diff --git a/jss-aia-ocsp-1.patch b/jss-aia-ocsp-1.patch new file mode 100644 index 0000000..f20207c --- /dev/null +++ b/jss-aia-ocsp-1.patch @@ -0,0 +1,659 @@ +From 8975c8ae1d0c8b916c5c73aff12046b01d3e6ef0 Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Fri, 25 Jan 2019 14:54:11 -0800 +Subject: [PATCH] Resolve Bug 1666872 - CC: Enable AIA OCSP cert checking for + entire cert chain. + +This fix for jss, solves the one use case where the pki server is configured to perform ocsp checking ONLY with the contents of the AIA extension. Previously, jss could only check the ocsp server for the leaf node cert of the cert being verified. This fix allows the cert chain to be checked over ocsp for each cert in question. This is possible due to the fact that we have made a call in the PKIX library of nss to do the actual cert verfication. This call is made with all the needed flags to tell the PKIX library to make the ocsp verifications remotely over the network using the contents of the AIA extension. + +Later on we can use this code to handle the other cases, but for now we want to solve this one particular problem. If the server is configured in any other configuration than the one stated, the original verification code will be called as before. Below is an example of a configuration in server.xml, that will trigger this new code: + +< .... enableOCSP="true" ocspCacheSize="10000" ocspMinCacheEntryDuration="7200" .... > + +Note that due to ocsp caching, the cert chain verification may only be apparent after a restart of the server. A way to force an ocsp fetch every time is to set the value of ocspCacheSize=-1, which essentially disables the cache. + +Added a couple of minor fixes due to review comments. Possibly more to come. +Minor include directive change to compile on branch. +--- + org/mozilla/jss/CryptoManager.java | 48 +++++++ + org/mozilla/jss/PK11Finder.c | 95 ++++++++++++-- + org/mozilla/jss/ssl/callbacks.c | 67 ++++++++-- + org/mozilla/jss/ssl/common.c | 196 +++++++++++++++++++++++++++++ + org/mozilla/jss/ssl/jssl.h | 29 +++++ + org/mozilla/jss/util/java_ids.h | 9 ++ + 6 files changed, 422 insertions(+), 22 deletions(-) + +diff --git a/org/mozilla/jss/CryptoManager.java b/org/mozilla/jss/CryptoManager.java +index 9b86bf9e..c9a3fb2b 100644 +--- a/org/mozilla/jss/CryptoManager.java ++++ b/org/mozilla/jss/CryptoManager.java +@@ -1201,6 +1201,44 @@ private native boolean verifyCertTempNative(byte[] certPackage, + // OCSP management + /////////////////////////////////////////////////////////////////////// + ++ /* OCSP Policy related */ ++ ++ public enum OCSPPolicy { ++ NONE, ++ NORMAL, ++ LEAF_AND_CHAIN; ++ } ++ ++ private static OCSPPolicy ocspPolicy = OCSPPolicy.NONE; ++ ++ /** ++ * Gets the current ocsp Policy. ++ * Currently we only support 2 modes OCSP_LEAF_AND_CHAIN_POLICY. ++ * And OCSP_NORMAL_POLICY, which is current processing , by default. ++ * If we have AIA based OCSP enabled we will check all certs in the chain. ++ * using PKIX cert verfication calls in the various cert auth callbacks we ++ * have. ++ * @return - The current ocsp policy in effect. ++ */ ++ ++ public static synchronized int getOCSPPolicy() { ++ return ocspPolicy.ordinal(); ++ } ++ ++ /** ++ * Sets the current ocsp Policy. ++ * Currently we only support