[jss] - bug 654657 - <jdennis at redhat.com> Incorrect socket accept error message due to bad pointer arith
kwright
kwright at fedoraproject.org
Thu Jan 6 00:34:59 UTC 2011
commit 8f6d73325cd69361b302c6498fc8960b1d7910e9
Author: Kevin Wright <kwright at redhat.com>
Date: Wed Jan 5 16:34:49 2011 -0800
- bug 654657 - <jdennis at redhat.com>
Incorrect socket accept error message due to bad pointer arithmetic
- bug 661142 - <cfu at redhat.com>
Verification should fail when a revoked certificate is added
clog | 4 +
jss-VerifyCertificateReturnCU.patch | 227 +++++++++++++++++++++++++++++++++++
jss.spec | 51 +++++----
3 files changed, 259 insertions(+), 23 deletions(-)
---
diff --git a/clog b/clog
new file mode 100644
index 0000000..3135651
--- /dev/null
+++ b/clog
@@ -0,0 +1,4 @@
+- bug 654657 - <jdennis at redhat.com>
+ Incorrect socket accept error message due to bad pointer arithmetic
+- bug 661142 - <cfu at redhat.com>
+ Verification should fail when a revoked certificate is added
diff --git a/jss-VerifyCertificateReturnCU.patch b/jss-VerifyCertificateReturnCU.patch
new file mode 100644
index 0000000..7d220ef
--- /dev/null
+++ b/jss-VerifyCertificateReturnCU.patch
@@ -0,0 +1,227 @@
+diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def
+--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-12-21 12:35:04.360044000 -0800
++++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-12-21 12:36:05.364105000 -0800
+@@ -332,6 +332,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG
+ Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative;
+ Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
+ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
+ ;+ local:
+ ;+ *;
+ ;+};
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-12-21 12:36:24.417124000 -0800
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-12-21 12:43:54.777575000 -0800
+@@ -157,6 +157,19 @@ public final class CryptoManager impleme
+ public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner");
+ public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder");
+ public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA");
++
++ /*
++ The folllowing usages cannot be verified:
++ certUsageAnyCA
++ certUsageProtectedObjectSigner
++ certUsageUserCertImport
++ certUsageVerifyCA
++ */
++ public static final int basicCertificateUsages = /*0x0b80;*/
++ certificateUsageUserCertImport |
++ certificateUsageVerifyCA |
++ certificateUsageProtectedObjectSigner |
++ certificateUsageAnyCA ;
+ }
+
+ public final static class NotInitializedException extends Exception {}
+@@ -1452,14 +1465,43 @@ public final class CryptoManager impleme
+ * against Now.
+ * @param nickname The nickname of the certificate to verify.
+ * @param checkSig verify the signature of the certificate
+- * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check
+- * @return true for success; false otherwise
++ * @return currCertificateUsage which contains current usage bit map as defined in CertificateUsage
+ *
+ * @exception InvalidNicknameException If the nickname is null
+ * @exception ObjectNotFoundException If no certificate could be found
+ * with the given nickname.
+ */
++ public int isCertValid(String nickname, boolean checkSig)
++ throws ObjectNotFoundException, InvalidNicknameException
++ {
++ if (nickname==null) {
++ throw new InvalidNicknameException("Nickname must be non-null");
++ }
++ int currCertificateUsage = 0x0000; // initialize it to 0
++ currCertificateUsage = verifyCertificateNowCUNative(nickname,
++ checkSig);
++ return currCertificateUsage;
++ }
++
++ private native int verifyCertificateNowCUNative(String nickname,
++ boolean checkSig) throws ObjectNotFoundException;
+
++ /////////////////////////////////////////////////////////////
++ // isCertValid
++ /////////////////////////////////////////////////////////////
++ /**
++ * Verify a certificate that exists in the given cert database,
++ * check if is valid and that we trust the issuer. Verify time
++ * against Now.
++ * @param nickname The nickname of the certificate to verify.
++ * @param checkSig verify the signature of the certificate
++ * @param certificateUsage see certificateUsage defined to verify Certificate; to retrieve current certificate usage, call the isCertValid() above
++ * @return true for success; false otherwise
++ *
++ * @exception InvalidNicknameException If the nickname is null
++ * @exception ObjectNotFoundException If no certificate could be found
++ * with the given nickname.
++ */
+ public boolean isCertValid(String nickname, boolean checkSig,
+ CertificateUsage certificateUsage)
+ throws ObjectNotFoundException, InvalidNicknameException
+@@ -1467,11 +1509,23 @@ public final class CryptoManager impleme
+ if (nickname==null) {
+ throw new InvalidNicknameException("Nickname must be non-null");
+ }
+- // 0 certificate usage was supposed to get current usage, however,
+- // it is not exposed at this point
+- return verifyCertificateNowNative(nickname,
+- checkSig,
+- (certificateUsage == null) ? 0:certificateUsage.getUsage());
++ // 0 certificate usage will get current usage
++ // should call isCertValid() call above that returns certificate usage
++ if ((certificateUsage == null) ||
++ (certificateUsage == CertificateUsage.CheckAllUsages)){
++ int currCertificateUsage = 0x0000;
++ currCertificateUsage = verifyCertificateNowCUNative(nickname,
++ checkSig);
++
++ if (currCertificateUsage == CertificateUsage.basicCertificateUsages){
++ // cert is good for nothing
++ return false;
++ } else
++ return true;
++ } else {
++ return verifyCertificateNowNative(nickname, checkSig,
++ certificateUsage.getUsage());
++ }
+ }
+
+ private native boolean verifyCertificateNowNative(String nickname,
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-12-21 12:36:29.023129000 -0800
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-12-21 16:03:34.599742000 -0800
+@@ -1574,18 +1574,16 @@ finish:
+ }
+ }
+
++
+ /***********************************************************************
+- * CryptoManager.verifyCertificateNowNative
+- *
+- * Returns JNI_TRUE if success, JNI_FALSE otherwise
++ * CryptoManager.verifyCertificateNow
+ */
+-JNIEXPORT jboolean JNICALL
+-Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
+- jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
++SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString,
++ jboolean checkSig, jint required_certificateUsage,
++ SECCertificateUsage *currUsage)
+ {
+ SECStatus rv = SECFailure;
+ SECCertificateUsage certificateUsage;
+- SECCertificateUsage currUsage; /* unexposed for now */
+ CERTCertificate *cert=NULL;
+ char *nickname=NULL;
+
+@@ -1602,12 +1600,28 @@ Java_org_mozilla_jss_CryptoManager_verif
+ JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
+ goto finish;
+ } else {
+- /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
+- * just get the current usage (which we are not passing back for now
+- * but will bypass the certificate usage check
++ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
++ * retrieve the current valid usage into currUsage
+ */
+ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
+- checkSig, certificateUsage, NULL, &currUsage );
++ checkSig, certificateUsage, NULL, currUsage );
++ if ((rv == SECSuccess) && certificateUsage == 0x0000) {
++ if (*currUsage ==
++ ( certUsageUserCertImport |
++ certUsageVerifyCA |
++ certUsageProtectedObjectSigner |
++ certUsageAnyCA )) {
++
++ /* the cert is good for nothing
++ The folllowing usages cannot be verified:
++ certUsageAnyCA
++ certUsageProtectedObjectSigner
++ certUsageUserCertImport
++ certUsageVerifyCA
++ (0x0b80) */
++ rv =SECFailure;
++ }
++ }
+ }
+
+ finish:
+@@ -1617,6 +1631,49 @@ finish:
+ if(cert != NULL) {
+ CERT_DestroyCertificate(cert);
+ }
++
++ return rv;
++}
++
++/***********************************************************************
++ * CryptoManager.verifyCertificateNowCUNative
++ *
++ * Returns jint which contains bits in SECCertificateUsage that reflects
++ * the cert usage(s) that the cert is good for
++ * if the cert is good for nothing, returned value is
++ * (0x0b80):
++ * certUsageUserCertImport |
++ * certUsageVerifyCA |
++ * certUsageProtectedObjectSigner |
++ * certUsageAnyCA
++ */
++JNIEXPORT jint JNICALL
++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
++ jobject self, jstring nickString, jboolean checkSig)
++{
++ SECStatus rv = SECFailure;
++ SECCertificateUsage currUsage = 0x0000;
++
++ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);
++ /* rv is ignored */
++
++ return currUsage;
++}
++
++/***********************************************************************
++ * CryptoManager.verifyCertificateNowNative
++ *
++ * Returns JNI_TRUE if success, JNI_FALSE otherwise
++ */
++JNIEXPORT jboolean JNICALL
++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
++ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage)
++{
++ SECStatus rv = SECFailure;
++ SECCertificateUsage currUsage = 0x0000;
++
++ rv = verifyCertificateNow(env, self, nickString, checkSig, required_certificateUsage, &currUsage);
++
+ if( rv == SECSuccess) {
+ return JNI_TRUE;
+ } else {
+@@ -1624,7 +1681,6 @@ finish:
+ }
+ }
+
+-
+ /***********************************************************************
+ * CryptoManager.verifyCertNowNative
+ * note: this calls obsolete NSS function
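Review bot: In the CryptoManager.java part of this patch, the null/CheckAllUsages branch of `isCertValid(nickname, checkSig, certificateUsage)` returns true for every bitmap except the exact value `basicCertificateUsages`, while `verifyCertificateNowCUNative` in PK11Finder.c discards `rv` and starts `currUsage` at 0, so a verification failure that leaves the bitmap at 0 or at any other value is reported as a valid certificate. Failing closed would be safer, for example `return (currCertificateUsage & ~CertificateUsage.basicCertificateUsages) != 0;`, which requires at least one verifiable usage bit to be set. Separately, the comparison added to `verifyCertificateNow` ORs the `certUsage*` names, which in NSS's certt.h appear to be the SECCertUsage enum ordinals rather than the `certificateUsage*` bit flags, so the result is unlikely to equal the 0x0b80 that its own comment cites; the `certificateUsage*` constants look like the intended ones. The new public `int isCertValid(nickname, checkSig)` has the same problem for its callers, since it returns the bitmap with no failure signal, and its Javadoc should state that 0 and 0x0b80 both mean "no verified usage". Part of `verifyCertificateNow`'s body lies outside the inner hunks, so its early-exit paths could not be checked here.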
diff --git a/jss.spec b/jss.spec
index f2b1785..10fedb9 100644
--- a/jss.spec
+++ b/jss.spec
@@ -1,6 +1,6 @@
Name: jss
Version: 4.2.6
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: Java Security Services (JSS)
Group: System Environment/Libraries
@@ -31,6 +31,7 @@ Patch6: jss-ocspSettings.patch
Patch7: jss-ECC_keygen_byCurveName.patch
Patch8: jss-VerifyCertificate.patch
Patch9: jss-bad-error-string-pointer.patch
+Patch10: jss-VerifyCertificateReturnCU.patch
%description
@@ -153,35 +154,39 @@ rm -rf $RPM_BUILD_ROOT
%changelog
-* Thu Dec 16 2010 John Dennis <jdennis at redhat.com> - 4.2.6-10
-- move jar location to %%{_libdir}/jss and provide symlinks, on 32bit looks like this:
- /usr/lib/java/jss4.jar -> /usr/lib/jss/jss4.jar
- /usr/lib/jss/jss4-<version>.jar
- /usr/lib/jss/jss4.jar -> jss4-<version>.jar
- /usr/lib/jss/libjss4.so
-
-* Mon Dec 6 2010 John Dennis <jdennis at redhat.com> - 4.2.6-9
-- Resolves: bug 654657 - <jdennis at redhat.com>
+* Tue Dec 21 2010 Christina Fu <cfu at redhat.com> - 4.2.6-11
+- bug 654657 - <jdennis at redhat.com>
Incorrect socket accept error message due to bad pointer arithmetic
+- bug 661142 - <cfu at redhat.com>
+ Verification should fail when a revoked certificate is added
-* Mon Nov 1 2010 Christina Fu <cfu at redhat.com> 4.2.6-8
-- Resolves: bug 647364 - <cfu at redhat.com>
+* Thu Dec 16 2010 John Dennis <jdennis at redhat.com> - 4.2.6-10
+- Resolves: bug 656094 - <jdennis at redhat.com>
+ Rebase jss to at least jss-4.2.6-9
+- <jdennis at redhat.com>
+ merge in updates from Fedora
+ move jar location to %%{_libdir}/jss and provide symlinks, on 32bit looks like this:
+ /usr/lib/java/jss4.jar -> /usr/lib/jss/jss4.jar
+ /usr/lib/jss/jss4-<version>.jar
+ /usr/lib/jss/jss4.jar -> jss4-<version>.jar
+ /usr/lib/jss/libjss4.so
+- bug 654657 - <jdennis at redhat.com>
+ Incorrect socket accept error message due to bad pointer arithmetic
+- bug 647364 - <cfu at redhat.com>
Expose updated certificate verification function in JSS
-
-* Wed Oct 20 2010 Christina Fu <cfu at redhat.com> 4.2.6-7
-- Resolves: bug 529945 - <cfu at redhat.com>
+- bug 529945 - <cfu at redhat.com>
expose NSS calls for OCSP settings
-- Resolves: bug 638833 - <cfu at redhat.com>
+- bug 638833 - <cfu at redhat.com>
rfe ecc - add ec curve name support in JSS and CS
-
-* Wed Jan 13 2010 Rob Crittenden <rcritten at redhat.com> 4.2.6-6
-- Need to explicitly catch UnsatisfiedLinkError exception for System.load()
-
-* Thu Jan 7 2010 Rob Crittenden <rcritten at redhat.com> 4.2.6-5
-- Resolves: bug 533304 - <rcritten at redhat.com>
+- <rcritten at redhat.com>
+ Need to explicitly catch UnsatisfiedLinkError exception for System.load()
+- bug 533304 - <rcritten at redhat.com>
Move location of libjss4.so to subdirectory and use System.load() to
load it instead of System.loadLibrary() for Fedora packaging compliance
+* Mon Nov 30 2009 Dennis Gregorovic <dgregor at redhat.com> - 4.2.6-4.1
+- Rebuilt for RHEL 6
+
* Fri Jul 31 2009 Rob Crittenden <rcritten at redhat.com> 4.2.6-4
- Resolves: bug 224688 - <cfu at redhat.com>
Support ECC POP on the server
@@ -208,7 +213,7 @@ rm -rf $RPM_BUILD_ROOT
* Wed Feb 25 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 4.2.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
-
+
* Tue Aug 5 2008 Tom "spot" Callaway <tcallawa at redhat.com> - 4.2.5-3
- fix license tag