[Pkg-freeipa-devel] [Git][freeipa-team/jss][upstream] 71 commits: Update version number to 5.3.0-alpha1

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Fri Feb 10 07:12:00 GMT 2023



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / jss


Commits:
08670a05 by Endi S. Dewata at 2022-05-10T14:24:10-05:00
Update version number to 5.3.0-alpha1

- - - - -
ed63c6a2 by Endi S. Dewata at 2022-05-10T14:49:37-05:00
Update project URL

- - - - -
d26879f3 by Jack Magne at 2022-05-19T16:22:40-07:00
Fix Bug 2013674 - JSS cannot be properly initialized after using another NSS-backed security provider

The solution to the bug is to provide a way to initialize JSS such that the underlying nss system is initialized as a context
instead of a full NSS initialization. This allows jss / nss to create its own nss init scenario. This could be of use where
the main process has already inited nss with a set of params and properties. Allowing say a library loaded into the main process the ability
to do a context based nss init, allows the library to set its own nss params and not inherit those from the main process.
For instance if a main process has initialized nss to have a read only database, the context init will allow the library to load an nss
context with a read write database.

This is accomplished in a very simple manner with respect to jss. Right now jss allows one singleton instance to be created for a program.
This fix allows the caller to choose to have the singleton to be inited either as a context or a full init. Theoretically the nss context
concept would allow for multiple contexts to be created, but for simplicity, JSS will only allow one such context or full nss init.

The original behavior of doing a full NSS init beneath JSS persists as the default. In order to do a context init the following sample code will suffice:

CryptoManager.initializeWithContext(databaseDir);

manager = CryptoManager.getInstance();
...
...
manager.shutdown();

Notice that an explicit call to shutdown is recommended because the NSS context inited must be destroyed at the native code level, in order to not interfere with the main program's nss instance.

If one wants to explicitly specify the Initialization values, the following call can be used as well:

InitializationValues vals =
                    new InitializationValues(args[0],
                            "", "", "secmod.db");

CryptoManager.initializeWithContext(vals);
CryptoManager manager = CryptoManager.getInstance();

...
...

manager.shutdown();

Note that as of this patch, there is no way to call for a context init when using the JCA provider interface. That can be a future improvement.

- - - - -
86b67074 by Chris Kelley at 2022-05-23T12:51:44+01:00
Tidy up in RevokedCertImpl

* Simplify logic in hasExtensions()
* Remove un-thrown exception from readObject() method signature
- - - - -
184f41af by Chris Kelley at 2022-05-23T12:51:44+01:00
Simplify logic in BOOLEAN with ternary operators.
- - - - -
c460d441 by Chris Kelley at 2022-05-23T12:51:44+01:00
Simplify logic in PrintableCharset.isPrintableChar()
- - - - -
def16ab8 by Endi S. Dewata at 2022-06-07T14:29:52+01:00
Update OpenLDAP clients to use -H option

The latest OpenLDAP clients no longer have the -h option so the
tests have been updated to use the -H option instead.

- - - - -
ecf8aec1 by Chris Kelley at 2022-06-15T06:39:09+01:00
Tidy up X509CRLImpl

* Reorder modifiers to match the JLS
* Rename static constant to match JLS
* Remove commented out code
* Use pattern matching with instanceof
* Remove unnecessary else clauses
* Use ternary operator where appropriate
* Put array designator on the type not the variable
* Remove unnecessary negation in logic of parse() method

- - - - -
d0c3f522 by Chris Kelley at 2022-06-15T06:39:09+01:00
Require Java 17 for JSS

- - - - -
2b565691 by Endi S. Dewata at 2022-06-15T10:28:03-05:00
Fix incorrect RPM macro

- - - - -
ba42de2e by Marco Fargetta at 2022-06-23T21:04:29+02:00
Fix SSLEngine test failures)

Fix #861 
- - - - -
ff23b1a0 by Marco Fargetta at 2022-06-23T21:10:03+02:00
Sonarcloud token (#866)

* Stop sonar if no secret

* Fix env var name

* Add pull fork analysis
- - - - -
e09488cf by Endi S. Dewata at 2022-07-05T12:49:11-05:00
Update Maven project

The pom.xml files have been updated as follows:

- The JSS version has been updated to match RPM spec version
- The dependency versions have been updated to match the
  packages available on Fedora

- - - - -
a8f5cb16 by Endi S. Dewata at 2022-07-05T12:49:11-05:00
Update Maven build test

The Maven build test in maven-tests.yml has been merged into
build-tests.yml. It has also been updated to compare CMake
build artifacts and Maven build artifacts. The comparison
excludes META-INF/maven/ since that folder is only available
in Maven build artifacts.

