[jss/f14] Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping unwrapping keys should be done
kwright
kwright at fedoraproject.org
Fri Oct 21 05:32:14 UTC 2011
commit b27e0b79b24daf5afc5ce5ff402e26c07c47bb63
Author: Kevin Wright <kwright at redhat.com>
Date: Thu Oct 20 22:32:13 2011 -0700
Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping
unwrapping keys should be done in the token
support for PKCS5v2; support for secure PKCS12
Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after the
in-place upgrade( CS 8.0->8.1)
clog | 7 +-
jss-PBE-PKCS5-V2-secure-P12.patch | 328 +++++++++++++
jss-PKCS12-FIPS.patch | 80 ++++
jss-eliminate-java-compiler-warnings.patch | 641 ++++++++++++++++++++++++++
jss-eliminate-native-compiler-warnings.patch | 621 +++++++++++++++++++++++++
jss-eliminate-native-coverity-defects.patch | 253 ++++++++++
jss-wrapInToken.patch | 158 +++++++
jss.spec | 45 ++-
8 files changed, 2130 insertions(+), 3 deletions(-)
---
diff --git a/clog b/clog
index 6903c7f..6a41480 100644
--- a/clog
+++ b/clog
@@ -1,2 +1,5 @@
-Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode
-and ECC algorithms (support tokens that don't do ECDH)
+Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping
+unwrapping keys should be done in the token
+support for PKCS5v2; support for secure PKCS12
+Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after the
+in-place upgrade( CS 8.0->8.1)
diff --git a/jss-PBE-PKCS5-V2-secure-P12.patch b/jss-PBE-PKCS5-V2-secure-P12.patch
new file mode 100644
index 0000000..068e4d7
--- /dev/null
+++ b/jss-PBE-PKCS5-V2-secure-P12.patch
@@ -0,0 +1,328 @@
+diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
+--- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c.old 2011-09-23 10:14:24.000000000 -0700
++++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-22 18:39:15.000000000 -0700
+@@ -111,6 +111,9 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
+ /* 48 */ {SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE, SEC_OID_TAG},
+ /* 49 */ {SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE, SEC_OID_TAG},
+ /* 50 */ {SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST, SEC_OID_TAG},
++/* 51 */ {SEC_OID_PKCS5_PBKDF2, SEC_OID_TAG},
++/* 52 */ {SEC_OID_PKCS5_PBES2, SEC_OID_TAG},
++/* 53 */ {SEC_OID_PKCS5_PBMAC1, SEC_OID_TAG},
+ /* REMEMBER TO UPDATE NUM_ALGS!!! */
+ };
+
+diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h
+--- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h.old 2011-09-23 10:14:08.000000000 -0700
++++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.h 2011-09-22 20:31:12.000000000 -0700
+@@ -56,7 +56,7 @@ typedef struct JSS_AlgInfoStr {
+ JSS_AlgType type;
+ } JSS_AlgInfo;
+
+-#define NUM_ALGS 51
++#define NUM_ALGS 54
+
+ extern JSS_AlgInfo JSS_AlgTable[];
+ extern CK_ULONG JSS_symkeyUsage[];
+diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.old ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java
+--- ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java.old 2011-09-23 10:14:42.000000000 -0700
++++ ./mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.java 2011-09-22 18:39:15.000000000 -0700
+@@ -233,5 +233,9 @@ public class Algorithm {
+ protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
+ protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
+ protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=50;
++ //PKCS5 V2
++ protected static final short SEC_OID_PKCS5_PBKDF2=51;
++ protected static final short SEC_OID_PKCS5_PBES2=52;
++ protected static final short SEC_OID_PKCS5_PBMAC1=53;
+
+ }
+diff -up ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java.old ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java
+--- ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java.old 2011-09-23 10:15:04.000000000 -0700
++++ ./mozilla/security/jss/org/mozilla/jss/crypto/PBEAlgorithm.java 2011-09-22 18:39:15.000000000 -0700
+@@ -93,6 +93,27 @@ public class PBEAlgorithm extends KeyGen
+ ///////////////////////////////////////////////////////////////////////
+
+ //////////////////////////////////////////////////////////////
++ // PKCS 5 v2
++ public static final PBEAlgorithm
++ PBE_PKCS5_PBKDF2 = new PBEAlgorithm(
++ SEC_OID_PKCS5_PBKDF2, "PBKDF2", 128,
++ PKCS5.subBranch(12), EncryptionAlgorithm.AES_128_CBC, 8 );
++
++ //////////////////////////////////////////////////////////////
++ // PKCS 5 v2
++ public static final PBEAlgorithm
++ PBE_PKCS5_PBES2 = new PBEAlgorithm(
++ SEC_OID_PKCS5_PBES2, "PBES2", 128,
++ PKCS5.subBranch(13), EncryptionAlgorithm.AES_128_CBC, 8 );
++
++ //////////////////////////////////////////////////////////////
++ // PKCS 5 v2
++ public static final PBEAlgorithm
++ PBE_PKCS5_PBMAC1 = new PBEAlgorithm(
++ SEC_OID_PKCS5_PBMAC1, "PBMAC1", 128,
++ PKCS5.subBranch(14), EncryptionAlgorithm.AES_128_CBC, 8 );
++
++ //////////////////////////////////////////////////////////////
+ public static final PBEAlgorithm
+ PBE_MD2_DES_CBC = new PBEAlgorithm(
+ SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC, "PBE/MD2/DES/CBC", 56,
+diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
+--- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.old 2011-09-23 10:12:09.000000000 -0700
++++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-09-27 10:35:19.000000000 -0700
+@@ -324,7 +324,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
+ }
+ /* print_secitem(pwitem); */
+
+-
+ mech = JSS_getPK11MechFromAlg(env, alg);
+
+ if( mech == CKM_PBA_SHA1_WITH_SHA1_HMAC ) {
+@@ -344,7 +343,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
+ PR_ASSERT(oidTag != SEC_OID_UNKNOWN);
+
+ /* create algid */
+- algid = PK11_CreatePBEAlgorithmID(oidTag, iterationCount, salt);
++ algid = PK11_CreatePBEV2AlgorithmID(
++ oidTag,
++ SEC_OID_DES_EDE3_CBC,
++ SEC_OID_HMAC_SHA1,
++ 168/8,
++ iterationCount,
++ salt);
++
+ if( algid == NULL ) {
+ JSS_throwMsg(env, TOKEN_EXCEPTION,
+ "Unable to process PBE parameters");
+diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+--- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.old 2011-09-25 15:43:52.000000000 -0700
++++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-09-27 21:16:06.000000000 -0700
+@@ -324,14 +324,34 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+ SECItem *wrapped=NULL, *iv=NULL, *param=NULL, *pubValue=NULL;
+ SECItem label; /* empty secitem, doesn't need to be freed */
+ PRBool token;
+- CK_ATTRIBUTE_TYPE attribs[4];
+- int numAttribs;
++ CK_ATTRIBUTE_TYPE attribs[4] = {0, 0, 0, 0};
++ int numAttribs = 0;
++ CK_TOKEN_INFO tokenInfo;
++
++ PRBool isSensitive = PR_TRUE;
++ PRBool isExtractable = PR_FALSE;
++ /* special case nethsm*/
++ CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
++ PRBool isNethsm = PR_TRUE;
+
+ if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
+ /* exception was thrown */
+ goto finish;
+ }
+
++ if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) {
++ int ix = 0;
++ for(ix=0; ix < 4; ix++) {
++ if (tokenInfo.label[ix] != nethsmLabel[ix]) {
++ isNethsm = PR_FALSE;
++ break;
++ }
++ }
++
++ } else {
++ isNethsm = PR_FALSE;
++ }
++
+ /* get unwrapping key */
+ if( JSS_PK11_getSymKeyPtr(env, unwrapperObj, &unwrappingKey)
+ != PR_SUCCESS) {
+@@ -392,14 +412,24 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+ }
+ keyType = PK11_GetKeyType(keyTypeMech, 0);
+
++ if( isNethsm ) {
++ isSensitive = PR_FALSE;
++ isExtractable = PR_FALSE;
++ }
++
++setAttrs:
+ /* figure out which operations to enable for this key */
+ switch (keyType) {
+ case CKK_RSA:
+ attribs[0] = CKA_SIGN;
+- attribs[1] = CKA_DECRYPT;
+- attribs[2] = CKA_SIGN_RECOVER;
+- attribs[3] = CKA_UNWRAP;
+- numAttribs = 4;
++ attribs[1] = CKA_SIGN_RECOVER;
++ attribs[2] = CKA_UNWRAP;
++ if (isExtractable) {
++ attribs[3] = CKA_EXTRACTABLE;
++ numAttribs = 4;
++ } else {
++ numAttribs = 3;
++ }
+ break;
+ case CKK_DSA:
+ attribs[0] = CKA_SIGN;
+@@ -426,7 +456,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+
+ /* perform the unwrap */
+ privk = PK11_UnwrapPrivKey(slot, unwrappingKey, wrapType, param, wrapped,
+- &label, pubValue, token, PR_TRUE /*sensitive*/, keyType,
++ &label, pubValue, token, isSensitive /*sensitive*/, keyType,
+ attribs, numAttribs, NULL /*wincx*/);
+ if( privk == NULL ) {
+ JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token");
+diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
+--- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.old 2011-09-27 15:16:52.000000000 -0700
++++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2011-09-27 17:01:18.000000000 -0700
+@@ -190,21 +190,23 @@ final class PK11KeyWrapper implements Ke
+ if( key==null ) {
+ throw new InvalidKeyException("Key is null");
+ }
+- if( ! key.getOwningToken().equals(token) ) {
+- throw new InvalidKeyException("Key does not reside on the "+
+- "current token");
+- }
+- if( ! (key instanceof PK11SymKey) ) {
+- throw new InvalidKeyException("Key is not a PKCS #11 key");
+- }
+ try {
++ if( ! key.getOwningToken().equals(token) ) {
++ throw new InvalidKeyException("Key does not reside on the current token: key owning token="+
++ key.getOwningToken().getName());
++ }
++ if( ! (key instanceof PK11SymKey) ) {
++ throw new InvalidKeyException("Key is not a PKCS #11 key");
++ }
+ if( ((PK11SymKey)key).getKeyType() !=
+- KeyType.getKeyTypeFromAlgorithm(algorithm) ) {
+- throw new InvalidKeyException("Key is not the right type for"+
++ KeyType.getKeyTypeFromAlgorithm(algorithm) ) {
++ throw new InvalidKeyException("Key is not the right type for"+
+ " this algorithm");
+ }
+ } catch( NoSuchAlgorithmException e ) {
+ Assert.notReached("Unknown algorithm");
++ } catch (Exception e) {
++ Assert.notReached("Exception:"+ e.toString());
+ }
+ }
+
+diff -up ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.old ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
+--- ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.old 2011-09-23 10:12:29.000000000 -0700
++++ ./mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-09-23 08:54:19.000000000 -0700
+@@ -106,10 +106,13 @@ public final class PK11Token implements
+ getKeyGenerator(KeyGenAlgorithm algorithm)
+ throws NoSuchAlgorithmException, TokenException
+ {
++/* NSS is capable of finding the right token to do algorithm,
++ so this call is prematurely bailing
+ if( ! doesAlgorithm(algorithm) ) {
+ throw new NoSuchAlgorithmException(
+ algorithm+" is not supported by this token");
+ }
++*/
+ return new PK11KeyGenerator(this, algorithm);
+ }
+
+diff -up ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.old ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+--- ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.old 2011-09-23 10:42:06.000000000 -0700
++++ ./mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java 2011-09-27 14:31:41.000000000 -0700
+@@ -43,6 +43,7 @@ import org.mozilla.jss.util.Assert;
+ import java.security.*;
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.util.Password;
++import org.mozilla.jss.crypto.PrivateKey;
+ import java.security.spec.AlgorithmParameterSpec;
+
+ /**
+@@ -184,6 +185,89 @@ public class EncryptedPrivateKeyInfo imp
+ return null;
+ }
+
++
++ /**
++ * Creates a new EncryptedPrivateKeyInfo, where the data is encrypted
++ * with a password-based key-
++ * with wrapping/unwrapping happening on token.
