[Pkg-freeipa-devel] [Git][freeipa-team/jss][upstream] 23 commits: Support LD_FLAGS from environment

Timo Aaltonen gitlab at salsa.debian.org
Mon Sep 9 21:48:59 BST 2019



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / jss


Commits:
731b62d4 by Alexander Scheel at 2019-06-17T13:02:26Z
Support LD_FLAGS from environment

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
88fa55a9 by Alexander Scheel at 2019-06-17T14:13:47Z
Add additional error handling functions

PR_GetErrorText doesn't return useful information all the time;
PR_ErrorToName always returns the constant name when possible.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
de594c30 by Alexander Scheel at 2019-06-19T10:56:22Z
Wrap SSL_ConfigServerCert

SSL_ConfigServerCert (exposed as jss.nss.SSL.ConfigServerCert) is the
more modern form of SSL_ConfigSecureServer. Implement the wrapper with
no additional data (i.e., default configuration) and test it. Also test
ECDSA signed certificates in both C and Java BufferPRFD test suites.

Deprecate SSL_ConfigSecureServer as well.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
182add54 by Alexander Scheel at 2019-06-19T13:38:31Z
Return String in jss.nss.PR error text functions

GetErrorText() and ErrorToName(...) previously returned byte[]; return
String as they're most likely to be used in conjunction with other
Strings.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e6638fd2 by Alexander Scheel at 2019-06-24T12:38:57Z
Switch to SSL_ConfigServerCert

In SSLServerSocket, we use the deprecated form, SSL_ConfigSecureServer.
Switch to using the newer form, SSL_ConfigServerCert. This also saves us
a call to check the KEA usage.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
917c41ef by Alexander Scheel at 2019-06-27T20:10:26Z
Add JSS_PK11_wrapCertChain helper

A CERTCertList is roughly equivalent to a PK11Cert[] array. Add a helper
function for wrapping a CERTCertList into a PK11Cert[] jobjectArray
item. This largely mirrors the JSS_PK11_wrapCert helper function.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0b6924d1 by Alexander Scheel at 2019-06-27T20:10:26Z
Wrap SSL_PeerCertificate, SSL_PeerCertificateChain

These two functions are necessary for introspecting the results of a SSL
handshake with client authentication and useful for SSLSession support.
Adds a test to the TestBufferPRFD method to check their status.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d634b1ee by Alexander Scheel at 2019-07-15T21:05:29Z
Terminate SSL test cases after too many attempts

When the handshake fails to complete in a certain number of steps,
terminate it. We set this limit as 40 as it should be significantly
larger than the number of required steps (since the buffer limit is at
2048, we'd expect no more than 10 steps, even with a large certificate
or chain).

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b201d95a by Endi S. Dewata at 2019-07-19T13:07:57Z
Added uncleared password warning

The Password class has been modified to store the location where
it was created initially. If the Password object is garbage
collected without being cleared first, it will display a warning
message showing the location of the offending code.

- - - - -
adc2889a by Endi S. Dewata at 2019-07-19T16:58:16Z
Fixed indentations in MacData constructor.

- - - - -
641a0539 by Endi S. Dewata at 2019-07-19T16:58:16Z
Fixed uncleared password in MacData

The MacData has been modified to call PBEKeyGenParams.clear()
in a finally block to ensure that the password is cleared.

- - - - -
739ed78b by Alexander Scheel at 2019-07-19T18:44:12Z
In FIPS mode, disable non-FIPS tests

Certain tests are guaranteed to fail in FIPS mode. Add an environment
variable, FIPS_ENABLED, to not enable them on CMake. Also support
passing it as a CMake option.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2007096b by Alexander Scheel at 2019-07-19T18:44:12Z
jss.spec: Auto-set FIPS_ENABLED

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a1de8685 by Alexander Scheel at 2019-07-19T22:27:07Z
Add alternative HMAC names for JSSProvider

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
c3c69c08 by Alexander Scheel at 2019-07-22T14:39:40Z
Rename HMACTest -> CrossHMACTest

On systems with case-insensitive file systems, cloning will likely fail
as there's two files with the "same" name but different contents:
HmacTest.java and HMACTest.java. Rename the latter, which attempts to
test different providers, to CrossHMACTest.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
18598df6 by Alexander Scheel at 2019-07-22T17:00:37Z
Remove tests/all.pl - old test suite runner

Since 4.5.1, we've replaced the test suite runner with a CMake/ctest
implementation. At this point, we're preferring SSLEngine over
SSLSocket, so keeping the last few remaining test cases in all.pl (that
we're not running anyways) doesn't do much.

tests/all.pl is tracked in the jss archive for historical reference:

https://github.com/dogtagpki/jss-archive/blob/master/org/mozilla/jss/tests/all.pl

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
2ff3bbd0 by Alexander Scheel at 2019-07-24T19:24:37Z
Add enum for Algorithm's PKCS #11 Constants

We need to map PKCS11 Constants between their names and their values and
also between their values and Algorithm identifiers. To do so, we add
PKCS11Algorithm which enumerates identifiers common to both Algorithm
and PKCS11Constants. This will let us call into the NSS API with the
correct constant identifier from PKCS11, when needed.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
694614b1 by Alexander Scheel at 2019-07-24T19:24:37Z
Expose PKCS11Algorithm enum value from Algorithm

Also changes the type of Algorithm's fields from short to int to better
match the underlying type and the type of oidIndex.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b15d9044 by Alexander Scheel at 2019-07-24T19:36:30Z
Fix SHA1-HMAC in SymmetricKey

In SymmetricKey.java, SHA-1 HMAC was defined as PBA_SHA1_HMAC, a version
of HMAC for extending a password (using a salt) and turning it into a
key. Usually when one requests HMAC, one expects vanilla HMAC; use this
instead. We expose the old SHA1_HMAC (with PBA) as PBA_SHA1_HMAC now.
Note that later SHA-2 and SHA-3 algorithms lack PBA-based HMACs (in PKCS
v2.40 and v3.0 standards).

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
68bd9a70 by Alexander Scheel at 2019-07-25T14:23:14Z
Expose SHA-2 HMAC in SymmetricKey

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f7405a1e by Robert Förster at 2019-08-07T17:41:02Z
fix typo in JUnit CMake variable

Signed-off-by: Robert Förster <Dessa at gmake.de>

- - - - -
029d0a64 by Alexander Scheel at 2019-08-08T15:42:01Z
Add a few standard Java interfaces when possible

This extends our interfaces to be compatible with the default JDK
interfaces whenever possible. In particular:

 - jss.crypto.SymmetricKey now extends javax.crypto.SecretKey
 - jss.pkcs11.PK11Key now implements java.security.Key

A few clarifying comments have been added where necessary.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a7786f24 by Alexander Scheel at 2019-08-08T15:45:36Z
Release v4.6.1

This version of JSS has a few enhancements over v4.6.0:

 - Fixed LD_FLAG handling,
 - Extensions to the unfinished org.mozilla.jss.nss interface,
 - Better handling of uncleared passwords (by @edewata),
 - Better test handling in FIPS mode,
 - Changes to SymmetricKey and HMAC handling,
 - Fix typo in JUnit CMake variable (by @Dessa).

Thanks to everyone who contributed to this release!

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -


29 changed files:

- CMakeLists.txt
- cmake/JSSConfig.cmake
- cmake/JSSTests.cmake
- jss.spec
- lib/jss.map
- org/mozilla/jss/JSSProvider.java
- org/mozilla/jss/crypto/Algorithm.c
- org/mozilla/jss/crypto/Algorithm.h
- org/mozilla/jss/crypto/Algorithm.java
- org/mozilla/jss/crypto/Cipher.java
- org/mozilla/jss/crypto/KeyGenAlgorithm.java
- + org/mozilla/jss/crypto/PKCS11Algorithm.java
- org/mozilla/jss/crypto/SymmetricKey.java
- org/mozilla/jss/nss/PR.c
- org/mozilla/jss/nss/PR.java
- org/mozilla/jss/nss/SSL.c
- org/mozilla/jss/nss/SSL.java
- org/mozilla/jss/pkcs11/PK11Cert.c
- org/mozilla/jss/pkcs11/PK11Key.java
- org/mozilla/jss/pkcs11/PK11SymKey.java
- org/mozilla/jss/pkcs11/pk11util.h
- org/mozilla/jss/pkcs12/MacData.java
- org/mozilla/jss/ssl/SSLServerSocket.c
- org/mozilla/jss/tests/HMACTest.java → org/mozilla/jss/tests/CrossHMACTest.java
- org/mozilla/jss/tests/TestBufferPRFD.c
- org/mozilla/jss/tests/TestBufferPRFD.java
- org/mozilla/jss/tests/TestPRFD.java
- − org/mozilla/jss/tests/all.pl
- org/mozilla/jss/util/Password.java


Changes:

=====================================
CMakeLists.txt
=====================================
@@ -14,6 +14,11 @@ if (DEFINED ENV{CHECK_DEPRECATION})
     list(APPEND JSS_JAVAC_FLAGS "-Xlint:deprecation")
 endif()
 
+if (DEFINED ENV{FIPS_ENABLED})
+    set(FIPS_ENABLED_ENV TRUE)
+endif()
+option(FIPS_ENABLED "When enabled, disable certain tests which don't work in FIPS mode. This should only be specified when the host system is in FIPS mode." ${FIPS_ENABLED_ENV})
+
 # Build a debug build by default when no type is specified on the command line
 if(NOT (DEFINED CMAKE_BUILD_TYPE))
     set(CMAKE_BUILD_TYPE "Debug")


=====================================
cmake/JSSConfig.cmake
=====================================
@@ -2,7 +2,7 @@ macro(jss_config)
     # Set the current JSS release number. Arguments are:
     #   MAJOR MINOR PATCH BETA
     # When BETA is zero, it isn't a beta release.
-    jss_config_version(4 6 0 0)
+    jss_config_version(4 6 1 0)
 
     # Configure output directories
     jss_config_outputs()
@@ -174,6 +174,11 @@ macro(jss_config_ldflags)
     list(APPEND JSS_LD_FLAGS "-lpthread")
     list(APPEND JSS_LD_FLAGS "-ldl")
 
+    separate_arguments(PASSED_LD_FLAGS UNIX_COMMAND "${CMAKE_SHARED_LINKER_FLAGS}")
+    foreach(PASSED_LD_FLAG ${PASSED_LD_FLAGS})
+        list(INSERT JSS_LD_FLAGS 0 "${PASSED_LD_FLAG}")
+    endforeach()
+
     # This set of flags is specific to building the libjss library.
     list(APPEND JSS_LIBRARY_FLAGS "-shared")
     list(APPEND JSS_LIBRARY_FLAGS "-Wl,-z,defs")
@@ -181,6 +186,9 @@ macro(jss_config_ldflags)
     list(APPEND JSS_LIBRARY_FLAGS "-Wl,${JSS_SO}")
 
     set(JSS_VERSION_SCRIPT "-Wl,--version-script,${PROJECT_SOURCE_DIR}/lib/jss.map")
+
+    message(STATUS "JSS LD FLAGS: ${JSS_LD_FLAGS}")
+    message(STATUS "JSS LIBRARY FLAGS: ${JSS_LIBRARY_FLAGS}")
 endmacro()
 
 macro(jss_config_java)
@@ -235,7 +243,7 @@ macro(jss_config_java)
         message(WARNING "Test dependency sfl4j-jdk14.jar not found by find_jar! Tests might not run properly.")
     endif()
 
-    if(JUINT4_JAR STREQUAL "JUNIT4_JAR-NOTFOUND")
+    if(JUNIT4_JAR STREQUAL "JUNIT4_JAR-NOTFOUND")
         message(FATAL_ERROR "Test dependency junit4.jar not found by find_jar! Tests will not compile.")
     endif()
 


