[jss/f14] Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode and ECC algorithms (suppo

kwright kwright at fedoraproject.org
Wed Jul 20 23:03:51 UTC 2011


commit 4b688562053f98a2b2ea3e68faa16f8b2b486301
Author: Kevin Wright <kwright at redhat.com>
Date:   Wed Jul 20 16:03:41 2011 -0700

    Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode
    and ECC algorithms (support tokens that don't do ECDH)

 clog                      |    3 +-
 jss-ECC-HSM-FIPS.patch    |   62 ++++++++++++++++
 jss-slots-not-freed.patch |  169 ---------------------------------------------
 jss.spec                  |   16 ++++-
 4 files changed, 77 insertions(+), 173 deletions(-)
---
diff --git a/clog b/clog
index 6f583af..6903c7f 100644
--- a/clog
+++ b/clog
@@ -1 +1,2 @@
-- bug 676083 - JSS: slots not freed 
+Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode
+and ECC algorithms (support tokens that don't do ECDH)
diff --git a/jss-ECC-HSM-FIPS.patch b/jss-ECC-HSM-FIPS.patch
new file mode 100644
index 0000000..739c930
--- /dev/null
+++ b/jss-ECC-HSM-FIPS.patch
@@ -0,0 +1,62 @@
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.orig	2011-05-18 10:01:36.792151000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c	2011-05-18 10:06:07.483691000 -0700
+@@ -110,6 +110,7 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
+ /* 47 */    {SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE, SEC_OID_TAG},
+ /* 48 */    {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG},
+ /* 49 */    {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG},
++/* 50 */    {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
+ /* REMEMBER TO UPDATE NUM_ALGS!!! */
+ };
+ 
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.orig	2011-05-18 10:01:43.561164000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h	2011-05-18 10:06:07.489690000 -0700
+@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
+     JSS_AlgType type;
+ } JSS_AlgInfo;
+ 
+-#define NUM_ALGS 50
++#define NUM_ALGS 51
+ 
+ extern JSS_AlgInfo JSS_AlgTable[];
+ extern CK_ULONG JSS_symkeyUsage[];
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.orig	2011-05-18 10:01:51.232179000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java	2011-05-18 10:06:07.493690000 -0700
+@@ -232,5 +232,6 @@ public class Algorithm {
+     protected static final short SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47;
+     protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
+     protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
++    protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50;
+ 
+ }
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java.orig	2011-05-18 10:02:01.056198000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairAlgorithm.java	2011-05-18 13:46:33.452948000 -0700
+@@ -94,7 +94,12 @@ public class KeyPairAlgorithm extends Al
+     DSAFamily = new Algorithm(SEC_OID_ANSIX9_DSA_SIGNATURE, "DSA");
+ 
+     public static final Algorithm
+-    ECFamily = new Algorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY, "EC");
++
++//    To support both ECDSA and ECDH, it is best to provide two EC Families;
++//    However, since there is no token that does only CKM_DERIVE to
++//    date, we will just do ECDSA for now as it is sufficient enough today.
++//    This fix will support tokens that do not do ECDH
++    ECFamily = new Algorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, "EC");
+ 
+     public static final KeyPairAlgorithm
+     RSA = new KeyPairAlgorithm(CKM_RSA_PKCS_KEY_PAIR_GEN, "RSA", RSAFamily);
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java.orig	2011-05-18 10:02:10.696218000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/SignatureAlgorithm.java	2011-05-18 10:06:07.496691000 -0700
+@@ -124,7 +124,7 @@ public class SignatureAlgorithm extends 
+      * operates on its input, which should be a hash.
+      */
+     public static final SignatureAlgorithm
+-    ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_EC_PUBLIC_KEY, 
++    ECSignature = new SignatureAlgorithm(SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, 
+ 	"EC",
+         null, null, ANSI_X962_OID.subBranch(2).subBranch(1) );
+ 
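Review bot: In the SignatureAlgorithm.java section of the added patch, `ECSignature` switches its tag to `SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST` while its last argument stays `ANSI_X962_OID.subBranch(2).subBranch(1)`, so the NSS tag and the Java-side OID no longer describe the same object. If `ANSI_X962_OID` is 1.2.840.10045 (its definition is outside the hunk), that branch is id-ecPublicKey, and code that encodes the algorithm's OID would keep emitting the key OID under a signature tag; either align the OID or state the intent, e.g. `// OID kept as id-ecPublicKey on purpose; only the tag drives token mechanism lookup` if that is the case. The same swap on `ECFamily` in KeyPairAlgorithm.java applies to every caller, including ones that want ECDH keys, and that limitation belongs in a Javadoc on `ECFamily` rather than in `//` lines placed between `public static final Algorithm` and the field name. Both class bodies continue outside the quoted context.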
diff --git a/jss.spec b/jss.spec
index 595f9e8..d69e6a0 100644
--- a/jss.spec
+++ b/jss.spec
@@ -1,6 +1,6 @@
 Name:           jss
 Version:        4.2.6
-Release:        15%{?dist}
+Release:        17%{?dist}
 Summary:        Java Security Services (JSS)
 
 Group:          System Environment/Libraries
@@ -32,7 +32,8 @@ Patch7:         jss-ECC_keygen_byCurveName.patch
 Patch8:         jss-VerifyCertificate.patch
 Patch9:         jss-bad-error-string-pointer.patch
 Patch10:        jss-VerifyCertificateReturnCU.patch
-Patch11:        jss-slots-not-freed.patch
+#Patch11:        jss-slots-not-freed.patch
+Patch12:        jss-ECC-HSM-FIPS.patch
 
 
 %description
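Review bot: `#Patch11:        jss-slots-not-freed.patch` is left as a commented-out line although the diffstat shows that patch file being deleted, so the spec keeps a dead reference with no reason next to it; the `%prep` hunk does the same with `#%patch11 -p1`. Going by the 4.2.6-15.99 changelog entry, the patch was backed out because of bug 694661, which means the slot leak from bug 676083 is unfixed again in this build; a line such as `# Patch11 (jss-slots-not-freed.patch) backed out for bug 694661; bug 676083 is open again` would record that. In `%prep`, rpm expands macros inside comment lines, so the usual form is `#%%patch11 -p1`, or simply drop both lines.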
@@ -60,7 +61,8 @@ This package contains the API documentation for JSS.
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
-%patch11 -p1
+#%patch11 -p1
+%patch12 -p1
 
 %build
 [ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
@@ -144,6 +146,14 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Wed May 18 2011 Christina Fu <cfu at redhat.com> - 4.2.6-17
+- Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode
+  and ECC algorithms (support tokens that don't do ECDH)
+
+* Fri Apr 08 2011 Jack Magne <jmagne at redhat.com> - 4.2.6-15.99
+- bug 694661 - TKS instance crash during token enrollment.
+  Back out of previous patch for #676083.
+
 * Thu Feb 24 2011 Andrew Wnuk <awnuk at redhat.com> - 4.2.6-15
 - bug 676083 - JSS: slots not freed 
 