++ *
++ * @param keyGenAlg The algorithm for generating a symmetric key from
++ * a password, salt, and iteration count.
++ * @param password The password to use in generating the key.
++ * @param salt The salt to use in generating the key.
++ * @param iterationCount The number of hashing iterations to perform
++ * while generating the key.
++ * @param charToByteConverter The mechanism for converting the characters
++ * in the password into bytes. If null, the default mechanism
++ * will be used, which is UTF8.
++ * @param pri The PrivateKey to be encrypted and stored in the
++ * EncryptedContentInfo.
++ */
++ public static EncryptedPrivateKeyInfo
++ createPBE(PBEAlgorithm keyGenAlg, Password password, byte[] salt,
++ int iterationCount,
++ KeyGenerator.CharToByteConverter charToByteConverter,
++ PrivateKey pri, CryptoToken token)
++ throws CryptoManager.NotInitializedException, NoSuchAlgorithmException,
++ InvalidKeyException, InvalidAlgorithmParameterException, TokenException,
++ CharConversionException
++ {
++ try {
++
++ // check key gen algorithm
++
++ if( ! (keyGenAlg instanceof PBEAlgorithm) ) {
++ throw new NoSuchAlgorithmException("Key generation algorithm"+
++ " is not a PBE algorithm");
++ }
++
++ PBEAlgorithm pbeAlg = (PBEAlgorithm) keyGenAlg;
++
++ // generate key
++
++ KeyGenerator kg = token.getKeyGenerator( keyGenAlg );
++ PBEKeyGenParams pbekgParams = new PBEKeyGenParams(
++ password, salt, iterationCount);
++ if( charToByteConverter != null ) {
++ kg.setCharToByteConverter( charToByteConverter );
++ }
++ kg.initialize(pbekgParams);
++ kg.temporaryKeys(true);
++ SymmetricKey key = kg.generate();
++
++ // generate IV
++ EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
++ AlgorithmParameterSpec params=null;
++ if( encAlg.getParameterClass().equals( IVParameterSpec.class ) ) {
++ params = new IVParameterSpec( kg.generatePBE_IV() );
++ }
++
++ KeyWrapper wrapper = token.getKeyWrapper(
++ KeyWrapAlgorithm.DES3_CBC);
++ wrapper.initWrap(key, params);
++ byte encrypted[] = wrapper.wrap(pri);
++
++ // make encryption algorithm identifier
++ PBEParameter pbeParam = new PBEParameter( salt, iterationCount );
++ AlgorithmIdentifier encAlgID = new AlgorithmIdentifier(
++ keyGenAlg.toOID(), pbeParam);
++
++ // create EncryptedPrivateKeyInfo
++ EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo (
++ encAlgID,
++ new OCTET_STRING(encrypted) );
++
++ return epki;
++
++ } catch (Exception e) {
++ Assert.notReached("EncryptedPrivateKeyInfo exception:"
++ +".createPBE");
++ }
++
++ return null;
++ }
++
++
+ /**
+ * Decrypts an EncryptedPrivateKeyInfo that was encrypted with a PBE
+ * algorithm. The algorithm and its parameters are extracted from
diff --git a/jss-PKCS12-FIPS.patch b/jss-PKCS12-FIPS.patch
new file mode 100644
index 0000000..b2aa854
--- /dev/null
+++ b/jss-PKCS12-FIPS.patch
@@ -0,0 +1,80 @@
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c.fix 2011-08-15 15:39:56.633158000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-08-15 20:43:34.947749000 -0700
+@@ -239,40 +239,47 @@ print_secitem(SECItem *item) {
+ * TokenException if an error occurs.
+ */
+ static PK11SymKey*
+-constructSHA1PBAKey(JNIEnv *env, SECItem *pwitem, SECItem *salt,
++constructSHA1PBAKey(JNIEnv *env, PK11SlotInfo *slot, SECItem *pwitem, SECItem *salt,
+ int iterationCount)
+ {
+- PBEBitGenContext* pbeCtxt=NULL;
+- SECItem *keyBits=NULL;
+ PK11SymKey *key=NULL;
+
+- pbeCtxt = PBE_CreateContext( SEC_OID_SHA1, pbeBitGenIntegrityKey,
+- pwitem, salt, 160 /* SHA1 key length */, iterationCount);
+- if( pbeCtxt == NULL ) {
+- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to create PBE context");
++ unsigned char ivData[8];
++ SECItem mechItem;
++ CK_PBE_PARAMS pbe_params;
++
++ if( pwitem == NULL ) {
++ JSS_throwMsg(env, TOKEN_EXCEPTION,
++ "constructSHA1PAKey:"
++ " pwitem NULL");
+ goto finish;
+ }
+-
+- keyBits = PBE_GenerateBits(pbeCtxt);
+- if( keyBits == NULL ) {
+- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to generate bits from"
+- "PBE context");
++ if( salt == NULL ) {
++ JSS_throwMsg(env, TOKEN_EXCEPTION,
++ "constructSHA1PAKey:"
++ " salt NULL");
+ goto finish;
+ }
+
+- key = PK11_ImportSymKey( PK11_GetInternalSlot(), CKM_SHA_1,
+- PK11_OriginGenerated, CKA_SIGN, keyBits, NULL);
++ pbe_params.pInitVector = ivData;
++ pbe_params.pPassword = pwitem->data;
++ pbe_params.ulPasswordLen = pwitem->len;
++ pbe_params.pSalt = salt->data;
++ pbe_params.ulSaltLen = salt->len;
++ pbe_params.ulIteration = iterationCount;
++ mechItem.data = (unsigned char *) &pbe_params;
++ mechItem.len = sizeof(pbe_params);
++
++ key = PK11_RawPBEKeyGen(slot, CKM_PBA_SHA1_WITH_SHA1_HMAC, &mechItem, pwitem, PR_FALSE, NULL);
++
+ if( key == NULL ) {
+- JSS_throwMsg(env, TOKEN_EXCEPTION, "Failed to import PBA key from"
+- " PBA-generated bits");
++ JSS_throwMsg(env, TOKEN_EXCEPTION,
++ "PK11_RawPBEKeyGen:"
++ " failed to generate key");
+ goto finish;
+ }
+
+ finish:
+- if( pbeCtxt ) {
+- PBE_DestroyContext(pbeCtxt);
+- }
+- /* keyBits == pbeCtxt, so we don't need to free it */
+ return key;
+ }
+
+@@ -324,7 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyGener
+
+ /* special case, construct key by hand. Bug #336587 */
+
+- skey = constructSHA1PBAKey(env, pwitem, salt, iterationCount);
++ skey = constructSHA1PBAKey(env, slot, pwitem, salt, iterationCount);
+ if( skey==NULL ) {
+ /* exception was thrown */
+ goto finish;
diff --git a/jss-eliminate-java-compiler-warnings.patch b/jss-eliminate-java-compiler-warnings.patch
new file mode 100644
index 0000000..1df99d3
--- /dev/null
+++ b/jss-eliminate-java-compiler-warnings.patch
@@ -0,0 +1,641 @@
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2011-08-10 16:21:30.837765000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2011-08-12 13:13:34.449664000 -0700
+@@ -1125,7 +1125,7 @@ public final class CryptoManager impleme
+ * Imports a single certificate into the permanent certificate
+ * database.
+ *
+- * @param derCert the certificate you want to add
++ * @param cert the certificate you want to add
+ * @param nickname the nickname you want to refer to the certificate as
+ * (must not be null)
+ */
+@@ -1391,11 +1391,11 @@ public final class CryptoManager impleme
+ public static final String
+ JAR_JDK_VERSION = "JDK_VERSION = N/A";
+ public static final String
+- JAR_NSS_VERSION = "NSS_VERSION = NSS_3_11_9_RTM";
++ JAR_NSS_VERSION = "NSS_VERSION = N/A";
+ public static final String
+ JAR_DBM_VERSION = "DBM_VERSION = N/A";
+ public static final String
+- JAR_NSPR_VERSION = "NSPR_VERSION = NSPR_4_7_RTM";
++ JAR_NSPR_VERSION = "NSPR_VERSION = N/A";
+
+ /**
+ * Loads the JSS dynamic library if necessary.
+@@ -1433,8 +1433,8 @@ public final class CryptoManager impleme
+ * this thread's token to <tt>null</tt> will also cause the
+ * InternalKeyStorageToken to be used.
+ *
+- * @param The token to use for crypto operations. Specifying <tt>null</tt>
+- * will cause the InternalKeyStorageToken to be used.
++ * @param token The token to use for crypto operations. Specifying
++ * <tt>null</tt> will cause the InternalKeyStorageToken to be used.
+ */
+ public void setThreadToken(CryptoToken token) {
+ if( token != null ) {
+@@ -1579,7 +1579,7 @@ public final class CryptoManager impleme
+ * Verify a certificate in memory. Check if
+ * valid and that we trust the issuer. Verify time
+ * against Now.
+- * @param certificate in memory
++ * @param certPackage certificate in memory
+ * @param checkSig verify the signature of the certificate
+ * @param certUsage see exposed certUsage defines to verify Certificate
+ * @return true for success; false otherwise
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java 2011-08-10 17:29:33.476661000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/JSSProvider.java 2011-08-12 11:00:26.456852000 -0700
+@@ -51,7 +51,7 @@ public final class JSSProvider extends j
+
+ private static int JSS_MAJOR_VERSION = 4;
+ private static int JSS_MINOR_VERSION = 2;
+- private static int JSS_PATCH_VERSION = 5;
++ private static int JSS_PATCH_VERSION = 6;
+ private static double JSS_VERSION = JSS_MAJOR_VERSION +
+ (JSS_MINOR_VERSION * 100 +
+ JSS_PATCH_VERSION)/10000.0;
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2004-04-25 08:02:21.000000000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java 2011-08-12 13:10:50.781827000 -0700
+@@ -144,8 +144,8 @@ public abstract class Cipher {
+ * <i>B</i> is the block size, the padding string consists of
+ * <i>B</i> - (<i>M</i> mod <i>B</i>) octets, each having the value
+ * <i>B</i> - (<i>M</i> mod <i>B</i>).
