[Pkg-fedora-ds-maintainers] jss: Changes to 'master'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Tue Aug 30 11:06:11 UTC 2016
debian/changelog | 9
debian/control | 6
debian/patches/jss-Fixed-build-failures.patch | 302 ++
debian/patches/jss-VerifyCertificate-enhancement.patch | 204 +
debian/patches/jss-WindowsCompileFix.patch | 32
debian/patches/jss-WindowsLoadLibrary.patch | 30
debian/patches/jss-crmf-envelopedData.patch | 33
debian/patches/jss-lunasaUnwrap.patch | 12
debian/patches/jss-symkey-enhancements.patch | 1814 +++++++++++++++++
debian/patches/series | 7
10 files changed, 2446 insertions(+), 3 deletions(-)
New commits:
commit 675d9f1150b19cd914cba53f439abbec1613f340
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Aug 30 14:05:56 2016 +0300
releasing package jss version 4.3.1-7
diff --git a/debian/changelog b/debian/changelog
index 5ff340a..1ce0561 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,11 @@
-jss (4.3.1-7) UNRELEASED; urgency=medium
+jss (4.3.1-7) unstable; urgency=medium
* Sync patches with fedora 4.2.6-42.
- merge symkey
* control: Bump policy to 3.9.8, no changes.
* control: Use https for vcs urls.
- -- Timo Aaltonen <tjaalton at debian.org> Tue, 30 Aug 2016 13:10:05 +0300
+ -- Timo Aaltonen <tjaalton at debian.org> Tue, 30 Aug 2016 14:05:48 +0300
jss (4.3.1-6) unstable; urgency=medium
commit bf847f8a199eba537c5e7e7fb2f86e6bb8909e1e
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Aug 30 14:05:44 2016 +0300
control: Bump policy to 3.9.8, no changes.
* control: Use https for vcs urls.
diff --git a/debian/changelog b/debian/changelog
index 6b540c7..5ff340a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,8 @@ jss (4.3.1-7) UNRELEASED; urgency=medium
* Sync patches with fedora 4.2.6-42.
- merge symkey
+ * control: Bump policy to 3.9.8, no changes.
+ * control: Use https for vcs urls.
-- Timo Aaltonen <tjaalton at debian.org> Tue, 30 Aug 2016 13:10:05 +0300
diff --git a/debian/control b/debian/control
index 40f7e0b..a90bc17 100644
--- a/debian/control
+++ b/debian/control
@@ -8,9 +8,9 @@ Build-Depends: debhelper (>= 9),
libnss3-dev,
pkg-config,
quilt,
-Standards-Version: 3.9.6
-Vcs-Git: git://anonscm.debian.org/pkg-fedora-ds/jss.git
-Vcs-Browser: http://anonscm.debian.org/cgit/pkg-fedora-ds/jss.git
+Standards-Version: 3.9.8
+Vcs-Git: https://anonscm.debian.org/git/pkg-fedora-ds/jss.git
+Vcs-Browser: https://anonscm.debian.org/cgit/pkg-fedora-ds/jss.git
Homepage: http://www.mozilla.org/projects/security/pki/jss/
Package: libjss-java
commit bbcbfac435b52c570100656731295ecd556844e7
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Tue Aug 30 14:03:39 2016 +0300
Sync patches with fedora 4.2.6-42.
diff --git a/debian/changelog b/debian/changelog
index 16e05e9..6b540c7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jss (4.3.1-7) UNRELEASED; urgency=medium
+
+ * Sync patches with fedora 4.2.6-42.
+ - merge symkey
+
+ -- Timo Aaltonen <tjaalton at debian.org> Tue, 30 Aug 2016 13:10:05 +0300
+
jss (4.3.1-6) unstable; urgency=medium
* jss-PBE-PKCS5-V2-secure-P12.patch: Bump NUM_ALGS. (Closes: #688472)
diff --git a/debian/patches/jss-Fixed-build-failures.patch b/debian/patches/jss-Fixed-build-failures.patch
new file mode 100644
index 0000000..33c9a65
--- /dev/null
+++ b/debian/patches/jss-Fixed-build-failures.patch
@@ -0,0 +1,302 @@
+From 22092d1bde94dc8a1f6e8198fa2fcc597c36c32f Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata at redhat.com>
+Date: Wed, 9 Dec 2015 00:30:50 +0100
+Subject: [PATCH] Fixed build failures.
+
+The Javadoc on various classes have been modified to fix build
+failures on F23 and Rawhide due to stringent requirements on
+those platforms.
+
+The Debug_debug.jnot has been renamed to Debug.java to fix build
+failure in Eclipse.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1289799
+---
+ .classpath | 7 +++++++
+ .project | 17 +++++++++++++++++
+ mozilla/security/jss/build_java.pl | 2 +-
+ mozilla/security/jss/org/mozilla/jss/CryptoManager.java | 14 +++++++-------
+ .../security/jss/org/mozilla/jss/asn1/ASN1Header.java | 2 +-
+ .../security/jss/org/mozilla/jss/pkcs11/PK11Token.java | 2 +-
+ .../security/jss/org/mozilla/jss/pkcs12/CertBag.java | 1 +
+ .../security/jss/org/mozilla/jss/pkcs7/ContentInfo.java | 1 -
+ .../security/jss/org/mozilla/jss/pkcs7/SignerInfo.java | 17 ++++++++++-------
+ .../jss/org/mozilla/jss/pkix/cms/ContentInfo.java | 1 -
+ .../jss/org/mozilla/jss/pkix/cms/SignerInfo.java | 17 ++++++++++-------
+ .../jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java | 2 +-
+ .../jss/org/mozilla/jss/ssl/SSLServerSocket.java | 3 ---
+ .../mozilla/jss/util/{Debug_debug.jnot => Debug.java} | 0
+ 14 files changed, 56 insertions(+), 30 deletions(-)
+ create mode 100644 .classpath
+ create mode 100644 .project
+ rename mozilla/security/jss/org/mozilla/jss/util/{Debug_debug.jnot => Debug.java} (100%)
+
+--- /dev/null
++++ b/.classpath
+@@ -0,0 +1,7 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<classpath>
++ <classpathentry excluding="samples/" kind="src" path="mozilla/security/jss"/>
++ <classpathentry kind="src" path="mozilla/security/jss/samples"/>
++ <classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER"/>
++ <classpathentry kind="output" path="bin"/>
++</classpath>
+--- /dev/null
++++ b/.project
+@@ -0,0 +1,17 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<projectDescription>
++ <name>jss-4.2</name>
++ <comment></comment>
++ <projects>
++ </projects>
++ <buildSpec>
++ <buildCommand>
++ <name>org.eclipse.jdt.core.javabuilder</name>
++ <arguments>
++ </arguments>
++ </buildCommand>
++ </buildSpec>
++ <natures>
++ <nature>org.eclipse.jdt.core.javanature</nature>
++ </natures>
++</projectDescription>
+--- a/security/jss/build_java.pl
++++ b/security/jss/build_java.pl
+@@ -137,7 +137,7 @@ sub setup_vars {
+ $class_jar = "$dist_dir/$cmdline_vars{XPCLASS_DBG_JAR}";
+ $class_release_dir .= "/$cmdline_vars{SOURCE_RELEASE_CLASSES_DBG_DIR}";
+ $javac_opt_flag = "-g";
+- $debug_source_file = "org/mozilla/jss/util/Debug_debug.jnot";
++ $debug_source_file = "org/mozilla/jss/util/Debug.java";
+ }
+ $jni_header_dir = "$dist_dir/private/jss/_jni";
+
+--- a/security/jss/org/mozilla/jss/CryptoManager.java
++++ b/security/jss/org/mozilla/jss/CryptoManager.java
+@@ -687,7 +687,7 @@ public final class CryptoManager impleme
+ * loaded cryptographic modules for the token.
+ *
+ * @param name The name of the token.
+- * @exception org.mozilla.jss.crypto.NoSuchTokenException If no token
++ * @exception NoSuchTokenException If no token
+ * is found with the given name.
+ */
+ public synchronized CryptoToken getTokenByName(String name)
+@@ -942,9 +942,9 @@ public final class CryptoManager impleme
+ * <code>initialize()</code>.
+ *
+ * @param configDir The directory containing the security databases.
+- * @exception org.mozilla.jss.util.KeyDatabaseException Unable to open
++ * @exception KeyDatabaseException Unable to open
+ * the key database, or it was currupted.
+- * @exception org.mozilla.jss.util.CertDatabaseException Unable
++ * @exception CertDatabaseException Unable
+ * to open the certificate database, or it was currupted.
+ **/
+ public static synchronized void initialize( String configDir )
+@@ -965,9 +965,9 @@ public final class CryptoManager impleme
+ * <code>initialize()</code>.
+ *
+ * @param values The options with which to initialize CryptoManager.
+- * @exception org.mozilla.jss.util.KeyDatabaseException Unable to open
++ * @exception KeyDatabaseException Unable to open
+ * the key database, or it was corrupted.
+- * @exception org.mozilla.jss.util.CertDatabaseException Unable
++ * @exception CertDatabaseException Unable
+ * to open the certificate database, or it was corrupted.
+ **/
+ public static synchronized void initialize( InitializationValues values )
+@@ -1127,7 +1127,7 @@ public final class CryptoManager impleme
+ * @return The leaf certificate from the chain.
+ * @exception CertificateEncodingException If the package encoding
+ * was not recognized.
+- * @exception CertificateNicknameConflictException If the leaf certificate
++ * @exception NicknameConflictException If the leaf certificate
+ * is a user certificate, and another certificate already has the
+ * given nickname.
+ * @exception UserCertConflictException If the leaf certificate
+@@ -1165,7 +1165,7 @@ public final class CryptoManager impleme
+ * @return The leaf certificate from the chain.
+ * @exception CertificateEncodingException If the package encoding
+ * was not recognized.
+- * @exception CertificateNicknameConflictException If the leaf certificate
++ * @exception NicknameConflictException If the leaf certificate
+ * another certificate already has the given nickname.
+ * @exception UserCertConflictException If the leaf certificate
+ * has already been imported.
+--- a/security/jss/org/mozilla/jss/asn1/ASN1Header.java
++++ b/security/jss/org/mozilla/jss/asn1/ASN1Header.java
+@@ -259,7 +259,7 @@ public class ASN1Header {
+ /**
+ * This constructor is to be called when we are constructing an ASN1Value
+ * rather than decoding it.
+- * @param contentLength Must be >=0. Although indefinite length
++ * @param contentLength Must be >=0. Although indefinite length
+ * <i>decoding</i> is supported, indefinite length <i>encoding</i>
+ * is not.
+ */
+--- a/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
++++ b/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
+@@ -236,7 +236,7 @@ public final class PK11Token implements
+ *
+ * @param ssopwcb The security officer's current password callback.
+ * @param userpwcb The user's new password callback.
+- * @exception IncorrectPinException If the security officer PIN is
++ * @exception IncorrectPasswordException If the security officer PIN is
+ * incorrect.
+ * @exception TokenException If the PIN was already initialized,
+ * or there was an unspecified error in the token.
+--- a/security/jss/org/mozilla/jss/pkcs12/CertBag.java
++++ b/security/jss/org/mozilla/jss/pkcs12/CertBag.java
+@@ -91,6 +91,7 @@ public class CertBag implements ASN1Valu
+ * <li>If the type is <code>SDSI_CERT_TYPE</code>, returns
+ * an IA5String.
+ * <li>For all other types, returns an ANY.
++ * </ul>
+ *
+ * @exception InvalidBERException If the cert is not encoded correctly.
+ */
+--- a/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java
++++ b/security/jss/org/mozilla/jss/pkcs7/ContentInfo.java
+@@ -169,7 +169,6 @@ public class ContentInfo implements ASN1
+ * an OCTET_STRING will be returned.
+ * <p>If the contentType is <b>not</b> one of the six standard types,
+ * the returned object will be an ANY.
+- * </ul>
+ */
+ public ASN1Value getInterpretedContent() throws InvalidBERException {
+ if(contentType.equals(DATA)) {
+--- a/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java
++++ b/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java
+@@ -129,7 +129,7 @@ public class SignerInfo implements ASN1V
+ /**
+ * Retrieves the DigestAlgorithm used in this SignerInfo.
+ *
+- * @exception NoSuchAlgorithm If the algorithm is not recognized by JSS.
++ * @exception NoSuchAlgorithmException If the algorithm is not recognized by JSS.
+ */
+ public DigestAlgorithm getDigestAlgorithm()
+ throws NoSuchAlgorithmException
+@@ -402,10 +402,12 @@ public class SignerInfo implements ASN1V
+ /**
+ * Verifies that this SignerInfo contains a valid signature of the
+ * given message digest. If any authenticated attributes are present,
+- * they are also validated. The verification algorithm is as follows:<ul>
+- * <p>Note that this does <b>not</b> verify the validity of the
+- * the certificate itself, only the signature.
++ * they are also validated. The verification algorithm is as follows:
+ *
++ * Note that this does <b>not</b> verify the validity of the
++ * the certificate itself, only the signature.
++ *
++ * <ul>
+ * <li>If no authenticated attributes are present, the content type is
+ * verified to be <i>data</i>. Then it is verified that the message
+ * digest passed
+@@ -413,24 +415,25 @@ public class SignerInfo implements ASN1V
+ * digest in the SignerInfo.
+ *
+ * <li>If authenticated attributes are present,
+- * two particular attributes must be present: <ul>
++ * two particular attributes must be present:
++ * <ul>
+ * <li>PKCS #9 Content-Type, the type of content that is being signed.
+ * This must match the contentType parameter.
+ * <li>PKCS #9 Message-Digest, the digest of the content that is being
+ * signed. This must match the messageDigest parameter.
+ * </ul>
++ *
+ * After these two attributes are verified to be both present and correct,
+ * the encryptedDigest field of the SignerInfo is verified to be the
+ * signature of the contents octets of the DER encoding of the
+ * authenticatedAttributes field.
+- *
+ * </ul>
+ *
+ * @param messageDigest The hash of the content that is signed by this
+ * SignerInfo.
+ * @param contentType The type of the content that is signed by this
+ * SignerInfo.
+- * @exception NoSuchObjectException If no certificate matching the
++ * @exception ObjectNotFoundException If no certificate matching the
+ * the issuer name and serial number can be found.
+ */
+ public void verify(byte[] messageDigest, OBJECT_IDENTIFIER contentType)
+--- a/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java
++++ b/security/jss/org/mozilla/jss/pkix/cms/ContentInfo.java
+@@ -168,7 +168,6 @@ public class ContentInfo implements ASN1
+ * an OCTET_STRING will be returned.
+ * <p>If the contentType is <b>not</b> one of the six standard types,
+ * the returned object will be an ANY.
+- * </ul>
+ */
+ public ASN1Value getInterpretedContent() throws InvalidBERException {
+ if(contentType.equals(DATA)) {
+--- a/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java
++++ b/security/jss/org/mozilla/jss/pkix/cms/SignerInfo.java
+@@ -130,7 +130,7 @@ public class SignerInfo implements ASN1V
+ /**
+ * Retrieves the DigestAlgorithm used in this SignerInfo.
+ *
+- * @exception NoSuchAlgorithm If the algorithm is not recognized by JSS.
++ * @exception NoSuchAlgorithmException If the algorithm is not recognized by JSS.
+ */
+ public DigestAlgorithm getDigestAlgorithm()
+ throws NoSuchAlgorithmException
+@@ -403,10 +403,12 @@ public class SignerInfo implements ASN1V
+ /**
+ * Verifies that this SignerInfo contains a valid signature of the
+ * given message digest. If any signed attributes are present,
+- * they are also validated. The verification algorithm is as follows:<ul>
+- * <p>Note that this does <b>not</b> verify the validity of the
+- * the certificate itself, only the signature.
++ * they are also validated. The verification algorithm is as follows:
+ *
++ * Note that this does <b>not</b> verify the validity of the
++ * the certificate itself, only the signature.
++ *
++ * <ul>
+ * <li>If no signed attributes are present, the content type is
+ * verified to be <i>data</i>. Then it is verified that the message
+ * digest passed
+@@ -414,24 +416,25 @@ public class SignerInfo implements ASN1V
+ * digest in the SignerInfo.
+ *
+ * <li>If signed attributes are present,
+- * two particular attributes must be present: <ul>
++ * two particular attributes must be present:
++ * <ul>
+ * <li>PKCS #9 Content-Type, the type of content that is being signed.
+ * This must match the contentType parameter.
+ * <li>PKCS #9 Message-Digest, the digest of the content that is being
+ * signed. This must match the messageDigest parameter.
+ * </ul>
++ *
+ * After these two attributes are verified to be both present and correct,
+ * the encryptedDigest field of the SignerInfo is verified to be the
+ * signature of the contents octets of the DER encoding of the
+ * signedAttributes field.
+- *
+ * </ul>
+ *
+ * @param messageDigest The hash of the content that is signed by this
+ * SignerInfo.
+ * @param contentType The type of the content that is signed by this
+ * SignerInfo.
+- * @exception NoSuchObjectException If no certificate matching the
++ * @exception ObjectNotFoundException If no certificate matching the
+ * the issuer name and serial number can be found.
+ */
+ public void verify(byte[] messageDigest, OBJECT_IDENTIFIER contentType)
+--- a/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java
++++ b/security/jss/org/mozilla/jss/pkix/crmf/CertReqMsg.java
+@@ -112,7 +112,7 @@ public class CertReqMsg implements ASN1V
+
+ /**
+ * Constructs a <i>CertReqmsg</i> from a <i>CertRequest</i> and, optionally,
+- * a <i>pop>/i> and a <i>regInfo</i>.
++ * a <i>pop</i> and a <i>regInfo</i>.
+ * @param pop May be NULL.
+ * @param regInfo May be NULL.
+ */
diff --git a/debian/patches/jss-VerifyCertificate-enhancement.patch b/debian/patches/jss-VerifyCertificate-enhancement.patch
new file mode 100644
index 0000000..29839d7
--- /dev/null
+++ b/debian/patches/jss-VerifyCertificate-enhancement.patch
@@ -0,0 +1,204 @@
+From 3c4ca8a2010889fe292704ebcc8b922f77f2f7c2 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata at redhat.com>
+Date: Wed, 9 Dec 2015 00:30:50 +0100
+Subject: [PATCH] Added verifyCertificate() method.
+
+A new CryptoManager.verifyCertificate() method has been added as
+an alternative to isCertValid(). If there is a certificate
+validation problem, the method will throw a CertificateValidation
+exception that contains the NSS error message and code. The
+exception will also provide a stack trace to help troubleshoot
+validation issues.
+
+https://fedorahosted.org/pki/ticket/850
+---
+ .../jss/org/mozilla/jss/CryptoManager.java | 54 ++++++++------
+ mozilla/security/jss/org/mozilla/jss/PK11Finder.c | 83 +++++++++++++++++++---
+ .../jss/org/mozilla/jss/util/jss_exceptions.h | 2 +
+ 3 files changed, 110 insertions(+), 29 deletions(-)
+
+diff --git a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java b/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
+index 0a4f59064bfddb42d473022550c24f251719d02b..54ffd8130b0e1f1fca49dd8b130a621e449c7ce7 100644
+--- a/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
++++ b/security/jss/org/mozilla/jss/CryptoManager.java
+@@ -1515,30 +1515,44 @@ public final class CryptoManager implements TokenSupplier
+ CertificateUsage certificateUsage)
+ throws ObjectNotFoundException, InvalidNicknameException
+ {
+- if (nickname==null) {
+- throw new InvalidNicknameException("Nickname must be non-null");
+- }
+- // 0 certificate usage will get current usage
+- // should call isCertValid() call above that returns certificate usage
+- if ((certificateUsage == null) ||
+- (certificateUsage == CertificateUsage.CheckAllUsages)){
+- int currCertificateUsage = 0x0000;
+- currCertificateUsage = verifyCertificateNowCUNative(nickname,
+- checkSig);
++ try {
++ verifyCertificate(nickname, checkSig, certificateUsage);
++ return true;
++
++ } catch (ObjectNotFoundException | InvalidNicknameException e) {
++ throw e;
+
+- if (currCertificateUsage == CertificateUsage.basicCertificateUsages){
+- // cert is good for nothing
+- return false;
+- } else
+- return true;
+- } else {
+- return verifyCertificateNowNative(nickname, checkSig,
+- certificateUsage.getUsage());
++ } catch (CertificateException e) {
++ return false;
+ }
+ }
+
+- private native boolean verifyCertificateNowNative(String nickname,
+- boolean checkSig, int certificateUsage) throws ObjectNotFoundException;
++ /**
++ * Verify a certificate that exists in the given cert database,
++ * check if it's valid and that we trust the issuer. Verify time
++ * against now.
++ * @param nickname nickname of the certificate to verify.
++ * @param checkSig verify the signature of the certificate
++ * @param certificateUsage see certificate usage defined to verify certificate
++ *
++ * @exception InvalidNicknameException If the nickname is null.
++ * @exception ObjectNotFoundException If no certificate could be found
++ * with the given nickname.
++ * @exception CertificateException If certificate is invalid.
++ */
++ public void verifyCertificate(String nickname,
++ boolean checkSig,
++ CertificateUsage certificateUsage)
++ throws ObjectNotFoundException, InvalidNicknameException, CertificateException {
++ int usage = certificateUsage == null ? 0 : certificateUsage.getUsage();
++ verifyCertificateNowNative(nickname, checkSig, usage);
++ }
++
++ private native void verifyCertificateNowNative(
++ String nickname,
++ boolean checkSig,
++ int certificateUsage)
++ throws ObjectNotFoundException, InvalidNicknameException, CertificateException;
+
+ /**
+ * note: this method calls obsolete function in NSS
+diff --git a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c b/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
+index 8c7f0b4c05b58527a41cac140dbb5dc30578570f..4986478ffc860e145cd31e41c2880fcc2b5e007e 100644
+--- a/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
++++ b/security/jss/org/mozilla/jss/PK11Finder.c
+@@ -1667,21 +1667,86 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
+ /***********************************************************************
+ * CryptoManager.verifyCertificateNowNative
+ *
+- * Returns JNI_TRUE if success, JNI_FALSE otherwise
++ * Verify a certificate that exists in the given cert database,
++ * check if it's valid and that we trust the issuer. Verify time
++ * against now.
++ * @param nickname nickname of the certificate to verify.
++ * @param checkSig verify the signature of the certificate
++ * @param certificateUsage see certificate usage defined to verify certificate
++ *
++ * @exception InvalidNicknameException If the nickname is null.
++ * @exception ObjectNotFoundException If no certificate could be found
++ * with the given nickname.
++ * @exception CertificateException If certificate is invalid.
+ */
+-JNIEXPORT jboolean JNICALL
++JNIEXPORT void JNICALL
+ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
+- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
++ jobject self, jstring nickString, jboolean checkSig, jint certificateUsage)
+ {
+- SECStatus rv = SECFailure;
+ SECCertificateUsage currUsage = 0x0000;
++ SECStatus rv = SECFailure;
++ CERTCertificate *cert = NULL;
++ char *nickname = NULL;
+
+- rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
++ if (nickString == NULL) {
++ JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
++ goto finish;
++ }
+
+- if( rv == SECSuccess) {
+- return JNI_TRUE;
+- } else {
+- return JNI_FALSE;
++ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
++
++ if (nickname == NULL) {
++ JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
++ goto finish;
++ }
++
++ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
++
++ if (cert == NULL) {
++ char *msgBuf;
++ msgBuf = PR_smprintf("Certificate not found: %s", nickname);
++ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, msgBuf);
++ PR_Free(msgBuf);
++ goto finish;
++ }
++
++ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
++ * retrieve the current valid usage into currUsage
++ */
++ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
++ checkSig, certificateUsage, NULL, &currUsage);
++
++ if (rv != SECSuccess) {
++ JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Invalid certificate");
++ goto finish;
++ }
++
++ if ((certificateUsage == 0x0000) &&
++ (currUsage ==
++ ( certUsageUserCertImport |
++ certUsageVerifyCA |
++ certUsageProtectedObjectSigner |
++ certUsageAnyCA ))) {
++
++ /* The certificate is good for nothing.
++ * The following usages cannot be verified:
++ * certUsageAnyCA
++ * certUsageProtectedObjectSigner
++ * certUsageUserCertImport
++ * certUsageVerifyCA
++ * (0x0b80)
++ */
++
++ JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Unusable certificate");
++ goto finish;
++ }
++
++finish:
++ if (nickname != NULL) {
++ (*env)->ReleaseStringUTFChars(env, nickString, nickname);
++ }
++ if (cert != NULL) {
++ CERT_DestroyCertificate(cert);
+ }
+ }
+
+diff --git a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h b/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
+index 4884928306223ff0699a22e7da33e3d13a904d39..acd329a4ecd3592ebe1d72c7bdac435d84dcae99 100644
+--- a/mozilla/security/jss/org/mozilla/jss/util/jss_exceptions.h
++++ b/security/jss/org/mozilla/jss/util/jss_exceptions.h
+@@ -79,6 +79,8 @@ PR_BEGIN_EXTERN_C
+
+ #define INTERRUPTED_IO_EXCEPTION "java/io/InterruptedIOException"
+
++#define INVALID_NICKNAME_EXCEPTION "org/mozilla/jss/util/InvalidNicknameException"
++
+ #define INVALID_KEY_FORMAT_EXCEPTION "org/mozilla/jss/crypto/InvalidKeyFormatException"
+
+ #define INVALID_PARAMETER_EXCEPTION "java/security/InvalidParameterException"
+--
+2.5.0
+
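Review bot: In the new `Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative`, the `nickname == NULL` branch after `GetStringUTFChars` throws `INVALID_NICKNAME_EXCEPTION`, but a NULL from that JNI call means the JVM has already posted an OutOfMemoryError, so a second throw is made while an exception is pending (which JNI does not allow) and an allocation failure is reported as a missing nickname. That branch should only `goto finish;` and let the pending error propagate, with a comment such as `/* GetStringUTFChars failed: OOM already pending, do not throw again */`. Two smaller points in the same function: the buffer from `PR_smprintf` is documented to be released with `PR_smprintf_free`, not `PR_Free`, and `msgBuf` itself is not checked for NULL before being handed to `JSS_throwMsg`. The `isCertValid` wrapper in CryptoManager.java starts outside the hunk, so I cannot confirm whether `ObjectNotFoundException`/`InvalidNicknameException` are unrelated to `CertificateException`; if they are, the explicit rethrow multi-catch is redundant.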
diff --git a/debian/patches/jss-WindowsCompileFix.patch b/debian/patches/jss-WindowsCompileFix.patch
new file mode 100644
index 0000000..4dd4717
--- /dev/null
+++ b/debian/patches/jss-WindowsCompileFix.patch
@@ -0,0 +1,32 @@
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c.cfu 2015-04-23 13:25:45.104249135 -0700
++++ jss-4.2.6/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2015-04-23 13:39:29.958813779 -0700
+@@ -49,10 +49,12 @@
+
+ #ifdef WINNT
+ #include <private/pprio.h>
++#define AF_INET6 23
+ #endif
+
+ #ifdef WIN32
+ #include <winsock.h>
++#define AF_INET6 23
+ #endif
+
+
+@@ -66,6 +68,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_setSS
+ {
+ SECStatus status;
+ SSLVersionRange vrange;
++ SSLVersionRange supported_range;
+
+ if (ssl_variant <0 || ssl_variant >= JSSL_enums_size||
+ min <0 || min >= JSSL_enums_size ||
+@@ -80,7 +83,6 @@ Java_org_mozilla_jss_ssl_SSLSocket_setSS
+ vrange.max = JSSL_enums[max];
+
+ /* get supported range */
+- SSLVersionRange supported_range;
+ status = SSL_VersionRangeGetSupported(JSSL_enums[ssl_variant],
+ &supported_range);
+ if( status != SECSuccess ) {
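Review bot: Both added `#define AF_INET6 23` lines (under `WINNT` and again under `WIN32`) are unconditional, so any Windows build that also pulls in `winsock2.h`/`ws2def.h` — which already defines `AF_INET6` — gets a macro redefinition; it is identical here, so the standard tolerates it, but compilers warn and a future change of the value would turn it into an error. Guarding each with `#ifndef AF_INET6` / `#endif` avoids that and makes the fallback intent explicit. The hoisting of `SSLVersionRange supported_range;` to the declaration block is fine and needs no further change.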
diff --git a/debian/patches/jss-WindowsLoadLibrary.patch b/debian/patches/jss-WindowsLoadLibrary.patch
new file mode 100644
index 0000000..eb29e50
--- /dev/null
+++ b/debian/patches/jss-WindowsLoadLibrary.patch
@@ -0,0 +1,30 @@
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.cfu 2015-07-08 12:02:13.192000000 +0200
++++ jss-4.2.6/security/jss/org/mozilla/jss/CryptoManager.java 2015-07-08 12:04:56.213000000 +0200
+@@ -1404,17 +1404,23 @@ public final class CryptoManager impleme
+ synchronized static void loadNativeLibraries()
+ {
+ if( ! mNativeLibrariesLoaded ) {
+- try {
++ try { // 64 bit rhel/fedora
+ System.load( "/usr/lib64/jss/libjss4.so" );
+ Debug.trace(Debug.VERBOSE, "jss library loaded");
+ mNativeLibrariesLoaded = true;
+ } catch( UnsatisfiedLinkError e ) {
+- try {
++ try { // 32 bit rhel/fedora
+ System.load( "/usr/lib/jss/libjss4.so" );
+ Debug.trace(Debug.VERBOSE, "jss library loaded");
+ mNativeLibrariesLoaded = true;
+ } catch( UnsatisfiedLinkError f ) {
+- Debug.trace(Debug.VERBOSE, "jss library load failed");
++ try {// possibly other platforms
++ System.loadLibrary( "jss4" );
++ Debug.trace(Debug.VERBOSE, "jss library loaded");
++ mNativeLibrariesLoaded = true;
++ } catch( UnsatisfiedLinkError g ) {
++ Debug.trace(Debug.VERBOSE, "jss library load failed");
++ }
+ }
+ }
+ }
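Review bot: The new third fallback `System.loadLibrary( "jss4" )` resolves the native library through `java.library.path` rather than a fixed absolute path like the two attempts before it, and on Debian (where the library is not under `/usr/lib64/jss` or `/usr/lib/jss`) this is presumably the branch that actually loads; a comment stating that, e.g. `// resolved via java.library.path; packaging must set it to the installed jss location`, would document the dependency on the deployment's search path, which matters for a library that holds key material. The innermost `catch( UnsatisfiedLinkError g )` discards the error text, so all three failed attempts collapse into the same "jss library load failed" trace; including `g.getMessage()` in that trace would keep the diagnostic without changing the swallow-and-continue behavior the method already had. The closing brace of `loadNativeLibraries` lies outside the hunk.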
diff --git a/debian/patches/jss-crmf-envelopedData.patch b/debian/patches/jss-crmf-envelopedData.patch
new file mode 100644
index 0000000..1f3e138
--- /dev/null
+++ b/debian/patches/jss-crmf-envelopedData.patch
@@ -0,0 +1,33 @@
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java.roysjosh jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java.roysjosh 2016-06-24 14:51:48.929122053 -0700
++++ jss-4.2.6/security/jss/org/mozilla/jss/pkix/crmf/EncryptedKey.java 2016-06-24 14:52:29.487027005 -0700
+@@ -127,7 +127,8 @@ public class EncryptedKey implements ASN
+ } else {
+ Assert._assert(type == ENVELOPED_DATA);
+ Assert._assert(envelopedData != null);
+- envelopedData.encode(implicitTag, ostream);
++ EXPLICIT explicit = new EXPLICIT( new Tag(0), envelopedData );
++ explicit.encode(tag, ostream);
+ }
+ }
+
+@@ -147,7 +148,9 @@ public class EncryptedKey implements ASN
+ choicet = new CHOICE.Template();
+
+ choicet.addElement( EncryptedValue.getTemplate() );
+- choicet.addElement( new Tag(0), ANY.getTemplate() );
++ choicet.addElement( new EXPLICIT.Template(
++ new Tag(0),
++ ANY.getTemplate() ));
+ }
+
+ public boolean tagMatch(Tag tag) {
+@@ -164,7 +167,7 @@ public class EncryptedKey implements ASN
+ return new EncryptedKey( (EncryptedValue) choice.getValue() );
+ } else {
+ Assert._assert( choice.getTag().equals(new Tag(0)) );
+- return new EncryptedKey( (ANY) choice.getValue() );
++ return new EncryptedKey( (ANY) ((EXPLICIT) choice.getValue()).getContent() );
+ }
+
+ } catch(InvalidBERException e) {
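Review bot: At `explicit.encode(tag, ostream);` the ENVELOPED_DATA branch no longer uses the `implicitTag` argument that the removed line passed through, and the `tag` it passes instead is declared outside the hunk, so I cannot confirm it is the class's fixed tag; if dropping the caller's implicit tag is intentional (the `[0]` explicit tag is the CHOICE discriminator and cannot be overridden), that deserves a comment on the line, e.g. `// [0] is the explicit CHOICE tag; an outer implicitTag cannot apply to this alternative`. Because this switches the wire encoding of the envelopedData alternative from implicit to explicit tagging, peers that still emit or expect the implicit form will fail to interoperate, and the patch file carries no header saying which specification or peer motivated the change — a DEP-3 `Description:`/`Origin:` block would record that. The decode side consistently unwraps `EXPLICIT` before the `ANY` cast, so the template and decoder agree with each other.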
diff --git a/debian/patches/jss-lunasaUnwrap.patch b/debian/patches/jss-lunasaUnwrap.patch
new file mode 100644
index 0000000..41f6c0f
--- /dev/null
+++ b/debian/patches/jss-lunasaUnwrap.patch
@@ -0,0 +1,12 @@
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2016-04-28 16:50:06.000000000 -0700
++++ jss-4.2.6/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2016-04-28 16:50:00.000000000 -0700
+@@ -434,7 +434,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+ isSensitive = PR_FALSE;
+ isExtractable = PR_FALSE;
+ } else if ( isLunasa) {
+- isSensitive = PR_FALSE;
++ isSensitive = PR_TRUE;
+ isExtractable = PR_TRUE;
+ }
+
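Review bot: The flip of `isSensitive` to `PR_TRUE` in the `isLunasa` branch has no comment explaining why a Lunasa-unwrapped key must be marked sensitive while remaining extractable, and the patch file itself has no description header, so the next reader has nothing to stop them reverting it as a typo. A one-line comment on the branch, e.g. `/* Lunasa: unwrapped key must be CKA_SENSITIVE (no plaintext export); still wrappable via CKA_EXTRACTABLE */`, plus a DEP-3 `Description:` in the patch, would record the reason; I am inferring the intent from the attribute names, so please confirm against the HSM's documented behavior. The enclosing function starts and ends outside the hunk.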
diff --git a/debian/patches/jss-symkey-enhancements.patch b/debian/patches/jss-symkey-enhancements.patch
new file mode 100644
index 0000000..fe14e11
--- /dev/null
+++ b/debian/patches/jss-symkey-enhancements.patch
@@ -0,0 +1,1814 @@
+--- a/security/jss/build_java.pl
++++ b/security/jss/build_java.pl
+@@ -31,7 +31,8 @@ org.mozilla.jss.pkcs11.PK11MessageDigest
+ org.mozilla.jss.pkcs11.PK11PrivKey
+ org.mozilla.jss.pkcs11.PK11PubKey
+ org.mozilla.jss.pkcs11.PK11SymKey
+-org.mozilla.jss.pkcs11.PK11KeyPairGenerator
++org.mozilla.jss.pkcs11.PK11KeyPairGenerator
++org.mozilla.jss.pkcs11.PK11SymmetricKeyDeriver
+ org.mozilla.jss.pkcs11.PK11KeyGenerator
+ org.mozilla.jss.pkcs11.PK11Token
+ org.mozilla.jss.pkcs11.PrivateKeyProxy
+--- a/security/jss/lib/jss.def
++++ b/security/jss/lib/jss.def
+@@ -158,6 +158,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de
+ Java_org_mozilla_jss_pkcs11_PK11Store_importPrivateKey;
+ Java_org_mozilla_jss_pkcs11_PK11Store_putCertsInVector;
+ Java_org_mozilla_jss_pkcs11_PK11Store_putKeysInVector;
++Java_org_mozilla_jss_pkcs11_PK11Store_putSymKeysInVector;
+ Java_org_mozilla_jss_pkcs11_SigContextProxy_releaseNativeResources;
+ Java_org_mozilla_jss_pkcs11_PK11RSAPublicKey_getModulusByteArray;
+ Java_org_mozilla_jss_pkcs11_PK11RSAPublicKey_getPublicExponentByteArray;
+@@ -335,6 +336,8 @@ Java_org_mozilla_jss_CryptoManager_verif
+ Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid;
+ Java_org_mozilla_jss_ssl_SocketBase_setSSLVersionRange;
+ Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault;
++Java_org_mozilla_jss_pkcs11_PK11SymmetricKeyDeriver_nativeDeriveSymKey;
++Java_org_mozilla_jss_pkcs11_PK11SymKey_setNickNameNative;
+ ;+ local:
+ ;+ *;
+ ;+};
+--- a/security/jss/org/mozilla/jss/crypto/Algorithm.c
++++ b/security/jss/org/mozilla/jss/crypto/Algorithm.c
+@@ -117,6 +117,8 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
+ /* 54 */ {SEC_OID_PKCS5_PBKDF2, SEC_OID_TAG},
+ /* 55 */ {SEC_OID_PKCS5_PBES2, SEC_OID_TAG},
+ /* 56 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG},
++/* 57 */ {SEC_OID_HMAC_SHA1,SEC_OID_TAG},
++/* 58 */ {SEC_OID_HMAC_SHA224,SEC_OID_TAG},
+ /* REMEMBER TO UPDATE NUM_ALGS!!! */
+ };
+
+--- a/security/jss/org/mozilla/jss/crypto/Algorithm.h
++++ b/security/jss/org/mozilla/jss/crypto/Algorithm.h
+@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
+ JSS_AlgType type;
+ } JSS_AlgInfo;
+
+-#define NUM_ALGS 57
++#define NUM_ALGS 58
+
+ extern JSS_AlgInfo JSS_AlgTable[];
+ extern CK_ULONG JSS_symkeyUsage[];
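Review bot: `#define NUM_ALGS 58` is one short: the Algorithm.c hunk appends entries `/* 57 */` and `/* 58 */` to a table whose last existing index was 56, so JSS_AlgTable now has 59 initializers, and the matching `SEC_OID_HMAC_SHA224=58` added in Algorithm.java indexes past a 58-element array. Depending on the compiler this is an excess-initializer diagnostic or, where lookups are bounds-checked against NUM_ALGS, HMAC SHA-224 is rejected at runtime as an unknown algorithm. The line should be `#define NUM_ALGS 59`; the `/* REMEMBER TO UPDATE NUM_ALGS!!! */` comment in Algorithm.c is exactly the reminder this missed.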
+--- a/security/jss/org/mozilla/jss/crypto/Algorithm.java
++++ b/security/jss/org/mozilla/jss/crypto/Algorithm.java
+@@ -240,5 +240,6 @@ public class Algorithm {
+ protected static final short SEC_OID_PKCS5_PBKDF2=54;
+ protected static final short SEC_OID_PKCS5_PBES2=55;
+ protected static final short SEC_OID_PKCS5_PBMAC1=56;
+-
++ protected static final short SEC_OID_HMAC_SHA1=57;
++ protected static final short SEC_OID_HMAC_SHA224=58;
+ }
+--- a/security/jss/org/mozilla/jss/crypto/CryptoStore.java
++++ b/security/jss/org/mozilla/jss/crypto/CryptoStore.java
+@@ -75,6 +75,18 @@ public interface CryptoStore {
+ getPrivateKeys() throws TokenException;
+
+ /**
++ * Returns all symmetric keys stored on this token.
++ *
++ * @return An array of all symmetric keys stored on this token.
++ * @exception TokenException If an error occurs on the token while
++ * gathering the keys.
++ */
++ public SymmetricKey[]
++ getSymmetricKeys() throws TokenException;
++
++
++
++ /**
+ * Deletes the given PrivateKey from the CryptoToken.
+ * This is a very dangerous call: it deletes the key from the underlying
+ * token. After calling this, the PrivateKey passed in must no longer
+--- a/security/jss/org/mozilla/jss/crypto/CryptoToken.java
++++ b/security/jss/org/mozilla/jss/crypto/CryptoToken.java
+@@ -92,6 +92,9 @@ public interface CryptoToken {
+ getCipherContext(EncryptionAlgorithm algorithm)
+ throws java.security.NoSuchAlgorithmException, TokenException;
+
++ public abstract SymmetricKeyDeriver getSymmetricKeyDeriver()
++ throws TokenException;
++
+ public abstract KeyWrapper
+ getKeyWrapper(KeyWrapAlgorithm algorithm)
+ throws java.security.NoSuchAlgorithmException, TokenException;
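Review bot: `getSymmetricKeyDeriver()` is added without Javadoc, unlike the neighbouring `getCipherContext`/`getKeyWrapper` declarations, and the same applies to `getNickName()`/`setNickName(String)` in the SymmetricKey.java hunk of this patch. A one-line summary such as `/** Returns a SymmetricKeyDeriver bound to this token; see {@link SymmetricKeyDeriver#initDerive}. @exception TokenException if the token cannot provide one. */` keeps the interface consistent. For the nickname accessors, state whether the nickname is persisted on the token (the `setNickNameNative` export in jss.def suggests it is, confirm in PK11SymKey).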
+--- a/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java
++++ b/security/jss/org/mozilla/jss/crypto/HMACAlgorithm.java
+@@ -86,6 +86,10 @@ public class HMACAlgorithm extends Diges
+ (CKM_SHA_1_HMAC, "SHA-1-HMAC",
+ OBJECT_IDENTIFIER.ALGORITHM.subBranch(26), 20);
+
++ public static final HMACAlgorithm SHA224 = new HMACAlgorithm
++ (SEC_OID_HMAC_SHA224, "SHA-224-HMAC",
++ OBJECT_IDENTIFIER.RSADSI.subBranch(8), 28);
++
+ public static final HMACAlgorithm SHA256 = new HMACAlgorithm
+ (SEC_OID_HMAC_SHA256, "SHA-256-HMAC",
+ OBJECT_IDENTIFIER.RSA_DIGEST.subBranch(9), 32);
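Review bot: The new SHA224 entry builds its OID from `OBJECT_IDENTIFIER.RSADSI.subBranch(8)`, while the adjacent SHA256 entry uses `OBJECT_IDENTIFIER.RSA_DIGEST.subBranch(9)`; hmacWithSHA224 lives under the same digestAlgorithm arc as hmacWithSHA256, so the parent branch looks wrong. Change it to `OBJECT_IDENTIFIER.RSA_DIGEST.subBranch(8), 28);` to match its siblings. A wrong identifier would make SHA-224 HMAC silently fail to interoperate with any peer that matches algorithms by OID.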
+--- a/security/jss/org/mozilla/jss/crypto/KeyWrapper.java
++++ b/security/jss/org/mozilla/jss/crypto/KeyWrapper.java
+@@ -133,4 +133,21 @@ public interface KeyWrapper {
+ throws TokenException, IllegalStateException,
+ InvalidAlgorithmParameterException;
+
++ public SymmetricKey unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
++ SymmetricKey.Usage usage, int keyLength)
++ throws TokenException, IllegalStateException,
++ InvalidAlgorithmParameterException;
++
++ /**
++ * Unwraps a key and allows it to be used for all operations.
++ * @param keyLength The expected length of the key in bytes. This is
++ * only used for variable-length keys (RC4) and non-padding
++ * algorithms. Otherwise, it can be set to anything(like 0).
++ */
++ public SymmetricKey unwrapSymmetricPerm(byte[] wrapped, SymmetricKey.Type type,
++ int keyLength)
++ throws TokenException, IllegalStateException,
++ InvalidAlgorithmParameterException;
++
++
+ }
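Review bot: The first `unwrapSymmetricPerm` overload (the one taking `usage`) has no Javadoc, and the second's summary, "Unwraps a key and allows it to be used for all operations", never says what distinguishes it from `unwrapSymmetric`. The name suggests the unwrapped key is created as a permanent token object that outlives the session and must be explicitly deleted; that property matters to callers managing key material and should be stated on both overloads, e.g. `* Like unwrapSymmetric, but the resulting key is a persistent token object rather than a session key (confirm against the PK11KeyWrapper implementation).` Add `@param usage` on the first overload as well.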
+--- /dev/null
++++ b/security/jss/org/mozilla/jss/crypto/SymmetricKeyDeriver.java
+@@ -0,0 +1,79 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 1998-2000
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++
++package org.mozilla.jss.crypto;
++
++import java.security.spec.AlgorithmParameterSpec;
++import java.security.InvalidAlgorithmParameterException;
++import java.security.PublicKey;
++import java.security.InvalidKeyException;
++
++public interface SymmetricKeyDeriver {
++
++ /* Use with the encrypt type mechanisms
++ Example: initDerive(
++ symKey, (PKCS11Constants.CKM_DES3_ECB_ENCRYPT_DATA) 4354L, derivationData, null,
++ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE, 16);
++ */
++
++ public abstract void initDerive(SymmetricKey baseKey,
++ long deriveMech, byte[] param, byte[] iv, long targetMech, long operation, long keySize)
++ throws InvalidKeyException;
++
++
++
++ /* Use with key extraction and key concatanation mechanisms
++
++ Example:
++ param: byte array that has the bit position of where to extract
++ initDerive(
++ derivedKey, PKCS11Constants.CKM_EXTRACT_KEY_FROM_KEY,param,null,
++ PKCS11Constants.CKA_ENCRYPT, PKCS11Constants.CKA_DERIVE,8);
++
++
++ initDerive(
++ baseSymKey,secondarySymKey, PKCS11Constants.CKM_CONCATENATE_BASE_AND_KEY,null,null,
++ PKCS11Constants.CKM_DES3_ECB, PKCS11Constants.CKA_DERIVE,0);
++
++ */
++
++ public abstract void initDerive(SymmetricKey baseKey,
++ SymmetricKey secondaryKey, long deriveMech, byte[] param, byte[] iv, long targetMech, long operation, long keySize)
++ throws InvalidKeyException;
++
++ public abstract SymmetricKey derive()
++ throws TokenException;
++}
+--- a/security/jss/org/mozilla/jss/crypto/SymmetricKey.java
++++ b/security/jss/org/mozilla/jss/crypto/SymmetricKey.java
+@@ -71,6 +71,10 @@ public interface SymmetricKey {
+
+ String getFormat();
+
++ String getNickName();
++
++ void setNickName(String nickName);
++
+ public final static class Type {
+ // all names converted to lowercase for case insensitivity
+ private static Hashtable nameMap = new Hashtable();
+--- a/security/jss/org/mozilla/jss/pkcs11/manifest.mn
++++ b/security/jss/org/mozilla/jss/pkcs11/manifest.mn
+@@ -64,6 +64,7 @@ CSRCS = \
+ PK11Store.c \
+ PK11SymKey.c \
+ PK11Token.c \
++ PK11SymmetricKeyDeriver.c \
+ $(NULL)
+
+
+--- a/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
++++ b/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+@@ -519,7 +519,7 @@ JNIEXPORT jobject JNICALL
+ Java_org_mozilla_jss_pkcs11_PK11KeyWrapper_nativeUnwrapSymWithSym
+ (JNIEnv *env, jclass clazz, jobject tokenObj, jobject unwrapperObj,
+ jbyteArray wrappedBA, jobject wrapAlgObj, jobject typeAlgObj,
+- jint keyLen, jbyteArray ivBA, jint usageEnum)
++ jint keyLen, jbyteArray ivBA, jint usageEnum,jboolean temporary)
+ {