<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<h3>
Timo Aaltonen pushed to branch master
at <a href="https://salsa.debian.org/freeipa-team/jss">FreeIPA packaging / jss</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/a9978ff7bec1b73cb9c13df2e231c8a731b9394b">a9978ff7</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-02-13T13:08:19-06:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Mark JSS Provider and PKCS#11 classes as public

This enables javadoc generation for these classes. While the JSSProvider
classes lack useful javadocs, their existence helps developers check the
supported interfaces. Additionally, the PKCS#11 PrivateKey interfaces
should be made public to mirror their PublicKey counterparts, in the
rare instances where they're used instead of the generic Java
interfaces.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/ae4a9a49b3806a3ceb834117c72bbf243aa09660">ae4a9a49</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-02-13T14:39:56-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Mark three additional PKCS#11 classes public

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/18efce236af6a1affebb274838318ba715114218">18efce23</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-02-26T10:28:17-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix base64-encoding of CSRs

In 8de4440c5652f6f1af5b4b923a15730ba84f29e1, the base64 encoder was
changed from apache-commons-codec to the Java standard library to drop
a dependency. However, the behavior changed as a result: the Java
standard library doesn't include a final line separator, whereas
apache-commons-codec did. This results in malformed CSRs:

> YWRPxyBKvFAOB29fwPwBJLZksrwQ0xAs7sooc+qF-----END NEW CERTIFICATE REQUEST-----

Resolves: https://pagure.io/freeipa/issue/8199

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/0c97eda313c92bd7ffda430fa6aefa5297cc8969">0c97eda3</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-02-26T16:00:31-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Merge IVParameterSpec into IvParameterSpec

IVParameterSpec likely predates IvParameterSpec. As a result, we've had
to introduce various hacks over the years to support both, even though
their implementations and interfaces are nearly identical.

Make IVParameterSpec extend IvParameterSpec, so we can start dropping
some of these hacks.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/83eaba176abe07ef5f869e95d0830ae646023a56">83eaba17</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-02-26T16:00:31-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Simplify IvParameterSpec logic

This merges the usages of org.mozilla.jss.crypto.IVParameterSpec into
simplified code paths only caring about the preferred class,
javax.crypto.spec.IvParameterSpec.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/f580a53567a59b5f2416e3362857ab7fe03af171">f580a535</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-02-26T17:34:46-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Revert "Simplify IvParameterSpec logic"

This reverts commit 83eaba176abe07ef5f869e95d0830ae646023a56.

This breaks PKI CI: https://travis-ci.org/dogtagpki/pki/jobs/655554204

Until this can be implemented in a backwards-compatible manner, revert
this commit.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/9f29430656342829822568f4ef49f5237b41164b">9f294306</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-02T10:09:56-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix swapped parameter names with PBE

Commit 13998a9e77e60d6509ac814ed711dd21e1248ecd introduced a regression
related to extracting the parameter classes during PBE operations:
previously, the classes of the underlying encryption algorithm were
iterated over, instead of the classes of the PBE class itself. However,
this commit iterated over the PBE parameter classes; no PBE algorithm
accepts an IvParameterSpec, resulting in a null parameter passed to the
later encryption or key wrap operation. This resulted in stack traces
like the following:

Caused by: java.security.InvalidAlgorithmParameterException: DES3/CBC/Pad cannot use a null parameter
        at org.mozilla.jss.pkcs11.PK11KeyWrapper.checkParams(PK11KeyWrapper.java:225)
        at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:89)
        at org.mozilla.jss.pkcs11.PK11KeyWrapper.initWrap(PK11KeyWrapper.java:57)
        at org.mozilla.jss.pkix.primitive.EncryptedPrivateKeyInfo.createPBE(EncryptedPrivateKeyInfo.java:342)

Resolves: rh-bz#1807371

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/55482c8bfa0addeb9db7b590703ba3704c5db167">55482c8b</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-02T10:09:56-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use specified algorithm for KeyWrap

When the token-specified form of EncryptedPrivateKeyInfo.createPBE is
called, it would always request DES3_CBC_PAD as the key wrapping
algorithm, regardless of the input PBE key type. However, the other form
(with an implicit token) was correctly handling this case.

Introduces a new KeyWrapAlgorithm method to take an OBJECT_IDENTIFIER
instead of having to convert to/from a String form.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/d7fb9feefd70ad850a0637a2adccb0d5689279d9">d7fb9fee</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-05T14:32:30-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add CipherPrefSetDefault, CipherPrefGetDefault

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/56560f0014c3851bd581be24c46eeef7bba82c75">56560f00</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-05T14:32:30-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add VersionRangeGetDefault, VersionRangeSetDefault

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/aa4e2eba813623d82cb39da85c6d6a4edb6f33cb">aa4e2eba</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-09T11:01:41-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move CryptoManager logging to debug

When loading JSS as part of the default JDK setup, we don't really wish
to spam unsuspecting users with log messages. Move logger.info to
logger.debug in the CryptoManager initialization process. Leave only a
single logger.info statement, saying that JSS was successfully
initialized.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/ae8728ec3ce62223b6371b5054c2c72b8af92a1e">ae8728ec</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-09T14:59:04-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove deprecated netscape.security.acl

The corresponding JDK interfaces under the java.security.acl package
namespace have been marked deprecated since Java 9, but a replacement
has been present since Java 1.2. The implementation of these interfaces
isn't used by JSS or Dogtag and is thus removed.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/16c8de46bb8f03a9e6e3489e751114655a31f9bf">16c8de46</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-12T12:08:29-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Detect NSS with broken CMACs during configuration

NSS versions v3.47 to v3.50 included swapped values for CKM_AES_CMAC and
CKM_AES_CMAC_GENERAL. This adds feature detection to JSS, disabling CMAC
and KBKDF at compile time for the broken NSS versions.

Related: moz-bz#1611209

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/6a91bbc58e0941fd32ef38b4edef0fa190f02ac9">6a91bbc5</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-12T19:11:10-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add JSSProviderLoader implementation

Similar to the way the SunPKCS11 provider works, expose an alternative
JSSProvider, JSSProviderLoader, which loads configuration from a path or
InputStream, and configures our CryptoManager correctly. This allows us
to inject the provider via the java.security interface, rather than via
the existing CryptoManager.initialize(...) method.

Currently this only supports using a single, fixed password. In the
future, JSSProvider could be converted into an AuthProvider (which
supports logging-in to arbitrary tokens), or a more comprehensive
File-based PasswordCallback implementation added.

Additionally, this provider (unlike the JSSProvider it derives from)
supports the JDK9+ style of static initialization, accepting a path to a
configuration file.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/38324383097bb54eedd3ade7433950ecee5ed5be">38324383</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-12T19:11:10-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Provision files for JSSProviderLoader

This allows the test suite to use the JSSProviderLoader system,
injecting the JSS Provider via a java.security override file. This
includes:

 - Updating the test framework
 - Introducing a java.security and jss.cfg configuration file
 - Updating run_test.sh to add the new parameter
 - Introducing the java.security.Provider service file in the JAR

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/836b879f6ec715e4b5e3ddb6fc33cfd1ef591fa5">836b879f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-12T19:11:10-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Convert test suite to JSSProviderLoader

This converts the test suite from the previous
CryptoManager.initialize() based approach to the new java.security
approach. This should work on most platforms. If this fails on your
specified platform, it is likely due to the providers contained in
tools/java.security.in; make sure to update them to match your system's
file.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/5cae3675d2581b3eb9e1d0a9087bd0b9f4dc214e">5cae3675</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-17T13:00:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add diff to pkcs11check installation list

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/a3a91a8e85d7f05de3c85b0ae6ad1c80cf7c5b55">a3a91a8e</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-20T13:33:48-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove token key checks

Previously we enforced strict token key matching: the primary key used
for the operation must strictly reside on the current PKCS#11 token,
otherwise JSS would bail. However, NSS has the ability to move the key
to whichever token best supports the given operation. This means that
we'd prematurely bail when the operation would succeed if it were
actually executed. By removing these checks, we still leave the ability
to generate keys on a specific token, we just allow them to be used on
whatever token supports the given operation (and the key is allowed to
be moved to).