+- * @param The block size of the encryption algorithm. Must be greater
+- * than zero.
++ * @param blockSize The block size of the encryption algorithm.
++ * Must be greater than zero.
+ * @see #unPad
+ */
+ public static byte[]
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2007-11-09 16:37:56.000000000 -0800
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java 2011-08-12 11:07:20.326438000 -0700
+@@ -194,7 +194,7 @@ public interface CryptoToken {
+ * Login to the token. If a token is logged in, it will not trigger
+ * password callbacks.
+ *
+- * @param password The password for this token.
++ * @param pwcb The password callback for this token.
+ * @exception IncorrectPasswordException If the supplied password is
+ * incorrect.
+ * @see #setLoginMode
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2004-04-25 08:02:21.000000000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java 2011-08-12 11:08:37.747360000 -0700
+@@ -88,7 +88,7 @@ public abstract class JSSMessageDigest {
+ * Completes digestion.
+ *
+ * @return The, ahem, output of the digest operation.
+- * @param If an error occurs while digesting.
++ * @exception DigestException If an error occurs while digesting.
+ */
+ public byte[] digest() throws DigestException {
+ byte[] output = new byte[getOutputSize()];
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java 2004-04-25 08:02:21.000000000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PBEKeyGenParams.java 2011-08-12 11:09:41.345296000 -0700
+@@ -60,7 +60,7 @@ public class PBEKeyGenParams implements
+ * Must not be null. It is the responsibility of the caller to
+ * use the right salt length for the algorithm. Most algorithms
+ * use 8 bytes of salt.
+- * @param The iteration count for the PBE algorithm.
++ * @param iterations The iteration count for the PBE algorithm.
+ */
+ public PBEKeyGenParams(Password pass, byte[] salt, int iterations) {
+ if(pass==null || salt==null) {
+@@ -80,7 +80,7 @@ public class PBEKeyGenParams implements
+ * Must not be null. It is the responsibility of the caller to
+ * use the right salt length for the algorithm. Most algorithms
+ * use 8 bytes of salt.
+- * @param The iteration count for the PBE algorithm.
++ * @param iterations The iteration count for the PBE algorithm.
+ */
+ public PBEKeyGenParams(char[] pass, byte[] salt, int iterations) {
+ if(pass==null || salt==null) {
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2007-11-09 16:37:57.000000000 -0800
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-08-12 11:13:51.807047000 -0700
+@@ -228,8 +228,8 @@ public final class PK11Token implements
+ * Initialize PIN. This sets the user's new PIN, using the current
+ * security officer PIN for authentication.
+ *
+- * @param ssopw The security officer's current password.
+- * @param userpw The user's new password.
++ * @param ssopwcb The security officer's current password callback.
++ * @param userpwcb The user's new password callback.
+ * @exception IncorrectPinException If the security officer PIN is
+ * incorrect.
+ * @exception TokenException If the PIN was already initialized,
+@@ -322,8 +322,8 @@ public final class PK11Token implements
+ * Change password. This changes the user's PIN after it has already
+ * been initialized.
+ *
+- * @param oldPIN The user's old PIN.
+- * @param newPIN The new PIN.
++ * @param oldPINcb The user's old PIN callback.
++ * @param newPINcb The new PIN callback.
+ * @exception IncorrectPasswordException If the old PIN is incorrect.
+ * @exception TokenException If some other error occurs on the token.
+ *
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java 2005-09-22 10:58:35.000000000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs12/SafeBag.java 2011-08-12 11:14:44.011995000 -0700
+@@ -288,7 +288,7 @@ public final class SafeBag implements AS
+ * as the nickname of the associated cert.
+ * @param localKeyID The localKeyID for the key; should be the same as
+ * the localKeyID of the associated cert.
+- * @param The password used to encrypt the private key.
++ * @param password The password used to encrypt the private key.
+ */
+ public static SafeBag
+ createEncryptedPrivateKeyBag(PrivateKeyInfo privk, String friendlyName,
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java 2004-04-25 08:02:23.000000000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs7/SignerInfo.java 2011-08-12 11:12:13.957145000 -0700
+@@ -430,7 +430,6 @@ public class SignerInfo implements ASN1V
+ * SignerInfo.
+ * @param contentType The type of the content that is signed by this
+ * SignerInfo.
+- * @param pubkey The public key to use to verify the signature.
+ * @exception NoSuchObjectException If no certificate matching the
+ * the issuer name and serial number can be found.
+ */
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java 2004-11-18 14:56:11.000000000 -0800
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmc/CMCStatusInfo.java 2011-08-12 11:20:39.240639000 -0700
+@@ -108,7 +108,7 @@ public class CMCStatusInfo implements AS
+ * @param status A CMCStatus constant.
+ * @param bodyList The sequence of bodyPartID.
+ * @param statusString A String.
+- * @param OtherInfo The OtherInfo choice.
++ * @param otherInfo The OtherInfo choice.
+ */
+ public CMCStatusInfo(int status, SEQUENCE bodyList, String
+ statusString, OtherInfo otherInfo) {
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java 2006-05-23 20:18:17.000000000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/cmmf/PKIStatusInfo.java 2011-08-12 11:21:27.389591000 -0700
+@@ -88,7 +88,6 @@ public class PKIStatusInfo implements AS
+ /**
+ * Create a PKIStatusInfo with no failure info.
+ * @param status A PKIStatus constant.
+- * @param failInfo The bitwise AND of the PKIFailureInfo constants.
+ */
+ public PKIStatusInfo(int status) {
+ this.status = new INTEGER(status);
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java 2004-04-25 08:02:26.000000000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/DirectoryString.java 2011-08-12 11:20:11.194667000 -0700
+@@ -115,10 +115,6 @@ public class DirectoryString implements
+
+ /**
+ * Converts an ASN.1 DirectoryString to a Java string.
+- *
+- * @param dirstr An ANY containing a BER-encoded DirectoryString.
+- * @exception InvalidBERException If the encoding does not contain a
+- * valid DirectoryString.
+ */
+ public String toString() {
+ return asn1String.toString();
+@@ -176,6 +172,8 @@ public class DirectoryString implements
+ /**
+ * @param implicitTag <b>This paramter is ignored</b>, because
+ * DirectoryStrings (being CHOICEs) cannot have implicit tags.
++ * @exception InvalidBERException If the encoding does not contain a
++ * valid DirectoryString.
+ */
+ public ASN1Value decode(Tag implicitTag, InputStream istream)
+ throws IOException, InvalidBERException
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java 2003-04-28 14:48:33.000000000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java 2011-08-12 10:58:39.589958000 -0700
+@@ -91,14 +91,18 @@ class JSSSecretKeyFactorySpi extends Sec
+ // versions is to use the reflection API.
+ Class specClass = spec.getClass();
+ try {
+- Method getSaltMethod = specClass.getMethod("getSalt", null);
++ Method getSaltMethod = specClass.getMethod("getSalt",
++ (java.lang.Class) null);
+ Method getIterationMethod =
+- specClass.getMethod("getIterationCount", null);
++ specClass.getMethod("getIterationCount",
++ (java.lang.Class) null);
+
+- byte[] salt = (byte[]) getSaltMethod.invoke(spec, null);
++ byte[] salt = (byte[]) getSaltMethod.invoke(spec,
++ (java.lang.Class) null);
+
+ Integer itCountObj =
+- (Integer) getIterationMethod.invoke(spec,null);
++ (Integer) getIterationMethod.invoke(spec,
++ (java.lang.Class) null);
+ int iterationCount = itCountObj.intValue();
+
+ Password pass = new Password(spec.getPassword());
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2011-08-10 16:21:30.412765000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java 2011-08-12 11:47:38.385021000 -0700
+@@ -182,11 +182,11 @@ public class SSLSocket extends java.net.
+ }
+
+ /**
+- * Creates an SSL client socket and connects to the specified host and
++ * Creates an SSL client socket and connects to the specified address and
+ * port. Binds to the given local address and port. Installs the given
+ * callbacks for certificate approval and client certificate selection.
+ *
+- * @param host The hostname to connect to.
++ * @param address The IP address to connect to.
+ * @param port The port to connect to.
+ * @param localAddr The local address to bind to. It can be null, in which
+ * case an unspecified local address will be chosen.
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java 2006-02-23 08:47:17.000000000 -0800
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/HMACTest.java 2011-08-12 13:11:11.790805000 -0700
+@@ -96,7 +96,7 @@ public class HMACTest {
+
+ /**
+ * Main test method.
+- * @params args[]
++ * @param argv
+ */
+ public static void main(String []argv) {
+
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2011-08-10 16:21:30.337766000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JCASymKeyGen.java 2011-08-12 11:53:56.192644000 -0700
+@@ -116,9 +116,9 @@ public class JCASymKeyGen {
+ }
+ /**
+ *
+- * @param key
+- * @param kg
+- * @return
++ * @param keyType
++ * @param provider
++ * @return javax.crypto.SecretKey key
+ */
+ public javax.crypto.SecretKey genSecretKey(String keyType, String provider){
+ javax.crypto.SecretKey key = null;
+@@ -155,7 +155,7 @@ public class JCASymKeyGen {
+ *
+ * @param keyType
+ * @param provider
+- * @return
++ * @return javax.crypto.SecretKey key
+ */
+ public javax.crypto.SecretKey genPBESecretKey(String keyType,
+ String provider){
+@@ -197,8 +197,10 @@ public class JCASymKeyGen {
+ /**
+ *
+ * @param sKey
+- * @param AlgType
+- * @param provider
++ * @param algFamily
++ * @param algType
++ * @param providerForEncrypt
++ * @param providerForDecrypt
+ */
+ public void testCipher(javax.crypto.SecretKey sKey, String algFamily,
+ String algType, String providerForEncrypt, String providerForDecrypt)
+@@ -304,8 +306,10 @@ public class JCASymKeyGen {
+ /**
+ *
+ * @param sKey
+- * @param AlgType
+- * @param provider
++ * @param algFamily
++ * @param algType
++ * @param providerForEncrypt
++ * @param providerForDecrypt
+ */
+ public void testMultiPartCipher(javax.crypto.SecretKey sKey, String algFamily,
+ String algType, String providerForEncrypt, String providerForDecrypt)
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java 2007-11-15 13:30:19.000000000 -0800
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java 2011-08-12 12:56:15.480701000 -0700
+@@ -78,7 +78,7 @@ public class JSSE_SSLClient {
+
+ /**
+ * Set the protocol type and revision
+- * @param String sslRevision
++ * @param fSslRevision
+ */
+ public void setSslRevision(String fSslRevision) {
+
+@@ -91,7 +91,7 @@ public class JSSE_SSLClient {
+
+ /**
+ * Set the host name to connect to.
+- * @param String hostname
++ * @param fHost
+ */
+ public void setHost(String fHost) {
+ this.host = fHost;
+@@ -99,7 +99,7 @@ public class JSSE_SSLClient {
+
+ /**
+ * Set the port number to connect to.
+- * @param int portnumber
++ * @param fPort
+ */
+ public void setPort(int fPort) {
+ this.port = fPort;
+@@ -107,7 +107,7 @@ public class JSSE_SSLClient {
+
+ /**
+ * Set the cipher suite name to use.
