[Pkg-freeipa-devel] [Git][freeipa-team/jss][upstream] 79 commits: Fix build.sh --verbose

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Thu Feb 29 14:46:50 GMT 2024



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / jss


Commits:
8e1814e6 by Endi S. Dewata at 2023-04-24T14:01:09-05:00
Fix build.sh --verbose

The build.sh script has been updated to run the tests in verbose
mode if the --verbose option is specified.

- - - - -
46bb69cc by Endi S. Dewata at 2023-04-24T15:05:11-05:00
Update Maven JAR file names

- - - - -
36ee9946 by Endi S. Dewata at 2023-04-24T15:22:51-05:00
Fix tests JAR file

The CMake and Maven scripts have been modified to store the
test classes into jss-tests.jar.

- - - - -
10b5570f by Endi S. Dewata at 2023-04-24T17:21:33-05:00
Do not generate jss-tests.jar by default

- - - - -
1407d2c4 by Endi S. Dewata at 2023-04-25T09:44:15-05:00
Build RPM with Maven

The jss.spec has been modified to build Java code, run Java
tests, and build Javadoc with Maven, then build native code
and run native tests with CMake.

- - - - -
c718fe79 by Endi S. Dewata at 2023-04-26T11:47:12-05:00
Fix COPR build failure

- - - - -
d316a848 by Endi S. Dewata at 2023-04-26T17:22:53-05:00
Install both jss.jar and jss-base.jar

The final location of jss-base.jar can change depending on the
build system (local rpmbuild vs COPR), so it's not possible
to create reliable links to the file.

To fix the problem the RPM spec file has been updated to install
jss.jar (in addition to jss-base.jar) at a more consistent
location so that the links will work properly.

- - - - -
d1ac9db4 by Marco Fargetta at 2023-05-08T10:59:32+02:00
Bug2184930_Fix AIA extension print

The "Authority Info Access" extension was not included in the oid
extension map so it was not correctly printed.

This adds the AIA extension to the oid map.

- - - - -
b02602bf by Marco Fargetta at 2023-05-17T11:07:07+02:00
Update JUnit to version 5

- - - - -
227c5b2f by Marco Fargetta at 2023-05-17T11:07:07+02:00
Convert tests to JUnit5 (PrintableConverterTest)

This is the first junit test converted to junit 5.

In order to run the test also a new runner class is introduced.

Here the migration documentation: https://junit.org/junit5/docs/current/user-guide/#migrating-from-junit4

The remaining tests make use of junit 4 or make use of a custom approach. All of them could be converted to junit 5.

At compile time there is a warning with `org.apiguardian.api.API$Status` which seems related to a library problem in junit 5 but it can be ignored according to many posts (e.g. https://stackoverflow.com/questions/46702273/warning-unknown-enum-constant-status-stable).

- - - - -
4bbbfc20 by Marco Fargetta at 2023-05-17T15:03:29+02:00
Convert all junit based tests to JUnit5

- - - - -
b41978f3 by Marco Fargetta at 2023-05-17T15:03:29+02:00
Remove junit4 dependencies

- - - - -
129839c9 by Endi S. Dewata at 2023-05-17T15:54:13-05:00
Suppress warnings for deprecated algorithms

Algorithms such as SHA-1 and MD5 are deprecated but they still
have valid uses and in certain cases cannot be replaced easily.
The problem is currently code that uses these algorithms
generates warnings that can undermine user's confidence in the
code. To avoid the problem, the warnings have been converted
into regular debug messages which will only appear in debug mode.

- - - - -
e10b3d80 by Endi S. Dewata at 2023-05-22T15:15:11-05:00
Replace ECCurve_Code.ordinal() with code()

Previously the Enum.ordinal() was used to determine the EC curve
code which is not reliable since the position of the constants
in the enumeration is not guaranteed. A new field has been added
into ECCurve_Code to store a permanent curve code regardless of
constant position.

