[Pkg-freeipa-devel] [Git][freeipa-team/jss][upstream] 62 commits: Update version number to 5.4.0-alpha1

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Tue May 16 14:19:57 BST 2023



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / jss


Commits:
c8478138 by Endi S. Dewata at 2022-12-05T11:48:06+07:00
Update version number to 5.4.0-alpha1

- - - - -
2830f83a by Marco Fargetta at 2022-12-05T13:31:41+01:00
Modify container cgroup

Systemd has some problems running in a docker container if the host uses
only cgroups2.

This could make running the container fail with the error:

Failed to create /init.scope control group: Read-only file system
Failed to allocate manager object: Read-only file system
[!!!!!!] Failed to allocate manager object.
Exiting PID 1...

Remove the cgroup option and use the default value.

- - - - -
47a95b1d by Marco Fargetta at 2022-12-06T11:07:46+01:00
Fix import .p12 files with sha256 hash

Stop if the algorithm is not managed

Add custom hash algorithm

Add SHA1 HMAC for PBES2

Add sha1 hmac for pbes2

Fix total num of algs

Fix SonarCloud code smell about deprecated comment

Fix missing checks

Add SHA-384 and SHA-512 to MacData and KeyGen

Add SHA-384 and SHA-512 support into native key generation

Move the mech selection logic to the KeyGenerator

Move the key generation to a separate method

Add PBE to the list of provided algorithms

Revert hash algorithm definition and fix SHA1

Convert SHA_[] HMAC algorithms from CKM_* to SEC_OID_*

Convert SHA1 HMAC from CKM_SHA_1_HMAC to SEC_OID_HMAC_SHA1

- - - - -
842f4dd1 by Marco Fargetta at 2022-12-06T11:07:46+01:00
Add ASN1 decoding of PBES2 algorithm in encrypted data

Key generated but decrypt parameter problem

Decrypt the content without generating the digest

The method doFinal will generate error for the decrypt operation so only
the update is used to parse the encrypted data.

Fix password conversion

The password for PBES2 EncryptedContentInfo needs the default password
converter in the majority of cases. The custom password converter was
adding extra bytes which were not managed by nss/openssl p12 code.

Fix optional keyLength parameter in PBKDF2

Fix formatting

- - - - -
486dd851 by Marco Fargetta at 2022-12-07T09:44:49+01:00
Update github-script action

Update github-script action to v6

See https://github.com/actions/github-script

- - - - -
dfb1fb2b by Marco Fargetta at 2022-12-13T15:36:31+10:00
Fix pkcs7 serialisation when no signatures present

According to the documentation [1]:

  In the case of external signatures, the
   content being signed is absent from the EncapsulatedContentInfo value
   included

The current implementation always includes the content but with length
equal to zero. This is modified to be consistent with the
specification.

1. https://www.rfc-editor.org/rfc/rfc5652#section-5.2

- - - - -
72bafe89 by Endi S. Dewata at 2022-12-14T20:40:24+07:00
Consolidate initialization jobs

- - - - -
0c54ba6e by Endi S. Dewata at 2022-12-15T02:10:07+07:00
Consolidate build jobs

The build jobs in test workflows have been consolidated into
build.yml such that the build will be created just once by the
build workflow, and the test workflows will use the same build
once it's completed.

https://github.com/lewagon/wait-on-check-action

- - - - -
8af83584 by Endi S. Dewata at 2022-12-15T09:31:10+07:00
Fix Eclipse warning due to missing encoding

- - - - -
f5290989 by Endi S. Dewata at 2022-12-16T00:26:07+07:00
Add jss-deps and jss-builder-deps images

The jss-deps and jss-builder-deps images have been added to
store the runtime and build dependencies, respectively.

- - - - -
1188c340 by Endi S. Dewata at 2022-12-16T22:32:14+07:00
Cache jss-deps and jss-builder-deps images

The build job has been modified to cache the runtime and build
dependencies.

