[jss/f16] Bugzilla Bug #797351 - JSS - HSM token name was mistaken for manufacturer identifier Bugzilla Bug #8

mharmsen mharmsen at fedoraproject.org
Thu Mar 22 04:20:40 UTC 2012


commit d1f78b72651ff23fc885c4dda3a8461635e72419
Author: Matthew Harmsen <mharmsen at redhat.com>
Date:   Wed Mar 21 21:20:25 2012 -0700

    Bugzilla Bug #797351 - JSS - HSM token name was mistaken for manufacturer identifier
    Bugzilla Bug #804840 - [RFE] ECC encryption keys cannot be archived ECC phase2 work - support for ECC encryption key archival and recovery
    Bugzilla Bug #783007 - Un-deprecate previously deprecated methods in JSS 4.2.6 . . .
    Dogtag TRAC Task #109 (https://fedorahosted.org/pki/ticket/109) - add benign JNI jar file symbolic link from JNI libdir to JNI jar file

 clog                                    |    5 -
 jss-ECC-Phase2KeyArchivalRecovery.patch |  451 +++++++++++++++++++++++++++++++
 jss-HSM-manufacturerID.patch            |   62 +++++
 jss-undo-JCA-deprecations.patch         |  171 ++++++++++++
 jss.spec                                |   29 ++-
 5 files changed, 712 insertions(+), 6 deletions(-)
---
diff --git a/jss-ECC-Phase2KeyArchivalRecovery.patch b/jss-ECC-Phase2KeyArchivalRecovery.patch
new file mode 100644
index 0000000..1bcc238
--- /dev/null
+++ b/jss-ECC-Phase2KeyArchivalRecovery.patch
@@ -0,0 +1,451 @@
+diff -up jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig jss-4.2.6/mozilla/security/jss/build_java.pl
+--- jss-4.2.6/mozilla/security/jss/build_java.pl.cfuOrig	2012-03-19 17:48:57.615048000 -0700
++++ jss-4.2.6/mozilla/security/jss/build_java.pl	2012-03-19 17:48:53.250052000 -0700
+@@ -19,6 +19,7 @@ org.mozilla.jss.crypto.Algorithm
+ org.mozilla.jss.crypto.EncryptionAlgorithm      
+ org.mozilla.jss.crypto.PQGParams     
+ org.mozilla.jss.crypto.SecretDecoderRing
++org.mozilla.jss.asn1.ASN1Util
+ org.mozilla.jss.pkcs11.CertProxy        
+ org.mozilla.jss.pkcs11.CipherContextProxy 
+ org.mozilla.jss.pkcs11.PK11Module 
+diff -up jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/config.mk
+--- jss-4.2.6/mozilla/security/jss/lib/config.mk.cfuOrig	2012-03-19 17:48:57.535048000 -0700
++++ jss-4.2.6/mozilla/security/jss/lib/config.mk	2012-03-19 17:48:53.264052000 -0700
+@@ -44,6 +44,7 @@ SHARED_LIBRARY_DIRS = \
+     ../org/mozilla/jss/SecretDecoderRing \
+     ../org/mozilla/jss \
+     ../org/mozilla/jss/pkcs11 \
++    ../org/mozilla/jss/asn1 \
+     ../org/mozilla/jss/ssl \
+     ../org/mozilla/jss/util \
+     ../org/mozilla/jss/provider/java/security \
+diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig jss-4.2.6/mozilla/security/jss/lib/jss.def
+--- jss-4.2.6/mozilla/security/jss/lib/jss.def.cfuOrig	2012-03-19 17:48:57.362048000 -0700
++++ jss-4.2.6/mozilla/security/jss/lib/jss.def	2012-03-19 17:48:53.278052000 -0700
+@@ -333,6 +333,7 @@ Java_org_mozilla_jss_CryptoManager_OCSPC
+ Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
+ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
+ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
++Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid;
+ ;+    local:
+ ;+       *;
+ ;+};
+diff -up jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig jss-4.2.6/mozilla/security/jss/lib/rules.mk
+--- jss-4.2.6/mozilla/security/jss/lib/rules.mk.cfuOrig	2012-03-19 17:48:57.574049000 -0700
++++ jss-4.2.6/mozilla/security/jss/lib/rules.mk	2012-03-19 17:48:53.288052000 -0700
+@@ -41,6 +41,7 @@ release_sanitize::
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsscrypto$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssmanage$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspkcs11$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
++	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssasn1$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspolicy$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssssl$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssutil$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+@@ -48,6 +49,7 @@ ifeq ($(OS_ARCH),WINNT)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsscrypto$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssmanage$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspkcs11$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
++	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssasn1$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspolicy$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssssl$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ 	-rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssutil$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c.cfuOrig	2012-03-19 17:48:57.381048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.c	2012-03-19 17:51:32.433893000 -0700
+@@ -0,0 +1,97 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 1998-2000
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++#include "_jni/org_mozilla_jss_asn1_ASN1Util.h"
++#include <pk11func.h>
++#include <nspr.h>
++#include <seccomon.h>
++#include <key.h>
++#include <secitem.h>
++
++#include <jssutil.h>
++#include <java_ids.h>
++#include <jss_exceptions.h>
++#include <Algorithm.h>
++
++/***********************************************************************
++ *
++ * Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid
++ *     retrieves OID description by NSS's OID Tag identifier
++ *     the OID byte array is expected to be without the OID Tag (6) and size
++ *        (together 2 bytes)
++ */
++JNIEXPORT jstring JNICALL
++Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid(JNIEnv *env, jobject this, jbyteArray oidBA)
++{
++    SECItem *oid = NULL;
++    SECOidTag oidTag = SEC_OID_UNKNOWN;
++    char *oidDesc = NULL;
++    jstring description= "";
++
++    if (oidBA == NULL) {
++        JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
++            "JSS getTagDescriptionByOid: oidBA null");
++        goto finish;
++    } else {
++        /**************************************************
++         * Setup the parameters
++         *************************************************/
++        oid = JSS_ByteArrayToSECItem(env, oidBA);
++        if (oid == NULL) {
++            JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
++                "JSS getTagDescriptionByOid: JSS_ByteArrayToSECItem failed");
++            goto finish;
++        }
++
++        /*
++         * SECOID_FindOIDTag() returns SEC_OID_UNKNOWN if no match
++         */
++        oidTag = SECOID_FindOIDTag(oid);
++        if (oidTag == SEC_OID_UNKNOWN) {
++            JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
++                "JSS getTagDescriptionByOid: OID UNKNOWN");
++            goto finish;
++        }
++
++        oidDesc = SECOID_FindOIDTagDescription(oidTag);
++        if (oidDesc == NULL) {
++            oidDesc = "";
++        }
++        description = (*env)->NewStringUTF(env, oidDesc);
++    }
++
++finish:
++    return description;
++}
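Review bot: `jstring description= "";` initialises a JNI reference with a C string literal, and that pointer is what every `goto finish` error path returns, so the JVM is handed a value that is not a reference alongside the pending exception; it should be `jstring description = NULL;`. The `SECItem` returned by `JSS_ByteArrayToSECItem` is also never released, which looks like a leak on every call if that helper heap-allocates (its definition is not visible here); `finish:` could begin with `if (oid != NULL) SECITEM_FreeItem(oid, PR_TRUE);`. The header comment could also say that an exception is thrown for a null array and for an OID NSS does not recognise.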
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java.cfuOrig	2012-03-19 17:48:57.119048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/ASN1Util.java	2012-03-19 18:03:20.766186000 -0700
+@@ -36,6 +36,8 @@
+ package org.mozilla.jss.asn1;
+ 
+ import java.io.*;
++import java.util.Arrays;
++
+ import org.mozilla.jss.asn1.InvalidBERException;
+ import org.mozilla.jss.util.Assert;
+ 
+@@ -114,4 +116,71 @@ public class ASN1Util {
+             numRead += nr;
+         }
+     }
++
++    /**
++     * returns the ECC curve byte array given the X509 public key byte array
++     *
++     * @param X509PubKeyBytes byte array of an X509PubKey
++     * @param withHeader tells if the return byes should inclulde the tag and size header or not
++     */
++    public static byte[] getECCurveBytesByX509PublicKeyBytes(byte[] X509PubKeyBytes,
++        boolean withHeader)
++        throws IllegalArgumentException, ArrayIndexOutOfBoundsException,
++               NullPointerException
++    {
++        if ((X509PubKeyBytes == null) || (X509PubKeyBytes.length == 0)) {
++            throw new IllegalArgumentException("X509PubKeyBytes null");
++        }
++
++        /* EC public key OID complete with tag and size */
++        byte[] EC_PubOIDBytes_full =
++            ASN1Util.encode(OBJECT_IDENTIFIER.EC_PUBKEY_OID);
++
++        /* EC public key OID without tag and size */
++        byte[] EC_PubOIDBytes =
++            Arrays.copyOfRange(EC_PubOIDBytes_full, 2, EC_PubOIDBytes_full.length);
++
++        int curveBeginIndex = 0;
++        for (int idx = 0; idx<= X509PubKeyBytes.length; idx++) {
++            byte[] tmp = 
++                Arrays.copyOfRange(X509PubKeyBytes, idx, idx+EC_PubOIDBytes.length);
++            if (Arrays.equals(tmp, EC_PubOIDBytes)) {
++                curveBeginIndex = idx+ EC_PubOIDBytes.length;
++                break;
++            }
++        }
++
++        int curveByteArraySize = (int) X509PubKeyBytes[curveBeginIndex+ 1];
++
++        if (withHeader) {
++            /* actual curve with tag and size */
++            byte curve[] = Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex, curveBeginIndex + curveByteArraySize + 2);
++            return curve;
++        } else {
++            /* actual curve without tag and size */
++            byte curve[] = 
++                Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex + 2,
++                    curveBeginIndex + 2 + curveByteArraySize);
++            return curve;
++        }
++    }
++
++    /**
++     * getOIDdescription() returns a text description of the OID
++     *     from OID byte array
++     * the OID byte array is expected to be without the OID Tag (6) and size
++     *    (together 2 bytes)
++     */
++    public static String
++    getOIDdescription(byte[] oidBA) {
++        return getTagDescriptionByOid(oidBA);
++    }
++
++    /**
++     * get OID description JNI method
++     */
++    private native static String
++    getTagDescriptionByOid(byte[] oidBA);
++
++
+ }
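Review bot: The OID scan in `getECCurveBytesByX509PublicKeyBytes` cannot report a miss: `Arrays.copyOfRange` zero-pads past the end of the array, so the loop (bounded by `idx<= X509PubKeyBytes.length`) runs to completion without a match and leaves `curveBeginIndex` at 0, after which `X509PubKeyBytes[curveBeginIndex+ 1]` is taken as the curve length from an unrelated byte. The length byte is also used signed and is never checked against the array, so a short or malformed key produces a zero-padded result or an unrelated exception instead of a clear rejection. Since these bytes are supplied by the caller, I would record whether the OID was found, mask the length, and refuse anything that does not fit in the buffer, as sketched below. The Javadoc is also missing `@return` and `@throws`, and "byes should inclulde" should read "bytes should include".

```java
        // … unchanged: null/empty check and EC_PubOIDBytes setup …
        int curveBeginIndex = -1;
        for (int idx = 0; idx + EC_PubOIDBytes.length <= X509PubKeyBytes.length; idx++) {
            byte[] tmp =
                Arrays.copyOfRange(X509PubKeyBytes, idx, idx + EC_PubOIDBytes.length);
            if (Arrays.equals(tmp, EC_PubOIDBytes)) {
                curveBeginIndex = idx + EC_PubOIDBytes.length;
                break;
            }
        }
        if (curveBeginIndex < 0 || curveBeginIndex + 2 > X509PubKeyBytes.length) {
            throw new IllegalArgumentException("EC public key OID not found in X509PubKeyBytes");
        }

        /* only the short (single-byte) DER length form is handled here */
        int curveByteArraySize = X509PubKeyBytes[curveBeginIndex + 1] & 0xff;
        if (curveByteArraySize >= 0x80
                || curveBeginIndex + 2 + curveByteArraySize > X509PubKeyBytes.length) {
            throw new IllegalArgumentException("EC curve length out of range");
        }
        // … unchanged: withHeader / without-header copyOfRange returns …
```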
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile.cfuOrig	2012-03-19 17:48:57.467048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/Makefile	2012-03-19 17:48:53.348052000 -0700
+@@ -57,7 +57,7 @@ include $(CORE_DEPTH)/$(MODULE)/config/c
+ #######################################################################
+ # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+ #######################################################################
+-#include config.mk
++include config.mk
+ 
+ 
+ #######################################################################
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java.cfuOrig	2012-03-19 17:48:57.178048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java	2012-03-19 17:48:53.364052000 -0700
+@@ -52,6 +52,12 @@ public class OBJECT_IDENTIFIER implement
+     ///////////////////////////////////////////////////////////////////////
+ 
+     /**
++     * The OID space for EC
++     */
++    public static final OBJECT_IDENTIFIER EC_PUBKEY_OID =
++        new OBJECT_IDENTIFIER( new long[]{1, 2, 840, 10045, 2, 1} );
++
++    /**
+      * The OID space for RSA Data Security, Inc.
+      */
+     public static final OBJECT_IDENTIFIER RSADSI =
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk.cfuOrig	2012-03-19 17:48:57.398048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/config.mk	2012-03-19 17:48:53.381052000 -0700
+@@ -0,0 +1,41 @@
++# 
++# ***** BEGIN LICENSE BLOCK *****
++# Version: MPL 1.1/GPL 2.0/LGPL 2.1
++#
++# The contents of this file are subject to the Mozilla Public License Version
++# 1.1 (the "License"); you may not use this file except in compliance with
++# the License. You may obtain a copy of the License at
++# http://www.mozilla.org/MPL/
++#
++# Software distributed under the License is distributed on an "AS IS" basis,
++# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++# for the specific language governing rights and limitations under the
++# License.
++#
++# The Original Code is the Netscape Security Services for Java.
++#
++# The Initial Developer of the Original Code is
++# Netscape Communications Corporation.
++# Portions created by the Initial Developer are Copyright (C) 1998-2000
++# the Initial Developer. All Rights Reserved.
++#
++# Contributor(s):
++#
++# Alternatively, the contents of this file may be used under the terms of
++# either the GNU General Public License Version 2 or later (the "GPL"), or
++# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++# in which case the provisions of the GPL or the LGPL are applicable instead
++# of those above. If you wish to allow use of your version of this file only
++# under the terms of either the GPL or the LGPL, and not to allow others to
++# use your version of this file under the terms of the MPL, indicate your
++# decision by deleting the provisions above and replace them with the notice
++# and other provisions required by the GPL or the LGPL. If you do not delete
++# the provisions above, a recipient may use your version of this file under
++# the terms of any one of the MPL, the GPL or the LGPL.
++#
++# ***** END LICENSE BLOCK *****
++TARGETS=$(LIBRARY)
++SHARED_LIBRARY=
++IMPORT_LIBRARY=
++
++NO_MD_RELEASE = 1
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn.cfuOrig	2012-03-19 17:48:57.434048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/asn1/manifest.mn	2012-03-19 17:48:53.401052000 -0700
+@@ -41,6 +41,8 @@ MODULE = jss
+  
+ NS_USE_JDK = 1
+ 
++REQUIRES =      nspr20 nss
++
+ PACKAGE =       org/mozilla/jss/asn1
+ 
+ CLASSES = 											\
+@@ -112,3 +114,9 @@ JSRCS = 											\
+             UTCTime.java                            \
+             UTF8String.java                         \
+ 			$(NULL)
++
++CSRCS =                             \
++            ASN1Util.c     \
++            $(NULL)
++
++LIBRARY_NAME = jssasn1
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn.cfuOrig	2012-03-19 17:48:57.502048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/manifest.mn	2012-03-19 17:48:53.413052000 -0700
+@@ -48,6 +48,7 @@ DIRS =	\
+ 	crypto	\
+     SecretDecoderRing \
+ 	pkcs11	\
++    asn1   \
+     ssl     \
+     provider \
+ 	$(NULL)
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java.cfuOrig	2012-03-19 17:48:57.238048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java	2012-03-19 17:48:53.432052000 -0700
+@@ -61,15 +61,29 @@ public final class PK11ECPublicKey exten
+ //      }
+ //    }
+ //
+-//    public BigInteger getW() {
+-//      try {
+-//        return new BigInteger( getWByteArray() );
+-//      } catch(NumberFormatException e) {
+-//        Assert.notReached("Unable to decode DSA public value");
+-//        return null;
+-//      }
+-//    }
+-//
+-//    private native byte[] getCurveByteArray();
+-//    private native byte[] getWByteArray();
++
++    public BigInteger getCurve() {
++      try {
++        return new BigInteger( getCurveByteArray() );
++      } catch(NumberFormatException e) {
++       Assert.notReached("Unable to decode EC curve");
++       return null;
++      }
++    }
++
++    public byte[] getCurveBA() {
++        return getCurveByteArray();
++    }
++
++    public BigInteger getW() {
++      try {
++        return new BigInteger( getWByteArray() );
++      } catch(NumberFormatException e) {
++        Assert.notReached("Unable to decode EC public value");
++        return null;
++      }
++    }
++
++    private native byte[] getCurveByteArray();
++    private native byte[] getWByteArray();
+ }
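Review bot: The three new public accessors have no Javadoc, and what they return is not obvious from the names: `getCurve()` passes the native curve bytes to `new BigInteger(...)`, which reads them as a signed two's-complement integer, so callers that need the bytes unchanged should be pointed at `getCurveBA()`. The `catch(NumberFormatException e)` only covers a zero-length array; a null return from the native method would surface as a `NullPointerException` instead. I would add `/** Returns the curve bytes exactly as the native layer supplies them. */` on `getCurveBA()` and document on `getCurve()` and `getW()` that they return `null` when decoding fails.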
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfuOrig	2012-03-19 17:48:57.272048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c	2012-03-19 17:48:53.450052000 -0700
+@@ -450,6 +450,14 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+             numAttribs = 4;
+         }
+ 	break;
++    case CKK_EC:
++        numAttribs = 1;
++        attribs[0] = CKA_SIGN;
++        if (isExtractable) {
++            attribs[1] = CKA_EXTRACTABLE;
++            numAttribs = 2;
++        }
++	break;
+     case CKK_DSA:
+         attribs[0] = CKA_SIGN;
+         numAttribs = 1;
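Review bot: The relocated `case CKK_EC:` unwraps the private key with `CKA_SIGN` (plus `CKA_EXTRACTABLE` when requested), and the next hunk removes the old `CKA_DERIVE` entry, which is surprising in a change described as ECC encryption-key archival and recovery: a recovered key meant for ECDH would presumably need derive usage on tokens that enforce attributes. If dropping it is deliberate, a comment on the case should say so, e.g. `/* CKA_DERIVE omitted: <reason> */`; otherwise keep `attribs[1] = CKA_DERIVE;` and append `CKA_EXTRACTABLE` after it. The switch and the `attribs` declaration begin outside the hunk, so the array size should be checked if a third entry is added.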
+@@ -460,11 +468,6 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+         attribs[0] = CKA_DERIVE;
+         numAttribs = 1;
+ 	break;
+-    case CKK_EC:
+-        attribs[0] = CKA_SIGN;
+-        attribs[1] = CKA_DERIVE;
+-        numAttribs = 2;
+-	break;
+     default:
+         /* unknown key type */
+         PR_ASSERT(PR_FALSE);
+@@ -479,7 +482,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+                 attribs, numAttribs, NULL /*wincx*/);
+     if( privk == NULL ) {
+         char err[256] = {0};
+-        PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError());
++        PR_snprintf(err, 256, "Key Unwrap failed on token:error=%d, keyType=%d", PR_GetError(), keyType);
+         JSS_throwMsg(env, TOKEN_EXCEPTION, err);
+         goto finish;
+     }
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java.cfuOrig	2012-03-19 17:48:57.298048000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java	2012-03-19 17:48:53.471052000 -0700
+@@ -459,13 +459,19 @@ final class PK11KeyWrapper implements Ke
+         if( type == PrivateKey.RSA ) {
+             if( !(publicKey instanceof RSAPublicKey)) {
+                 throw new InvalidKeyException("Type of public key does not "+
+-                    "match type of private key");
++                    "match type of private key which is RSA");
+             }
+             return ((RSAPublicKey)publicKey).getModulus().toByteArray();
++        } else if(type == PrivateKey.EC) {
++            if( !(publicKey instanceof PK11ECPublicKey) ) {
++                throw new InvalidKeyException("Type of public key does not "+
++                    "match type of private key which is EC");
++            }
++            return ((PK11ECPublicKey)publicKey).getW().toByteArray();
+         } else if(type == PrivateKey.DSA) {
+             if( !(publicKey instanceof DSAPublicKey) ) {
+                 throw new InvalidKeyException("Type of public key does not "+
+-                    "match type of private key");
++                    "match type of private key which is DSA");
+             }
+             return ((DSAPublicKey)publicKey).getY().toByteArray();
+         } else {
diff --git a/jss-HSM-manufacturerID.patch b/jss-HSM-manufacturerID.patch
new file mode 100644
index 0000000..2a7bdff
--- /dev/null
+++ b/jss-HSM-manufacturerID.patch
@@ -0,0 +1,62 @@
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu	2011-11-10 17:18:02.706421000 -0800
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c	2011-11-10 17:18:23.370442000 -0800
+@@ -195,7 +195,8 @@ JSS_PK11_generateKeyPairWithOpFlags(JNIE
+             }
+             PR_GetErrorText(errBuf);
+         }
+-        msgBuf = PR_smprintf("Keypair Generation failed on token: %s",
++        msgBuf = PR_smprintf("Keypair Generation failed on token with error: %d : %s",
++            PR_GetError(),
+             errLength>0? errBuf : "");
+         if(errLength>0) {
+             PR_Free(errBuf);
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu	2011-11-10 17:18:10.767429000 -0800
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c	2011-11-10 17:52:34.703491000 -0800
+@@ -334,32 +334,36 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+     PRBool isExtractable = PR_FALSE;
+ 
+     /* special case nethsm and lunasa*/
+-    CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
+-    CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'};
++    const int numManufacturerIDchars = 7;
++    CK_UTF8CHAR nethsmManufacturerID[] = {'n','C','i','p','h','e','r'};
++    CK_UTF8CHAR lunasaManufacturerID[] = {'S','a','f','e','n','e','t'};
+     PRBool isNethsm = PR_TRUE;
+     PRBool isLunasa = PR_TRUE;
+ 
++    tokenInfo.manufacturerID[0] = 0;
++
+     if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
+         /* exception was thrown */
+         goto finish;
+     }
+ 
+-    if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) {
++    if ( (PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) &&
++       (tokenInfo.manufacturerID[0] != 0)) {
+         int ix = 0;
+-        for(ix=0; ix < 4; ix++) {
+-            if (tokenInfo.label[ix] != nethsmLabel[ix]) {
++
++        for(ix=0; ix < numManufacturerIDchars; ix++) {
++            if (tokenInfo.manufacturerID[ix] != nethsmManufacturerID[ix]) {
+                isNethsm = PR_FALSE;
+                break;
+             }
+         }
+-        ix = 0;
+-        for(ix=0; ix < 4; ix++) {
+-            if (tokenInfo.label[ix] != lunasaLabel[ix]) {
++
++        for(ix=0; ix < numManufacturerIDchars; ix++) {
++            if (tokenInfo.manufacturerID[ix] != lunasaManufacturerID[ix]) {
+                isLunasa = PR_FALSE;
+                break;
+             }
+         }
+-
+     } else {
+         isNethsm = PR_FALSE;
+         isLunasa = PR_FALSE;
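Review bot: The HSM special-casing now depends on a case-sensitive, 7-character prefix match of `tokenInfo.manufacturerID`, with the length held in `numManufacturerIDchars` separately from the two arrays, so a later edit to either literal can silently compare too few or too many bytes. Tying the length to the data, e.g. `isNethsm = (memcmp(tokenInfo.manufacturerID, nethsmManufacturerID, sizeof nethsmManufacturerID) == 0);`, removes that coupling and replaces the two hand-written loops. The string is whatever the PKCS#11 module reports, so a comment recording the exact vendor strings this was tested against would help whoever next sees a token fall through to the default path. What `isNethsm` and `isLunasa` gate is outside the hunk.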
diff --git a/jss-undo-JCA-deprecations.patch b/jss-undo-JCA-deprecations.patch
new file mode 100644
index 0000000..a51c51a
--- /dev/null
+++ b/jss-undo-JCA-deprecations.patch
@@ -0,0 +1,171 @@
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java	2012-03-20 16:30:26.570338000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Cipher.java	2012-03-20 16:39:59.083196000 -0700
+@@ -49,7 +49,6 @@ import org.mozilla.jss.util.Assert;
+  * it is not necessary to call <code>update</code> if all of the data is
+  * available at once.  In this case, all of the input can be processed with one
+  * call to <code>doFinal</code>.
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
+  */
+ public abstract class Cipher {
+ 
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java	2012-03-20 16:30:26.587338000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/CryptoToken.java	2012-03-20 16:41:54.792964000 -0700
+@@ -60,7 +60,6 @@ public interface CryptoToken {
+      * @param algorithm The algorithm used for the signing/verification.
+      * @exception java.security.NoSuchAlgorithmException If the given
+      *      algorithm is not supported by this provider.
+-     * @deprecated Use the JCA interface instead ({@link java.security.Signature})
+      */
+     public abstract org.mozilla.jss.crypto.Signature
+     getSignatureContext(SignatureAlgorithm algorithm)
+@@ -73,7 +72,6 @@ public interface CryptoToken {
+      * @param algorithm The algorithm used for digesting.
+      * @exception java.security.NoSuchAlgorithmException If this provider
+      *  does not support the given algorithm.
+-     * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest})
+      */
+     public abstract JSSMessageDigest
+     getDigestContext(DigestAlgorithm algorithm)
+@@ -89,15 +87,11 @@ public interface CryptoToken {
+      * @param algorithm The algorithm used for encryption/decryption.
+      * @exception java.security.NoSuchAlgorithmException If this provider
+      *      does not support the given algorithm.
+-     * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
+      */
+     public abstract Cipher
+     getCipherContext(EncryptionAlgorithm algorithm)
+         throws java.security.NoSuchAlgorithmException, TokenException;
+ 
+-    /**
+-     * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
+-     */
+     public abstract KeyWrapper
+     getKeyWrapper(KeyWrapAlgorithm algorithm)
+         throws java.security.NoSuchAlgorithmException, TokenException;
+@@ -123,7 +117,6 @@ public interface CryptoToken {
+      * @param algorithm The algorithm that the keys will be used with.
+      * @exception java.security.NoSuchAlgorithmException If this token does not
+      *      support the given algorithm.
+-     * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator})
+      */
+     public abstract KeyGenerator
+     getKeyGenerator(KeyGenAlgorithm algorithm)
+@@ -136,7 +129,6 @@ public interface CryptoToken {
+      *      cannot be extracted from the current token.
+      * @exception InvalidKeyException If the owning token cannot process
+      *      the key to be cloned.
+-     * @deprecated Use the JCA interface instead ({@link javax.crypto.SecretKeyFactory})
+      */
+     public SymmetricKey cloneKey(SymmetricKey key)
+         throws SymmetricKey.NotExtractableException,
+@@ -151,7 +143,6 @@ public interface CryptoToken {
+      *      DSA, EC, etc.)
+      * @exception java.security.NoSuchAlgorithmException If this token does
+      *      not support the given algorithm.
+-     * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})
+      */
+     public abstract KeyPairGenerator
+     getKeyPairGenerator(KeyPairAlgorithm algorithm)
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java	2012-03-20 16:30:26.595338000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java	2012-03-20 16:38:31.987370000 -0700
+@@ -41,7 +41,6 @@ import java.security.InvalidKeyException
+ 
+ /**
+  * A class for performing message digesting (hashing) and MAC operations.
+- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest})
+  */
+ public abstract class JSSMessageDigest {
+ 
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java	2004-04-25 08:02:21.000000000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java	2012-03-20 16:39:02.938308000 -0700
+@@ -38,7 +38,6 @@ package org.mozilla.jss.crypto;
+ 
+ /**
+  * An interface for secure random numbers.
+- * @deprecated Use the JCA interface instead ({@link java.security.SecureRandom})
+  */
+ public interface JSSSecureRandom {
+ 
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java	2005-11-14 14:15:06.000000000 -0800
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyGenerator.java	2012-03-20 16:39:19.687274000 -0700
+@@ -43,7 +43,6 @@ import java.io.CharConversionException;
+ 
+ /**
+  * Generates symmetric keys for encryption and decryption.
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator})
+  */
+ public interface KeyGenerator {
+ 
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java	2012-03-20 16:30:25.755340000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java	2012-03-20 16:38:03.635426000 -0700
+@@ -49,7 +49,6 @@ import java.security.spec.AlgorithmParam
+  * <code>keygenOnInternalToken</code> to find out if this is happening.
+  *
+  * @see org.mozilla.jss.crypto.CryptoToken#getKeyPairGenerator
+- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})
+  */
+ public class KeyPairGenerator {
+ 
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java	2004-04-25 08:02:21.000000000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/KeyWrapper.java	2012-03-20 16:39:40.551232000 -0700
+@@ -40,9 +40,6 @@ import java.security.InvalidAlgorithmPar
+ import java.security.PublicKey;
+ import java.security.InvalidKeyException;
+ 
+-/**
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
+- */
+ public interface KeyWrapper {
+ 
+     public void initWrap(SymmetricKey wrappingKey,
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java	2004-04-25 08:02:21.000000000 -0700
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/Signature.java	2012-03-20 16:38:46.468340000 -0700
+@@ -44,7 +44,6 @@ import java.security.spec.AlgorithmParam
+  * Instances of this class can be obtain from <code>CryptoToken</code>s.
+  *
+  * @see org.mozilla.jss.crypto.CryptoToken#getSignatureContext
+- * @deprecated Use the JCA interface instead ({@link java.security.Signature})
+  */
+ public class Signature { 
+ 
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java	2005-11-23 15:40:26.000000000 -0800
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/SigTest.java	2012-03-20 16:35:13.653766000 -0700
+@@ -37,15 +37,10 @@
+ 
+ /* This program demonstrates how to sign data with keys from JSS
+  *
+- * Most of this code is deprecated look at JCASigTest.java
+- *
+  * The token name can be either the name of a hardware token, or
+  * one of the internal tokens:
+  *  Internal Crypto Services Token
+  *  Internal Key Storage Token    (keys stored in key3.db)
+- *
+- * @see org.mozilla.jss.tests.JCASigTest
+- * @deprecated Use the JCA interface instead
+  */
+ 
+ package org.mozilla.jss.tests;
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl
+--- jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/tests/all.pl	2007-12-20 10:38:44.000000000 -0800
++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/tests/all.pl	2012-03-20 16:36:37.711598000 -0700
+@@ -534,6 +534,10 @@ $testname = "Mozilla-JSS JCA Signature "
+ $command = "$java -cp $jss_classpath org.mozilla.jss.tests.JCASigTest $testdir $pwfile";
+ run_test($testname, $command);
+ 
++$testname = "Mozilla-JSS NSS Signature ";
++$command = "$java -cp $jss_classpath org.mozilla.jss.tests.SigTest $testdir $pwfile";
++run_test($testname, $command);
++
+ $testname = "Secret Decoder Ring";
+ $command = "$java -cp $jss_classpath org.mozilla.jss.tests.TestSDR $testdir $pwfile";
+ run_test($testname, $command);
diff --git a/jss.spec b/jss.spec
index a4c43af..c5d3b9a 100644
--- a/jss.spec
+++ b/jss.spec
@@ -1,6 +1,6 @@
 Name:           jss
 Version:        4.2.6
-Release:        21%{?dist}
+Release:        23%{?dist}
 Summary:        Java Security Services (JSS)
 
 Group:          System Environment/Libraries
@@ -40,6 +40,9 @@ Patch15:        jss-PKCS12-FIPS.patch
 Patch16:        jss-eliminate-native-coverity-defects.patch
 Patch17:        jss-PBE-PKCS5-V2-secure-P12.patch
 Patch18:        jss-wrapInToken.patch
+Patch19:        jss-HSM-manufacturerID.patch
+Patch20:        jss-ECC-Phase2KeyArchivalRecovery.patch
+Patch21:        jss-undo-JCA-deprecations.patch
 
 
 %description
@@ -75,6 +78,9 @@ This package contains the API documentation for JSS.
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
 
 %build
 [ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java
@@ -112,6 +118,9 @@ export USE_64
 %if 0%{?fedora} >= 16
 cp -p mozilla/security/coreconf/Linux2.6.mk mozilla/security/coreconf/Linux3.1.mk 
 sed -i -e 's;LINUX2_1;LINUX3_1;' mozilla/security/coreconf/Linux3.1.mk
+
+cp -p mozilla/security/coreconf/Linux3.1.mk mozilla/security/coreconf/Linux3.2.mk 
+sed -i -e 's;LINUX3_1;LINUX3_2;' mozilla/security/coreconf/Linux3.2.mk
 %endif
 
 # The Makefile is not thread-safe
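Review bot: The `Linux3.2.mk` copy added under `%if 0%{?fedora} >= 16` hard-codes one more kernel minor version, and nothing in the spec says why these copies exist or when the next one is needed. Judging by the file names, coreconf appears to pick its platform file from the build host's kernel release; that is not visible in this diff, but if so the build result depends on which kernel the builder is running. I would put a comment above both copies, for example `# coreconf selects Linux<major>.<minor>.mk from the build host kernel; add a copy for each kernel the builders may run`. The %build section starts and ends outside this hunk.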
@@ -146,6 +155,11 @@ ln -fs %{_libdir}/jss/jss4.jar $RPM_BUILD_ROOT%{_jnidir}/jss4.jar
 # loaded by the jar file.
 install -d -m 0755 $RPM_BUILD_ROOT%{_libdir}/jss
 install -m 0755 mozilla/dist/Linux*.OBJ/lib/libjss4.so ${RPM_BUILD_ROOT}%{_libdir}/jss/
+%if 0%{?fedora} >= 16
+pushd  ${RPM_BUILD_ROOT}%{_libdir}/jss
+    ln -fs %{_jnidir}/jss4.jar jss4.jar
+popd
+%endif
 
 # javadoc
 install -d -m 0755 $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
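Review bot: The new link from `%{_libdir}/jss/jss4.jar` to `%{_jnidir}/jss4.jar` points the opposite way to the `ln -fs %{_libdir}/jss/jss4.jar $RPM_BUILD_ROOT%{_jnidir}/jss4.jar` line shown in this hunk's header, so the two would form a symlink loop if both ran in the same build. The surrounding conditionals are outside the hunk, so please confirm the older link sits in a branch that excludes Fedora 16 and later, and record that in a comment such as `# F16+: the jar is installed in %{_jnidir}; keep a compatibility link at the old %{_libdir}/jss path`. The `pushd`/`popd` pair can be replaced by the single line `ln -fs %{_jnidir}/jss4.jar ${RPM_BUILD_ROOT}%{_libdir}/jss/jss4.jar`. No %files change is visible in this diff, so the link is packaged only if an existing entry already covers that directory.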
@@ -168,6 +182,19 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Tue Mar 20 2012 Christina Fu <cfu at redhat.com> - 4.2.6-23
+- Bugzilla Bug #797351 - JSS - HSM token name was mistaken for manufacturer
+  identifier (cfu)
+- Bugzilla Bug #804840 - [RFE] ECC encryption keys cannot be archived
+  ECC phase2 work - support for ECC encryption key archival and recovery (cfu)
+- Bugzilla Bug #783007 - Un-deprecate previously deprecated methods in
+  JSS 4.2.6 . . . (mharmsen)
+- Dogtag TRAC Task #109 (https://fedorahosted.org/pki/ticket/109) - add
+  benign JNI jar file symbolic link from JNI libdir to JNI jar file (mharmsen)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 4.2.6-22
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
 * Wed Oct 19 2011 Christina Fu <cfu at redhat.com> - 4.2.6-21
 - Bugzilla Bug #737122 - DRM: during archiving and recovering, wrapping
   unwrapping keys should be done in the token