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/ed9075409a2c6b680e44e203762440352d9268e4">ed907540</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-23T12:50:38-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move to proper feature checks

SSLCipher was the first use of a feature which could appear in a later
version of NSS than we support. Rather than bumping the minimum NSS
version, we chose to use compile-time detection of the NSS version and
limit our code accordingly. However, this sets a precedent for ignoring
the features actually present in the NSS system. Certain downstream
distributions are fond of backporting features, which means our code
could've executed but didn't.

Switching to feature detection (via the check_struct_has_member macro)
allows us to be sure we execute this code on as many platforms as
possible.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/a9fcb05fb2f75fb5bc6bbdbccd1e5fa91e6743fc">a9fcb05f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-24T12:40:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSLKEAType enum

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/754e89fac98545b56c343021982ba763001a4af7">754e89fa</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-24T12:40:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSLNamedGroup enum

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/513bde3a0ff83dff39dd0a23cce8849595b361e4">513bde3a</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-24T12:40:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSLAuthType enum

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/4747cb789e88955520ac318b3de57981f869a8b9">4747cb78</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-24T12:40:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSLCipherAlgorithm enum

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/905c7c81f40ed3ce8e063596c54b2f77deb2e1d0">905c7c81</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-24T12:40:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSLCompressionMethod enum

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/15d18d457ec2a1b0bf8c4d07c26883c22557250e">15d18d45</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-24T12:40:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSLMACAlgorithm enum

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/f16e6dada8b928b816b0e58c59a6afa35d16cc0c">f16e6dad</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-24T12:40:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSLSignatureScheme enum

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/04bc82d01b73259033024f09ca90c7c40f528ed8">04bc82d0</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-24T12:40:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSLChannelInfo, SSLPreliminaryChannelInfo

These two types are the results of two nss.SSL calls;
SSLPreliminaryChannelInfo contains the same information as
SSLChannelInfo, with added members to check if a field has been
populated by the respective NSS call. This occurs when the SSL handshake
isn't yet complete.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/8fe4879c8a794fb2ee439fa68e4511bef762b209">8fe4879c</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-24T12:40:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSL_GetChannelInfo, SSL_GetPreliminaryChannelInfo

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/7cd32c5d9905653664992157d27363b2bb662eda">7cd32c5d</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-24T12:40:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add tests for SSL_GetChannelInfo, SSL_GetPreliminaryChannelInfo

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/3f2661f48f15b8868903f9402c9a1efb3f638e3a">3f2661f4</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-24T12:40:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSL_InvalidateSession

This allows the caller to invalidate the current session on a SSLFDProxy
instance.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/4fc106e8c4bb8e9594171d7ebf3104ad00f384fc">4fc106e8</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-24T16:43:52-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update PKCS11Constants from NSS v3.50

Includes the CMAC fixes backported to existing Fedora releases.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/d54ea5073f3906b6a798530f7e88a31f9a70abc3">d54ea507</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-26T09:48:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move from #if to #ifdef in nss/SSL.c

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/7b980a0c3360a48208110ed428da5b6f700365d5">7b980a0c</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-26T09:48:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add detection for SSLCipherInfo's peerDelegCred

Trust but verify. NSS usually documents the version a feature was added
in. However, this wasn't documented in the peerDelegCred case; because
the comment above referred to the following fields being added in NSS
3.34, I assumed it held for this field as well. However, according to
the commit history, it was added more recently, in NSS v3.45.

Add feature detection and another conditional field for this.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/512dbec67da907d9b325c83b2f254e11c3676b22">512dbec6</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-26T11:30:15-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add zip, unzip to BuildRequires

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/36ca9b14920d19278d52529da1b2f7896f1836cd">36ca9b14</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-26T11:40:19-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add CentOS 8 Dockerfile

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/34dc07a353e71949273c4d3b2311aa0f0661eabd">34dc07a3</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-26T11:40:19-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add CentOS 7 Dockerfile

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/6a347c62987eeec52520853fdf88910835805cda">6a347c62</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-26T11:40:19-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add CentOS 7, 8 to Optional section

This reflects that while they're platforms that receive support from
various JSS versions, upstream might pass what downstream ships in
features (either due to the downstream NSS version or for other
reasons). This lets us check the status but consciously break the build
when necessary on those platforms.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/05a4ceb2c5a3d0308a9acc7eb026466295465250">05a4ceb2</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-31T13:41:32-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add NSS-specific SSLSession

The javax.net.ssl.SSLSession interface exposes various details about
the TLS connection handled by this SSLEngine instance.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/80e69b067e22655a843bfe2d59a146840ee908c8">80e69b06</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-31T13:41:32-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add NSS-backed SSLEngine

javax.net.ssl.SSLEngine provides modern, non-blocking SSL support to
Java applications via the Provider interface. This is used by
applications such as Tomcat. The calling application controls the number
of sockets and SSLEngines, with each TLS connection using a single
SSLEngine.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/e505fddfc1aaa5c3a833ea503f55141c4320c4ab">e505fddf</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-31T13:41:32-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSLContext implementation

A SSLContext implementation is required for a Java Cryptography provider
to expose TLS functionality to other applications.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/499ddac48b27ef8d1d4a5b37e9c5880b22ffefa1">499ddac4</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-31T13:41:32-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add tests for SSLEngine

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/d3463a5dea6e8689807949e7f5855856a8caec80">d3463a5d</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-31T14:27:43-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add getters to SSLChannelInfo

Marking the data members private allows us to use getters which throw an
exception when the corresponding feature isn't available from NSS. This
gives us a more descriptive error message including how to fix it, if
necessary. It also hides the less descriptive haveNSS&lt;Version&gt; fields
from the developer.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/cfcfb455e5c4ccd5943759996541d9d67e3c0ac3">cfcfb455</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-31T14:27:43-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add getters to SSLPreliminaryChannelInfo

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/386ac1b9b2d6e46cad934560be58cf95809bca40">386ac1b9</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-31T16:54:46-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Check for java.security loaded JSS

When JSS is initialized from java.security, loading is delayed until the
provider is used. This means that CryptoManager.getInstance() will fail,
unless such a call has been made. Security.getProvider(...) is sufficient
to check for this case.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/97e5597f90df84e59e2c5669d49fed73b4681600">97e5597f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-31T16:54:46-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Migrate tests to local CryptoManager configuration

Two tests require the new local-preferential CryptoManager
initialization: SetupDBs and FipsTest. Refactor these tests.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/83a987a0437b404e3f9211fbfe76fd41b3bf7a8c">83a987a0</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-31T16:54:46-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Introduce NONE java.security mode

This prevents any custom java.security policy from being used during
testing.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/834f15a398a8a168a595c74cf35394af1883088b">834f15a3</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-03-31T16:54:46-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove CryptoManager initialization from tests

Except for the two tests previously excluded, this removes calls to
explicitly initialize CryptoManager from all other tests.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/61a884dfa2eb805510572ec33aaa57730e726199">61a884df</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-01T11:03:40-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Track SSLFDProxy in JSSEngine

All JSSEngines will use the SSLFDProxy instance, though some will push
more into a single JNI call (rather than the multiple JNI calls that the
reference implementation uses). Open up access to the SSLFDProxy
instance to more than just the current caller.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/1794760690a8ac334a7d4333f4e042ca6e7cf071">17947606</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-01T11:03:40-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Expose NSS Session information in JSSSession

This updates JSSSession to expose all session information available from
NSS, refreshing data when necessary. This allows callers to use the
standard SSLSession interface when desired, but also extends it with
access to SSLPreliminaryChannelInfo and SSLChannelInfo structs for
advanced (and JSS-specific) callers.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/78f6e06a67d030e2f668852315c35563dd3a56e9">78f6e06a</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-01T11:03:40-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSLSession to the test suite

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/18499430a9399d3ddf5d353e6f2d29b0fd5e681f">18499430</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-01T12:16:55-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Prevent post-handshake configuration changes

Certain parameters cannot be modified after the handshake begins. These
are which mode we're using (client/server), cipher suites, and protocol
versions. Throw an exception when these are changed after the handshake
has begun.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/d748ba3f2f91ed9f728f3a61e8552a24aa7f7384">d748ba3f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-01T17:46:14-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Override supported SSL parameters in JSSContext

The default JDK implementation assumes that all SSLContextSpi
implementations expose a SSLSocket; it doesn't use a SSLEngine
when a SSLSocket is unavailable, instead throwing an NPE. Lack
of an overridden SSLParameters breaks Tomcat.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/c8ea17000234c689e9a42ef501afeb9bea7d900d">c8ea1700</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-01T19:16:20-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update version script with missing functions

jss.map was missing several functions in the version script, thus
removing them as public symbols from libjss4.so. This introduces those
missing symbols, allowing the native function calls to succeed.