+- * @param String cipherSuiteName
++ * @param fCipherSuite
+ */
+ public void setCipherSuite(String fCipherSuite) {
+ this.cipherName = fCipherSuite;
+@@ -115,7 +115,7 @@ public class JSSE_SSLClient {
+
+ /**
+ * Set the location of rsa.pfx
+- * @param String fKeystoreLoc
++ * @param fKeystoreLoc
+ */
+ public void setKeystoreLoc(String fKeystoreLoc) {
+ keystoreLoc = fKeystoreLoc + "/" + keystoreLoc;
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java 2007-11-15 13:30:19.000000000 -0800
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java 2011-08-12 12:57:18.987637000 -0700
+@@ -75,7 +75,7 @@ public class JSSE_SSLServer {
+
+ /**
+ * Set the provider to use.
+- * @param String p
++ * @param p
+ */
+ public void setProvider(String p) {
+ provider = p;
+@@ -90,7 +90,7 @@ public class JSSE_SSLServer {
+ }
+ /**
+ * Set the location of keystore file.
+- * @param String fconfigDir
++ * @param fconfigDir
+ */
+ public void setKeystore(String fconfigDir) {
+ configDir = fconfigDir;
+@@ -117,7 +117,7 @@ public class JSSE_SSLServer {
+
+ /**
+ * Start SSLServer and accept connections.
+- * @param args[]
++ * @param args
+ */
+ public void startSSLServer(String[] args) throws Exception {
+ String configDir = "";
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java 2005-08-11 11:28:59.000000000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_FileUploadClient.java 2011-08-12 12:50:45.946239000 -0700
+@@ -79,7 +79,7 @@ public class JSS_FileUploadClient {
+ /**
+ * Initialize the desired cipher to be set
+ * on the socket.
+- * @param int Cipher
++ * @param aCipher
+ */
+ public void setCipher(int aCipher) {
+ fCipher = aCipher;
+@@ -87,7 +87,7 @@ public class JSS_FileUploadClient {
+
+ /**
+ * Initialize the hostname to run the server
+- * @param String ServerName
++ * @param aHostName
+ */
+ public void setHostName(String aHostName) {
+ serverHost = aHostName;
+@@ -95,7 +95,7 @@ public class JSS_FileUploadClient {
+
+ /**
+ * Initialize the port to run the server
+- * @param int port
++ * @param aPort
+ */
+ public void setPort(int aPort) {
+ port = aPort;
+@@ -103,7 +103,7 @@ public class JSS_FileUploadClient {
+
+ /**
+ * Initialize the passwords file name
+- * @param String passwords
++ * @param aPasswordFile
+ */
+ public void setPasswordFile(String aPasswordFile) {
+ fPasswordFile = aPasswordFile;
+@@ -111,7 +111,7 @@ public class JSS_FileUploadClient {
+
+ /**
+ * Initialize the cert db path name
+- * @param String CertDbPath
++ * @param aCertDbPath
+ */
+ public void setCertDbPath(String aCertDbPath) {
+ fCertDbPath = aCertDbPath;
+@@ -120,7 +120,7 @@ public class JSS_FileUploadClient {
+ /**
+ * Initialize the name of the file to
+ * be used for testing along with full path.
+- * @param String UploadFile
++ * @param aUploadFile
+ */
+ public void setUploadFile(String aUploadFile) {
+ fUploadFile = aUploadFile;
+@@ -128,7 +128,7 @@ public class JSS_FileUploadClient {
+
+ /**
+ * Enable/disable Test Cert Callback.
+- * @param boolean
++ * @param aTestCertCallback
+ */
+ public void setTestCertCallback(boolean aTestCertCallback) {
+ TestCertCallBack = aTestCertCallback;
+@@ -136,7 +136,7 @@ public class JSS_FileUploadClient {
+
+ /**
+ * Set client certificate
+- * @param String Certificate Nick Name
++ * @param aClientCertNick Certificate Nick Name
+ */
+ public void setClientCertNick(String aClientCertNick) {
+ clientCertNick = aClientCertNick;
+@@ -170,7 +170,7 @@ public class JSS_FileUploadClient {
+
+ /**
+ * Set EOF for closinng server socket
+- * @param null for closing server socket
++ * @param fEof null for closing server socket
+ */
+ public void setEOF(String fEof) {
+ this.EOF = fEof;
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java 2007-08-20 17:07:58.000000000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SSLClient.java 2011-08-12 12:54:46.978789000 -0700
+@@ -99,7 +99,7 @@ public class JSS_SSLClient {
+ /**
+ * Initialize the desired cipher to be set
+ * on the socket.
+- * @param int Cipher
++ * @param aCipher
+ */
+ public void setCipher(int aCipher) {
+ fCipher = aCipher;
+@@ -107,7 +107,7 @@ public class JSS_SSLClient {
+
+ /**
+ * Initialize the hostname to run the server
+- * @param String ServerName
++ * @param aHostName
+ */
+ public void setHostName(String aHostName) {
+ serverHost = aHostName;
+@@ -115,7 +115,7 @@ public class JSS_SSLClient {
+
+ /**
+ * Initialize the port to run the server
+- * @param int port
++ * @param aPort
+ */
+ public void setPort(int aPort) {
+ port = aPort;
+@@ -123,7 +123,7 @@ public class JSS_SSLClient {
+
+ /**
+ * Initialize the passwords file name
+- * @param String passwords
++ * @param aPasswordFile
+ */
+ public void setPasswordFile(String aPasswordFile) {
+ fPasswordFile = aPasswordFile;
+@@ -131,7 +131,7 @@ public class JSS_SSLClient {
+
+ /**
+ * Initialize the cert db path name
+- * @param String CertDbPath
++ * @param aCertDbPath
+ */
+ public static void setCertDbPath(String aCertDbPath) {
+ fCertDbPath = aCertDbPath;
+@@ -147,7 +147,7 @@ public class JSS_SSLClient {
+
+ /**
+ * Enable/disable Test Cert Callback.
+- * @param boolean
++ * @param bypass
+ */
+ public void setBypass(boolean bypass) {
+ testBypass = bypass;
+@@ -155,7 +155,7 @@ public class JSS_SSLClient {
+
+ /**
+ * Enable/disable Test Cert Callback.
+- * @param boolean
++ * @param aTestCertCallback
+ */
+ public void setTestCertCallback(boolean aTestCertCallback) {
+ TestCertCallBack = aTestCertCallback;
+@@ -163,7 +163,7 @@ public class JSS_SSLClient {
+
+ /**
+ * Set client certificate
+- * @param String Certificate Nick Name
++ * @param aClientCertNick Certificate Nick Name
+ */
+ public void setClientCertNick(String aClientCertNick) {
+ clientCertNick = aClientCertNick;
+@@ -197,7 +197,7 @@ public class JSS_SSLClient {
+
+ /**
+ * Set EOF for closinng server socket
+- * @param null for closing server socket
++ * @param fEof null for closing server socket
+ */
+ public void setEOF(String fEof) {
+ this.EOF = fEof;
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java 2007-11-15 13:30:19.000000000 -0800
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/JSS_SelfServClient.java 2011-08-12 12:52:43.644913000 -0700
+@@ -326,7 +326,7 @@ public class JSS_SelfServClient implemen
+ /**
+ * Initialize the desired ciphersuite to be set
+ * on the socket.
+- * @param int Cipher
++ * @param aCipher
+ */
+ public void setCipher(int aCipher) {
+
+@@ -378,7 +378,7 @@ public class JSS_SelfServClient implemen
+
+ /**
+ * Initialize the hostname to run the server
+- * @param String ServerName
++ * @param aHostName
+ */
+ public void setHostName(String aHostName) {
+ serverHost = aHostName;
+@@ -386,7 +386,7 @@ public class JSS_SelfServClient implemen
+
+ /**
+ * Initialize the port to run the server
+- * @param int port
++ * @param aPort
+ */
+ public void setPort(int aPort) {
+ port = aPort;
+@@ -394,7 +394,7 @@ public class JSS_SelfServClient implemen
+
+ /**
+ * Initialize the passwords file name
+- * @param String passwords
++ * @param aPasswordFile
+ */
+ public void setPasswordFile(String aPasswordFile) {
+ fPasswordFile = aPasswordFile;
+@@ -402,7 +402,7 @@ public class JSS_SelfServClient implemen
+
+ /**
+ * Initialize the cert db path name
+- * @param String CertDbPath
++ * @param aCertDbPath
+ */
+ public void setCertDbPath(String aCertDbPath) {
+ fCertDbPath = aCertDbPath;
+@@ -410,7 +410,7 @@ public class JSS_SelfServClient implemen
+
+ /**
+ * Enable/disable Test Cert Callback.
+- * @param boolean
++ * @param aTestCertCallback
+ */
+ public void setTestCertCallback(boolean aTestCertCallback) {
+ TestCertCallBack = aTestCertCallback;
+@@ -418,7 +418,7 @@ public class JSS_SelfServClient implemen
+
+ /**
+ * Set client certificate
+- * @param String Certificate Nick Name
++ * @param aClientCertNick Certificate Nick Name
+ */
+ public void setClientCertNick(String aClientCertNick) {
+ clientCertNick = aClientCertNick;
+diff -rupN alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java
+--- alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 2007-08-23 16:21:13.000000000 -0700
++++ java-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java 2011-08-12 12:58:27.925569000 -0700
+@@ -78,7 +78,7 @@ public class SSLClientAuth implements Ru
+ * @param rand
+ * @param extensions
+ * @throws java.lang.Exception
+- * @return
++ * @return Certificate
+ */
+ public static Certificate makeCert(String issuerName, String subjectName,
+ int serialNumber, PrivateKey privKey, PublicKey pubKey, int rand,
diff --git a/jss-eliminate-native-compiler-warnings.patch b/jss-eliminate-native-compiler-warnings.patch
new file mode 100644
index 0000000..d981eb7
--- /dev/null
+++ b/jss-eliminate-native-compiler-warnings.patch
@@ -0,0 +1,621 @@
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-08-10 16:21:30.609765000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-08-11 17:54:57.255176000 -0700
+@@ -55,7 +55,7 @@
+
+ #include "pk11util.h"
+
+-#if defined(AIX) || defined(HPUX) || defined(LINUX)
++#if defined(AIX) || defined(HPUX)
+ #include <signal.h>
+ #endif
+
+@@ -90,11 +90,11 @@ const char * jss_sccsid() {
+ /********************************************************************/
+
+ /* JSS_VERSION from mozilla/security/jss/org/mozilla/jss/util/jssver.h */
+-static const char* DLL_JSS_VERSION = "JSS_VERSION = " JSS_VERSION;
++static const char* VARIABLE_MAY_NOT_BE_USED DLL_JSS_VERSION = "JSS_VERSION = " JSS_VERSION;
+ /* NSS_VERSION from mozilla/security/nss/lib/nss/nss.h */
+-static const char* DLL_NSS_VERSION = "NSS_VERSION = " NSS_VERSION;
++static const char* VARIABLE_MAY_NOT_BE_USED DLL_NSS_VERSION = "NSS_VERSION = " NSS_VERSION;
+ /* NSPR_version from mozilla/nsprpub/pr/include/prinit.h */
+-static const char* DLL_NSPR_VERSION = "NSPR_VERSION = " PR_VERSION;
++static const char* VARIABLE_MAY_NOT_BE_USED DLL_NSPR_VERSION = "NSPR_VERSION = " PR_VERSION;
+
+
+
+@@ -106,13 +106,13 @@ static char*
+ getPWFromCallback(PK11SlotInfo *slot, PRBool retry, void *arg);
+
+ /*************************************************************
+- * AIX, HP, and Linux signal handling madness
++ * AIX and HP signal handling madness
+ *
+ * In order for the JVM, kernel, and NSPR to work together, we setup
+ * a signal handler for SIGCHLD that does nothing. This is only done
+- * on AIX, HP, and Linux.
