[Pkg-freeipa-devel] [Git][freeipa-team/jss][upstream] 39 commits: Update version number to 5.1.0-alpha1

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Tue Mar 15 19:57:13 GMT 2022



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / jss


Commits:
f90a4c34 by Endi S. Dewata at 2021-10-26T14:55:32-05:00
Update version number to 5.1.0-alpha1

- - - - -
54323b75 by Endi S. Dewata at 2021-10-26T16:48:36-05:00
Update log messages

Some log messages have been updated to include the NSS error
message to help troubleshooting.

- - - - -
b15fec7b by Endi S. Dewata at 2021-10-26T17:44:56-05:00
Remove unused PK11TokenCert

- - - - -
66d6f5f4 by Endi S. Dewata at 2021-10-27T16:14:00-05:00
Remove redundant test executions

To reduce redundancy the build.sh has been modified to no longer
execute the unit tests by default. Instead, the tests will only
be executed in the CI. The tests can still be executed locally
by specifying a --with-tests option.

- - - - -
9212faa5 by Endi S. Dewata at 2021-10-28T09:38:16-05:00
Deprecate PK11InternalTokenCert and PK11InternalCert

The constants and methods in PK11InternalTokenCert and
PK11InternalCert have been moved into PK11Cert to make
it easier to use.

JSS will continue to create PK11InternalTokenCert and
PK11InternalCert objects for backward compatibility, but
these classes have been deprecated and will be removed
in the future.

- - - - -
0ce8d65b by Endi S. Dewata at 2021-10-28T12:59:13-05:00
Document PK11TokenCert removal

- - - - -
d66f8f68 by Endi S. Dewata at 2021-10-29T10:54:46-05:00
Consolidate trust flag constants

The trust flag constants in PKCS12 and InternalCertificate
have been consolidated into PK11Cert.

- - - - -
8fde4799 by Endi S. Dewata at 2021-10-29T10:54:46-05:00
Consolidate trust flag methods

The trust flag methods in PKCS12 and PKCS12Util have been
consolidated into PK11Cert.

- - - - -
028060ff by Chris Kelley at 2021-11-04T10:45:56+00:00
Drop org.hamcrest.core from classpath

Not required on F35+
- - - - -
325a259b by Chris Kelley at 2021-11-04T15:53:01+00:00
Remove redundant superinterface from PK11Cert
- - - - -
16ebfb21 by Chris Kelley at 2021-11-04T17:13:18+00:00
Remove redundant type specifications

* Also updates source/target compliance to Java 11
- - - - -
0b61a6dc by Chris Kelley at 2021-11-09T11:20:31+00:00
Deprecated all SHA-1 constants, classes and enum entries.

* Except PKCS11Constants, which is auto-generated.
* These should be replaced with something stronger such as SHA-2
- - - - -
9a757fe4 by Chris Kelley at 2021-11-09T16:56:51+00:00
Fix SHA-1 deprecation version to 5.0.1
- - - - -
893a4a5f by c-dorney at 2021-11-10T16:39:48+00:00
"Fix Bug 2001169 - Audit event 'ACCESS_SESSION_ESTABLISH' is not gener… (#822)

* Fix Bug 2001169 - Audit event 'ACCESS_SESSION_ESTABLISH' is not generating for PKI instances acting as Server [10.2.1]

    This fix allows us to actually see ssl connection events in the audit log from the pki /server perspective.
    This fix will also require support bug fixes for both pki and tomcatjss.

Based on original code contributed by Alex Ascheel, (cipherboy).