=====================================
cmake/JSSTests.cmake
=====================================
@@ -91,11 +91,6 @@ macro(jss_tests)
         NAME "JSS_Test_Buffer"
         COMMAND "org.mozilla.jss.tests.TestBuffer"
     )
-    jss_test_java(
-        NAME "JSS_Test_BufferPRFD"
-        COMMAND "org.mozilla.jss.tests.TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
-        DEPENDS "List_CA_certs"
-    )
     if ((${Java_VERSION_MAJOR} EQUAL 1) AND (${Java_VERSION_MINOR} LESS 9))
         jss_test_java(
             NAME "Test_PKCS11Constants.java_for_Sun_compatibility"
@@ -180,21 +175,11 @@ macro(jss_tests)
         COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH}" "50"
         DEPENDS "List_CA_certs"
     )
-    jss_test_exec(
-        NAME "TestBufferPRFD"
-        COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
-        DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
-    )
     jss_test_java(
         NAME "Key_Generation"
         COMMAND "org.mozilla.jss.tests.TestKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
         DEPENDS "Setup_DBs"
     )
-    jss_test_java(
-        NAME "Key_Factory"
-        COMMAND "org.mozilla.jss.tests.KeyFactoryTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
-        DEPENDS "Setup_DBs"
-    )
     jss_test_java(
         NAME "Digest"
         COMMAND "org.mozilla.jss.tests.DigestTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
@@ -202,12 +187,7 @@ macro(jss_tests)
     )
     jss_test_java(
         NAME "HMAC"
-        COMMAND "org.mozilla.jss.tests.HMACTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
-        DEPENDS "Setup_DBs"
-    )
-    jss_test_java(
-        NAME "HMAC_Unwrap"
-        COMMAND "org.mozilla.jss.tests.HmacTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
+        COMMAND "org.mozilla.jss.tests.CrossHMACTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
         DEPENDS "Setup_DBs"
     )
     jss_test_java(
@@ -250,84 +230,111 @@ macro(jss_tests)
         COMMAND "org.mozilla.jss.tests.SymKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}"
         DEPENDS "Setup_DBs"
     )
-    jss_test_java(
-        NAME "Mozilla_JSS_Secret_Key_Generation"
-        COMMAND "org.mozilla.jss.tests.JCASymKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}"
-        DEPENDS "Setup_DBs"
-    )
     jss_test_java(
         NAME "JSSProvider"
         COMMAND "org.mozilla.jss.tests.JSSProvider" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
         DEPENDS "List_CA_certs"
     )
 
-    # FIPS-related tests
-    jss_test_java(
-        NAME "Enable_FipsMODE"
-        COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "enable"
-        DEPENDS "Setup_FIPS_DBs"
-    )
-    jss_test_java(
-        NAME "check_FipsMODE"
-        COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "chkfips"
-        DEPENDS "Enable_FipsMODE"
-    )
-    jss_test_java(
-        NAME "SSLClientAuth_FIPSMODE"
-        COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH_FIPS}" "60"
-        DEPENDS "Enable_FipsMODE"
-    )
-    jss_test_java(
-        NAME "HMAC_FIPSMODE"
-        COMMAND "org.mozilla.jss.tests.HMACTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
-        DEPENDS "Enable_FipsMODE"
-    )
-    jss_test_java(
-        NAME "KeyWrapping_FIPSMODE"
-        COMMAND "org.mozilla.jss.tests.JCAKeyWrap" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
-        DEPENDS "Enable_FipsMODE"
-    )
-    jss_test_java(
-        NAME "Mozilla_JSS_JCA_Signature_FIPSMODE"
-        COMMAND "org.mozilla.jss.tests.JCASigTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
-        DEPENDS "Enable_FipsMODE"
-    )
-    jss_test_java(
-        NAME "JSS_Signature_test_FipsMODE"
-        COMMAND "org.mozilla.jss.tests.SigTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
-        DEPENDS "Enable_FipsMODE"
-    )
+    if(NOT FIPS_ENABLED)
+        jss_test_java(
+            NAME "Key_Factory"
+            COMMAND "org.mozilla.jss.tests.KeyFactoryTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
+            DEPENDS "Setup_DBs"
+        )
+        jss_test_java(
+            NAME "HMAC_Unwrap"
+            COMMAND "org.mozilla.jss.tests.HmacTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
+            DEPENDS "Setup_DBs"
+        )
+        jss_test_java(
+            NAME "Mozilla_JSS_Secret_Key_Generation"
+            COMMAND "org.mozilla.jss.tests.JCASymKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}"
+            DEPENDS "Setup_DBs"
+        )
 
-    # Since we need to disable FIPS mode _after_ all FIPS-mode tests have
-    # run, we have to add a strict dependency from Disable_FipsMODE onto all
-    # FIPS-related checks.
-    jss_test_java(
-        NAME "Disable_FipsMODE"
-        COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "disable"
-        DEPENDS "check_FipsMODE" "SSLClientAuth_FIPSMODE" "HMAC_FIPSMODE" "KeyWrapping_FIPSMODE" "Mozilla_JSS_JCA_Signature_FIPSMODE" "JSS_Signature_test_FipsMODE"
-    )
+        # SSL Engine related tests
+        jss_test_exec(
+            NAME "TestBufferPRFD_RSA"
+            COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}" "Server_RSA"
+            DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
+        )
+        jss_test_exec(
+            NAME "TestBufferPRFD_ECDSA"
+            COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}" "Server_ECDSA"
+            DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
+        )
+        jss_test_java(
+            NAME "JSS_Test_BufferPRFD"
+            COMMAND "org.mozilla.jss.tests.TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
+            DEPENDS "List_CA_certs"
+        )
+
+        # FIPS-related tests
+        jss_test_java(
+            NAME "Enable_FipsMODE"
+            COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "enable"
+            DEPENDS "Setup_FIPS_DBs"
+        )
+        jss_test_java(
+            NAME "check_FipsMODE"
+            COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "chkfips"
+            DEPENDS "Enable_FipsMODE"
+        )
+        jss_test_java(
+            NAME "SSLClientAuth_FIPSMODE"
+            COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH_FIPS}" "60"
+            DEPENDS "Enable_FipsMODE"
+        )
+        jss_test_java(
+            NAME "HMAC_FIPSMODE"
+            COMMAND "org.mozilla.jss.tests.CrossHMACTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
+            DEPENDS "Enable_FipsMODE"
+        )
+        jss_test_java(
+            NAME "KeyWrapping_FIPSMODE"
+            COMMAND "org.mozilla.jss.tests.JCAKeyWrap" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
+            DEPENDS "Enable_FipsMODE"
+        )
+        jss_test_java(
+            NAME "Mozilla_JSS_JCA_Signature_FIPSMODE"
+            COMMAND "org.mozilla.jss.tests.JCASigTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
+            DEPENDS "Enable_FipsMODE"
+        )
+        jss_test_java(
+            NAME "JSS_Signature_test_FipsMODE"
+            COMMAND "org.mozilla.jss.tests.SigTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
+            DEPENDS "Enable_FipsMODE"
+        )
+
+        # Since we need to disable FIPS mode _after_ all FIPS-mode tests have
+        # run, we have to add a strict dependency from Disable_FipsMODE onto all
+        # FIPS-related checks.
+        jss_test_java(
+            NAME "Disable_FipsMODE"
+            COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "disable"
+            DEPENDS "check_FipsMODE" "SSLClientAuth_FIPSMODE" "HMAC_FIPSMODE" "KeyWrapping_FIPSMODE" "Mozilla_JSS_JCA_Signature_FIPSMODE" "JSS_Signature_test_FipsMODE"
+        )
+    endif()
 
     jss_test_java(
         NAME "JUnit_GenericValueConverterTest"
         COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.GenericValueConverterTest"
-        DEPENDS "Disable_FipsMODE"
     )
     jss_test_java(
         NAME "JUnit_IA5StringConverterTest"
         COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.IA5StringConverterTest"
-        DEPENDS "Disable_FipsMODE"
     )
     jss_test_java(
         NAME "JUnit_PrintableConverterTest"
         COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.PrintableConverterTest"
-        DEPENDS "Disable_FipsMODE"
     )
 
 
     # For compliance with several
     add_custom_target(
-      check
-      DEPENDS test
+        check
+        DEPENDS test
     )
 endmacro()
 


=====================================
jss.spec
=====================================
@@ -6,7 +6,7 @@ Summary:        Java Security Services (JSS)
 URL:            http://www.dogtagpki.org/wiki/JSS
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 
-Version:        4.6.0
+Version:        4.6.1
 Release:        1%{?_timestamp}%{?_commit_id}%{?dist}
 # global         _phase -a1
 
@@ -106,6 +106,9 @@ export BUILD_OPT=1
 CFLAGS="-g $RPM_OPT_FLAGS"
 export CFLAGS
 
+# Check if we're in FIPS mode
+modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
+
 # The Makefile is not thread-safe
 rm -rf build && mkdir -p build && cd build
 %cmake \


=====================================
lib/jss.map
=====================================
@@ -348,7 +348,8 @@ Java_org_mozilla_jss_nss_PR_NewTCPSocket;
 Java_org_mozilla_jss_nss_PR_NewBufferPRFD;
 Java_org_mozilla_jss_nss_PR_Shutdown;
 Java_org_mozilla_jss_nss_PR_GetError;
-Java_org_mozilla_jss_nss_PR_GetErrorText;
+Java_org_mozilla_jss_nss_PR_GetErrorTextNative;
+Java_org_mozilla_jss_nss_PR_ErrorToNameNative;
 Java_org_mozilla_jss_nss_PR_getPRShutdownRcv;
 Java_org_mozilla_jss_nss_PR_getPRShutdownSend;
 Java_org_mozilla_jss_nss_PR_getPRShutdownBoth;
@@ -369,7 +370,10 @@ Java_org_mozilla_jss_nss_SSL_SecurityStatus;
 Java_org_mozilla_jss_nss_SSL_ResetHandshake;
 Java_org_mozilla_jss_nss_SSL_ForceHandshake;
 Java_org_mozilla_jss_nss_SSL_ConfigSecureServer;
+Java_org_mozilla_jss_nss_SSL_ConfigServerCert;
 Java_org_mozilla_jss_nss_SSL_ConfigServerSessionIDCache;
+Java_org_mozilla_jss_nss_SSL_PeerCertificate;
+Java_org_mozilla_jss_nss_SSL_PeerCertificateChain;
 Java_org_mozilla_jss_nss_SSL_getSSLRequestCertificate;
 Java_org_mozilla_jss_nss_SSL_getSSLRequireCertificate;
 Java_org_mozilla_jss_nss_SSL_getSSLSECSuccess;


=====================================
org/mozilla/jss/JSSProvider.java
=====================================
@@ -236,6 +236,10 @@ public final class JSSProvider extends java.security.Provider {
         put("Mac.HmacSHA512",
             "org.mozilla.jss.provider.javax.crypto.JSSMacSpi$HmacSHA512");
         put("Alg.Alias.Mac.Hmac-SHA512", "HmacSHA512");
+        put("Alg.Alias.Mac.SHA-1-HMAC", "HmacSHA1");
+        put("Alg.Alias.Mac.SHA-256-HMAC", "HmacSHA256");
+        put("Alg.Alias.Mac.SHA-384-HMAC", "HmacSHA384");
+        put("Alg.Alias.Mac.SHA-512-HMAC", "HmacSHA512");
 
 
         /////////////////////////////////////////////////////////////


=====================================
org/mozilla/jss/crypto/Algorithm.c
=====================================
@@ -94,8 +94,11 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
 /* 64 */    {SEC_OID_AES_256_CBC, SEC_OID_TAG},
 /* the CKM_AES_KEY_WRAP_* have different defs than CKM_NSS_AES_KEY_WRAP_*  */
 /* 65 */    {CKM_AES_KEY_WRAP, PK11_MECH},
-/* 66 */    {CKM_AES_KEY_WRAP_PAD, PK11_MECH}
-/* REMEMBER TO UPDATE NUM_ALGS!!! */
+/* 66 */    {CKM_AES_KEY_WRAP_PAD, PK11_MECH},
+/* 67 */    {CKM_SHA256_HMAC, PK11_MECH},
+/* 68 */    {CKM_SHA384_HMAC, PK11_MECH},
+/* 69 */    {CKM_SHA512_HMAC, PK11_MECH}
+/* REMEMBER TO UPDATE NUM_ALGS!!! (in Algorithm.h) */
 };
 
 /***********************************************************************


=====================================
org/mozilla/jss/crypto/Algorithm.h
=====================================
@@ -24,7 +24,7 @@ typedef struct JSS_AlgInfoStr {
     JSS_AlgType type;
 } JSS_AlgInfo;
 
-#define NUM_ALGS 67
+#define NUM_ALGS 70
 
 extern JSS_AlgInfo JSS_AlgTable[];
 extern CK_ULONG JSS_symkeyUsage[];


=====================================
org/mozilla/jss/crypto/Algorithm.java
=====================================
@@ -127,6 +127,10 @@ public class Algorithm {
         return false;
     }
 
+    public PKCS11Algorithm getEnum() {
+        return PKCS11Algorithm.valueOfIndex(this.oidIndex);
+    }
+
     /**
      * Index into the SECOidTag array in Algorithm.c.
      */
@@ -144,91 +148,97 @@ public class Algorithm {
         new OBJECT_IDENTIFIER( new long[] { 1, 2, 840, 10045 } );
 