- - - - -
75e0be5c by Chris Kelley at 2023-05-23T11:40:09+01:00
Code clean up in CertTemplate

* Use ternary operator where appropriate
* Document empty constructor
* Put array designator on the type
* Remove unused indent variable, and subsequently unused vars/args
* Remove exception that cannot be thrown from print()
* Use pattern-matching instanceof

- - - - -
8b21cb9a by Chris Kelley at 2023-05-23T13:55:54+01:00
Code clean up in ObjectIdentifier

* Flatten logic in getObjectIdentifier()
* Use pattern-matching instanceof and ternary operators
* Remove unnecessary Boolean literals
* Reorder modifiers to match the JLS
* Rename variables to match the JLS naming conventions
* Move array designator to the type
* Declare each var on its own line
* Catch Exception instead of Throwable
* Declare mOIDs with a generic type, use HashMap, lower visibility
* Prefer StringBuilder to StringBuffer
* Remove exceptions that cannot be thrown

- - - - -
348ac1d8 by Endi S. Dewata at 2023-05-23T09:12:37-05:00
Refactor PK11KeyPairGenerator.getCurveCodeByName()

The PK11KeyPairGenerator.getCurveCodeByName() has been modified
to use ECCurve_Code.valueOf() to translate the curve name into
the curve code instead of using a separate Hashtable. If the
curve name is not defined in ECCurve_Code, the valueOf() will
throw an IllegalArgumentException.

- - - - -
48f10a56 by Endi S. Dewata at 2023-05-23T11:20:26-05:00
Refactor PK11KeyPairGenerator.getECCurve()

Previously the PK11KeyPairGenerator.getECCurve() was using a
separate Hashtable to store the OIDs of EC curves. To simplify
the code the OIDs have been moved into the ECCurve_Code enum
and the getECCurve() has been modified to get the OID from the
enum.

- - - - -
7a3c2ac5 by Endi S. Dewata at 2023-05-23T14:04:23-05:00
Consolidate EC curve OIDs

The EC curve OID constants in PK11KeyPairGenerator have been
consolidated into ECOIDs.

- - - - -
8f596e2d by Endi S. Dewata at 2023-05-23T15:48:01-05:00
Update version number to 5.5.0-alpha1

- - - - -
11327498 by Endi S. Dewata at 2023-05-24T16:50:20-05:00
Drop legacy CSR header/footer

The PK11Token.generateCertRequest() has been modified to generate
a CSR with the header and footer described in RFC 7468.

- - - - -
ce652a95 by Marco Fargetta at 2023-05-25T11:56:06+02:00
Fix SIA extension

The "Subject Info Access" extension was not included in the oid
extension map so it was not correctly printed.

This adds the SIA extension to the oid map.

- - - - -
8f9d596d by Endi S. Dewata at 2023-05-26T18:18:44-05:00
Disable debug messages in SessionKey.cpp

- - - - -
593ca513 by Endi S. Dewata at 2023-05-26T18:37:33-05:00
Disable debug messages in SymKey.cpp

- - - - -
bc8e2e6a by Marco Fargetta at 2023-05-30T11:54:30+02:00
Fix OoM in JSSEngineReferenceImpl object

If TLS connection is terminated by the server with a `close_notify`
tomcat will call the `closeOutbound()` method but the `closeInbound()`
is never called so the cleanup cannot be done at the end.

It is possible to test the problem with a tomcat instance. If the option
`-H 'Connection: close'` is present only the `closeOutbound()` is called.

- - - - -
fcce4f09 by Marco Fargetta at 2023-06-09T11:23:14+02:00
Fix AVA class bugs

Solve:
- remove not possible `throws` exception
- check number of bytes read from InputStream
- Use UTF8 standard charset

- - - - -
60ef42cb by Marco Fargetta at 2023-06-09T11:23:14+02:00
Fix PK11Token class bugs

Sonar bugs solved:

- Override `hashCode()` since `equals()` is overridden
- Remove useless assignment
- Refactor method `generateRequest(String, int, String, byte[], byte[], byte[])`
- Removed `catch` without logic
- Remove `throws` exception of subclasses when the parent is thrown

- - - - -
770390de by Chris Kelley at 2023-06-27T14:52:09+01:00
Introduce Packit configuration for jss

- - - - -
c2739861 by Chris Kelley at 2023-06-27T14:52:22+01:00
Upstream spec file changes to reduce diffs

- - - - -
f00dda73 by Chris Kelley at 2023-06-27T14:53:39+01:00
Add on-commit packit COPR builds

- - - - -
6c8ed4a2 by Endi S. Dewata at 2023-07-05T18:03:29-05:00
Replace BASE64_REPO secret with COPR_REPO variable

The BASE64_REPO secret has been replaced with COPR_REPO variable
since it's easier to configure.

https://github.com/dogtagpki/pki/wiki/Configuring-Test-Repository

- - - - -
5479038f by Endi S. Dewata at 2023-07-05T19:27:32-05:00
Add maven-surefire-plugin

The maven-surefire-plugin has been added to run JUnit 5 tests
properly.

