[Pkg-freeipa-devel] [Git][freeipa-team/jss][upstream] 120 commits: Bump tomcatjss, pki-core conflicts due to lang3

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Mon Sep 6 09:36:45 BST 2021



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / jss


Commits:
a0319329 by Alexander Scheel at 2020-11-05T09:38:44-05:00
Bump tomcatjss, pki-core conflicts due to lang3

This version of JSS requires apache-commons-lang3 and shouldn't be used
with older version of pki-core as a result.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
eb608684 by Alexander Scheel at 2020-11-05T11:36:14-05:00
Only check PKCS11Constants on beta builds

Recent errors with PKCS11Constants have shown that we shouldn't be
running these tests on release builds for backports: only for
pre-release content. Only run them when the beta bit is set.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
d4a53a0c by Alexander Scheel at 2020-11-17T13:54:41-05:00
Add distribution packages to README

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
145f3a73 by Alexander Scheel at 2020-11-19T11:58:24-05:00
Throw better error messages from PK11Signature

Our rawhide sandboxed CI image is currently failing with the cryptic:

    Exception in thread "main" org.mozilla.jss.crypto.TokenException: Unable to create signing context
       at org.mozilla.jss.pkcs11.PK11Signature.initSigContext(Native Method)
       at org.mozilla.jss.pkcs11.PK11Signature.engineInitSign(PK11Signature.java:114)
       at org.mozilla.jss.crypto.Signature.initSign(Signature.java:55)
       at org.mozilla.jss.tests.SigTest.main(SigTest.java:88)

Switch JSS_throwMsg to JSS_throwMsgPrErr so we can get the underlying
error code from these calls.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
bd212d9b by Alexander Scheel at 2020-11-19T11:58:24-05:00
Disable use of MD4/MD5 and SHA-1 algorithms

This only applies to the test suite currently. These algorithms are now
disabled by NSS as of version 3.59.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
03ed1f8c by Alexander Scheel at 2020-11-23T08:30:33-05:00
Replace RSAPrivateKey with RSAKey

Per discussion with Andrew Hughes in #java, JCA takes RSAPrivateKey to
mean that the private exponent is extractable. Because the JCA is
careful to use Key most places, we might get away with making
PK11RSAPrivateKey not implement RSAPrivateKey and instead only
implement RSAKey -- signalling to other providers that the private
exponent isn't extractable.

This patch requires careful testing with SunJSSE and Dogtag PKI to
ensure we don't rely on PK11RSAPrivateKey implementing RSAPrivateKey
somewhere.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
822897c0 by Alexander Scheel at 2020-11-23T08:30:33-05:00
Allow JSSMacSpi to handle external keys

In JSSCipherSpi, if a key from another provider is passed in, we first
attempt to export it and then import it into NSS. Only when this fails
do we raise an exception. This fixes a failure in JDK8 272-b10 when
JSS is used in conjunction with SunJSSE:

    javax.net.ssl.SSLHandshakeException: Could not generate secret
            at sun.security.ssl.ECDHKeyExchange$ECDHEKAKeyDerivation.t13DeriveKey(ECDHKeyExchange.java:479)
            at sun.security.ssl.ECDHKeyExchange$ECDHEKAKeyDerivation.deriveKey(ECDHKeyExchange.java:419)
            at sun.security.ssl.ServerHello$T13ServerHelloProducer.produce(ServerHello.java:596)
            at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
            at sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1152)
            at sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1088)
            at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:725)
            at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:693)
            at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
            at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
            at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
            at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:955)
            at java.security.AccessController.doPrivileged(Native Method)
            at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:902)
            at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:443)
            at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:507)
            at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:238)
            at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1575)
            at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
            at java.lang.Thread.run(Thread.java:748)
    Caused by: java.security.InvalidKeyException: Must use a key created by JSS! Try exporting the key data and importing it via SecretKeyFactory.
            at org.mozilla.jss.provider.javax.crypto.JSSMacSpi.engineInit(JSSMacSpi.java:58)
            at org.mozilla.jss.provider.javax.crypto.JSSMacSpi$HmacSHA384.engineInit(JSSMacSpi.java:116)
            at javax.crypto.Mac.init(Mac.java:413)
            at sun.security.ssl.HKDF.extract(HKDF.java:91)
            at sun.security.ssl.HKDF.extract(HKDF.java:119)
            at sun.security.ssl.ECDHKeyExchange$ECDHEKAKeyDerivation.t13DeriveKey(ECDHKeyExchange.java:469)

Because JDK recently introduced a new TLS stack for TLS-1.3 support in
JDK 8, most people will find value moving to JSS's SSLEngine instead of
continuing to use SunJSSE with JSS as the crypto provider.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3d913450 by Alexander Scheel at 2020-12-01T13:49:14-05:00
Add RSA/OAEP algorithm identifiers

This adds RSA/OAEP to jss.crypto.Algorithm as a known algorithm and adds
stubs for indicating what type of key is required to use it.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
0b03f831 by Alexander Scheel at 2020-12-01T13:49:14-05:00
Re-add KeyWrapping tests to build

These tests have been updated from using DES/DES3 to AES-256.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
567e792f by Alexander Scheel at 2020-12-01T13:49:14-05:00
Fix FindNSS, FindNSPR to link with sandboxed libs

When using `-Wl,-rpath`, the final generated binaries will have a rpath
include to the sandboxed libraries. This is good as it enables binaries
to run from the built directory. However, at link time, we're still
using the system's NSS library. This doesn't work when NSS introduces a
change to its external (public) API; the system's NSS likely doesn't
have this change yet. Include the `-L` flag as well, to use the
sandboxed library at link time as well.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
14193bdc by Alexander Scheel at 2020-12-01T13:49:14-05:00
Add hash algorithms to PK11Algorithm.java

While hash algorithms in JSS currently use the SEC_OID based interface
(rather than PKCS#11), include them in PK11Algorithm because they have
equivalent PKCS#11 constant definitions.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8c89a3e2 by Alexander Scheel at 2020-12-01T13:49:14-05:00
Implement RSA/OAEP key wrapping

This depends on support from NSS for two new function calls,
PK11_PubWrapSymKeyWithMechanism and PK11_PubUnwrapSymKeyWithMechanism.
These enable passing OAEP's mechanism parameters into NSS's high-level
PK11 key wrap/unwrap interface, allowing them to succeed. Otherwise,
previous versions of NSS silently converted OAEP to PKCS#1 v1.5,
allowing the trivial patchset to succeed without any mechanism
parameters.

Introduce a JSSOAEPParameterSpec which can consume a JCA-standard
OAEPParameterSpec instance but which also extends NativeEnclosure to
allow us to call into the JNI layer with a parameter instance.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
52f2f7be by Alexander Scheel at 2020-12-01T13:49:14-05:00
Support running on older versions of NSS

This allows us to detect whether or not NSS supports RSA-OAEP key
wrap/unwrap and if not, disable RSA-OAEP support, gracefully falling
back to the old method for other mechanisms.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
3348034f by Alexander Scheel at 2020-12-01T13:49:14-05:00
Add class documentation about JSSOAEPParameterSpec

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
70aa32b0 by Alexander Scheel at 2020-12-11T09:00:03-05:00
Bump version number before next release

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
51300629 by Alexander Scheel at 2020-12-16T08:59:56-05:00
Add support for CKM_AES_KEY_WRAP_KWP algorithm

This algorithm is the only mechanism supported by certain lines of
nCipher HSMs. Unlike other key-wrapping mechanisms, this one generates a
temporary AES key to encrypt the wrapped key with.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
8ba13f5b by Alexander Scheel at 2020-12-16T08:59:56-05:00
Fix CentOS 8 Dockerfile

Apparently PowerTools moved to powertools; handle both in the Dockerfile
definition.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
4d1a8875 by Alexander Scheel at 2020-12-16T08:59:56-05:00
Watch for bad return from getNetworkInterfaces()

When NetworkInterface.getNetworkInterfaces() returns a null
enumeration, return false instead of raising a NullPointerException.
Generally, this should only happen if the system has no network
interfaces (there should always be a loopback address). However, this
has been failing in GitHub Actions:

    java.lang.NullPointerException
            at org.mozilla.jss.ssl.SocketBase.supportsIPV6(SocketBase.java:474)
            at org.mozilla.jss.ssl.SSLServerSocket.<init>(SSLServerSocket.java:115)
            at org.mozilla.jss.tests.SSLClientAuth.run(SSLClientAuth.java:406)
            at java.lang.Thread.run(Thread.java:748)
    Server exiting
    client about to connect
    Exception in thread "main" java.lang.NullPointerException
            at org.mozilla.jss.ssl.SocketBase.supportsIPV6(SocketBase.java:474)
            at org.mozilla.jss.ssl.SSLSocket.<init>(SSLSocket.java:562)
            at org.mozilla.jss.ssl.SSLSocket.<init>(SSLSocket.java:550)
            at org.mozilla.jss.ssl.SSLSocket.<init>(SSLSocket.java:469)
            at org.mozilla.jss.ssl.SSLSocket.<init>(SSLSocket.java:422)
            at org.mozilla.jss.tests.SSLClientAuth.testConnection(SSLClientAuth.java:332)
            at org.mozilla.jss.tests.SSLClientAuth.doIt(SSLClientAuth.java:156)
            at org.mozilla.jss.tests.SSLClientAuth.main(SSLClientAuth.java:90)

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
912d1ef0 by Alexander Scheel at 2020-12-16T08:59:56-05:00
Switch to JSS_throwMsgPrErr for unwrap errors

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
7ede803d by Alexander Scheel at 2020-12-16T09:24:09-05:00
Update version number in jss.map

OAEP landed in what will be 4.8.1, not 4.8.0.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
1c12fa0f by Alexander Scheel at 2020-12-17T16:07:12-05:00
Use allowed key sizes in KeyFactoryTest

Also remove tests for DSA keys and IBM JVM.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
aab10eee by Alexander Scheel at 2020-12-17T16:07:12-05:00
Allow BadSSL to continue past unknown errors

When BadSSL is expecting _an_ error to occur, but we get an Unknown
Error instead of the actual error, treat it as alright. However, we
still fail later in the BadSSL test suite:

    Enabling leaf and chain policy...
    Dec 17, 2020 8:19:17 PM org.mozilla.jss.CryptoManager initialize
    INFO: JSS CryptoManager: successfully initialized from NSS database at /home/sandbox/jss/build/results/internet
    Testing connection to expired.badssl.com:443
	    ...got expected error message.
    Testing connection to expired.badssl.com:443
    Dec 17, 2020 8:19:17 PM org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl info
    INFO: JSSEngine.unwrap() - Got SSLException: javax.net.ssl.SSLHandshakeException: Error duing SSL.ForceHandshake() :: SEC_ERROR_EXPIRED_CERTIFICATE (-8181)
    Dec 17, 2020 8:19:17 PM org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl info
    INFO: JSSEngine.unwrap() - Got SSLException: javax.net.ssl.SSLException: Unexpected return from PR.Read(): SSL_ERROR_HANDSHAKE_FAILED (-12116)
	    ...got expected error message.
    Testing connection to wrong.host.badssl.com:443
	    ...got unknown error; continuing anyways.
    Testing connection to wrong.host.badssl.com:443
    Dec 17, 2020 8:19:17 PM org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl info
    INFO: JSSEngine.unwrap() - Got SSLException: javax.net.ssl.SSLHandshakeException: Error duing SSL.ForceHandshake() :: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED (-8016)
    Dec 17, 2020 8:19:17 PM org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl info
    INFO: JSSEngine.unwrap() - Got SSLException: javax.net.ssl.SSLException: Unexpected return from PR.Read(): SSL_ERROR_HANDSHAKE_FAILED (-12116)
	    Unexpected error message: unable to unwrap data using sslengine: error duing ssl.forcehandshake() :: sec_error_cert_signature_algorithm_disabled (-8016)
    Exception in thread "main" java.io.IOException: Unable to unwrap data using SSLEngine: Error duing SSL.ForceHandshake() :: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED (-8016)
	    at org.mozilla.jss.ssl.javax.JSSSocketChannel.read(JSSSocketChannel.java:296)
	    at java.base/java.nio.channels.SocketChannel.read(SocketChannel.java:486)
	    at org.mozilla.jss.ssl.javax.JSSSocketChannel.read(JSSSocketChannel.java:235)
	    at org.mozilla.jss.ssl.javax.JSSSocketChannel.finishConnect(JSSSocketChannel.java:146)
	    at org.mozilla.jss.ssl.javax.JSSSocket.doHandshake(JSSSocket.java:297)
	    at org.mozilla.jss.ssl.javax.JSSSocket.startHandshake(JSSSocket.java:445)
	    at org.mozilla.jss.tests.BadSSL.testSiteJavaxSSLSocket(BadSSL.java:257)
	    at org.mozilla.jss.tests.BadSSL.testHelperJavax(BadSSL.java:218)
	    at org.mozilla.jss.tests.BadSSL.testHelper(BadSSL.java:188)
	    at org.mozilla.jss.tests.BadSSL.testWrongHost(BadSSL.java:95)
	    at org.mozilla.jss.tests.BadSSL.main(BadSSL.java:56)
    Caused by: javax.net.ssl.SSLHandshakeException: Error duing SSL.ForceHandshake() :: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED (-8016)
	    at org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl.updateHandshakeState(JSSEngineReferenceImpl.java:1037)
	    at org.mozilla.jss.ssl.javax.JSSEngineReferenceImpl.unwrap(JSSEngineReferenceImpl.java:1212)
	    at org.mozilla.jss.ssl.javax.JSSSocketChannel.read(JSSSocketChannel.java:274)
	    ... 10 more

In particular, the issue is caused by the following BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=1861495

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
ab8f5a54 by Christina Fu at 2020-12-17T20:06:33-05:00
Bug1908541-jss broke SCEP - missing PasswordChallenge class

This patch, together with the fix for Bug1664435 Error instantiating class for challenge_password with SCEP request, addresses the issue where the class PasswordChallenge cannot be loaded due to Class Loader differences.
  - jss is installed in the common CL (/usr/share/pki/server/common/lib/jss4.jar)
  - the servlet classes are in webapp CL (/usr/share/pki/server/webapps/pki/WEB-INF/lib/pki-cms.jar)

fixes https://bugzilla.redhat.com/show_bug.cgi?id=1664435

- - - - -
e45b5dcc by Alexander Scheel at 2020-12-18T10:47:51-08:00
Set CMake required version to 3.14 (#671)

This includes the LINK_OPTIONS flag to try_compile, allowing us to
detect features of NSS (such as OAEP).

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
86e77630 by Endi S. Dewata at 2021-02-10T18:47:43-05:00
Fix exception handling in Cert.mapCertFromPKCS7()

The Cert.mapCertFromPKCS7() has been modified to chain
the original exception to help troubleshooting.

- - - - -
ea44c697 by Endi S. Dewata at 2021-02-17T14:41:31-06:00
Fix exception handling in PKCS7.encodeSignedData()

- - - - -
2900877f by Endi S. Dewata at 2021-02-17T14:41:31-06:00
Add CertificateChain converters

The CertificateChain class has been modified to support
importing/exporting certificates from/to a series of PEM
certificates or PKCS #7 data.

- - - - -
08ee5f53 by Endi S. Dewata at 2021-02-24T19:58:37-06:00
Update PKCS11Constants based on NSS 3.60

- - - - -
f4673973 by Endi S. Dewata at 2021-03-03T09:07:19-06:00
Update version number to 4.8.2

- - - - -
f40375bf by Endi S. Dewata at 2021-03-03T19:46:58-06:00
Update version number to 4.9.0-alpha1

- - - - -
0f5d2a2c by Endi S. Dewata at 2021-03-05T10:16:03-06:00
Enable BETA flag

The BETA flag in JSSConfig.cmake has been set to 1 to
enable some pre-release tests.

- - - - -
4c1e208c by Alexander Scheel at 2021-03-12T17:41:51-08:00
Encrypt & unwrap symmetric key in FIPS mode (#678)

NSS doesn't generally allow keys to be imported in FIPS mode. However,
for portability with other JCA providers, we sometimes need to import
keys from byte arrays. Do this in the JNI layer by executing a PKCS#11
encrypt and then unwrap using the same key. This lets us effectively
"import" a key into a token, if the token supports using the given
mechanism for both encryption and unwrapping operations. Some HSMs are
getting stricter about this and forbid using the same key for encrypt
and unwrap operations.

Resolves: #334

Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Signed-off-by: Alexander Scheel <alexander.m.scheel at gmail.com>

- - - - -
a8c4cae2 by Endi S. Dewata at 2021-04-13T18:05:14-05:00
Fix build preference in tools/run_container.sh

Per cipherboy's suggestion the tools/run_container.sh has
been modified to use docker instead of buildah/podman if
available.

- - - - -
8bd6df44 by Endi S. Dewata at 2021-04-14T13:24:45-05:00
Convert KeyPairGeneratorSpi.Usage into enumeration

The KeyPairGeneratorSpi.Usage class has been converted into
an enumeration that defines the same elements. These elements
store the values of the corresponding PKCS #11 constants.

The getVal() method has been deprecated, but it will continue
to work as before for backward compatibility.

The opFlags and opFlagsMask fields in PK11KeyPairGenerator
have been converted to long to match the PKCS #11 constants.
The values will be down-casted to int whenever needed.

The opFlagForUsage array in PK11KeyPairGenerator has become
redundant since the PKCS #11 constants can be obtained from
the enumeration elements, so it has been removed.

- - - - -
a966a84d by Endi S. Dewata at 2021-04-19T16:14:54-05:00
Convert SymmetricKey.Usage into enumeration

The SymmetricKey.Usage class has been converted into an
enumeration that defines the same elements. These elements
store the corresponding PKCS #11 CKF_ and CKA_ values
although the CKA_ values are not actually used.

The getVal() and getPKCS11Constant() methods have been
deprecated, but they will continue to work as before for
backward compatibility.

The opFlags field in PK11KeyGenerator has been converted
to long to match the PKCS #11 value. The value will be
downcasted to int whenever needed.

The opFlagForUsage array in PK11KeyGenerator has become
redundant since the PKCS #11 value can be obtained from
the enumeration elements, so it has been removed.

- - - - -
93fdca04 by Endi S. Dewata at 2021-04-30T12:47:22-05:00
Fix missing javax.xml.bind in Eclipse

- - - - -
f01a18be by Endi S. Dewata at 2021-04-30T14:18:17-05:00
Disable failing tests

The CentOS 7 and 8 tests have been disabled since they keep
failing due to a missing dependency.

The optional test workflow has been merged into the required
test workflow. All tests should now pass. This will make it
easier to determine if a commit has broken something.

- - - - -
57b0dd2a by Endi S. Dewata at 2021-05-03T10:17:30-05:00
Drop obsolete Fedora 31 test

- - - - -
83db1c24 by Endi S. Dewata at 2021-05-03T10:48:16-05:00
Split main and test code

The main code and test code have been moved into src/main/java
and src/test/java, respectively. All references to the source
code have been updated accordingly.

- - - - -
cb73984f by Endi S. Dewata at 2021-05-03T11:24:03-05:00
Clean up import statements

- - - - -
8e5a5467 by Endi S. Dewata at 2021-05-03T13:21:40-05:00
Move pkcs11check into Fedora 33 test

Currently the PKCS #11 constants are only tested on Rawhide
and it's failing, but it's actually working fine on Fedora 33.
For now the test has been moved into the Fedora 33 test so the
CI will pass, but later the tests will need to be expanded to
include newer Fedora versions. That way the PKCS #11 constants
will be tested separately on each platform, so it will be
easier to isolate the problem.

- - - - -
a834db6f by Endi S. Dewata at 2021-05-04T13:43:45-05:00
Add CA installation test

A Dockerfile has been added to define the builder image and test
runner image for JSS. The builder image is used to install the
build dependencies and then build JSS. The test runner image is
used to install JSS with its runtime dependencies then run tests.

A new test has been added to install DS and CA with the newly
built JSS packages.

Some scripts have been added to initialize the test runner, to
create and remove DS, and to save the test artifacts.

- - - - -
4d78d5e3 by Endi S. Dewata at 2021-05-05T19:46:07-05:00
Add build.sh --without-test option

- - - - -
fce6bb5a by Endi S. Dewata at 2021-05-10T17:44:57-05:00
Reorganize broken tests

The non-functional DirStrConverterTest and
GenericASN1ExtensionTest have been moved into
src/broken_test.

- - - - -
774a63a7 by Alexander Scheel at 2021-05-12T16:54:28-04:00
Fix -sourcepath for java test compilation

man javac has the following to say about sourcepath:

> Specifies the source code path to search for class or interface
> definitions.

In particular, the way the CMake step is constructed, the test paths are
specified via file (hence @${JAVA_TEST_SOURCES_FILE} as an argument to
javac), but compiling the tests still needs knowledge of the main
JSS source.

In this case, sourcepath (for test compilation) was incorrectly updated
to point back at the list of sources we already provided (or, the
directory containing the sources we already provided) instead of
pointing at the path of the main JSS code.

Prior to this change, compilation depended on the order in which steps
were executed and could fail with the following error (if tests were
attempted to be built prior to main sources finishing building):

    ...snip...
    /home/cipherboy/GitHub/cipherboy/jss/src/test/java/org/mozilla/jss/tests/IA5StringTest.java:7: error: package org.mozilla.jss.netscape.security.util does not exist
    import org.mozilla.jss.netscape.security.util.DerValue;
                                                 ^
    ...snip...
    Note: Some input files use or override a deprecated API.
    Note: Recompile with -Xlint:deprecation for details.
    Note: Some messages have been simplified; recompile with -Xdiags:verbose to get full output
    100 errors
    11 warnings

Signed-off-by: Alexander Scheel <alexander.m.scheel at gmail.com>

- - - - -
fa61a128 by Endi S. Dewata at 2021-05-13T10:07:44-05:00
Add pom.xml and test for Maven

- - - - -
cb72cc42 by Chris Kelley at 2021-05-13T16:46:38+01:00
Make GitHub workflow use F34, drop EOL F32
- - - - -
9823e099 by Chris Kelley at 2021-05-18T22:17:34+01:00
Enable SonarCloud checking of new code

Create a new CI job called "build" which builds from source using Maven,
then runs the Sonar analysis job. The quality gate is set to be advisory
only so it never fails, to prevent error fatigue. The intended use is
"free robotic review" of code quality, rather than any enforcement.

- - - - -
94d0bc00 by Chris Kelley at 2021-05-18T22:46:06+01:00
Rename Build job to Code Analysis to be more descriptive
- - - - -
502a9a4b by Chris Kelley at 2021-05-20T21:47:00+01:00
Replace deprecated Integer constructors
- - - - -
69910f33 by Chris Kelley at 2021-05-20T21:51:41+01:00
Access static fields/methods statically, not via instances
- - - - -
3ada0a11 by Chris Kelley at 2021-05-21T15:39:44+01:00
Add missing annotations to org.mozilla.jss.tests
- - - - -
407b178d by Chris Kelley at 2021-05-21T15:40:14+01:00
Add missing annotations to org.mozilla.jss.pkix.cms
- - - - -
76e9efcd by Chris Kelley at 2021-05-21T15:46:01+01:00
Add missing annotations in org.mozilla.jss.provider.javax.net
- - - - -
e9cb03ce by Chris Kelley at 2021-05-21T15:46:38+01:00
Add missing annotations to org.mozilla.jss.provider.java.security
- - - - -
a4657c33 by Chris Kelley at 2021-05-21T15:47:13+01:00
Add missing annotations to org.mozilla.jss.pkix.primitive
- - - - -
3b224bfc by Chris Kelley at 2021-05-21T15:47:33+01:00
Add missing annotations to org.mozilla.jss.provider.javax.crypto
- - - - -
6c752a31 by Chris Kelley at 2021-05-21T15:48:54+01:00
Add missing annotations for org.mozilla.jss.netscape.security.util
- - - - -
36909e05 by Chris Kelley at 2021-05-21T15:49:29+01:00
Add missing annotations in org.mozilla.jss.SecretDecoderRing
- - - - -
c0830ae9 by Chris Kelley at 2021-05-21T15:52:14+01:00
Add missing annotations to org.mozilla.jss.pkix.cmmf
- - - - -
012a71e8 by Chris Kelley at 2021-05-21T15:53:13+01:00
Add missing annotations to org.mozilla.jss.netscape.security.pkcs
- - - - -
8cae78fb by Chris Kelley at 2021-05-21T15:53:47+01:00
Add missing annotations to org.mozilla.jss.netscape.security.provider
- - - - -
5c96fb93 by Chris Kelley at 2021-05-21T16:19:28+01:00
Add missing annotations to org.mozilla.jss.pkcs7
- - - - -
44b67c22 by Chris Kelley at 2021-05-21T16:19:49+01:00
Add missing annotations to org.mozilla.jss.pkix.cmc
- - - - -
78f519ff by Chris Kelley at 2021-05-21T16:22:18+01:00
Add missing annotations to org.mozilla.jss.pkcs12
- - - - -
e3e9cea9 by Chris Kelley at 2021-05-21T16:24:57+01:00
Add missing annotations to org.mozilla.jss.pkix.crmf
- - - - -
7a0caf10 by Chris Kelley at 2021-05-21T16:38:13+01:00
Add missing annotations to org.mozilla.jss.netscape.security.extensions
- - - - -
9b8f4cb9 by Chris Kelley at 2021-05-21T17:03:02+01:00
Add missing annotations in org.mozilla.jss.pkcs11.attrs
- - - - -
f7750374 by Chris Kelley at 2021-05-21T17:08:34+01:00
Add missing annotations in org.mozilla.jss.pkcs10
- - - - -
d3776922 by Chris Kelley at 2021-05-21T17:09:03+01:00
Add missing annotations to org.mozilla.jss.pkix.cert
- - - - -
5e788d41 by Chris Kelley at 2021-05-21T21:03:11+01:00
Add missing annotations to org.mozilla.jss.asn1
- - - - -
b16e8e42 by Chris Kelley at 2021-05-21T21:03:33+01:00
Add missing annotations in org.mozilla.jss.netscape.security.x509
- - - - -
93e1761e by Chris Kelley at 2021-05-21T21:49:52+01:00
Add missing annotations to org.mozilla.jss.nss
- - - - -
3914f86e by Alexander Scheel at 2021-05-21T17:07:54-04:00
Add missing synchronized keywords to Sockets

Due to the new @Override method, Sonar has caught missing synchronized
keywords on several JSSSocket and JSSServerSocket methods.

> Make this method "synchronized" to match the parent class
> implementation.
>
> When @Overrides of synchronized methods are not themselves
> synchronized, the result can be improper synchronization as callers
> rely on the thread-safety promised by the parent class.

Signed-off-by: Alexander Scheel <alex.scheel at canonical.com>

- - - - -
6fa0c116 by Alexander Scheel at 2021-05-21T17:08:11-04:00
Fix return from finally in JSSSocketChannel

Sonar reports the following on the (now removed) return statement:

> Remove this return statement from this finally block.
>
> Using return, break, throw, and so on from a finally block suppresses
> the propagation of any unhandled Throwable which was thrown in the
> try or catch block.

Re-do the logic to fix this bug.

Signed-off-by: Alexander Scheel <alex.scheel at canonical.com>

- - - - -
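The Sonar finding quoted in the commit above, as an added example that is not JSS code: a `return` inside `finally` discards the exception raised in the `try` block, so the caller sees a normal result instead of the failure. The method names and the `IOException` are hypothetical stand-ins for the JSSSocketChannel logic.

```java
import java.io.IOException;

// Added example (not from the JSS code base): why Sonar flags a return
// statement inside a finally block, and the shape of the fix.
public class FinallyReturnDemo {

    // Buggy pattern: the return inside finally completes the method
    // normally, and the IOException thrown in the try block is discarded.
    static int readBuggy(boolean fail) throws IOException {
        int bytesRead = 0;
        try {
            if (fail) {
                throw new IOException("read failed");
            }
            bytesRead = 42;
        } finally {
            return bytesRead; // control transfer in finally: the exception is lost
        }
    }

    // Fixed pattern: finally does cleanup only; the return happens after it,
    // so an IOException from the try block propagates to the caller.
    static int readFixed(boolean fail) throws IOException {
        int bytesRead = 0;
        boolean busy = true; // hypothetical state that must always be reset
        try {
            if (fail) {
                throw new IOException("read failed");
            }
            bytesRead = 42;
        } finally {
            busy = false; // cleanup only, no return/break/throw here
        }
        return bytesRead;
    }

    public static void main(String[] args) {
        try {
            // The failure is swallowed: no exception reaches this caller.
            System.out.println("buggy result: " + readBuggy(true));
        } catch (IOException e) {
            System.out.println("buggy threw: " + e.getMessage());
        }
        try {
            System.out.println("fixed result: " + readFixed(true));
        } catch (IOException e) {
            // The fixed version surfaces the read failure to the caller.
            System.out.println("fixed threw: " + e.getMessage());
        }
    }
}
```

javac warns that the `finally` clause in `readBuggy` cannot complete normally, which is the same condition Sonar reports.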
2eb7d69d by Chris Kelley at 2021-05-24T20:06:00+01:00
Deprecate constants in NativeErrcodes

A comment here declares Fortezza deprecated, but the Javadoc deprecation
only applies to the first constant, so deprecate the rest too.

- - - - -
a6e2ddfd by Chris Kelley at 2021-05-24T20:24:51+01:00
Add missing annotations to org.mozilla.jss.crypto
- - - - -
40187feb by Chris Kelley at 2021-05-24T20:24:51+01:00
Run Eclipse autoformatting on some files
- - - - -
1027b03a by Chris Kelley at 2021-05-25T09:35:01+01:00
Add missing annotations in org.mozilla.jss.ssl
- - - - -
d8f2b3a3 by Chris Kelley at 2021-05-25T09:35:01+01:00
Eclipse auto-formatting of some files

Largely to fix indentation/mixing tabs and space

- - - - -
cd62b416 by Endi S. Dewata at 2021-05-25T10:49:18-05:00
Remove obsolete Fedora tests

- - - - -
58508d8f by Chris Kelley at 2021-05-25T21:11:36+01:00
Bump ubuntu_jdk8 -> 11 in github CI workflows
- - - - -
b37ae620 by Chris Kelley at 2021-05-25T21:16:46+01:00
Add missing annotations to org.mozilla.jss.util
- - - - -
289e43d7 by Chris Kelley at 2021-05-25T21:16:46+01:00
Run Eclipse autoformatting against some files

Principally to get rid of some tabs/spaces mixing

- - - - -
6f70b925 by Chris Kelley at 2021-06-11T13:43:13-05:00
Add missing annotations in org.mozilla.jss
- - - - -
ae7963f5 by emaldona at 2021-06-11T13:43:13-05:00
Capabilities (#704)

Co-authored-by: Alexander Scheel <alexander.m.scheel at gmail.com>

- - - - -
52683252 by Endi S. Dewata at 2021-06-11T13:43:13-05:00
Add logger for build_pkcs11_constants.py

The build_pkcs11_constants.py has been modified to
send log messages to the screen instead of storing
them in the output file. This way the output file
will remain constant regardless how the tool was
executed, and the log messages can be viewed without
having to open the output file which will make it
easier to troubleshoot issues.

- - - - -
2a74dd63 by Endi S. Dewata at 2021-06-11T13:43:13-05:00
Add PKCS11Constants test for Fedora 34

The CI test for Fedora 34 has been modified to
execute the PKCS11Constants test.

The check_output() has been modified to define
NSS_PKCS11_2_0_COMPAT due to NSS changes:
https://fedoraproject.org/wiki/Changes/NssGCMParams

- - - - -
413f3ebe by Chris Kelley at 2021-06-11T13:43:13-05:00
Refactor SSLCLient.cmp() to not check for string equivalence twice

The object references were being checked, as well as the object reference
values. The latter is what we actually care about; we don't care if the
objects are identical, only that the values are. Also, this code is only
ever called through isInvalid, which checks for null, so we don't require
the null check and can simplify even further.

- - - - -
d6c66442 by Chris Kelley at 2021-06-11T13:43:13-05:00
Clean up Sonar-discovered issues in various files
- - - - -
d932dc03 by Chris Kelley at 2021-06-11T13:43:13-05:00
Simplify equals() impl in Password class

Instanceof checks for null, so no need to explicitly do so.

- - - - -
06c7ae8e by Chris Kelley at 2021-06-11T13:43:13-05:00
Implement hashCode() in Password class

Password overrides equals(), so it should override hashCode() too.

- - - - -
3f78c49d by Chris Kelley at 2021-06-11T14:44:12-05:00
Add missing annotations to org.mozilla.jss.ssl.javax
- - - - -
df196d26 by Chris Kelley at 2021-06-11T14:44:12-05:00
Remove deprecated Integer constructor from IPAddressName
- - - - -
1cc93e78 by Endi S. Dewata at 2021-06-11T14:44:12-05:00
Reorganize examples

The examples have been converted to become
a sample Maven project that depends on JSS.

The Maven group ID for JSS has been changed
such that it doesn't include the artifact
ID itself.

- - - - -
33948b78 by Endi S. Dewata at 2021-06-11T14:44:12-05:00
Drop git dependency

The jss.spec has been modified to drop the git dependency so
it's no longer required for building the official binaries,
but git is still needed during development to call build.sh
--with-commit-id.

- - - - -
b53693b7 by Chris Kelley at 2021-06-11T14:44:12-05:00
Add missing annotations in org.mozilla.jss.pkcs11
- - - - -
8a80a679 by Endi S. Dewata at 2021-06-11T14:44:12-05:00
Fix F33 and F34 tests

- - - - -
adc23111 by Chris Kelley at 2021-06-11T14:44:12-05:00
Autoformat .java and .c files in org.mozilla.jss.asn1
- - - - -
d2bb8a4e by Endi S. Dewata at 2021-06-11T23:41:36-05:00
Update Java dependency

The spec file has been modified to use Java 1.8.0 for
Fedora 32 and RHEL 8, and Java 11 for other platforms.

- - - - -
a2f680cc by Endi S. Dewata at 2021-06-11T23:41:59-05:00
Update contact information

- - - - -
1ebd67ae by Endi S. Dewata at 2021-06-11T23:41:59-05:00
Convert RPM install script into CMake script

- - - - -
107e47d2 by Endi S. Dewata at 2021-06-11T23:41:59-05:00
Update build.sh --without-test option

The build.sh --without-test option has been modified
to convert the %bcond_without into %bcond_with such
that the condition can be checked using %{with test}.

- - - - -
2d9b305b by Endi S. Dewata at 2021-06-11T23:41:59-05:00
Add jss.jar and libjss.so symlinks

- - - - -
16f8cd16 by Endi S. Dewata at 2021-06-11T23:41:59-05:00
Clean up jss.spec

- - - - -
ea93b1bf by Endi S. Dewata at 2021-06-11T23:41:59-05:00
Update version number to 4.9.0-alpha2

- - - - -
a3805f74 by Endi S. Dewata at 2021-06-18T20:38:06-05:00
Add configurable test matrix

The test workflow has been modified to load the test
matrix from the MATRIX secret variable. If the secret is
not defined, it will use the latest Fedora version
and the previous version.

- - - - -
d72b8afe by Endi S. Dewata at 2021-06-18T20:45:43-05:00
Clean up Dockerfile

- - - - -
d05364fb by Endi S. Dewata at 2021-06-18T22:00:26-05:00
Update COPR repository

- - - - -
8317de4b by Endi S. Dewata at 2021-07-02T12:21:06-05:00
Fix HAMCREST_JAR for Rawhide

- - - - -
a377d917 by Endi S. Dewata at 2021-07-16T17:26:10-05:00
Add GitLab synchronization job

The .gitlab-ci.yml has been added to define a job to
synchronize a branch from an upstream repository to a
GitLab repository.

- - - - -
eb450369 by Endi S. Dewata at 2021-07-20T13:38:11-05:00
Update PKCS11Constants

The PKCS11Constants class has been updated to include
the new constants introduced in NSS 3.66. The NSPR
dependency has been dropped since it's already required
by NSS.

https://bugzilla.mozilla.org/show_bug.cgi?id=1710773

- - - - -
b1346ee6 by Endi S. Dewata at 2021-07-20T13:38:11-05:00
Update version number to 4.9.0

- - - - -
72d23baf by Endi S. Dewata at 2021-07-26T21:40:47-05:00
Fix minimum NSS version

- - - - -
6a0ef5df by Endi S. Dewata at 2021-07-27T16:15:17-05:00
Rename build.yml to code-analysis.yml

- - - - -
a2e36714 by Endi S. Dewata at 2021-08-11T12:32:09-05:00
Fix warnings in JSSEngine.queryEnabledCipherSuites()

The JSSEngine.queryEnabledCipherSuites() has been modified
to check whether a cipher is supported by NSS before getting
its default preference.

The SSLCipher constructor has been modified to always call
checkSupportedStatus() to determine whether the cipher is
supported by NSS.

- - - - -
51d16477 by Endi S. Dewata at 2021-08-23T10:14:37-05:00
Deprecate RevocationReasonAdapter

- - - - -
70ad3935 by Jack Magne at 2021-08-25T18:59:31-07:00
Fix: Bug 1964176 - KRA PKCS12 support for nCipher sw v12.60+.

Note much of this work is based on original work by Alex Scheel.
aka, cipherboy : alexander.m.scheel at gmail.com

This bug has its jss portion reflected here. The gist of this fix
is to register 3 new secoids into nss in a dynamic fashion. The 3
new algs are 128, 192, and 256 bit variants of the mechanism,
CKM_AES_KEY_WRAP_KWP.

We have to provide support for these algs because we need a common algorithm
that works the same in the nss software db as well as in the hsm.

The key jss method that is failing is one that is responsible for creating the
so called EncryptedPrivateKeyInfo blob, which is packaged in the final p12 file.

In order to accomplish this, we have had to create our own version of the nss routine,
PK11_ExportEncryptedPrivateKeyInfo, which is able to use one of the 3 new encryption
algs to wrap the private key in the final blob. Jss is also implementing a new version of the
routine in nss which is responsible for performing a key exchange of a session key between
the software db and the hsm. This code will use the oaep wrapping alg on the hsm to do the
heavy lifting, while creating a temp private key on the hsm to unwrap the session key from
the nss software db to the hsm. As a final step the p12 code will encode one of the 3 new oids
to indicate that one of the 3 new algorithms has been used.

Here are the declarations of the 3 new algs:

  public static final EncryptionAlgorithm
    AES_128_KEY_WRAP_KWP = new EncryptionAlgorithm(SEC_OID_AES_128_KEY_WRAP_KWP,
         Alg.AES, Mode.NONE,
         Padding.PKCS5, IVParameterSpecClasses, 16,
         AES_ROOT_OID.subBranch(8), 128, "AES/None/PKCS5Padding/Kwp/128");

  public static final EncryptionAlgorithm
    AES_192_KEY_WRAP_KWP = new EncryptionAlgorithm(SEC_OID_AES_192_KEY_WRAP_KWP,
         Alg.AES, Mode.NONE,
         Padding.PKCS5, IVParameterSpecClasses, 16,
         AES_ROOT_OID.subBranch(28), 192, "AES/None/PKCSPadding/Kwp/192");

  public static final EncryptionAlgorithm
    AES_256_KEY_WRAP_KWP = new EncryptionAlgorithm(SEC_OID_AES_256_KEY_WRAP_KWP,
         Alg.AES, Mode.NONE,
         Padding.PKCS5, IVParameterSpecClasses, 16,
         AES_ROOT_OID.subBranch(48), 256, "AES/None/PKCS5Padding/Kwp/256");

Note that we have to provide kind of a custom name for each of these algs, to differentiate
between the 3 variants. When actually referring to these algs from jss, we can use that name
to look up the proper alg. Also note the 3 new SEC_OID values. Since these are not yet in nss,
we have dynamically added these 3 sec oids into jss for use.

The rest of this code is devoted to the support for adding dynamic oids into nss on behalf of jss.

Note that in the routine JSS_KeyExchange, we explain that the isPerm param is not currently observed
since the nss unwrap function we need has no permanent variant and defaults to false or temporary.

- - - - -
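The mechanism the commit above registers, CKM_AES_KEY_WRAP_KWP, is AES Key Wrap with Padding as specified in RFC 5649; the three variants differ only in KEK size. The following is an added illustration written from the RFC for this note, not JSS or NSS code: it implements wrap and unwrap on top of a raw AES block primitive taken from the Python `cryptography` package (an assumed dependency) and cross-checks the result against that package's own RFC 5649 routine.

```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.keywrap import aes_key_wrap_with_padding

AIV_PREFIX = b"\xa6\x59\x59\xa6"  # alternative IV prefix, RFC 5649 section 3

def _aes_block(kek, block, encrypt):
    cipher = Cipher(algorithms.AES(kek), modes.ECB())  # raw single-block AES
    op = cipher.encryptor() if encrypt else cipher.decryptor()
    return op.update(block) + op.finalize()

def kwp_wrap(kek, plaintext):
    if len(kek) not in (16, 24, 32) or not plaintext:  # 128/192/256-bit variants
        raise ValueError("KEK must be AES-128/192/256 and plaintext non-empty")
    mli = len(plaintext)
    padded = plaintext + b"\x00" * (-mli % 8)   # zero-pad to 64-bit blocks
    n = len(padded) // 8
    a = AIV_PREFIX + mli.to_bytes(4, "big")     # AIV records the true length
    if n == 1:                                  # one block: a single AES call
        return _aes_block(kek, a + padded, True)
    r = [padded[8 * i:8 * i + 8] for i in range(n)]
    for j in range(6):                          # RFC 3394 loop with AIV as IV
        for i in range(n):
            b = _aes_block(kek, a + r[i], True)
            a = (int.from_bytes(b[:8], "big") ^ (n * j + i + 1)).to_bytes(8, "big")
            r[i] = b[8:]
    return a + b"".join(r)

def kwp_unwrap(kek, wrapped):
    # Inverse of kwp_wrap; a wrong KEK or tampered blob fails the AIV/length/padding check.
    if len(wrapped) < 16 or len(wrapped) % 8:
        raise ValueError("wrapped blob must be >= 16 bytes and a multiple of 8")
    n = len(wrapped) // 8 - 1
    if n == 1:
        b = _aes_block(kek, wrapped, False)
        a, r = b[:8], [b[8:]]
    else:
        a = wrapped[:8]
        r = [wrapped[8 * i:8 * i + 8] for i in range(1, n + 1)]
        for j in range(5, -1, -1):
            for i in range(n - 1, -1, -1):
                ax = (int.from_bytes(a, "big") ^ (n * j + i + 1)).to_bytes(8, "big")
                b = _aes_block(kek, ax + r[i], False)
                a, r[i] = b[:8], b[8:]
    mli, padded = int.from_bytes(a[4:], "big"), b"".join(r)
    if a[:4] != AIV_PREFIX or not 8 * (n - 1) < mli <= 8 * n or any(padded[mli:]):
        raise ValueError("integrity check failed: wrong KEK or corrupted blob")
    return padded[:mli]

def matches_library(kek, plaintext):
    # Cross-check against the cryptography package's own RFC 5649 implementation.
    return kwp_wrap(kek, plaintext) == aes_key_wrap_with_padding(kek, plaintext)
```

Unlike the RFC 3394 mechanism, the padded variant accepts key material of any length, which is why a single algorithm can serve both the NSS software token and the HSM.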
3e1a9080 by Endi S. Dewata at 2021-08-26T11:18:11-05:00
Update version number to 4.9.1

- - - - -
3807b295 by Endi S. Dewata at 2021-08-26T14:32:19-05:00
Remove since/forRemoval from @Deprecation

The attributes are not available in Java 1.8.

- - - - -


30 changed files:

- .classpath
- + .github/workflows/code-analysis.yml
- .github/workflows/informational.yml
- + .github/workflows/maven-tests.yml
- − .github/workflows/optional.yml
- + .github/workflows/pki-tests.yml
- .github/workflows/required.yml
- .gitignore
- + .gitlab-ci.yml
- CMakeLists.txt
- + Dockerfile
- README.md
- build.sh
- cmake/FindNSPR.cmake
- cmake/FindNSS.cmake
- cmake/JSSCommon.cmake
- cmake/JSSConfig.cmake
- cmake/JSSTests.cmake
- + docs/changes/v4.9.1/API-Changes.adoc
- docs/contributing.md
- + docs/development/Synchronizing-GitLab-Branch.adoc
- + docs/usage/capabilities_list.md
- + examples/README.adoc
- + examples/pom.xml
- samples/PQGGen.java → examples/src/main/java/examples/PQGGen.java
- samples/pkcs12.java → examples/src/main/java/examples/pkcs12.java
- samples/inputfile.pfx → examples/src/main/resources/inputfile.pfx
- jss.spec
- lib/jss.map
- − org/mozilla/jss/asn1/CHOICE.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/jss/-/compare/9502efb6a8f97f3dc5c4b9830c30b95f0ca760d6...3807b29576fb382e262108057988bf883e939451