- - - - -
8d851dbe by Alexander Scheel at 2022-07-08T11:02:51-05:00
Move JSS to standard Maven layout

We split JSS into a "base" component and a "native" component in order
to facilitate separate distribution formats for each (.jar vs .so). This
will let us create a parent POM, which builds both .jar and .so, and two
child POMs for each type of distribution. These distributions have
separate subtrees and do not share any common code.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
92f612ef by Alexander Scheel at 2022-07-08T11:02:51-05:00
Make CMake build scripts work with new layout

This enables CMake to build with the new maven layout. This lets
existing build procedures work still, while people migrate to maven if
desired.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
6a3d32fb by Alexander Scheel at 2022-07-08T11:02:51-05:00
Add pom.xml for building under Maven

Currently maven only works to compile JSS and doesn't work to run tests
under.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
619df7b2 by Alexander Scheel at 2022-07-08T11:02:51-05:00
Remove legacy test runners

These test runners quit working once we migrated to the newer CMake
build system from the old Perl-based system.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
a46ee591 by Alexander Scheel at 2022-07-08T11:02:51-05:00
Update pkcs11check to use new source path

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
9ae39e30 by Endi S. Dewata at 2022-07-08T11:02:51-05:00
Update CI tests to use new source path

- - - - -
913e9c27 by Endi S. Dewata at 2022-07-08T14:40:26-05:00
Update CA test to use RSNv3

- - - - -
7cdd2cf7 by Endi S. Dewata at 2022-07-11T10:31:00-05:00
Fix missing libjss-symkey.so library links

- - - - -
e61ec147 by Endi S. Dewata at 2022-07-11T10:31:05-05:00
Fix typo in jss_build_globs()

- - - - -
9639778b by Endi S. Dewata at 2022-07-11T16:08:46-05:00
Clean up log messages

- - - - -
565b8db4 by Endi S. Dewata at 2022-07-12T09:28:14-05:00
Fix JSS_PK11_wrapSymKey()

The JSS_PK11_wrapSymKey() in SessionKey.cpp has been modified to
pass the symmetric key's nickname into PK11SymKey's constructor
just like the JSS_PK11_wrapSymKey() in PK11SymKey.c.

Right now these methods belong to different libraries (libjss.so
and libjss-symkey.so), but in the future they should be merged.

- - - - -
a2acda15 by Endi S. Dewata at 2022-07-12T09:28:14-05:00
Fix SessionKey.ListSymmetricKeys()

The SessionKey.ListSymmetricKeys() has been modified to use the
internal token by default if the tokenName is NULL.

- - - - -
0a5a7381 by Marco Fargetta at 2022-07-13T15:36:39+02:00
Fix the compilation error on Sonarcloud with maven (#872)

After the PR #869 maven build does not work if the CMake build is not
executed before. This is to properly generate the header for the native
code.

Since Sonarcloud is configured with maven build and it does not check c
code for the moment, the native module has been disabled for the code
analysis.
- - - - -
6bafd8e3 by Marco Fargetta at 2022-07-13T16:39:31+02:00
Add doctype and missing html tags (#873)

Missing elements identified by Sonarcloud
- - - - -
1b824028 by Marco Fargetta at 2022-07-13T16:51:15+02:00
Sonarcloud project name changes (#874)

According to sonarcloud documentation the project id should not go
anymore in the pom.xml but it is derived or can be provided in the
command line.

The definition in the pom.xml generates an error
- - - - -
6356ddf4 by Marco Fargetta at 2022-07-13T17:08:09+02:00
Exclude native module from sonarcloud analysis

- - - - -
7a5b0c11 by Marco Fargetta at 2022-07-14T09:50:06+02:00
Resolve false positive int promotion bug (#875)


- - - - -
86a42dc1 by uplogix-mmcclain at 2022-07-14T17:19:28+02:00
X509Certificate.getSubjectDN()and getIssuerDN() leak memory (#835)


- - - - -
6798b6d2 by Marco Fargetta at 2022-07-15T15:12:17+02:00
Fix UTF-8 conversion (#876)

An if condition was never accessed because it was equal to a previous one.
- - - - -
07c9781f by Chris Kelley at 2022-07-21T12:35:52+01:00
Run shellcheck in JSS CI
- - - - -
fa746947 by Marco Fargetta at 2022-07-22T09:59:51+02:00
Rebase to master before analyse the pull request (#878)