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/92657a86b98563d3eb8eb014e62800f4bea9696c">92657a86</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-01T19:16:20-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add CI to check version script symbols

Signed-off-by: Alexander Scheel &lt;ascheel@redhat.com&gt;
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/ae808f7034bdcb21aa20fb88a1275ea15c5a0c81">ae808f70</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-02T10:50:30-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add optional CI to check if PKI is broken

This adds an optional CI check that builds JSS and then builds PKI,
installing both sets of RPMs.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/0789edca8c0d82bbc43466b4f546e5e40250d3d2">0789edca</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-02T12:22:22-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add unchecked exceptions to debug build tests

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/1886ac1a6cdd1399ade4fa788791dc8a40483b33">1886ac1a</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-06T18:56:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add test for GlobalRefProxy

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/0bb89734f277d232d601ecc39ba0bdbfaab5fb65">0bb89734</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-06T19:34:23-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable BadSSL tests with internet connection

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/0aeff1f82354c9a127543a1a7c1a5a4717ec56de">0aeff1f8</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-06T19:34:23-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Set WITH_INTERNET=1 in rawhide CI

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/453f482fd62f1a13029e708746e81120c3176247">453f482f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-06T19:34:23-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Document WITH_INTERNET option

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/c0f4d20d38710efde2eaa636668545ba129637f4">c0f4d20d</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-06T19:54:26-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Extend default valgrind leak checking

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/5925ff3f56dfad3e82407f8f0e99f4ffaa019549">5925ff3f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-06T19:54:26-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable CryptoManager Shutdown

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/9550e9adfdb997c05e3617fa04e9f9fdaed0022b">9550e9ad</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-06T19:54:26-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add test for CryptoManager.shutdown()

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/cadc299fa69554e2e7ab9226298be639219476ab">cadc299f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-06T21:25:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Support RSA-PSS Signature scheme

Provide support for the various SHAxxxwithRSAPSS algorithms, including
SHA-256, SHA-384, and SHA-512 variants.

Authored by Jack Magne; revised patch forward ported from v4.4.x by
Alexander Scheel.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/a4dd80d626f3feb0f2ff6988c5d9d4038987f667">a4dd80d6</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-06T21:25:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactor JCASigTest

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/f48986f3fecdf08329265e6e2476420c6fcc5061">f48986f3</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-06T21:25:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactor SigTest

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/dd9fc06b9ba487cf982c8dbfd73c616754dbac0d">dd9fc06b</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-07T12:08:36-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move from _NETSCAPE_ to _NSS_ PKCS#11 constants

In NSS v3.52, support is coming for PKCS#11 v3.0. This deprecates the
_NETSCAPE_ namespace for PKCS#11 constants in favor of _NSS_. The few
remaining _NETSCAPE_ constants will be moved to _NSS_. We only use one,
CKM_NETSCAPE_PBE_SHA1_DES_CBC. Add an #ifdef for compatibility with the
new preferred name.

See also: moz-bz#1603628

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/0ac36dc38a1f1b8cefe815b9a37d3ae5ca4d300b">0ac36dc3</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-04-08T15:04:47-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added stack trace in Utils.base64decode()
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/3b34c2ca6a8a8e3801ce3181fb904e02f8327e53">3b34c2ca</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-09T13:49:24-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Branch to v4.7.0 beta release 1

Since SSLEngine is a breaking change introducing significant new
functionality (and strictly requiring NSS v3.44 or greater), move
to a new minor version.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/3860960dca5b64e417b942b06a40415a69a9eb31">3860960d</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-09T13:53:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Throw NPE in PK11PrivKey.getPublicKey()

In NSS < v3.44, getPublicKey() will return null, resulting in a
RuntimeException about an unknown key type during a call to
PK11ECPrivateKey.getParams(). This isn't strictly true; the
reason is that the native code doesn't handle NSS returning NULL
from SECKEY_ConvertToPublicKey(...). This only happens when NSS is
an old enough version.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/b73595e93d81498b1c7cd6aca55da0f80b58c455">b73595e9</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-09T13:53:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Bump minimum required NSS version to 3.44

Due to a bug in NSS not fixed until v3.44, bump the minimum required NSS
version to v3.44.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/f74dd43e44c106f16c2750c2918c104eaa568c8c">f74dd43e</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-09T13:53:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Document known NSS incompatibilities

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/814fa9621ec42e6b99307f223db0a3119bf046d7">814fa962</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-13T17:25:53-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix latest jss.map entry to v4.7.0

When v4.6.x was branched off of v4.6.3, jss.map wasn't updated to
reflect the next version on the master branch.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/451f78b5d48fab46505c37a79d503e12197f3e3b">451f78b5</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-14T10:48:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Accept NULL in CryptoManager.setPasswordCallback()

In the javadocs for CryptoManager.setPasswordCallback(), it says:

> The callback may be NULL, in which case password callbacks will
> fail gracefully.

However, setNativePasswordCallback() will assert on a NULL callback.
Fix this to handle NULL gracefully.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/30b3cde147283d32ec2fd902128e18f54252cf4d">30b3cde1</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-15T10:54:36-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow NULL PK11PrivKey identifiers

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/f7f0e2652af0f0f8d7a3db360ade42e762f5007e">f7f0e265</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-15T20:06:48-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make PK11Cert AutoCloseable

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/d57c7a8ac6d3678884cd86f9df8cb392007785b8">d57c7a8a</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-15T20:06:48-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make PK11Cipher AutoCloseable

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/de6f81e4a9ba7a5ea7c63b553c557bab932ee730">de6f81e4</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-15T20:06:48-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make PK11Key AutoCloseable

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/5bb02e2d02bd1419ee5229a7d9f079af4705a2fa">5bb02e2d</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-15T20:06:48-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make PK11MessageDigest AutoCloseable

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/f678f583e0dfb539e7f9cc9ec985ff6f9dada2e7">f678f583</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-15T20:06:48-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make PK11Signature AutoCloseable

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/33ae12d7055271b7ff5a95867302f9c6358eeb0a">33ae12d7</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-15T20:06:48-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix NativeProxy registry tracking

When the switch was made to a HashSet-based registry in
eb5df01003d74b57473eacb84e538d31f5bb06ca, NativeProxy didn't override
hashCode(...). This resulted in calls to close() (and thus, finalize())
not invoking the releaseNativeResources() function to release the
underlying memory.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/9cdc9101d6ecad1309640a2c428823fd08bcff8f">9cdc9101</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-15T20:06:48-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Improve SSLFDProxy's globalRef access

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/d00a2fe9aa6406f94382738492841ea8ceb51174">d00a2fe9</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-15T20:06:48-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix SSLSocketBase/SocketProxy closure

With NativeProxy now exposing a close method, we can fix the interaction
between SSLSocketBase and its wrapped SocketProxy. Previously,
SSLSocketBase invoked a native method, socketClose() during its close()
handler (which is invoked from SSLSocket.close() and in turn from
SSLSocket.finalize()). This gives a potential race condition when the
value of mPointer is NULLed between SocketProxy.finalize() and
SSLSocket.close() / SSLSocket.finalize() -- if the former executes
before the latter, socketClose() would attempt to dereference a NULL
pointer.

