[Pkg-freeipa-devel] [Git][freeipa-team/jss][upstream] 119 commits: Add helper methods for referencing Java strings

Timo Aaltonen gitlab at salsa.debian.org
Wed Jul 10 08:43:52 BST 2019



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / jss


Commits:
60ebccbf by Alexander Scheel at 2019-03-01T20:09:17Z
Add helper methods for referencing Java strings

Adds a JSS_RefJString method to read the UTF8 bytes of a string and a
JSS_DerefJString method to return the reference when we're done with
it. Also fixes a few helper methods to accept `const` arguments where
appropriate.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
40c82a53 by Alexander Scheel at 2019-03-01T20:09:17Z
Use new JSS_(Ref|Deref)JString methods in ssl/common.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6915ccca by Alexander Scheel at 2019-03-01T20:09:17Z
Use new JSS_(Ref|Deref)JString methods in ssl/callbacks.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
ef087028 by Alexander Scheel at 2019-03-01T20:09:17Z
Use new JSS_(Ref|Deref)JString methods in ssl/SSLSocket.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
db246cca by Alexander Scheel at 2019-03-01T20:09:17Z
Use new JSS_(Ref|Deref)JString methods in ssl/SSLServerSocket.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
09d25215 by Alexander Scheel at 2019-03-01T20:09:17Z
Use new JSS_(Ref|Deref)JString methods in provider/java/security/JSSKeyStoreSpi.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
10548b95 by Alexander Scheel at 2019-03-01T20:09:17Z
Use new JSS_(Ref|Deref)JString methods in pkcs11/PK11Token.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
7119db43 by Alexander Scheel at 2019-03-01T20:09:17Z
Use new JSS_(Ref|Deref)JString methods in pkcs11/PK11SymKey.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
303a1cfb by Alexander Scheel at 2019-03-01T20:09:17Z
Use new JSS_(Ref|Deref)JString methods in pkcs11/PK11Store.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
fa51fc45 by Alexander Scheel at 2019-03-01T20:09:17Z
Use new JSS_(Ref|Deref)JString methods in SecretDecoderRing/KeyManager.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
5f19a944 by Alexander Scheel at 2019-03-01T20:09:17Z
Use new JSS_(Ref|Deref)JString methods in PK11Finder.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6bb7207e by Alexander Scheel at 2019-03-01T20:09:17Z
Use new JSS_(Ref|Deref)JString methods in CryptoManager.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
cae0ed69 by Alexander Scheel at 2019-03-01T20:29:47Z
Bump version to v4.5.3 in CMake

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
31ec720a by Alexander Scheel at 2019-03-01T21:28:15Z
Remove needless dependency on hamcrest

jUnit pulls in hamcrest-core for us.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8be92806 by Endi S. Dewata at 2019-03-05T21:26:37Z
Added ChainSortingTest

A new ChainSortingTest has been added to validate
Cert.sortCertificateChain().

- - - - -
fd3e9cbe by Endi S. Dewata at 2019-03-06T17:20:15Z
Added .copr/Makefile

- - - - -
65d77cf6 by Alexander Scheel at 2019-03-15T16:14:12Z
Fix release procedure in jss.spec

As discovered with the v4.4.6 release, the tarball creation process as
described in the spec file was wrong and/or generated a different
tarball than linked to by the Source URL. Update the procedure to match
the URL.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1623908f by Alexander Scheel at 2019-03-19T18:22:31Z
Branch to v4.6.x

To make packaging easier, branch v4.5.x after the TomcatJSS fixes (in
commit 91870d5b5898dcb1a82c3691449e50baa8fbd9ba). master branch becomes
the new v4.6.x series; marking this as beta.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
acb3bcb4 by Alexander Scheel at 2019-03-20T14:20:03Z
Fix IRC channel name: #dogtag-pki [no-ci]

Credit to @emaldona.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
21fc711d by Alexander Scheel at 2019-03-28T16:28:11Z
Remove 3s sleep from SetupDBs

As far as I can tell, this 3s sleep is extraneous. This test creates the
NSS DB (instead of calling certutil -N) and provides an anchor point in
the test suite. Our alternatives are to use `certutil -N` instead of
SetupDBs, but we might as well keep this, just without the sleep.

It is possible the sleep was used, perhaps to ensure that the DB is
flushed to disk before the test suite continues, but this should be
handled by the JVM and shouldn't be considered as a side-effect of a
Sleep.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
23e176bd by Alexander Scheel at 2019-03-29T15:25:22Z
Use --with-timestamp and --with-commit-id for COPR

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1d618027 by Alexander Scheel at 2019-04-01T15:33:07Z
Add dnf install -y git

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
5946034e by Dinesh Prasanth M K at 2019-04-01T18:33:27Z
Minor bug fix in COPR autobuild

Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>

- - - - -
829a474a by Alexander Scheel at 2019-04-08T14:28:55Z
Add helper methods for referencing jbyteArrays

Adds a JSS_RefByteArray method to read the jbyte contents of a jbyteArray
and a JSS_DerefByteArray method to release the resources.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
cd5b990e by Alexander Scheel at 2019-04-08T14:28:55Z
Add JSS_FromByteArray to safely access jbyteArray

One issue with (*env)->GetByteArrayElements is that it does not NULL
terminate the input. Another issue is that forgetting to call
(*env)->ReleaseByteArrayElements results in a stray reference to the
byte array, preventing it from being garbage collected.
JSS_FromByteArray solves this by returning a new copy of the data,
releasing the reference right away.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d357c5b9 by Alexander Scheel at 2019-04-08T14:28:55Z
Refactor to use JSS_DerefByteArray

This fixes a few instances where byte arrays elements wouldn't be
released if they're not copies; they should always be released.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f9bb4ef3 by Alexander Scheel at 2019-04-08T14:28:55Z
Refactor to use JSS_RefByteArray

This simplifies some logic to use JSS_RefByteArray instead of separate
calls to GetByteArrayElements and GetArrayLength.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d980cfb1 by Alexander Scheel at 2019-04-08T14:29:02Z
Extend SSLVersion to support JDK names

SSLVersion currently only supports a single alias for naming TLS
protocol versions. Keep providing (and defaulting to) the NSS style
names, but also provide the JDK style names. This allows us to map
between the NSS constant and the JDK names.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
26dd3254 by Alexander Scheel at 2019-04-08T14:29:16Z
Return positive BigIntegers

Several of the usages of BigIntegers lead to the potential of negative
numbers, though only positive numbers should be returned.

PK11RSAPublicKey's getModulus() and getPublicExponent() methods can
potentially return negative values, when both the modulus and exponent
should be strictly positive.

PK11PrivKey's getDSAParams() could return negative values depending on
the PQG parameters.

The Key Identifiers printed by tests.CloseDBs should be positive (as
they're UIDs) but could be displayed as negative values; the same
happens in crmf.CertReqMsg.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d8a9d997 by Alexander Scheel at 2019-04-24T17:58:55Z
Use JDK8 as the source and target release

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8a46c60c by Alexander Scheel at 2019-04-24T17:58:55Z
Support JAVACFLAGS

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
15dd2237 by Alexander Scheel at 2019-04-24T19:10:33Z
Add hamcrest-core for Debian

While Debian packages a useful junit4 (that already includes
hamcrest-core in its MANIFEST's Class-Path), we might as well include
the correct path in the auto detection script to silence the incorrect
warning.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
652be0fb by Alexander Scheel at 2019-04-26T10:43:56Z
Add netscape.security to javadoc build

I noticed this was missing after a discussion on #dogtag-pki; we're not
building the javadocs for these packages; in part I'm guessing that this
is because there's a number of errors associated with the build (bad
formatting, parameters, etc), so these should be fixed as well.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
ad71d1aa by Alexander Scheel at 2019-04-26T10:43:56Z
Fix javadocs build

Since the current javadocs build process is broken (due to various
non-fatal errors in the build), ignore the error code of make javadocs
when building the RPM for now.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
93cf4431 by Alexander Scheel at 2019-05-06T15:53:31Z
Add ring buffer implementation

This buffer will be used as the in-memory buffer for SSLEngine via
BufferPRFD. This provides a common interface to reading/writing to a
fixed location in memory.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a0026340 by Alexander Scheel at 2019-05-06T15:53:31Z
Add tests for the ring buffer

This introduces two C language tests for the ring buffer, one of a
buffer of size 1 and one of a buffer of size 4. These exhaustively test
all pairwise combinations of get/put/read/write.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2a9907db by Alexander Scheel at 2019-05-06T15:53:31Z
Minimize includes in buffer source

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
17d96e8b by Alexander Scheel at 2019-05-06T15:53:31Z
Document the j_buffer members and functions

Adds inline documentation about the structure, methods, and their
guarantees to buffer.h

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
7d6f55a4 by Alexander Scheel at 2019-05-06T16:29:12Z
Define DEBUG and FORCE_PR_ASSERT in debug build

This ensures that all PR_ASSERT(...) calls are processed and executed as
part of the test suite in a debug build. Otherwise, these calls are
ignored and their asserts are not checked by definition of PR_ASSERT in
the NSPR library.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8d751cce by Jack Magne at 2019-05-06T19:37:27Z
Resolve Bug 1666872 - CC: Enable AIA OCSP cert checking for entire cert chain.

This fix for jss, solves the one use case where the pki server is configured to perform ocsp checking ONLY with the contents of the AIA extension. Previously, jss could only check the ocsp server for the leaf node cert of the cert being verified. This fix allows the cert chain to be checked over ocsp for each cert in question. This is possible due to the fact that we have made a call in the PKIX library of nss to do the actual cert verification. This call is made with all the needed flags to tell the PKIX library to make the ocsp verifications remotely over the network using the contents of the AIA extension.

Later on we can use this code to handle the other cases, but for now we want to solve this one particular problem. If the server is configured in any other configuration than the one stated, the original verification code will be called as before. Below is an example of a configuration in server.xml, that will trigger this new code:

< .... enableOCSP="true" ocspCacheSize="10000" ocspMinCacheEntryDuration="7200"   .... >

Note that due to ocsp caching, the cert chain verification may only be apparent after a restart of the server. A way to force an ocsp fetch every time is to set the value of ocspCacheSize=-1, which essentially disables the cache.

Added a couple of minor fixes due to review comments. Possibly more to come.
Minor include directive change to compile on branch.

- - - - -
801279d8 by Jack Magne at 2019-05-06T19:37:27Z
Additional: Resolve Bug 1666872 - CC: Enable AIA OCSP cert checking for entire cert chain.

Simple fix to make sure we are using the correct variant of the NSS cert usage quantity.

It turns out some calls need a SECCertUsage and others need a SECCertificateUsage.
We also need to convert between the two in certain instances.

Found and fixed double certificate object free issue.

- - - - -
0af945f8 by Alexander Scheel at 2019-05-06T20:05:55Z
Add Fedora 30 Dockerfile

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
bc921c6e by Alexander Scheel at 2019-05-06T20:05:55Z
Add F30 to .travis.yml, remove F28

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
ba291719 by Alexander Scheel at 2019-05-10T17:47:54Z
Declare certList earlier in ssl/common.c:getRoot

This fixes the following compilation warning:

jss/org/mozilla/jss/ssl/common.c: In function ‘getRoot’:
jss/org/mozilla/jss/ssl/common.c:923:5: warning: ‘certList’ may be used uninitialized in this function [-Wmaybe-uninitialized]
     CERT_DestroyCertList (certList);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
36d988a5 by Alexander Scheel at 2019-05-13T17:52:16Z
Add Buffer PRFileDesc header-only implementation

This implements a NSPR PRFileDesc that utilizes two buffers owned by the
creator for read and write calls. This will eventually enable a
SSLEngine implementation to provide non-blocking SSL connections.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4a2f6db7 by Alexander Scheel at 2019-05-13T17:52:16Z
Add test case for Buffer PRFileDesc

This is a C-language test for the new PRFileDesc implementation. If the
implementation is non-blocking, both sides of a TLS connection can be
performed in the same thread/process.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
bdd07488 by Alexander Scheel at 2019-05-13T19:53:51Z
Add -Wall -Wextra -Werror to Ubuntu build

We should have at least one build using this to ensure we detect issues
earlier.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f255de54 by Alexander Scheel at 2019-05-14T18:16:04Z
Set an explicit C standard: C99 with GNU extensions

All platforms we support should support the newer C99 standard.
Explicitly pass it during build to ensure we don't fail to build on
platforms where the default is C89. Note that we need the GNU extensions
for strdup.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b8436a44 by Alexander Scheel at 2019-05-14T18:38:40Z
Fix error message generation with OCSP

The next extensions to OCSP use PORT_GetError() instead of
PR_GetError(). Additionally, don't use + for joining a
(const char *) and an int.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
bd3de75e by Alexander Scheel at 2019-05-14T18:38:40Z
Initialize root sooner in ssl/common.c

The following warnings were detected with Clang:

/home/ascheel/GitHub/cipherboy/jss/org/mozilla/jss/ssl/common.c:999:8: warning: variable 'root' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
    if(ocspPolicy != OCSP_LEAF_AND_CHAIN_POLICY) {
       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/ascheel/GitHub/cipherboy/jss/org/mozilla/jss/ssl/common.c:1083:8: note: uninitialized use occurs here
    if(root) {
       ^~~~
/home/ascheel/GitHub/cipherboy/jss/org/mozilla/jss/ssl/common.c:999:5: note: remove the 'if' if its condition is always false
    if(ocspPolicy != OCSP_LEAF_AND_CHAIN_POLICY) {
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/ascheel/GitHub/cipherboy/jss/org/mozilla/jss/ssl/common.c:995:8: warning: variable 'root' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
    if(cert == NULL) {
       ^~~~~~~~~~~~
/home/ascheel/GitHub/cipherboy/jss/org/mozilla/jss/ssl/common.c:1083:8: note: uninitialized use occurs here
    if(root) {
       ^~~~
/home/ascheel/GitHub/cipherboy/jss/org/mozilla/jss/ssl/common.c:995:5: note: remove the 'if' if its condition is always false
    if(cert == NULL) {
    ^~~~~~~~~~~~~~~~~~
/home/ascheel/GitHub/cipherboy/jss/org/mozilla/jss/ssl/common.c:1037:5: note: variable 'root' is declared here
    CERTCertificate *root = getRoot(cert,certUsage);
    ^

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d148c68d by Alexander Scheel at 2019-05-15T13:29:24Z
CMake: Prepend command-line CFLAGS

When building with clang, the last-seen arguments take precedence. This
means that if the user specifies -Wall on the command line,
-Wno-unknown-warning-option gets suppressed. Thus, prepend
PASSED_C_FLAGS instead of appending them.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
dc4664c5 by Alexander Scheel at 2019-05-15T13:29:24Z
Remove extraneous set of parenthesis in comparison

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e4dcbd64 by Alexander Scheel at 2019-05-15T13:29:24Z
Use double {} for subobject assignment

Fixes the following Clang warnings:

/jss/org/mozilla/jss/ssl/common.c:981:34: warning: suggest braces around initialization of subobject [-Wmissing-braces]
    CERTValOutParam cvout[20] = {0};
                                 ^
                                 {}
/jss/org/mozilla/jss/ssl/common.c:982:32: warning: suggest braces around initialization of subobject [-Wmissing-braces]
    CERTValInParam cvin[20] = {0};
                               ^
                               {}

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
08b35cce by Alexander Scheel at 2019-05-15T13:34:48Z
Add missing include from jssutil.h

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
fef67ff2 by Alexander Scheel at 2019-05-15T13:34:48Z
Add proxy for PRFileDesc

PRFDProxy wraps a single NSPR PRFileDesc so it can be used from Java
via JNI.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
075c903f by Alexander Scheel at 2019-05-15T13:34:48Z
Add common PRFileDesc functions

Several NSPR methods operate on PRFileDesc objects which are useful to
access from Java:

 - Read/Write, Send/Recv -- for IO operations on NSS SSL sockets
 - NewTCPSocket -- to hand off a socket to be wrapped by NSS
 - Shutdown -- to close a network socket
 - Open -- for testing purposes to create files

This adds these methods and their implementations in Java.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4ec24f0d by Alexander Scheel at 2019-05-15T13:34:48Z
Add PR.java methods to exported symbols

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9618202f by Alexander Scheel at 2019-05-15T13:34:48Z
Add test cases for PRFDProxy.java and PR.java

These test basic read/write and open/close socket interactions. This
ensures we can handle IO correctly.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
13b276f1 by Alexander Scheel at 2019-05-15T13:34:48Z
Add documentation to jss.nss.PR

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
5ec7945c by Alexander Scheel at 2019-05-15T13:34:48Z
Add documentation to nss/PRFDProxy.h

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
71b25009 by Alexander Scheel at 2019-05-15T15:02:12Z
Allow Travis Extras section to succeed quickly

By giving a simple `true` script, the Extras section will have a job
which succeeds quickly. This should make the entire Travis run take
less time, as while the Extras section is fast-finish, it won't finish
until the first job succeeds.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
75918f13 by Alexander Scheel at 2019-05-15T17:36:36Z
Move include after copyright in util/jssutil.h

Also, switch to including all required headers, removing the old
comment.

Reported by @emaldona.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2d67bd05 by Christina Fu at 2019-05-15T17:49:32Z
Add HSM support for PKCS#11 AES KeyWrap/Padding (#176)

* Add HSM support for PKCS#11 AES KeyWrap/Padding

This patch adds  HSM support for the PKCS#11 standard defined KeyWrap/Padding
mechanism. Prior to this patch, only NSS (CKM_NSS_AES_KEY_WRAP_PAD) was supported.
Note that this is based on Thales's projection of having the following supported
in the next SW version, 12.60: CKM_AES_KEY_WRAP_PAD
For completeness, CKM_AES_KEY_WRAP is also added, although it is not suitable
for private key wrapping.

* Added test case for AES_KEY_WRAP_PAD; also a clarification comment

This would actually test CKM_NSS_AES_KEY_WRAP_PAD if CKM_AES_KEY_WRAP_PAD
is not supported by the crypto module.

also added clarification comment in org/mozilla/jss/crypto/KeyWrapAlgorithm.java

* pulling repeated code into a method getSupportedWrappingMechanism

- - - - -
b2848538 by Alexander Scheel at 2019-05-16T19:04:21Z
Add support for NSS's SSL_ calls

Add support for low-level NSS API calls with the SSL_ prefix. This lets
us control a SSL handshake and set it up from an existing PRFileDesc.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
694f9335 by Alexander Scheel at 2019-05-16T19:04:21Z
Add tests for org.mozilla.jss.nss.SSL

This tests some of the new changes which let us call into NSS's SSL_
prefixed API. This doesn't include a full SSL handshake though.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
7de080f3 by Alexander Scheel at 2019-05-16T19:04:21Z
Document jss.nss.SSL methods

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
7c9e2001 by Alexander Scheel at 2019-05-16T19:04:21Z
Document jss.nss.SecurityStatusResult

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
790820a4 by Alexander Scheel at 2019-05-16T20:01:51Z
Add BufferProxy

Adds a proxy for a j_buffer object for later use as a BufferPRFD.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4bda2411 by Alexander Scheel at 2019-05-16T20:01:51Z
Wrap j_buffer calls

Adds the org.mozilla.nss.Buffer class for operating on BufferProxy
objects, performing the associated jb_* calls.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
781094a1 by Alexander Scheel at 2019-05-16T20:01:51Z
Add tests for BufferProxy and Buffer calls

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
ca60a9ed by Alexander Scheel at 2019-05-16T20:01:51Z
Document jss.nss.Buffer methods

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
67caf2d7 by Alexander Scheel at 2019-05-16T20:01:51Z
Document BufferProxy native methods

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0195f957 by Alexander Scheel at 2019-05-17T16:01:28Z
Add org.mozilla.jss.nss.PR.NewBufferPRFD

This adds support for creating a BufferPRFD from two j_buffers in JNI.

- - - - -
82792d7b by Alexander Scheel at 2019-05-17T16:01:28Z
Test PR.NewBufferPRFD

This adds a basic test for a BufferPRFD, ensuring that Send/Recv work as
expected.

- - - - -
1537ae58 by Alexander Scheel at 2019-05-17T16:20:56Z
Extend java.security.cert.X509Certificate in PK11Cert

By extending the java.security.cert.X509Certificate class, we can now
use PK11Cert in a variety of Java-standard interface, downcasting to
PK11Cert when applicable. This lets us preserve the NSS pointer to the
certificate so we can make future NSS calls on it.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1b9ffdd8 by Alexander Scheel at 2019-05-17T16:30:56Z
Add SSL test case for BufferPRFD

Using the new JNI wrappers for NSPR and NSS, perform a single-threaded
SSL handshake in Java and use it to pass data back and forth, showing
that this new stack works.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b5c236b0 by Alexander Scheel at 2019-05-20T17:47:42Z
Add PR_SHUTDOWN_{RCV,SEND,BOTH} Constants

These constants are exposed by NSPR and used for the PR_Shutdown call.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4e94fbe4 by Alexander Scheel at 2019-05-20T17:47:42Z
Add tests for new PR constants

Sanity checks to ensure the new constants are present and working.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
666a2bde by Alexander Scheel at 2019-05-20T19:49:30Z
Add SSL.OptionGet

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
410e86d1 by Alexander Scheel at 2019-05-20T19:49:30Z
Add tests for SSL.OptionGet

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
38286287 by Alexander Scheel at 2019-05-20T23:43:35Z
Add org.mozilla.jss.nss to javadoc output

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a2334f87 by Alexander Scheel at 2019-05-21T00:12:09Z
Add nss.SSL.{CipherPrefSet,CipherPrefGet}

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
615ed0e1 by Alexander Scheel at 2019-05-21T00:12:09Z
Add tests for nss.SSL.{CipherPrefSet,CipherPrefGet}

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
47b4711a by Alexander Scheel at 2019-05-30T13:25:55Z
Provide reverse mapping of JSSL_enums values

This is provided for convenience and to avoid rewriting the values
in-place. In certain locations, e.g., ssl/SSLSocket.c this construct is
used and the results are placed back into NSS's SSLVersionRange struct;
this is technically incorrect as the values of the struct are meant to
be NSS's SSL version constants, but are now indices into a struct.

Semantics:
 - result is the index <-> the value is found
 - result is JSSL_enums_size <-> the value is not found

This results in the possibility of the cast to a size_t if desired, but
several places in Java assume these are a (signed) int.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
22294d1d by Alexander Scheel at 2019-05-30T13:25:55Z
Add helper to wrap NSS's SSLVersionRange into Java

Also updates SSLSocket.c to remove its implementation and use the common
wrapper.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
df8b2cd8 by Alexander Scheel at 2019-05-30T13:25:55Z
Add SSL_VersionRange{Get,Set} wrappers

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
94851055 by Alexander Scheel at 2019-05-30T13:25:55Z
Add tests for SSL.VersionRange{Get,Set}

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
957d5baf by Alexander Scheel at 2019-05-30T18:06:47Z
Fix CHECK_DEPRECATION compatibility

The old build system respected the CHECK_DEPRECATION environment
variable to enforce deprecation checks during (Java) compilation
time. In the new system, this was broken by not using the ENV{}
construct and not adding the flag to the correct variable.

This was reported by @emaldona.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4cb275b5 by Alexander Scheel at 2019-05-31T17:41:11Z
Add JSSKeyManager from TomcatJSS

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c0913c90 by Alexander Scheel at 2019-05-31T17:41:11Z
Fix JSSKeyManager build

After migration to JSS, fix JSSKeyManager to have the correct package
and update it to use PK11Cert directly, instead of converting to a
X509Certificate.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c6fbf64e by Alexander Scheel at 2019-05-31T17:41:11Z
Add JSSTrustManager from TomcatJSS

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
082bf0c2 by Alexander Scheel at 2019-05-31T17:41:11Z
Fix JSSTrustManager build

After migration to JSS, fix JSSTrustManager to have the correct package
and update it to use PK11Cert directly, instead of converting to a
X509Certificate.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1f4fd89a by Alexander Scheel at 2019-05-31T17:41:11Z
Add a KeyManagerFactory implementation

This returns our JSSKeyManager class, when required.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
7b6a2c18 by Alexander Scheel at 2019-05-31T17:41:11Z
Add KeyManagerFactory to JSSProvider

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c8fa4a9d by Alexander Scheel at 2019-05-31T17:41:11Z
Add a TrustManagerFactory implementation

Returns our JSSTrustManager when required.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f8b9e411 by Alexander Scheel at 2019-05-31T17:41:11Z
Add JSSTrustManagerFactory to JSSProvider

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
df85c7fd by Alexander Scheel at 2019-05-31T19:57:16Z
Return PK11Cert in JSSKeyStoreSpi

Now that PK11Certs implement the java.security.cert.X509Certificate
class, we can return PK11Certs directly from the JSSKeyStoreSpi
interface, rather than encoding and decoding the certificate contents.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
277cfc97 by Alexander Scheel at 2019-05-31T20:04:45Z
Implement jb_read_capacity and jb_write_capacity

This lets us expose the remaining capacity of a j_buffer, making it
easier to know how large to size buffers for reading and writing.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
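The ring buffer introduced in commits 93cf4431 and a0026340 above (a fixed-size in-memory buffer with single-byte get/put and span read/write operations) and the read/write capacity queries added in 277cfc97, illustrated with an added example written for this page. This is not JSS's own j_buffer code: the type and function names (ring_buffer, rb_*), the API shapes, and the 4-byte wraparound sequence in the demo are all assumptions made for illustration.

```c
/* Added example for this page: a minimal fixed-capacity ring buffer.
 * Not JSS's j_buffer; names and signatures are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *contents;   /* backing storage of exactly `capacity` bytes */
    size_t capacity;     /* total size; fixed after creation */
    size_t read_pos;     /* index of the next byte to hand out */
    size_t size;         /* bytes currently stored (0..capacity) */
} ring_buffer;

/* Allocate a buffer holding at most `capacity` bytes; NULL on failure. */
ring_buffer *rb_alloc(size_t capacity) {
    if (capacity == 0) return NULL;
    ring_buffer *rb = calloc(1, sizeof(*rb));
    if (rb == NULL) return NULL;
    rb->contents = malloc(capacity);
    if (rb->contents == NULL) { free(rb); return NULL; }
    rb->capacity = capacity;
    return rb;
}

/* Scrub before freeing: in the SSLEngine use case this holds plaintext. */
void rb_free(ring_buffer *rb) {
    if (rb == NULL) return;
    memset(rb->contents, 0, rb->capacity);
    free(rb->contents);
    free(rb);
}

/* Bytes available to read, and free space available to write. */
size_t rb_read_capacity(const ring_buffer *rb) { return rb->size; }
size_t rb_write_capacity(const ring_buffer *rb) { return rb->capacity - rb->size; }

/* Append one byte; returns 1 on success, 0 if the buffer is full. */
int rb_put(ring_buffer *rb, uint8_t byte) {
    if (rb->size == rb->capacity) return 0;
    rb->contents[(rb->read_pos + rb->size) % rb->capacity] = byte;
    rb->size++;
    return 1;
}

/* Remove one byte; returns it (0..255) or -1 if the buffer is empty. */
int rb_get(ring_buffer *rb) {
    if (rb->size == 0) return -1;
    uint8_t byte = rb->contents[rb->read_pos];
    rb->read_pos = (rb->read_pos + 1) % rb->capacity;
    rb->size--;
    return byte;
}

/* Append up to `len` bytes from `src`; returns how many were stored.
 * A short write is not an error: the caller must check the count, exactly
 * as it would for a partial send on a non-blocking socket. */
size_t rb_write(ring_buffer *rb, const uint8_t *src, size_t len) {
    size_t n = len < rb_write_capacity(rb) ? len : rb_write_capacity(rb);
    size_t write_pos = (rb->read_pos + rb->size) % rb->capacity;
    size_t first = rb->capacity - write_pos;   /* bytes before the end of storage */
    if (first > n) first = n;
    memcpy(rb->contents + write_pos, src, first);
    memcpy(rb->contents, src + first, n - first); /* wrapped remainder, if any */
    rb->size += n;
    return n;
}

/* Remove up to `len` bytes into `dst`; returns how many were copied. */
size_t rb_read(ring_buffer *rb, uint8_t *dst, size_t len) {
    size_t n = len < rb->size ? len : rb->size;
    size_t first = rb->capacity - rb->read_pos;
    if (first > n) first = n;
    memcpy(dst, rb->contents + rb->read_pos, first);
    memcpy(dst + first, rb->contents, n - first);
    rb->read_pos = (rb->read_pos + n) % rb->capacity;
    rb->size -= n;
    return n;
}

/* Constructed scenario on a 4-byte buffer: write 3, read 2, write 3 (wraps),
 * then drain. Returns 1 if every step behaved as documented above. */
int rb_wraparound_demo(void) {
    ring_buffer *rb = rb_alloc(4);
    if (rb == NULL) return 0;
    uint8_t out[8];
    int ok = 1;
    ok &= rb_write(rb, (const uint8_t *)"abc", 3) == 3;
    ok &= rb_read(rb, out, 2) == 2 && out[0] == 'a' && out[1] == 'b';
    ok &= rb_write(rb, (const uint8_t *)"def", 3) == 3;   /* fills 3,0,1 */
    ok &= rb_write_capacity(rb) == 0 && rb_read_capacity(rb) == 4;
    ok &= rb_put(rb, 'x') == 0;                 /* full: put is refused */
    ok &= rb_read(rb, out, sizeof out) == 4;    /* short read: only 4 stored */
    ok &= memcmp(out, "cdef", 4) == 0;          /* order preserved across the wrap */
    ok &= rb_get(rb) == -1;                     /* empty: get reports -1 */
    rb_free(rb);
    return ok;
}

/* Size-1 buffer, the degenerate case the JSS test commit singles out. */
int rb_size1_demo(void) {
    ring_buffer *rb = rb_alloc(1);
    if (rb == NULL) return 0;
    int ok = rb_put(rb, 7) == 1 && rb_put(rb, 8) == 0
          && rb_get(rb) == 7 && rb_get(rb) == -1;
    rb_free(rb);
    return ok;
}
```

Two points a reviewer of a buffer like this looks for: the span operations return the number of bytes actually moved rather than failing on a partial transfer, so the PRFileDesc layer built on top can report PR_WOULD_BLOCK-style progress honestly; and the storage is wiped on free, since the buffer sits between the application and the TLS record layer and will contain decrypted data.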
bf128d84 by Alexander Scheel at 2019-05-31T20:04:45Z
Expose Buffer.{Read,Write}Capacity

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
227e4296 by Alexander Scheel at 2019-05-31T20:04:45Z
Add Buffer.{Read,Write}Capacity tests

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
ad584dbb by Alexander Scheel at 2019-06-03T14:27:00Z
Add JSSProvider test case

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a065347e by Alexander Scheel at 2019-06-05T19:15:09Z
Expose SSL_{REQUEST,REQUIRE}_CERTIFICATE constants

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
44066eb1 by Elio Maldonado at 2019-06-06T16:19:53Z
Fix some trivial deprecation warnings #33

- - - - -
5f2c9b68 by Alexander Scheel at 2019-06-07T16:35:52Z
Add ssl.javax.JSSParameters

This class extends SSLParameters to provide convenience wrappers for
interacting with NSS classes in a standard Java environment. In
particular, they allow for the parsing of cipher suites into and out of
ssl.SSLCipher enum values, and for handling the differences between the
Java standard form of TLS versions as a String, ssl.SSLVersion enum
values, and ssl.SSLVersionRange instances.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3f1b7f99 by Endi S. Dewata at 2019-06-07T17:38:33Z
Fixed exception handling in X509CertImpl

The X509CertImpl has been modified to chain the original
exception whenever possible.

- - - - -
1e618b3c by Alexander Scheel at 2019-06-10T14:19:37Z
Store cert alias in JSSParameters

This lets us find the certificate in the NSS DB by alias; none of the
existing SSLParameters are sufficient for this task.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
dc5df0fb by Alexander Scheel at 2019-06-10T14:42:37Z
Add org.mozilla.jss.ssl.javax to javadoc generation

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a422380b by Alexander Scheel at 2019-06-10T14:43:09Z
Update PKCS11Constants

This includes the new ChaCha20 constant, CKM_NSS_CHACHA20_CTR,
introduced in upstream commit e9fdd32dc33febcd0a3fcd46de1b223781b6960a.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
cec6c905 by Elio Maldonado at 2019-06-10T14:44:09Z
Fix additional trivial deprecation warnings #34

- - - - -
4f0dfadd by Alexander Scheel at 2019-06-10T18:47:58Z
Test SSL handshake without TCP model

The NSS documentation allows SSL_ImportFD to take a null first
parameter; in this case, NSS defaults will be used instead of defaults
from the model. Since we're creating the model *with* default parameters
(and not really saving a global model with updated parameters), don't
bother creating a model PRFileDesc.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9be5795e by Alexander Scheel at 2019-06-10T18:48:08Z
[nss.PR] Create BufferPRFD when peer_info is null

Unlike read_buf or write_buf, peer_info can reasonably be null; handle
this gracefully and create the BufferPRFD instead of returning a null
PRFDProxy reference.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
68f4f351 by Alexander Scheel at 2019-06-11T00:56:50Z
Add SECStatus constants to nss.SSL

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
07d3175e by Alexander Scheel at 2019-06-11T00:56:50Z
Use new SECStatus constants in test cases

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6338edfa by Alexander Scheel at 2019-06-11T00:56:50Z
Add PRStatus constants to nss.PR

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9552abc2 by Alexander Scheel at 2019-06-11T00:56:50Z
Use new PRStatus constants in test cases

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
dff79626 by Alexander Scheel at 2019-06-11T00:56:50Z
Add PR Error constants

Some org.mozilla.jss.nss.PR methods return errors as ints; add
org.mozilla.jss.nss.PRErrors which contains constants for common errors.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3fff8fdf by Alexander Scheel at 2019-06-11T00:56:50Z
Update TestBufferPRFD to use PR Errors constants

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4761cfdc by Alexander Scheel at 2019-06-12T10:55:33Z
Track server hostname in JSSParameters

When using NSS as a client, SSL_SetURL must be called with the remote
host for certificate verification. Store the hostname in JSSParameters
so we can set it later in the JSSEngine.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
58c8fb81 by Alexander Scheel at 2019-06-12T19:26:30Z
Release v4.6.0

This version of JSS features many enhancements.

 - HSM KeyWrap support
 - An extended JSS Provider
 - OCSP support in SSLSocket and SSLServerSocket
 - Internal improvements to JNI handling
 - Various small bugfixes and enhancements

A special thanks to external contributor @emaldona for his contributions
around JDK9+ deprecations.

Signed-off-by: Alexander Scheel <alexander.m.scheel at gmail.com>

- - - - -


30 changed files:

- .classpath
- + .copr/Makefile
- .travis.yml
- CMakeLists.txt
- README.md
- cmake/JSSConfig.cmake
- cmake/JSSTests.cmake
- docs/contributing.md
- docs/dependencies.md
- jss.spec
- lib/jss.map
- org/mozilla/jss/CryptoManager.c
- org/mozilla/jss/CryptoManager.java
- org/mozilla/jss/JSSProvider.java
- org/mozilla/jss/PK11Finder.c
- org/mozilla/jss/SecretDecoderRing/KeyManager.c
- org/mozilla/jss/asn1/ASN1Header.java
- org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
- org/mozilla/jss/asn1/SET.java
- org/mozilla/jss/crypto/Algorithm.c
- org/mozilla/jss/crypto/Algorithm.h
- org/mozilla/jss/crypto/Algorithm.java
- org/mozilla/jss/crypto/EncryptionAlgorithm.java
- org/mozilla/jss/crypto/KeyWrapAlgorithm.java
- org/mozilla/jss/netscape/security/pkcs/PKCS8Key.java
- org/mozilla/jss/netscape/security/util/Cert.java
- org/mozilla/jss/netscape/security/util/ObjectIdentifier.java
- org/mozilla/jss/netscape/security/x509/IPAddressName.java
- org/mozilla/jss/netscape/security/x509/X509CertImpl.java
- org/mozilla/jss/netscape/security/x509/X509Key.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/jss/compare/77497a7ac9b8e6e28d9e26a4be4059154dd07118...58c8fb81ca48153ec144a0742e146e56301ab835