- - - - -
16bdbfec by Chris Kelley at 2022-07-22T15:39:15+01:00
Fix shellcheck issues in build.sh and tomcat-start-wait.sh

Set severity to only trigger failure on warnings or higher.
- - - - -
9dd6a192 by Chris Kelley at 2022-07-26T07:54:18+01:00
Fix test failure introduced by efforts to fix shellcheck warnings
- - - - -
42b94cea by Marco Fargetta at 2022-07-26T10:38:30+02:00
Make the base branch generic (#880)


- - - - -
f3d26b46 by Endi S. Dewata at 2022-07-26T12:31:10-05:00
Workaround for NSS 3.81 issues

JSS doesn't seem to be working well with NSS 3.81:
https://github.com/dogtagpki/jss/issues/882

As a temporary workaround the RPM spec has been updated to
require an older NSS version. Once the issues are resolved
this limitation should be removed.

- - - - -
2f6d1c08 by Chris Kelley at 2022-07-27T13:29:10+01:00
Fix BuildRequires typos so fix Fedora JSS build issues

- - - - -
ebe5c9aa by Endi S. Dewata at 2022-07-27T10:26:02-05:00
Revert workaround for NSS 3.81 due to COPR issues

The workaround has been reverted since it was causing
build issues in COPR:

Error:
 Problem 1: cannot install both nss-tools-3.81.0-1.fc36.x86_64 and nss-tools-3.77.0-1.fc36.x86_64
  - cannot install the best candidate for the job
  - conflicting requests
 Problem 2: cannot install both nss-devel-3.81.0-1.fc36.x86_64 and nss-devel-3.77.0-1.fc36.x86_64
  - cannot install the best candidate for the job

- - - - -
d99200ca by Chris Kelley at 2022-07-28T16:22:14+01:00
Replace exclusion of i686 with new %{java_arches} macro

- - - - -
3286a925 by Chris Kelley at 2022-08-02T07:40:50+01:00
Update README.md
- - - - -
11433014 by uplogix-mmcclain at 2022-08-03T09:03:52+02:00
Socket timeout on large post (#865)

* Increase default SSLEngine BUFFER_SIZE

This constant sizes read and write internal ring buffers for the
JSSEngine reference implementation. If these buffers are too small to
fit a well-formed packet, this could cause issues with applications
sizing their source and destination ByteBuffers. This constant
is also reused (and exposed to the applications) by JSSSession,
whose getPacketBufferSize(...) and getApplicationBufferSize(...)
calls expose its value.

Signed-off-by: Alexander Scheel <alexander.m.scheel at gmail.com>

* Size buffers to send full-sized TLS records.

This also gets rid of this annoying Tomcat message going to standard error:
org.apache.tomcat.util.net.SecureNioChannel.processSNI Expanding network output buffer to [18713] bytes

Co-authored-by: Alexander Scheel <alexander.m.scheel at gmail.com>
- - - - -
d050aefb by Marco Fargetta at 2022-08-08T17:13:24+02:00
Tidyup SSLClient and SSLServer (#890)


- - - - -
0e6caf55 by Marco Fargetta at 2022-08-10T12:07:34+02:00
Fix missed synchronized (#887)

Some overridden methods do not keep the synchronized mechanism of the
parent class.
- - - - -
7c65da73 by Chris Kelley at 2022-08-11T06:57:37+01:00
Code simplification in X509CertInfo

* Simplify equals() with pattern-matching instanceof and removing
unnecessary Boolean literal.
* Combine identical catch clauses
* Use switch expressions and ternary operators where appropriate

- - - - -
b9760b49 by Marco Fargetta at 2022-08-11T11:31:53+02:00
Tidyup ExtensionsRequested (#892)


- - - - -
d3c91fd3 by Jack Magne at 2022-08-29T16:22:05-07:00
Fix Bug 2100807 - pki-tomcat/kra unable to decrypt when using RSA-OAEP padding in RHEL9 with FIPS enabled.

Remove the cmake test for OAEP since we can assume from this point forward nss has OAEP support.
The compile test was failing in a false negative fashion and it was determined to be more efficient to
simply remove the test completely instead of fixing it.

- - - - -
ec91a17d by Endi S. Dewata at 2022-09-02T09:53:24-05:00
Use ExcludeArch on older platforms

java_arches macro is only available on newer platforms, so
the spec file has been modified to use ExcludeArch on older
platforms.