- - - - -
3677abe5 by Chris Kelley at 2023-07-10T15:18:24+01:00
Add get_current_version to Packit build job

- - - - -
e2220220 by Chris Kelley at 2023-07-11T15:44:26+01:00
Simplify Packit copr_build config

- - - - -
b96e33be by Marco Fargetta at 2023-07-13T19:04:56+02:00
Add IP addresses to the session

The SSLEngine session "JSSSession" has been extended to contain the IP
addresses of the client and the server. These are used for the audit and
have no other use in the protocol. By design the SSLEngine should be
unaware of the underlying communication but this is needed to keep the
original audit format required for the certification.

- - - - -
7be60d69 by Marco Fargetta at 2023-07-13T19:04:56+02:00
Fix missing ACCESS_SESSION_ESTABLISH failure event

When the handshake failure event fails it should fire an audit event for
ACCESS_SESSION_ESTABLISH with the details (IPs, outcome, description,
...).

These events were never fired because in case of handshake error the
input stream is unwrapped until the end and output stream is wrapped
and data sent to the peer, then closed together. All this without
checking if TLS events were present in the stream.

The code is fixed and now the check for events is done on any error and
the first one is reported.

- - - - -
1ae1dfa3 by Endi S. Dewata at 2023-07-13T13:32:45-05:00
Clean up GH workflows

- - - - -
5f7fd3bc by Endi S. Dewata at 2023-07-18T09:32:54-05:00
Hard-code version number in pom.xml

Some build systems require hard-coding the version number in
pom.xml, so the revision property has been replaced with the
actual version number. Updating the version number can be
done with the following commands:

$ mvn versions:set -DnewVersion=<version>
$ mvn versions:commit

The .gitignore has been updated to ignore the backup files
created by this command.

- - - - -
14754b42 by Chris Kelley at 2023-07-26T13:55:07+01:00
spec: set ExclusiveArch on any OS with java_arches

Fedora builds are not the only ones which no longer build Java for ix86;
Fedora ELN and RHEL 10 are following that as well.  This will avoid
builds landing on Java-less architecture builders and thereby failing.

Original patch by Yaakov Selkowitz <yselkowi at redhat.com>
https://github.com/dogtagpki/ldap-sdk/pull/53

- - - - -
b0052eb4 by Endi S. Dewata at 2023-07-31T19:19:09-05:00
Import Tomcat JSS project

To simplify package maintenance, the code from Tomcat JSS master
branch has been imported into tomcat and tomcat-9.0 modules which
will be distributed as jss-tomcat RPM package.

Later PKI will need to be updated to depend on jss-tomcat instead
of tomcatjss, then tomcatjss can be deprecated.

- - - - -
4ec4b811 by Marco Fargetta at 2023-08-01T09:52:38+02:00
Remove Sonar identified potential bugs in ssl (#974)

Remove identified potential bugs from the package
`org.mozilla.jss.ssl.javax`. These were generated by missing primitive
type cast from int to long, and missing check on read operation.

Additionally, a couple of variable names have been modified to be Java
compliant and other minor fixes.

- - - - -
fa39cfcf by Chris Kelley at 2023-08-02T14:59:52+01:00
Code cleanup in X509CertImpl

* Override equals/hashCode as we add fields and the superclass overrides
equals
* Extract constants to reduce string duplication
* Don't create vars just to return them
* Invert some negated logic for readability, remove unnecessary else
clauses and use ternary operator where appropriate
* Remove declared exception that cannot be thrown
* Delete commented out code
* Put array designators on the type
* Use try-with-resources
* Combine identical catch clauses
* Remove unnecessary Boolean literal and semicolons

- - - - -
32541161 by Endi S. Dewata at 2023-08-07T09:22:37-05:00
Remove references to Tomcat JSS

The tests have been updated to remove references to Tomcat JSS.
The spec file has been updated to remove installed Tomcat JSS
packages.