- - - - -
4ac1cddb by Endi S. Dewata at 2022-12-20T06:40:35+07:00
Add publish job

A new job has been added to publish JSS images to GH Packages
after the build job in the master branch is complete.

- - - - -
821dbbf6 by Endi S. Dewata at 2022-12-22T00:56:56+07:00
Drop default COPR repo

The GitHub workflows have been modified to no longer use a COPR
repo by default. Instead, it will install packages from GitHub
Packages. The Azure Pipelines still have a dependency on COPR.
It will be removed separately later.

- - - - -
61da19e6 by Endi S. Dewata at 2022-12-22T17:37:11+07:00
Add jss-dist image

The CI has been modified to store the RPMs in an Alpine-based
image and publish it to GH Packages to reduce the size of the
distribution.

- - - - -
4c93da7f by Endi S. Dewata at 2022-12-23T01:16:01+07:00
Remove obsolete references to builder images

The CI has been updated to no longer use *-builder images and
use *-dist images instead.

- - - - -
5e1b1bd0 by Marco Fargetta at 2022-12-22T19:44:49+01:00
Remove or modify expressions which always evaluate the same

Following SonarCloud indications some expressions always verify the same
so they have been removed or modified

- - - - -
b0ab5cec by Endi S. Dewata at 2023-01-05T20:34:51+07:00
Replace BASE64_MATRIX with BASE64_OS

Previously the BASE64_MATRIX parameter provided a mechanism
to test against multiple Fedora versions at once. However,
since the test resources are limited and only one of the
versions is eventually published, the parameter has been
replaced with a new BASE64_OS parameter which only supports
a single Fedora version.

https://github.com/dogtagpki/pki/wiki/Configuring-Test-OS

- - - - -
61bad4ff by Endi S. Dewata at 2023-01-06T07:02:09+07:00
Update publish workflow

The publish workflow has been modified to wait for the build
using lewagon/wait-on-check-action instead of on.workflow_run
such that it can be customized to publish the images with the
proper tag for the branch.

- - - - -
623cdc42 by Chris Kelley at 2023-01-06T13:09:35+00:00
Make update_version script update jss_config_version

In JSS there is an extra step required for updating where the
value of jss_config_version must be bumped in sync with the
version and phase. Currently this does not happen, which will
lead to irregularities in testing and potentially incompatible
config.

- - - - -
028573c0 by Endi S. Dewata at 2023-01-06T23:34:37+07:00
Convert sandbox test into GH job

Previously the sandbox test was written as a Dockerfile.
To make it easier to see the logs and for consistency with
other tests, it has been converted into a GH job.

- - - - -
c7a04aec by Marco Fargetta at 2023-01-10T11:58:35+01:00
Fix several issues identified by SonarCloud

This commit will solve some of the most critical problems identified by
SonarCloud. In more detail, they are:

- buried exceptions: some `finally` clauses were throwing exceptions, hiding
  the exceptions thrown in the try block. The code has been modified so
  the finally exception is thrown only if the try block has no
  exception, preserving the order of appearance;
- some conditions were always (or never) verified;
- possible NullPointerException in several points.

This would also allow the code quality to go from "D" to "C" level.

- - - - -
3700e730 by Matthew McClain at 2023-01-10T12:01:38+01:00
fix small memory leak with every open socket

- - - - -
f304f509 by Marco Fargetta at 2023-01-11T17:37:21+01:00
Fix potential problem identified by Covscan

For the error see:
https://cov01.lab.eng.brq2.redhat.com/covscanhub/task/269948//log/added.err

- - - - -
2c715d2d by Marco Fargetta at 2023-01-17T09:37:24+01:00
Add test with postgresql

Add a new workflow testing ACME with postgresql. The connection to the
DB uses SSL and it is managed through JSS so this verifies it is working
with third-party applications.