     // Algorithm indices.  These must be kept in sync with the
-    // algorithm array in Algorithm.c.
-    protected static final short SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION=0;
-    protected static final short SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION=1;
-    protected static final short SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION=2;
-    protected static final short SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST=3;
-    protected static final short SEC_OID_PKCS1_RSA_ENCRYPTION=4;
-    protected static final short CKM_RSA_PKCS_KEY_PAIR_GEN=5;
-    protected static final short CKM_DSA_KEY_PAIR_GEN=6;
-    protected static final short SEC_OID_ANSIX9_DSA_SIGNATURE=7;
-    protected static final short SEC_OID_RC4=8;
-    protected static final short SEC_OID_DES_ECB=9;
-    protected static final short SEC_OID_DES_CBC=10;
-    protected static final short CKM_DES_CBC_PAD=11;
-    protected static final short CKM_DES3_ECB=12;
-    protected static final short SEC_OID_DES_EDE3_CBC=13;
-    protected static final short CKM_DES3_CBC_PAD=14;
-    protected static final short CKM_DES_KEY_GEN=15;
-    protected static final short CKM_DES3_KEY_GEN=16;
-    protected static final short CKM_RC4_KEY_GEN=17;
-
-    protected static final short SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC=18;
-    protected static final short SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC=19;
-    protected static final short SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC=20;
-    protected static final short
+    // algorithm array in Algorithm.c. Any PKCS11 Algorithms must be added
+    // to the org.mozilla.jss.crypto.PKCS11Algorithm enum.
+    protected static final int SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION=0;
+    protected static final int SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION=1;
+    protected static final int SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION=2;
+    protected static final int SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST=3;
+    protected static final int SEC_OID_PKCS1_RSA_ENCRYPTION=4;
+    protected static final int CKM_RSA_PKCS_KEY_PAIR_GEN=5;
+    protected static final int CKM_DSA_KEY_PAIR_GEN=6;
+    protected static final int SEC_OID_ANSIX9_DSA_SIGNATURE=7;
+    protected static final int SEC_OID_RC4=8;
+    protected static final int SEC_OID_DES_ECB=9;
+    protected static final int SEC_OID_DES_CBC=10;
+    protected static final int CKM_DES_CBC_PAD=11;
+    protected static final int CKM_DES3_ECB=12;
+    protected static final int SEC_OID_DES_EDE3_CBC=13;
+    protected static final int CKM_DES3_CBC_PAD=14;
+    protected static final int CKM_DES_KEY_GEN=15;
+    protected static final int CKM_DES3_KEY_GEN=16;
+    protected static final int CKM_RC4_KEY_GEN=17;
+
+    protected static final int SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC=18;
+    protected static final int SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC=19;
+    protected static final int SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC=20;
+    protected static final int
         SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4=21;
-    protected static final short
+    protected static final int
         SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4=22;
-    protected static final short
+    protected static final int
         SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC=23;
-    protected static final short SEC_OID_MD2=24;
-    protected static final short SEC_OID_MD5=25;
-    protected static final short SEC_OID_SHA1=26;
-    protected static final short CKM_SHA_1_HMAC=27;
-    protected static final short
+    protected static final int SEC_OID_MD2=24;
+    protected static final int SEC_OID_MD5=25;
+    protected static final int SEC_OID_SHA1=26;
+    protected static final int CKM_SHA_1_HMAC=27;
+    protected static final int
         SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC=28;
-    protected static final short
+    protected static final int
         SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC=29;
-    protected static final short SEC_OID_RC2_CBC=30;
-    protected static final short CKM_PBA_SHA1_WITH_SHA1_HMAC=31;
+    protected static final int SEC_OID_RC2_CBC=30;
+    protected static final int CKM_PBA_SHA1_WITH_SHA1_HMAC=31;
 
     // AES
-    protected static final short CKM_AES_KEY_GEN=32;
-    protected static final short CKM_AES_ECB=33;
-    protected static final short CKM_AES_CBC=34;
-    protected static final short CKM_AES_CBC_PAD=35;
-    protected static final short CKM_RC2_CBC_PAD=36;
-    protected static final short CKM_RC2_KEY_GEN=37;
+    protected static final int CKM_AES_KEY_GEN=32;
+    protected static final int CKM_AES_ECB=33;
+    protected static final int CKM_AES_CBC=34;
+    protected static final int CKM_AES_CBC_PAD=35;
+    protected static final int CKM_RC2_CBC_PAD=36;
+    protected static final int CKM_RC2_KEY_GEN=37;
     //FIPS 180-2
-    protected static final short SEC_OID_SHA256=38;
-    protected static final short SEC_OID_SHA384=39;
-    protected static final short SEC_OID_SHA512=40;
-    protected static final short SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION=41;
-    protected static final short SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION=42;
-    protected static final short SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION=43;
-    protected static final short SEC_OID_ANSIX962_EC_PUBLIC_KEY=44;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE=45;
-    protected static final short CKM_EC_KEY_PAIR_GEN=46;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
-
-    protected static final short SEC_OID_HMAC_SHA256=50;
-    protected static final short SEC_OID_HMAC_SHA384=51;
-    protected static final short SEC_OID_HMAC_SHA512=52;
+    protected static final int SEC_OID_SHA256=38;
+    protected static final int SEC_OID_SHA384=39;
+    protected static final int SEC_OID_SHA512=40;
+    protected static final int SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION=41;
+    protected static final int SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION=42;
+    protected static final int SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION=43;
+    protected static final int SEC_OID_ANSIX962_EC_PUBLIC_KEY=44;
+    protected static final int SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE=45;
+    protected static final int CKM_EC_KEY_PAIR_GEN=46;
+    protected static final int SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47;
+    protected static final int SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
+    protected static final int SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
+
+    protected static final int SEC_OID_HMAC_SHA256=50;
+    protected static final int SEC_OID_HMAC_SHA384=51;
+    protected static final int SEC_OID_HMAC_SHA512=52;
 
     //PKCS5 V2
-    protected static final short SEC_OID_PKCS5_PBKDF2=53;
-    protected static final short SEC_OID_PKCS5_PBES2=54;
-    protected static final short SEC_OID_PKCS5_PBMAC1=55;
-    protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=56;
+    protected static final int SEC_OID_PKCS5_PBKDF2=53;
+    protected static final int SEC_OID_PKCS5_PBES2=54;
+    protected static final int SEC_OID_PKCS5_PBMAC1=55;
+    protected static final int SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=56;
 
     // NSS AES KeyWrap
-    protected static final short CKM_NSS_AES_KEY_WRAP=57;
-    protected static final short CKM_NSS_AES_KEY_WRAP_PAD=58;
+    protected static final int CKM_NSS_AES_KEY_WRAP=57;
+    protected static final int CKM_NSS_AES_KEY_WRAP_PAD=58;
 
     // AES Encryption Algorithms
-    protected static final short SEC_OID_AES_128_ECB = 59;
-    protected static final short SEC_OID_AES_128_CBC = 60;
-    protected static final short SEC_OID_AES_192_ECB = 61;
-    protected static final short SEC_OID_AES_192_CBC = 62;
-    protected static final short SEC_OID_AES_256_ECB = 63;
-    protected static final short SEC_OID_AES_256_CBC = 64;
+    protected static final int SEC_OID_AES_128_ECB = 59;
+    protected static final int SEC_OID_AES_128_CBC = 60;
+    protected static final int SEC_OID_AES_192_ECB = 61;
+    protected static final int SEC_OID_AES_192_CBC = 62;
+    protected static final int SEC_OID_AES_256_ECB = 63;
+    protected static final int SEC_OID_AES_256_CBC = 64;
 
     // PKCS#11 AES KeyWrap
     // These underlying defs are currently different from the NSS AES KeyWrap
-    protected static final short CKM_AES_KEY_WRAP=65;
-    protected static final short CKM_AES_KEY_WRAP_PAD=66;
+    protected static final int CKM_AES_KEY_WRAP=65;
+    protected static final int CKM_AES_KEY_WRAP_PAD=66;
+
+    // PKCS#11 SHA2 HMAC
+    protected static final int CKM_SHA256_HMAC=67;
+    protected static final int CKM_SHA384_HMAC=68;
+    protected static final int CKM_SHA512_HMAC=69;
 }


=====================================
org/mozilla/jss/crypto/Cipher.java
=====================================
@@ -22,6 +22,11 @@ import org.mozilla.jss.util.Assert;
  * call to <code>doFinal</code>.
  */
 public abstract class Cipher {
+    // Note: Cipher can't extend javax.crypto.Cipher because it is part of the
+    // provider mechanism. In particular, it isn't an abstract class, many of
+    // the methods are marked final, and it expects to instantiate a CipherSpi
+    // class instead of be directly created like things which override our
+    // Cipher class expect (e.g., PK11Cipher). This is why JSSCipherSpi exists.
 
     /**
      * Initializes a encryption context with a symmetric key.


=====================================
org/mozilla/jss/crypto/KeyGenAlgorithm.java
=====================================
@@ -108,6 +108,30 @@ public class KeyGenAlgorithm extends Algorithm {
             "PBA/SHA1/HMAC", new FixedKeyStrengthValidator(160),
             null, PBEKeyGenParams.class );
 
+    public static final KeyGenAlgorithm
+    SHA1_HMAC = new KeyGenAlgorithm(
+        CKM_SHA_1_HMAC,
+            "SHA1/HMAC", new FixedKeyStrengthValidator(160),
+            null, null );
+
+    public static final KeyGenAlgorithm
+    SHA256_HMAC = new KeyGenAlgorithm(
+        CKM_SHA256_HMAC,
+            "SHA256/HMAC", new FixedKeyStrengthValidator(256),
+            null, null );
+
+    public static final KeyGenAlgorithm
+    SHA384_HMAC = new KeyGenAlgorithm(
+        CKM_SHA384_HMAC,
+            "SHA384/HMAC", new FixedKeyStrengthValidator(384),
+            null, null );
+
+    public static final KeyGenAlgorithm
+    SHA512_HMAC = new KeyGenAlgorithm(
+        CKM_SHA512_HMAC,
+            "SHA512/HMAC", new FixedKeyStrengthValidator(512),
+            null, null );
+
     //////////////////////////////////////////////////////////////
     public static final KeyGenAlgorithm
     AES = new KeyGenAlgorithm(CKM_AES_KEY_GEN, "AES",


=====================================
org/mozilla/jss/crypto/PKCS11Algorithm.java
=====================================
@@ -0,0 +1,64 @@
+package org.mozilla.jss.crypto;
+
+import org.mozilla.jss.pkcs11.PKCS11Constants;
+import org.mozilla.jss.crypto.Algorithm;
+
+public enum PKCS11Algorithm {
+    CKM_AES_CBC (Algorithm.CKM_AES_CBC, PKCS11Constants.CKM_AES_CBC),
+    CKM_AES_CBC_PAD (Algorithm.CKM_AES_CBC_PAD, PKCS11Constants.CKM_AES_CBC_PAD),
+    CKM_AES_ECB (Algorithm.CKM_AES_ECB, PKCS11Constants.CKM_AES_ECB),
+    CKM_AES_KEY_GEN (Algorithm.CKM_AES_KEY_GEN, PKCS11Constants.CKM_AES_KEY_GEN),
+    CKM_DES3_CBC_PAD (Algorithm.CKM_DES3_CBC_PAD, PKCS11Constants.CKM_DES3_CBC_PAD),
+    CKM_DES3_ECB (Algorithm.CKM_DES3_ECB, PKCS11Constants.CKM_DES3_ECB),
+    CKM_DES3_KEY_GEN (Algorithm.CKM_DES3_KEY_GEN, PKCS11Constants.CKM_DES3_KEY_GEN),
+    CKM_DES_CBC_PAD (Algorithm.CKM_DES_CBC_PAD, PKCS11Constants.CKM_DES_CBC_PAD),
+    CKM_DES_KEY_GEN (Algorithm.CKM_DES_KEY_GEN, PKCS11Constants.CKM_DES_KEY_GEN),
+    CKM_DSA_KEY_PAIR_GEN (Algorithm.CKM_DSA_KEY_PAIR_GEN, PKCS11Constants.CKM_DSA_KEY_PAIR_GEN),
+    CKM_EC_KEY_PAIR_GEN (Algorithm.CKM_EC_KEY_PAIR_GEN, PKCS11Constants.CKM_EC_KEY_PAIR_GEN),
+    CKM_NSS_AES_KEY_WRAP (Algorithm.CKM_NSS_AES_KEY_WRAP, PKCS11Constants.CKM_NSS_AES_KEY_WRAP),
+    CKM_NSS_AES_KEY_WRAP_PAD (Algorithm.CKM_NSS_AES_KEY_WRAP_PAD, PKCS11Constants.CKM_NSS_AES_KEY_WRAP_PAD),
+    CKM_PBA_SHA1_WITH_SHA1_HMAC (Algorithm.CKM_PBA_SHA1_WITH_SHA1_HMAC, PKCS11Constants.CKM_PBA_SHA1_WITH_SHA1_HMAC),
+    CKM_RC2_CBC_PAD (Algorithm.CKM_RC2_CBC_PAD, PKCS11Constants.CKM_RC2_CBC_PAD),
+    CKM_RC2_KEY_GEN (Algorithm.CKM_RC2_KEY_GEN, PKCS11Constants.CKM_RC2_KEY_GEN),
+    CKM_RC4_KEY_GEN (Algorithm.CKM_RC4_KEY_GEN, PKCS11Constants.CKM_RC4_KEY_GEN),
+    CKM_RSA_PKCS_KEY_PAIR_GEN (Algorithm.CKM_RSA_PKCS_KEY_PAIR_GEN, PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN),
+    CKM_SHA_1_HMAC (Algorithm.CKM_SHA_1_HMAC, PKCS11Constants.CKM_SHA_1_HMAC);
+
+    // Value from Algorithm's constant -- this is an index into Algorithm's
+    // table.
+    private int alg_index;
+
+    // Value from PKCS11Constants -- this is a constant defined in PKCS #11.
+    private long pk11_value;
+
+    private PKCS11Algorithm(int alg_index, long pk11_value) {
+        this.alg_index = alg_index;
+        this.pk11_value = pk11_value;
+    }
+
+    public int getIndex() {
+        return alg_index;
+    }
+
+    public long getValue() {
+        return pk11_value;
+    }
+
+    public static PKCS11Algorithm valueOfIndex(int index) {
+        for (PKCS11Algorithm alg : PKCS11Algorithm.values()) {
+            if (alg.alg_index == index) {
+                return alg;
+            }
+        }
+        return null;
+    }
+
+    public static PKCS11Algorithm valueOfConstant(long constant) {
+        for (PKCS11Algorithm alg : PKCS11Algorithm.values()) {
+            if (alg.pk11_value == constant) {
+                return alg;
+            }
+        }
+        return null;
+    }
+}


