diff --git a/.gitignore b/.gitignore
index 6c8702e..de898e2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,4 @@ jss-4.2.6.tar.gz
 /jss-4.6.2.tar.gz
 /jss-4.6.3.tar.gz
 /jss-4.6.4.tar.gz
+/jss-4.7.0-b2.tar.gz
diff --git a/0001-Fix-base64-encoding-of-CSRs.patch b/0001-Fix-base64-encoding-of-CSRs.patch
deleted file mode 100644
index f898ed1..0000000
--- a/0001-Fix-base64-encoding-of-CSRs.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 18efce236af6a1affebb274838318ba715114218 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel
-Date: Tue, 25 Feb 2020 09:14:47 -0500
-Subject: [PATCH 3/8] Fix base64-encoding of CSRs
-
-In 8de4440c5652f6f1af5b4b923a15730ba84f29e1, the base64 encoder was
-changed from apache-commons-codec to the Java standard library to drop
-a dependency. However, the behavior changed as a result: the Java
-standard library doesn't include a final line separator, whereas
-apache-commons-codec did. This results in malformed CSRs:
-
-> YWRPxyBKvFAOB29fwPwBJLZksrwQ0xAs7sooc+qF-----END NEW CERTIFICATE REQUEST-----
-
-Resolves: https://pagure.io/freeipa/issue/8199
-
-Signed-off-by: Alexander Scheel
----
- org/mozilla/jss/netscape/security/util/Utils.java | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/org/mozilla/jss/netscape/security/util/Utils.java b/org/mozilla/jss/netscape/security/util/Utils.java
-index 19f3b1f9..e6e56ce4 100644
---- a/org/mozilla/jss/netscape/security/util/Utils.java
-+++ b/org/mozilla/jss/netscape/security/util/Utils.java
-@@ -378,7 +378,10 @@ public class Utils {
- * @return base-64 encoded data
- */
- public static String base64encodeMultiLine(byte[] bytes) {
-- return Base64.getMimeEncoder().encodeToString(bytes);
-+ // When switching from apache-commons-codec to the standard library,
-+ // the standard library does not include a final line separator at
-+ // the end of the encoded data. This results in malformed CSRs.
-+ return Base64.getMimeEncoder().encodeToString(bytes) + "\r\n";
- }
-
-
---
-2.24.1
-
diff --git a/0002-Fix-swapped-parameter-names-with-PBE.patch b/0002-Fix-swapped-parameter-names-with-PBE.patch
deleted file mode 100644
index c535f6e..0000000
--- a/0002-Fix-swapped-parameter-names-with-PBE.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 9f29430656342829822568f4ef49f5237b41164b Mon Sep 17 00:00:00 2001
-From: Alexander Scheel
-Date: Fri, 28 Feb 2020 14:10:32 -0500
-Subject: [PATCH 7/8] Fix swapped parameter names with PBE
-
-Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression
-related to extracting the parameter classes during PBE operations:
-previously, the classes of the underlying encryption algorithm were
-iterated over, instead of the classes of the PBE class itself. However,
-this commit iterated over the PBE parameter classes; no PBE algorithm
-accepts a IvParameterSpec, resulting in a null parameter passed to the
-later encryption or key wrap operation. This resulted in stack traces
-like the following:
-
-Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter
- at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225)
- at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89)
- at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57)
- at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342)
-
-Resolves: rh-bz#1807371
-
-Signed-off-by: Alexander Scheel
----
- org/mozilla/jss/pkcs7/EncryptedContentInfo.java | 2 +-
- org/mozilla/jss/pkix/cms/EncryptedContentInfo.java | 2 +-
- org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
-index 084752c3..0344b14d 100644
---- a/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
-+++ b/org/mozilla/jss/pkcs7/EncryptedContentInfo.java
-@@ -182,7 +182,7 @@ public class EncryptedContentInfo implements ASN1Value {
- // generate IV
- EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
- AlgorithmParameterSpec params=null;
-- Class [] paramClasses = pbeAlg.getParameterClasses();
-+ Class [] paramClasses = encAlg.getParameterClasses();
- for (int i = 0; i < paramClasses.length; i ++) {
- if ( paramClasses[i].equals(
- javax.crypto.spec.IvParameterSpec.class ) ) {
-diff --git a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
-index a4709070..d85eb0d3 100644
---- a/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
-+++ b/org/mozilla/jss/pkix/cms/EncryptedContentInfo.java
-@@ -180,7 +180,7 @@ public class EncryptedContentInfo implements ASN1Value {
- // generate IV
- EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
- AlgorithmParameterSpec params=null;
-- Class [] paramClasses = pbeAlg.getParameterClasses();
-+ Class [] paramClasses = encAlg.getParameterClasses();
- for (int i = 0; i < paramClasses.length; i ++) {
- if ( paramClasses[i].equals( IVParameterSpec.class ) ) {
- params = new IVParameterSpec( kg.generatePBE_IV() );
-diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-index b35714e3..ebd269f3 100644
---- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-@@ -147,7 +147,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
- // generate IV
- EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
- AlgorithmParameterSpec params=null;
-- Class [] paramClasses = pbeAlg.getParameterClasses();
-+ Class [] paramClasses = encAlg.getParameterClasses();
- for (int i = 0; i < paramClasses.length; i ++) {
- if ( paramClasses[i].equals( javax.crypto.spec.IvParameterSpec.class ) ) {
- params = new IVParameterSpec( kg.generatePBE_IV() );
-@@ -328,7 +328,7 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
- // generate IV
- EncryptionAlgorithm encAlg = pbeAlg.getEncryptionAlg();
- AlgorithmParameterSpec params=null;
-- Class [] paramClasses = pbeAlg.getParameterClasses();
-+ Class [] paramClasses = encAlg.getParameterClasses();
- for (int i = 0; i < paramClasses.length; i ++) {
- if ( paramClasses[i].equals(
- javax.crypto.spec.IvParameterSpec.class ) ) {
---
-2.24.1
-
diff --git a/0003-Use-specified-algorithm-for-KeyWrap.patch b/0003-Use-specified-algorithm-for-KeyWrap.patch
deleted file mode 100644
index d75534a..0000000
--- a/0003-Use-specified-algorithm-for-KeyWrap.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 55482c8bfa0addeb9db7b590703ba3704c5db167 Mon Sep 17 00:00:00 2001
-From: Alexander Scheel
-Date: Fri, 28 Feb 2020 14:39:29 -0500
-Subject: [PATCH 8/8] Use specified algorithm for KeyWrap
-
-When the token-specified from of EncryptedPrivateKeyInfo.createPBE is
-called, it would always request DES3_CBC_PAD as the key wrapping
-algorithm, regardless of the input PBE key type. However, the other form
-(with an implicit token) was correctly handling this case.
-
-Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
-instead of having to convert to/from a String form.
-
-Signed-off-by: Alexander Scheel
----
- org/mozilla/jss/crypto/KeyWrapAlgorithm.java | 5 ++++-
- org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java | 4 ++--
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
-index 3113f614..3a106977 100644
---- a/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
-+++ b/org/mozilla/jss/crypto/KeyWrapAlgorithm.java
-@@ -138,7 +138,10 @@ public class KeyWrapAlgorithm extends Algorithm {
-
- public static KeyWrapAlgorithm fromOID(String wrapOID) throws NoSuchAlgorithmException {
- OBJECT_IDENTIFIER oid = new OBJECT_IDENTIFIER(wrapOID);
-+ return fromOID(oid);
-+ }
-
-+ public static KeyWrapAlgorithm fromOID(OBJECT_IDENTIFIER oid) throws NoSuchAlgorithmException {
- if (oid.equals(AES_KEY_WRAP_PAD_OID))
- return AES_KEY_WRAP_PAD;
-
-@@ -154,6 +157,6 @@ public class KeyWrapAlgorithm extends Algorithm {
- if (oid.equals(DES_CBC_PAD_OID))
- return DES_CBC_PAD;
-
-- throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + wrapOID);
-+ throw new NoSuchAlgorithmException("Unknown Algorithm for OID: " + oid);
- }
- }
-diff --git a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-index ebd269f3..abfc39a7 100644
---- a/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-+++ b/org/mozilla/jss/pkix/primitive/EncryptedPrivateKeyInfo.java
-@@ -337,8 +337,8 @@ public class EncryptedPrivateKeyInfo implements ASN1Value {
- }
- }
-
-- KeyWrapper wrapper = token.getKeyWrapper(
-- KeyWrapAlgorithm.DES3_CBC_PAD);
-+ // wrap the key
-+ KeyWrapper wrapper = token.getKeyWrapper(KeyWrapAlgorithm.fromOID(encAlg.toOID()));
- wrapper.initWrap(key, params);
- byte encrypted[] = wrapper.wrap(pri);
-
---
-2.24.1
-
diff --git a/jss.spec b/jss.spec
index 0920b44..abb49ae 100644
--- a/jss.spec
+++ b/jss.spec
@@ -6,9 +6,9 @@ Summary: Java Security Services (JSS) URL: http://www.dogtagpki.org/wiki/JSS License: MPLv1.1 or GPLv2+ or LGPLv2+ -Version: 4.6.4 -Release: 1%{?_timestamp}%{?_commit_id}%{?dist} -# global _phase -a1 +Version: 4.7.0 +Release: 0.2%{?_timestamp}%{?_commit_id}%{?dist} +%global _phase -b2 # To generate the source tarball: # $ git clone https://github.com/dogtagpki/jss.git
@@ -34,11 +34,13 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas BuildRequires: git BuildRequires: make BuildRequires: cmake +BuildRequires: zip +BuildRequires: unzip BuildRequires: gcc-c++ BuildRequires: nspr-devel >= 4.13.1 -BuildRequires: nss-devel >= 3.30 -BuildRequires: nss-tools >= 3.30 +BuildRequires: nss-devel >= 3.44 +BuildRequires: nss-tools >= 3.44 BuildRequires: java-devel BuildRequires: jpackage-utils BuildRequires: slf4j
@@ -49,11 +51,10 @@ BuildRequires: glassfish-jaxb-api BuildRequires: slf4j-jdk14 %endif BuildRequires: apache-commons-lang -BuildRequires: apache-commons-codec BuildRequires: junit -Requires: nss >= 3.30 +Requires: nss >= 3.44 Requires: java-headless Requires: jpackage-utils Requires: slf4j
@@ -64,7 +65,6 @@ Requires: glassfish-jaxb-api Requires: slf4j-jdk14 %endif Requires: apache-commons-lang -Requires: apache-commons-codec Conflicts: ldapjdk < 4.20 Conflicts: idm-console-framework < 1.2
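Review bot: The NSS floor rises from 3.30 to 3.44 on `BuildRequires: nss-devel` and `BuildRequires: nss-tools` in the `@@ -34,11 +34,13 @@` hunk, and on `Requires: nss` in the `@@ -49,11 +51,10 @@` hunk, with no comment saying what in 4.7.0 needs it. The package builds against nss-devel and requires nss again at run time, so the three values have to move together; a comment above the first of them such as `# NSS floor for JSS 4.7.0; keep nss-devel, nss-tools and the runtime nss Requires in step` would make that explicit for the next packager. The reason for 3.44 itself is not visible on this page (presumably the SSLEngine named in the changelog) and should be confirmed upstream before it is written into the comment.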
@@ -116,7 +116,7 @@ rm -rf build && mkdir -p build && cd build .. %{__make} all -%{__make} javadoc || true +%{__make} javadoc ctest --output-on-failure ################################################################################
@@ -147,7 +147,8 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} %files %defattr(-,root,root,-) -%doc jss.html MPL-1.1.txt gpl.txt lgpl.txt +%doc jss.html +%license MPL-1.1.txt gpl.txt lgpl.txt %{_libdir}/* %{_jnidir}/*
@@ -159,6 +160,10 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} ################################################################################ %changelog +* Wed Jun 10 2020 Dogtag PKI Team - 4.7.0-0.2 +- Rebase to latest upstream JSS 4.7.0 +- JSS Provided SSLEngine + * Mon Apr 27 2020 Dogtag PKI Team - 4.6.4-1 - Rebase to JSS 4.6.4 - Fixes memory leak present since v4.6.2
diff --git a/sources b/sources
index 25b6a59..eaf917e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (jss-4.6.4.tar.gz) = c0adc950e1ce5e0f3d846dcb158d831575be84176ded3eec7ce3569cfd96c872a2089a2eede249c5924e1eee58d88574accd3403623910343130cf90b504b348
+SHA512 (jss-4.7.0-b2.tar.gz) = 6bd5fd4823ea4b14bfd53dc64796b6fcb7018a6118b943b46be7a5caf874a386802f1e6e0e542743be505d73f2b9625b0f1d479b1292c7364ac62d8cee3e4e52