++ * on AIX and HP.
+ *************************************************************/
+-#if defined(AIX) || defined(HPUX) || defined(LINUX)
++#if defined(AIX) || defined(HPUX)
+
+ static PRStatus
+ handleSigChild(JNIEnv *env) {
+@@ -333,8 +333,6 @@ Java_org_mozilla_jss_CryptoManager_initi
+ jboolean initializeJavaOnly )
+ {
+ SECStatus rv = SECFailure;
+- JavaVM *VMs[5];
+- jint numVMs;
+ char *szConfigDir = NULL;
+ char *szCertPrefix = NULL;
+ char *szKeyPrefix = NULL;
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-08-10 16:21:30.849767000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-08-10 18:22:37.887077000 -0700
+@@ -263,7 +263,7 @@ JNIEXPORT jobject JNICALL
+ Java_org_mozilla_jss_CryptoManager_findPrivKeyByCertNative
+ (JNIEnv *env, jobject this, jobject Cert)
+ {
+- PRThread *pThread;
++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread=NULL;
+ CERTCertificate *cert;
+ PK11SlotInfo *slot;
+ SECKEYPrivateKey *privKey=NULL;
+@@ -458,7 +458,7 @@ JNIEXPORT jobjectArray JNICALL
+ Java_org_mozilla_jss_CryptoManager_buildCertificateChainNative
+ (JNIEnv *env, jobject this, jobject leafCert)
+ {
+- PRThread *pThread;
++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread=NULL;
+ CERTCertificate *leaf;
+ jobjectArray chainArray=NULL;
+ CERTCertDBHandle *certdb;
+@@ -812,7 +812,7 @@ Java_org_mozilla_jss_CryptoManager_impor
+ SECItem *derCerts=NULL;
+ int certi= -1;
+ SECItem theDerCert;
+- int numCerts;
++ int numCerts = 0;
+ jbyte *packageBytes=NULL;
+ jsize packageLen;
+ SECStatus status;
+@@ -1486,7 +1486,7 @@ Java_org_mozilla_jss_CryptoManager_impor
+ CERTSignedCrl *crl = NULL;
+ SECItem *packageItem = NULL;
+ int status = SECFailure;
+- char *url;
++ char *url = NULL;
+ char *errmsg = NULL;
+
+ /***************************************************
+@@ -1651,7 +1651,7 @@ JNIEXPORT jint JNICALL
+ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative(JNIEnv *env,
+ jobject self, jstring nickString, jboolean checkSig)
+ {
+- SECStatus rv = SECFailure;
++ SECStatus VARIABLE_MAY_NOT_BE_USED rv = SECFailure;
+ SECCertificateUsage currUsage = 0x0000;
+
+ rv = verifyCertificateNow(env, self, nickString, checkSig, 0, &currUsage);
+@@ -1736,7 +1736,6 @@ Java_org_mozilla_jss_CryptoManager_verif
+ SECStatus rv = SECFailure;
+ SECCertUsage certUsage;
+ SECItem *derCerts[2];
+- SECStatus status;
+ CERTCertificate **certArray = NULL;
+ CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
+
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c 2003-12-19 11:36:30.000000000 -0800
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/SecretDecoderRing/KeyManager.c 2011-08-10 16:58:52.527501000 -0700
+@@ -358,7 +358,6 @@ Java_org_mozilla_jss_SecretDecoderRing_K
+ {
+ PK11SlotInfo *slot = NULL;
+ PK11SymKey *symk = NULL;
+- SECStatus status;
+
+ /* get the slot */
+ if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS ) {
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c 2004-04-25 08:02:21.000000000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/PQGParams.c 2011-08-11 09:40:34.001421000 -0700
+@@ -371,7 +371,7 @@ Java_org_mozilla_jss_crypto_PQGParams_pa
+ /***********************************************************************
+ * Perform the verification.
+ */
+- if( PK11_PQG_VerifyParams(pParams, pVfy, &verifyResult) != PR_SUCCESS) {
++ if( PK11_PQG_VerifyParams(pParams, pVfy, &verifyResult) != SECSuccess) {
+ JSS_throw(env, OUT_OF_MEMORY_ERROR);
+ goto finish;
+ }
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c 2004-04-25 08:02:22.000000000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cert.c 2011-08-10 18:30:07.942629000 -0700
+@@ -62,7 +62,7 @@
+ JNIEXPORT jbyteArray JNICALL Java_org_mozilla_jss_pkcs11_PK11Cert_getEncoded
+ (JNIEnv *env, jobject this)
+ {
+- PRThread *pThread;
++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
+ CERTCertificate *cert;
+ SECItem *derCert;
+ jbyteArray derArray=NULL;
+@@ -118,9 +118,9 @@ finish:
+ JNIEXPORT jint JNICALL Java_org_mozilla_jss_pkcs11_PK11Cert_getVersion
+ (JNIEnv *env, jobject this)
+ {
+- PRThread *pThread;
++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
+ CERTCertificate *cert;
+- long lVersion;
++ long lVersion = 0;
+
+ pThread = PR_AttachThread(PR_SYSTEM_THREAD, 0, NULL);
+ PR_ASSERT(pThread != NULL);
+@@ -165,7 +165,7 @@ Java_org_mozilla_jss_pkcs11_PK11Cert_get
+ {
+ CERTCertificate *cert;
+ SECKEYPublicKey *pubk=NULL;
+- PRThread *pThread;
++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
+ jobject pubKey=NULL;
+
+ PR_ASSERT(env!=NULL && this!=NULL);
+@@ -210,7 +210,7 @@ Java_org_mozilla_jss_pkcs11_CertProxy_re
+ (JNIEnv *env, jobject this)
+ {
+ CERTCertificate *cert;
+- PRThread *pThread;
++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
+
+ PR_ASSERT(env!=NULL && this!=NULL);
+
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c 2004-04-25 08:02:22.000000000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Cipher.c 2011-08-10 16:42:43.822494000 -0700
+@@ -73,7 +73,7 @@ Java_org_mozilla_jss_pkcs11_PK11Cipher_i
+ SECItem *iv=NULL;
+ PK11Context *context=NULL;
+ CK_ATTRIBUTE_TYPE op;
+- jobject contextObj;
++ jobject contextObj = NULL;
+
+ PR_ASSERT(env!=NULL && clazz!=NULL && keyObj!=NULL && algObj!=NULL);
+
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2005-11-14 14:15:06.000000000 -0800
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyGenerator.c 2011-08-11 09:23:03.220470000 -0700
+@@ -207,7 +207,7 @@ finish:
+ }
+ #endif
+
+-static void
++static void FUNCTION_MAY_NOT_BE_USED
+ print_secitem(SECItem *item) {
+ int i;
+ int online;
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-08-10 16:21:30.270767000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-08-10 18:33:11.773445000 -0700
+@@ -450,7 +450,7 @@ DumpItem(SECItem *item)
+ for (i=0; i < item->len; i++) {
+ printf(" %02x",data[i]);
+ }
+- printf(" : 0x%08x %d\n", data, item->len);
++ printf(" : %8p %d\n", data, item->len);
+ }
+
+ /**********************************************************************
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2006-02-22 17:21:42.000000000 -0800
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-08-10 16:52:03.052910000 -0700
+@@ -562,7 +562,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+ jint keyLen, jbyteArray ivBA, jint usageEnum)
+ {
+ PK11SymKey *symKey=NULL;
+- CK_MECHANISM_TYPE wrappingMech, keyTypeMech;
++ CK_MECHANISM_TYPE wrappingMech=0, keyTypeMech=0;
+ SECItem *wrappedKey=NULL, *iv=NULL, *param=NULL;
+ jobject keyObj=NULL;
+ SECKEYPrivateKey *wrappingKey=NULL;
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2004-04-25 08:02:22.000000000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-08-10 16:52:54.951857000 -0700
+@@ -88,7 +88,6 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD
+ PK11Context *context = NULL;
+ CK_MECHANISM_TYPE mech;
+ SECItem param;
+- PK11SlotInfo *slot=NULL;
+ jobject contextObj=NULL;
+
+ mech = JSS_getPK11MechFromAlg(env, algObj);
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c 2007-02-23 09:40:21.000000000 -0800
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Module.c 2011-08-10 16:53:28.788823000 -0700
+@@ -254,7 +254,7 @@ Java_org_mozilla_jss_pkcs11_ModuleProxy_
+ {
+ SECMODModule *module;
+
+- if (JSS_getPtrFromProxy(env, this, &module) != PR_SUCCESS) {
++ if (JSS_getPtrFromProxy(env, this, (void **)&module) != PR_SUCCESS) {
+ ASSERT_OUTOFMEM(env);
+ goto finish;
+ }
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c 2006-04-24 18:26:42.000000000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PrivKey.c 2011-08-10 18:34:20.954376000 -0700
+@@ -174,7 +174,7 @@ JNIEXPORT jobject JNICALL
+ Java_org_mozilla_jss_pkcs11_PK11PrivKey_getKeyType
+ (JNIEnv *env, jobject this)
+ {
+- PRThread *pThread;
++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
+ SECKEYPrivateKey *privk;
+ KeyType keyType;
+ char* keyTypeFieldName;
+@@ -259,7 +259,7 @@ Java_org_mozilla_jss_pkcs11_PrivateKeyPr
+ (JNIEnv *env, jobject this)
+ {
+ SECKEYPrivateKey *privk;
+- PRThread *pThread;
++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
+
+ PR_ASSERT(env!=NULL && this!=NULL);
+
+@@ -358,7 +358,6 @@ Java_org_mozilla_jss_pkcs11_PK11PrivKey_
+ (JNIEnv *env, jobject this)
+ {
+ SECKEYPrivateKey *key = NULL;
+- PK11SlotInfo *slot = NULL;
+ SECItem *idItem = NULL;
+ jbyteArray byteArray = NULL;
+
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2006-02-22 17:21:42.000000000 -0800
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-08-10 18:35:04.390333000 -0700
+@@ -62,7 +62,7 @@ JNIEXPORT void JNICALL Java_org_mozilla_
+ (JNIEnv *env, jobject this)
+ {
+ SECKEYPublicKey *pubk;
+- PRThread *pThread;
++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
+
+ PR_ASSERT(env!=NULL && this!=NULL);
+
+@@ -179,7 +179,7 @@ JNIEXPORT void JNICALL
+ Java_org_mozilla_jss_pkcs11_PK11PubKey_verifyKeyIsOnToken
+ (JNIEnv *env, jobject this, jobject token)
+ {
+- PRThread *pThread;
++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
+ SECKEYPublicKey *key = NULL;
+ PK11SlotInfo *slot = NULL;
+ PK11SlotInfo *keySlot = NULL;
+@@ -231,7 +231,7 @@ JNIEXPORT jobject JNICALL
+ Java_org_mozilla_jss_pkcs11_PK11PubKey_getKeyType
+ (JNIEnv *env, jobject this)
+ {
+- PRThread *pThread;
++ PRThread * VARIABLE_MAY_NOT_BE_USED pThread;