=====================================
org/mozilla/jss/crypto/SymmetricKey.java
=====================================
@@ -6,7 +6,7 @@ package org.mozilla.jss.crypto;
 import java.security.NoSuchAlgorithmException;
 import java.util.Hashtable;
 
-public interface SymmetricKey {
+public interface SymmetricKey extends javax.crypto.SecretKey {
 
     public static final Type DES = Type.DES;
     public static final Type DES3 = Type.DES3;
@@ -63,6 +63,14 @@ public interface SymmetricKey {
         public static final Type RC4 = new Type("RC4", KeyGenAlgorithm.RC4);
         public static final Type RC2 = new Type("RC2", KeyGenAlgorithm.RC2);
         public static final Type SHA1_HMAC = new Type("SHA1_HMAC",
+            KeyGenAlgorithm.SHA1_HMAC);
+        public static final Type SHA256_HMAC = new Type("SHA256_HMAC",
+            KeyGenAlgorithm.SHA256_HMAC);
+        public static final Type SHA384_HMAC = new Type("SHA384_HMAC",
+            KeyGenAlgorithm.SHA384_HMAC);
+        public static final Type SHA512_HMAC = new Type("SHA512_HMAC",
+            KeyGenAlgorithm.SHA512_HMAC);
+        public static final Type PBA_SHA1_HMAC = new Type("PBA_SHA1_HMAC",
             KeyGenAlgorithm.PBA_SHA1_HMAC);
         public static final Type AES = new Type("AES", KeyGenAlgorithm.AES);
 


=====================================
org/mozilla/jss/nss/PR.c
=====================================
@@ -268,7 +268,7 @@ Java_org_mozilla_jss_nss_PR_GetError(JNIEnv *env, jclass clazz)
 }
 
 JNIEXPORT jbyteArray JNICALL
-Java_org_mozilla_jss_nss_PR_GetErrorText(JNIEnv *env, jclass clazz)
+Java_org_mozilla_jss_nss_PR_GetErrorTextNative(JNIEnv *env, jclass clazz)
 {
     ssize_t error_size;
     char *error_text = NULL;
@@ -292,6 +292,25 @@ Java_org_mozilla_jss_nss_PR_GetErrorText(JNIEnv *env, jclass clazz)
     return result;
 }
 
+JNIEXPORT jbyteArray JNICALL
+Java_org_mozilla_jss_nss_PR_ErrorToNameNative(JNIEnv *env, jclass clazz, jint error_code)
+{
+    size_t error_size;
+    const char *error_name = NULL;
+    jbyteArray result = NULL;
+
+    PR_ASSERT(env != NULL);
+
+    error_name = PR_ErrorToName(error_code);
+    if (error_name == NULL) {
+        return NULL;
+    }
+
+    error_size = strlen(error_name);
+    result = JSS_ToByteArray(env, error_name, error_size);
+    return result;
+}
+
 JNIEXPORT int JNICALL
 Java_org_mozilla_jss_nss_PR_getPRShutdownRcv(JNIEnv *env, jclass clazz)
 {


=====================================
org/mozilla/jss/nss/PR.java
=====================================
@@ -129,7 +129,31 @@ public class PR {
      *
      * See also: PR_GetErrorText in /usr/include/nspr4/prio.h
      */
-    public static native byte[] GetErrorText();
+    public static String GetErrorText() {
+        byte[] text = GetErrorTextNative();
+        if (text == null) {
+            return "";
+        }
+
+        return new String(text);
+    }
+    private static native byte[] GetErrorTextNative();
+
+    /**
+     * Get the constant name of the current PR error. This is cleared on each
+     * NSPR call.
+     *
+     * See also: PR_ErrorToName in /usr/include/nspr4/prio.h
+     */
+    public static String ErrorToName(int code) {
+        byte[] name = ErrorToNameNative(code);
+        if (name == null) {
+            return "";
+        }
+
+        return new String(name);
+    }
+    private static native byte[] ErrorToNameNative(int code);
 
     /* Internal methods for querying constants. */
     private static native int getPRShutdownRcv();


=====================================
org/mozilla/jss/nss/SSL.c
=====================================
@@ -1,6 +1,7 @@
 #include <nspr.h>
 #include <nss.h>
 #include <ssl.h>
+#include <sslerr.h>
 #include <limits.h>
 #include <stdint.h>
 #include <jni.h>
@@ -318,6 +319,31 @@ Java_org_mozilla_jss_nss_SSL_ConfigSecureServer(JNIEnv *env, jclass clazz,
     return SSL_ConfigSecureServer(real_fd, real_cert, real_key, kea);
 }
 
+JNIEXPORT int JNICALL
+Java_org_mozilla_jss_nss_SSL_ConfigServerCert(JNIEnv *env, jclass clazz,
+    jobject fd, jobject cert, jobject key)
+{
+    PRFileDesc *real_fd = NULL;
+    CERTCertificate *real_cert = NULL;
+    SECKEYPrivateKey *real_key = NULL;
+
+    PR_ASSERT(env != NULL && fd != NULL);
+
+    if (JSS_PR_getPRFileDesc(env, fd, &real_fd) != PR_SUCCESS) {
+        return SECFailure;
+    }
+
+    if (JSS_PK11_getCertPtr(env, cert, &real_cert) != PR_SUCCESS) {
+        return SECFailure;
+    }
+
+    if (JSS_PK11_getPrivKeyPtr(env, key, &real_key) != PR_SUCCESS) {
+        return SECFailure;
+    }
+
+    return SSL_ConfigServerCert(real_fd, real_cert, real_key, NULL, 0);
+}
+
 JNIEXPORT int JNICALL
 Java_org_mozilla_jss_nss_SSL_ConfigServerSessionIDCache(JNIEnv *env, jclass clazz,
     jint maxCacheEntries, jlong timeout, jlong ssl3_timeout, jstring directory)
@@ -336,6 +362,54 @@ Java_org_mozilla_jss_nss_SSL_ConfigServerSessionIDCache(JNIEnv *env, jclass claz
     return ret;
 }
 
+JNIEXPORT jobject JNICALL
+Java_org_mozilla_jss_nss_SSL_PeerCertificate(JNIEnv *env, jclass clazz,
+    jobject fd)
+{
+    PRFileDesc *real_fd = NULL;
+    CERTCertificate *cert = NULL;
+
+    PR_ASSERT(env != NULL && fd != NULL);
+
+    if (JSS_PR_getPRFileDesc(env, fd, &real_fd) != PR_SUCCESS) {
+        return NULL;
+    }
+
+    cert = SSL_PeerCertificate(real_fd);
+    if (cert == NULL) {
+        return NULL;
+    }
+
+    return JSS_PK11_wrapCert(env, &cert);
+}
+
+JNIEXPORT jobjectArray JNICALL
+Java_org_mozilla_jss_nss_SSL_PeerCertificateChain(JNIEnv *env, jclass clazz,
+    jobject fd)
+{
+    PRFileDesc *real_fd = NULL;
+    CERTCertList *chain = NULL;
+
+    PR_ASSERT(env != NULL && fd != NULL);
+
+    if (JSS_PR_getPRFileDesc(env, fd, &real_fd) != PR_SUCCESS) {
+        return NULL;
+    }
+
+    chain = SSL_PeerCertificateChain(real_fd);
+    int error = PORT_GetError();
+
+    if (chain == NULL && error == SSL_ERROR_NO_CERTIFICATE) {
+        return NULL;
+    } else if (chain == NULL /* && error != SSL_ERROR_NO_CERTIFICATE */) {
+        JSS_throwMsgPrErrArg(env, SECURITY_EXCEPTION,
+            "Unable to construct peer certificate chain.", error);
+        return NULL;
+    }
+
+    return JSS_PK11_wrapCertChain(env, &chain);
+}
+
 JNIEXPORT jint JNICALL
 Java_org_mozilla_jss_nss_SSL_getSSLRequestCertificate(JNIEnv *env, jclass clazz)
 {


=====================================
org/mozilla/jss/nss/SSL.java
=====================================
@@ -142,11 +142,22 @@ public class SSL {
     /**
      * Configure the certificate and private key for a server socket.
      *
+     * @deprecated replaced with ConfigServerCert
      * See also: SSL_ConfigSecureServer in /usr/include/nss3/ssl.h
      */
+    @Deprecated
     public static native int ConfigSecureServer(PRFDProxy fd, PK11Cert cert,
         PK11PrivKey key, int kea);
 
+    /**
+     * Configure the certificate and private key for a server socket. This
+     * form assumes no additional data is passed.
+     *
+     * See also: SSL_ConfigServerCert in /usr/include/nss3/ssl.h
+     */
+    public static native int ConfigServerCert(PRFDProxy fd, PK11Cert cert,
+        PK11PrivKey key);
+
     /**
      * Configure the server's session cache.
      *
@@ -155,6 +166,20 @@ public class SSL {
     public static native int ConfigServerSessionIDCache(int maxCacheEntries,
         long timeout, long ssl3_timeout, String directory);
 
+    /**
+     * Introspect the peer's certificate.
+     *
+     * See also: SSL_PeerCertificate in /usr/include/nss3/ssl.h
+     */
+    public static native PK11Cert PeerCertificate(PRFDProxy fd);
+
+    /**
+     * Introspect the peer's certificate chain.
+     *
+     * See also: SSL_PeerCertificateChain in /usr/include/nss3/ssl.h
+     */
+    public static native PK11Cert[] PeerCertificateChain(PRFDProxy fd) throws Exception;
+
     /* Internal methods for querying constants. */
     private static native int getSSLRequestCertificate();
     private static native int getSSLRequireCertificate();


=====================================
org/mozilla/jss/pkcs11/PK11Cert.c
=====================================
@@ -467,6 +467,80 @@ JSS_PK11_wrapCert(JNIEnv *env, CERTCertificate **cert)
 	return JSS_PK11_wrapCertAndSlot(env, cert, &slot);
 }
 
+static ssize_t
+CERT_LIST_COUNT(CERTCertList *chain) {
+    ssize_t count = -1;
+    CERTCertListNode *node = NULL;
+
+    if (chain == NULL) {
+        return count;
+    }
+
+    for (node = CERT_LIST_HEAD(chain);
+            !CERT_LIST_END(node, chain);
+            node = CERT_LIST_NEXT(node)) {
+        count += 1;
+    }
+
+    return count + 1;
+}
+
+/****************************************************************
+ *
+ * J S S _ P K 1 1 _ w r a p C e r t C h a i n
+ *
+ * Builds an array of PK11Cert objects from a CERTCertList.
+ * ppChain: Pointer to pointer to CERTCertList.  The CERTCertList
+ *      will be wrapped in a Java certificate.  If this fails, it
+ *      will be deleted.  In any case, the caller should never worry about,
+ *      or use, this CERTCertList again. To enforce this, *ppChain
+ *      will be set to NULL whether the functions fails or succeeds.
+ * Returns: a new Java PK11Cert[] object, or NULL if an exception was thrown.
+ */
+jobjectArray
+JSS_PK11_wrapCertChain(JNIEnv *env, CERTCertList **chain)
+{
+    jobjectArray result = NULL;
+    jobject wrappedCert = NULL;
+    CERTCertListNode *node = NULL;
+    ssize_t count = 0;
+
+    if (chain == NULL || *chain == NULL) {
+        goto done;
+    }
+
+    // Since we can't easily resize our jobjectArray once created, walk the
+    // chain and count its length.
+    count = CERT_LIST_COUNT(*chain);
+    if (count <= 0) {
+        goto done;
+    }
+
+    // Allocate our result structure.
+    result = (*env)->NewObjectArray(env, count,
+                                    (*env)->FindClass(env, CERT_CLASS_NAME),
+                                    NULL);
+    count = 0;
+
+    for (node = CERT_LIST_HEAD((*chain));
+            !CERT_LIST_END(node, (*chain));
+            node = CERT_LIST_NEXT(node)) {
+        // Wrap the certificate and insert it into the array.
+        wrappedCert = JSS_PK11_wrapCert(env, &node->cert);
+        (*env)->SetObjectArrayElement(env, result, count, wrappedCert);
+        count += 1;
+    }
+
+
+done:
+    if (chain) {
+        CERT_DestroyCertList(*chain);
+        *chain = NULL;
+    }
+
+    return result;
+}
+
 /**********************************************************************
  * PK11Cert.getOwningToken
  */