one mode OCSP_LEAF_AND_CHAIN_POLICY. ++ * If we have AIA based OCSP enabled we will check all certs in the chain. ++ * using PKIX cert verfication calls in the various cert auth callbacks we ++ * have. ++ * @param policy - Either cert and chain or normal default processing. ++ * ++ */ ++ ++ public static synchronized void setOCSPPolicy(OCSPPolicy policy) { ++ ocspPolicy = policy; ++ } ++ + /** + * Enables OCSP, note when you Initialize JSS for the first time, for + * backwards compatibility, the initialize will enable OCSP if you +@@ -1220,6 +1258,16 @@ public void configureOCSP( + String ocspResponderCertNickname ) + throws GeneralSecurityException + { ++ /* set the ocsp policy */ ++ ++ if(ocspCheckingEnabled && ++ ocspResponderURL == null && ++ ocspResponderCertNickname == null) { ++ setOCSPPolicy(OCSPPolicy.LEAF_AND_CHAIN); ++ } else { ++ setOCSPPolicy(OCSPPolicy.NORMAL); ++ } ++ + configureOCSPNative(ocspCheckingEnabled, + ocspResponderURL, + ocspResponderCertNickname ); +diff --git a/org/mozilla/jss/PK11Finder.c b/org/mozilla/jss/PK11Finder.c +index 45958181..0329e91d 100644 +--- a/org/mozilla/jss/PK11Finder.c ++++ b/org/mozilla/jss/PK11Finder.c +@@ -14,9 +14,9 @@ + #include + + #include +- + #include + #include "pk11util.h" ++#include "ssl/jssl.h" + #include + + /* +@@ -1574,6 +1574,9 @@ SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString, + goto finish; + } + ++ int ocspPolicy = JSSL_getOCSPPolicy(); ++ ++ + certificateUsage = required_certificateUsage; + + cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); +@@ -1587,8 +1590,24 @@ SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString, + /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will + * retrieve the current valid usage into currUsage + */ +- rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, +- checkSig, certificateUsage, NULL, currUsage ); ++ if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) { ++ rv = JSSL_verifyCertPKIX( cert, certificateUsage, ++ NULL /* pin arg */, ocspPolicy, NULL, currUsage); ++ ++ /* we need to do this just to get the cert usages, the pkix version ++ doesn't seem to honor the method to get the usages as of yet. ++ Let the PKIX call only determine the final fate. ++ */ ++ if(rv == SECSuccess) { ++ CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, ++ checkSig, certificateUsage, NULL, currUsage ); ++ } ++ ++ } else { ++ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, ++ checkSig, certificateUsage, NULL, currUsage ); ++ } ++ + if ((rv == SECSuccess) && certificateUsage == 0x0000) { + if (*currUsage == + ( certUsageUserCertImport | +@@ -1639,6 +1658,8 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, + goto finish; + } + ++ int ocspPolicy = JSSL_getOCSPPolicy(); ++ + certificateUsage = required_certificateUsage; + + cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); +@@ -1653,8 +1674,23 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, + * just get the current usage (which we are not passing back for now + * but will bypass the certificate usage check + */ +- rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, +- checkSig, certificateUsage, NULL, &currUsage ); ++ ++ if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) { ++ rv= JSSL_verifyCertPKIX( cert, certificateUsage, ++ NULL /* pin arg */, ocspPolicy, NULL, &currUsage); ++ ++ /* we need to do this just to get the cert usages, the pkix version ++ doesn't seem to honor the method to get the usages as of yet. ++ Let the PKIX call only determine the final fate. ++ */ ++ if(rv == SECSuccess) { ++ CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, ++ checkSig, certificateUsage, NULL, &currUsage ); ++ } ++ } else { ++ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, ++ checkSig, certificateUsage, NULL, &currUsage ); ++ } + } + + finish: +@@ -1720,12 +1756,14 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative2(JNIEnv *env, + SECStatus rv = SECFailure; + CERTCertificate *cert = NULL; + char *nickname = NULL; +- ++ + if (nickString == NULL) { + JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname"); + goto finish; + } + ++ int ocspPolicy = JSSL_getOCSPPolicy(); ++ + nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL); + if (nickname == NULL) { + JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname"); +@@ -1747,8 +1785,25 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative2(JNIEnv *env, + /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will + * retrieve the current valid usage into currUsage + */ +- rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, +- checkSig, certificateUsage, NULL, &currUsage); ++ ++ if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) { ++ rv = JSSL_verifyCertPKIX( cert, certificateUsage, ++ NULL /* pin arg */, ocspPolicy, NULL, &currUsage); ++ ++ /* we need to do this just to get the cert usages, the pkix version ++ doesn't seem to honor the method to get the usages as of yet. ++ Let the PKIX call only determine the final fate. ++ */ ++ if(rv == SECSuccess) { ++ CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, ++ checkSig, certificateUsage, NULL, &currUsage ); ++ ++ } ++ ++ } else { ++ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, ++ checkSig, certificateUsage, NULL, &currUsage); ++ } + + if (rv != SECSuccess) { + JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Invalid certificate"); +@@ -1803,6 +1858,9 @@ Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env, + if( nickname == NULL ) { + goto finish; + } ++ ++ int ocspPolicy = JSSL_getOCSPPolicy(); ++ + certUsage = cUsage; + cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); + +@@ -1812,8 +1870,13 @@ Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env, + PR_smprintf_free(message); + goto finish; + } else { +- rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert, +- checkSig, certUsage, NULL ); ++ if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) { ++ rv = JSSL_verifyCertPKIX( cert, certUsage, ++ NULL /* pin arg */, ocspPolicy, NULL, NULL); ++ } else { ++ rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert, ++ checkSig, certUsage, NULL ); ++ } + } + + finish: +@@ -1858,6 +1921,8 @@ Java_org_mozilla_jss_CryptoManager_verifyCertTempNative(JNIEnv *env, + derCerts[0] = JSS_ByteArrayToSECItem(env, packageArray); + derCerts[1] = NULL; + ++ int ocspPolicy = JSSL_getOCSPPolicy(); ++ + rv = CERT_ImportCerts(certdb, cUsage, + 1, derCerts, &certArray, PR_FALSE /*temp Certs*/, + PR_FALSE /*caOnly*/, NULL); +@@ -1869,8 +1934,14 @@ Java_org_mozilla_jss_CryptoManager_verifyCertTempNative(JNIEnv *env, + } + + certUsage = cUsage; +- rv = CERT_VerifyCertNow(certdb, certArray[0], +- checkSig, certUsage, NULL ); ++ ++ if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) { ++ rv = JSSL_verifyCertPKIX( certArray[0], certUsage, ++ NULL /* pin arg */, ocspPolicy, NULL, NULL); ++ } else { ++ rv = CERT_VerifyCertNow(certdb, certArray[0], ++ checkSig, certUsage, NULL ); ++ } + + finish: + /* this checks for NULL */ +diff --git a/org/mozilla/jss/ssl/callbacks.c b/org/mozilla/jss/ssl/callbacks.c +index 634f31ec..42594a14 100644 +--- a/org/mozilla/jss/ssl/callbacks.c ++++ b/org/mozilla/jss/ssl/callbacks.c +@@ -20,6 +20,40 @@ + #include + #include + ++int ++JSSL_getOCSPPolicy() { ++ JNIEnv *env; ++ jint policy = -1; ++ ++ jmethodID getOCSPPolicyID; ++ jclass cryptoManagerClass; ++ ++ /* get the JNI environment */ ++ if((*JSS_javaVM)->AttachCurrentThread(JSS_javaVM, (void**)&env, NULL) != 0){ ++ PR_ASSERT(PR_FALSE); ++ goto finish; ++ } ++ ++ cryptoManagerClass = (*env)->FindClass(env, CRYPTO_MANAGER_NAME); ++ if( cryptoManagerClass == NULL ) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ getOCSPPolicyID = (*env)->GetStaticMethodID(env, cryptoManagerClass, ++ GET_OCSP_POLICY_NAME,GET_OCSP_POLICY_SIG); ++ ++ if( getOCSPPolicyID == NULL ) { ++ ASSERT_OUTOFMEM(env); ++ goto finish; ++ } ++ ++ policy = (*env)->CallStaticIntMethod(env, cryptoManagerClass, ++ getOCSPPolicyID); ++ ++finish: ++ return (int) policy; ++} ++ + static SECStatus + secCmpCertChainWCANames(CERTCertificate *cert, CERTDistNames *caNames) + { +@@ -443,8 +477,9 @@ JSSL_DefaultCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig, + SECCertUsage certUsage; + CERTCertificate *peerCert=NULL; + ++ int ocspPolicy = JSSL_getOCSPPolicy(); ++ + certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; +- + + /* SSL_PeerCertificate() returns a shallow copy of the cert, so we + must destroy it before we exit this function */ +@@ -452,8 +487,13 @@ JSSL_DefaultCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig, + peerCert = SSL_PeerCertificate(fd); + + if (peerCert) { +- rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), peerCert, +- checkSig, certUsage, NULL /*pinarg*/); ++ if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) { ++ rv = JSSL_verifyCertPKIX( peerCert, certUsage, ++ NULL /* pin arg */, ocspPolicy, NULL, NULL); ++ } else { ++ rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), peerCert, ++ checkSig, certUsage, NULL /*pinarg*/); ++ } + } + + /* if we're a server, then we don't need to check the CN of the +@@ -569,6 +609,8 @@ JSSL_JavaCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig, + log.tail = NULL; + log.count = 0; + ++ int ocspPolicy = JSSL_getOCSPPolicy(); ++ + /* get the JNI environment */ + if((*JSS_javaVM)->AttachCurrentThread(JSS_javaVM, (void**)&env, NULL) != 0){ + PR_ASSERT(PR_FALSE); +@@ -589,13 +631,18 @@ JSSL_JavaCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig, + * logging parameter) + */ + +- verificationResult = CERT_VerifyCert( CERT_GetDefaultCertDB(), +- peerCert, +- checkSig, +- certUsage, +- PR_Now(), +- NULL /*pinarg*/, +- &log); ++ if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) { ++ verificationResult = JSSL_verifyCertPKIX( peerCert, certUsage, ++ NULL /* pin arg */, ocspPolicy, &log, NULL); ++ } else { ++ verificationResult = CERT_VerifyCert( CERT_GetDefaultCertDB(), ++ peerCert, ++ checkSig, ++ certUsage, ++ PR_Now(), ++ NULL /*pinarg*/, ++ &log); ++ } + + if (verificationResult == SECSuccess && log.count > 0) { + verificationResult = SECFailure; +diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c +index 5c6efa85..aec88552 100644 +--- a/org/mozilla/jss/ssl/common.c ++++ b/org/mozilla/jss/ssl/common.c +@@ -15,6 +15,7 @@ + #include + #include "_jni/org_mozilla_jss_ssl_SSLSocket.h" + #include "jssl.h" ++#include "cert.h" + + #ifdef WIN32 + #include +@@ -889,3 +890,198 @@ JSS_SSL_processExceptions(JNIEnv *env, PRFilePrivate *priv) + PR_ASSERT(ret == 0); + } + } ++ ++/* Get the trusted anchor for pkix */ ++ ++CERTCertificate * getRoot(CERTCertificate *cert, ++ SECCertificateUsage certUsage) ++{ ++ CERTCertificate *root = NULL; ++ CERTCertListNode *node = NULL; ++ ++ if( !cert ) { ++ goto finish; ++ } ++ ++ CERTCertList *certList = CERT_GetCertChainFromCert(cert, ++ PR_Now(), ++ certUsage); ++ ++ if( certList == NULL) { ++ goto finish; ++ } ++ ++ for (node = CERT_LIST_HEAD(certList); ++ !CERT_LIST_END(node, certList); ++ node = CERT_LIST_NEXT(node)) { ++ ++ /* try to find the root */ ++ if( node->cert && node->cert->isRoot ) { ++ root = CERT_DupCertificate(node->cert) ; ++ } ++ } ++ ++finish: ++ ++ CERT_DestroyCertList (certList); ++ return root; ++} ++ ++/* Verify a cert using explicit PKIX call. ++ * For now only used in OCSP AIA context. ++ * The result of this call will be a full chain ++ * and leaf network AIA ocsp validation. ++ * The policy param will be used in the future to ++ * handle more scenarios. ++ */ ++ ++SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert, ++ SECCertificateUsage certUsage,secuPWData *pwdata, int ocspPolicy, ++ CERTVerifyLog *log, SECCertificateUsage *usage) ++{ ++ ++ /* put the first set of possible flags internally here first */ ++ /* later there could be a more complete list to choose from */ ++ /* support our hard core fetch aia ocsp policy for now */ ++ ++ static PRUint64 ocsp_Enabled_Hard_Policy_LeafFlags[2] = { ++ /* crl */ ++ 0, ++ /* ocsp */ ++ CERT_REV_M_TEST_USING_THIS_METHOD | ++ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO ++ }; ++ ++ static PRUint64 ocsp_Enabled_Hard_Policy_ChainFlags[2] = { ++ /* crl */ ++ 0, ++ /* ocsp */ ++ CERT_REV_M_TEST_USING_THIS_METHOD | ++ CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO ++ }; ++ ++ static CERTRevocationMethodIndex ++ ocsp_Enabled_Hard_Policy_Method_Preference = { ++ cert_revocation_method_ocsp ++ }; ++ ++ static CERTRevocationFlags ocsp_Enabled_Hard_Policy = { ++ { /* leafTests */ ++ 2, ++ ocsp_Enabled_Hard_Policy_LeafFlags, ++ 1, ++ &ocsp_Enabled_Hard_Policy_Method_Preference, ++ 0 }, ++ { /* chainTests */ ++ 2, ++ ocsp_Enabled_Hard_Policy_ChainFlags, ++ 1, ++ &ocsp_Enabled_Hard_Policy_Method_Preference, ++ 0 } ++ }; ++ ++ /* for future expansion */ ++ ++ CERTValOutParam cvout[20] = {0}; ++ CERTValInParam cvin[20] = {0}; ++ ++ int inParamIndex = 0; ++ int outParamIndex = 0; ++ CERTRevocationFlags *rev = NULL; ++ ++ CERTCertList *trustedCertList = NULL; ++ ++ PRBool fetchCerts = PR_FALSE; ++ ++ SECStatus res = SECFailure; ++ if(cert == NULL) { ++ goto finish; ++ } ++ ++ if(ocspPolicy != OCSP_LEAF_AND_CHAIN_POLICY) { ++ goto finish; ++ } ++ ++ /* Force the strict ocsp network check on chain ++ and leaf. ++ */ ++ ++ fetchCerts = PR_TRUE; ++ rev = &ocsp_Enabled_Hard_Policy; ++ ++ /* fetch aia over net */ ++ ++ cvin[inParamIndex].type = cert_pi_useAIACertFetch; ++ cvin[inParamIndex].value.scalar.b = fetchCerts; ++ inParamIndex++; ++ ++ /* time */ ++ ++ cvin[inParamIndex].type = cert_pi_date; ++ cvin[inParamIndex].value.scalar.time = PR_Now(); ++ inParamIndex++; ++ ++ /* flags */ ++ ++ cvin[inParamIndex].type = cert_pi_revocationFlags; ++ cvin[inParamIndex].value.pointer.revocation = rev; ++ inParamIndex++; ++ ++ ++ /* establish trust anchor */ ++ ++ CERTCertificate *root = getRoot(cert,certUsage); ++ ++ /* Try to add the root as the trust anchor so all the ++ other memebers of the ca chain will get validated. ++ */ ++ ++ if( root != NULL ) { ++ trustedCertList = CERT_NewCertList(); ++ CERT_AddCertToListTail(trustedCertList, root); ++ ++ cvin[inParamIndex].type = cert_pi_trustAnchors; ++ cvin[inParamIndex].value.pointer.chain = trustedCertList; ++ ++ inParamIndex++; ++ } ++ ++ cvin[inParamIndex].type = cert_pi_end; ++ ++ if(log != NULL) { ++ cvout[outParamIndex].type = cert_po_errorLog; ++ cvout[outParamIndex].value.pointer.log = log; ++ outParamIndex ++; ++ } ++ ++ int usageIndex = 0; ++ if(usage != NULL) { ++ usageIndex = outParamIndex; ++ cvout[outParamIndex].type = cert_po_usages; ++ cvout[outParamIndex].value.scalar.usages = 0; ++ outParamIndex ++; ++ } ++ ++ cvout[outParamIndex].type = cert_po_end; ++ ++ res = CERT_PKIXVerifyCert(cert, certUsage, cvin, cvout, &pwdata); ++ ++finish: ++ /* clean up any trusted cert list */ ++ ++ if (trustedCertList) { ++ CERT_DestroyCertList(trustedCertList); ++ trustedCertList = NULL; ++ } ++ ++ if(root) { ++ CERT_DestroyCertificate(root); ++ root = NULL; ++ } ++ ++ if(res == SECSuccess && usage) { ++ *usage = cvout[usageIndex].value.scalar.usages; ++ } ++ ++ return res; ++} +diff --git a/org/mozilla/jss/ssl/jssl.h b/org/mozilla/jss/ssl/jssl.h +index c15acf87..0e93eebe 100644 +--- a/org/mozilla/jss/ssl/jssl.h ++++ b/org/mozilla/jss/ssl/jssl.h +@@ -5,8 +5,27 @@ + #ifndef ORG_MOZILLA_JSS_SSL_JSSL_H + #define ORG_MOZILLA_JSS_SSL_JSSL_H + ++/* ocsp policy constants */ ++ ++/* ocsp policy constants */ ++static const int OCSP_NO_POLICY = 0; ++static const int OCSP_NORMAL_POLICY = 1; ++static const int OCSP_LEAF_AND_CHAIN_POLICY = 2; ++ + #include + ++typedef struct ++{ ++ enum ++ { ++ PW_NONE = 0, ++ PW_FROMFILE = 1, ++ PW_PLAINTEXT = 2, ++ PW_EXTERNAL = 3 ++ } source; ++ char *data; ++} secuPWData; ++ + struct JSSL_SocketData { + PRFileDesc *fd; + jobject socketObject; /* weak global ref */ +@@ -120,4 +139,14 @@ JSS_SSL_processExceptions(JNIEnv *env, PRFilePrivate *priv); + + void JSSL_throwSSLSocketException(JNIEnv *env, char *message); + ++int ++JSSL_getOCSPPolicy(); ++ ++ ++SECStatus ++JSSL_verifyCertPKIX(CERTCertificate *cert, ++ SECCertificateUsage certUsage, ++ secuPWData *pwdata, int ocspPolicy, ++ CERTVerifyLog *log,SECCertificateUsage *usage); ++ + #endif +diff --git a/org/mozilla/jss/util/java_ids.h b/org/mozilla/jss/util/java_ids.h +index 73b31fa9..4053d9a7 100644 +--- a/org/mozilla/jss/util/java_ids.h ++++ b/org/mozilla/jss/util/java_ids.h +@@ -276,6 +276,15 @@ PR_BEGIN_EXTERN_C + #define GET_RECV_BUF_SIZE "getReceiveBufferSize" + #define GET_BUF_SIZE_SIG "()I" + ++/* ++ * CryptoManager ++ * ++*/ ++ ++#define CRYPTO_MANAGER_NAME "org/mozilla/jss/CryptoManager" ++#define GET_OCSP_POLICY_NAME "getOCSPPolicy" ++#define GET_OCSP_POLICY_SIG "()I" ++ + /* + * SocketBase + */ diff --git a/jss-aia-ocsp-2.patch b/jss-aia-ocsp-2.patch new file mode 100644 index 0000000..c6b2f1c --- /dev/null +++ b/jss-aia-ocsp-2.patch @@ -0,0 +1,141 @@ +From 1fe6a451ec0c3ec960ac1119b39c406d999da5ec Mon Sep 17 00:00:00 2001 +From: Jack Magne +Date: Fri, 8 Feb 2019 11:21:48 -0800 +Subject: [PATCH] Additional: Resolve Bug 1666872 - CC: Enable AIA OCSP cert + checking for entire cert chain. + +Simple fix to make sure we are using the correct variant of the NSS cert usage quantity. + +It turns out some calls need a SECCertUsage and others need a SECCertificateUsage. +We also need to convert between the two in certain instances. + +Found and fixed double certificate object free issue. +--- + org/mozilla/jss/ssl/callbacks.c | 10 ++++++++-- + org/mozilla/jss/ssl/common.c | 19 ++++++++++++++----- + org/mozilla/jss/ssl/jssl.h | 2 +- + 3 files changed, 23 insertions(+), 8 deletions(-) + +diff --git a/org/mozilla/jss/ssl/callbacks.c b/org/mozilla/jss/ssl/callbacks.c +index 42594a14..4fe08a29 100644 +--- a/org/mozilla/jss/ssl/callbacks.c ++++ b/org/mozilla/jss/ssl/callbacks.c +@@ -481,6 +481,9 @@ JSSL_DefaultCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig, + + certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; + ++ /* PKIX call needs a SECCertificate usage, convert */ ++ SECCertificateUsage certificateUsage = (SECCertificateUsage)1 << certUsage; ++ + /* SSL_PeerCertificate() returns a shallow copy of the cert, so we + must destroy it before we exit this function */ + +@@ -488,7 +491,7 @@ JSSL_DefaultCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig, + + if (peerCert) { + if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) { +- rv = JSSL_verifyCertPKIX( peerCert, certUsage, ++ rv = JSSL_verifyCertPKIX( peerCert, certificateUsage, + NULL /* pin arg */, ocspPolicy, NULL, NULL); + } else { + rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), peerCert, +@@ -624,6 +627,9 @@ JSSL_JavaCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig, + if (peerCert == NULL) goto finish; + + certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; ++ /* PKIX call needs a SECCertificate usage, convert */ ++ SECCertificateUsage certificateUsage = (SECCertificateUsage)1 << certUsage; ++ + + /* + * verify it against current time - (can't use +@@ -632,7 +638,7 @@ JSSL_JavaCertAuthCallback(void *arg, PRFileDesc *fd, PRBool checkSig, + */ + + if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) { +- verificationResult = JSSL_verifyCertPKIX( peerCert, certUsage, ++ verificationResult = JSSL_verifyCertPKIX( peerCert, certificateUsage, + NULL /* pin arg */, ocspPolicy, &log, NULL); + } else { + verificationResult = CERT_VerifyCert( CERT_GetDefaultCertDB(), +diff --git a/org/mozilla/jss/ssl/common.c b/org/mozilla/jss/ssl/common.c +index aec88552..cb281798 100644 +--- a/org/mozilla/jss/ssl/common.c ++++ b/org/mozilla/jss/ssl/common.c +@@ -894,7 +894,7 @@ JSS_SSL_processExceptions(JNIEnv *env, PRFilePrivate *priv) + /* Get the trusted