- - - - -
62b4ea90 by Chris Kelley at 2022-09-20T23:35:49+01:00
Allow other build tests to continue if one fails

Currently if a build job fails on e.g. Fedora, the Ubuntu job will
cancel. This makes it hard to see whether the other jobs are afflicted
with a similar issue, so add continue-on-error so all jobs run to
completion.
- - - - -
ae6340f3 by Marco Fargetta at 2022-09-27T09:00:55+02:00
Tidy up X500Name (#898)

The class shows 8 bugs on Sonarcloud mainly related to a potential
NullPointerException with getString. A check has been added and other
few fixes
- - - - -
9e31149f by Chris Kelley at 2022-09-28T06:52:29+01:00
Replace deprecated getPackage() call with call to System classloader
- - - - -
a1d9cce3 by Endi S. Dewata at 2022-09-28T16:43:50-05:00
Fix RPM build warnings due to absolute links

RPM build warnings:
    absolute symlink: /usr/lib64/jss/jss-symkey.jar -> /usr/lib/java/jss-symkey.jar
    absolute symlink: /usr/lib64/jss/jss.jar -> /usr/lib/java/jss.jar

- - - - -
82c7bb14 by Endi S. Dewata at 2022-09-30T17:13:06-05:00
Replace OS_VERSION with BASE_IMAGE

The OS_VERSION variable has been replaced with BASE_IMAGE
to support non-Fedora images.

- - - - -
9e128840 by Chris Kelley at 2022-10-03T14:08:48+01:00
Remove unnecessary else clauses from various classes

* Where appropriate check-and-cast and ternary operators were used
* Some logic was also simplified by removing Boolean literals

- - - - -
74420784 by Endi S. Dewata at 2022-10-03T11:29:33-05:00
Fix Azure pipelines

Due to recent changes in Azure or Fedora it's no longer possible
to run tests in Azure with the standard Fedora image.

To fix the problem, the Dockerfile has been updated to define a
new Fedora/CentOS image that provides a systemd service. The test
job in Azure has been split into two jobs: one for Fedora/CentOS
and one for Debian/Ubuntu. The Fedora/CentOS job will build the
image, create a container with the image, then run the tests with
it, whereas the Debian/Ubuntu job is basically unchanged.

- - - - -
3a569e0c by Chris Kelley at 2022-10-31T07:35:03+00:00
Introduce new scripts to automate the build process

A new script update_version.sh is introduced, to start to reduce some
of the manual burden of building packages. Usage is as:

./update_version.sh <major> <minor> <update> <phase>

...where phase is optional.

In this first iteration, it does the following:

* Updates the spec version to the new version provided
* Commits that change
* Creates a tag based on the new version provided
* Creates a source tarball based on the new version provided

A companion script is also included to revert the version update, if
required.

- - - - -
802a66c0 by Marco Fargetta at 2022-11-11T10:15:32+01:00
Fix certificate signature algorithm not valid (#904)


- - - - -
b67ebd68 by Alexander Scheel at 2022-11-14T09:21:48+01:00
Only provision OAEP parameters when non-NULL (#674)

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
a52080ff by Marco Fargetta at 2022-11-14T09:25:42+01:00
Move socket creation to try-with-resources (#905)

This solves a SonarCloud critical issue in the SSLTest class.
- - - - -
18a7cd6c by Chris Kelley at 2022-11-14T11:40:26+00:00
Run RPMInspect in JSS CLI

- - - - -
d324e696 by Endi S. Dewata at 2022-11-29T23:56:44+07:00
Update version number to 5.3.0-beta1

- - - - -
2543d948 by Marco Fargetta at 2022-12-02T13:19:03+01:00
Update workflows to use not deprecated actions

- - - - -
55f8618b by Marco Fargetta at 2022-12-06T02:32:47+07:00
Modify container cgroup

Systemd has some problem to run in docker container if the host uses
only cgroups2.

This could make the run container failing with the error:

Failed to create /init.scope control group: Read-only file system
Failed to allocate manager object: Read-only file system
[!!!!!!] Failed to allocate manager object.
Exiting PID 1...

Removing the cgroup option and use the default value.