=====================================
org/mozilla/jss/pkcs11/PK11Key.java
=====================================
@@ -10,7 +10,7 @@ import java.io.ObjectOutputStream;
 import java.io.IOException;
 
 
-abstract class PK11Key {
+abstract class PK11Key implements java.security.Key {
 
     //////////////////////////////////////////////////////////
     // Public Interface


=====================================
org/mozilla/jss/pkcs11/PK11SymKey.java
=====================================
@@ -8,6 +8,8 @@ import org.mozilla.jss.crypto.CryptoToken;
 import org.mozilla.jss.crypto.SymmetricKey;
 import org.mozilla.jss.util.Assert;
 
+// We've updated jss.crypto.SymmetricKey to extend javax.crypto.SecretKey, so
+// PK11SymKey implements that interface as well.
 public final class PK11SymKey implements SymmetricKey {
 
     protected PK11SymKey(byte[] pointer) {


=====================================
org/mozilla/jss/pkcs11/pk11util.h
=====================================
@@ -265,6 +265,22 @@ jobject
 JSS_PK11_wrapCert(JNIEnv *env, CERTCertificate **ppCert);
 
 
+/****************************************************************
+ *
+ * J S S _ P K 1 1 _ w r a p C e r t C h a i n
+ *
+ * Builds an array of PK11Cert objects from a CERTCertList.
+ * ppChain: Pointer to pointer to CERTCertList.  The CERTCertList
+ *      will be wrapped in a Java certificate.  If this fails, it
+ *      will be deleted.  In any case, the caller should never worry about,
+ *      or use, this CERTCertList again. To enforce this, *ppChain
+ *      will be set to NULL whether the functions fails or succeeds.
+ * Returns: a new Java PK11Cert[] object, or NULL if an exception was thrown.
+ */
+jobjectArray
+JSS_PK11_wrapCertChain(JNIEnv *env, CERTCertList **ppChain);
+
+
 /*=====================================================================
                             S T O R E S
 =====================================================================*/


=====================================
org/mozilla/jss/pkcs12/MacData.java
=====================================
@@ -102,49 +102,51 @@ public class MacData implements ASN1Value {
         throws NotInitializedException,
             DigestException, TokenException, CharConversionException
     {
-      try {
-
         CryptoManager cm = CryptoManager.getInstance();
         CryptoToken token = cm.getInternalCryptoToken();
 
-        if(macSalt == null) {
+        if (macSalt == null) {
             JSSSecureRandom rand = cm.createPseudoRandomNumberGenerator();
-            macSalt = new byte[ SALT_LENGTH ];
+            macSalt = new byte[SALT_LENGTH];
             rand.nextBytes(macSalt);
         }
 
-        // generate key from password and salt
-        KeyGenerator kg = token.getKeyGenerator( KeyGenAlgorithm.PBA_SHA1_HMAC);
-        PBEKeyGenParams params = new PBEKeyGenParams(password, macSalt,
-            iterations);
-        kg.setCharToByteConverter(new PasswordConverter());
-        kg.initialize(params);
-        SymmetricKey key = kg.generate();
-
-
-        // perform the digesting
-        JSSMessageDigest digest = token.getDigestContext(HMACAlgorithm.SHA1);
-        digest.initHMAC(key);
-        byte[] digestBytes = digest.digest(toBeMACed);
-
-
-        // put everything into a DigestInfo
-        AlgorithmIdentifier algID = new AlgorithmIdentifier(
-                            DigestAlgorithm.SHA1.toOID() );
-        this.mac = new DigestInfo( algID, new OCTET_STRING(digestBytes));
-        this.macSalt = new OCTET_STRING(macSalt);
-        this.macIterationCount = new INTEGER(iterations);
-
-      } catch( NoSuchAlgorithmException e ) {
-          throw new RuntimeException("SHA-1 HMAC algorithm not found on internal " +
-            "token: " + e.getMessage(), e);
-      } catch( InvalidAlgorithmParameterException e ) {
-          throw new RuntimeException("Invalid PBE algorithm parameters: " + e.getMessage(), e);
-      } catch( java.lang.IllegalStateException e ) {
-          throw new RuntimeException("Illegal state: " + e.getMessage(), e);
-      } catch( InvalidKeyException e ) {
-          throw new RuntimeException("Invalid key: " + e.getMessage(), e);
-      }
+        PBEKeyGenParams params = new PBEKeyGenParams(password, macSalt, iterations);
+
+        try {
+            // generate key from password and salt
+            KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.PBA_SHA1_HMAC);
+            kg.setCharToByteConverter(new PasswordConverter());
+            kg.initialize(params);
+            SymmetricKey key = kg.generate();
+
+            // perform the digesting
+            JSSMessageDigest digest = token.getDigestContext(HMACAlgorithm.SHA1);
+            digest.initHMAC(key);
+            byte[] digestBytes = digest.digest(toBeMACed);
+
+            // put everything into a DigestInfo
+            AlgorithmIdentifier algID = new AlgorithmIdentifier(DigestAlgorithm.SHA1.toOID());
+            this.mac = new DigestInfo(algID, new OCTET_STRING(digestBytes));
+            this.macSalt = new OCTET_STRING(macSalt);
+            this.macIterationCount = new INTEGER(iterations);
+
+        } catch (NoSuchAlgorithmException e) {
+            throw new RuntimeException("SHA-1 HMAC algorithm not found on internal " +
+                    "token: " + e.getMessage(), e);
+
+        } catch (InvalidAlgorithmParameterException e) {
+            throw new RuntimeException("Invalid PBE algorithm parameters: " + e.getMessage(), e);
+
+        } catch (java.lang.IllegalStateException e) {
+            throw new RuntimeException("Illegal state: " + e.getMessage(), e);
+
+        } catch (InvalidKeyException e) {
+            throw new RuntimeException("Invalid key: " + e.getMessage(), e);
+
+        } finally {
+            params.clear();
+        }
     }
 
     ///////////////////////////////////////////////////////////////////////


=====================================
org/mozilla/jss/ssl/SSLServerSocket.c
=====================================
@@ -216,7 +216,6 @@ Java_org_mozilla_jss_ssl_SSLServerSocket_setServerCert(
     CERTCertificate* cert=NULL;
     PK11SlotInfo* slot=NULL;
     SECKEYPrivateKey* privKey=NULL;
-    SSLKEAType certKEA;
     SECStatus status;
 
     if( certObj == NULL ) {
@@ -237,8 +236,7 @@ Java_org_mozilla_jss_ssl_SSLServerSocket_setServerCert(
 
     privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
     if (privKey != NULL) {
-        certKEA = NSS_FindCertKEAType(cert);
-        status = SSL_ConfigSecureServer(sock->fd, cert, privKey, certKEA); 
+        status = SSL_ConfigServerCert(sock->fd, cert, privKey, NULL, 0);
         if( status != SECSuccess) {
             JSSL_throwSSLSocketException(env,
                 "Failed to configure secure server certificate and key");


=====================================
org/mozilla/jss/tests/HMACTest.java → org/mozilla/jss/tests/CrossHMACTest.java
=====================================
@@ -15,12 +15,12 @@ import org.mozilla.jss.util.PasswordCallback;
 
 /**
  * HMAC is a hash function based message authentication code.
- * HMACTest compares the HMAC created by Mozilla, IBM and Sun JCE.
+ * CrossHMACTest compares the HMAC created by Mozilla, IBM and Sun JCE.
  *
  * @author  Sandeep.Konchady at Sun.COM
  * @version 1.0
  */
-public class HMACTest {
+public class CrossHMACTest {
 
     private CryptoManager cm;
     /**
@@ -34,10 +34,10 @@ public class HMACTest {
         "HmacSHA384", "HmacSHA512"
     };
 
-    public HMACTest(String[] argv) throws Exception {
+    public CrossHMACTest(String[] argv) throws Exception {
         if (argv.length < 1) {
             System.out.println(
-                    "Usage: java org.mozilla.jss.tests.HMACTest " +
+                    "Usage: java org.mozilla.jss.tests.CrossHMACTest " +
                     "<dbdir> [password file only needed in FIPS mode]");
             System.exit(1);
         }
@@ -127,7 +127,7 @@ public class HMACTest {
     public static void main(String[] argv) {
 
         try {
-            HMACTest hmacTest = new HMACTest(argv);
+            CrossHMACTest hmacTest = new CrossHMACTest(argv);
 
             //The secret key must be a JSS key. That is, it must be an 
             //instanceof org.mozilla.jss.crypto.SecretKeyFacade.


=====================================
org/mozilla/jss/tests/TestBufferPRFD.c
=====================================
@@ -180,11 +180,11 @@ static SECKEYPrivateKey *get_privkey(CERTCertificate *cert, char *password)
     return PK11_FindPrivateKeyFromCert(slot, cert, NULL);
 }
 
-static PRFileDesc *setup_nss_server(PRFileDesc *s_nspr, char *host, char *password)
+static PRFileDesc *setup_nss_server(PRFileDesc *s_nspr, char *host, char *password, char *nickname)
 {
     /* Set up the server end of the SSL connection and find certificates. */
     /* Adapted from aforementioned Fedora developer guide and mod_nss. */
-    CERTCertificate *cert = get_cert("Server_RSA");
+    CERTCertificate *cert = get_cert(nickname);
     if (cert == NULL) {
         printf("Failed to find certificate for host: %s\n", host);
         exit(1);
@@ -221,9 +221,9 @@ static PRFileDesc *setup_nss_server(PRFileDesc *s_nspr, char *host, char *passwo
 
     /* This part differs from the client side: set the certificate and
      * private key we're using. */
-    if (SSL_ConfigSecureServer(s_nspr, cert, priv_key, kt_rsa) != SECSuccess) {
+    if (SSL_ConfigServerCert(s_nspr, cert, priv_key, NULL, 0) != SECSuccess) {
         const PRErrorCode err = PR_GetError();
-        fprintf(stderr, "error: SSL_ResetHandshake error %d: %s\n",
+        fprintf(stderr, "error: SSL_ConfigServerCert error %d: %s\n",
             err, PR_ErrorToName(err));
         exit(1);
     }
@@ -277,8 +277,8 @@ bool is_finished(PRFileDesc *c_nspr, PRFileDesc *s_nspr)
 
 int main(int argc, char** argv)
 {
-    if (argc != 3) {
-        fprintf(stderr, "usage: %s /path/to/nssdb password\n", argv[0]);
+    if (argc != 4) {
+        fprintf(stderr, "usage: %s /path/to/nssdb password cert-nickname\n", argv[0]);
         exit(1);
     }
 
@@ -305,7 +305,7 @@ int main(int argc, char** argv)
     /* Set up client and server sockets with NSSL */
     char *host = "localhost";
     c_nspr = setup_nss_client(c_nspr, host);
-    s_nspr = setup_nss_server(s_nspr, host, argv[2]);
+    s_nspr = setup_nss_server(s_nspr, host, argv[2], argv[3]);
 
     /* In the handshake step, we blindly try to step both the client and
      * server ends of the handshake. As NSS stores the contents of what we're
@@ -313,6 +313,8 @@ int main(int argc, char** argv)
      * size, we'll be able to step one of the two sides until something useful
      * happens. */
     printf("Trying handshake...\n");
+
+    int count = 0;
     while (!is_finished(c_nspr, s_nspr)) {
         printf("Client Handshake:\n");
         if (SSL_ForceHandshake(c_nspr) != SECSuccess) {
@@ -335,6 +337,10 @@ int main(int argc, char** argv)
         }
 
         printf("\n\n");
+        count += 1;
+        if (count >= 40) {
+            fprintf(stderr, "error: unable to make progress after %d steps!\n", count);
+        }
     }
 
     /* Send a test message from client -> server to ensure that the connection


=====================================
org/mozilla/jss/tests/TestBufferPRFD.java
=====================================
@@ -44,23 +44,25 @@ public class TestBufferPRFD {
         Buffer.Free(right_read);
     }
 
-    public synchronized static PRFDProxy Setup_NSS_Client(PRFDProxy fd, String host) {
+    public static PRFDProxy Setup_NSS_Client(PRFDProxy fd, String host) throws Exception {
         fd = SSL.ImportFD(null, fd);
         assert(fd != null);
 
         assert(SSL.ResetHandshake(fd, false) == 0);
         assert(SSL.SetURL(fd, host) == 0);
 