See issue #610

- - - - -
cd7d932b by Endi S. Dewata at 2023-01-18T20:31:19+07:00
Add support for container registry configuration

The publish job has been modified to support container registry
configuration and will only run if the registry is configured.
The job will also no longer publish the runner image since it's
only used internally.

https://github.com/dogtagpki/pki/wiki/Configuring-Container-Registry

- - - - -
b9c099e4 by Endi S. Dewata at 2023-01-18T08:48:46-06:00
Remove default container registry

- - - - -
9dfa9797 by Endi S. Dewata at 2023-01-19T21:01:10+07:00
Switch to Quay.io

- - - - -
084a4e16 by Endi S. Dewata at 2023-01-20T10:02:31-06:00
Clean up publish job

- - - - -
ca437800 by Marco Fargetta at 2023-02-23T14:58:34+01:00
Fix warning for accessing `-Werror=maybe-uninitialized`

The error stops the build only with debug enabled and all warnings
enabled. This is not a problem but it blocks the `sandbox-test` which
exits with error.

The error arises only in fedora rawhide and not in fedora 37.

The current logic of the application does not change.

- - - - -
f5aa7b25 by Marco Fargetta at 2023-02-23T19:14:21+01:00
Add test for connection with postgresql

- - - - -
0c4012e6 by Marco Fargetta at 2023-02-27T15:38:04+01:00
Remove Postgresql test using ACME

- - - - -
c8340502 by Marco Fargetta at 2023-03-13T10:38:49+01:00
Fix some Sonar Cloud issues

The method `toString()` never returns `null` and the subclasses should
maintain its original behaviour. Similarly, some synchronized methods were
overridden without the `synchronized` modifier.

Finally, some conditions were not possible.

- - - - -
ae20a54c by Marco Fargetta at 2023-03-20T19:02:30+01:00
Fix decrypt for PBKDF1

Passwords for PBKDF1 and PBKDF2 in JSS have to be in different format
because they are handled by different nss libraries which work with
different data encoding.

Fix Bug 2115765

- - - - -
419944ed by Marco Fargetta at 2023-03-27T17:24:14+02:00
Remove printStackTrace()

The `printStackTrace()` output should not be used in production because
it can leak information and cannot be disabled.

The method is deleted or converted to log.

Note: some tests and client code still use the method

- - - - -
ae94d977 by Marco Fargetta at 2023-03-28T18:29:58+02:00
Fix switch issue

Some `switch` cases are not closed by a break.
Actually, it is not a problem because the following cases are safe or not
possible, but `break` is added, and an exception in case of an unreachable
case.

- - - - -
1cf9fcc5 by Marco Fargetta at 2023-03-31T20:30:59+02:00
Tidy up some classes in provider crypto package

The changes are:
- remove some assertions which are already verified in conditions;
- move instance variable to local;
- clean up if else conditions;
- using instanceof with assignment;
- fix signature to java recommendation.

- - - - -
b9565b35 by Marco Fargetta at 2023-04-03T15:12:58+02:00
Fix some SonarCloud major bugs

Removed a block of code performing no operations.
Add back the interrupted flag in case a sleep operation gets
interrupted so the JVM behaviour is preserved.

- - - - -
413615d6 by Marco Fargetta at 2023-04-03T17:16:33+02:00
Deprecate RSAParameterSpec.getKeySize

The class RSAParameterSpec has been modified to extend the standard `java.security.spec.RSAKeyGenParameterSpec` but the method `getKeySize()` has a different capitalisation in the superclass so this was kept for compatibility.

However, all the *JSS* code has been updated to use the superclass method
and there is no use in other *PKI* tools so the old method is not used
and can be removed in the future.

The commit modifying the RSAParameterSpec extending the standard class
is:

https://github.com/dogtagpki/jss/commit/b995847206e21b696c697f1551b0ee61e17f9497

- - - - -
6132a478 by Endi S. Dewata at 2023-04-10T12:57:44-05:00
Update version numbers in pom.xml and build test

- - - - -
53c00362 by Endi S. Dewata at 2023-04-10T14:08:32-05:00
Convert WITHOUT_JAVADOC into WITH_JAVADOC

The WITHOUT_JAVADOC variable in build.sh has been converted
into WITH_JAVADOC for clarity.