anchor for pkix */ + + CERTCertificate * getRoot(CERTCertificate *cert, +- SECCertificateUsage certUsage) ++ SECCertUsage certUsage) + { + CERTCertificate *root = NULL; + CERTCertListNode *node = NULL; +@@ -936,7 +936,7 @@ CERTCertificate * getRoot(CERTCertificate *cert, + */ + + SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert, +- SECCertificateUsage certUsage,secuPWData *pwdata, int ocspPolicy, ++ SECCertificateUsage certificateUsage,secuPWData *pwdata, int ocspPolicy, + CERTVerifyLog *log, SECCertificateUsage *usage) + { + +@@ -993,6 +993,8 @@ SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert, + + PRBool fetchCerts = PR_FALSE; + ++ SECCertUsage certUsage = certUsageSSLClient /* 0 */; ++ + SECStatus res = SECFailure; + if(cert == NULL) { + goto finish; +@@ -1027,9 +1029,15 @@ SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert, + cvin[inParamIndex].value.pointer.revocation = rev; + inParamIndex++; + +- + /* establish trust anchor */ + ++ /* We need to convert the SECCertificateUsage to a SECCertUsage to obtain ++ * the root. ++ */ ++ ++ SECCertificateUsage testUsage = certificateUsage; ++ while (0 != (testUsage = testUsage >> 1)) { certUsage++; } ++ + CERTCertificate *root = getRoot(cert,certUsage); + + /* Try to add the root as the trust anchor so all the +@@ -1064,7 +1072,7 @@ SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert, + + cvout[outParamIndex].type = cert_po_end; + +- res = CERT_PKIXVerifyCert(cert, certUsage, cvin, cvout, &pwdata); ++ res = CERT_PKIXVerifyCert(cert, certificateUsage, cvin, cvout, &pwdata); + + finish: + /* clean up any trusted cert list */ +@@ -1074,8 +1082,9 @@ SECStatus JSSL_verifyCertPKIX(CERTCertificate *cert, + trustedCertList = NULL; + } + ++ /* CERT_DestroyCertList destroys interior certs for us. */ ++ + if(root) { +- CERT_DestroyCertificate(root); + root = NULL; + } + +diff --git a/org/mozilla/jss/ssl/jssl.h b/org/mozilla/jss/ssl/jssl.h +index 0e93eebe..925e1225 100644 +--- a/org/mozilla/jss/ssl/jssl.h ++++ b/org/mozilla/jss/ssl/jssl.h +@@ -145,7 +145,7 @@ JSSL_getOCSPPolicy(); + + SECStatus + JSSL_verifyCertPKIX(CERTCertificate *cert, +- SECCertificateUsage certUsage, ++ SECCertificateUsage certificateUsage, + secuPWData *pwdata, int ocspPolicy, + CERTVerifyLog *log,SECCertificateUsage *usage); + diff --git a/jss.spec b/jss.spec index 50f3e36..3f103ed 100644 --- a/jss.spec +++ b/jss.spec @@ -7,7 +7,7 @@ URL: http://www.dogtagpki.org/wiki/JSS License: MPLv1.1 or GPLv2+ or LGPLv2+ Version: 4.5.3 -Release: 1%{?_timestamp}%{?_commit_id}%{?dist} +Release: 2%{?_timestamp}%{?_commit_id}%{?dist} # global _phase -a1 # To generate the source tarball: @@ -26,6 +26,8 @@ Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas # \ # > jss-VERSION-RELEASE.patch # Patch: jss-VERSION-RELEASE.patch +Patch0: jss-aia-ocsp-1.patch +Patch1: jss-aia-ocsp-2.patch ################################################################################ # Build Dependencies @@ -156,6 +158,9 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version} ################################################################################ %changelog +* Mon May 06 2019 Dogtag PKI Team - 4.5.3-2 +- Add AIA OCSP certificate checking patch + * Tue Mar 19 2019 Dogtag PKI Team - 4.5.3-1 - Rebase to JSS 4.5.3