Fix this in two parts:

 1. Make SocketProxy.releaseNativeResource() actually release native
    resources by calling JSSL_DestroySocketData(...); at the same time,
    make closeSocket merely call PR_Close(...).
 2. Update SSLSocketBase to call SocketProxy.close() explicitly.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/0c5f6703ce736782b554665dc6b584313757fb23">0c5f6703</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-15T20:06:48-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle NULL pointers in releaseNativeResources

In the style of the previous commit, ensure all pointers are
non-NULL before continuing to free them. Some of these are excessive as
NSS does do some checking, but in this case consistency is better.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/9342d695dfad0fd37ef62fc321b991056979d692">9342d695</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-20T12:38:16-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add documentation on the Mozilla-JSS Provider

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/fe382e5255d3c92a4d41515b92f25245dc24d3ba">fe382e52</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-20T12:38:16-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Improve documentation in InitializationValues

Also add clearer InvalidLengthException descriptions.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/51e88434018d84335962c582b2f9ead67396c047">51e88434</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-20T13:38:31-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove space from AlgorithmId.toString()

In cadc299fa69554e2e7ab9226298be639219476ab and v4.4.x commit
e1ee07a3c19cd15d7dab1dedf383128a2b83b925, AlgorithmId was updated
to unconditionally add an extra space to toString, to separate the
algorithm name from the parameters. This suffices in some cases, but
AlgorithmId.toString() is used by PKI to compare against a tokenized
list of characters. Removing the extraneous whitespace was the solution
proposed in PKI commit 53de751485b04fe2a1555228342ed642c9a9e347, but
this should really be handled in JSS instead of PKI.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/8627b3c0c87b21be6d0ca27cb24365923fcd531b">8627b3c0</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-21T14:02:09-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix NPE in Utils.HexEncode

In 30b3cde147283d32ec2fd902128e18f54252cf4d, allowances were made for
keys without a unique identifier yet. This happens when the key is new
and code is racing to create an identifier for a key held by another
process which is also accessing the NSS DB. Mostly, this occurs in the
JSS test suite process.

As a result of the now-NULL result, JSSKeyStoreSpi.getAliases will call
Utils.HexEncode with a value of null, raising an NPE. Allow
Utils.HexEncode to return an empty string instead of raising an NPE in
this case.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/edfdbb545c9e2d8921b9c30c7f2a83b7ffa0fe97">edfdbb54</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-21T21:44:04-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Simplify PR.Close() logic

From earlier discussions on memory management, we should isolate the
concerns of the NSPR layer from having to deal with SSL FD specific
stuff as much as possible. Move what used to be in the SSLFD-specific
NSPR close layer to SSLEngine itself.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/8b517720079967471e61558286ea9b43e4c81048">8b517720</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-04-23T11:36:16-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Minor improvement to GH actions

Add matrix strategy to avoid redundant code

Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/268825522a57eecde1dab9829792381a98291d5d">26882552</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-23T12:09:01-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix SHA512withRSA/PSS identifier

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/cac2f35bbcd9bfe71367b4f51509bf8669c0c3df">cac2f35b</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-23T13:56:09-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Consume all input bytes in logging sockets

When the read end of the logging socket is full, writing also tends to
hang. Drain the read end of both sockets before attempting any writes
to help ensure nothing hangs.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/6225bf8718df4a2d34d6999b716732f7ba4f09db">6225bf87</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-23T13:56:16-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable debug logging with run_test.sh

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/4974db8661e838de9ed2ff8bda78dbcc77ef82a1">4974db86</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-23T17:08:09-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add AlgorithmId.toStringWithParams, fix toString

PKI's usage of AlgorithmId.toString() doesn't handle having the
parameters encoded in the toString() representation of the id.
Move toString() back to only having the contents of algName, and
move parameters to a separate method.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/c5691d07c98bf3952668d4eb2002343151664ec8">c5691d07</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-04-27T12:20:54-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Refactored CertificateChain

The CertificateChain class has been modified to use
a List instead of a fixed array of X509Certificates.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/2cba9b8643ff2baee9868ce9abaafc384573dd01">2cba9b86</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-04-27T12:20:54-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added CertificateChainTest
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/1c7193ca15f98118762fd2983533dcedf44f49df">1c7193ca</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-27T13:40:39-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Comply with crypto-policies outside of Tomcat

When constructing a new SSLEngine, Tomcat will take the supported
ciphers and limit the enabled cipher suites to only ones which are
supported by this SSLEngine implementation. Because the list of cipher
suites we returned were allowed by local crypto policy, our result was
compliant. However, other usages of SSLEngine aren't guaranteed to
behave the same; make sure we explicitly filter to only supported cipher
suites.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/9711bfdd2f5629993ba45ed61079c8b8311f51bf">9711bfdd</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-27T16:06:50-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use non-interactive apt installation

Lately an update for tzdata has been breaking CI tests for Ubuntu:

    Setting up tzdata (2019c-3ubuntu1) ...
    debconf: unable to initialize frontend: Dialog
    debconf: (TERM is not set, so the dialog frontend is not usable.)
    debconf: falling back to frontend: Readline
    Configuring tzdata
    ------------------

    Please select the geographic area in which you live. Subsequent configuration
    questions will narrow this down by presenting a list of cities, representing
    the time zones in which they are located.

      1. Africa      4. Australia  7. Atlantic  10. Pacific  13. Etc
      2. America     5. Arctic     8. Europe    11. SystemV
      3. Antarctica  6. Asia       9. Indian    12. US

Setting DEBIAN_FRONTEND=noninteractive should prevent apt from querying
information from the container image.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/4ecd5bac2d73b3566640b88c64d028277194a706">4ecd5bac</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-27T16:53:23-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Always run workflows regardless of branch

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/ba07d407cfc38fa6fdf6be24f300e188c1c90db2">ba07d407</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-04-28T12:38:08-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added PKCS7 constructor

A new constructor has been added to create a PKCS7 from
an array of certificates. This can be used to simplify
CertificateChain.encode() and some other code in PKI.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/d6872887290ca87f0b80ff29dbee1a5191af48a6">d6872887</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-04-28T15:27:16-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Added CertificateChain.sort()

The CertificateChain.sort() has been added to sort the
certificates in the certificate chain.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/03afe804421f6671f0d277ec9313e6610cee7d2b">03afe804</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-28T16:47:44-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle premature JSSEngine.cleanup()

When JSSEngine.cleanup is called prematurely, before ssl_fd or any
buffers are created, many of the native methods would segfault if
called with NULL buffers.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/2a6b443fbc776c5ff3ba295a0729c4a820fdb58e">2a6b443f</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-04-29T13:40:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fixed CertificateChainTest.testGetterMethods()

The CertificateChainTest.testGetterMethods() has been
modified to ignore the exception message since it may
change in different JDK versions.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/20a3497ba05580d07ff2ee683f4d8e5869c2aa61">20a3497b</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-29T13:41:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Expose SSL_ENABLE_POST_HANDSHAKE_AUTH

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/cb117b7f40c4c68bc2384eb1217c4d8854642fce">cb117b7f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-29T13:41:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Expose SSL renegotiation related options

Includes:
 - SSL_ENABLE_RENEGOTIATION and its four values:
    - SSL_RENEGOTIATE_NEVER
    - SSL_RENEGOTIATE_UNRESTRICTED
    - SSL_RENEGOTIATE_REQUIRES_XTN
    - SSL_RENEGOTIATE_TRANSITIONAL
 - SSL_REQUIRE_SAFE_NEGOTIATION
 - SSL_ENABLE_FALLBACK_SCSV

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/305b55c289878e26dc191507f44ef76adb6d18c1">305b55c2</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-29T13:41:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Expose SSL_ReHandshake

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/115b233fb088b42c7909d759da567f6bd2e5e5cc">115b233f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-29T13:41:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Track handshake completion in SSLFDProxy

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/3107b195b1630ebbf9d9572a67f7e7321ca17091">3107b195</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-29T13:41:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Implement SSL_SendCertificateRequest

This method is experimental for TLS v1.3 support and replaces
SSL_ReHandshake(...) for proper Post-Handshake Authentication
support.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/d9da9bf3a846e2ca54fb12380a3f1ee2a427854a">d9da9bf3</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-29T13:41:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSL_REQUIRE_CERTIFICATE Values

This adds the following values for use with SSL_REQUIRE_CERTIFICATE:

 - SSL_REQUIRE_NEVER
 - SSL_REQUIRE_ALWAYS
 - SSL_REQUIRE_FIRST_HANDSHAKE
 - SSL_REQUIRE_NO_ERROR

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/f677a71bfbd84747e3f26ee8991ef236b0ef9d3b">f677a71b</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-29T13:41:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Implement SSL_KeyUpdate

