From 8c1db99e9a883b40f9008445ab0424f965c79e97 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 28 2020 13:29:22 +0000
Subject: import tomcatjss-7.5.0-0.2.module+el8.3.0+7178+12af6fad
---
diff --git a/.gitignore b/.gitignore
index 67701cd..e5a3916 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/tomcatjss-7.4.1.tar.gz
+SOURCES/tomcatjss-7.5.0-a1.tar.gz
diff --git a/.tomcatjss.metadata b/.tomcatjss.metadata
index 5cfe0c4..0363b74 100644
--- a/.tomcatjss.metadata
+++ b/.tomcatjss.metadata
@@ -1 +1 @@
-f0069873f3b72269add041f926f8a24e5abeabda SOURCES/tomcatjss-7.4.1.tar.gz
+731bf76056488deb18c0794f921606af7a428900 SOURCES/tomcatjss-7.5.0-a1.tar.gz
diff --git a/SOURCES/0001-Use-factory-for-JSSKeyManager-JSSTrustManager.patch b/SOURCES/0001-Use-factory-for-JSSKeyManager-JSSTrustManager.patch
new file mode 100644
index 0000000..8dcf646
--- /dev/null
+++ b/SOURCES/0001-Use-factory-for-JSSKeyManager-JSSTrustManager.patch
@@ -0,0 +1,89 @@ +From 54e26482643023a7fcbbba25376d691980ed6471 Mon Sep 17 00:00:00 2001 +From: Alexander Scheel +Date: Thu, 25 Jun 2020 13:41:59 -0400 +Subject: [PATCH] Use factory for JSSKeyManager, JSSTrustManager + +Signed-off-by: Alexander Scheel +--- + tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java | 12 ++++++++++-- + tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java | 11 +++++++---- + 2 files changed, 17 insertions(+), 6 deletions(-) + +diff --git a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java +index 1f2082e..a3630e2 100644 +--- a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java ++++ b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java +@@ -9,6 +9,7 @@ import java.util.List; + import javax.net.ssl.KeyManager; + import javax.net.ssl.KeyManagerFactory; + import javax.net.ssl.TrustManager; ++import javax.net.ssl.TrustManagerFactory; + + import org.apache.tomcat.util.net.SSLContext; + +@@ -36,8 +37,15 @@ public class JSSContext implements org.apache.tomcat.util.net.SSLContext { + + /* These KeyManagers and TrustManagers aren't used with the SSLEngine; + * they're only used to implement certain function calls below. 
*/ +- jkm = new JSSKeyManager(); +- jtm = new JSSTrustManager(); ++ try { ++ KeyManagerFactory kmf = KeyManagerFactory.getInstance("NssX509", "Mozilla-JSS"); ++ jkm = (JSSKeyManager) kmf.getKeyManagers()[0]; ++ ++ TrustManagerFactory tmf = TrustManagerFactory.getInstance("NssX509", "Mozilla-JSS"); ++ jtm = (JSSTrustManager) tmf.getTrustManagers()[0]; ++ } catch (Exception e) { ++ throw new RuntimeException(e.getMessage(), e); ++ } + } + + public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) throws KeyManagementException { +diff --git a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java +index 8930bbd..cad3163 100644 +--- a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java ++++ b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java +@@ -26,7 +26,9 @@ import java.util.Set; + import java.util.HashSet; + + import javax.net.ssl.KeyManager; ++import javax.net.ssl.KeyManagerFactory; + import javax.net.ssl.TrustManager; ++import javax.net.ssl.TrustManagerFactory; + import javax.net.ssl.SSLEngine; + + import org.apache.juli.logging.Log; +@@ -39,9 +41,7 @@ import org.apache.tomcat.util.net.SSLUtilBase; + + import org.mozilla.jss.JSSProvider; + import org.mozilla.jss.crypto.Policy; +-import org.mozilla.jss.provider.javax.crypto.JSSKeyManager; + import org.mozilla.jss.provider.javax.crypto.JSSNativeTrustManager; +-import org.mozilla.jss.provider.javax.crypto.JSSTrustManager; + import org.mozilla.jss.ssl.SSLCipher; + import org.mozilla.jss.ssl.SSLVersion; + +@@ -86,15 +86,18 @@ public class JSSUtil extends SSLUtilBase { + @Override + public KeyManager[] getKeyManagers() throws Exception { + logger.debug("JSSUtil: getKeyManagers()"); +- return new KeyManager[] { new JSSKeyManager() }; ++ KeyManagerFactory jkm = KeyManagerFactory.getInstance("NssX509", "Mozilla-JSS"); ++ return jkm.getKeyManagers(); + } + + @Override + public TrustManager[] getTrustManagers() throws Exception { + logger.debug("JSSUtil: 
getTrustManagers()"); + if (!JSSProvider.ENABLE_JSSENGINE) { +- return new TrustManager[] { new JSSTrustManager() }; ++ TrustManagerFactory tmf = TrustManagerFactory.getInstance("NssX509"); ++ return tmf.getTrustManagers(); + } ++ + return new TrustManager[] { new JSSNativeTrustManager() }; + } + +-- +2.26.2 + diff --git a/SPECS/tomcatjss.spec b/SPECS/tomcatjss.spec index 19919bf..0bbe4f0 100644 --- a/SPECS/tomcatjss.spec +++ b/SPECS/tomcatjss.spec @@ -7,9 +7,9 @@ URL: http://www.dogtagpki.org/wiki/TomcatJSS License: LGPLv2+ BuildArch: noarch -Version: 7.4.1 -Release: 2%{?_timestamp}%{?_commit_id}%{?dist} -# global _phase -a1 +Version: 7.5.0 +Release: 0.2%{?_timestamp}%{?_commit_id}%{?dist} +%global _phase -a1 # To generate the source tarball: # $ git clone https://github.com/dogtagpki/tomcatjss.git @@ -27,6 +27,7 @@ Source: https://github.com/dogtagpki/tomcatjss/archive/v%{version}%{?_ # \ # > tomcatjss-VERSION-RELEASE.patch # Patch: tomcatjss-VERSION-RELEASE.patch +Patch0: 0001-Use-factory-for-JSSKeyManager-JSSTrustManager.patch ################################################################################ # Build Dependencies @@ -57,7 +58,7 @@ BuildRequires: slf4j-jdk14 %if 0%{?rhel} && 0%{?rhel} <= 7 BuildRequires: jss >= 4.4.0-7 %else -BuildRequires: jss >= 4.6.0 +BuildRequires: jss >= 4.7.0 %endif # Tomcat @@ -104,7 +105,7 @@ Requires: slf4j-jdk14 %if 0%{?rhel} && 0%{?rhel} <= 7 Requires: jss >= 4.4.0-7 %else -Requires: jss >= 4.6.0 +Requires: jss >= 4.7.0 %endif # Tomcat @@ -126,12 +127,6 @@ Requires: tomcat >= 1:9.0.7 %endif %endif -# The 'tomcatjss' package conflicts with the 'tomcat-native' package -# because it uses an underlying NSS security model rather than the -# OpenSSL security model, so these two packages may not co-exist. -# (see Bugzilla Bug #441974 for details) -Conflicts: tomcat-native - # PKI Conflicts: pki-base < 10.6.5 
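Review bot: In `JSSUtil.getTrustManagers()` the new `TrustManagerFactory.getInstance("NssX509")` call omits the provider argument, while the other three factory lookups in this patch pin `"Mozilla-JSS"`. Without the provider name the JCA returns the highest-priority registered provider that offers an algorithm named `NssX509`, so which trust manager validates peer certificates depends on provider ordering instead of being tied to JSS; I would make it `TrustManagerFactory tmf = TrustManagerFactory.getInstance("NssX509", "Mozilla-JSS");`. Separately, in the `JSSContext` constructor (its body starts outside the hunk) both factories are used without an `init()` call and the results are cast and indexed with `[0]` unchecked. If the JSS factories need no initialisation that is fine, but a one-line comment saying so would help, because a wrong type or an empty array surfaces only as a `RuntimeException` whose message may be null.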
@@ -182,6 +177,8 @@ ant -f build.xml \ %files ################################################################################ +%license LICENSE + %defattr(-,root,root) %doc README %doc LICENSE @@ -189,6 +186,12 @@ ant -f build.xml \ ################################################################################ %changelog +* Thu Jun 25 2020 Red Hat PKI Team 7.5.0-0.2 +- Rebased to TomcatJSS 7.5.0-a2 + +* Tue May 26 2020 Red Hat PKI Team 7.5.0-0.1 +- Rebased to TomcatJSS 7.5.0-a1 + * Thu Oct 31 2019 Red Hat PKI Team 7.4.1-2 - Bumping min requirement for jss to 4.6.0