+        TestSSLVersionGetSet(fd);
+
         return fd;
     }
 
-    public synchronized static PRFDProxy Setup_NSS_Server(PRFDProxy fd, String host,
+    public static PRFDProxy Setup_NSS_Server(PRFDProxy fd, String host,
         PK11Cert cert, PK11PrivKey key) throws Exception
     {
         fd = SSL.ImportFD(null, fd);
         assert(fd != null);
 
-        assert(SSL.ConfigSecureServer(fd, cert, key, 1) == 0);
+        assert(SSL.ConfigServerCert(fd, cert, key) == 0);
         assert(SSL.ConfigServerSessionIDCache(1, 100, 100, null) == 0);
         assert(SSL.ResetHandshake(fd, true) == 0);
         assert(SSL.SetURL(fd, host) == 0);
@@ -70,7 +72,7 @@ public class TestBufferPRFD {
         return fd;
     }
 
-    public synchronized static boolean IsHandshakeFinished(PRFDProxy c_nspr, PRFDProxy s_nspr) {
+    public static boolean IsHandshakeFinished(PRFDProxy c_nspr, PRFDProxy s_nspr) {
         SecurityStatusResult c_result = SSL.SecurityStatus(c_nspr);
         SecurityStatusResult s_result = SSL.SecurityStatus(s_nspr);
 
@@ -79,7 +81,7 @@ public class TestBufferPRFD {
         return c_result.on == 1 && s_result.on == 1;
     }
 
-    public synchronized static void TestSSLVersionGetSet(PRFDProxy s_nspr) throws Exception {
+    public static void TestSSLVersionGetSet(PRFDProxy s_nspr) throws Exception {
         SSLVersionRange initial = SSL.VersionRangeGet(s_nspr);
         System.out.println("Initial: (" + initial.getMinVersion() + ":" + initial.getMinEnum() + ", " + initial.getMaxVersion() + ":" + initial.getMaxEnum() + ")");
 
@@ -93,19 +95,22 @@ public class TestBufferPRFD {
         assert(SSLVersion.TLS_1_2.value() <= actual.getMaxEnum());
     }
 
-    public synchronized static void TestSSLHandshake(String database, String password) throws Exception {
-        /* Constants */
-        String host = "localhost";
-        byte[] peer_info = host.getBytes();
-
-        /* Find SSL Certificate */
+    public static void InitializeCM(String database, String password) throws Exception {
         CryptoManager manager;
         CryptoManager.initialize(database);
         manager = CryptoManager.getInstance();
         manager.setPasswordCallback(new Password(password.toCharArray()));
-        CryptoToken token = manager.getInternalKeyStorageToken();
+    }
+
+    public static void TestSSLHandshake(String nickname) throws Exception
+    {
+        /* Constants */
+        String host = "localhost";
+        byte[] peer_info = host.getBytes();
 
-        PK11Cert server_cert = (PK11Cert) manager.findCertByNickname("Server_RSA");
+        /* Find SSL Certificate */
+        CryptoManager manager = CryptoManager.getInstance();
+        PK11Cert server_cert = (PK11Cert) manager.findCertByNickname(nickname);
         PK11PrivKey server_key = (PK11PrivKey) manager.findPrivKeyByCert(server_cert);
 
         assert(server_cert != null);
@@ -135,12 +140,13 @@ public class TestBufferPRFD {
         assert(!IsHandshakeFinished(c_nspr, s_nspr));
 
         /* Try a handshake */
+        int count = 0;
         while(!IsHandshakeFinished(c_nspr, s_nspr)) {
             if (SSL.ForceHandshake(c_nspr) != SSL.SECSuccess) {
                 int error = PR.GetError();
 
                 if (error != PRErrors.WOULD_BLOCK_ERROR) {
-                    System.out.println("Unexpected error: " + error);
+                    System.out.println("Unexpected error: " + new String(PR.ErrorToName(error)) + " (" + error + ")");
                     System.exit(1);
                 }
             }
@@ -148,14 +154,26 @@ public class TestBufferPRFD {
                 int error = PR.GetError();
 
                 if (error != PRErrors.WOULD_BLOCK_ERROR) {
-                    System.out.println("Unexpected error: " + error);
+                    System.out.println("Unexpected error: " + new String(PR.ErrorToName(error)) + " (" + error + ")");
                     System.exit(1);
                 }
             }
+
+            count += 1;
+            if (count >= 40) {
+                System.err.println("Error: unable to make progress after " + count + " steps!");
+                System.exit(1);
+            }
         }
         System.out.println("Handshake completed successfully!\n");
         assert(IsHandshakeFinished(c_nspr, s_nspr));
 
+        /* Test peer data */
+        assert(SSL.PeerCertificate(c_nspr) != null);
+        assert(SSL.PeerCertificateChain(c_nspr) != null);
+        assert(SSL.PeerCertificate(s_nspr) == null);
+        assert(SSL.PeerCertificateChain(s_nspr) == null);
+
         /* Send data from client -> server */
         byte[] client_message = "Cooking MCs".getBytes();
 
@@ -212,7 +230,13 @@ public class TestBufferPRFD {
         System.out.println("Calling TestCreateClose()...");
         TestCreateClose();
 
-        System.out.println("Calling TestSSLHandshake()...");
-        TestSSLHandshake(args[0], args[1]);
+        System.out.println("Initializing CryptoManager...");
+        InitializeCM(args[0], args[1]);
+
+        System.out.println("Calling TestSSLHandshake(Server_RSA)...");
+        TestSSLHandshake("Server_RSA");
+
+        System.out.println("Calling TestSSLHandshake(Server_ECDSA)...");
+        TestSSLHandshake("Server_ECDSA");
     }
 }


=====================================
org/mozilla/jss/tests/TestPRFD.java
=====================================
@@ -1,6 +1,7 @@
 package org.mozilla.jss.tests;
 
 import org.mozilla.jss.nss.PR;
+import org.mozilla.jss.nss.PRErrors;
 import org.mozilla.jss.nss.PRFDProxy;
 
 public class TestPRFD {
@@ -75,6 +76,8 @@ public class TestPRFD {
         System.out.println("PR.SHUTDOWN_RCV: " + PR.SHUTDOWN_RCV);
         System.out.println("PR.SHUTDOWN_SEND: " + PR.SHUTDOWN_SEND);
         System.out.println("PR.SHUTDOWN_BOTH: " + PR.SHUTDOWN_BOTH);
+
+        assert(PR.ErrorToName(PRErrors.WOULD_BLOCK_ERROR).equals("PR_WOULD_BLOCK_ERROR"));
     }
 