This method is experimental for TLS v1.3 support and issues a key update
request, similar to a reduced handshake.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/1e18963b9a7172aecfb121427e13f5771045027c">1e18963b</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-29T13:41:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Introduce JSSEngine configuration, PHA support

NSS (and TomcatJSS) claim post-handshake authentication (PHA) support.
In order to support this, we need two features in JSSEngine:

 - Expose configuration options from NSS, including PHA options,
 - Adding ability to notify JSSEngine implementations about
   certain configuration changes.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/4cadb954b6567bec5f683b6070e08e479ac03598">4cadb954</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-29T13:41:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add Post-Handshake/rehandshake SSLEngine tests

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/c5a6d68ea4c2a318996e644ee28626b44885c828">c5a6d68e</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-29T14:42:39-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move JDK11 test to required section

Fedora 33 will ship with OpenJDK 11 by default and packages will be
required to compile with it. Move this to the default section so we
can catch failures with JDK11 support.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/01aee640091972deb21a0190a7acd65432230f00">01aee640</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-30T09:55:01-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add test case for large wrap/unwrap

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/1b95a46910e40482c73fce014b92cb94ab035f16">1b95a469</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-30T09:55:01-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow dummy PR.Write with NULL buffer

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/004d3aa928095f7c8ae8c406d013164dfed61968">004d3aa9</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-30T09:55:01-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow JSSEngine.wrap/unwrap of large buffers

Because JSSEngine wraps the native NSS, there are two places data can be
buffered:

 - Within JSSEngine's internal buffers,
 - Within NSS's internal buffers.

When the handshake has completed, we need to ensure we always drain as
much data as possible from these buffers into wrap/unwrap. This requires
us to invoke multiple calls to PR.Read and PR.Write, until they
eventually return EWOULDBLOCK or 0 data written.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/74c5ffabc509a79a47ba84128ab6a23b4c08bd9a">74c5ffab</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-30T09:55:01-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Gate socket logging behind debug flag

This debug logging is broken for large messages because it times out
trying to write data. Disable it by default unless explicitly recompiled
with support in the test suite.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/074a389d1f9c20e56b713ad5c6d8f0e0b1dff54b">074a389d</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-30T09:55:01-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle JSSEngine.putData(...) with large arrays

When data and the destination buffer are roughly the same size, and both
suitably large, it makes more sense to use ByteBuffer.put(...) with
the source array (providing offset and lengths) rather than manually
putting each byte into the buffer.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/8763efc484a4d18cb871bb82008d925b61dfa8d6">8763efc4</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-30T09:55:01-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle PR.Writes of smaller sizes in JSSEngine

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/e58cd6976f566b51d95e9db316e56cad9533484e">e58cd697</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-30T09:55:01-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Return FINISHED status from JSSEngine.{un,}wrap

When handling large messages, updateHandshakeState() gets called
multiple times during handshaking. If the handshake becomes FINISHED
and data gets written to a buffer, we'll call updateHandshakeState()
again, resulting in it immediately moving to NOT_HANDSHAKING. Because
clients expect a FINISHED message before NOT_HANDSHAKING, only step
further after FINISHED has been returned from either wrap or unwrap.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/c0d054b8f8118a45db59bf3f994ff6414439d9ea">c0d054b8</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-04-30T18:27:32-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Hack: provide JSSContext's SSLSocket via SunJSSE

Use the default SunJSSE provider to implement getSocketFactory and
getServerSocketFactory rather than returning null. This should appease
implementations expecting a SocketFactory instance.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/4f63549e84402cde5d8b2eebc1665a0fe91b4687">4f63549e</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-04T10:27:47-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add getSSLParameters to JSSEngine

This returns a new instance of JSSParameters which can be used to clone
the configuration of this SSLEngine into another. This is helpful for
implementing SSLServerSocket, which must accept(), creating a new
SSLSocket with the same initial configuration.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/32844305b93e9dace7260be368b225c70369dbf7">32844305</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-05T13:19:09-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Gate JSSContextSpi behind SSLEngine feature flag

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/13734eafc107463e9c7bd52827bba640e0abc35f">13734eaf</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-07T13:00:32-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Switch to using %license macro for LICENSE files

See: https://pagure.io/packaging-committee/issue/411
See: https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/3416031d6d0ad49e5f995970d0cceeddec5656e0">3416031d</a></strong>
<div>
<span>by Jack Magne</span>
<i>at 2020-05-07T13:24:20-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix RSA/PSS with SHA-512 signature algorithm

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/dce67265fdaea0a82a29624872e1771902d25d4f">dce67265</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-07T16:03:42-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Provide JSSSocket for JSSContextSpi

JSSSocket provides a way of utilizing JSSEngine over an existing Socket,
thus utilizing NSS to provide TLS capabilities for this socket. Unlike
the existing org.mozilla.jss.ssl.SSLSocket, JSS socket complies with
the standard javax.net.ssl.SSLSocket interface, making it compatible
with existing applications and libraries expecting the SSLSocketFactory
from SSLContext to provide SSLSocket instances. This is necessary as
many applications don't handle when SSLContext returns null from the
getSocketFactory() call.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/1ca5fa6fcd1a83de0d9467c3cda3bf3d8088f9a3">1ca5fa6f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-07T16:03:42-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Introduce JSSSocketChannel for JSSSocket

Under java.net.Socket semantics, non-blocking sockets have a
java.nio.SocketChannel member exposed via getChannel(); the older
org.mozilla.jss.ssl.SSLSocket implementation lacks this as it was
implemented over NSPR-backed sockets. However, java.nio.SocketChannel
semantics makes it easier to implement the core interactions with our
JSSEngine. We chose to always expose a JSSSocketChannel instance, even
when the underlying socket isn't explicitly configured as non-blocking.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/8f42f34999a83abe4c59222fdd56dc5fc6c38749">8f42f349</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-08T11:24:13-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">SSLSocket: detect failure to receive CLOSE_NOTIFY

An important part of the TLS protocol is the ability to detect whether
or not the peer closed the connection or if an attacker terminated the
connection prematurely. In order to do this, both sides send a
CLOSE_NOTIFY event. When this event isn't detected, raise an IOException
to inform the application about it.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/f8b589eb07b6efb407093a65f677a841508c3292">f8b589eb</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-11T17:49:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Provide a JSSServerSocket implementation

JSSServerSocket implements the javax.net.ssl.SSLServerSocket interface;
this is an interface over java.net.ServerSocket that, upon accept,
creates a JSSSocket and initializes it with configuration from the
ServerSocket. This allows child sockets to be used with minimal extra
configuration beyond what the server itself has.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/c799038524509290911c865729b9a88d31a3e0b0">c7990385</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-11T17:49:51-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add JSSServerSocketChannel for JSSServerSocket

JSSServerSocketChannel introduces the semantics of ServerSocketChannel
to JSSServerSocket. Like JSSSocketChannel and JSSSocket, the server
socket always has a channel associated with it, even if the underlying
socket doesn't.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/07ff6dad5d2ab96296b3714b8681d5aeff004d0b">07ff6dad</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-11T19:27:45-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Simplify JSSServerSocketChannel.accept()

Since we won't return the JSSServerSocketChannel in situations where the
wrapped socket lacks a channel, it is highly unlikely that this method
will ever be called when the parent channel is null. Simplify the logic
and throw an exception in this case instead of returning an accepted
socket channel. Note that, while calling accept() on the parent socket will
always return a non-null socket, it isn't guaranteed to have a
SocketChannel.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/a57bd7c81bc57a358f7b70e167cbe8e025e54065">a57bd7c8</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-12T10:12:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Introduce JSS-specific SocketFactories

In order to finish implementing the SSLContext interface, we need to
introduce SocketFactories which return instances of our sockets. The
methods available on these factories influenced the design of the
socket implementations: because SSLSocketFactory can wrap an existing
Socket into a SSLSocket, we made JSSSocket a wrapped implementation.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/d16099c09cb987ea79e49fd95bfb55652fb5ab29">d16099c0</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-12T10:12:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Switch to JSS-provided SSL Sockets, Factories