Co-authored-by: Jack Magne <jmagne at redhat.com>
- - - - -
ac7aca61 by Chris Kelley at 2021-11-10T17:17:00+00:00
Override Provider.getService() to log use of deprecated algorithms

* Start by deprecating "SHA", "SHA-1", "SHA_1" and "SHA1"
- - - - -
c6ee7d1b by Chris Kelley at 2021-11-11T16:12:36+00:00
Add MD2, MD4 and MD5 to JSSProvider DEPRECATED_ALGORITHMS

* These algorithms are weak/deprecated and their use should be
discontinued in favour of more secure algorithms such as SHA-256
* Modify isAlgorithmDeprecated() to use regex, so we can match examples
like "withSHA1"
- - - - -
eb0b49ea by Endi S. Dewata at 2021-11-23T00:15:04+07:00
Fix Javadoc issues

- - - - -
fd30551c by Endi S. Dewata at 2021-11-23T18:49:03+07:00
Switch to Java 17

- - - - -
fd8e8c56 by Endi S. Dewata at 2021-11-23T20:18:21+07:00
Fix Azure pipelines

The build tests in Azure pipelines have been updated to provide
docker in the container for installing the dependencies as root,
so it's no longer necessary to use sudo.

- - - - -
cdf76596 by Chris Kelley at 2021-11-26T14:56:34+00:00
Update version number to 5.1.0-alpha2

- - - - -
35d1c2bf by Endi S. Dewata at 2021-12-01T07:25:30+07:00
Add JSS symkey library

To consolidate Java API for NSS the PKI symkey library has been
imported into JSS with the following changes:

- the package name has been renamed to org.mozilla.jss.symkey
- the JAR file has been renamed to jss-symkey.jar
- the shared library file has been renamed to libjss-symkey.so

The code loading the library in SessionKey has been simplified
as well. In the future the JAR file and the shared library file
might be merged into jss.jar and libjss.so.

https://github.com/dogtagpki/pki/issues/1368

- - - - -
ab6e3a01 by Endi S. Dewata at 2021-12-03T10:52:12+07:00
Update exception messages in CryptoManager.findPrivKeyByCert()

- - - - -
d8541776 by Endi S. Dewata at 2021-12-14T09:29:39+07:00
Fix CA test

- - - - -
752cbef2 by Endi S. Dewata at 2021-12-14T09:45:09+07:00
Drop redundant Python 2 test

- - - - -
82848de2 by Jack Magne at 2022-01-18T14:22:57-08:00
Related: Bug 1964176 - KRA PKCS12 support for nCipher sw v12.72+

Found an issue which was causing the need to add the "explicitness" flag
to the cknfracstrc file.

With this fix that flag will no longer be required.

- - - - -
da79270d by Alexander Scheel at 2022-01-28T09:31:36-06:00
Fix symkey/jss parallel build issues

The symkey library includes dependencies into JSS; this requires that
the JSS classes have already been built (which occurs during the
generate_java build target). However, because there was no dependency
between symkey and jss projects, a highly parallel CMake backend like
ninja (or make, given enough cores) would fail to build JSS with import
errors due to missing JSS classes. Adding a dependency on the
generate_java build target fixes the ordering.

Signed-off-by: Alexander Scheel <alexander.m.scheel at gmail.com>

- - - - -
b2bde0c8 by Matthew McClain at 2022-01-28T09:35:22-06:00
Don't hold onto threads after they're gone

If threads are dynamically created and destroyed and
CryptoManager.setThreadToken() is called, a Hashtable will hold onto
references of Threads long after they should be garbage collected.

- - - - -
7cc222a0 by Matthew McClain at 2022-01-28T09:35:22-06:00
address feedback from sonarcloud

- - - - -
f9d83e27 by Chris Kelley at 2022-02-01T18:08:40+00:00
Remove SHA-1 from allowed RSA/EC signing algorithms
- - - - -
5a8b97a5 by Endi S. Dewata at 2022-02-02T12:47:41-06:00
Bump RPM release number to match Fedora

- - - - -
67afb356 by Endi S. Dewata at 2022-02-03T14:22:02-06:00
Merge JAVA_LIB_DIR and JAVA_LIB_INSTALL_DIR into JNI_DIR