     public static void main(String[] args) {


=====================================
org/mozilla/jss/tests/all.pl deleted
=====================================
@@ -1,742 +0,0 @@
-#!/usr/bin/perl
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-use strict;
-use warnings;
-use warnings FATAL => 'all';
-
-use Socket;
-use File::Basename;
-use Cwd qw(abs_path);
-use POSIX 'uname';
-
-# change the line below if we reorganize the code; must
-# point to the location with Common.pm
-use lib dirname(dirname abs_path $0) . '/../../../lib';
-
-use Common qw(get_jar_files);
-
-# dist <dist_dir> <NSS bin dir> <NSS lib dir> <JSS lib dir>
-# release <java release dir> <nss release dir> <nspr release dir>
-# auto   (test the current build directory)
-
-sub usage {
-    print "Usage:\n";
-    print "$0 dist <dist_dir> <NSS bin_dir> <NSS lib dir> <JSS lib dir> <jss jar>\n";
-    print "$0 release <jss release dir> <nss release dir> "
-        . "<nspr release dir> <jss jar>\n";
-    print "$0 auto\n";
-    exit(1);
-}
-
-# Force Perl to do unbuffered output
-# to avoid having Java and Perl output out of sync.
-$| = 1;
-
-# Global variables
-my $java           = "";
-my $java_version   = "";
-my $testdir        = "";
-my $testrun        = 0;
-my $testpass       = 0;
-my $nss_lib_dir    = "";
-my $jss_lib_dir    = "";
-my $pathsep        = ":";
-my $scriptext      = "sh";
-my $exe_suffix     = "";
-my $lib_suffix     = ".so";
-my $lib_jss        = "libjss";
-my $jss_rel_dir    = "";
-my $jss_classpath  = "";
-my $serverPort     = 2876;
-my $localhost      = "localhost";
-my $hostname       = $localhost;
-my $dbPwd          = "m1oZilla";
-my $configfile     = "";
-my $keystore       = "";
-my $certSN_file    = "";
-my $certSN         = 0;
-my $osname         = "";
-my $host           = "";
-my $release        = "";
-($osname,$host,$release)    = uname;
-
-# checkPort will return a free Port number
-# otherwise it will die after trying 10 times.
-sub checkPort {
-   my ($p) = @_;
-   my $localhost = inet_aton("localhost");
-   my $max = $p + 20; # try to find a port 10 times
-   my $port = sockaddr_in($p, $localhost);
-
-   #create a socket
-   socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp'))
-   || die "Unable to create socket: $!\n";
-
-   #loop until you find a free port
-   while (connect(SOCKET, $port) && $p < $max) {
-         print "$p is in use trying to find another port.\n";
-         $p = $p + 1;
-         $port = sockaddr_in($p, $localhost);
-   }
-   close SOCKET || die "Unable to close socket: $!\n";
-   if ($p == $max) {
-      die "Unable to find a free port..\n";
-   }
-
-   return $p;
-}
-
-
-# used in all test invocations
-my $run_shell    = "";
-my $pwfile       = "";
-my $nss_bin_dir  = "";
-my $classpath    = "";
-my $ld_lib_path  = "";
-my $nspr_lib_dir = "";
-
-sub setup_vars {
-    my $argv = shift;
-
-    my $truncate_lib_path = 1;
-    $run_shell = "";
-    if( $osname =~ /HP/ ) {
-        $ld_lib_path = "SHLIB_PATH";
-        $scriptext = "sh";
-        $lib_suffix = ".sl";
-    } elsif( $osname =~ /Darwin/) {
-        $ld_lib_path = "DYLD_LIBRARY_PATH";
-        $lib_suffix = ".jnilib";
-    } elsif( $osname =~ /mingw/i ) {
-    	print "We are mingw\n";
-        $ld_lib_path = "PATH";
-        $truncate_lib_path = 0;
-        $pathsep = ":";
-        $exe_suffix = ".exe";
-        $lib_suffix = ".dll";
-        $lib_jss    = "jss";
-        $scriptext = "sh";
-        $run_shell = "sh.exe";
-    } elsif( $osname =~ /win/i ) {
-        $ld_lib_path = "PATH";
-        $truncate_lib_path = 0;
-        $pathsep = ";";
-        $exe_suffix = ".exe";
-        $lib_suffix = ".dll";
-        $lib_jss    = "jss";
-        $run_shell = "sh.exe";
-    } else {
-        $ld_lib_path = "LD_LIBRARY_PATH";
-        $scriptext = "sh";
-    }
-
-    $ENV{$ld_lib_path} = "" if $truncate_lib_path;
-
-    if( $$argv[0] eq "dist" ) {
-        shift @$argv;
-
-        if (scalar @$argv != 5) {
-            usage("incorrect dist parameters");
-        }
-
-        my $dist_dir = shift @$argv;
-        $nss_bin_dir = shift @$argv;
-        $nss_lib_dir = shift @$argv;
-        $jss_lib_dir = shift @$argv;
-        $jss_classpath = shift @$argv;
-
-        $jss_rel_dir   = "$dist_dir/classes/org";
-
-        ( -f $jss_classpath ) or die "$jss_classpath does not exist";
-
-        $ENV{$ld_lib_path} = $ENV{$ld_lib_path} . $pathsep . "$nss_lib_dir";
-
-    } elsif( $$argv[0] eq "auto" ) {
-        my $dist_dir = `make dist_dir`;
-        my $obj_dir = `make obj_dir`;
-        chomp($dist_dir);
-        chomp($obj_dir);
-        chomp( $dist_dir = `(cd $dist_dir ; pwd)`);
-        chomp( $obj_dir = `(cd $obj_dir ; pwd)`);
-
-        $nss_bin_dir   = "$obj_dir/bin";
-        $nss_lib_dir   = "$obj_dir/lib";
-        $jss_lib_dir   = "$obj_dir/lib";
-        $jss_rel_dir   = "$dist_dir/classes/org";
-        $jss_classpath = "$dist_dir/xpclass.jar";
-
-        ( -f $jss_classpath ) or die "$jss_classpath does not exist";
-
-        #$ENV{$ld_lib_path} = $ENV{$ld_lib_path} . $pathsep . "$nss_lib_dir";
-        $ENV{$ld_lib_path} = "$nss_lib_dir";
-
-    } elsif( $$argv[0] eq "release" ) {
-        shift @$argv;
-
-        $jss_rel_dir     = shift @$argv or usage();
-        my $nss_rel_dir  = shift @$argv or usage();
-        my $nspr_rel_dir = shift @$argv or usage();
-        $jss_classpath   = shift @$argv or usage();
-
-        $nspr_lib_dir = "$nspr_rel_dir/lib";
-        $nss_bin_dir = "$nss_rel_dir/bin";
-        $nss_lib_dir = "$nss_rel_dir/lib";
-        $jss_lib_dir = "$jss_rel_dir/lib";
-
-        $ENV{$ld_lib_path} =
-                "$jss_lib_dir" . $pathsep .
-                "$nss_lib_dir" . $pathsep .
-                "$nspr_lib_dir" . $pathsep .
-                $ENV{$ld_lib_path};
-
-    } else {
-        usage();
-    }
-
-    if (defined $ENV{PORT_JSSE_SERVER} && $ENV{PORT_JSSE_SERVER}) {
-       $serverPort = $ENV{PORT_JSSE_SERVER};
-    }
-
-    if (defined $ENV{PORT_JSS_SERVER} && $ENV{PORT_JSS_SERVER}) {
-       $serverPort = $ENV{PORT_JSS_SERVER};
-    }
-
-    unless( $ENV{JAVA_HOME} ) {
-        print "Must set JAVA_HOME environment variable\n";
-        exit(1);
-    }
-
-    if ($osname =~ /Darwin/) {
-        $java = "$ENV{JAVA_HOME}/bin/java";
-    } else {
-        $java = "$ENV{JAVA_HOME}/bin/java$exe_suffix";
-    }
-
-    #
-    # Use 64-bit Java on AMD64.
-    #
-
-    my $java_64bit = 0;
-    if ($osname eq "SunOS") {
-        if ($ENV{USE_64}) {
-            my $cpu = `/usr/bin/isainfo -n`;
-            chomp $cpu;
-            if ($cpu eq "amd64") {
-                $java = "$ENV{JAVA_HOME}/jre/bin/amd64/java$exe_suffix";
-                $java_64bit = 1;
-            }
-        }
-    }
-
-    if ( $osname =~ /_NT/i ) {
-       $java_64bit = 1;
-    }
-
-    (-f $java) or die "'$java' does not exist\n";
-
-    #MAC OS X have the -Djava.library.path for the JSS JNI library
-    if ($osname =~ /Darwin/ || $osname =~ /Linux/) {
-        $java = $java . " -Djava.library.path=$jss_lib_dir";
-    }
-
-    # Check the java version
-    $java_version = `$java -version 2>&1`;
-
-    my $jarFiles = Common::get_jar_files;
-    $jarFiles = "$jarFiles:" . Common::detect_jar_file "slf4j-jdk14.jar", "slf4j/jdk14.jar";
-    $classpath = "$jarFiles:$jss_classpath";
-
-    $pwfile = "passwords";
-
-    # testdir = /<ws>/mozilla/tests_results/jss/<hostname>.<version>
-    # $all_dir = Directory where all.pl is
-    my $all_dir = dirname($0);
-    # Find where mozilla directory is
-    my $base_mozilla = $all_dir . "/../../../../..";
-    my $abs_base_mozilla = abs_path($base_mozilla);
-    # $result_dir = Directory where the results are (mozilla/tests_results/jss)
-    # First check the one above
-    my $result_dir =  $abs_base_mozilla . "/tests_results";
-    if (! -d $result_dir) {
-       mkdir( $result_dir, 0755 ) or die;
-    }
-    # Now the one for jss
-    $result_dir =  $abs_base_mozilla . "/tests_results/jss";
-    if( ! -d $result_dir ) {
-      mkdir( $result_dir, 0755 ) or die;
-    }
-    # $host = hostname
-    # $version = test run number (first = 1). Stored in $result_dir/$host
-    my $version = "";
-    my $version_file = $result_dir ."/" . $host;
-    if ( -f $version_file) {
-      open (VERSION, "< $version_file") || die "couldn't open " . $version_file . " for read";
-      $version = <VERSION>;
-      close (VERSION);
-      chomp $version;
-      $version = $version + 1;
-    } else {
-      $version = 1;
-    }
-    # write the version in the file
-    open (VERSION, "> $version_file")  || die "couldn't open " . $version_file . " for write";
-    print VERSION $version . "\n";
-    close (VERSION);
-    # Finally, set $testdir
-    $testdir = $result_dir . "/" . $host . "." . $version;
-
-    #in case multiple tests are being run on the same machine increase
-    #the port numbers with version number * 10
-
-    $serverPort = $serverPort + ($version * 10);
-
-    outputEnv();
-}
-
-sub updateCertSN() {
-
-    # $certSN = certificate serial number (first = 100). Stored in $testdir/cert-SN
-    $certSN_file = $testdir ."/" . "cert-SN";
-    if ( -f $certSN_file) {
-      open (CERT_SN, "< $certSN_file") || die "couldn't open " . $certSN_file . " for read";
-      $certSN = <CERT_SN>;
-      close (CERT_SN);
-      chomp $certSN;
-      $certSN = $certSN + 10;
-    } else {
-      $certSN = 100;
-    }
-
-    # write the version in the file
-    open (CERT_SN, "> $certSN_file")  || die "couldn't open " . $certSN_file . " for write";
-    print CERT_SN $certSN . "\n";
-    close (CERT_SN);
-
-}
-
-sub outputEnv {
-
-   print "*****ENVIRONMENT*****\n";
-   print "java=$java\n";
-   print "$ld_lib_path=$ENV{$ld_lib_path}\n";
-   print "CLASSPATH=$classpath\n";
-   if (defined $ENV{BUILD_OPT}) {
-      print "BUILD_OPT=$ENV{BUILD_OPT}\n";
-   }
-   if (defined $ENV{USE_64}) {
-      print "USE_64=$ENV{USE_64}\n";
-   }
-   print "testdir=$testdir\n";
-   print "serverPort=$serverPort\n";
-   print "LIB_SUFFIX=$lib_suffix\n";
-   print "osname=$osname\n";
-   print "release=$release\n";
-   print "which perl=";
-   system ("which perl");
-   system ("perl -version | grep \"This is perl\"");
-   system ("$java -version");
-}
-
-sub createpkcs11_cfg {
-
-    $configfile = $testdir . "/" . "nsspkcs11.cfg";
-    $keystore = $testdir . "/" . "keystore";
-    if ( -f $configfile ) {
-        print "configfile all ready exists";
-       return;
-    }
-
-    my $nsslibdir = $nss_lib_dir;
-    my $tdir = $testdir;
-
-    #On windows make sure the path starts with c:
-    if ($osname =~ /_NT/i) {
-       substr($nsslibdir, 0, 2) = 'c:';
-       substr($tdir, 0, 2) = 'c:';
-    }
-    #the test for java 1.5 or 1.6 relies on the JAVA_HOME path to have the version
-    #this is the case for all the build machines and tinderboxes.
-    if ( $java_version =~ /1.6/i) {
-       # java 6
-       # http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html
-       # note some OS can read the 1.5 configuration but not all can.
-       open (CONFIG, "> $configfile")  || die "couldn't open " . $configfile . " for write";
-       print CONFIG "name=NSS\n";
-       print CONFIG "nssLibraryDirectory=" . "$nsslibdir\n";
-       print CONFIG "nssSecmodDirectory=$tdir\n";
-       print CONFIG "nssDbMode=readWrite\n";
-       print CONFIG "nssModule=keystore\n";
-       close (CONFIG);
-
-    } else { # default
-
-       # java 5
-       #http://java.sun.com/j2se/1.5.0/docs/guide/security/p11guide.html
-       open (CONFIG, "> $configfile")  || die "couldn't open " . $configfile . " for write";
-       print CONFIG "name=NSS\n";
-       if ($lib_suffix eq ".jnilib") {
-           print CONFIG "library=" . $nsslibdir  . "/libsoftokn3.dylib\n";
-       } else {
-           print CONFIG "library=" . $nsslibdir  . "/libsoftokn3$lib_suffix\n";
-       }
-       print CONFIG "nssArgs=\"configdir=\'". $tdir . "\' ";
-       print CONFIG "certPrefix=\'\' keyPrefix=\'\' secmod=\'secmod.db\'\"\n";
-       print CONFIG "slot=2\n";
-       close (CONFIG);
-
-    }
-    print "nsspkcs11=$configfile\n";
-}
-
-sub run_ssl_test {
-    my $testname = shift;
-    my $serverCommand = shift;
-    my $clientCommand = shift;
-
-    print "\n============= $testname \n";
-    print "$serverCommand \n";
-    my $result = system("$serverCommand");
-    if ($result != 0) {
-        print "launching server FAILED with return value $result\n";
-        return;
-    }
-    sleep 5;
-    print "\nSSL Server is invoked using port $serverPort \n" ;
-    print "$clientCommand \n";
-    $result = system("$clientCommand");
-    $result >>=8;
-    print_case_result ($result, $testname);
-
-    $serverPort=$serverPort+1;
-    $serverPort = checkPort($serverPort);
-}
-
-sub run_test {
-    my $testname = shift;
-    my $command = shift;
-
-    print "\n============= $testname \n";
-    print "$command \n";
-    my $result = system("$command");
-    $result >>=8;
-    print_case_result ($result, $testname);
-}
-
-sub print_case_result {
-    my $result = shift;
-    my $testname = shift;
-
-    $testrun++;
-    if ($result == 0) {
-        $testpass++;
-        print "JSSTEST_CASE $testrun ($testname): PASS\n";
-    } else {
-        print "JSSTEST_CASE $testrun ($testname): FAILED return value $result\n";
-    }
-}
-
-setup_vars(\@ARGV);
-
-my $signingToken = "Internal Key Storage Token";
-
-
-print "*********************\n";
-
-#
-# Make the test database directory
-#
-if( ! -d $testdir ) {
-    mkdir( $testdir, 0755 ) or die;
-}
-{
-    my @dbfiles =
-        ("$testdir/cert8.db", "$testdir/key3.db", "$testdir/secmod.db", "$testdir/rsa.pfx");
-    (grep{ -f } @dbfiles)  and die "There is already an old database in $testdir";
-    my $result = system("cp $nss_lib_dir/*nssckbi* $testdir");
-    $result >>= 8;
-    # $result and die "Failed to copy built-ins library";
-}
-
-print "creating pkcs11config file\n";
-createpkcs11_cfg;
-
-my $serverCommand;
-
-my $pk12util = "pk12util$exe_suffix";
-if ($nss_bin_dir) {
-    $pk12util = "$nss_bin_dir/$pk12util";
-}
-
-my $testname = "";
-my $command  = "";
-
-$testname = "Test UTF-8 Converter";
-$command = "$java -ea -cp $classpath org.mozilla.jss.tests.UTF8ConverterTest";
-run_test($testname, $command);
-
-$testname = "Setup DBs";
-$command = "$java -cp $classpath org.mozilla.jss.tests.SetupDBs $testdir $pwfile";
-run_test($testname, $command);
-
-updateCertSN();
-$testname = "Generate known RSA cert pair";
-$command = "$java -cp $classpath org.mozilla.jss.tests.GenerateTestCert $testdir $pwfile $certSN localhost SHA-256/RSA CA_RSA Server_RSA Client_RSA";
-run_test($testname, $command);
-
-updateCertSN();
-$testname = "Generate known ECDSA cert pair";
-$command = "$java -cp $classpath org.mozilla.jss.tests.GenerateTestCert $testdir $pwfile $certSN localhost SHA-256/EC CA_ECDSA Server_ECDSA Client_ECDSA";
-run_test($testname, $command);
-
-updateCertSN();
-$testname = "Generate known DSS cert pair";
-$command = "$java -cp $classpath org.mozilla.jss.tests.GenerateTestCert $testdir $pwfile $certSN localhost SHA-1/DSA CA_DSS Server_DSS Client_DSS";
-run_test($testname, $command);
-
-$testname = "Create PKCS11 cert to PKCS12 rsa.pfx";
-$command = "$pk12util -o $testdir/rsa.pfx -n CA_RSA -d $testdir -K $dbPwd -W $dbPwd";
-run_test($testname, $command);
-
-$testname = "Create PKCS11 cert to PKCS12 ecdsa.pfx";
-$command = "$pk12util -o $testdir/ecdsa.pfx -n CA_ECDSA -d $testdir -K $dbPwd -W $dbPwd";
-run_test($testname, $command);
-
-$testname = "Create PKCS11 cert to PKCS12 dss.pfx";
-$command = "$pk12util -o $testdir/dss.pfx -n CA_DSS -d $testdir -K $dbPwd -W $dbPwd";
-run_test($testname, $command);
-
-#$testname = "Convert nss db  to Java keystore";
-#$command = "$java -cp $classpath org.mozilla.jss.tests.NSS2JKS $keystore $dbPwd $configfile $dbPwd";
-#run_test($testname, $command);
-
-
-$testname = "List CA certs";
-$command = "$java -cp $classpath org.mozilla.jss.tests.ListCACerts $testdir";
-run_test($testname, $command);
-
-updateCertSN();
-$serverPort = checkPort($serverPort);
-$testname = "SSLClientAuth";
-$command = "$java -cp $classpath org.mozilla.jss.tests.SSLClientAuth $testdir $pwfile $serverPort $certSN";
-run_test($testname, $command);
-
-
-$testname = "Key Generation";
-$command = "$java -ea -cp $classpath org.mozilla.jss.tests.TestKeyGen $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "Key Factory";
-$command = "$java -cp $classpath org.mozilla.jss.tests.KeyFactoryTest $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "Digest";
-$command = "$java -cp $classpath org.mozilla.jss.tests.DigestTest $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "HMAC ";
-$command = "$java -cp $classpath org.mozilla.jss.tests.HMACTest $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "HMAC Unwrap";
-$command = "$java -cp $classpath org.mozilla.jss.tests.HmacTest $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "KeyWrapping ";
-$command = "$java -cp $classpath org.mozilla.jss.tests.JCAKeyWrap $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "Mozilla-JSS JCA Signature ";
-$command = "$java -cp $classpath org.mozilla.jss.tests.JCASigTest $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "Mozilla-JSS NSS Signature ";
-$command = "$java -cp $classpath org.mozilla.jss.tests.SigTest $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "JSS Signature test";
-$command = "$java -cp $classpath org.mozilla.jss.tests.SigTest $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "Secret Decoder Ring";
-$command = "$java -cp $classpath org.mozilla.jss.tests.TestSDR $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "List cert by certnick";
-$command = "$java -cp $classpath org.mozilla.jss.tests.ListCerts $testdir Server_RSA";
-run_test($testname, $command);
-
-$testname = "Verify cert by certnick";
-$command = "$java -cp $classpath org.mozilla.jss.tests.VerifyCert $testdir $pwfile Server_RSA";
-run_test($testname, $command);
-
-$testname = "Secret Key Generation";
-$command = "$java -cp $classpath org.mozilla.jss.tests.SymKeyGen $testdir";
-run_test($testname, $command);
-
-$testname = "Mozilla-JSS Secret Key Generation";
-$command = "$java -cp $classpath org.mozilla.jss.tests.JCASymKeyGen $testdir";
-run_test($testname, $command);
-
-
-#
-# SSLServer and SSLClient Ciphersuite tests
-#
-# Servers are kicked off by the shell script and are told to shutdown by the client test
-#
-
-$serverPort = checkPort($serverPort);
-$testname = "SSL Ciphersuite JSS Server and JSS client both";
-$serverCommand = "$run_shell ./startJssSelfServ.$scriptext $classpath $testdir $hostname $serverPort  $java";
-$command = "$java -cp $classpath org.mozilla.jss.tests.JSS_SelfServClient 2 -1 $testdir $pwfile $hostname $serverPort verboseoff JSS";
-# To be restored when bug 1321594 is fixed
-# run_ssl_test($testname, $serverCommand, $command);
-
-
-$serverPort = checkPort($serverPort);
-$testname = "SSL Ciphersuite JSS Server and JSSE client";
-$serverCommand = "$run_shell ./startJssSelfServ.$scriptext $classpath $testdir $hostname $serverPort $java";
-$command = "$java -cp $classpath org.mozilla.jss.tests.JSSE_SSLClient $testdir $serverPort $hostname JSS";
-# To be restored when bug 1321594 is fixed
-#run_ssl_test($testname, $serverCommand, $command);
-
-
-$serverPort = checkPort($serverPort);
-$testname = "SSL Ciphersuite JSSE Server using default provider and JSS client";
-$serverCommand = "$run_shell ./startJsseServ.$scriptext $classpath $serverPort false $testdir rsa.pfx default $configfile $pwfile $java";
-$command = "$java -cp $classpath org.mozilla.jss.tests.JSS_SelfServClient 2 -1 $testdir $pwfile $hostname $serverPort  verboseoff JSSE";
-# To be restored when bug 1321594 is fixed
-#run_ssl_test($testname, $serverCommand, $command);
-
-
-if ($java_version =~ /1.4/i || $osname =~ /HP/ || ( ($osname =~ /Linux/)  && $java_version =~ /1.5/i && ($ENV{USE_64}) )) {
-    print "don't run the SunJSSE with Mozilla-JSS provider with Java4 need java5 or higher";
-    print "don't run the JSSE Server tests on HP or Linux  64 bit with java5.\n";
-    print "Java 5 on HP does not have SunPKCS11 class\n";
-} else {
-#with JSS is being build with JDK 1.5 add the Sunpkcs11-NSS support back in!
-#$serverPort = checkPort($serverPort);
-#$testname = "SSL Ciphersuite JSSE Server using Sunpkcs11-NSS provider and JSS client";
-#$serverCommand = "./startJsseServ.$scriptext $classpath $serverPort false $testdir rsa.pfx Sunpkcs11 $configfile $pwfile $java";
-#$command = "$java -cp $classpath org.mozilla.jss.tests.JSS_SelfServClient 2 -1 $testdir $pwfile $hostname $serverPort  verboseoff JSSE";
-#run_ssl_test($testname, $serverCommand, $command);
-
-#$serverPort = checkPort($serverPort);
-#$testname = "SSL Ciphersuite JSSE Server using Sunpkcs11-NSS provider and JSS client";
-#$serverCommand = "./startJsseServ.$scriptext $classpath $serverPort false $testdir rsa.pfx Sunpkcs11 $configfile $pwfile $java";
-#$command = "$java -cp $classpath org.mozilla.jss.tests.JSS_SelfServClient 2 -1 $testdir $pwfile $hostname $serverPort verboseoff JSSE";
-#run_ssl_test($testname, $serverCommand, $command);
-
-#Mozilla-JSS only works with JDK 1.5 or higher when used as provider for SunJSSE
-$serverPort = checkPort($serverPort);
-$testname = "SSL Ciphersuite JSSE Server using Mozilla-JSS provider and JSS client";
-$serverCommand = "$run_shell ./startJsseServ.$scriptext $classpath $serverPort false $testdir rsa.pfx Mozilla-JSS $configfile $pwfile $java";
-$command = "$java -cp $classpath org.mozilla.jss.tests.JSS_SelfServClient 2 -1 $testdir $pwfile $hostname $serverPort verboseoff Mozilla-JSS";
-# To be restored when bug 1321594 is fixed
-#run_ssl_test($testname, $serverCommand, $command);
-
-
-}
-
-#
-# FIPSMODE tests
-#
-
-$testname = "Enable FipsMODE";
-$command = "$java -cp $classpath org.mozilla.jss.tests.FipsTest $testdir enable";
-run_test($testname, $command);
-
-$testname = "check FipsMODE";
-$command = "$java -cp $classpath org.mozilla.jss.tests.FipsTest $testdir chkfips";
-run_test($testname, $command);
-
-updateCertSN();
-$testname = "SSLClientAuth FIPSMODE";
-$serverPort = checkPort(++$serverPort);
-$command = "$java -cp $classpath org.mozilla.jss.tests.SSLClientAuth $testdir $pwfile $serverPort $certSN";
-run_test($testname, $command);
-
-$testname = "HMAC FIPSMODE";
-$command = "$java -cp $classpath org.mozilla.jss.tests.HMACTest $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "KeyWrapping FIPSMODE";
-$command = "$java -cp $classpath org.mozilla.jss.tests.JCAKeyWrap $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "Mozilla-JSS JCA Signature FIPSMODE";
-$command = "$java -cp $classpath org.mozilla.jss.tests.JCASigTest $testdir $pwfile";
-run_test($testname, $command);
-
-$testname = "JSS Signature test FipsMODE";
-$command = "$java -cp $classpath org.mozilla.jss.tests.SigTest $testdir $pwfile";
-run_test($testname, $command);
-
-$serverPort = checkPort($serverPort);
-$testname = "SSL Ciphersuite FIPSMODE JSS Server and JSS client both";
-$serverCommand = "$run_shell ./startJssSelfServ.$scriptext $classpath $testdir $hostname $serverPort  $java";
-$command = "$java -cp $classpath org.mozilla.jss.tests.JSS_SelfServClient 2 -1 $testdir $pwfile $hostname $serverPort  verboseoff JSS";
-# To be restored when bug 1321594 is fixed
-#run_ssl_test($testname, $serverCommand, $command);
-
-$testname = "Disable FipsMODE";
-$command = "$java -cp $classpath org.mozilla.jss.tests.FipsTest $testdir disable";
-run_test($testname, $command);
-
-if ($java_version =~ /1.8/i) {
-    # Only run the PKCS11Constants test on JDK 8. Newer versions do not
-    # expose the interface we are testing against.
-    $testname = "Test PKCS11Constants.java for compatibility with Sun's interface";
-    $command = "$java -ea -cp $classpath org.mozilla.jss.tests.TestPKCS11Constants";
-    run_test($testname, $command);
-}
-
-$testname = "JSS DER Encoding of Enumeration regression test";
-$command = "$java -cp $classpath org.mozilla.jss.tests.EnumerationZeroTest";
-run_test($testname, $command);
-
-$testname = "JSS Test DER Encoding Functionality";
-$command = "$java -ea -cp $classpath org.mozilla.jss.tests.DEROutputStreamTests";
-run_test($testname, $command);
-
-#
-# Test for JSS jar and library revision
-#
-$testname = "Check JSS jar version";
-$command = "$java -cp $classpath org.mozilla.jss.tests.JSSPackageTest $testdir";
-run_test($testname, $command);
-
-my $LIB = "$lib_jss"."4"."$lib_suffix";
-my $strings_exist = `which strings`;
-chomp($strings_exist);
-my $result = 0;
-if ($strings_exist ne "") {
-    (-f "$jss_lib_dir/$LIB") or die "$jss_lib_dir/$LIB does not exist\n";
-    my $jsslibver = `strings $jss_lib_dir/$LIB | grep Header`;
-    chomp($jsslibver);
-    if ($jsslibver ne "") {
-        print "$LIB = $jsslibver\n";
-    } else {
-        print "Could not fetch Header information from $jss_lib_dir/$LIB\n";
-    }
-} else {
-    print "Could not fetch Header information from $jss_lib_dir/$LIB\n";
-    $result = 1;
-}
-
-print "\n================= Test Results\n";
-print "JSSTEST_SUITE: $testpass / $testrun\n";
-my $rate = $testpass / $testrun * 100;
-printf "JSSTEST_RATE: %.0f %%\n",$rate;
-
-if ($testpass ne $testrun) {
-    printf "Test Status: FAILURE\n";
-    printf "to test failed tests set the classpath and run the command(s)\n";
-    outputEnv();
-    exit 1;
-} else {
-    printf "Test Status: SUCCESS\n";
-    exit 0;
-}