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/fb7424e3fc8b8930a684bbcc0195c6a9cc9ab4d5">fb7424e3</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-12T10:12:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move classpath, java.security to variables

This allows for easier editing when running select external tests.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/74f06c6dfd91af139d58a9e0935128c713bba0af">74f06c6d</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-12T10:12:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update BadSSL to test JSSSocket as well

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/015d299f425ef80e6a98cf8adf058197885cedbc">015d299f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-12T10:12:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow null src[index] in JSSEngine

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/1ca5d62253a944a6805835a82185f1f9efcb0cd2">1ca5d622</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-14T14:07:15-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move to shared buffers for TestSSLEngine

This reduces the load on the allocator and on the GC by moving to a
single set of shared, pre-allocated buffers for all tests. We clear
them between tests, ensuring data isn't reused.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/1bd646a45613d16f18f28c641381f680ba1df319">1bd646a4</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-14T14:07:15-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add support for running under perf

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/02725fd5478e8396d7e59aac2242f380c758766d">02725fd5</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-14T14:35:26-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make PK11Cert hashable

This hashes a PK11Cert instance based on the encoded contents of the
cert itself. Two certs are equal if their encoding is the same.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/947c996489b45afeee6d24bb673c431d871b1ae9">947c9964</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-14T14:35:26-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Reuse Server SSLFDProxy instances

One of the slowest calls in JSSEngine is the call to
SSL_ConfigServerCert. By calling this once per certificate on a
model SSL PRFileDesc instance, we can reuse it on all other
server sockets using the same cert, saving us the overhead of
that call.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/791630dccca020c4aad81d234453ae06878bd896">791630dc</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-20T15:28:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable JSS-Provided SSLEngine

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/9ae00be85204655e23f3931ca28fec80d9c0ebe3">9ae00be8</a></strong>
<div>
<span>by Jack Magne</span>
<i>at 2020-05-21T09:56:07-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Related: Bug 1710105 - JSS: add RSA PSS support

Add PSS cases to algorithm name translating method.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/10ca1539ae6e47e86f7e0bf561c82184b9aa07d4">10ca1539</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-22T11:33:19-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't wait for peer close confirmation

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/e64413a138a3e9acb865c52a5ccc4e290fad05c1">e64413a1</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-22T11:33:19-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Throw SSLException in JSSEngineReferenceImpl.init

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/b01412ad28358a75b0f8bf9fd5900cf44d005b20">b01412ad</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-22T11:33:19-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix race in configuring session cache

When multiple JSSSockets and/or JSSEngines are started concurrently,
they will race to configure the session cache. However, the cache can
only be created by one thread at a time and only needs to be done once
in the lifetime of JSS. Make JSSEngine take ownership of cache creation
and utilize this within the legacy SSLSocket as well.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/5b5b1a64711c27b73e3c8fdcae8157c7d7666285">5b5b1a64</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-22T12:10:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add SSLSocket benchmark

This benchmark supports three providers:

 1. org.mozilla.jss.ssl.SSLSocket, named JSS.legacy
 2. org.mozilla.jss.ssl.javax.JSSSocket, named JSS.SSLSocket
 3. the JDK's SunJSSE provider's SSLSocket, named SunJSSE.SSLSocket

Documentation for this benchmark is available under the docs/usage
folder.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/4791c10f3a199f7c06d8a258ec56b448cec00d82">4791c10f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-05-22T17:16:02-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow URL-safe Base64 decoding

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/1884371599d4c91c7271e2143967c74506cb344f">18843715</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-05-26T21:31:11-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated version number to 4.7.0-0.1 (beta 1)
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/e4028b1e8e4a9752a725198e0cc9b402eadd6794">e4028b1e</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-05-27T21:51:27+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Merge branch 'upstream-next' into m-n
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/761fcc3fa13d097b4302fa65ef76b0c0571a3e53">761fcc3f</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-05-27T21:57:01+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">bump the version
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/b6d34ae604a5a60c222be262e472c2bde324aa5a">b6d34ae6</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-05-27T23:32:03+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">disable-kbkdf.diff: Dropped, we have nss 3.51 now.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/a208640f40058f88bfd3219889d9af6d6fb706e5">a208640f</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-05-27T23:36:08+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">releasing package jss version 4.7.0~b1-1
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/b9abee598a6faa10f7685eb894449d292e112f55">b9abee59</a></strong>
<div>
<span>by Andrew Helgeson</span>
<i>at 2020-06-02T13:31:58-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix memory leak caused by not freeing ref counted key in hmac initialization
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/3ceb5b37bf5ac41451e34802ee5102187a37359e">3ceb5b37</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-10T09:09:10-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove Fedora 30, introduce Fedora 32 for CI

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/80ef41c407a539af3d1619aca6c592a474acd8e8">80ef41c4</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-10T09:24:29-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Move informational messages to debug

Previously these were warnings, resulting in many messages during normal
operation that weren't necessarily important.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/ac6495f90defa11f073fcf21602c15eab9d9c531">ac6495f9</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-10T11:35:54-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated version number to 4.7.0-0.2 (beta 2)
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/393dc27a02b3afd28b46f9961e3215498a0502ff">393dc27a</a></strong>
<div>
<span>by Dinesh Prasanth M K</span>
<i>at 2020-06-10T16:06:52-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove Group tag from spec

Removing Group tag from spec file, as it has been deprecated
https://fedoraproject.org/wiki/RPMGroups#DEPRECATION_ALERT

Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/3789795e651d6f4d1e4c404fa0d7402a2d0a740a">3789795e</a></strong>
<div>
<span>by Christina Fu</span>
<i>at 2020-06-16T14:30:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">bug1846565 - JSS: Extensions in CertificateExtensions class could get out of order and cause signature discrepancy

This patch replaces Hashtable with LinkedHashMap to ensure order of
extensions.

https://bugzilla.redhat.com/show_bug.cgi?id=1846565
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/ff9b5d98076a9f55b5a8173cc26f305003304702">ff9b5d98</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-06-17T08:00:40+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">watch: Updated.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/2b0f9eea8b29679fdef3845d1b71485952e3f910">2b0f9eea</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-19T20:58:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add documentation about JSSEngine usage and design

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/9736786e654f2ebb4235600798df2f4af2041020">9736786e</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-19T20:58:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add documentation on PHA/renegotiation

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/e6155359fe3f427ac6e8857ee44d723f517a0cb1">e6155359</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-19T20:58:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Document key selection in JSSEngine

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/9daf425613ba083f59205f9827f1b3f65363cd06">9daf4256</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-19T20:58:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Document cipher, protocol selection, sessions

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/e509d73464279d150cb5e704f0038a148b713797">e509d734</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-19T20:58:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Document large wrap/unwrap theory

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/e72367bcc44cd8721ed0e118c3bae3d96922aae3">e72367bc</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-19T20:58:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Further document JSSParameters

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/e09588382e6441a905ad7b8f2fecbea14c40edf5">e0958838</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-19T20:58:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Mention JSSSocket, clarify performance issues

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/3e97e9da137ad48d03a105da03500d4bec58f3ef">3e97e9da</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-19T20:58:17-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Minor improvements to SSLEngine documentation

Addresses feedback by jmagne.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/20a15857b4a0ab411ff5d8c035aa7d14a00031de">20a15857</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-22T12:32:42-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated version number to 4.7.0-0.3 (beta 3)

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/5c6cef6711c47e26cd2aec397d0a49c2b32dbd42">5c6cef67</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-24T12:09:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix loading of CryptoManager in JSSLoader scenario

When using JSSLoader to initialize JSSProvider from the java.security
list, sometimes CryptoManager.getInstance() will fail. Usually this is
because instance is still null, even though

    Security.getProvider("Mozilla-JSS") != null

The error message will usually be something like:

    FINE: CryptoManager: loading JSS library
    FINE: CryptoManager: loaded JSS library from java.library.path
    Exception in thread "main" org.mozilla.jss.NotInitializedException
           at org.mozilla.jss.CryptoManager.getInstance(CryptoManager.java:365)
           at org.mozilla.jss.tests.SigTest.main(SigTest.java:52)