- - - - -
6d7fb1c6 by Endi S. Dewata at 2023-04-10T15:19:42-05:00
Update Java.cmake

The javac(), jar(), javadoc(), and link() functions in Java.cmake
have been updated to no longer add targets into CMake's default
build target automatically to provide more control on the build
process.

- - - - -
40c9f222 by Endi S. Dewata at 2023-04-11T09:54:33-05:00
Update javac() to support HEADER_DIR

The javac() function in CMake has been modified to provide an
option to specify where to generate the native header files.
The symkey module has been modified to use this option.

- - - - -
724c7bbb by Marco Fargetta at 2023-04-11T17:06:40+02:00
Clean ASN1 packages

Removed some bugs/code smells from the `org.mozilla.jss.asn1` package.
These include:
- convert `Vector` to `ArrayList`
- remove or convert to real check some `assert` conditions

There are several layout changes made by eclipse but they are in the
javadoc comments.

- - - - -
9872c134 by Endi S. Dewata at 2023-04-11T14:29:02-05:00
Move PKI build test into separate file

- - - - -
261d9808 by Endi S. Dewata at 2023-04-11T14:29:02-05:00
Move CA test into separate file

- - - - -
c533fb7b by Endi S. Dewata at 2023-04-11T16:52:28-05:00
Add PKI tools test

A new test has been added to test AES key using PKI tools which
can be used to validate JSS symmetric key library. Tests for
other types of key may be added later.

- - - - -
97d928ee by Endi S. Dewata at 2023-04-11T17:20:12-05:00
Update CA test to use the latest builds

- - - - -
a2786510 by Endi S. Dewata at 2023-04-12T09:01:17-05:00
Add TPS test

A new test has been added to validate TPS token enrollment
which will expand the test coverage for JSS symmetric key
library.

- - - - -
11ecabc9 by Marco Fargetta at 2023-04-12T16:56:38+02:00
Reintroduce SHA1 algorithm

SHA1 algorithms were removed with the commit
f9d83e27ff6d22c9cefe4a7d1f651498782bb8cb but this generates problems when
dogtag is used on RHEL8 based systems. To solve the problem they are put
back in place.

Fix Bug 2182085

- - - - -
427c10e7 by Endi S. Dewata at 2023-04-12T10:13:10-05:00
Update jss.spec to use Maven dependencies

- - - - -
e218f8e7 by Endi S. Dewata at 2023-04-12T10:13:10-05:00
Add Maven module for symkey

A pom.xml has been added to define Maven module for symkey.
The build test has been added to compare the jss-symkey.jar
created by CMake and by Maven to ensure that they contain
the same files.

For now Maven will only build symkey Java code and SonarCloud
will ignore symkey native code.

- - - - -
8fa6df62 by Marco Fargetta at 2023-04-12T18:42:09+02:00
Fix native filename

Running `mvn install` generates an error for a missing package name.
Investigating and checking the code, the artifactId has to be the same
as the library generated.

https://stackoverflow.com/questions/25138413/java-jni-maven-native-maven-plugin-how-to-set-shared-library-final-name
https://github.com/mojohaus/maven-native/blob/master/native-maven-plugin/src/main/java/org/codehaus/mojo/natives/plugin/NativeInitializeMojo.java

The install phase is relevant to deploy the artifact in the local
database and use the artifact as a dependency

- - - - -
db58e214 by Endi S. Dewata at 2023-04-12T13:34:43-05:00
Move symkey native code to symkey/src/main/native

- - - - -
733ec27a by Marco Fargetta at 2023-04-13T16:11:52+02:00
Make maven artifact usable

When parent version is managed with a `revision` property in the submodules the
generated artifacts will have the `version` field not updated so they
cannot be consumed by other projects. The solution is to add a
plugin transforming the `pom.xml` for the artifact.