=====================================
org/mozilla/jss/util/Password.java
=====================================
@@ -6,6 +6,8 @@ package org.mozilla.jss.util;
 
 import java.io.CharConversionException;
 import java.io.Console;
+import java.io.PrintWriter;
+import java.io.StringWriter;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -25,6 +27,9 @@ public class Password implements PasswordCallback, Cloneable,
 
     public static Logger logger = LoggerFactory.getLogger(Password.class);
 
+    // store the location where the Password object was created
+    private StackTraceElement[] stackTrace = new Throwable().getStackTrace();
+
     /**
      * Don't use this if you aren't Password.
      */
@@ -172,10 +177,36 @@ public class Password implements PasswordCallback, Cloneable,
      */
     @Deprecated
     protected void finalize() throws Throwable {
-        if(!cleared) {
-            logger.warn("Password was garbage collected before it was cleared.");
-        }
+
+        if (cleared) return;
+
+        // clear the password first
         clear();
+
+        StringWriter sw = new StringWriter();
+        PrintWriter out = new PrintWriter(sw, true);
+        int i = 0;
+
+        // show where the password was created
+        for (; i < stackTrace.length; i++) {
+            StackTraceElement ste = stackTrace[i];
+            String className = ste.getClassName();
+            if (Password.class.getName().equals(className)) continue;
+
+            out.println("Uncleared Password object created at " + ste);
+            i++;
+            break;
+        }
+
+        // show who called the code
+        for (; i < stackTrace.length; i++) {
+            StackTraceElement ste = stackTrace[i];
+            out.println("        called by " + ste);
+        }
+
+        out.println("Please report the above trace to your software vendors.");
+
+        logger.warn(sw.toString());
     }
 
 	/**



View it on GitLab: https://salsa.debian.org/freeipa-team/jss/compare/58c8fb81ca48153ec144a0742e146e56301ab835...a7786f2481411988a025f7ca6b4f2b81abd8a71a

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/jss/compare/58c8fb81ca48153ec144a0742e146e56301ab835...a7786f2481411988a025f7ca6b4f2b81abd8a71a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20190909/2e9dd568/attachment-0001.html>


More information about the Pkg-freeipa-devel mailing list