Allow JSSLoader to return the new CryptoManager object, let JSSProvider
store it, so that in this case, CryptoManager.getInstance() will return
an initialized instance.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/2bc188e6da40e2688b89b71218acd6eb76037cf8">2bc188e6</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-24T15:02:04-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up PKCS10Attributes

The PKCS10Attributes has been modified to use a SLF4J logger
instead of printing to standard output.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/642aa37fe25adb0f9178ba83fc6c3f167923e082">642aa37f</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-06-24T15:02:04-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Cleaned up EncryptedContentInfo.decrypt()

The EncryptedContentInfo.decrypt() has been modified to clear
PBEKeyGenParams to avoid warnings about uncleared passwords.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/cac4b5590bf2857e3f349d00c2ec01e0f2d23ea4">cac4b559</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T12:37:26-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Split JSSKeyManager interface, implementation

JSSKeyManager extends X509KeyManager and provides one additional call
that is used by JSSEngine. We also introduce a token-backed KeyManager,
using the existing KeyStore API. When no KeyStore is provided, this
KeyManager falls back to loading certificates from the CryptoManager,
matching existing behavior.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/231091600e39127146ebb54733a86467d77190f3">23109160</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T12:37:26-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add test for Token-based KeyManager

Into the JSSEngine tests, we introduce an additional path which uses the
new JSSTokenKeyManager both with the KeyStore and without it.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/65b484baeb605b53b3c22a00a82bfe3768ee4d01">65b484ba</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T12:54:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Support asynchronous certificate authentication

This exposes support for the SSL_AuthCertificateComplete API call, which
allows us to create a SSL_AuthCertificateHook handler which returns
SECWouldBlock. This returns control back to the caller, allowing them to
execute certificate authentication on their own, lazily. When the result
is available, the Complete call can be performed with the result of the
check. This will enable us to do external (non-native) X509TrustManager
checking in JSS's SSLEngine implementation in a Runnable, implementing
the DelegatedTask aspect.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/23f8aed1cf6bc76306b8c47c221f2ff140c30b3f">23f8aed1</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T12:54:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Check whether DSS certificates are required

Allow SSLCipher to check whether or not a DSS certificate is strictly
required by the given cipher suite. This will be used in SSLEngine to
determine the AuthType to pass to the X509TrustManager.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/e0d66ba2780d2255c766e9e9f24f6069df59c974">e0d66ba2</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T12:54:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Handle NSS/TLS SSLVersion identifiers

NSS uses the TLS protocol version identifiers from the specs (two byte
integers, 0x0002 for SSLv2, 0x0300 for SSLv3, and 0x030{version+1} for
TLSv1.0 -> TLSv1.3); when the caller forgets to convert the value to the
internal JSS enum index, they're left holding a NULL enum value.
Instead, track the real NSS value and return the proper Enum for it.
This shouldn't be a problem as these values are mostly unique (sans a
SSLv2 / SSL_ENABLE_TLS conflict with value 0x0002).

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/f5d07a1fb72b220ada7840d7ed08ae2e06287e90">f5d07a1f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T12:54:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Map certificate exceptions to NSS error codes

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/5e0284d5735194963320515e8b554e23dc48db4f">5e0284d5</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T12:54:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Implement synchronous CertAuthHook for SSLFDProxy

In conjunction with the previous commit enabling asynchronous
certificate authentication, NSS as of v3.53 still doesn't support
asynchronous certificate authentication on the server side of the
handshake. This implementation allows for easy implementation of both
synchronous and asynchronous certificate authentication handlers.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/cc2937cf80defe75055352edd4c7540c25cddee8">cc2937cf</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T12:54:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add TrustManager validation support to JSSEngine

This implements external (to NSS) TrustManager validation in
JSSEngineReferenceImpl, allowing validation of certs from
TrustManagers provided by the caller. This works with both client and
server SSLEngines, though while the former delegates the task via
getDelegatedTask, the latter cannot and does it synchronously.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/775d588fe4ef28dcf539873c7b81445e12efb862">775d588f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T12:54:33-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Support NEED_TASK in SSLSocket

Note that the JSSTrustManager doesn't give the same output as
JSSNativeTrustManager so we cannot enable this in the BadSSL tests.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/1efa2db767605fcac0c20b0c24892f949aa87215">1efa2db7</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T17:33:43-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Limit JSSSession refreshData calls

Calling refreshData excessively doesn't necessarily bring any fresh
data, while hurting performance. Remove the call to check peer's
certificate chain and only check it after the handshake has completed.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/c38222a6c08ae7a785ebd96f5e45ecc513b9ca7e">c38222a6</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T17:33:43-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make sure sockets closed in BadSSL

Sometimes we leak a socket because it throws an exception (that we're
expecting!). Use the try-with-resources pattern to make sure we close
it.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/a13d8fe065be3310c891247a1fb6e2bf5573303a">a13d8fe0</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T17:33:43-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Ensure JSSEngine gets freed in JSSSocket, Channel

By calling cleanup() on our JSSEngine, we can ensure that all of its
associated resources can get cleaned up as well, including the
underlying PRFileDesc * instance. Call it both during JSSSocket close
and JSSSocketChannel close.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/0e76ce92a178f11dfb7a33568dedf84cf0ff8309">0e76ce92</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T17:33:43-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Correctly implement BufferPRFD

This fixes several issues with our BufferPRFD implementation:

 - It needs a unique layer identifier,
 - It needs to be created via PR_CreateIOLayerStub,
 - We shouldn't override the default dtor,
 - And we should make sure to delete ourselves from our Close
   implementation.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/d29c7603f01a7204e0dafc56e681d412284d1137">d29c7603</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T17:33:43-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Free values in SecurityStatusResult

Because we create a copy of their values, we are safe to free these
values on exiting from JSS_NewSecurityStatusResult().

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/276b3d0fe62b3571fb8c127e9516120c9e9a5022">276b3d0f</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T17:33:43-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Implement PRFDProxy.releaseNativeResources

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/7dd264225a0a891419e8a33ec16c4033b0047fe2">7dd26422</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-06-25T18:40:12-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated version number to 4.7.0-0.4 (beta 4)

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/d9d09619804688f223ec1e75e2e1e6d4fa484e20">d9d09619</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-07-01T06:51:34+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Merge branch 'upstream-next' into master-next
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/406e61583c13c96eab5e5534bb2f03ebccc15c9b">406e6158</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-07-01T06:51:59+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">bump the version
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/2b39412d3d6d86fd0c0d89dd884aa51395f31166">2b39412d</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-07-01T07:02:51+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">releasing package jss version 4.7.0~b4-1
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/1fb6097a2ab73ef897d011e7383d7f5f1bf6a1df">1fb6097a</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-01T13:05:24-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Replace SHA-1 signature with SHA-256

A recent change in Fedora Rawhide's crypto-policies package caused
failures in the tests like the following:

    Exception in thread "main" java.io.IOException: SocketException cannot read on socket: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
        at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1494)
        at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:38)
        at org.mozilla.jss.ssl.SSLInputStream.read(SSLInputStream.java:25)
        at org.mozilla.jss.tests.SSLClientAuth.run(SSLClientAuth.java:435)
        at java.lang.Thread.run(Thread.java:748)
    Caused by: org.mozilla.jss.ssl.SSLSocketException: Error reading from socket: (-12271) SSL peer cannot verify your certificate.
        at org.mozilla.jss.ssl.SSLSocket.socketRead(Native Method)
        at org.mozilla.jss.ssl.SSLSocket.read(SSLSocket.java:1488)
        ... 4 more
    Server exiting
    org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8016) Unknown error
        at org.mozilla.jss.ssl.SSLSocket.forceHandshake(Native Method)
        at org.mozilla.jss.tests.SSLClientAuth.testConnection(SSLClientAuth.java:345)
        at org.mozilla.jss.tests.SSLClientAuth.doIt(SSLClientAuth.java:156)
        at org.mozilla.jss.tests.SSLClientAuth.main(SSLClientAuth.java:90)

This was caused by dropping SHA-1 as an allowed hash during handshakes.
However, because SSLClientAuth manually generated its certificate (and
explicitly asked for SHA-1), it failed.

