[jss/f14/master] - Bugzilla Bug # 647364 - Expose updated certificate verification function in JSS
kwright
kwright at fedoraproject.org
Tue Nov 2 22:50:20 UTC 2010
commit 2ebfc0be3544f6d02951ed7e132d06f0bb9e1805
Author: Kevin Wright <kwright at redhat.com>
Date: Tue Nov 2 15:50:14 2010 -0700
- Bugzilla Bug # 647364 - Expose updated certificate verification function in JSS
jss-VerifyCertificate.patch | 220 +++++++++++++++++++++++++++++++++++++++++++
jss.spec | 7 +-
2 files changed, 226 insertions(+), 1 deletions(-)
---
diff --git a/jss-VerifyCertificate.patch b/jss-VerifyCertificate.patch
new file mode 100644
index 0000000..a017b77
--- /dev/null
+++ b/jss-VerifyCertificate.patch
@@ -0,0 +1,220 @@
+diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
+--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-10-20 09:53:10.288935000 -0700
++++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-10-29 10:29:48.664212000 -0700
+@@ -331,6 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
+ Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags;
+ Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
+ Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
+ ;+ local:
+ ;+ *;
+ ;+};
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-10-28 16:44:46.366082000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-10-31 17:30:25.502670000 -0700
+@@ -61,6 +61,7 @@ import org.mozilla.jss.provider.java.sec
+ public final class CryptoManager implements TokenSupplier
+ {
+ /**
++ * note: this is obsolete in NSS
+ * CertUsage options for validation
+ */
+ public final static class CertUsage {
+@@ -86,8 +87,6 @@ public final class CryptoManager impleme
+ return name;
+ }
+
+-
+-
+ // certUsage, these must be kept in sync with nss/lib/certdb/certt.h
+ public static final CertUsage SSLClient = new CertUsage(0, "SSLClient");
+ public static final CertUsage SSLServer = new CertUsage(1, "SSLServer");
+@@ -103,6 +102,63 @@ public final class CryptoManager impleme
+ public static final CertUsage AnyCA = new CertUsage(11, "AnyCA");
+ }
+
++ /**
++ * CertificateUsage options for validation
++ */
++ public final static class CertificateUsage {
++ private int usage;
++ private String name;
++
++ // certificateUsage, these must be kept in sync with nss/lib/certdb/certt.h
++ private static final int certificateUsageCheckAllUsages = 0x0000;
++ private static final int certificateUsageSSLClient = 0x0001;
++ private static final int certificateUsageSSLServer = 0x0002;
++ private static final int certificateUsageSSLServerWithStepUp = 0x0004;
++ private static final int certificateUsageSSLCA = 0x0008;
++ private static final int certificateUsageEmailSigner = 0x0010;
++ private static final int certificateUsageEmailRecipient = 0x0020;
++ private static final int certificateUsageObjectSigner = 0x0040;
++ private static final int certificateUsageUserCertImport = 0x0080;
++ private static final int certificateUsageVerifyCA = 0x0100;
++ private static final int certificateUsageProtectedObjectSigner = 0x0200;
++ private static final int certificateUsageStatusResponder = 0x0400;
++ private static final int certificateUsageAnyCA = 0x0800;
++
++ static private ArrayList list = new ArrayList();
++ private CertificateUsage() {};
++ private CertificateUsage(int usage, String name) {
++ this.usage = usage;
++ this.name = name;
++ this.list.add(this);
++
++ }
++ public int getUsage() {
++ return usage;
++ }
++
++ static public Iterator getCertificateUsages() {
++ return list.iterator();
++
++ }
++ public String toString() {
++ return name;
++ }
++
++ public static final CertificateUsage CheckAllUsages = new CertificateUsage(certificateUsageCheckAllUsages, "CheckAllUsages");
++ public static final CertificateUsage SSLClient = new CertificateUsage(certificateUsageSSLClient, "SSLClient");
++ public static final CertificateUsage SSLServer = new CertificateUsage(certificateUsageSSLServer, "SSLServer");
++ public static final CertificateUsage SSLServerWithStepUp = new CertificateUsage(certificateUsageSSLServerWithStepUp, "SSLServerWithStepUp");
++ public static final CertificateUsage SSLCA = new CertificateUsage(certificateUsageSSLCA, "SSLCA");
++ public static final CertificateUsage EmailSigner = new CertificateUsage(certificateUsageEmailSigner, "EmailSigner");
++ public static final CertificateUsage EmailRecipient = new CertificateUsage(certificateUsageEmailRecipient, "EmailRecipient");
++ public static final CertificateUsage ObjectSigner = new CertificateUsage(certificateUsageObjectSigner, "ObjectSigner");
++ public static final CertificateUsage UserCertImport = new CertificateUsage(certificateUsageUserCertImport, "UserCertImport");
++ public static final CertificateUsage VerifyCA = new CertificateUsage(certificateUsageVerifyCA, "VerifyCA");
++ public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
++ public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
++ public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
++ }
++
+ public final static class NotInitializedException extends Exception {}
+ public final static class NicknameConflictException extends Exception {}
+ public final static class UserCertConflictException extends Exception {}
+@@ -1386,6 +1442,7 @@ public final class CryptoManager impleme
+ }
+ return tok;
+ }
++
+ /////////////////////////////////////////////////////////////
+ // isCertValid
+ /////////////////////////////////////////////////////////////
+@@ -1395,6 +1452,39 @@ public final class CryptoManager impleme
+ * against Now.
+ * @param nickname The nickname of the certificate to verify.
+ * @param checkSig verify the signature of the certificate
++ * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
++ * @return true for success; false otherwise
++ *
++ * @exception InvalidNicknameException If the nickname is null
++ * @exception ObjectNotFoundException If no certificate could be found
++ * with the given nickname.
++ */
++
++ public boolean isCertValid(String nickname, boolean checkSig,
++ CertificateUsage certificateUsage)
++ throws ObjectNotFoundException, InvalidNicknameException
++ {
++ if (nickname==null) {
++ throw new InvalidNicknameException("Nickname must be non-null");
++ }
++ // 0 certificate usage was supposed to get current usage, however,
++ // it is not exposed at this point
++ return verifyCertificateNowNative(nickname,
++ checkSig,
++ (certificateUsage == null) ? 0:certificateUsage.getUsage());
++ }
++
++ private native boolean verifyCertificateNowNative(String nickname,
++ boolean checkSig, int certificateUsage) throws ObjectNotFoundException;
++
++ /**
++ * note: this method calls obsolete function in NSS
++ *
++ * Verify a certificate that exists in the given cert database,
++ * check if is valid and that we trust the issuer. Verify time
++ * against Now.
++ * @param nickname The nickname of the certificate to verify.
++ * @param checkSig verify the signature of the certificate
+ * @param certUsage see exposed certUsage defines to verify Certificate
+ * @return true for success; false otherwise
+ *
+@@ -1413,6 +1503,9 @@ public final class CryptoManager impleme
+ return verifyCertNowNative(nickname, checkSig, certUsage.getUsage());
+ }
+
++ /*
++ * Obsolete in NSS
++ */
+ private native boolean verifyCertNowNative(String nickname,
+ boolean checkSig, int cUsage) throws ObjectNotFoundException;
+
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-10-28 16:45:46.501899000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-10-31 17:25:53.575482000 -0700
+@@ -1575,11 +1575,62 @@ finish:
+ }
+
+ /***********************************************************************
+- * CryptoManager.verifyCertNowNative
++ * CryptoManager.verifyCertificateNowNative
+ *
+ * Returns JNI_TRUE if success, JNI_FALSE otherwise
+ */
+ JNIEXPORT jboolean JNICALL
++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
++ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
++{
++ SECStatus rv = SECFailure;
++ SECCertificateUsage certificateUsage;
++ SECCertificateUsage currUsage; /* unexposed for now */
++ CERTCertificate *cert=NULL;
++ char *nickname=NULL;
++
++ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
++ if( nickname == NULL ) {
++ goto finish;
++ }
++
++ certificateUsage = required_certificateUsage;
++
++ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
++
++ if (cert == NULL) {
++ JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
++ goto finish;
++ } else {
++ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
++ * just get the current usage (which we are not passing back for now
++ * but will bypass the certificate usage check
++ */
++ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
++ checkSig, certificateUsage, NULL, &currUsage );
++ }
++
++finish:
++ if(nickname != NULL) {
++ (*env)->ReleaseStringUTFChars(env, nickString, nickname);
++ }
++ if(cert != NULL) {
++ CERT_DestroyCertificate(cert);
++ }
++ if( rv == SECSuccess) {
++ return JNI_TRUE;
++ } else {
++ return JNI_FALSE;
++ }
++}
++
++
++/***********************************************************************
++ * CryptoManager.verifyCertNowNative
++ * note: this calls obsolete NSS function
++ * Returns JNI_TRUE if success, JNI_FALSE otherwise
++ */
++JNIEXPORT jboolean JNICALL
+ Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env,
+ jobject self, jstring nickString, jboolean checkSig, jint cUsage)
+ {
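Review bot: In the new `isCertValid(String, boolean, CertificateUsage)` overload a null `certificateUsage` is mapped to 0, which the native side's own comment describes as bypassing the certificate usage check, so the weakest form of verification is also the one reached by accident when a caller forgets the argument. Because `currUsage` is never returned to Java (the C code marks it "unexposed for now"), such a caller gets a bare true/false with no indication of which usage, if any, the certificate was actually validated for. I would make the bypass explicit rather than a default: `if (certificateUsage == null) { throw new IllegalArgumentException("certificateUsage must be non-null; pass CertificateUsage.CheckAllUsages to skip the usage check"); }` and drop the "null will bypass usage check" sentence from the `@param`. Separately, `verifyCertificateNowNative` collapses every failure to `JNI_FALSE`, so the NSS error reason is discarded; if that is intentional the Javadoc for the overload should say so, e.g. `@return true if NSS verified the certificate for the requested usage; false for any failure (reason not reported)`. The body of `verifyCertNowNative` at the end of this hunk continues outside it.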
diff --git a/jss.spec b/jss.spec
index 9390220..032e397 100644
--- a/jss.spec
+++ b/jss.spec
@@ -1,6 +1,6 @@
Name: jss
Version: 4.2.6
-Release: 7%{?dist}
+Release: 8%{?dist}
Summary: Java Security Services (JSS)
Group: System Environment/Libraries
@@ -29,6 +29,7 @@ Patch4: jss-ECC-pop.patch
Patch5: jss-loadlibrary.patch
Patch6: jss-ocspSettings.patch
Patch7: jss-ECC_keygen_byCurveName.patch
+Patch8: jss-VerifyCertificate.patch
%description
@@ -53,6 +54,7 @@ This package contains the API documentation for JSS.
%patch5 -p1
%patch6 -p1
%patch7 -p1
+%patch8 -p1
%build
[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
@@ -148,6 +150,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Mon Nov 1 2010 Christina Fu <cfu at redhat.com> 4.2.6-8
+- Bugzilla Bug # 647364 - Expose updated certificate verification function in JSS
+
* Wed Oct 20 2010 Christina Fu <cfu at redhat.com> 4.2.6-7
- Bugzilla Bug # 638833 - rfe ecc - add ec curve name support in JSS and CS
- Bugzilla Bug # 529945 - expose NSS calls for OCSP settings