- - - - -
6ed71565 by Endi S. Dewata at 2022-12-06T08:55:29+07:00
Update COPR repo to @pki/11.3

- - - - -
53845392 by Marco Fargetta at 2022-12-15T09:30:24+01:00
Fix import .p12 files with sha256 hash

Stop if the algorithm is not managed

Add custom hash algorithm

Add SHA1 HMAC for PBES2

Add sha1 hmac for pbes2

Fix total num of algs

Fix SonarCloud code smell about deprecated comment

Fix missing checks

Add SHA-384 and SHA-512 to MacData and KeyGen

Add SHA-384 and SHA-512 support into native key generation

Move the mech selection logic to the KeyGenerator

Move the key generation to a separate method

Add PBE to the list of provided algorithms

Revert hash algorithm definition and fix SHA1

Convert SHA_[] HMAC algorithms from CKM_* to SEC_OID_*

Convert SHA1 HMAC from CKM_SHA_1_HMAC to SEC_OID_HMAC_SHA1

- - - - -
75556e93 by Marco Fargetta at 2022-12-15T09:30:24+01:00
Add ASN1 decoding of PBES2 algorithm in encrypted data

Key generated but decrypt parameter problem

Decrypt the content without generating the digest

The method doFinal will generate error for the decrypt operation so only
the update is used to parse the encrypted data.

Fix password conversion

The password for PBES2 EncryptedContentInfo needs the default password
converter in the majority of cases. The custom password converter was
adding extra bytes which were not managed by nss/openssl p12 code.

Fix optional keyLength parameter in PBKDF2

Fix formatting

- - - - -
201bbf67 by Chris Kelley at 2023-01-05T20:57:59+00:00
Updating version to v5.3.0-beta2

- - - - -
5d1333f4 by Chris Kelley at 2023-01-06T14:00:01+00:00
Make update_version script update jss_config_version

In JSS there is an extra step required for updating where the
value of jss_config_version must be bumped in sync with the
version and phase. Currently this does not happen, which will
lead to irregularities in testing and potentially incompatible
config.

- - - - -
09bccbb8 by Endi S. Dewata at 2023-02-07T13:11:54-06:00
Updating version to v5.3.0

- - - - -


30 changed files:

- .classpath
- .github/workflows/build-tests.yml
- + .github/workflows/code-analysis-pull.yml
- .github/workflows/code-analysis.yml
- .github/workflows/known_failures.yml
- − .github/workflows/maven-tests.yml
- .github/workflows/pkcs11-tests.yml
- .github/workflows/pki-tests.yml
- .github/workflows/tomcat-tests.yml
- .gitignore
- CMakeLists.txt
- Dockerfile
- README.md
- azure-pipelines.yml
- + base/pom.xml
- src/broken_test/java/org/mozilla/jss/tests/DirStrConverterTest.java → base/src/broken_test/java/org/mozilla/jss/tests/DirStrConverterTest.java
- src/broken_test/java/org/mozilla/jss/tests/GenericASN1ExtensionTest.java → base/src/broken_test/java/org/mozilla/jss/tests/GenericASN1ExtensionTest.java
- src/main/java/org/mozilla/jss/CRLImportException.java → base/src/main/java/org/mozilla/jss/CRLImportException.java
- src/main/java/org/mozilla/jss/CertDatabaseException.java → base/src/main/java/org/mozilla/jss/CertDatabaseException.java
- src/main/java/org/mozilla/jss/CertificateUsage.java → base/src/main/java/org/mozilla/jss/CertificateUsage.java
- src/main/java/org/mozilla/jss/CryptoManager.java → base/src/main/java/org/mozilla/jss/CryptoManager.java
- src/main/java/org/mozilla/jss/DatabaseCloser.java → base/src/main/java/org/mozilla/jss/DatabaseCloser.java
- src/main/java/org/mozilla/jss/InitializationValues.java → base/src/main/java/org/mozilla/jss/InitializationValues.java
- src/main/java/org/mozilla/jss/InvalidLengthException.java → base/src/main/java/org/mozilla/jss/InvalidLengthException.java
- src/main/java/org/mozilla/jss/JSSLoader.java → base/src/main/java/org/mozilla/jss/JSSLoader.java
- src/main/java/org/mozilla/jss/JSSProvider.java → base/src/main/java/org/mozilla/jss/JSSProvider.java
- src/main/java/org/mozilla/jss/KeyDatabaseException.java → base/src/main/java/org/mozilla/jss/KeyDatabaseException.java
- src/main/java/org/mozilla/jss/NicknameConflictException.java → base/src/main/java/org/mozilla/jss/NicknameConflictException.java
- src/main/java/org/mozilla/jss/NoSuchTokenException.java → base/src/main/java/org/mozilla/jss/NoSuchTokenException.java
- src/main/java/org/mozilla/jss/NotInitializedException.java → base/src/main/java/org/mozilla/jss/NotInitializedException.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/jss/-/compare/2077be079e37bc5c5e86cf15df1ed7daa2efe8c0...09bccbb8a2c8613b8782c7d9dab55fdbd723a838