Switch to SHA-256 instead.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/8ed5a82a973922d07d0610fd42c48b2a0ec97d6c">8ed5a82a</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-01T13:05:24-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove all legacy DSS/DSA tests

The only signature algorithm supported with DSS is SHA-1, which will soon
become deprecated and broken. DSS itself isn't widely used either, so we
should remove it from the test suite as well.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/e158c7cc723306f0ea08b14754107aa04496727e">e158c7cc</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-07-02T14:34:44+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">releasing package jss version 4.7.0~b4-2
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/93d88fcb4bf4ac66ec38ded79106fb0731a8b7dd">93d88fcb</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-02T11:37:06-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add concurrency limit on BenchmarkSSLSocket

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/ab8346383a9280ca403080e1da182310e03d7c15">ab834638</a></strong>
<div>
<span>by Endi S. Dewata</span>
<i>at 2020-07-02T15:53:26-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Updated build.sh to generate UTC timestamp

The build.sh has been modified to generate UTC timestamp such
that it is consistent across different time zones.
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/1dd7166be91088897bb27bd45cf793d720798e18">1dd7166b</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-06T12:37:24-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Close outbound when inbound side is closed

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/3e1750a12bfc8aebf70665c0a779ec7e51bd0587">3e1750a1</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-06T14:38:49-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add jdk11u Basics tests

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/f4a2aad6d3f5a1b60265e0f8c7b5bf481dcb212e">f4a2aad6</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-06T14:38:49-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test semantics of ByteBuffer indices

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/5ef4c22cdd83a09cca44df3389bc0b99ede1bb93">5ef4c22c</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-06T18:24:21-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Detect and report buffer underflow status

This fixes an issue with large POST requests and Tomcat looping. Tomcat
is expecting unwrap() to produce data, but NSS won't produce any data
until it has the entire packet and can validate the message signatures.
This means we need to report the status back to Tomcat, so it can add
more data to the buffer (occasionally, increasing the size of the buffer
when necessary).

Occasionally this will report a false-positive: if we get an alert or a
protocol-level message after the handshake (such as a re-key event or a
post-handshake auth event in TLSv1.3), we'll report the status as
BUFFER_UNDERFLOW. However, this should largely be fine unless our caller
gets stuck querying more data from the socket. In the worst case, it'll
trigger a premature close notification (and corresponding wrap call).

However, from our testing, this appears to be safe.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/30162370f1e6302e5425a044067632b0a7c22bbd">30162370</a></strong>
<div>
<span>by Alexander Scheel</span>
<i>at 2020-07-06T18:24:21-04:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update JSSSocketChannel to handle BUFFER_UNDERFLOW

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/0315dacebb7a990aa6a716fe6afaa4b0d11a21f3">0315dace</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-07-28T10:56:34+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Merge branch 'upstream' into master-next
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/97beda0fe1f7ddeadcbf6a02e8edb3e5506f6827">97beda0f</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-07-28T11:13:31+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">bump the version
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/jss/-/commit/217dc9e4421f67c1836f261373a0297fff68adc9">217dc9e4</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-07-28T11:32:35+03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">releasing package jss version 4.7.0-1
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#441184c80664659e692970e9e1012922ff92a4f2">
.github/workflows/optional.yml
</a>
</li>
<li class="file-stats">
<a href="#5a8c90f0f1247e55f28895fb8ea7046d8987974f">
.github/workflows/required.yml
</a>
</li>
<li class="file-stats">
<a href="#a5cc2925ca8258af241be7e5b0381edf30266302">
.gitignore
</a>
</li>
<li class="file-stats">
<a href="#9a2aa4db38d3115ed60da621e012c0efc0172aae">
CMakeLists.txt
</a>
</li>
<li class="file-stats">
<a href="#59f81c123b3abbcb97274545796dd18706c3e106">
build.sh
</a>
</li>
<li class="file-stats">
<a href="#9476b08a5c3527067a65d63cb640555273d0ea4a">
cmake/JSSCommon.cmake
</a>
</li>
<li class="file-stats">
<a href="#9f3af9fef0e3976107ab469d0eb1c9684c9aa796">
cmake/JSSConfig.cmake
</a>
</li>
<li class="file-stats">
<a href="#a8a567af8ceb46f449dc0e7aaaf4ce0465d01d9e">
cmake/JSSTests.cmake
</a>
</li>
<li class="file-stats">
<a href="#9c96da0e9f91d7d8937b69b524702c106258f0d1">
debian/changelog
</a>
</li>
<li class="file-stats">
<a href="#27a59d7bbc4386a46ecee0baa581242256175d98">
<span class="deleted-file">

debian/patches/disable-kbkdf.diff
</span>
</a>
</li>
<li class="file-stats">
<a href="#bc34014ab4b9a49dd7a27bdd8d352912607c3a96">
debian/patches/series
</a>
</li>
<li class="file-stats">
<a href="#68ef9f98c01c7eecd4c605cc26048a06f3304b79">
debian/watch
</a>
</li>
<li class="file-stats">
<a href="#fc8bb6166f7ee0c5a8f314d71eb720595afaccf5">
docs/build_system.md
</a>
</li>
<li class="file-stats">
<a href="#8ef6e954989f98623a7c599f036efdd555ced6b3">
docs/dependencies.md
</a>
</li>
<li class="file-stats">
<a href="#90c974cf37d0352530c3d76bba644f47e91bdb05">
<span class="new-file">
+
docs/nss.md
</span>
</a>
</li>
<li class="file-stats">
<a href="#abf43dad5a6ea37e9babd71ec755db5caf9645e8">
<span class="new-file">
+
docs/usage/benchmarksslsocket.md
</span>
</a>
</li>
<li class="file-stats">
<a href="#9f0afad4d967307fde14562e18a725bfa430703f">
<span class="new-file">
+
docs/usage/jssengine.md
</span>
</a>
</li>
<li class="file-stats">
<a href="#68ae852f2a432586f24884cf5028a829398051ed">
<span class="new-file">
+
docs/usage/jssprovider.md
</span>
</a>
</li>
<li class="file-stats">
<a href="#54fbe7fbffc78bf38cd47d73a04149869dc04133">
docs/using_jss.md
</a>
</li>
<li class="file-stats">
<a href="#063bf4b6263fbc45f86d361246396c742b514a97">
jss.spec
</a>
</li>
<li class="file-stats">
<a href="#348fe23155622a99de9370e2850039b65e900f6f">
<span class="new-file">
+
lib/java.security.Provider.in
</span>
</a>
</li>
<li class="file-stats">
<a href="#b12d4bb39e2227abf2936f0537fc380e566dcdc9">
lib/jss.map
</a>
</li>
<li class="file-stats">
<a href="#d060b1b57a3488a669e60d6168b7b90edb50e1ae">
org/mozilla/jss/CryptoManager.c
</a>
</li>
<li class="file-stats">
<a href="#6722cbd0f8d28e4aaa6caeeef3d82a2704da7b07">
org/mozilla/jss/CryptoManager.java
</a>
</li>
<li class="file-stats">
<a href="#bd00db5307ecf60dc43f849feb9c41ce2d04f26b">
org/mozilla/jss/InitializationValues.java
</a>
</li>
<li class="file-stats">
<a href="#2f920a7ced3dbb9ec9abf0984bb848106353e526">
org/mozilla/jss/InvalidLengthException.java
</a>
</li>
<li class="file-stats">
<a href="#f25327ca669e703a8591fc937649e0fef06630d8">
<span class="new-file">
+
org/mozilla/jss/JSSLoader.java
</span>
</a>
</li>
<li class="file-stats">
<a href="#203cdf732fbb9205397f279bd7e42f3af0fb737d">
org/mozilla/jss/JSSProvider.java
</a>
</li>
<li class="file-stats">
<a href="#8833ba33d533b57513711e07f2773adb0f9f409f">
org/mozilla/jss/crypto/Algorithm.c
</a>
</li>
<li class="file-stats">
<a href="#84d9750968259e68434fbcc99aa64720b205d6c1">
org/mozilla/jss/crypto/Algorithm.h
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
<a href="https://salsa.debian.org/freeipa-team/jss/-/compare/9b452f1c1af32ca71f0f02aabe1b2e49c336f9bf...217dc9e4421f67c1836f261373a0297fff68adc9">View it on GitLab</a>.
</p>
</div>
</body>
</html>