- - - - -
0964cf50 by Endi S. Dewata at 2022-02-03T14:22:06-06:00
Merge JSS_LIB_DIR and JSS_LIB_INSTALL_DIR into LIB_DIR

- - - - -
038a3a5b by Chris Kelley at 2022-02-04T06:26:17+00:00
Drop SHA-1 references from JSSProvider

* Also modify constructor to use non-deprecated superclass constructor.
- - - - -
44f6a14d by Chris Kelley at 2022-02-04T06:26:17+00:00
Tidy up JSSProvider version code
- - - - -
fae56862 by Chris Kelley at 2022-02-04T06:26:17+00:00
Tidy up logic in CryptoManager
- - - - -
eae2ec90 by Chris Kelley at 2022-02-09T17:34:28+00:00
Update version to v5.1.0

- - - - -
457c43ad by Chris Kelley at 2022-02-09T17:39:53+00:00
Update jss_config_version to 5 1 0 0

- - - - -
adca2a09 by Matthew McClain at 2022-02-11T20:44:06+00:00
Fix memory leak on each TLS connection

Each TLS connection is leaking a bunch of data that isn't in the heap
and so after 25k requests Tomcat uses about 2.5GB resident memory.

There are a large number of relationships that point at each other and we
need to break the cycle so JSSEngineReferenceImpl's finalizer can run
and clear all the native resources these point at.

The lowest impact place to break the cycle was at SSLAlertEvent.engine.
This relationship doesn't seem to be used anywhere.  Once the cycle is
broken, JSSEngineReferenceImpl can be garbage collected and the
finalizer can run.

Signed-off-by: Chris Kelley <ckelley at redhat.com>
- - - - -
6472faa9 by Chris Kelley at 2022-02-14T10:52:37+00:00
Additional fix for TLS connection I missed from original patch
- - - - -


30 changed files:

- .classpath
- .github/workflows/build-tests.yml
- .github/workflows/pkcs11-tests.yml
- .github/workflows/pki-tests.yml
- CMakeLists.txt
- azure-pipelines.yml
- build.sh
- cmake/JSSConfig.cmake
- + cmake/Java.cmake
- + cmake/JavaFileList.cmake
- + docs/changes/v5.1.0/API-Changes.adoc
- jss.spec
- src/broken_test/java/org/mozilla/jss/tests/GenericASN1ExtensionTest.java
- src/main/java/org/mozilla/jss/CryptoManager.java
- src/main/java/org/mozilla/jss/JSSProvider.java
- src/main/java/org/mozilla/jss/PK11Finder.c
- src/main/java/org/mozilla/jss/crypto/Algorithm.java
- src/main/java/org/mozilla/jss/crypto/DigestAlgorithm.java
- src/main/java/org/mozilla/jss/crypto/HMACAlgorithm.java
- src/main/java/org/mozilla/jss/crypto/InternalCertificate.java
- src/main/java/org/mozilla/jss/crypto/KBKDFDerivedKey.java
- src/main/java/org/mozilla/jss/crypto/KBKDFParameterSpec.java
- src/main/java/org/mozilla/jss/crypto/KeyGenAlgorithm.java
- src/main/java/org/mozilla/jss/crypto/PBEAlgorithm.java
- src/main/java/org/mozilla/jss/crypto/PKCS11Algorithm.java
- src/main/java/org/mozilla/jss/crypto/SignatureAlgorithm.java
- src/main/java/org/mozilla/jss/crypto/SymmetricKey.java
- src/main/java/org/mozilla/jss/netscape/security/extensions/AuthInfoAccessExtension.java
- src/main/java/org/mozilla/jss/netscape/security/extensions/CertificateScopeOfUseExtension.java
- src/main/java/org/mozilla/jss/netscape/security/extensions/ExtendedKeyUsageExtension.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/jss/-/compare/21af2aaec9e8948019e5189fa3fa5d2417f9eafa...6472faa92930120fff9d350d04343a5a8fbc9d91