References:

- https://maven.apache.org/maven-ci-friendly.html#install-deploy
- https://jeanchristophegay.com/en/posts/maven-unique-version-multi-modules-build/

- - - - -
f339d700 by Endi S. Dewata at 2023-04-13T09:54:47-05:00
Merge jss-symkey.jar into jss.jar

The symkey Java library in jss-symkey.jar has been merged
into jss.jar. The symkey native library will remain in
libjss-symkey.so for now.

The symkey CMake project has been updated to no longer build
the Java library but it will continue the native library. The
symkey Maven module has been updated to build the native
library instead of the Java library.

For now the build.sh will continue to use CMake, but later it
might be changed to use Maven.

- - - - -
52be7df4 by Endi S. Dewata at 2023-04-13T12:03:45-05:00
Ignore .flattened-pom.xml

- - - - -
de36feca by Endi S. Dewata at 2023-04-13T12:49:54-05:00
Remove obsolete reference to jss-symkey.jar

- - - - -
69eee026 by Endi S. Dewata at 2023-04-13T17:36:12-05:00
Consolidate top level CMake targets

The top level CMake targets have been consolidated into "java"
and "native" in order to support building Java binaries and
native binaries separately.

- - - - -
7e5ac0ff by Endi S. Dewata at 2023-04-14T09:41:19-05:00
Add build.sh --without-java and --without-native

New options have been added into build.sh to support building
Java and native binaries separately.

- - - - -
45dbc154 by Marco Fargetta at 2023-04-18T11:35:53+02:00
Fix some bugs in org.mozilla.jss.pkix

The main issues fixed are:

- override of equals and hash code (they should both be done)
- check byte read from stream
- removed not possible exceptions
- syntax compliant to Java best practice

- - - - -
a887db72 by Endi S. Dewata at 2023-04-19T12:09:14-05:00
Publish to GitHub Maven registry

A new job has been added to build JSS with Maven and publish
the artifacts to GitHub Maven registry. Currently the native
and symkey modules have to be disabled due to a build issue.
The group ID and artifact ID have been renamed to follow the
more commonly used pattern.

- - - - -
808f4276 by Chris Kelley at 2023-04-20T10:47:44+01:00
Updating version to v5.4.0

- - - - -


30 changed files:

- .classpath
- + .dockerignore
- .github/workflows/build-tests.yml
- + .github/workflows/build.yml
- .github/workflows/code-analysis-pull.yml
- .github/workflows/code-analysis.yml
- + .github/workflows/external-application-connection-tests.yml
- + .github/workflows/init.yml
- .github/workflows/known_failures.yml
- .github/workflows/pkcs11-tests.yml
- + .github/workflows/pki-build-test.yml
- + .github/workflows/pki-ca-test.yml
- .github/workflows/pki-tests.yml
- + .github/workflows/pki-tools-test.yml
- + .github/workflows/pki-tps-test.yml
- + .github/workflows/publish.yml
- .github/workflows/tomcat-tests.yml
- .gitignore
- + .settings/org.eclipse.core.resources.prefs
- CMakeLists.txt
- Dockerfile
- base/pom.xml
- base/src/main/java/org/mozilla/jss/CryptoManager.java
- base/src/main/java/org/mozilla/jss/JSSProvider.java
- base/src/main/java/org/mozilla/jss/asn1/ASN1Header.java
- base/src/main/java/org/mozilla/jss/asn1/BIT_STRING.java
- base/src/main/java/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
- base/src/main/java/org/mozilla/jss/asn1/SEQUENCE.java
- base/src/main/java/org/mozilla/jss/crypto/Algorithm.java
- base/src/main/java/org/mozilla/jss/crypto/EncryptionAlgorithm.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/jss/-/compare/09bccbb8a2c8613b8782c7d9dab55fdbd723a838...808f42762bb63442ed3adfd5bd6346665db5f94f
