + PRArenaPool *arena; + SECItem result_der, result; +- SECItem *blob; ++ SECItem * VARIABLE_MAY_NOT_BE_USED blob; + CK_MECHANISM_TYPE signMech; + CK_MECHANISM_TYPE keygenMech; + +diff -rupN 
patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c 2003-09-24 15:20:05.000000000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c 2011-08-10 16:57:42.991570000 -0700 +@@ -89,7 +89,6 @@ traverseTokenObjects + SECKEYPublicKeyList* pubkList = NULL; + PK11SymKey *symKey = NULL; + CERTCertList *certList = NULL; +- SECStatus secstat; + + /* + * Get all private keys +@@ -508,7 +507,6 @@ lookupCertByNickname(JNIEnv *env, jobjec + { + PK11SlotInfo *slot; + EngineGetCertificateCBInfo cbinfo = {NULL,NULL}; +- jbyteArray derCertBA = NULL; + PRStatus status = PR_FAILURE; + + if( alias == NULL ) goto finish; +@@ -813,7 +811,6 @@ Java_org_mozilla_jss_provider_java_secur + PK11SlotInfo *slot; + EngineGetCertificateCBInfo cbinfo = {NULL,NULL}; + jboolean retVal = JNI_FALSE; +- SECKEYPrivateKey *privk = NULL; + + if( alias == NULL ) goto finish; + +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-08-10 16:21:30.395765000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-08-10 17:05:15.363117000 -0700 +@@ -397,7 +397,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_getSo + { + PRSocketOptionData sockOptions; + JSSL_SocketData *sock = NULL; +- jint retval; ++ jint retval=-1; + PRStatus status; + + if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) { +@@ -874,7 +874,7 @@ JNIEXPORT jint JNICALL + Java_org_mozilla_jss_ssl_SSLSocket_socketAvailable( + JNIEnv *env, jobject self) + { +- jint available; ++ jint available=0; + JSSL_SocketData *sock = NULL; + + if( JSSL_getSockData(env, self, &sock) != 
PR_SUCCESS ) { +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2011-08-10 16:21:30.434766000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2011-08-11 09:44:12.310202000 -0700 +@@ -64,7 +64,7 @@ JSSL_throwSSLSocketException(JNIEnv *env + jmethodID excepCons; + jobject excepObj; + jstring msgString; +- jint result; ++ jint VARIABLE_MAY_NOT_BE_USED result; + + /* + * get the error code and error string +@@ -149,8 +149,8 @@ Java_org_mozilla_jss_ssl_SocketBase_sock + jbyteArray sdArray = NULL; + JSSL_SocketData *sockdata = NULL; + SECStatus status; +- PRFileDesc *newFD; +- PRFileDesc *tmpFD; ++ PRFileDesc *newFD = NULL; ++ PRFileDesc *tmpFD = NULL; + PRFilePrivate *priv = NULL; + int socketFamily = 0; + +@@ -627,7 +627,7 @@ Java_org_mozilla_jss_ssl_SocketBase_getS + SECStatus status = SECSuccess; + PRBool bOption = PR_FALSE; + +- if( JSSL_getSockData(env, self, &sock) != SECSuccess ) { ++ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) { + goto finish; + } + +@@ -649,7 +649,7 @@ JSSL_getSockAddr + (JNIEnv *env, jobject self, PRNetAddr *addr, LocalOrPeer localOrPeer) + { + JSSL_SocketData *sock = NULL; +- PRStatus status; ++ PRStatus status=PR_FAILURE; + + /* get my fd */ + if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) { +@@ -893,7 +893,7 @@ JSS_SSL_processExceptions(JNIEnv *env, P + + finish: + if( currentExcep != NULL && (*env)->ExceptionOccurred(env) == NULL) { +- int ret = (*env)->Throw(env, currentExcep); ++ int VARIABLE_MAY_NOT_BE_USED ret = (*env)->Throw(env, currentExcep); + PR_ASSERT(ret == 0); + } + } +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-08-10 16:21:30.446765000 
-0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-08-10 17:03:48.769206000 -0700 +@@ -92,7 +92,7 @@ writebuf(JNIEnv *env, PRFileDesc *fd, jo + jmethodID getOutputStream, writeMethod; + jclass sockClass, osClass; + jobject outputStream; +- jint arrayLen; ++ jint arrayLen=-1; + PRInt32 retval; + + /* +@@ -211,7 +211,7 @@ jsock_write(PRFileDesc *fd, const PRIOVe + jobject sockObj; + JNIEnv *env; + jbyteArray outbufArray; +- PRInt32 retval; ++ PRInt32 retval=-1; + + if( GET_ENV(fd->secret->javaVM, env) ) goto finish; + +@@ -500,7 +500,7 @@ static PRInt32 + jsock_recv(PRFileDesc *fd, void *buf, PRInt32 amount, + PRIntn flags, PRIntervalTime timeout) + { +- PRInt32 retval; ++ PRInt32 retval=-1; + JNIEnv *env; + jobject sockObj; + jbyteArray byteArray; +@@ -637,7 +637,7 @@ getIntProperty(JNIEnv *env, jobject sock + { + jclass sockClass; + jmethodID method; +- jint retval; ++ jint retval=0; + + sockClass = (*env)->GetObjectClass(env, sock); + if( sockClass == NULL ) goto finish; +@@ -1001,12 +1001,6 @@ static const PRIOMethods jsockMethods = + (PRReservedFN) invalidInt + }; + +-static const PRIOMethods* +-getJsockMethods() +-{ +- return &jsockMethods; +-} +- + static void + jsockDestructor(PRFileDesc *fd) + { +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2004-04-25 08:02:29.000000000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-08-10 18:24:58.470937000 -0700 +@@ -115,7 +115,7 @@ void + JSS_throwMsg(JNIEnv *env, char *throwableClassName, char *message) { + + jclass throwableClass; +- jint result; ++ jint VARIABLE_MAY_NOT_BE_USED result; + + /* validate arguments */ + PR_ASSERT(env!=NULL && throwableClassName!=NULL && message!=NULL); +@@ -156,7 +156,7 @@ JSS_throw(JNIEnv *env, char *throwableCl + jclass throwableClass; + jobject 
throwable; + jmethodID constructor; +- jint result; ++ jint VARIABLE_MAY_NOT_BE_USED result; + + PR_ASSERT( (*env)->ExceptionOccurred(env) == NULL ); + +@@ -222,7 +222,9 @@ JSS_throw(JNIEnv *env, char *throwableCl + PRStatus + JSS_getPtrFromProxy(JNIEnv *env, jobject nativeProxy, void **ptr) + { ++#ifdef DEBUG + jclass nativeProxyClass; ++#endif + jclass proxyClass; + jfieldID byteArrayField; + jbyteArray byteArray; +@@ -745,7 +747,7 @@ JSS_trace(JNIEnv *env, jint level, char + void + JSS_assertOutOfMem(JNIEnv *env) + { +- jclass memErrClass; ++ jclass VARIABLE_MAY_NOT_BE_USED memErrClass; + jthrowable excep; + + PR_ASSERT(env != NULL); +@@ -804,7 +806,7 @@ JSS_SECItemToByteArray(JNIEnv *env, SECI + goto finish; + } + +- (*env)->SetByteArrayRegion(env, array, 0, item->len, item->data); ++ (*env)->SetByteArrayRegion(env, array, 0, item->len, (jbyte*)item->data); + + finish: + return array; +diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h +--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h 2004-04-25 08:02:29.000000000 -0700 ++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h 2011-08-11 18:12:56.926098000 -0700 +@@ -36,6 +36,19 @@ + #ifndef JSS_NATIVE_UTIL_H + #define JSS_NATIVE_UTIL_H + ++/* The following #defines are used to suppress undesired compiler warnings ++ * that have been deemed inappropriate. ++ * ++ * IMPORTANT: These are ONLY used on an "as-needed" basis! ++ */ ++#ifdef __GNUC__ ++#define FUNCTION_MAY_NOT_BE_USED __attribute__ ((unused)) ++#define VARIABLE_MAY_NOT_BE_USED __attribute__ ((unused)) ++#else ++#define FUNCTION_MAY_NOT_BE_USED ++#define VARIABLE_MAY_NOT_BE_USED ++#endif ++ + /* Need to include these first. + * #include + * #include diff --git a/SOURCES/jss-eliminate-native-coverity-defects.patch b/SOURCES/jss-eliminate-native-coverity-defects.patch new file mode 100644 index 0000000..68e0fad 
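Review bot: In ssl/common.c (JSS_SSL_processExceptions), annotating `ret` with VARIABLE_MAY_NOT_BE_USED hides the warning but not the gap behind it: the result of `(*env)->Throw(env, currentExcep)` is examined only by `PR_ASSERT(ret == 0)`, which is compiled out of non-debug builds, so a failed re-throw is silently ignored there. The same applies to every `pThread = PR_AttachThread(...)` followed only by `PR_ASSERT(pThread != NULL)` in the pkcs11 files. Prefer a real `if` that takes the error path over the attribute, and reserve the macro for variables that are genuinely debug-only. The header comment in jssutil.h says the macros are used "as-needed"; it would help to state that criterion there, since this patch applies them in more than twenty places.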
--- /dev/null +++ b/SOURCES/jss-eliminate-native-coverity-defects.patch 
@@ -0,0 +1,253 @@ +diff -rupN jss-4.2.6.orig/mozilla/security/coreconf/nsinstall/pathsub.c jss-4.2.6/mozilla/security/coreconf/nsinstall/pathsub.c +--- jss-4.2.6.orig/mozilla/security/coreconf/nsinstall/pathsub.c 2004-04-25 08:02:18.000000000 -0700 ++++ jss-4.2.6/mozilla/security/coreconf/nsinstall/pathsub.c 2011-09-17 18:37:39.875900000 -0700 +@@ -275,9 +275,11 @@ diagnosePath(const char * path) + rv = readlink(myPath, buf, sizeof buf); + if (rv < 0) { + perror("readlink"); +- buf[0] = 0; +- } else { ++ buf[0] = 0; ++ } else if ( rv < BUFSIZ ) { + buf[rv] = 0; ++ } else { ++ buf[BUFSIZ-1] = 0; + } + fprintf(stderr, "%s is a link to %s\n", myPath, buf); + } else if (S_ISDIR(sb.st_mode)) { +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-09-17 17:33:08.823975000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-09-17 20:09:35.446977000 -0700 +@@ -728,14 +728,14 @@ getPWFromCallback(PK11SlotInfo *slot, PR + } + + finish: +- if( (exception=(*env)->ExceptionOccurred(env)) != NULL) { + #ifdef DEBUG ++ if( (exception=(*env)->ExceptionOccurred(env)) != NULL) { + jclass giveupClass; + jmethodID printStackTrace; + jclass excepClass; +-#endif ++ + (*env)->ExceptionClear(env); +-#ifdef DEBUG ++ + giveupClass = (*env)->FindClass(env, GIVE_UP_EXCEPTION); + PR_ASSERT(giveupClass != NULL); + if( ! 
(*env)->IsInstanceOf(env, exception, giveupClass) ) { +@@ -746,8 +746,12 @@ finish: + PR_ASSERT( PR_FALSE ); + } + PR_ASSERT(returnchars==NULL); +-#endif + } ++#else ++ if( ((*env)->ExceptionOccurred(env)) != NULL) { ++ (*env)->ExceptionClear(env); ++ } ++#endif + return returnchars; + } + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-09-17 17:33:08.834976000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-09-19 16:51:46.438021000 -0700 +@@ -768,6 +768,10 @@ static int find_leaf_cert( + int *linked = NULL; + + linked = PR_Malloc( sizeof(int) * numCerts ); ++ if (linked == NULL) { ++ status = 0; ++ goto finish; ++ } + + /* initialize the bitmap */ + for (i = 0; i < numCerts; i++) { +@@ -1735,7 +1739,7 @@ Java_org_mozilla_jss_CryptoManager_verif + { + SECStatus rv = SECFailure; + SECCertUsage certUsage; +- SECItem *derCerts[2]; ++ SECItem *derCerts[2] = { NULL, NULL }; + CERTCertificate **certArray = NULL; + CERTCertDBHandle *certdb = CERT_GetDefaultCertDB(); + +@@ -1749,7 +1753,6 @@ Java_org_mozilla_jss_CryptoManager_verif + } + PR_ASSERT(certdb != NULL); + +- derCerts[0] = NULL; + derCerts[0] = JSS_ByteArrayToSECItem(env, packageArray); + derCerts[1] = NULL; + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-17 17:33:08.708976000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-17 19:37:52.834292000 -0700 +@@ -235,7 +235,7 @@ static PRStatus + getAlgInfo(JNIEnv *env, jobject alg, JSS_AlgInfo *info) + { + jint index; +- PRStatus status; ++ PRStatus status = PR_FAILURE; + + PR_ASSERT(env!=NULL && alg!=NULL && info!=NULL); + +diff -rupN 
jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-09-17 17:33:08.970975000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-09-17 19:47:21.850722000 -0700 +@@ -181,7 +181,7 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD + PK11Context *context=NULL; + jbyte *bytes=NULL; + SECStatus status; +- unsigned int outLen; ++ unsigned int outLen = 0; + + if( JSS_PK11_getCipherContext(env, proxyObj, &context) != PR_SUCCESS) { + /* exception was thrown */ +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-09-17 17:33:09.013977000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-09-17 18:16:40.231161000 -0700 +@@ -273,6 +273,7 @@ Java_org_mozilla_jss_pkcs11_PK11PubKey_g + break; + case keaKey: + keyTypeFieldName = KEA_KEYTYPE_FIELD; ++ break; + default: + PR_ASSERT(PR_FALSE); + keyTypeFieldName = NULL_KEYTYPE_FIELD; +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-09-17 17:33:09.032977000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-09-17 19:48:57.776628000 -0700 +@@ -390,12 +390,6 @@ importPrivateKey + SECStatus status; + SECItem nickname; + +- keyType = JSS_PK11_getKeyType(env, keyTypeObj); +- if( keyType == nullKey ) { +- /* exception was thrown */ +- goto finish; +- } +- + /* + * initialize so we can goto finish + */ +@@ -403,6 +397,12 @@ importPrivateKey + derPK.len = 0; + + ++ keyType = JSS_PK11_getKeyType(env, 
keyTypeObj); ++ if( keyType == nullKey ) { ++ /* exception was thrown */ ++ goto finish; ++ } ++ + PR_ASSERT(env!=NULL && this!=NULL); + + if(keyArray == NULL) { +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-09-17 17:33:09.050976000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-09-17 19:53:46.184339000 -0700 +@@ -962,12 +962,12 @@ JNIEXPORT jstring JNICALL Java_org_mozil + { + PK11SlotInfo *slot; + const char* c_subject=NULL; +- jboolean isCopy; ++ jboolean isCopy = JNI_FALSE; + unsigned char *b64request=NULL; + SECItem p, q, g; + PQGParams *dsaParams=NULL; + const char* c_keyType; +- jboolean k_isCopy; ++ jboolean k_isCopy = JNI_FALSE; + SECOidTag signType = SEC_OID_UNKNOWN; + PK11RSAGenParams rsaParams; + void *params = NULL; +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-09-17 17:33:09.073977000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-09-17 19:56:20.428184000 -0700 +@@ -516,11 +516,6 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke + goto finish; + } + +- if( addrBAelems == NULL ) { +- ASSERT_OUTOFMEM(env); +- goto finish; +- } +- + if(addrBALen != 4 && addrBALen != 16) { + JSSL_throwSSLSocketException(env, "Invalid address in connect!"); + goto finish; +@@ -720,7 +715,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_getCi + { + JSSL_SocketData *sock=NULL; + SECStatus status; +- PRBool enabled; ++ PRBool enabled = PR_FAILURE; + + /* get the fd */ + if( JSSL_getSockData(env, sockObj, &sock) != PR_SUCCESS) { +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c +--- 
jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c 2004-09-03 11:32:03.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c 2011-09-17 18:15:07.825252000 -0700 +@@ -684,17 +684,13 @@ JSSL_ConfirmExpiredPeerCert(void *arg, P + * Now check the name field in the cert against the desired hostname. + * NB: This is our only defense against Man-In-The-Middle (MITM) attacks! + */ +- if( peerCert == NULL ) { +- rv = SECFailure; ++ char* hostname = NULL; ++ hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */ ++ if (hostname && hostname[0]) { ++ rv = CERT_VerifyCertName(peerCert, hostname); ++ PORT_Free(hostname); + } else { +- char* hostname = NULL; +- hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */ +- if (hostname && hostname[0]) { +- rv = CERT_VerifyCertName(peerCert, hostname); +- PORT_Free(hostname); +- } else { +- rv = SECFailure; +- } ++ rv = SECFailure; + } + } + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-09-17 17:33:09.094977000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-09-17 19:16:38.546566000 -0700 +@@ -95,6 +95,10 @@ writebuf(JNIEnv *env, PRFileDesc *fd, jo + jint arrayLen=-1; + PRInt32 retval; + ++ if( env == NULL ) { ++ goto finish; ++ } ++ + /* + * get the OutputStream + */ +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c 2002-07-03 17:25:46.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c 2011-09-18 23:02:28.130883000 -0700 +@@ -427,6 +427,7 @@ JSS_ConvertNativeErrcodeToJava(PRErrorCo + #endif + + key.native = nativeErrcode; ++ key.java = -1; + 
target = bsearch( &key, errcodeTable, numErrcodes, sizeof(Errcode), + errcodeCompare ); + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/jssutil.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-09-17 17:33:09.103977000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-09-19 16:38:19.428634000 -0700 +@@ -529,7 +529,7 @@ JSS_wipeCharArray(char* array) + */ + static char* getPWFromConsole() + { +- char c; ++ int c; + char *ret; + int i; + char buf[200]; /* no buffer overflow: we bail after 200 chars */ diff --git a/SOURCES/jss-fixed-build-issue-on-F17-or-newer.patch b/SOURCES/jss-fixed-build-issue-on-F17-or-newer.patch new file mode 100644 index 0000000..6ffc952 --- /dev/null +++ b/SOURCES/jss-fixed-build-issue-on-F17-or-newer.patch 
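Review bot: In ssl/callbacks.c (JSSL_ConfirmExpiredPeerCert) the `peerCert == NULL` guard is removed, so `CERT_VerifyCertName(peerCert, hostname)` now depends on peerCert having been checked earlier in the function, which the hunk does not show; because the surrounding comment calls this check the only defense against MITM, either keep the guard or add a comment naming the earlier check that makes it redundant. In ssl/SSLSocket.c, `PRBool enabled = PR_FAILURE;` initialises a boolean with a PRStatus constant whose value is -1, which reads as true; `PR_FALSE` is the safer default if the error path can return it. In nsinstall/pathsub.c the new bound is `BUFSIZ` while the call passes `sizeof buf`; use `sizeof buf` for both, or pass `sizeof buf - 1` to readlink so the terminator always fits and the truncation branch is not needed.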
@@ -0,0 +1,23 @@ +diff -rupN jss-4.2.6.orig/mozilla/security/coreconf/config.mk jss-4.2.6/mozilla/security/coreconf/config.mk +--- jss-4.2.6.orig/mozilla/security/coreconf/config.mk 2007-05-03 23:54:05.000000000 -0700 ++++ jss-4.2.6/mozilla/security/coreconf/config.mk 2013-07-22 18:42:19.000000000 -0700 +@@ -68,8 +68,19 @@ TARGET_OSES = FreeBSD BSD_OS NetBSD Open + ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET))) + include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk + else ++ifeq ($(OS_TARGET), Linux) ++OS_RELEASE_VER_MAJOR := $(shell echo $(OS_RELEASE) | cut -f1 -d.) ++OS_RELEASE_VER_MINOR := $(shell echo $(OS_RELEASE) | cut -f2 -d.) ++OS_RELEASE_GT_2_6 := $(shell [ $(OS_RELEASE_VER_MAJOR) -ge 2 -o \( $(OS_RELEASE_VER_MAJOR) -eq 2 -a $(OS_RELEASE_VER_MINOR) -ge 6 \) ] && echo true) ++ifeq ($(OS_RELEASE_GT_2_6),true) ++include $(CORE_DEPTH)/coreconf/Linux2.6.mk ++else + include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk + endif ++else ++include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk ++endif ++endif + + ####################################################################### + # [4.0] Master "Core Components" source and release tags # diff --git a/SOURCES/jss-ipv6.patch b/SOURCES/jss-ipv6.patch new file mode 100644 index 0000000..9fd5fb9 --- /dev/null +++ b/SOURCES/jss-ipv6.patch 
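Review bot: The OS_RELEASE_GT_2_6 test in coreconf/config.mk is true for every 2.x release, because the first clause `$(OS_RELEASE_VER_MAJOR) -ge 2` already matches major version 2 and makes the `-eq 2 -a $(OS_RELEASE_VER_MINOR) -ge 6` clause unreachable as a filter; a 2.4 release would therefore include Linux2.6.mk as well. Change the first clause to `-gt 2`. The variable computes greater-or-equal, so a name such as OS_RELEASE_GE_2_6 would match what it tests. The two identical `include $(CORE_DEPTH)/coreconf/$(OS_TARGET)$(OS_RELEASE).mk` fallbacks could be folded into one branch to keep the nesting readable.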
@@ -0,0 +1,623 @@ +diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/lib/jss.def jss-4.2.6/mozilla/security/jss/lib/jss.def +--- jss-4.2.6.pre-IPv6/mozilla/security/jss/lib/jss.def 2009-06-24 17:08:59.784371000 -0700 ++++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-06-19 17:56:00.000000000 -0700 +@@ -175,6 +175,7 @@ Java_org_mozilla_jss_ssl_SSLServerSocket + Java_org_mozilla_jss_ssl_SSLSocket_forceHandshake; + Java_org_mozilla_jss_ssl_SSLSocket_getKeepAlive; + Java_org_mozilla_jss_ssl_SSLSocket_getLocalAddressNative; ++Java_org_mozilla_jss_ssl_SocketBase_getLocalAddressByteArrayNative; + Java_org_mozilla_jss_ssl_SSLSocket_getPort; + Java_org_mozilla_jss_ssl_SSLSocket_getReceiveBufferSize; + Java_org_mozilla_jss_ssl_SSLSocket_getSendBufferSize; +@@ -199,6 +200,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke + Java_org_mozilla_jss_ssl_SSLSocket_socketWrite; + Java_org_mozilla_jss_ssl_SocketBase_getLocalPortNative; + Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressNative; ++Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressByteArrayNative; + Java_org_mozilla_jss_ssl_SocketBase_setClientCertNicknameNative; + Java_org_mozilla_jss_ssl_SocketBase_requestClientAuthNoExpiryCheckNative; + Java_org_mozilla_jss_ssl_SocketBase_setSSLOption; +diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java +--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java 2007-03-20 15:39:28.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLServerSocket.java 2009-06-24 13:46:49.000000000 -0700 +@@ -36,7 +36,8 @@ + + package org.mozilla.jss.ssl; + +-import java.net.InetAddress; ++import java.util.*; ++import java.net.*; + import java.io.IOException; + import java.net.Socket; + import java.net.SocketException; +@@ -138,34 +139,34 @@ public class SSLServerSocket extends jav + super.close(); + + // create the socket ++ ++ int 
socketFamily = SocketBase.SSL_AF_INET; ++ if(SocketBase.supportsIPV6()) { ++ socketFamily = SocketBase.SSL_AF_INET6; ++ } ++ + sockProxy = new SocketProxy( +- base.socketCreate(this, certApprovalCallback, null) ); ++ base.socketCreate(this, certApprovalCallback, null,socketFamily) ); + + base.setProxy(sockProxy); + + setReuseAddress(reuseAddr); + +- // bind it to the local address and port +- if( bindAddr == null ) { +- bindAddr = anyLocalAddr; +- } + byte[] bindAddrBA = null; + if( bindAddr != null ) { + bindAddrBA = bindAddr.getAddress(); + } + base.socketBind(bindAddrBA, port); ++ ++ String hostName = null; ++ if(bindAddr != null) { ++ hostName = bindAddr.getCanonicalHostName(); ++ } + socketListen(backlog); + } + + private native void socketListen(int backlog) throws SocketException; + +- private static InetAddress anyLocalAddr; +- static { +- try { +- anyLocalAddr = InetAddress.getByName("0.0.0.0"); +- } catch (java.net.UnknownHostException e) { } +- } +- + /** + * Accepts a connection. This call will block until a connection is made + * or the timeout is reached. 
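Review bot: In the SSLServerSocket.java bind hunk, `hostName` is assigned from `bindAddr.getCanonicalHostName()` and never read, so its only effect is a possible reverse name lookup on each bind; drop those lines. The hunk also removes the `anyLocalAddr` default, so a null `bindAddr` now reaches `base.socketBind(bindAddrBA, port)` as a null array; a comment stating what the native side does with null for the chosen socket family would document the new contract. The wildcard imports `java.util.*` and `java.net.*` are added while the explicit `java.net.Socket` and `java.net.SocketException` imports remain; one style is enough, and nothing visible here uses `java.util`.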
+diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c +--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2007-05-08 18:40:14.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2009-06-24 13:27:15.000000000 -0700 +@@ -460,10 +460,15 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke + JSSL_SocketData *sock; + PRNetAddr addr; + jbyte *addrBAelems = NULL; ++ int addrBALen = 0; + PRStatus status; + int stat; + const char *hostnameStr=NULL; + ++ jmethodID supportsIPV6ID; ++ jclass socketBaseClass; ++ jboolean supportsIPV6 = 0; ++ + if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) { + /* exception was thrown */ + goto finish; +@@ -472,16 +477,32 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke + /* + * setup the PRNetAddr structure + */ +- addr.inet.family = AF_INET; +- addr.inet.port = htons(port); +- PR_ASSERT(sizeof(addr.inet.ip) == 4); +- PR_ASSERT( (*env)->GetArrayLength(env, addrBA) == 4); ++ ++ socketBaseClass = (*env)->FindClass(env, SOCKET_BASE_NAME); ++ if( socketBaseClass == NULL ) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ supportsIPV6ID = (*env)->GetStaticMethodID(env, socketBaseClass, ++ SUPPORTS_IPV6_NAME, SUPPORTS_IPV6_SIG); ++ ++ if( supportsIPV6ID == NULL ) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ ++ supportsIPV6 = (*env)->CallStaticBooleanMethod(env, socketBaseClass, ++ supportsIPV6ID); ++ + addrBAelems = (*env)->GetByteArrayElements(env, addrBA, NULL); ++ addrBALen = (*env)->GetArrayLength(env, addrBA); ++ ++ PR_ASSERT(addrBALen != 0); ++ + if( addrBAelems == NULL ) { + ASSERT_OUTOFMEM(env); + goto finish; + } +- memcpy(&addr.inet.ip, addrBAelems, 4); + + /* + * Tell SSL the URL we think we want to connect to. 
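Review bot: In the SSLSocket.c connect hunk, `addrBALen` is read and checked with `PR_ASSERT(addrBALen != 0)` before the `addrBAelems == NULL` test, and the assertion is compiled out of non-debug builds; move the NULL test directly after `GetByteArrayElements` and drop the assertion, since the following hunk already rejects any length other than 4 or 16 (and then repeats the same NULL test a second time). The return of `CallStaticBooleanMethod` is used without an `ExceptionOccurred` check. This hunk also removes the old assignments to `addr`, and the later branches set only family, port and ip; zero the `PRNetAddr` with memset before filling it so the remaining fields of the IPv6 member do not carry stack contents into the connect call.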
+@@ -495,6 +516,38 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke + goto finish; + } + ++ if( addrBAelems == NULL ) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ ++ if(addrBALen != 4 && addrBALen != 16) { ++ JSSL_throwSSLSocketException(env, "Invalid address in connect!"); ++ goto finish; ++ } ++ ++ if( addrBALen == 4) { ++ addr.inet.family = AF_INET; ++ addr.inet.port = PR_htons(port); ++ memcpy(&addr.inet.ip, addrBAelems, 4); ++ ++ if(supportsIPV6) { ++ addr.ipv6.family = AF_INET6; ++ addr.ipv6.port = PR_htons(port); ++ PR_ConvertIPv4AddrToIPv6(addr.inet.ip,&addr.ipv6.ip); ++ } ++ ++ } else { /* Must be 16 and ipv6 */ ++ if(supportsIPV6) { ++ addr.ipv6.family = AF_INET6; ++ addr.ipv6.port = PR_htons(port); ++ memcpy(&addr.ipv6.ip,addrBAelems, 16); ++ } else { ++ JSSL_throwSSLSocketException(env, "Invalid address in connect!"); ++ goto finish; ++ } ++ } ++ + /* + * make the connect call + */ +diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java +--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2007-05-08 18:40:14.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2009-06-24 13:45:59.000000000 -0700 +@@ -243,11 +243,16 @@ public class SSLSocket extends java.net. + SSLClientCertificateSelectionCallback clientCertSelectionCallback) + throws IOException + { ++ ++ int socketFamily = SocketBase.SSL_AF_INET; ++ if(SocketBase.supportsIPV6()) { ++ socketFamily = SocketBase.SSL_AF_INET6; ++ } + // create the socket + sockProxy = + new SocketProxy( + base.socketCreate( +- this, certApprovalCallback, clientCertSelectionCallback) ); ++ this, certApprovalCallback, clientCertSelectionCallback,socketFamily) ); + + base.setProxy(sockProxy); + +@@ -288,7 +293,7 @@ public class SSLSocket extends java.net. 
+ new SocketProxy( + base.socketCreate( + this, certApprovalCallback, clientCertSelectionCallback, +- s, host ) ); ++ s, host,SocketBase.SSL_AF_INET ) ); + + base.setProxy(sockProxy); + resetHandshake(); +diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java +--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2007-03-20 15:39:28.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SocketBase.java 2009-06-24 13:50:32.000000000 -0700 +@@ -70,16 +70,16 @@ class SocketBase { + native byte[] socketCreate(Object socketObject, + SSLCertificateApprovalCallback certApprovalCallback, + SSLClientCertificateSelectionCallback clientCertSelectionCallback, +- java.net.Socket javaSock, String host) ++ java.net.Socket javaSock, String host,int family) + throws SocketException; + + byte[] socketCreate(Object socketObject, + SSLCertificateApprovalCallback certApprovalCallback, +- SSLClientCertificateSelectionCallback clientCertSelectionCallback) ++ SSLClientCertificateSelectionCallback clientCertSelectionCallback,int family) + throws SocketException + { + return socketCreate(socketObject, certApprovalCallback, +- clientCertSelectionCallback, null, null); ++ clientCertSelectionCallback, null, null,family); + } + + native void socketBind(byte[] addrBA, int port) throws SocketException; +@@ -115,6 +115,10 @@ class SocketBase { + static final int SSL_REQUIRE_FIRST_HANDSHAKE = 20; + static final int SSL_REQUIRE_NO_ERROR = 21; + ++ ++ static final int SSL_AF_INET = 50; ++ static final int SSL_AF_INET6 = 51; ++ + void close() throws IOException { + socketClose(); + } +@@ -281,13 +285,25 @@ class SocketBase { + return in; + } + ++ private native byte[] getLocalAddressByteArrayNative() throws SocketException; ++ private native byte[] getPeerAddressByteArrayNative() throws SocketException; + /** + * @return the InetAddress of the peer end of the 
socket. + */ + InetAddress getInetAddress() + { + try { +- return convertIntToInetAddress( getPeerAddressNative() ); ++ byte[] address = getPeerAddressByteArrayNative(); ++ ++ InetAddress iAddr = null; ++ ++ try { ++ ++ iAddr = InetAddress.getByAddress(address); ++ } catch(UnknownHostException e) { ++ } ++ ++ return iAddr; + } catch(SocketException e) { + return null; + } +@@ -299,7 +315,17 @@ class SocketBase { + */ + InetAddress getLocalAddress() { + try { +- return convertIntToInetAddress( getLocalAddressNative() ); ++ byte[] address = getLocalAddressByteArrayNative(); ++ ++ InetAddress lAddr = null; ++ ++ try { ++ ++ lAddr = InetAddress.getByAddress(address); ++ } catch(UnknownHostException e) { ++ } ++ ++ return lAddr; + } catch(SocketException e) { + return null; + } +@@ -378,4 +404,45 @@ class SocketBase { + return topException; + } + } ++ ++ static private int supportsIPV6 = -1; ++ static boolean supportsIPV6() { ++ ++ if(supportsIPV6 >= 0) { ++ if(supportsIPV6 > 0) { ++ return true; ++ } else { ++ return false; ++ } ++ } ++ ++ Enumeration netInter; ++ try { ++ netInter = NetworkInterface.getNetworkInterfaces(); ++ } catch (SocketException e) { ++ ++ return false; ++ } ++ while ( netInter.hasMoreElements() ) ++ { ++ NetworkInterface ni = (NetworkInterface)netInter.nextElement(); ++ Enumeration addrs = ni.getInetAddresses(); ++ while ( addrs.hasMoreElements() ) ++ { ++ Object o = addrs.nextElement(); ++ if ( o.getClass() == InetAddress.class || ++ o.getClass() == Inet4Address.class || ++ o.getClass() == Inet6Address.class ) ++ { ++ InetAddress iaddr = (InetAddress) o; ++ if(o.getClass() == Inet6Address.class) { ++ supportsIPV6 = 1; ++ return true; ++ } ++ } ++ } ++ } ++ supportsIPV6 = 0; ++ return false; ++ } + } +diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/common.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c +--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2007-04-24 11:34:58.000000000 
-0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2009-06-24 14:22:02.000000000 -0700 +@@ -33,7 +33,6 @@ + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +- + #include + #include + #include +@@ -51,6 +50,9 @@ + #include + #endif + ++#define SSL_AF_INET 50 ++#define SSL_AF_INET6 51 ++ + void + JSSL_throwSSLSocketException(JNIEnv *env, char *message) + { +@@ -142,7 +144,7 @@ finish: + JNIEXPORT jbyteArray JNICALL + Java_org_mozilla_jss_ssl_SocketBase_socketCreate(JNIEnv *env, jobject self, + jobject sockObj, jobject certApprovalCallback, +- jobject clientCertSelectionCallback, jobject javaSock, jstring host) ++ jobject clientCertSelectionCallback, jobject javaSock, jstring host,jint family) + { + jbyteArray sdArray = NULL; + JSSL_SocketData *sockdata = NULL; +@@ -150,10 +152,21 @@ Java_org_mozilla_jss_ssl_SocketBase_sock + PRFileDesc *newFD; + PRFileDesc *tmpFD; + PRFilePrivate *priv = NULL; ++ int socketFamily = 0; ++ ++ if (family != SSL_AF_INET6 && family != SSL_AF_INET) { ++ JSSL_throwSSLSocketException(env, ++ "socketCreate() Invalid family!"); ++ goto finish; ++ } ++ if( family == SSL_AF_INET) ++ socketFamily = PR_AF_INET; ++ else ++ socketFamily = PR_AF_INET6; + + if( javaSock == NULL ) { + /* create a TCP socket */ +- newFD = PR_NewTCPSocket(); ++ newFD = PR_OpenTCPSocket(socketFamily); + if( newFD == NULL ) { + JSSL_throwSSLSocketException(env, + "PR_NewTCPSocket() returned NULL"); +@@ -394,10 +407,10 @@ PRInt32 JSSL_enums[] = { + SSL_REQUIRE_ALWAYS, /* 19 */ /* ssl.h */ + SSL_REQUIRE_FIRST_HANDSHAKE,/* 20 */ /* ssl.h */ + SSL_REQUIRE_NO_ERROR, /* 21 */ /* ssl.h */ +- + 0 + }; + ++ + JNIEXPORT void JNICALL + Java_org_mozilla_jss_ssl_SocketBase_socketBind + (JNIEnv *env, jobject self, jbyteArray addrBA, jint port) +@@ -405,8 +418,13 @@ Java_org_mozilla_jss_ssl_SocketBase_sock + JSSL_SocketData *sock; + PRNetAddr addr; + jbyte *addrBAelems = NULL; ++ int addrBALen = 0; + PRStatus status; + 
++ jmethodID supportsIPV6ID; ++ jclass socketBaseClass; ++ jboolean supportsIPV6 = 0; ++ + if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS) { + /* exception was thrown */ + goto finish; +@@ -415,19 +433,72 @@ Java_org_mozilla_jss_ssl_SocketBase_sock + /* + * setup the PRNetAddr structure + */ +- addr.inet.family = AF_INET; +- addr.inet.port = htons(port); ++ ++ /* ++ * Do we support IPV6? ++ */ ++ ++ socketBaseClass = (*env)->FindClass(env, SOCKET_BASE_NAME); ++ if( socketBaseClass == NULL ) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ supportsIPV6ID = (*env)->GetStaticMethodID(env, socketBaseClass, ++ SUPPORTS_IPV6_NAME, SUPPORTS_IPV6_SIG); ++ ++ if( supportsIPV6ID == NULL ) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ ++ supportsIPV6 = (*env)->CallStaticBooleanMethod(env, socketBaseClass, ++ supportsIPV6ID); ++ ++ memset( &addr, 0, sizeof( PRNetAddr )); ++ + if( addrBA != NULL ) { +- PR_ASSERT(sizeof(addr.inet.ip) == 4); +- PR_ASSERT( (*env)->GetArrayLength(env, addrBA) == 4); + addrBAelems = (*env)->GetByteArrayElements(env, addrBA, NULL); ++ addrBALen = (*env)->GetArrayLength(env, addrBA); ++ + if( addrBAelems == NULL ) { + ASSERT_OUTOFMEM(env); + goto finish; + } +- memcpy(&addr.inet.ip, addrBAelems, 4); ++ ++ if(addrBALen != 4 && addrBALen != 16) { ++ JSS_throwMsgPrErr(env, BIND_EXCEPTION, ++ "Invalid address in bind!"); ++ goto finish; ++ } ++ ++ if( addrBALen == 4) { ++ addr.inet.family = PR_AF_INET; ++ addr.inet.port = PR_htons(port); ++ memcpy(&addr.inet.ip, addrBAelems, 4); ++ ++ if(supportsIPV6) { ++ addr.inet.family = PR_AF_INET6; ++ addr.ipv6.port = PR_htons(port); ++ PR_ConvertIPv4AddrToIPv6(addr.inet.ip,&addr.ipv6.ip); ++ } ++ ++ } else { /* Must be 16 and ipv6 */ ++ if(supportsIPV6) { ++ addr.ipv6.family = PR_AF_INET6; ++ addr.ipv6.port = PR_htons(port); ++ memcpy(&addr.ipv6.ip,addrBAelems, 16); ++ } else { ++ JSS_throwMsgPrErr(env, BIND_EXCEPTION, ++ "Invalid address in bind!"); ++ goto finish; ++ } ++ } + } else { +- addr.inet.ip 
= PR_htonl(INADDR_ANY); ++ if(supportsIPV6) { ++ status = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr); ++ } else { ++ status = PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET, port, &addr); ++ } + } + + /* do the bind() call */ +@@ -601,6 +672,78 @@ finish: + return status; + } + ++JNIEXPORT jbyteArray JNICALL ++Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressByteArrayNative ++ (JNIEnv *env, jobject self) ++{ ++ jbyteArray byteArray=NULL; ++ PRNetAddr addr; ++ jbyte *address=NULL; ++ int size=4; ++ ++ if( JSSL_getSockAddr(env, self, &addr, PEER_SOCK) != PR_SUCCESS) { ++ goto finish; ++ } ++ ++ if( PR_NetAddrFamily(&addr) == PR_AF_INET6) { ++ size = 16; ++ address = (jbyte *) &addr.ipv6.ip; ++ } else { ++ address = (jbyte *) &addr.inet.ip; ++ } ++ ++ byteArray = (*env)->NewByteArray(env,size); ++ if(byteArray == NULL) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ (*env)->SetByteArrayRegion(env, byteArray, 0,size ,address); ++ if( (*env)->ExceptionOccurred(env) != NULL) { ++ PR_ASSERT(PR_FALSE); ++ goto finish; ++ } ++ ++finish: ++ return byteArray; ++} ++ ++JNIEXPORT jbyteArray JNICALL ++Java_org_mozilla_jss_ssl_SocketBase_getLocalAddressByteArrayNative ++ (JNIEnv *env, jobject self) ++{ ++ jbyteArray byteArray=NULL; ++ PRNetAddr addr; ++ jbyte *address=NULL; ++ int size=4; ++ ++ if( JSSL_getSockAddr(env, self, &addr, LOCAL_SOCK) != PR_SUCCESS) { ++ goto finish; ++ } ++ ++ if( PR_NetAddrFamily(&addr) == PR_AF_INET6) { ++ size = 16; ++ address = (jbyte *) &addr.ipv6.ip; ++ } else { ++ address = (jbyte *) &addr.inet.ip; ++ } ++ ++ byteArray = (*env)->NewByteArray(env,size); ++ if(byteArray == NULL) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ (*env)->SetByteArrayRegion(env, byteArray, 0,size,address); ++ if( (*env)->ExceptionOccurred(env) != NULL) { ++ PR_ASSERT(PR_FALSE); ++ goto finish; ++ } ++ ++finish: ++ return byteArray; ++} ++ ++/* Leave the original versions of these functions for compatibility */ ++ + JNIEXPORT jint JNICALL + 
Java_org_mozilla_jss_ssl_SocketBase_getPeerAddressNative + (JNIEnv *env, jobject self) +diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c +--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2007-04-24 11:34:58.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2009-06-24 13:43:13.000000000 -0700 +@@ -290,6 +290,7 @@ getInetAddress(PRFileDesc *fd, PRNetAddr + jobject inetAddress; + jbyteArray addrByteArray; + jint port; ++ int addrBALen = 0; + + if( GET_ENV(fd->secret->javaVM, env) ) goto finish; + +@@ -377,8 +378,9 @@ getInetAddress(PRFileDesc *fd, PRNetAddr + + memset(addr, 0, sizeof(PRNetAddr)); + +- /* we only handle IPV4 */ +- PR_ASSERT( (*env)->GetArrayLength(env, addrByteArray) == 4 ); ++ addrBALen = (*env)->GetArrayLength(env, addrByteArray); ++ ++ PR_ASSERT( (addrBALen == 4) || (addrBALen == 16 ) ); + + /* make sure you release them later */ + addrBytes = (*env)->GetByteArrayElements(env, addrByteArray, NULL); +@@ -388,9 +390,16 @@ getInetAddress(PRFileDesc *fd, PRNetAddr + } + + /* ip field is in network byte order */ +- memcpy( (void*) &addr->inet.ip, addrBytes, 4); +- addr->inet.family = PR_AF_INET; +- addr->inet.port = port; ++ ++ if (addrBALen == 4) { ++ memcpy( (void*) &addr->inet.ip, addrBytes, 4); ++ addr->inet.family = PR_AF_INET; ++ addr->inet.port = port; ++ } else { ++ memcpy( (void*) &addr->ipv6.ip,addrBytes, 16); ++ addr->inet.family = PR_AF_INET6; ++ addr->inet.port = port; ++ } + + (*env)->ReleaseByteArrayElements(env, addrByteArray, addrBytes, + JNI_ABORT); +diff -rupN jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h +--- jss-4.2.6.pre-IPv6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2006-02-22 17:21:52.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/java_ids.h 2009-06-19 
17:56:00.000000000 -0700 +@@ -312,6 +312,8 @@ PR_BEGIN_EXTERN_C + #define SOCKET_BASE_NAME "org/mozilla/jss/ssl/SocketBase" + #define PROCESS_EXCEPTIONS_NAME "processExceptions" + #define PROCESS_EXCEPTIONS_SIG "(Ljava/lang/Throwable;Ljava/lang/Throwable;)Ljava/lang/Throwable;" ++#define SUPPORTS_IPV6_NAME "supportsIPV6" ++#define SUPPORTS_IPV6_SIG "()Z" + + /* + * SSLCertificateApprovalCallback diff --git a/SOURCES/jss-javadocs-param.patch b/SOURCES/jss-javadocs-param.patch new file mode 100644 index 0000000..5cf92e3 --- /dev/null +++ b/SOURCES/jss-javadocs-param.patch @@ -0,0 +1,13 @@ +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java.orig 2008-01-18 16:39:46.000000000 -0500 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2009-06-05 11:08:54.000000000 -0400 +@@ -116,7 +116,9 @@ + } + /** + * +- * @param ++ * @param key ++ * @param kg ++ * @return + */ + public javax.crypto.SecretKey genSecretKey(String keyType, String provider){ + javax.crypto.SecretKey key = null; diff --git a/SOURCES/jss-key_pair_usage_with_op_flags.patch b/SOURCES/jss-key_pair_usage_with_op_flags.patch new file mode 100644 index 0000000..a7ca9df --- /dev/null +++ b/SOURCES/jss-key_pair_usage_with_op_flags.patch 
@@ -0,0 +1,544 @@ +diff -rupN jss-4.2.5/mozilla/security/jss/lib/jss.def jss-4.2.6/mozilla/security/jss/lib/jss.def +--- jss-4.2.5/mozilla/security/jss/lib/jss.def 2007-05-08 18:40:14.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-05-30 01:57:48.000000000 -0700 +@@ -316,3 +316,12 @@ Java_org_mozilla_jss_ssl_SSLSocket_isFip + ;+ local: + ;+ *; + ;+}; ++;+JSS_4.2.6 { # JSS 4.2.6 release ++;+ global: ++Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags; ++Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags; ++Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags; ++;+ local: ++;+ *; ++;+}; ++ +diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java +--- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2005-11-14 14:15:06.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2009-05-22 07:40:14.000000000 -0700 +@@ -81,7 +81,6 @@ public class KeyPairGenerator { + genKeyPair() throws TokenException { + return engine.generateKeyPair(); + } +- + /** + * @return The type of key that this generator generates. 
+ */ +@@ -192,6 +191,15 @@ public class KeyPairGenerator { + engine.extractablePairs(extractable); + } + ++ public void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages, ++ KeyPairGeneratorSpi.Usage[] usages_mask) { ++ engine.setKeyPairUsages(usages,usages_mask); ++ } ++ ++ ++ ++ ++ + protected KeyPairAlgorithm algorithm; + protected KeyPairGeneratorSpi engine; + } +diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java +--- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2005-11-14 14:15:06.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGeneratorSpi.java 2009-05-30 03:24:31.000000000 -0700 +@@ -60,4 +60,38 @@ public abstract class KeyPairGeneratorSp + public abstract void extractablePairs(boolean extractable); + + public abstract boolean keygenOnInternalToken(); ++ ++ /** ++ * In PKCS #11, each keypair can be marked with the operations it will ++ * be used to perform. Some tokens require that a key be marked for ++ * an operation before the key can be used to perform that operation; ++ * other tokens don't care. NSS provides a way to specify a set of ++ * flags and a corresponding mask for these flags. If a specific usage ++ * is desired set the value for that usage. If it is not set, let NSS ++ * behave in it's default fashion. If a behavior is desired, also set ++ * that behavior in the mask as well as the flags. 
++ * ++ */ ++ public final static class Usage { ++ private Usage() { } ++ private Usage(int val) { this.val = val;} ++ private int val; ++ ++ public int getVal() { return val; } ++ ++ // these enums must match the ++ // and the opFlagForUsage list in PK11KeyPairGenerator.java ++ public static final Usage ENCRYPT = new Usage(0); ++ public static final Usage DECRYPT = new Usage(1); ++ public static final Usage SIGN = new Usage(2); ++ public static final Usage SIGN_RECOVER = new Usage(3); ++ public static final Usage VERIFY = new Usage(4); ++ public static final Usage VERIFY_RECOVER = new Usage(5); ++ public static final Usage WRAP = new Usage(6); ++ public static final Usage UNWRAP = new Usage(7); ++ public static final Usage DERIVE = new Usage(8); ++ } ++ ++ public abstract void setKeyPairUsages(KeyPairGeneratorSpi.Usage[] usages, ++ KeyPairGeneratorSpi.Usage[] usages_mask); + } +diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c +--- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2006-02-22 17:21:42.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2009-06-02 10:36:46.819581000 -0700 +@@ -120,13 +120,11 @@ finish: + + int PK11_NumberObjectsFor(PK11SlotInfo*, CK_ATTRIBUTE*, int); + +-/* +- * make a common key gen function for both this file and PK11Token.c +- */ + SECStatus +-JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism, ++JSS_PK11_generateKeyPairWithOpFlags(JNIEnv *env, CK_MECHANISM_TYPE mechanism, + PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk, +- void *params, PRBool temporary, jint sensitive, jint extractable) ++ void *params, PRBool temporary, jint sensitive, jint extractable, ++ jint op_flags, jint op_flags_mask) + { + PK11AttrFlags attrFlags = 0; + *privk=NULL; +@@ -173,12 +171,16 @@ JSS_PK11_generateKeyPair(JNIEnv *env, CK + 
} else { + attrFlags |= (PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC); + } +- *privk = PK11_GenerateKeyPairWithFlags(slot, ++ ++ *privk = PK11_GenerateKeyPairWithOpFlags(slot, + mechanism, + params, + pubk, + attrFlags, ++ (CK_FLAGS) op_flags, ++ (CK_FLAGS) op_flags_mask/* the ones we don't want*/, + NULL /* default PW callback */ ); ++ + if( *privk == NULL ) { + int errLength; + char *errBuf; +@@ -217,13 +219,28 @@ finish: + return SECFailure; + } + ++/* ++ * make a common key gen function for both this file and PK11Token.c ++ */ ++SECStatus ++JSS_PK11_generateKeyPair(JNIEnv *env, CK_MECHANISM_TYPE mechanism, ++ PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk, ++ void *params, PRBool temporary, jint sensitive, jint extractable) ++{ ++ ++ return JSS_PK11_generateKeyPairWithOpFlags(env, mechanism, slot, pubk, privk, params, temporary, sensitive, extractable, 0, 0); ++} ++ ++ + /********************************************************************** +- * Local generic helper ++ * Local generic helpers + */ ++ + static jobject +-PK11KeyPairGenerator(JNIEnv *env, jobject this, jobject token, ++PK11KeyPairGeneratorWithOpFlags(JNIEnv *env, jobject this, jobject token, + CK_MECHANISM_TYPE mechanism, void *params, +- jboolean temporary, jint sensitive, jint extractable) ++ jboolean temporary, jint sensitive, jint extractable, ++ jint op_flags, jint op_flags_mask) + { + PK11SlotInfo* slot; + SECKEYPrivateKey *privk=NULL; +@@ -242,8 +259,8 @@ PK11KeyPairGenerator(JNIEnv *env, jobjec + } + PR_ASSERT(slot != NULL); + +- rv = JSS_PK11_generateKeyPair(env, mechanism, slot, &pubk, &privk, +- params, temporary, sensitive, extractable); ++ rv = JSS_PK11_generateKeyPairWithOpFlags(env, mechanism, slot, &pubk, &privk, ++ params, temporary, sensitive, extractable, op_flags, op_flags_mask); + if (rv != SECSuccess) { + goto finish; + } +@@ -267,6 +284,16 @@ finish: + return keyPair; + } + ++static jobject ++PK11KeyPairGenerator(JNIEnv *env, jobject this, jobject token, 
++ CK_MECHANISM_TYPE mechanism, void *params, ++ jboolean temporary, jint sensitive, jint extractable) ++{ ++ return PK11KeyPairGeneratorWithOpFlags(env, this, token, mechanism, params, temporary, sensitive, extractable, 0, 0); ++} ++ ++ ++ + /********************************************************************** + * PK11KeyPairGenerator.generateRSAKeyPair + */ +@@ -289,6 +316,30 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG + ¶ms, temporary, sensitive, extractable); + } + ++/********************************************************************** ++ * PK11KeyPairGenerator.generateRSAKeyPairWithOpFlags ++ */ ++JNIEXPORT jobject JNICALL ++Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags ++ (JNIEnv *env, jobject this, jobject token, jint keySize, jlong publicExponent, ++ jboolean temporary, jint sensitive, jint extractable, ++ jint op_flags, jint op_flags_mask) ++{ ++ PK11RSAGenParams params; ++ ++ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL); ++ ++ /************************************************** ++ * setup parameters ++ *************************************************/ ++ params.keySizeInBits = keySize; ++ params.pe = publicExponent; ++ ++ return PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_RSA_PKCS_KEY_PAIR_GEN, ++ ¶ms, temporary, sensitive, extractable, op_flags, op_flags_mask); ++} ++ ++ + #define ZERO_SECITEM(item) {(item).len=0; (item).data=NULL;} + + /********************************************************************** +@@ -339,6 +390,57 @@ finish: + return keyPair; + } + ++/********************************************************************** ++ * ++ * PK11KeyPairGenerator.generateDSAKeyPair ++ * ++ */ ++JNIEXPORT jobject JNICALL ++Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags ++ (JNIEnv *env, jobject this, jobject token, jbyteArray P, jbyteArray Q, ++ jbyteArray G, jboolean temporary, jint sensitive, jint extractable, ++ jint op_flags, jint op_flags_mask) ++{ ++ SECItem p, q, g; 
++ PQGParams *params=NULL; ++ jobject keyPair=NULL; ++ ++ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL && P!=NULL && Q!=NULL ++ && G!=NULL); ++ ++ /* zero these so we can free them indiscriminately later */ ++ ZERO_SECITEM(p); ++ ZERO_SECITEM(q); ++ ZERO_SECITEM(g); ++ ++ /************************************************** ++ * Setup the parameters ++ *************************************************/ ++ if( JSS_ByteArrayToOctetString(env, P, &p) || ++ JSS_ByteArrayToOctetString(env, Q, &q) || ++ JSS_ByteArrayToOctetString(env, G, &g) ) ++ { ++ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL); ++ goto finish; ++ } ++ params = PK11_PQG_NewParams(&p, &q, &g); ++ if(params == NULL) { ++ JSS_throw(env, OUT_OF_MEMORY_ERROR); ++ goto finish; ++ } ++ keyPair = PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_DSA_KEY_PAIR_GEN, ++ params, temporary, sensitive, extractable, ++ op_flags, op_flags_mask); ++ ++finish: ++ SECITEM_FreeItem(&p, PR_FALSE); ++ SECITEM_FreeItem(&q, PR_FALSE); ++ SECITEM_FreeItem(&g, PR_FALSE); ++ PK11_PQG_DestroyParams(params); ++ return keyPair; ++} ++ ++ + void + DumpItem(SECItem *item) + { +@@ -361,6 +463,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG + (JNIEnv *env, jobject this, jobject token, jbyteArray Curve, + jboolean temporary, jint sensitive, jint extractable) + { ++ + SECItem curve; + jobject keyPair=NULL; + +@@ -385,3 +488,39 @@ finish: + SECITEM_FreeItem(&curve, PR_FALSE); + return keyPair; + } ++ ++/********************************************************************** ++ * ++ * PK11KeyPairGenerator.generateECKeyPairWithOpFlags ++ * ++ */ ++JNIEXPORT jobject JNICALL ++Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags ++ (JNIEnv *env, jobject this, jobject token, jbyteArray Curve, ++ jboolean temporary, jint sensitive, jint extractable, ++ jint op_flags, jint op_flags_mask) ++{ ++ SECItem curve; ++ jobject keyPair=NULL; ++ ++ PR_ASSERT(env!=NULL && this!=NULL && token!=NULL && Curve!=NULL ); ++ ++ 
/* zero these so we can free them indiscriminately later */ ++ ZERO_SECITEM(curve); ++ ++ /************************************************** ++ * Setup the parameters ++ *************************************************/ ++ if( JSS_ByteArrayToOctetString(env, Curve, &curve)) ++ { ++ PR_ASSERT( (*env)->ExceptionOccurred(env) != NULL); ++ goto finish; ++ } ++ keyPair = PK11KeyPairGeneratorWithOpFlags(env, this, token, CKM_EC_KEY_PAIR_GEN, ++ &curve, temporary, sensitive, extractable, ++ op_flags, op_flags_mask); ++ ++finish: ++ SECITEM_FreeItem(&curve, PR_FALSE); ++ return keyPair; ++} +diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java +--- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2006-02-22 17:21:42.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java 2009-05-30 05:30:25.000000000 -0700 +@@ -55,6 +55,39 @@ public final class PK11KeyPairGenerator + extends org.mozilla.jss.crypto.KeyPairGeneratorSpi + { + ++ // opFlag constants: each of these flags specifies a crypto operation ++ // the key will support. Their values must match the same-named C ++ // preprocessor macros defined in the PKCS #11 header pkcs11t.h. ++ private static final int CKF_ENCRYPT = 0x00000100; ++ private static final int CKF_DECRYPT = 0x00000200; ++ private static final int CKF_SIGN = 0x00000800; ++ private static final int CKF_SIGN_RECOVER = 0x00001000; ++ private static final int CKF_VERIFY = 0x00002000; ++ private static final int CKF_VERIFY_RECOVER = 0x00004000; ++ private static final int CKF_WRAP = 0x00020000; ++ private static final int CKF_UNWRAP = 0x00040000; ++ private static final int CKF_DERIVE = 0x00080000; ++ ++ // A table for mapping SymmetricKey.Usage to opFlag. This must be ++ // synchronized with SymmetricKey.Usage. 
++ private static final int opFlagForUsage[] = { ++ CKF_ENCRYPT, /* 0 */ ++ CKF_DECRYPT, /* 1 */ ++ CKF_SIGN, /* 2 */ ++ CKF_SIGN_RECOVER, /* 3 */ ++ CKF_VERIFY, /* 4 */ ++ CKF_VERIFY_RECOVER, /* 5 */ ++ CKF_WRAP, /* 6 */ ++ CKF_UNWRAP, /* 7 */ ++ CKF_DERIVE /* 8 */ ++ }; ++ ++ // The crypto operations the key will support. It is the logical OR ++ // of the opFlag constants, each specifying a supported operation. ++ private int opFlags = 0; ++ private int opFlagsMask = 0; ++ ++ + /////////////////////////////////////////////////////////////////////// + /////////////////////////////////////////////////////////////////////// + // Constructors +@@ -189,41 +222,45 @@ public final class PK11KeyPairGenerator + * Generates a key pair on a token. Uses parameters if they were passed + * in through a call to initialize, otherwise uses defaults. + */ ++ + public KeyPair generateKeyPair() + throws TokenException + { + if(algorithm == KeyPairAlgorithm.RSA) { + if(params != null) { + RSAParameterSpec rsaparams = (RSAParameterSpec)params; +- return generateRSAKeyPair( ++ return generateRSAKeyPairWithOpFlags( + token, + rsaparams.getKeySize(), + rsaparams.getPublicExponent().longValue(), + temporaryPairMode, + sensitivePairMode, +- extractablePairMode); ++ extractablePairMode, ++ opFlags, opFlagsMask); + } else { +- return generateRSAKeyPair( ++ return generateRSAKeyPairWithOpFlags( + token, + DEFAULT_RSA_KEY_SIZE, + DEFAULT_RSA_PUBLIC_EXPONENT.longValue(), + temporaryPairMode, + sensitivePairMode, +- extractablePairMode); ++ extractablePairMode, ++ opFlags, opFlagsMask); + } + } else if(algorithm == KeyPairAlgorithm.DSA ) { + if(params==null) { + params = PQG1024; + } + DSAParameterSpec dsaParams = (DSAParameterSpec)params; +- return generateDSAKeyPair( ++ return generateDSAKeyPairWithOpFlags( + token, + PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getP()), + PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getQ()), + 
PQGParams.BigIntegerToUnsignedByteArray(dsaParams.getG()), + temporaryPairMode, + sensitivePairMode, +- extractablePairMode); ++ extractablePairMode, ++ opFlags, opFlagsMask); + } else { + Assert._assert( algorithm == KeyPairAlgorithm.EC ); + // requires JAVA 1.5 for ECParameters. +@@ -233,12 +270,14 @@ public final class PK11KeyPairGenerator + // ecParams.init(params); + PK11ParameterSpec ecParams = (PK11ParameterSpec) params; + +- return generateECKeyPair( ++ return generateECKeyPairWithOpFlags( + token, + ecParams.getEncoded(), /* curve */ + temporaryPairMode, + sensitivePairMode, +- extractablePairMode); ++ extractablePairMode, ++ opFlags, ++ opFlagsMask); + } + } + +@@ -266,6 +305,17 @@ public final class PK11KeyPairGenerator + throws TokenException; + + /** ++ * Generates an RSA key pair with the given size and public exponent. ++ * Adds the ability to specify a set of flags and masks ++ * to control how NSS generates the key pair. ++ */ ++ private native KeyPair ++ generateRSAKeyPairWithOpFlags(PK11Token token, int keySize, long publicExponent, ++ boolean temporary, int sensitive, int extractable, ++ int op_flags, int op_flags_mask) ++ throws TokenException; ++ ++ /** + * Generates a DSA key pair with the given P, Q, and G values. + * P, Q, and G are stored as big-endian twos-complement octet strings. + */ +@@ -275,6 +325,19 @@ public final class PK11KeyPairGenerator + throws TokenException; + + /** ++ * Generates a DSA key pair with the given P, Q, and G values. ++ * P, Q, and G are stored as big-endian twos-complement octet strings. ++ * Adds the ability to specify a set of flags and masks ++ * to control how NSS generates the key pair. ++ */ ++ private native KeyPair ++ generateDSAKeyPairWithOpFlags(PK11Token token, byte[] P, byte[] Q, byte[] G, ++ boolean temporary, int sensitive, int extractable, ++ int op_flags, int op_flags_mask) ++ throws TokenException; ++ ++ ++ /** + * Generates a EC key pair with the given a curve. 
+ * Curves are stored as DER Encoded Parameters. + */ +@@ -282,6 +345,18 @@ public final class PK11KeyPairGenerator + generateECKeyPair(PK11Token token, byte[] Curve, + boolean temporary, int sensitive, int extractable) + throws TokenException; ++ /** ++ * Generates a EC key pair with the given a curve. ++ * Curves are stored as DER Encoded Parameters. ++ * Adds the ability to specify a set of flags and masks ++ * to control how NSS generates the key pair. ++ */ ++ ++ private native KeyPair ++ generateECKeyPairWithOpFlags(PK11Token token, byte[] Curve, ++ boolean temporary, int sensitive, int extractable, ++ int op_flags, int op_flags_mask) ++ throws TokenException; + + /////////////////////////////////////////////////////////////////////// + /////////////////////////////////////////////////////////////////////// +@@ -397,6 +472,38 @@ public final class PK11KeyPairGenerator + extractablePairMode = extractable ? 1 : 0; + } + ++ /** ++ * Sets the requested key usages desired for the ++ * generated key pair. ++ * This allows the caller to suggest how NSS generates the key pair. ++ * @param usages List of desired key usages. ++ * @param usages_mask Corresponding mask for the key usages. ++ * if a usages is desired, make sure it is in the mask as well. 
++ */ ++ ++ public void setKeyPairUsages(org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usages, ++ org.mozilla.jss.crypto.KeyPairGeneratorSpi.Usage[] usages_mask) { ++ ++ this.opFlags = 0; ++ this.opFlagsMask = 0; ++ ++ if(usages != null) { ++ for( int i = 0; i < usages.length; i++ ) { ++ if( usages[i] != null ) { ++ this.opFlags |= opFlagForUsage[usages[i].getVal()]; ++ } ++ } ++ } ++ ++ if(usages_mask != null) { ++ for( int i = 0; i < usages_mask.length; i++ ) { ++ if( usages_mask[i] != null ) { ++ this.opFlagsMask |= opFlagForUsage[usages_mask[i].getVal()]; ++ } ++ } ++ } ++ } ++ + // + // requires JAVA 1.5 + // +diff -rupN jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h +--- jss-4.2.5/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h 2006-02-22 17:21:42.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/pk11util.h 2009-05-29 08:34:24.000000000 -0700 +@@ -157,6 +157,12 @@ JSS_PK11_generateKeyPair(JNIEnv *env, CK + PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privK, + void *params, PRBool temporary, jint senstive, jint extractable); + ++SECStatus ++JSS_PK11_generateKeyPair_withOpFlags(JNIEnv *env, CK_MECHANISM_TYPE mechanism, ++ PK11SlotInfo *slot, SECKEYPublicKey **pubk, SECKEYPrivateKey **privk, ++ void *params, PRBool temporary, jint sensitive, jint extractable, ++ jint op_flags, jint op_flags_mask); ++ + /*===================================================================== + C E R T I F I C A T E S + =====================================================================*/ diff --git a/SOURCES/jss-loadlibrary.patch b/SOURCES/jss-loadlibrary.patch new file mode 100644 index 0000000..a8643a4 --- /dev/null +++ b/SOURCES/jss-loadlibrary.patch 
@@ -0,0 +1,29 @@ +diff -uN --recursive jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2008-01-31 17:29:16.000000000 -0500 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-01-07 10:47:04.000000000 -0500 +@@ -1334,11 +1334,20 @@ + */ + synchronized static void loadNativeLibraries() + { +- if( ! mNativeLibrariesLoaded ) +- { +- System.loadLibrary("jss4"); +- Debug.trace(Debug.VERBOSE, "jss library loaded"); +- mNativeLibrariesLoaded = true; ++ if( ! mNativeLibrariesLoaded ) { ++ try { ++ System.load( "/usr/lib64/jss/libjss4.so" ); ++ Debug.trace(Debug.VERBOSE, "jss library loaded"); ++ mNativeLibrariesLoaded = true; ++ } catch( UnsatisfiedLinkError e ) { ++ try { ++ System.load( "/usr/lib/jss/libjss4.so" ); ++ Debug.trace(Debug.VERBOSE, "jss library loaded"); ++ mNativeLibrariesLoaded = true; ++ } catch( UnsatisfiedLinkError f ) { ++ Debug.trace(Debug.VERBOSE, "jss library load failed"); ++ } ++ } + } + } + static private boolean mNativeLibrariesLoaded = false; diff --git a/SOURCES/jss-ocspSettings.patch b/SOURCES/jss-ocspSettings.patch new file mode 100644 index 0000000..c9ac226 --- /dev/null +++ b/SOURCES/jss-ocspSettings.patch 
@@ -0,0 +1,106 @@ +diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.orig jss-4.2.6/mozilla/security/jss/lib/jss.def +--- jss-4.2.6/mozilla/security/jss/lib/jss.def.orig 2009-11-04 14:26:26.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2009-11-04 14:11:05.000000000 -0800 +@@ -329,6 +329,8 @@ Java_org_mozilla_jss_pkcs11_PK11Token_ne + Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPairWithOpFlags; + Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateRSAKeyPairWithOpFlags; + Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags; ++Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative; ++Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; + ;+ local: + ;+ *; + ;+}; +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c.orig 2009-11-04 14:20:43.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2009-11-05 10:48:32.590000000 -0800 +@@ -976,3 +976,45 @@ Java_org_mozilla_jss_CryptoManager_confi + } + } + ++ ++/********************************************************************** ++* OCSPCacheSettingsNative ++* ++* Allows configuration of the OCSP responder cache during runtime. 
++*/ ++JNIEXPORT void JNICALL ++Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative( ++ JNIEnv *env, jobject this, ++ jint ocsp_cache_size, ++ jint ocsp_min_cache_entry_duration, ++ jint ocsp_max_cache_entry_duration) ++{ ++ SECStatus rv = SECFailure; ++ ++ rv = CERT_OCSPCacheSettings( ++ ocsp_cache_size, ocsp_min_cache_entry_duration, ++ ocsp_max_cache_entry_duration); ++ ++ if (rv != SECSuccess) { ++ JSS_throwMsgPrErr(env, ++ GENERAL_SECURITY_EXCEPTION, ++ "Failed to set OCSP cache: error "+ PORT_GetError()); ++ } ++} ++ ++JNIEXPORT void JNICALL ++Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative( ++ JNIEnv *env, jobject this, ++ jint ocsp_timeout ) ++{ ++ SECStatus rv = SECFailure; ++ ++ rv = CERT_SetOCSPTimeout(ocsp_timeout); ++ ++ if (rv != SECSuccess) { ++ JSS_throwMsgPrErr(env, ++ GENERAL_SECURITY_EXCEPTION, ++ "Failed to set OCSP timeout: error "+ PORT_GetError()); ++ } ++} ++ +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.orig 2009-11-04 14:20:33.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2009-11-05 10:48:59.415001000 -0800 +@@ -1479,4 +1479,41 @@ public final class CryptoManager impleme + String ocspResponderCertNickname ) + throws GeneralSecurityException; + ++ /** ++ * change OCSP cache settings ++ * * @param ocsp_cache_size max cache entries ++ * * @param ocsp_min_cache_entry_duration minimum seconds to next fetch attempt ++ * * @param ocsp_max_cache_entry_duration maximum seconds to next fetch attempt ++ */ ++ public void OCSPCacheSettings( ++ int ocsp_cache_size, ++ int ocsp_min_cache_entry_duration, ++ int ocsp_max_cache_entry_duration) ++ throws GeneralSecurityException ++ { ++ OCSPCacheSettingsNative(ocsp_cache_size, ++ ocsp_min_cache_entry_duration, ++ ocsp_max_cache_entry_duration); ++ } ++ ++ private native void 
OCSPCacheSettingsNative( ++ int ocsp_cache_size, ++ int ocsp_min_cache_entry_duration, ++ int ocsp_max_cache_entry_duration) ++ throws GeneralSecurityException; ++ ++ /** ++ * set OCSP timeout value ++ * * @param ocspTimeout OCSP timeout in seconds ++ */ ++ public void setOCSPTimeout( ++ int ocsp_timeout ) ++ throws GeneralSecurityException ++ { ++ setOCSPTimeoutNative( ocsp_timeout); ++ } ++ ++ private native void setOCSPTimeoutNative( ++ int ocsp_timeout ) ++ throws GeneralSecurityException; + } diff --git a/SOURCES/jss-undo-BadPaddingException-deprecation.patch b/SOURCES/jss-undo-BadPaddingException-deprecation.patch new file mode 100644 index 0000000..1b372a7 --- /dev/null +++ b/SOURCES/jss-undo-BadPaddingException-deprecation.patch @@ -0,0 +1,13 @@ +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java 2004-04-25 08:02:21.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java 2012-03-30 16:17:30.748371000 -0700 +@@ -35,9 +35,6 @@ + * ***** END LICENSE BLOCK ***** */ + package org.mozilla.jss.crypto; + +-/** +- * @deprecated Use javax.crypto.BadPaddingException. +- */ + public class BadPaddingException extends Exception { + public BadPaddingException() { + super(); diff --git a/SOURCES/jss-undo-JCA-deprecations.patch b/SOURCES/jss-undo-JCA-deprecations.patch new file mode 100644 index 0000000..a51c51a --- /dev/null +++ b/SOURCES/jss-undo-JCA-deprecations.patch 
@@ -0,0 +1,171 @@ +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2012-03-20 16:30:26.570338000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2012-03-20 16:39:59.083196000 -0700 +@@ -49,7 +49,6 @@ import org.mozilla.jss.util.Assert; + * it is not necessary to call update if all of the data is + * available at once. In this case, all of the input can be processed with one + * call to doFinal. +- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher}) + */ + public abstract class Cipher { + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2012-03-20 16:30:26.587338000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2012-03-20 16:41:54.792964000 -0700 +@@ -60,7 +60,6 @@ public interface CryptoToken { + * @param algorithm The algorithm used for the signing/verification. + * @exception java.security.NoSuchAlgorithmException If the given + * algorithm is not supported by this provider. +- * @deprecated Use the JCA interface instead ({@link java.security.Signature}) + */ + public abstract org.mozilla.jss.crypto.Signature + getSignatureContext(SignatureAlgorithm algorithm) +@@ -73,7 +72,6 @@ public interface CryptoToken { + * @param algorithm The algorithm used for digesting. + * @exception java.security.NoSuchAlgorithmException If this provider + * does not support the given algorithm. 
+- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest}) + */ + public abstract JSSMessageDigest + getDigestContext(DigestAlgorithm algorithm) +@@ -89,15 +87,11 @@ public interface CryptoToken { + * @param algorithm The algorithm used for encryption/decryption. + * @exception java.security.NoSuchAlgorithmException If this provider + * does not support the given algorithm. +- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher}) + */ + public abstract Cipher + getCipherContext(EncryptionAlgorithm algorithm) + throws java.security.NoSuchAlgorithmException, TokenException; + +- /** +- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher}) +- */ + public abstract KeyWrapper + getKeyWrapper(KeyWrapAlgorithm algorithm) + throws java.security.NoSuchAlgorithmException, TokenException; +@@ -123,7 +117,6 @@ public interface CryptoToken { + * @param algorithm The algorithm that the keys will be used with. + * @exception java.security.NoSuchAlgorithmException If this token does not + * support the given algorithm. +- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator}) + */ + public abstract KeyGenerator + getKeyGenerator(KeyGenAlgorithm algorithm) +@@ -136,7 +129,6 @@ public interface CryptoToken { + * cannot be extracted from the current token. + * @exception InvalidKeyException If the owning token cannot process + * the key to be cloned. +- * @deprecated Use the JCA interface instead ({@link javax.crypto.SecretKeyFactory}) + */ + public SymmetricKey cloneKey(SymmetricKey key) + throws SymmetricKey.NotExtractableException, +@@ -151,7 +143,6 @@ public interface CryptoToken { + * DSA, EC, etc.) + * @exception java.security.NoSuchAlgorithmException If this token does + * not support the given algorithm. 
+- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator}) + */ + public abstract KeyPairGenerator + getKeyPairGenerator(KeyPairAlgorithm algorithm) +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2012-03-20 16:30:26.595338000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2012-03-20 16:38:31.987370000 -0700 +@@ -41,7 +41,6 @@ import java.security.InvalidKeyException + + /** + * A class for performing message digesting (hashing) and MAC operations. +- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest}) + */ + public abstract class JSSMessageDigest { + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java 2004-04-25 08:02:21.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java 2012-03-20 16:39:02.938308000 -0700 +@@ -38,7 +38,6 @@ package org.mozilla.jss.crypto; + + /** + * An interface for secure random numbers. 
+- * @deprecated Use the JCA interface instead ({@link java.security.SecureRandom}) + */ + public interface JSSSecureRandom { + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java 2005-11-14 14:15:06.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java 2012-03-20 16:39:19.687274000 -0700 +@@ -43,7 +43,6 @@ import java.io.CharConversionException; + + /** + * Generates symmetric keys for encryption and decryption. +- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator}) + */ + public interface KeyGenerator { + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2012-03-20 16:30:25.755340000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java 2012-03-20 16:38:03.635426000 -0700 +@@ -49,7 +49,6 @@ import java.security.spec.AlgorithmParam + * keygenOnInternalToken to find out if this is happening. 
+ * + * @see org.mozilla.jss.crypto.CryptoToken#getKeyPairGenerator +- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator}) + */ + public class KeyPairGenerator { + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2004-04-25 08:02:21.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java 2012-03-20 16:39:40.551232000 -0700 +@@ -40,9 +40,6 @@ import java.security.InvalidAlgorithmPar + import java.security.PublicKey; + import java.security.InvalidKeyException; + +-/** +- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher}) +- */ + public interface KeyWrapper { + + public void initWrap(SymmetricKey wrappingKey, +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java 2004-04-25 08:02:21.000000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java 2012-03-20 16:38:46.468340000 -0700 +@@ -44,7 +44,6 @@ import java.security.spec.AlgorithmParam + * Instances of this class can be obtain from CryptoTokens. 
+ * + * @see org.mozilla.jss.crypto.CryptoToken#getSignatureContext +- * @deprecated Use the JCA interface instead ({@link java.security.Signature}) + */ + public class Signature { + +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java 2005-11-23 15:40:26.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java 2012-03-20 16:35:13.653766000 -0700 +@@ -37,15 +37,10 @@ + + /* This program demonstrates how to sign data with keys from JSS + * +- * Most of this code is deprecated look at JCASigTest.java +- * + * The token name can be either the name of a hardware token, or + * one of the internal tokens: + * Internal Crypto Services Token + * Internal Key Storage Token (keys stored in key3.db) +- * +- * @see org.mozilla.jss.tests.JCASigTest +- * @deprecated Use the JCA interface instead + */ + + package org.mozilla.jss.tests; +diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl +--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl 2007-12-20 10:38:44.000000000 -0800 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl 2012-03-20 16:36:37.711598000 -0700 +@@ -534,6 +534,10 @@ $testname = "Mozilla-JSS JCA Signature " + $command = "$java -cp $jss_classpath org.mozilla.jss.tests.JCASigTest $testdir $pwfile"; + run_test($testname, $command); + ++$testname = "Mozilla-JSS NSS Signature "; ++$command = "$java -cp $jss_classpath org.mozilla.jss.tests.SigTest $testdir $pwfile"; ++run_test($testname, $command); ++ + $testname = "Secret Decoder Ring"; + $command = "$java -cp $jss_classpath org.mozilla.jss.tests.TestSDR $testdir $pwfile"; + run_test($testname, $command); 
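Review bot: In the PK11KeyPairGenerator.java hunk that adds setKeyPairUsages(), the Javadoc tells callers that a desired usage must also be in the mask, but the method never checks it. opFlags and opFlagsMask are built from the two arrays independently, so a usage that is present in usages and absent from usages_mask is accepted silently. Either fold the flags into the mask before returning (`this.opFlagsMask |= this.opFlags;`) or throw IllegalArgumentException when `(opFlags & ~opFlagsMask) != 0`. The lookup `opFlagForUsage[usages[i].getVal()]` also relies on getVal() always being a valid index into the table; a short comment next to the table stating that invariant would help the next person who adds a Usage value.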
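Review bot: In the loadNativeLibraries() hunk of jss-loadlibrary.patch, the inner catch for the /usr/lib/jss/libjss4.so attempt only emits a Debug.VERBOSE trace, so when both System.load calls fail the method returns normally with mNativeLibrariesLoaded still false and both UnsatisfiedLinkError objects discarded. The caller learns nothing until the first native call fails, and by then the path and the loader's reason are gone. Rethrow `f` from the inner catch, or throw a new UnsatisfiedLinkError that names both paths. Replacing `System.loadLibrary("jss4")` with absolute paths also means java.library.path is no longer consulted for this library; that behaviour change deserves a comment above the try block. The two attempts are identical apart from the path, so a loop over a small array of paths would remove the nested try.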
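Review bot: In the CryptoManager.c hunk of jss-ocspSettings.patch, both JSS_throwMsgPrErr calls build their message as `"Failed to set OCSP cache: error "+ PORT_GetError()` (and the same for the timeout message). In C that is pointer arithmetic, not string concatenation: the numeric error code is added to the address of the literal, so the pointer passed as the message lands wherever that offset points, normally outside the literal. Pass the literal on its own, or format the code into a local buffer with PR_snprintf the way jss-wrapInToken.patch does for its wrap and unwrap messages. Smaller point: `SECStatus rv = SECFailure;` followed immediately by the assignment can be a single initialisation.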
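Review bot: In the CryptoManager.java hunk of jss-ocspSettings.patch, the Javadoc for setOCSPTimeout documents `@param ocspTimeout` while the parameter is named ocsp_timeout, and every tag in both comments is written as `* * @param`, so the tag no longer starts the comment line and may not be parsed as a block tag. Neither OCSPCacheSettings nor setOCSPTimeout checks its int arguments before handing them to the native method; document the accepted range of each value (including any values with special meaning) and reject out-of-range input in Java, so a bad setting fails with a message that names the argument rather than a generic GeneralSecurityException from the native layer.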
diff --git a/SOURCES/jss-wrapInToken.patch b/SOURCES/jss-wrapInToken.patch new file mode 100644 index 0000000..697895f --- /dev/null +++ b/SOURCES/jss-wrapInToken.patch 
@@ -0,0 +1,158 @@ +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-10-18 09:16:08.362000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-10-19 17:55:01.162000000 -0700 +@@ -283,8 +283,9 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + status = PK11_WrapPrivKey(slot, wrapping, toBeWrapped, mech, param, + &wrapped, NULL /* wincx */ ); + if(status != SECSuccess) { +- JSS_throwMsg(env, TOKEN_EXCEPTION, +- "Wrapping operation failed on token"); ++ char err[256] = {0}; ++ PR_snprintf(err, 256, "Wrapping operation failed on token:%d", PR_GetError()); ++ JSS_throwMsg(env, TOKEN_EXCEPTION, err); + goto finish; + } + PR_ASSERT(wrapped.len>0 && wrapped.data!=NULL); +@@ -328,11 +329,15 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + int numAttribs = 0; + CK_TOKEN_INFO tokenInfo; + ++ /* ideal defaults */ + PRBool isSensitive = PR_TRUE; + PRBool isExtractable = PR_FALSE; +- /* special case nethsm*/ ++ ++ /* special case nethsm and lunasa*/ + CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'}; ++ CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'}; + PRBool isNethsm = PR_TRUE; ++ PRBool isLunasa = PR_TRUE; + + if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) { + /* exception was thrown */ +@@ -347,9 +352,17 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + break; + } + } ++ ix = 0; ++ for(ix=0; ix < 4; ix++) { ++ if (tokenInfo.label[ix] != lunasaLabel[ix]) { ++ isLunasa = PR_FALSE; ++ break; ++ } ++ } + + } else { + isNethsm = PR_FALSE; ++ isLunasa = PR_FALSE; + } + + /* get unwrapping key */ +@@ -412,23 +425,25 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp + } + keyType = PK11_GetKeyType(keyTypeMech, 0); + ++ /* special case nethsm and lunasa*/ + if( isNethsm ) { + isSensitive = PR_FALSE; + isExtractable = PR_FALSE; ++ } else if ( isLunasa) { ++ 
isSensitive = PR_FALSE; ++ isExtractable = PR_TRUE; + } + +-setAttrs: + /* figure out which operations to enable for this key */ + switch (keyType) { + case CKK_RSA: ++ numAttribs = 3; + attribs[0] = CKA_SIGN; + attribs[1] = CKA_SIGN_RECOVER; + attribs[2] = CKA_UNWRAP; + if (isExtractable) { + attribs[3] = CKA_EXTRACTABLE; + numAttribs = 4; +- } else { +- numAttribs = 3; + } + break; + case CKK_DSA: +@@ -459,7 +474,9 @@ setAttrs: + &label, pubValue, token, isSensitive /*sensitive*/, keyType, + attribs, numAttribs, NULL /*wincx*/); + if( privk == NULL ) { +- JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token"); ++ char err[256] = {0}; ++ PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError()); ++ JSS_throwMsg(env, TOKEN_EXCEPTION, err); + goto finish; + } + +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfu 2011-10-18 15:29:50.597000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2011-10-18 15:49:40.073000000 -0700 +@@ -322,10 +322,13 @@ final class PK11KeyWrapper implements Ke + throw new InvalidKeyException("key to be wrapped is not a "+ + "PKCS #11 key"); + } ++/* NSS is capable of moving keys appropriately, ++ so this call is prematurely bailing + if( ! symKey.getOwningToken().equals(token) ) { + throw new InvalidKeyException("key to be wrapped does not live"+ + " on the same token as the wrapping key"); + } ++*/ + } + + /** +@@ -340,10 +343,13 @@ final class PK11KeyWrapper implements Ke + throw new InvalidKeyException("key to be wrapped is not a "+ + "PKCS #11 key"); + } ++/* NSS is capable of moving keys appropriately, ++ so this call is prematurely bailing + if( ! 
privKey.getOwningToken().equals(token) ) { + throw new InvalidKeyException("key to be wrapped does not live"+ + " on the same token as the wrapping key"); + } ++*/ + } + + /** +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.cfu 2011-10-18 14:34:32.148000000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-10-18 14:35:20.402000000 -0700 +@@ -135,10 +135,13 @@ public final class PK11Token implements + getKeyWrapper(KeyWrapAlgorithm algorithm) + throws NoSuchAlgorithmException, TokenException + { ++/* NSS is capable of finding the right token to do algorithm, ++ so this call is prematurely bailing + if( ! doesAlgorithm(algorithm) ) { + throw new NoSuchAlgorithmException( + algorithm+" is not supported by this token"); + } ++*/ + return new PK11KeyWrapper(this, algorithm); + } + +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.cfu 2011-10-18 09:24:13.796001000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java 2011-10-18 15:41:24.687000000 -0700 +@@ -243,7 +243,7 @@ public class EncryptedPrivateKeyInfo imp + } + + KeyWrapper wrapper = token.getKeyWrapper( +- KeyWrapAlgorithm.DES3_CBC); ++ KeyWrapAlgorithm.DES3_CBC_PAD); + wrapper.initWrap(key, params); + byte encrypted[] = wrapper.wrap(pri); + +@@ -260,6 +260,7 @@ public class EncryptedPrivateKeyInfo imp + return epki; + + } catch (Exception e) { ++ System.out.println("createPBE: exception:"+e.toString()); + Assert.notReached("EncryptedPrivateKeyInfo exception:" + +".createPBE"); + } 
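Review bot: In the PK11KeyWrapper.c hunk that adds the lunasaLabel loop (@@ -347,9 +352,17 @@), the token is classified by comparing only the first four bytes of tokenInfo.label against 'l','u','n','a'. The label field of CK_TOKEN_INFO is the name assigned when the token is initialised, not a vendor identifier, so any token whose label happens to start with those four bytes takes the Luna path, and a Luna token that has been given a different label does not. Since that path decides the sensitive and extractable attributes later in the function, match on the manufacturerID or model fields of the same structure, or let the caller state the policy explicitly. The `ix = 0;` before `for(ix=0; ...` is redundant.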
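Review bot: In the PK11KeyWrapper.c hunk that adds the `else if ( isLunasa)` branch (@@ -412,23 +425,25 @@), the unwrapped private key is created with `isSensitive = PR_FALSE` and `isExtractable = PR_TRUE`, the reverse of the values this same patch labels `/* ideal defaults */`, and for CKK_RSA that appends CKA_EXTRACTABLE to the attribute list. The only explanation is the comment "special case nethsm and lunasa". Say in the comment why this token needs an extractable, non-sensitive private key, and consider making the relaxation something the caller opts into, because it determines whether the private key can later leave the token.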
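Review bot: In the two PK11KeyWrapper.java hunks and the PK11Token.java getKeyWrapper hunk, the owning-token checks and the doesAlgorithm check are switched off by wrapping them in a `/* ... */` block instead of being deleted, which leaves dead code in three places and a rationale ("this call is prematurely bailing") that lives only inside the comment. Delete the checks and move the reasoning into the Javadoc. The behaviour change also needs a test: a key on a different token from the wrapping key, or an algorithm the token does not support, now reaches the native layer, and a failure there surfaces as a TokenException carrying a numeric error code rather than the InvalidKeyException or NoSuchAlgorithmException these methods still declare.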
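Review bot: In the EncryptedPrivateKeyInfo.java hunk at @@ -243,7 +243,7 @@, the wrap mechanism changes from KeyWrapAlgorithm.DES3_CBC to KeyWrapAlgorithm.DES3_CBC_PAD with no comment. State why the padded mechanism is required, and confirm that the algorithm identifier and parameters stored in the returned EncryptedPrivateKeyInfo still describe what `wrapper.wrap(pri)` actually produced, so existing consumers can decrypt the result.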
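Review bot: In the EncryptedPrivateKeyInfo.java hunk at @@ -260,6 +260,7 @@, the added `System.out.println("createPBE: exception:"+e.toString());` writes exception text to standard output from library code, where the embedding application cannot filter or redirect it, and it sits in front of an Assert.notReached that is meant to mark the path as impossible. Route the message through Debug.trace, as CryptoManager does for its load messages, or let the exception propagate to the caller.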
diff --git a/SOURCES/lgpl.txt b/SOURCES/lgpl.txt new file mode 100644 index 0000000..5ab7695 --- /dev/null +++ b/SOURCES/lgpl.txt 
@@ -0,0 +1,504 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 2.1, February 1999 + + Copyright (C) 1991, 1999 Free Software Foundation, Inc. + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + +[This is the first released version of the Lesser GPL. It also counts + as the successor of the GNU Library Public License, version 2, hence + the version number 2.1.] + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +Licenses are intended to guarantee your freedom to share and change +free software--to make sure the software is free for all its users. + + This license, the Lesser General Public License, applies to some +specially designated software packages--typically libraries--of the +Free Software Foundation and other authors who decide to use it. You +can use it too, but we suggest you first think carefully about whether +this license or the ordinary General Public License is the better +strategy to use in any particular case, based on the explanations below. + + When we speak of free software, we are referring to freedom of use, +not price. Our General Public Licenses are designed to make sure that +you have the freedom to distribute copies of free software (and charge +for this service if you wish); that you receive source code or can get +it if you want it; that you can change the software and use pieces of +it in new free programs; and that you are informed that you can do +these things. + + To protect your rights, we need to make restrictions that forbid +distributors to deny you these rights or to ask you to surrender these +rights. These restrictions translate to certain responsibilities for +you if you distribute copies of the library or if you modify it. 
+ + For example, if you distribute copies of the library, whether gratis +or for a fee, you must give the recipients all the rights that we gave +you. You must make sure that they, too, receive or can get the source +code. If you link other code with the library, you must provide +complete object files to the recipients, so that they can relink them +with the library after making changes to the library and recompiling +it. And you must show them these terms so they know their rights. + + We protect your rights with a two-step method: (1) we copyright the +library, and (2) we offer you this license, which gives you legal +permission to copy, distribute and/or modify the library. + + To protect each distributor, we want to make it very clear that +there is no warranty for the free library. Also, if the library is +modified by someone else and passed on, the recipients should know +that what they have is not the original version, so that the original +author's reputation will not be affected by problems that might be +introduced by others. + + Finally, software patents pose a constant threat to the existence of +any free program. We wish to make sure that a company cannot +effectively restrict the users of a free program by obtaining a +restrictive license from a patent holder. Therefore, we insist that +any patent license obtained for a version of the library must be +consistent with the full freedom of use specified in this license. + + Most GNU software, including some libraries, is covered by the +ordinary GNU General Public License. This license, the GNU Lesser +General Public License, applies to certain designated libraries, and +is quite different from the ordinary General Public License. We use +this license for certain libraries in order to permit linking those +libraries into non-free programs. 
+ + When a program is linked with a library, whether statically or using +a shared library, the combination of the two is legally speaking a +combined work, a derivative of the original library. The ordinary +General Public License therefore permits such linking only if the +entire combination fits its criteria of freedom. The Lesser General +Public License permits more lax criteria for linking other code with +the library. + + We call this license the "Lesser" General Public License because it +does Less to protect the user's freedom than the ordinary General +Public License. It also provides other free software developers Less +of an advantage over competing non-free programs. These disadvantages +are the reason we use the ordinary General Public License for many +libraries. However, the Lesser license provides advantages in certain +special circumstances. + + For example, on rare occasions, there may be a special need to +encourage the widest possible use of a certain library, so that it becomes +a de-facto standard. To achieve this, non-free programs must be +allowed to use the library. A more frequent case is that a free +library does the same job as widely used non-free libraries. In this +case, there is little to gain by limiting the free library to free +software only, so we use the Lesser General Public License. + + In other cases, permission to use a particular library in non-free +programs enables a greater number of people to use a large body of +free software. For example, permission to use the GNU C Library in +non-free programs enables many more people to use the whole GNU +operating system, as well as its variant, the GNU/Linux operating +system. + + Although the Lesser General Public License is Less protective of the +users' freedom, it does ensure that the user of a program that is +linked with the Library has the freedom and the wherewithal to run +that program using a modified version of the Library. 
+ + The precise terms and conditions for copying, distribution and +modification follow. Pay close attention to the difference between a +"work based on the library" and a "work that uses the library". The +former contains code derived from the library, whereas the latter must +be combined with the library in order to run. + + GNU LESSER GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License Agreement applies to any software library or other +program which contains a notice placed by the copyright holder or +other authorized party saying it may be distributed under the terms of +this Lesser General Public License (also called "this License"). +Each licensee is addressed as "you". + + A "library" means a collection of software functions and/or data +prepared so as to be conveniently linked with application programs +(which use some of those functions and data) to form executables. + + The "Library", below, refers to any such software library or work +which has been distributed under these terms. A "work based on the +Library" means either the Library or any derivative work under +copyright law: that is to say, a work containing the Library or a +portion of it, either verbatim or with modifications and/or translated +straightforwardly into another language. (Hereinafter, translation is +included without limitation in the term "modification".) + + "Source code" for a work means the preferred form of the work for +making modifications to it. For a library, complete source code means +all the source code for all modules it contains, plus any associated +interface definition files, plus the scripts used to control compilation +and installation of the library. + + Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. 
The act of +running a program using the Library is not restricted, and output from +such a program is covered only if its contents constitute a work based +on the Library (independent of the use of the Library in a tool for +writing it). Whether that is true depends on what the Library does +and what the program that uses the Library does. + + 1. You may copy and distribute verbatim copies of the Library's +complete source code as you receive it, in any medium, provided that +you conspicuously and appropriately publish on each copy an +appropriate copyright notice and disclaimer of warranty; keep intact +all the notices that refer to this License and to the absence of any +warranty; and distribute a copy of this License along with the +Library. + + You may charge a fee for the physical act of transferring a copy, +and you may at your option offer warranty protection in exchange for a +fee. + + 2. You may modify your copy or copies of the Library or any portion +of it, thus forming a work based on the Library, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) The modified work must itself be a software library. + + b) You must cause the files modified to carry prominent notices + stating that you changed the files and the date of any change. + + c) You must cause the whole of the work to be licensed at no + charge to all third parties under the terms of this License. + + d) If a facility in the modified Library refers to a function or a + table of data to be supplied by an application program that uses + the facility, other than as an argument passed when the facility + is invoked, then you must make a good faith effort to ensure that, + in the event an application does not supply such function or + table, the facility still operates, and performs whatever part of + its purpose remains meaningful. 
+ + (For example, a function in a library to compute square roots has + a purpose that is entirely well-defined independent of the + application. Therefore, Subsection 2d requires that any + application-supplied function or table used by this function must + be optional: if the application does not supply it, the square + root function must still compute square roots.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Library, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Library, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote +it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Library. + +In addition, mere aggregation of another work not based on the Library +with the Library (or with a work based on the Library) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may opt to apply the terms of the ordinary GNU General Public +License instead of this License to a given copy of the Library. To do +this, you must alter all the notices that refer to this License, so +that they refer to the ordinary GNU General Public License, version 2, +instead of to this License. (If a newer version than version 2 of the +ordinary GNU General Public License has appeared, then you can specify +that version instead if you wish.) Do not make any other change in +these notices. 
+ + Once this change is made in a given copy, it is irreversible for +that copy, so the ordinary GNU General Public License applies to all +subsequent copies and derivative works made from that copy. + + This option is useful when you wish to copy part of the code of +the Library into a program that is not a library. + + 4. You may copy and distribute the Library (or a portion or +derivative of it, under Section 2) in object code or executable form +under the terms of Sections 1 and 2 above provided that you accompany +it with the complete corresponding machine-readable source code, which +must be distributed under the terms of Sections 1 and 2 above on a +medium customarily used for software interchange. + + If distribution of object code is made by offering access to copy +from a designated place, then offering equivalent access to copy the +source code from the same place satisfies the requirement to +distribute the source code, even though third parties are not +compelled to copy the source along with the object code. + + 5. A program that contains no derivative of any portion of the +Library, but is designed to work with the Library by being compiled or +linked with it, is called a "work that uses the Library". Such a +work, in isolation, is not a derivative work of the Library, and +therefore falls outside the scope of this License. + + However, linking a "work that uses the Library" with the Library +creates an executable that is a derivative of the Library (because it +contains portions of the Library), rather than a "work that uses the +library". The executable is therefore covered by this License. +Section 6 states terms for distribution of such executables. + + When a "work that uses the Library" uses material from a header file +that is part of the Library, the object code for the work may be a +derivative work of the Library even though the source code is not. 
+Whether this is true is especially significant if the work can be +linked without the Library, or if the work is itself a library. The +threshold for this to be true is not precisely defined by law. + + If such an object file uses only numerical parameters, data +structure layouts and accessors, and small macros and small inline +functions (ten lines or less in length), then the use of the object +file is unrestricted, regardless of whether it is legally a derivative +work. (Executables containing this object code plus portions of the +Library will still fall under Section 6.) + + Otherwise, if the work is a derivative of the Library, you may +distribute the object code for the work under the terms of Section 6. +Any executables containing that work also fall under Section 6, +whether or not they are linked directly with the Library itself. + + 6. As an exception to the Sections above, you may also combine or +link a "work that uses the Library" with the Library to produce a +work containing portions of the Library, and distribute that work +under terms of your choice, provided that the terms permit +modification of the work for the customer's own use and reverse +engineering for debugging such modifications. + + You must give prominent notice with each copy of the work that the +Library is used in it and that the Library and its use are covered by +this License. You must supply a copy of this License. If the work +during execution displays copyright notices, you must include the +copyright notice for the Library among them, as well as a reference +directing the user to the copy of this License. 
Also, you must do one +of these things: + + a) Accompany the work with the complete corresponding + machine-readable source code for the Library including whatever + changes were used in the work (which must be distributed under + Sections 1 and 2 above); and, if the work is an executable linked + with the Library, with the complete machine-readable "work that + uses the Library", as object code and/or source code, so that the + user can modify the Library and then relink to produce a modified + executable containing the modified Library. (It is understood + that the user who changes the contents of definitions files in the + Library will not necessarily be able to recompile the application + to use the modified definitions.) + + b) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (1) uses at run time a + copy of the library already present on the user's computer system, + rather than copying library functions into the executable, and (2) + will operate properly with a modified version of the library, if + the user installs one, as long as the modified version is + interface-compatible with the version that the work was made with. + + c) Accompany the work with a written offer, valid for at + least three years, to give the same user the materials + specified in Subsection 6a, above, for a charge no more + than the cost of performing this distribution. + + d) If distribution of the work is made by offering access to copy + from a designated place, offer equivalent access to copy the above + specified materials from the same place. + + e) Verify that the user has already received a copy of these + materials or that you have already sent this user a copy. + + For an executable, the required form of the "work that uses the +Library" must include any data and utility programs needed for +reproducing the executable from it. 
However, as a special exception, +the materials to be distributed need not include anything that is +normally distributed (in either source or binary form) with the major +components (compiler, kernel, and so on) of the operating system on +which the executable runs, unless that component itself accompanies +the executable. + + It may happen that this requirement contradicts the license +restrictions of other proprietary libraries that do not normally +accompany the operating system. Such a contradiction means you cannot +use both them and the Library together in an executable that you +distribute. + + 7. You may place library facilities that are a work based on the +Library side-by-side in a single library together with other library +facilities not covered by this License, and distribute such a combined +library, provided that the separate distribution of the work based on +the Library and of the other library facilities is otherwise +permitted, and provided that you do these two things: + + a) Accompany the combined library with a copy of the same work + based on the Library, uncombined with any other library + facilities. This must be distributed under the terms of the + Sections above. + + b) Give prominent notice with the combined library of the fact + that part of it is a work based on the Library, and explaining + where to find the accompanying uncombined form of the same work. + + 8. You may not copy, modify, sublicense, link with, or distribute +the Library except as expressly provided under this License. Any +attempt otherwise to copy, modify, sublicense, link with, or +distribute the Library is void, and will automatically terminate your +rights under this License. However, parties who have received copies, +or rights, from you under this License will not have their licenses +terminated so long as such parties remain in full compliance. + + 9. You are not required to accept this License, since you have not +signed it. 
However, nothing else grants you permission to modify or +distribute the Library or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Library (or any work based on the +Library), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Library or works based on it. + + 10. Each time you redistribute the Library (or any work based on the +Library), the recipient automatically receives a license from the +original licensor to copy, distribute, link with or modify the Library +subject to these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties with +this License. + + 11. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Library at all. For example, if a patent +license would not permit royalty-free redistribution of the Library by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Library. + +If any portion of this section is held invalid or unenforceable under any +particular circumstance, the balance of the section is intended to apply, +and the section as a whole is intended to apply in other circumstances. 
+ +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 12. If the distribution and/or use of the Library is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Library under this License may add +an explicit geographical distribution limitation excluding those countries, +so that distribution is permitted only in or among countries not thus +excluded. In such case, this License incorporates the limitation as if +written in the body of this License. + + 13. The Free Software Foundation may publish revised and/or new +versions of the Lesser General Public License from time to time. +Such new versions will be similar in spirit to the present version, +but may differ in detail to address new problems or concerns. + +Each version is given a distinguishing version number. If the Library +specifies a version number of this License which applies to it and +"any later version", you have the option of following the terms and +conditions either of that version or of any later version published by +the Free Software Foundation. If the Library does not specify a +license version number, you may choose any version ever published by +the Free Software Foundation. + + 14. 
If you wish to incorporate parts of the Library into other free +programs whose distribution conditions are incompatible with these, +write to the author to ask for permission. For software which is +copyrighted by the Free Software Foundation, write to the Free +Software Foundation; we sometimes make exceptions for this. Our +decision will be guided by the two goals of preserving the free status +of all derivatives of our free software and of promoting the sharing +and reuse of software generally. + + NO WARRANTY + + 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO +WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. +EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR +OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY +KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE +LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME +THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN +WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY +AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU +FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR +CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE +LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING +RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A +FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF +SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH +DAMAGES. 
+ + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Libraries + + If you develop a new library, and you want it to be of the greatest +possible use to the public, we recommend making it free software that +everyone can redistribute and change. You can do so by permitting +redistribution under these terms (or, alternatively, under the terms of the +ordinary General Public License). + + To apply these terms, attach the following notices to the library. It is +safest to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least the +"copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with this library; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + +Also add information on how to contact you by electronic and paper mail. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the library, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the + library `Frob' (a library for tweaking knobs) written by James Random Hacker. + + , 1 April 1990 + Ty Coon, President of Vice + +That's all there is to it! + + 
diff --git a/SPECS/jss.spec b/SPECS/jss.spec new file mode 100644 index 0000000..7e6f669 --- /dev/null +++ b/SPECS/jss.spec 
@@ -0,0 +1,359 @@ +Name: jss +Version: 4.2.6 +Release: 30%{?dist} +Summary: Java Security Services (JSS) + +Group: System Environment/Libraries +License: MPLv1.1 or GPLv2+ or LGPLv2+ +URL: http://www.mozilla.org/projects/security/pki/jss/ +# The source for this package was pulled from upstream's cvs. Use the +# following commands to generate the tarball: +# cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot export -r JSS_4_2_6_RTM -d jss-4.2.6 -N mozilla/security/coreconf mozilla/security/jss +# tar -czvf jss-4.2.6.tar.gz jss-4.2.6 +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/%{name}-%{version}.tar.gz +Source1: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/MPL-1.1.txt +Source2: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/gpl.txt +Source3: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}-%{release}/lgpl.txt +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: nss-devel >= 3.12.3.99 +BuildRequires: nspr-devel >= 4.6.99 +BuildRequires: java-devel +Requires: java +Requires: nss >= 3.12.3.99 + +Patch1: jss-key_pair_usage_with_op_flags.patch +Patch2: jss-javadocs-param.patch +Patch3: jss-ipv6.patch +Patch4: jss-ECC-pop.patch +Patch5: jss-loadlibrary.patch +Patch6: jss-ocspSettings.patch +Patch7: jss-ECC_keygen_byCurveName.patch +Patch8: jss-VerifyCertificate.patch +Patch9: jss-bad-error-string-pointer.patch +Patch10: jss-VerifyCertificateReturnCU.patch +#Patch11: jss-slots-not-freed.patch +Patch12: jss-ECC-HSM-FIPS.patch +Patch13: jss-eliminate-native-compiler-warnings.patch +Patch14: jss-eliminate-java-compiler-warnings.patch +Patch15: jss-PKCS12-FIPS.patch +Patch16: jss-eliminate-native-coverity-defects.patch +Patch17: jss-PBE-PKCS5-V2-secure-P12.patch +Patch18: jss-wrapInToken.patch +Patch19: jss-HSM-manufacturerID.patch +Patch20: jss-ECC-Phase2KeyArchivalRecovery.patch +Patch21: 
jss-undo-JCA-deprecations.patch +Patch22: jss-undo-BadPaddingException-deprecation.patch +Patch23: jss-fixed-build-issue-on-F17-or-newer.patch + + +%description +Java Security Services (JSS) is a java native interface which provides a bridge +for java-based applications to use native Network Security Services (NSS). +This only works with gcj. Other JREs require that JCE providers be signed. + +%package javadoc +Summary: Java Security Services (JSS) Javadocs +Group: Documentation +Requires: jss = %{version}-%{release} + +%description javadoc +This package contains the API documentation for JSS. + +%prep +%setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +#%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 + +%build +[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java + +# Enable compiler optimizations and disable debugging code +BUILD_OPT=1 +export BUILD_OPT + +# Generate symbolic info for debuggers +XCFLAGS="-g $RPM_OPT_FLAGS" +export XCFLAGS + +PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 +PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 + +export PKG_CONFIG_ALLOW_SYSTEM_LIBS +export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS + +NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` +NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'` + +NSS_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss | sed 's/-I//'` +NSS_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nss | sed 's/-L//'` + +export NSPR_INCLUDE_DIR +export NSPR_LIB_DIR +export NSS_INCLUDE_DIR +export NSS_LIB_DIR + +%ifarch x86_64 ppc64 ia64 s390x sparc64 +USE_64=1 +export USE_64 +%endif + +%if 0%{?fedora} >= 16 +cp -p mozilla/security/coreconf/Linux2.6.mk mozilla/security/coreconf/Linux3.1.mk +sed -i -e 's;LINUX2_1;LINUX3_1;' mozilla/security/coreconf/Linux3.1.mk + +cp -p 
mozilla/security/coreconf/Linux3.1.mk mozilla/security/coreconf/Linux3.2.mk +sed -i -e 's;LINUX3_1;LINUX3_2;' mozilla/security/coreconf/Linux3.2.mk + +cp -p mozilla/security/coreconf/Linux3.2.mk mozilla/security/coreconf/Linux3.6.mk +sed -i -e 's;LINUX3_1;LINUX3_6;' mozilla/security/coreconf/Linux3.6.mk +%endif + +# The Makefile is not thread-safe +make -C mozilla/security/coreconf +make -C mozilla/security/jss +make -C mozilla/security/jss javadoc + +%install +rm -rf $RPM_BUILD_ROOT docdir + +# Copy the license files here so we can include them in %doc +cp -p %{SOURCE1} . +cp -p %{SOURCE2} . +cp -p %{SOURCE3} . + +# There is no install target so we'll do it by hand + +# jars +%if 0%{?fedora} >= 16 +install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir} +install -m 644 mozilla/dist/xpclass.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar +%else +install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss +install -m 644 mozilla/dist/xpclass.jar ${RPM_BUILD_ROOT}%{_libdir}/jss/jss4-%{version}.jar +ln -fs jss4-%{version}.jar $RPM_BUILD_ROOT%{_libdir}/jss/jss4.jar + +install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir} +ln -fs %{_libdir}/jss/jss4.jar $RPM_BUILD_ROOT%{_jnidir}/jss4.jar +%endif + +# We have to use the name libjss4.so because this is dynamically +# loaded by the jar file. +install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss +install -m 0755 mozilla/dist/Linux*.OBJ/lib/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/ +%if 0%{?fedora} >= 16 +pushd ${RPM_BUILD_ROOT}%{_libdir}/jss + ln -fs %{_jnidir}/jss4.jar jss4.jar +popd +%endif + +# javadoc +install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} +cp -rp mozilla/dist/jssdoc/* $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} + +%clean +rm -rf $RPM_BUILD_ROOT + +# No ldconfig is required since this library is loaded by Java itself. 
+%files +%defattr(-,root,root,-) +%doc mozilla/security/jss/jss.html MPL-1.1.txt gpl.txt lgpl.txt +%{_libdir}/jss/* +%{_jnidir}/* + +%files javadoc +%defattr(-,root,root,-) +%dir %{_javadocdir}/%{name}-%{version} +%{_javadocdir}/%{name}-%{version}/* + + +%changelog +* Wed Jul 17 2013 Nathan Kinder - 4.2.6-30 +- Bugzilla Bug #847120 - Unable to build JSS on F17 or newer + +* Thu Feb 14 2013 Fedora Release Engineering - 4.2.6-29 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Dec 19 2012 Stanislav Ochotnicky - 4.2.6-28 +- revbump after jnidir change + +* Wed Dec 12 2012 Stanislav Ochotnicky - 4.2.6-27 +- Simple rebuild + +* Mon Nov 19 2012 Christina Fu - 4.2.6-26 +- added source URLs in spec file to pass Package Wrangler + +* Thu Jul 19 2012 Fedora Release Engineering - 4.2.6-25 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Fri Mar 30 2012 Matthew Harmsen - 4.2.6-24 +- Bugzilla Bug #783007 - Un-deprecate previously deprecated methods in + JSS 4.2.6 . . . BadPaddingException (mharmsen) + +* Tue Mar 20 2012 Christina Fu - 4.2.6-23 +- Bugzilla Bug #797351 - JSS - HSM token name was mistaken for manufacturer + identifier (cfu) +- Bugzilla Bug #804840 - [RFE] ECC encryption keys cannot be archived + ECC phase2 work - support for ECC encryption key archival and recovery (cfu) +- Bugzilla Bug #783007 - Un-deprecate previously deprecated methods in + JSS 4.2.6 . . . 
(mharmsen) +- Dogtag TRAC Task #109 (https://fedorahosted.org/pki/ticket/109) - add + benign JNI jar file symbolic link from JNI libdir to JNI jar file (mharmsen) + +* Fri Jan 13 2012 Fedora Release Engineering - 4.2.6-22 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Oct 19 2011 Christina Fu - 4.2.6-21 +- Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping + unwrapping keys should be done in the token +- support for PKCS5v2; support for secure PKCS12 +- Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after the + in-place upgrade( CS 8.0->8.1) + +* Mon Sep 19 2011 Matthew Harmsen - 4.2.6-20 +- Bugzilla Bug #715621 - Defects revealed by Coverity scan + +* Wed Aug 31 2011 Matthew Harmsen - 4.2.6-19.1 +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . + +* Mon Aug 15 2011 Christina Fu - 4.2.6-19 +- Bugzilla Bug 733550 - DRM failed to recovery keys when in FIPS mode + (HSM + NSS) + +* Fri Aug 12 2011 Matthew Harmsen - 4.2.6-18 +- Bugzilla Bug #660436 - Warnings should be cleaned up in JSS build + (jdennis, mharmsen) + +* Wed May 18 2011 Christina Fu - 4.2.6-17 +- Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode + and ECC algorithms (support tokens that don't do ECDH) + +* Fri Apr 08 2011 Jack Magne - 4.2.6-15.99 +- bug 694661 - TKS instance crash during token enrollment. + Back out of previous patch for #676083. 
+ +* Thu Feb 24 2011 Andrew Wnuk - 4.2.6-15 +- bug 676083 - JSS: slots not freed + +* Wed Feb 09 2011 Fedora Release Engineering - 4.2.6-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 31 2011 John Dennis - 4.2.6-13 +- remove misleading comment in spec file concerning jar signing + +* Tue Jan 11 2011 Kevin Wright - 4.2.6-12 +- added missing patch line + +* Tue Dec 21 2010 Christina Fu - 4.2.6-11 +- bug 654657 - + Incorrect socket accept error message due to bad pointer arithmetic +- bug 661142 - + Verification should fail when a revoked certificate is added + +* Thu Dec 16 2010 John Dennis - 4.2.6-10 +- Resolves: bug 656094 - + Rebase jss to at least jss-4.2.6-9 +- + merge in updates from Fedora + move jar location to %%{_libdir}/jss and provide symlinks, on 32bit looks like this: + /usr/lib/java/jss4.jar -> /usr/lib/jss/jss4.jar + /usr/lib/jss/jss4-.jar + /usr/lib/jss/jss4.jar -> jss4-.jar + /usr/lib/jss/libjss4.so +- bug 654657 - + Incorrect socket accept error message due to bad pointer arithmetic +- bug 647364 - + Expose updated certificate verification function in JSS +- bug 529945 - + expose NSS calls for OCSP settings +- bug 638833 - + rfe ecc - add ec curve name support in JSS and CS +- + Need to explicitly catch UnsatisfiedLinkError exception for System.load() +- bug 533304 - + Move location of libjss4.so to subdirectory and use System.load() to + load it instead of System.loadLibrary() for Fedora packaging compliance + +* Mon Nov 30 2009 Dennis Gregorovic - 4.2.6-4.1 +- Rebuilt for RHEL 6 + +* Fri Jul 31 2009 Rob Crittenden 4.2.6-4 +- Resolves: bug 224688 - + Support ECC POP on the server +- Resolves: bug 469456 - + Server Sockets are hard coded to IPV4 +- Resolves: bug 509183 - + Set NSS dependency >= 3.12.3.99 + +* Fri Jul 24 2009 Fedora Release Engineering - 4.2.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Fri Jun 5 2009 Rob Crittenden 4.2.6-2 +- Include patch to fix missing @param 
so javadocs will build + +* Fri Jun 5 2009 Rob Crittenden 4.2.6-1 +- Resolves: bug 455305 - + CA ECC Signing Key Failure +- Resolves: bug 502111 - + Need JSS interface for NSS's PK11_GenerateKeyPairWithOpFlags() function +- Resolves: bug 503809 - + Update JSS version to 4.2.6 +- Resolves: bug 503817 - + Create JSS Javadocs as their own RPM + +* Wed Feb 25 2009 Fedora Release Engineering - 4.2.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Aug 5 2008 Tom "spot" Callaway - 4.2.5-3 +- fix license tag + +* Tue Feb 19 2008 Fedora Release Engineering - 4.2.5-2 +- Autorebuild for GCC 4.3 + +* Fri Aug 3 2007 Rob Crittenden 4.2.5-1 +- update to 4.2.5 + +* Thu May 24 2007 Rob Crittenden 4.2.4-6 +- Use _jnidir macro instead of _javadir for the jar files. This will break + multilib installs but adheres to the jpackage spec. + +* Wed May 16 2007 Rob Crittenden 4.2.4-5 +- Include the 3 license files +- Remove Requires for nss and nspr. These libraries have versioned symbols + so BuildRequires is enough to set the minimum. +- Add sparc64 for the 64-bit list + +* Mon May 14 2007 Rob Crittenden 4.2.4-4 +- Included additional comments on jar signing and why ldconfig is not + required. + +* Thu May 10 2007 Rob Crittenden 4.2.4-3 +- Added information on how to pull the source into a tar.gz + +* Thu Mar 15 2007 Rob Crittenden 4.2.4-2 +- Added RPM_OPT_FLAGS to XCFLAGS +- Added link to Sun JCE information + +* Tue Feb 27 2007 Rob Crittenden 4.2.4-1 +- Initial build
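Review bot: in the `%build` section of SPECS/jss.spec, the third coreconf substitution cannot match. Linux3.6.mk is copied from Linux3.2.mk after `sed -i -e 's;LINUX3_1;LINUX3_2;'` has already rewritten that file, so `sed -i -e 's;LINUX3_1;LINUX3_6;' mozilla/security/coreconf/Linux3.6.mk` finds no LINUX3_1 to replace and Linux3.6.mk keeps the LINUX3_2 define. Either change the pattern to `s;LINUX3_2;LINUX3_6;` or copy each new file from Linux3.1.mk so the existing pattern still applies. A smaller point in the same hunk: Source0 through Source3 are plain http URLs and the spec records no digest for them, so the build should check the fetched tarball against a checksum kept alongside the spec before `%setup` unpacks it.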