+ SECKEYPublicKey *pubk;
+ KeyType keyType;
+ char* keyTypeFieldName;
+@@ -454,7 +454,7 @@ get_public_key_info
+ {
+ SECKEYPublicKey *pubk;
+ jbyteArray byteArray=NULL;
+- SECItem *item;
++ SECItem *item=NULL;
+
+ PR_ASSERT(env!=NULL && this!=NULL);
+
+@@ -526,7 +526,6 @@ pubkFromRaw(JNIEnv *env, CK_KEY_TYPE typ
+ {
+ jobject pubkObj=NULL;
+ SECKEYPublicKey *pubk=NULL;
+- SECStatus rv;
+ SECItem *pubkDER=NULL;
+
+ /* validate args */
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c 2005-01-28 11:16:11.000000000 -0800
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SecureRandom.c 2011-08-10 18:36:05.252271000 -0700
+@@ -112,7 +112,7 @@ Java_org_mozilla_jss_pkcs11_PK11SecureRa
+ * "C" data members
+ */
+
+- PRThread* pThread = NULL;
++ PRThread* VARIABLE_MAY_NOT_BE_USED pThread = NULL;
+ SECStatus status = PR_FALSE;
+ PK11SlotInfo* slot = NULL;
+
+@@ -262,7 +262,7 @@ Java_org_mozilla_jss_pkcs11_PK11SecureRa
+ * "C" data members
+ */
+
+- PRThread* pThread = NULL;
++ PRThread* VARIABLE_MAY_NOT_BE_USED pThread = NULL;
+ SECStatus status = PR_FALSE;
+
+
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2006-04-03 16:09:49.000000000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-08-10 18:38:12.365145000 -0700
+@@ -319,7 +319,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de
+ (JNIEnv *env, jobject this, jobject certObject)
+ {
+ CERTCertificate *cert;
+- SECStatus status;
++ SECStatus VARIABLE_MAY_NOT_BE_USED status;
+
+ PR_ASSERT(env!=NULL && this!=NULL);
+ if(certObject == NULL) {
+@@ -349,7 +349,7 @@ Java_org_mozilla_jss_pkcs11_PK11Store_de
+ (JNIEnv *env, jobject this, jobject certObject)
+ {
+ CERTCertificate *cert;
+- SECStatus status;
++ SECStatus VARIABLE_MAY_NOT_BE_USED status;
+
+ PR_ASSERT(env!=NULL && this!=NULL);
+ if(certObject == NULL) {
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2004-04-25 08:02:22.000000000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11SymKey.c 2011-08-11 09:42:52.967282000 -0700
+@@ -233,7 +233,7 @@ Java_org_mozilla_jss_pkcs11_PK11SymKey_g
+ jfieldID typeField=NULL;
+ jobject typeObject=NULL;
+
+- if( JSS_PK11_getSymKeyPtr(env, this, &key) != SECSuccess ) {
++ if( JSS_PK11_getSymKeyPtr(env, this, &key) != PR_SUCCESS ) {
+ ASSERT_OUTOFMEM(env);
+ goto finish;
+ }
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2007-11-09 16:37:57.000000000 -0800
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-08-10 18:38:52.421104000 -0700
+@@ -961,9 +961,9 @@ JNIEXPORT jstring JNICALL Java_org_mozil
+ jstring keyType, jbyteArray P, jbyteArray Q, jbyteArray G)
+ {
+ PK11SlotInfo *slot;
+- const char* c_subject;
++ const char* c_subject=NULL;
+ jboolean isCopy;
+- unsigned char *b64request;
++ unsigned char *b64request=NULL;
+ SECItem p, q, g;
+ PQGParams *dsaParams=NULL;
+ const char* c_keyType;
+@@ -1080,7 +1080,7 @@ GenerateCertRequest(JNIEnv *env,
+ SECStatus rv;
+ PRArenaPool *arena;
+ SECItem result_der, result;
+- SECItem *blob;
++ SECItem * VARIABLE_MAY_NOT_BE_USED blob;
+ CK_MECHANISM_TYPE signMech;
+ CK_MECHANISM_TYPE keygenMech;
+
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c 2003-09-24 15:20:05.000000000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.c 2011-08-10 16:57:42.991570000 -0700
+@@ -89,7 +89,6 @@ traverseTokenObjects
+ SECKEYPublicKeyList* pubkList = NULL;
+ PK11SymKey *symKey = NULL;
+ CERTCertList *certList = NULL;
+- SECStatus secstat;
+
+ /*
+ * Get all private keys
+@@ -508,7 +507,6 @@ lookupCertByNickname(JNIEnv *env, jobjec
+ {
+ PK11SlotInfo *slot;
+ EngineGetCertificateCBInfo cbinfo = {NULL,NULL};
+- jbyteArray derCertBA = NULL;
+ PRStatus status = PR_FAILURE;
+
+ if( alias == NULL ) goto finish;
+@@ -813,7 +811,6 @@ Java_org_mozilla_jss_provider_java_secur
+ PK11SlotInfo *slot;
+ EngineGetCertificateCBInfo cbinfo = {NULL,NULL};
+ jboolean retVal = JNI_FALSE;
+- SECKEYPrivateKey *privk = NULL;
+
+ if( alias == NULL ) goto finish;
+
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-08-10 16:21:30.395765000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-08-10 17:05:15.363117000 -0700
+@@ -397,7 +397,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_getSo
+ {
+ PRSocketOptionData sockOptions;
+ JSSL_SocketData *sock = NULL;
+- jint retval;
++ jint retval=-1;
+ PRStatus status;
+
+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
+@@ -874,7 +874,7 @@ JNIEXPORT jint JNICALL
+ Java_org_mozilla_jss_ssl_SSLSocket_socketAvailable(
+ JNIEnv *env, jobject self)
+ {
+- jint available;
++ jint available=0;
+ JSSL_SocketData *sock = NULL;
+
+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2011-08-10 16:21:30.434766000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/common.c 2011-08-11 09:44:12.310202000 -0700
+@@ -64,7 +64,7 @@ JSSL_throwSSLSocketException(JNIEnv *env
+ jmethodID excepCons;
+ jobject excepObj;
+ jstring msgString;
+- jint result;
++ jint VARIABLE_MAY_NOT_BE_USED result;
+
+ /*
+ * get the error code and error string
+@@ -149,8 +149,8 @@ Java_org_mozilla_jss_ssl_SocketBase_sock
+ jbyteArray sdArray = NULL;
+ JSSL_SocketData *sockdata = NULL;
+ SECStatus status;
+- PRFileDesc *newFD;
+- PRFileDesc *tmpFD;
++ PRFileDesc *newFD = NULL;
++ PRFileDesc *tmpFD = NULL;
+ PRFilePrivate *priv = NULL;
+ int socketFamily = 0;
+
+@@ -627,7 +627,7 @@ Java_org_mozilla_jss_ssl_SocketBase_getS
+ SECStatus status = SECSuccess;
+ PRBool bOption = PR_FALSE;
+
+- if( JSSL_getSockData(env, self, &sock) != SECSuccess ) {
++ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
+ goto finish;
+ }
+
+@@ -649,7 +649,7 @@ JSSL_getSockAddr
+ (JNIEnv *env, jobject self, PRNetAddr *addr, LocalOrPeer localOrPeer)
+ {
+ JSSL_SocketData *sock = NULL;
+- PRStatus status;
++ PRStatus status=PR_FAILURE;
+
+ /* get my fd */
+ if( JSSL_getSockData(env, self, &sock) != PR_SUCCESS ) {
+@@ -893,7 +893,7 @@ JSS_SSL_processExceptions(JNIEnv *env, P
+
+ finish:
+ if( currentExcep != NULL && (*env)->ExceptionOccurred(env) == NULL) {
+- int ret = (*env)->Throw(env, currentExcep);
++ int VARIABLE_MAY_NOT_BE_USED ret = (*env)->Throw(env, currentExcep);
+ PR_ASSERT(ret == 0);
+ }
+ }
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-08-10 16:21:30.446765000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-08-10 17:03:48.769206000 -0700
+@@ -92,7 +92,7 @@ writebuf(JNIEnv *env, PRFileDesc *fd, jo
+ jmethodID getOutputStream, writeMethod;
+ jclass sockClass, osClass;
+ jobject outputStream;
+- jint arrayLen;
++ jint arrayLen=-1;
+ PRInt32 retval;
+
+ /*
+@@ -211,7 +211,7 @@ jsock_write(PRFileDesc *fd, const PRIOVe
+ jobject sockObj;
+ JNIEnv *env;
+ jbyteArray outbufArray;
+- PRInt32 retval;
++ PRInt32 retval=-1;
+
+ if( GET_ENV(fd->secret->javaVM, env) ) goto finish;
+
+@@ -500,7 +500,7 @@ static PRInt32
+ jsock_recv(PRFileDesc *fd, void *buf, PRInt32 amount,
+ PRIntn flags, PRIntervalTime timeout)
+ {
+- PRInt32 retval;
++ PRInt32 retval=-1;
+ JNIEnv *env;
+ jobject sockObj;
+ jbyteArray byteArray;
+@@ -637,7 +637,7 @@ getIntProperty(JNIEnv *env, jobject sock
+ {
+ jclass sockClass;
+ jmethodID method;
+- jint retval;
++ jint retval=0;
+
+ sockClass = (*env)->GetObjectClass(env, sock);
+ if( sockClass == NULL ) goto finish;
+@@ -1001,12 +1001,6 @@ static const PRIOMethods jsockMethods =
+ (PRReservedFN) invalidInt
+ };
+
+-static const PRIOMethods*
+-getJsockMethods()
+-{
+- return &jsockMethods;
+-}
+-
+ static void
+ jsockDestructor(PRFileDesc *fd)
+ {
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2004-04-25 08:02:29.000000000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-08-10 18:24:58.470937000 -0700
+@@ -115,7 +115,7 @@ void
+ JSS_throwMsg(JNIEnv *env, char *throwableClassName, char *message) {
+
+ jclass throwableClass;
+- jint result;
++ jint VARIABLE_MAY_NOT_BE_USED result;
+
+ /* validate arguments */
+ PR_ASSERT(env!=NULL && throwableClassName!=NULL && message!=NULL);
+@@ -156,7 +156,7 @@ JSS_throw(JNIEnv *env, char *throwableCl
+ jclass throwableClass;
+ jobject throwable;
+ jmethodID constructor;
+- jint result;
++ jint VARIABLE_MAY_NOT_BE_USED result;
+
+ PR_ASSERT( (*env)->ExceptionOccurred(env) == NULL );
+
+@@ -222,7 +222,9 @@ JSS_throw(JNIEnv *env, char *throwableCl
+ PRStatus
+ JSS_getPtrFromProxy(JNIEnv *env, jobject nativeProxy, void **ptr)
+ {
++#ifdef DEBUG
+ jclass nativeProxyClass;
++#endif
+ jclass proxyClass;
+ jfieldID byteArrayField;
+ jbyteArray byteArray;
+@@ -745,7 +747,7 @@ JSS_trace(JNIEnv *env, jint level, char
+ void
+ JSS_assertOutOfMem(JNIEnv *env)
+ {
+- jclass memErrClass;
++ jclass VARIABLE_MAY_NOT_BE_USED memErrClass;
+ jthrowable excep;
+
+ PR_ASSERT(env != NULL);
+@@ -804,7 +806,7 @@ JSS_SECItemToByteArray(JNIEnv *env, SECI
+ goto finish;
+ }
+
+- (*env)->SetByteArrayRegion(env, array, 0, item->len, item->data);
++ (*env)->SetByteArrayRegion(env, array, 0, item->len, (jbyte*)item->data);
+
+ finish:
+ return array;
+diff -rupN patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h
+--- patched-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h 2004-04-25 08:02:29.000000000 -0700
++++ alt-jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.h 2011-08-11 18:12:56.926098000 -0700
+@@ -36,6 +36,19 @@
+ #ifndef JSS_NATIVE_UTIL_H
+ #define JSS_NATIVE_UTIL_H
+
++/* The following #defines are used to suppress undesired compiler warnings
++ * that have been deemed inappropriate.
