[Pkg-freeipa-devel] [Git][freeipa-team/jss][upstream] 65 commits: Remove all usage of Assert._assert

Timo Aaltonen gitlab at salsa.debian.org
Thu Oct 17 11:01:19 BST 2019



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / jss


Commits:
ffd07ad7 by Alexander Scheel at 2019-08-08T20:38:55Z
Remove all usage of Assert._assert

Assert._assert is probably a relic from an older era. The class
incorrectly identifies them as "C-style assertions": the assert keyword
is actually closer to "C-style assertions" as they require the explicit
flag "-ea" (or "-enableassertions") to be passed to the JVM, similar to
how DEBUG needs to be defined for assert(...) to work in C.

In two places, where Assert._assert(false, msg) was called, I've instead
chosen to directly raise an org.mozilla.jss.util.AssertionException.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
65182214 by Alexander Scheel at 2019-08-08T20:38:55Z
Deprecate both forms of Assert._assert

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d9f314a8 by Alexander Scheel at 2019-08-09T15:17:59Z
Add exit(1) in failure case of TestBufferPRFD

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
43651428 by Alexander Scheel at 2019-08-12T12:49:41Z
Increase size of async io buffer in TestBufferPRFD

NSS on s390x seems to ignore the semantics of async io/EWOULDBLOCK:
rather than retrying the failing write, it drops the data and refuses to
continue. This manifests itself as RSA-based TLS handshakes failing,
because the certificate and associated packets exceeded the size of the
internal buffer (2048).

Bumping the buffer for the tests to 4096 plasters over the issue (so
long as we only include one certificate and not the entire chain).

redhat-bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1730109

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
19fef145 by Alexander Scheel at 2019-08-12T20:15:51Z
Add CHECK_DEPRECATION CMake option

This mirrors the behavior of the environment variable.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9e668057 by Alexander Scheel at 2019-08-12T20:16:19Z
Introduce JSS_throwMsgPortErr

When NSS is built without FIPS mode, enabling FIPS mode fails. The
output from CryptoManager is non-obvious (it states that it fails but
doesn't pass through the underlying NSS error).

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
27d2ab93 by Alexander Scheel at 2019-08-12T20:16:19Z
Support sandboxed builds

The old build system supported building NSPR, NSS, and JSS together.
This facilitated testing changes across all three. This iteration for
the new build system requires you to build NSS separately according to
the build method of your choice. To use, set the SANDBOX option or set
the SANDBOX environment variable:

    cd sandbox/nss && ./build.sh -g --enable-fips
    cd ../jss/build && SANDBOX=1 cmake .. && make && ctest

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
13998a9e by Elio Maldonado at 2019-08-13T19:20:28Z
Fix jss internal deprecation warnings #35

- - - - -
587f4f02 by Alexander Scheel at 2019-08-13T20:17:02Z
Document CMake options

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9a009b04 by Alexander Scheel at 2019-08-13T20:17:02Z
Document adding a test case

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d3a2de3e by Alexander Scheel at 2019-08-14T19:34:40Z
Clarify CMS provider

The CMS provider differs from the SUN provider; it only provides a few
X509-related operations.

It is also used in CMSEngine in PKI, though its functionality could be
exposed from Mozilla-JSS in the future if we desire.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
34e52cf5 by Alexander Scheel at 2019-08-14T19:34:40Z
Remove legacy DSA implementation

This is better suited for NSS via the Mozilla-JSS provider. This entire
provider could eventually be removed if we wished, but certain
functionality required by PKI transitively depends on it. It is never
explicitly added though, so I'm not convinced those places truly use it
via the intended APIs. However, various classes inside the provider are
used directly (such as RSAPublicKey and DSAPublicKey).

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3fb3bb9a by Alexander Scheel at 2019-08-15T20:15:44Z
Move buffer.{c,h} -> j_buffer.{c,h}

Naming a file "buffer.h" on MacOS has the unfortunate consequence of
conflicting with other includes. Rename our copy to j_buffer.h to
avoid this problem.

Reported by @c42-arthur in issue #226.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a272589d by Alexander Scheel at 2019-08-16T16:29:13Z
Fix BufferPRFD's PRBufferGetSocketOption

PRBufferGetSocketOption takes two parameters: the PRFileDesc that we're
operating on and a PRSocketOptionData where we place the result. I
incorrectly treated this as a struct holding all options for a socket.
In reality, it contains two fields:

 - the option requested
 - the value of that option (via a union)

We thus need to condition on the option requested and return *only* its
value.

Under the previous implementation, we clobbered all options we set,
except the last one, data->value.send_buffer_size. In TestBufferPRFD.c,
we set the capacity of the buffer as 2048. Since sizeof(PRSize) >=
sizeof(PRBool), we did not perform an out of bounds write. On big endian
systems such as s390x, we stored the value 0x00000000 00000800: this
meant accessing data->value.non_blocking returned PR_FALSE (0x00).

Since the condition in ssl_FdIsBlocking is "!opt.value.non_blocking",
this resulted in NSS assuming our buffer was blocking.

Many thanks to Bob Relyea for finding this.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1730109

Signed-off-by: Alexander Scheel <ascheel at redhat.com>
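
An added illustration of the union clobbering described in commit a272589d above; it is not code from the JSS commit. The types and function names are constructed stand-ins for PRSocketOptionData and the buffer's option handler, and the byte-order model lets the s390x behaviour be reproduced on any host.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for NSPR's PRSocketOptionData (not the real headers). */
typedef enum { OPT_NONBLOCKING, OPT_SEND_BUFFER_SIZE } opt_name;

typedef struct {
    opt_name option;               /* the option the caller requested */
    union {                        /* the value of that one option */
        int32_t  non_blocking;     /* PRBool-like, 4 bytes */
        uint64_t send_buffer_size; /* PRSize-like, 8 bytes on 64-bit targets */
    } value;
} opt_data;

/* Buggy shape: fills the union as if it were a struct holding all options. */
static void get_option_buggy(opt_data *d, uint64_t capacity) {
    d->value.non_blocking = 1;            /* overwritten by the next store */
    d->value.send_buffer_size = capacity; /* last store wins */
}

/* Fixed shape: condition on the requested option, return only its value. */
static int get_option_fixed(opt_data *d, uint64_t capacity) {
    switch (d->option) {
    case OPT_NONBLOCKING:      d->value.non_blocking = 1;            return 0;
    case OPT_SEND_BUFFER_SIZE: d->value.send_buffer_size = capacity; return 0;
    }
    return -1; /* option not handled */
}

/* Host-independent model: lay out the 8-byte size in the given byte order,
 * then read the first 4 bytes back as the overlapping non_blocking member. */
static int32_t non_blocking_seen(uint64_t capacity, int big_endian) {
    unsigned char bytes[8];
    uint32_t v = 0;
    for (int i = 0; i < 8; i++)
        bytes[i] = (unsigned char)(capacity >> (big_endian ? 8 * (7 - i) : 8 * i));
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)bytes[i] << (big_endian ? 8 * (3 - i) : 8 * i);
    return (int32_t)v;
}

static int host_is_big_endian(void) {
    const uint16_t probe = 0x0102;
    return *(const unsigned char *)&probe == 0x01;
}

/* What a non_blocking query gets back from the buggy handler on this host. */
static int32_t buggy_non_blocking_on_host(uint64_t capacity) {
    opt_data d = { OPT_NONBLOCKING, { 0 } };
    get_option_buggy(&d, capacity);
    return d.value.non_blocking;
}

/* What the same query gets back from the fixed handler. */
static int32_t fixed_non_blocking(uint64_t capacity) {
    opt_data d = { OPT_NONBLOCKING, { 0 } };
    if (get_option_fixed(&d, capacity) != 0)
        return -1;
    return d.value.non_blocking;
}

/* Mirrors the condition quoted from ssl_FdIsBlocking: !opt.value.non_blocking */
static int fd_is_blocking(int32_t non_blocking) { return !non_blocking; }

int main(void) {
    const uint64_t capacity = 2048; /* buffer capacity used in TestBufferPRFD.c */
    printf("buggy, big endian:    non_blocking=%d blocking=%d\n",
           (int)non_blocking_seen(capacity, 1),
           fd_is_blocking(non_blocking_seen(capacity, 1)));
    printf("buggy, little endian: non_blocking=%d blocking=%d\n",
           (int)non_blocking_seen(capacity, 0),
           fd_is_blocking(non_blocking_seen(capacity, 0)));
    printf("buggy, this host:     non_blocking=%d\n",
           (int)buggy_non_blocking_on_host(capacity));
    printf("fixed:                non_blocking=%d blocking=%d\n",
           (int)fixed_non_blocking(capacity),
           fd_is_blocking(fixed_non_blocking(capacity)));
    return 0;
}
```

On little-endian hosts the clobbered member reads back as a non-zero value, which is why the buggy handler still appeared to report a non-blocking descriptor there.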

- - - - -
670eb090 by Alexander Scheel at 2019-08-16T16:29:13Z
Move TestBufferPRFD -> TestBufferPRFDSSL

This move lets us put direct tests for the Buffer PRFileDesc
implementation in a new file called TestBufferPRFD, keeping the SSL
tests separate.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b0ba1f96 by Alexander Scheel at 2019-08-16T16:29:13Z
Add test for PR_GetSocketOption

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e21f50ef by Alexander Scheel at 2019-08-22T18:52:18Z
Fix unsigned comparisons and declarations

There are two issues with debug builds in JSS right now: a number of
comparisons between unsigned variables and signed literals, and a use of
a potentially uninitialized variable due to an incorrect conditional and
late variable declaration.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
242e9e44 by Alexander Scheel at 2019-08-22T18:52:18Z
Add PR_Read and PR_Write methods

When executing the tests in a debug build, TestBufferPRFD aborts
because PR.Write isn't defined for Buffer backed PRFileDesc's. Even
though it isn't strictly required for SSLEngine support, implementing
it is easy (using Send/Recv).

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6d799786 by Alexander Scheel at 2019-08-22T18:52:18Z
CMake fix foreach loop

CMake's foreach() construct doesn't use "in" as a separator between the
iterated variable and the list.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d722d809 by Alexander Scheel at 2019-08-23T13:58:56Z
Re-add X509CertTest

This test exercises the ECPublicKey and ECPrivateKey interfaces that are
newly added to the public/private key classes in org.mozilla.jss.pkcs11.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1e86c108 by Alexander Scheel at 2019-08-23T13:58:56Z
Introduce initial CurveDB: jss.util.ECCurve

The JDK internally maintains a database of curves (called the CurveDB);
only some of these curves are used by the Sun provider and are
internally called "named" curves. However, this curve database isn't
exposed to the public.

Unlike the JDK, we expose our curve database for other providers to use.
Currently we only maintain a mapping between names, oids, and curve
parameters. We should eventually extend it to replace all curve usages
in PK11KeyPairGenerator; this will likely involve moving the contents of
ECCurve_Code over as well.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
54d471da by Alexander Scheel at 2019-08-23T13:58:56Z
Introduce NSS/EC related helpers

We introduce the jss.util.EC class for helper functions for decoding NSS
EC key information. This includes a point decoder helper and an OID to
curve parameters helper.

Future work includes extending decodeNSSPoint to handle compressed and
hybrid point encoding forms.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
41d1e64b by Alexander Scheel at 2019-08-23T13:58:56Z
Implement ECPublicKey with PK11ECPublicKey

With the new curve database and the NSS helpers, we can now implement
the standard ECPublicKey interface from our PK11ECPublicKey class,
bringing JSS into compliance.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
cfd0ff74 by Alexander Scheel at 2019-08-23T13:58:56Z
Implement ECPrivateKey with PK11ECPrivateKey

Since NSS exposes SECKEY_ConvertToPublicKey(...), we can convert our
private key pointer to a public key pointer and re-wrap it as a
PK11PubKey instance (of the correct subtype). This lets us implement
ECPrivateKey's getParams() interface via ECPublicKey's implementation.

Note that getS() won't be supported due to limitations in NSS. Further
work will need to be done to expose the private key values to the caller
for this (and the interfaces for other key types) to function.
Additionally, returning the private key data might not always be
possible, e.g., when the key lives on an HSM.

This means that we're still restricted to working only with JSS-based
encryption methods for the large part.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
fd988bb6 by Alexander Scheel at 2019-08-23T16:49:44Z
Support ECGenParameterSpec in PK11KeyPairGenerator

The standard Java interface for EC key pair generation only includes a
name. Use the ECCurve enum to resolve this to an OID for use by NSS.

A similar patch was initially proposed by Andrew Helgeson (@ZuluForce)
in upstream issue https://github.com/dogtagpki/jss/issues/226.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e65d0e48 by Stanislav Levin at 2019-08-27T14:16:27Z
Fix javadoc build

- The names of outdated parameters were corrected or removed.
- Code blocks were escaped with {@code text} and {@literal text}.
- Missing html tags were added.

Fixes: https://github.com/dogtagpki/jss/issues/246
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
f398b886 by Alexander Scheel at 2019-08-27T16:03:52Z
Two minor javadoc improvements

One documents parameters that were removed from a previous PR because
they didn't match the function signature. I've re-added those. The other
re-adds two placeholders for clarity, using @literal this time.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
61dc5609 by Alexander Scheel at 2019-09-03T20:20:14Z
Fix indentation and bracing in ssl/callbacks.c

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a52de916 by Alexander Scheel at 2019-09-12T21:30:03Z
Fix build order: tests depend on a built JAR

When building JSS, our test suite requires the rest of the JSS JAR to be
built. Previously however, our build system didn't reflect that
dependency correctly, causing the build to fail on some platforms.

Related: #254

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
fc67cf34 by Alexander Scheel at 2019-09-16T14:27:25Z
Add KeyStoreTest back to test suite

Per report by Magnus Karlsson on pki-devel at redhat.com, KeyStoreTest is
bad example code because it doesn't actually work. In particular, it
fails to initialize a KeyStore instance correctly (passing only the name
of the provider and not the name of the KeyStore type we want).

Fix the test and re-add it to the test suite.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
056f7404 by Alexander Scheel at 2019-09-18T14:15:29Z
Add additional PKCS11 Constants

This includes the new CKM_AES_CMAC and CKM_AES_CMAC_GENERAL constants.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
bc316ec7 by Alexander Scheel at 2019-09-18T20:24:22Z
Add Fedora rawhide based sandbox builds

This tests the latest upstream NSPR and NSS from Mozilla, on the latest
Fedora rawhide container, and ensures that we can build and pass our
current test suite.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e23ebb0f by Alexander Scheel at 2019-09-18T20:24:22Z
Add sandbox build as required in Travis

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
98d333ea by Alexander Scheel at 2019-09-19T15:54:23Z
Add helper to run a single test case

run_test.sh.in is templated by CMake to build/run_test.sh, fully
configured to your test execution environment. In particular, it writes
the classpath and loads the JSS native library.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d314d859 by Alexander Scheel at 2019-09-19T15:54:23Z
Add script to add common root CAs

When given an NSS DB, common_roots.sh uses the trust command to extract
the root CAs trusted by the local system and add them to said NSS DB.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f71281b6 by Alexander Scheel at 2019-09-25T13:46:54Z
Finish adding SHA2 variants

When the SHA-2 variants were initially added (SHA2-256, SHA2-384, and
SHA2-512), they weren't added to either SymmetricKey or PKCS11Algorithm.
This fixes that, allowing Algorithm identifiers to be mapped to
PKCS11Constant values, and also to be used as symmetric keys.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
72217a3a by Alexander Scheel at 2019-09-25T13:46:54Z
Map SymmetricKey.Usages to PKCS11Constants

Each usage in SymmetricKey.Usages maps to a specific PKCS11Constant with
prefix "CKA_" (which is of type CK_ATTRIBUTE_TYPE). These constants can
be directly used with the underlying PKCS#11 interface via JNI.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6b1cc24b by Alexander Scheel at 2019-09-25T13:46:54Z
Support multiple names for HMAC keys

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e791542e by Alexander Scheel at 2019-09-25T13:46:54Z
Update HMAC test to use SecretKeyFactory

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
647dfd95 by Alexander Scheel at 2019-09-26T15:08:41Z
Revert "Fix build order: tests depend on a built JAR"

This reverts commit a52de916344cfc6f67b8b1178699ca5b6b559d41. This
commit isn't necessary: while the tests depend on the rest of JSS, javac
will detect the necessary files (because of -sourcepath) and continue
with the build.

In fact, build order is a red herring: the real issue is that the
org.mozilla.jss.pkix package namespace is empty, so:

    import org.mozilla.jss.pkix.*;

won't have any classes to import.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3887fa82 by Alexander Scheel at 2019-09-26T15:08:41Z
Remove excessive import

Under the javac shipped in RHEL 7, we see the following error when
building the test suite:

jss/org/mozilla/jss/tests/TestBufferPRFD.java:8: error: package org.mozilla.jss.pkix does not exist
import org.mozilla.jss.pkix.*;
^

This is because the org.mozilla.jss.pkix namespace doesn't include any
classes; it only contains sub-packages.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d4d079e4 by Alexander Scheel at 2019-09-26T16:32:01Z
Add SSL Storage class, SSLFDProxy

Off of a SSL-enabled PRFileDesc created by NSS's SSL_ImportFD, we might
want to store various information which would be helpful (and, necessary
to free at the end):

 - Any TrustManagers we're using on this connection,
 - Whether or not the handshake has finished,
 - The client certificate, or
 - Additional parameters required for NSS callbacks.

Some of these will be Java-backed values, in which case they should be
added directly to SSLFDProxy. Others will be C-backed values, in which
case they should be freed once the SSL Socket is closed.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
abb3ecf4 by Alexander Scheel at 2019-09-26T16:32:01Z
Retype existing methods to SSLFDProxy

In org.mozilla.jss.nss.SSL, we've retyped all methods to take SSLFDProxy
instead of PRFDProxy where appropriate. This will let future native
methods access any fields we place on the SSLFDProxy. We've also updated
the existing tests to use SSLFDProxy instead of PRFDProxy where
appropriate.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b95ab143 by Alexander Scheel at 2019-09-26T16:32:01Z
Update TestBufferPRFD to use SSL.SECSuccess

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2c63127d by Alexander Scheel at 2019-09-26T16:33:13Z
Support favoring other Cryptographic Providers

We were previously given the option to either install the JSS provider or
not, and optionally to remove the Sun Provider. Users can re-order the
providers later if they want, but the most common other option will be
to only use JSS for specified operations. To achieve this, we put JSS as
the very last provider. Hence, add:

 installJSSProviderFirst = true

as a new value in InitializationValues.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3e071122 by Alexander Scheel at 2019-09-26T21:08:47Z
Wrap a certificate with chain to jobjectArray

Sometimes we have only a single CERTCertificate but wish to inquire
about as much of its chain as we can, and return the result as a
jobjectArray to pass back to Java. This is helpful when we've gotten a
CERTCertificate from NSS and we need to check it against a TrustManager
instance.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
cb44b54b by Alexander Scheel at 2019-09-27T16:10:44Z
Capture PRErrorCode <-> Exception mappings

Often we'll need to take a PRErrorCode and raise it as a Java Exception
(via the JNI interface) of the proper type. Other times, we'll need to
take a raised Java Exception and return it as the correct
(SECStatus, PRErrorCode) pair.

We introduce JSS_ExceptionToSECStatus and JSS_SECStatusToException to
handle this. The latter has a *Message form, which takes an error
message to raise with the exception.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a8fab7fd by Alexander Scheel at 2019-09-27T16:12:01Z
Add CryptoManager.ImportDERCert(...)

ImportDERCert differs from other calls in that it allows importing a
certificate temporarily, without putting it in the permanent trust
store. This lets you import (and trust) an intermediate CA certificate
without permanently storing it, and use it to validate a leaf
certificate.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
028ec6f4 by Alexander Scheel at 2019-09-27T16:40:22Z
Validate X509Certificates from CryptoManager

We extend the existing VerifyCertificate logic to include support for
validating a certificate by reference (e.g., an instance of
X509Certificate) instead of purely by nickname.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
5b729f09 by Alexander Scheel at 2019-09-27T16:40:22Z
Support getting the current OCSP policy enum

By exposing the value of ocspPolicy from the CryptoManager (instead
of the ordinal, which we'd have to convert back to an enum for most
calls), we can more easily support save/restore operations for the value
of OCSP policy.

This will enable, in combination with the previous patch, explicit OCSP
checks on certificates and their chains, restoring the current policy
afterwards.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0672294c by Alexander Scheel at 2019-09-27T19:29:13Z
Fix callback alert handling

In 871231d20f6e6956134c670d57087f121ffe0563 I incorrectly handled an
unused variable warning, where rc is unused when compiling outside of
debug mode. As part of this fix, I incorrectly returned based on the
same values we were asserting -- for 3 of the 4 values. Instead, I
should've returned when these conditionals were negated.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
5147c4e1 by Alexander Scheel at 2019-09-27T20:01:42Z
Make sandbox build fully debug

Since we're building NSS in debug mode by default, we should also build
JSS in debug mode here. This will be our only build with CMake release
type DEBUG and debug CFLAGS.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
69cefe1e by Alexander Scheel at 2019-09-30T12:22:13Z
Add CMAC algorithm to JSSProvider

CMAC is a form of MAC that utilizes a block cipher instead of a hash
function. Support for CMAC via PKCS#11 was recently introduced to NSS
allowing us to add support for it here.

Related: https://bugzilla.mozilla.org/show_bug.cgi?id=1570501

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
bf65e0f8 by Alexander Scheel at 2019-09-30T12:22:13Z
Add tests for CMAC via JSS Provider

These tests are from NIST's Examples with Intermediate Values page:
https://csrc.nist.gov/projects/cryptographic-standards-and-guidelines/example-values

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
83f14529 by Alexander Scheel at 2019-09-30T12:22:23Z
Support using SymmetricKey in JSSMacSpi

JSSMacSpi differs from JSSCipherSpi in that it requires the caller to
pass a SecretKeyFacade instance (which merely wraps a SymmetricKey) and
is typically created by SecretKeyFactory. However, the caller might
have an existing SymmetricKey and wish to use that with JSSMacSpi; check
for that case and handle it gracefully. Unlike JSSCipherSpi, we don't
use the SecretKeyFactory to clone the underlying key.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
370415e2 by Alexander Scheel at 2019-10-01T16:37:31Z
Add Client Certificate support to NSS wrapper

We add support for handling the client certificate callback via a fixed
client certificate. This lets us specify ahead of time which client
certificate we wish to use and return it when asked by NSS. Setting the
client certificate on the SSLFDProxy is done via:

    SSLFDProxy.SetClientCert(...)

And telling NSS to use this certificate is done via:

    SSL.EnableClientAuthentication(...)

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
28fda7c6 by Alexander Scheel at 2019-10-01T16:37:31Z
Test Client Authentication in TestBufferPRFD

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c1c71083 by Alexander Scheel at 2019-10-01T20:46:38Z
Add python-unversioned-command to fedora_sandbox

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
eb5df010 by Alexander Scheel at 2019-10-01T21:59:41Z
Make NativeProxy AutoCloseable

We extend the default NativeProxy implementation in three directions:

 - Make it AutoCloseable,
 - Add a clear() method which supports clearing the value of the
   pointer without calling releaseNativeResources(...), and
 - Save a stack trace when assertions are enabled.

By implementing AutoCloseable, we enable the common Java pattern of
try-with-resources:

    try (NativeProxy item = ...) {
        ...
    }

and have the item automatically be closed (in our case, finalized(...))
at the end of its life cycle. We've added additional logic to prevent
double-free bugs.

Additionally, by adding clear(...), we both add protection from
double-free bugs and enable resource cleanup from native handlers that
removes entries in NativeProxy's internal tracking.

Lastly, we save stack traces when assertions are enabled in the JVM and
JSS is built in DEBUG mode (with DEBUG defined).

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
7833095b by Alexander Scheel at 2019-10-01T21:59:41Z
Use new NativeProxy.clean in BufferProxy

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
dd566770 by Alexander Scheel at 2019-10-02T13:32:33Z
Fix build on older CMake versions

On CMake versions less than 3.12.0 (shipped July 17, 2018), the
list(...) helper lacks the JOIN subcommand. We use this for joining the
C compiler flags into CMAKE_REQUIRED_FLAGS for symbol detection.

This introduces a shim for older systems lacking these useful macros,
including RHEL 8.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0fd96ddd by Alexander Scheel at 2019-10-02T15:55:38Z
Remove unnecessary assert in PK11MessageDigest.c

This ASSERT_OUTOFMEM(env) is incorrect for two reasons:

 1. When JSS_RefByteArray detects a zero-length result, it returns
    false but doesn't throw an exception. It is up to the caller to
    handle that as they wish. In our case, we can safely skip the
    PK11_DigestOp call.
 2. When length < offset+len (and JSS_RefByteArray exits
    successfully), we won't have thrown an exception.

This only shows up in debug builds; release builds aren't affected.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3b9572b8 by Alexander Scheel at 2019-10-15T13:31:00Z
Fix root certificate validation

When the Leaf and Chain OCSP checking policy is enabled in
CryptoManager, JSS will switch to alternative certificate verification
logic in JSSL_DefaultCertAuthCallback. In this method, the root
certificate was incorrectly trusted without being verified to exist in
the trust store.

This patch cleans up the logic in JSSL_verifyCertPKIX and makes it
more explicit in addition to fixing the error.

Fixes CVE-2019-14823

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
5ebd1568 by Alexander Scheel at 2019-10-15T14:46:18Z
Add optional test case against badssl.com

badssl.com maintains a number of subdomains with valid and invalid TLS
configurations. A number of these test certificates which fail in
certain scenarios (revoked, expired, etc). Add a test runner which
validates SSLSocket's implementation against badssl.com.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d0bbd641 by Alexander Scheel at 2019-10-15T19:11:14Z
Release v4.6.2

This version of JSS has a security fix:

 - CVE-2019-14823: Fix root certificate validation when using Leaf and
   Chain OCSP mode

This version of JSS also has a few enhancements over v4.6.1:

 - Fixing JSS internal deprecation warnings by @emaldona
 - Fixing javadoc builds by @stanislavlevin
 - Introduce a new InitializationValue, installJSSProviderFirst, to
   support favoring other cryptographic providers.
 - Add support for CMAC as a Mac algorithm from JSSProvider; note that
   this requires JSS to be compiled with a NSS release which also
   supports CMAC (3.47+).
 - Various improvements to the Key APIs.

Thanks to everyone who contributed to this release!

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -


30 changed files:

- .travis.yml
- CMakeLists.txt
- cmake/FindNSPR.cmake
- cmake/FindNSS.cmake
- cmake/JSSConfig.cmake
- cmake/JSSTests.cmake
- + cmake/Shims.cmake
- docs/build_system.md
- jss.spec
- lib/jss.map
- org/mozilla/jss/CertificateUsage.java
- org/mozilla/jss/CryptoManager.c
- org/mozilla/jss/CryptoManager.java
- org/mozilla/jss/InitializationValues.java
- org/mozilla/jss/JSSProvider.java
- org/mozilla/jss/PK11Finder.c
- org/mozilla/jss/asn1/ANY.java
- org/mozilla/jss/asn1/ASN1Header.java
- org/mozilla/jss/asn1/BIT_STRING.java
- org/mozilla/jss/asn1/CHOICE.java
- org/mozilla/jss/asn1/EXPLICIT.java
- org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
- org/mozilla/jss/asn1/SEQUENCE.java
- org/mozilla/jss/asn1/SET.java
- org/mozilla/jss/asn1/TimeBase.java
- org/mozilla/jss/crypto/Algorithm.c
- org/mozilla/jss/crypto/Algorithm.h
- org/mozilla/jss/crypto/Algorithm.java
- + org/mozilla/jss/crypto/CMACAlgorithm.java
- org/mozilla/jss/crypto/Cipher.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/jss/compare/a7786f2481411988a025f7ca6b4f2b81abd8a71a...d0bbd641d313b1b95daa9be4cd9db7917a9a0a05