++ *
++ * IMPORTANT: These are ONLY used on an "as-needed" basis!
++ */
++#ifdef __GNUC__
++#define FUNCTION_MAY_NOT_BE_USED __attribute__ ((unused))
++#define VARIABLE_MAY_NOT_BE_USED __attribute__ ((unused))
++#else
++#define FUNCTION_MAY_NOT_BE_USED
++#define VARIABLE_MAY_NOT_BE_USED
++#endif
++
+ /* Need to include these first.
+ * #include <nspr.h>
+ * #include <jni.h>
diff --git a/jss-eliminate-native-coverity-defects.patch b/jss-eliminate-native-coverity-defects.patch
new file mode 100644
index 0000000..68e0fad
--- /dev/null
+++ b/jss-eliminate-native-coverity-defects.patch
@@ -0,0 +1,253 @@
+diff -rupN jss-4.2.6.orig/mozilla/security/coreconf/nsinstall/pathsub.c jss-4.2.6/mozilla/security/coreconf/nsinstall/pathsub.c
+--- jss-4.2.6.orig/mozilla/security/coreconf/nsinstall/pathsub.c 2004-04-25 08:02:18.000000000 -0700
++++ jss-4.2.6/mozilla/security/coreconf/nsinstall/pathsub.c 2011-09-17 18:37:39.875900000 -0700
+@@ -275,9 +275,11 @@ diagnosePath(const char * path)
+ rv = readlink(myPath, buf, sizeof buf);
+ if (rv < 0) {
+ perror("readlink");
+- buf[0] = 0;
+- } else {
++ buf[0] = 0;
++ } else if ( rv < BUFSIZ ) {
+ buf[rv] = 0;
++ } else {
++ buf[BUFSIZ-1] = 0;
+ }
+ fprintf(stderr, "%s is a link to %s\n", myPath, buf);
+ } else if (S_ISDIR(sb.st_mode)) {
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-09-17 17:33:08.823975000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.c 2011-09-17 20:09:35.446977000 -0700
+@@ -728,14 +728,14 @@ getPWFromCallback(PK11SlotInfo *slot, PR
+ }
+
+ finish:
+- if( (exception=(*env)->ExceptionOccurred(env)) != NULL) {
+ #ifdef DEBUG
++ if( (exception=(*env)->ExceptionOccurred(env)) != NULL) {
+ jclass giveupClass;
+ jmethodID printStackTrace;
+ jclass excepClass;
+-#endif
++
+ (*env)->ExceptionClear(env);
+-#ifdef DEBUG
++
+ giveupClass = (*env)->FindClass(env, GIVE_UP_EXCEPTION);
+ PR_ASSERT(giveupClass != NULL);
+ if( ! (*env)->IsInstanceOf(env, exception, giveupClass) ) {
+@@ -746,8 +746,12 @@ finish:
+ PR_ASSERT( PR_FALSE );
+ }
+ PR_ASSERT(returnchars==NULL);
+-#endif
+ }
++#else
++ if( ((*env)->ExceptionOccurred(env)) != NULL) {
++ (*env)->ExceptionClear(env);
++ }
++#endif
+ return returnchars;
+ }
+
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-09-17 17:33:08.834976000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2011-09-19 16:51:46.438021000 -0700
+@@ -768,6 +768,10 @@ static int find_leaf_cert(
+ int *linked = NULL;
+
+ linked = PR_Malloc( sizeof(int) * numCerts );
++ if (linked == NULL) {
++ status = 0;
++ goto finish;
++ }
+
+ /* initialize the bitmap */
+ for (i = 0; i < numCerts; i++) {
+@@ -1735,7 +1739,7 @@ Java_org_mozilla_jss_CryptoManager_verif
+ {
+ SECStatus rv = SECFailure;
+ SECCertUsage certUsage;
+- SECItem *derCerts[2];
++ SECItem *derCerts[2] = { NULL, NULL };
+ CERTCertificate **certArray = NULL;
+ CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
+
+@@ -1749,7 +1753,6 @@ Java_org_mozilla_jss_CryptoManager_verif
+ }
+ PR_ASSERT(certdb != NULL);
+
+- derCerts[0] = NULL;
+ derCerts[0] = JSS_ByteArrayToSECItem(env, packageArray);
+ derCerts[1] = NULL;
+
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-17 17:33:08.708976000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Algorithm.c 2011-09-17 19:37:52.834292000 -0700
+@@ -235,7 +235,7 @@ static PRStatus
+ getAlgInfo(JNIEnv *env, jobject alg, JSS_AlgInfo *info)
+ {
+ jint index;
+- PRStatus status;
++ PRStatus status = PR_FAILURE;
+
+ PR_ASSERT(env!=NULL && alg!=NULL && info!=NULL);
+
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-09-17 17:33:08.970975000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c 2011-09-17 19:47:21.850722000 -0700
+@@ -181,7 +181,7 @@ Java_org_mozilla_jss_pkcs11_PK11MessageD
+ PK11Context *context=NULL;
+ jbyte *bytes=NULL;
+ SECStatus status;
+- unsigned int outLen;
++ unsigned int outLen = 0;
+
+ if( JSS_PK11_getCipherContext(env, proxyObj, &context) != PR_SUCCESS) {
+ /* exception was thrown */
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-09-17 17:33:09.013977000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11PubKey.c 2011-09-17 18:16:40.231161000 -0700
+@@ -273,6 +273,7 @@ Java_org_mozilla_jss_pkcs11_PK11PubKey_g
+ break;
+ case keaKey:
+ keyTypeFieldName = KEA_KEYTYPE_FIELD;
++ break;
+ default:
+ PR_ASSERT(PR_FALSE);
+ keyTypeFieldName = NULL_KEYTYPE_FIELD;
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-09-17 17:33:09.032977000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Store.c 2011-09-17 19:48:57.776628000 -0700
+@@ -390,12 +390,6 @@ importPrivateKey
+ SECStatus status;
+ SECItem nickname;
+
+- keyType = JSS_PK11_getKeyType(env, keyTypeObj);
+- if( keyType == nullKey ) {
+- /* exception was thrown */
+- goto finish;
+- }
+-
+ /*
+ * initialize so we can goto finish
+ */
+@@ -403,6 +397,12 @@ importPrivateKey
+ derPK.len = 0;
+
+
++ keyType = JSS_PK11_getKeyType(env, keyTypeObj);
++ if( keyType == nullKey ) {
++ /* exception was thrown */
++ goto finish;
++ }
++
+ PR_ASSERT(env!=NULL && this!=NULL);
+
+ if(keyArray == NULL) {
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-09-17 17:33:09.050976000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.c 2011-09-17 19:53:46.184339000 -0700
+@@ -962,12 +962,12 @@ JNIEXPORT jstring JNICALL Java_org_mozil
+ {
+ PK11SlotInfo *slot;
+ const char* c_subject=NULL;
+- jboolean isCopy;
++ jboolean isCopy = JNI_FALSE;
+ unsigned char *b64request=NULL;
+ SECItem p, q, g;
+ PQGParams *dsaParams=NULL;
+ const char* c_keyType;
+- jboolean k_isCopy;
++ jboolean k_isCopy = JNI_FALSE;
+ SECOidTag signType = SEC_OID_UNKNOWN;
+ PK11RSAGenParams rsaParams;
+ void *params = NULL;
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-09-17 17:33:09.073977000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c 2011-09-17 19:56:20.428184000 -0700
+@@ -516,11 +516,6 @@ Java_org_mozilla_jss_ssl_SSLSocket_socke
+ goto finish;
+ }
+
+- if( addrBAelems == NULL ) {
+- ASSERT_OUTOFMEM(env);
+- goto finish;
+- }
+-
+ if(addrBALen != 4 && addrBALen != 16) {
+ JSSL_throwSSLSocketException(env, "Invalid address in connect!");
+ goto finish;
+@@ -720,7 +715,7 @@ Java_org_mozilla_jss_ssl_SSLSocket_getCi
+ {
+ JSSL_SocketData *sock=NULL;
+ SECStatus status;
+- PRBool enabled;
++ PRBool enabled = PR_FAILURE;
+
+ /* get the fd */
+ if( JSSL_getSockData(env, sockObj, &sock) != PR_SUCCESS) {
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c 2004-09-03 11:32:03.000000000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/callbacks.c 2011-09-17 18:15:07.825252000 -0700
+@@ -684,17 +684,13 @@ JSSL_ConfirmExpiredPeerCert(void *arg, P
+ * Now check the name field in the cert against the desired hostname.
+ * NB: This is our only defense against Man-In-The-Middle (MITM) attacks!
+ */
+- if( peerCert == NULL ) {
+- rv = SECFailure;
++ char* hostname = NULL;
++ hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */
++ if (hostname && hostname[0]) {
++ rv = CERT_VerifyCertName(peerCert, hostname);
++ PORT_Free(hostname);
+ } else {
+- char* hostname = NULL;
+- hostname = SSL_RevealURL(fd); /* really is a hostname, not a URL */
+- if (hostname && hostname[0]) {
+- rv = CERT_VerifyCertName(peerCert, hostname);
+- PORT_Free(hostname);
+- } else {
+- rv = SECFailure;
+- }
++ rv = SECFailure;
+ }
+ }
+
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-09-17 17:33:09.094977000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/ssl/javasock.c 2011-09-17 19:16:38.546566000 -0700
+@@ -95,6 +95,10 @@ writebuf(JNIEnv *env, PRFileDesc *fd, jo
+ jint arrayLen=-1;
+ PRInt32 retval;
+
++ if( env == NULL ) {
++ goto finish;
++ }
++
+ /*
+ * get the OutputStream
+ */
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c 2002-07-03 17:25:46.000000000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/NativeErrcodes.c 2011-09-18 23:02:28.130883000 -0700
+@@ -427,6 +427,7 @@ JSS_ConvertNativeErrcodeToJava(PRErrorCo
+ #endif
+
+ key.native = nativeErrcode;
++ key.java = -1;
+ target = bsearch( &key, errcodeTable, numErrcodes, sizeof(Errcode),
+ errcodeCompare );
+
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/jssutil.c jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-09-17 17:33:09.103977000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/util/jssutil.c 2011-09-19 16:38:19.428634000 -0700
+@@ -529,7 +529,7 @@ JSS_wipeCharArray(char* array)
+ */
+ static char* getPWFromConsole()
+ {
+- char c;
++ int c;
+ char *ret;
+ int i;
+ char buf[200]; /* no buffer overflow: we bail after 200 chars */
diff --git a/jss-wrapInToken.patch b/jss-wrapInToken.patch
new file mode 100644
index 0000000..697895f
--- /dev/null
+++ b/jss-wrapInToken.patch
@@ -0,0 +1,158 @@
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-10-18 09:16:08.362000000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-10-19 17:55:01.162000000 -0700
+@@ -283,8 +283,9 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+ status = PK11_WrapPrivKey(slot, wrapping, toBeWrapped, mech, param,
+ &wrapped, NULL /* wincx */ );
+ if(status != SECSuccess) {
+- JSS_throwMsg(env, TOKEN_EXCEPTION,
+- "Wrapping operation failed on token");
++ char err[256] = {0};
++ PR_snprintf(err, 256, "Wrapping operation failed on token:%d", PR_GetError());
++ JSS_throwMsg(env, TOKEN_EXCEPTION, err);
+ goto finish;
+ }
+ PR_ASSERT(wrapped.len>0 && wrapped.data!=NULL);
+@@ -328,11 +329,15 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+ int numAttribs = 0;
+ CK_TOKEN_INFO tokenInfo;
+
++ /* ideal defaults */
+ PRBool isSensitive = PR_TRUE;
+ PRBool isExtractable = PR_FALSE;
+- /* special case nethsm*/
++
++ /* special case nethsm and lunasa*/
+ CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
++ CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'};
+ PRBool isNethsm = PR_TRUE;
++ PRBool isLunasa = PR_TRUE;
+
+ if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
+ /* exception was thrown */
+@@ -347,9 +352,17 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+ break;
+ }
+ }
++ ix = 0;
++ for(ix=0; ix < 4; ix++) {
++ if (tokenInfo.label[ix] != lunasaLabel[ix]) {
++ isLunasa = PR_FALSE;
++ break;
++ }
++ }
+
+ } else {
+ isNethsm = PR_FALSE;
++ isLunasa = PR_FALSE;
+ }
+
+ /* get unwrapping key */
+@@ -412,23 +425,25 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+ }
+ keyType = PK11_GetKeyType(keyTypeMech, 0);
+
++ /* special case nethsm and lunasa*/
+ if( isNethsm ) {
+ isSensitive = PR_FALSE;
+ isExtractable = PR_FALSE;
++ } else if ( isLunasa) {
++ isSensitive = PR_FALSE;
++ isExtractable = PR_TRUE;
+ }
+
+-setAttrs:
+ /* figure out which operations to enable for this key */
+ switch (keyType) {
+ case CKK_RSA:
++ numAttribs = 3;
+ attribs[0] = CKA_SIGN;
+ attribs[1] = CKA_SIGN_RECOVER;
+ attribs[2] = CKA_UNWRAP;
+ if (isExtractable) {
+ attribs[3] = CKA_EXTRACTABLE;
+ numAttribs = 4;
+- } else {
+- numAttribs = 3;
+ }
+ break;
+ case CKK_DSA:
+@@ -459,7 +474,9 @@ setAttrs:
+ &label, pubValue, token, isSensitive /*sensitive*/, keyType,
+ attribs, numAttribs, NULL /*wincx*/);
+ if( privk == NULL ) {
+- JSS_throwMsg(env, TOKEN_EXCEPTION, "Key Unwrap failed on token");
++ char err[256] = {0};
++ PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError());
++ JSS_throwMsg(env, TOKEN_EXCEPTION, err);
+ goto finish;
+ }
+
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfu 2011-10-18 15:29:50.597000000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java 2011-10-18 15:49:40.073000000 -0700
+@@ -322,10 +322,13 @@ final class PK11KeyWrapper implements Ke
+ throw new InvalidKeyException("key to be wrapped is not a "+
+ "PKCS #11 key");
+ }
++/* NSS is capable of moving keys appropriately,
++ so this call is prematurely bailing
+ if( ! symKey.getOwningToken().equals(token) ) {
+ throw new InvalidKeyException("key to be wrapped does not live"+
+ " on the same token as the wrapping key");
+ }
++*/
+ }
+
+ /**
+@@ -340,10 +343,13 @@ final class PK11KeyWrapper implements Ke
+ throw new InvalidKeyException("key to be wrapped is not a "+
+ "PKCS #11 key");
+ }
++/* NSS is capable of moving keys appropriately,
++ so this call is prematurely bailing
+ if( ! privKey.getOwningToken().equals(token) ) {
+ throw new InvalidKeyException("key to be wrapped does not live"+
+ " on the same token as the wrapping key");
+ }
++*/
+ }
+
+ /**
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java.cfu 2011-10-18 14:34:32.148000000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11Token.java 2011-10-18 14:35:20.402000000 -0700
+@@ -135,10 +135,13 @@ public final class PK11Token implements
+ getKeyWrapper(KeyWrapAlgorithm algorithm)
+ throws NoSuchAlgorithmException, TokenException
+ {
++/* NSS is capable of finding the right token to do algorithm,
++ so this call is prematurely bailing
+ if( ! doesAlgorithm(algorithm) ) {
+ throw new NoSuchAlgorithmException(
+ algorithm+" is not supported by this token");
+ }
++*/
+ return new PK11KeyWrapper(this, algorithm);
+ }
+
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java.cfu 2011-10-18 09:24:13.796001000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java 2011-10-18 15:41:24.687000000 -0700
+@@ -243,7 +243,7 @@ public class EncryptedPrivateKeyInfo imp
+ }
+
+ KeyWrapper wrapper = token.getKeyWrapper(
+- KeyWrapAlgorithm.DES3_CBC);
++ KeyWrapAlgorithm.DES3_CBC_PAD);
+ wrapper.initWrap(key, params);
+ byte encrypted[] = wrapper.wrap(pri);
+
+@@ -260,6 +260,7 @@ public class EncryptedPrivateKeyInfo imp
+ return epki;
+
+ } catch (Exception e) {
++ System.out.println("createPBE: exception:"+e.toString());
+ Assert.notReached("EncryptedPrivateKeyInfo exception:"
+ +".createPBE");
+ }
diff --git a/jss.spec b/jss.spec
index d69e6a0..a4c43af 100644
--- a/jss.spec
+++ b/jss.spec
@@ -1,6 +1,6 @@
Name: jss
Version: 4.2.6
-Release: 17%{?dist}
+Release: 21%{?dist}
Summary: Java Security Services (JSS)
Group: System Environment/Libraries
@@ -34,6 +34,12 @@ Patch9: jss-bad-error-string-pointer.patch
Patch10: jss-VerifyCertificateReturnCU.patch
#Patch11: jss-slots-not-freed.patch
Patch12: jss-ECC-HSM-FIPS.patch
+Patch13: jss-eliminate-native-compiler-warnings.patch
+Patch14: jss-eliminate-java-compiler-warnings.patch
+Patch15: jss-PKCS12-FIPS.patch
+Patch16: jss-eliminate-native-coverity-defects.patch
+Patch17: jss-PBE-PKCS5-V2-secure-P12.patch
+Patch18: jss-wrapInToken.patch
%description
@@ -63,6 +69,12 @@ This package contains the API documentation for JSS.
%patch10 -p1
#%patch11 -p1
%patch12 -p1
+%patch13 -p1
+%patch14 -p1
+%patch15 -p1
+%patch16 -p1
+%patch17 -p1
+%patch18 -p1
%build
[ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
@@ -97,6 +109,11 @@ USE_64=1
export USE_64
%endif
+%if 0%{?fedora} >= 16
+cp -p mozilla/security/coreconf/Linux2.6.mk mozilla/security/coreconf/Linux3.1.mk
+sed -i -e 's;LINUX2_1;LINUX3_1;' mozilla/security/coreconf/Linux3.1.mk
+%endif
+
# The Makefile is not thread-safe
make -C mozilla/security/coreconf
make -C mozilla/security/jss
@@ -113,12 +130,17 @@ cp -p %{SOURCE3} .
# There is no install target so we'll do it by hand
# jars
+%if 0%{?fedora} >= 16
+install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
+install -m 644 mozilla/dist/xpclass.jar ${RPM_BUILD_ROOT}%{_jnidir}/jss4.jar
+%else
install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
install -m 644 mozilla/dist/xpclass.jar ${RPM_BUILD_ROOT}%{_libdir}/jss/jss4-%{version}.jar
ln -fs jss4-%{version}.jar $RPM_BUILD_ROOT%{_libdir}/jss/jss4.jar
install -d -m 0755 $RPM_BUILD_ROOT%{_jnidir}
ln -fs %{_libdir}/jss/jss4.jar $RPM_BUILD_ROOT%{_jnidir}/jss4.jar
+%endif
# We have to use the name libjss4.so because this is dynamically
# loaded by the jar file.
@@ -146,6 +168,27 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Wed Oct 19 2011 Christina Fu <cfu at redhat.com> - 4.2.6-21
+- Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping
+ unwrapping keys should be done in the token
+- support for PKCS5v2; support for secure PKCS12
+- Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after the
+ in-place upgrade( CS 8.0->8.1)
+
+* Mon Sep 19 2011 Matthew Harmsen <mharmsen at redhat.com> - 4.2.6-20
+- Bugzilla Bug #715621 - Defects revealed by Coverity scan
+
+* Wed Aug 31 2011 Matthew Harmsen <mharmsen at redhat.com> - 4.2.6-19.1
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+
+* Mon Aug 15 2011 Christina Fu <cfu at redhat.com> - 4.2.6-19
+- Bugzilla Bug 733550 - DRM failed to recovery keys when in FIPS mode
+ (HSM + NSS)
+
+* Fri Aug 12 2011 Matthew Harmsen <mharmsen at redhat.com> - 4.2.6-18
+- Bugzilla Bug #660436 - Warnings should be cleaned up in JSS build
+ (jdennis, mharmsen)
+
* Wed May 18 2011 Christina Fu <cfu at redhat.com> - 4.2.6-17
- Bug 670980 - Cannot create system certs when using LunaSA HSM in FIPS Mode
and ECC algorithms (support tokens that don't do ECDH)
More information about the scm-commits
mailing list