- - - - -
99a927c9 by Endi S. Dewata at 2023-08-08T12:07:10-05:00
Update test for Tomcat connector with NSS database

The test for Tomcat connector with NSS database has been
updated to validate the SSL connection using sslscan.

- - - - -
38ce380f by Endi S. Dewata at 2023-08-09T09:13:08-05:00
Update RPM test

The RPM test has been updated to compare JAR files from RPM
packages (which were built using XMvn) against JAR files
built directly using Maven.

- - - - -
149d909a by Endi S. Dewata at 2023-08-09T09:16:40-05:00
Add SONAR_ORGANIZATION

The SONAR_ORGANIZATION variable has been added to support
the use of personal organization for analysis.

- - - - -
fe756992 by Chris Kelley at 2023-08-11T08:47:53+01:00
Code clean up in SET

* Invert some negated logic for readability/use ternary operators
* Put array designator on the type

- - - - -
47422719 by Chris Kelley at 2023-08-11T08:47:53+01:00
Pull rawhide image from quay.io instead of the Docker registry

The quay.io image is updated from every successful rawhide compose,
whereas the Docker registry is less frequent. We are seeing issues
because we are out of sync with latest rawhide (the dnf/dnf5 revert) and
this should give us some immunity to that in the future.

- - - - -
ac5a2a2a by Marco Fargetta at 2023-08-29T13:09:42+02:00
Push IP addresses to SSLEngine session

**SSLEngine** is by design unaware of the underlying communication channel.
In tomcat the communication channel is started by the classes
`NioEndpoint` and it is maintained in `SecureNioChannel` which will
create the buffer used with the SSLEngine in order to wrap and unwrap
the messages.

To allow the audit of TLS messages to include IP addresses of the client
and server, the above classes have been extended in order to store the
IPs in the SSLEngine session after its creation.

Replace the tomcatJSS PR#73
(https://github.com/dogtagpki/tomcatjss/pull/73)

- - - - -
a9b35eb5 by Marco Fargetta at 2023-09-05T19:05:00+02:00
Bug_2233740 Fix wrong port number in log and audit

If the connection is created from a java socket the port number was
reported incorrectly because a conversion from host to network format
was missed.

- - - - -
3ad5bb6b by Endi S. Dewata at 2023-09-06T13:13:38-05:00
Replace BASE64_OS with BASE_IMAGE

- - - - -
fc34a1ad by Marco Fargetta at 2023-09-07T18:51:40+02:00
Fix null exception in RevocationReason

- - - - -
1c2d2045 by Endi S. Dewata at 2023-09-07T15:16:13-05:00
Update PostgreSQL test

The PostgreSQL test has been updated to use LDAP SDK and PKI
packages from Quay instead of COPR since it is generally more
reliable and older packages will not expire.

- - - - -
ce1ad008 by Endi S. Dewata at 2023-09-08T16:12:21-05:00
Update log messages in X509CRLImpl

- - - - -
9a9fcd9f by Endi S. Dewata at 2023-09-13T19:30:05-05:00
Update version number to 5.5.0-alpha2

- - - - -
4971cb9a by Endi S. Dewata at 2023-10-10T12:35:12-05:00
Fix dependency scope for opentest4j

- - - - -
5a5e4144 by Endi S. Dewata at 2023-10-11T11:37:32-05:00
Update dependency on Tomcat

- - - - -
2a27e959 by Endi S. Dewata at 2023-10-11T12:46:34-05:00
Update pom.xml and Dockerfile

- - - - -
24f810e5 by Endi S. Dewata at 2023-10-13T09:48:17-05:00
Add jss-tests package

A new package has been added for distributing test scripts and
binaries.

- - - - -
87a29ea2 by Endi S. Dewata at 2023-10-18T17:49:27-05:00
Remove unused init-workflow.sh

- - - - -
7d3b0b86 by Endi S. Dewata at 2023-10-23T17:22:46-05:00
Update RPM spec file

The RPM spec file has been updated to install/distribute
Maven artifacts in the proper locations/packages.

- - - - -
9c333dff by Endi S. Dewata at 2023-10-24T16:53:24-05:00
Fix build.sh --without-tests

The CMake files have been updated such that the build can be
done without building and running the tests.

- - - - -
167cdf8e by Endi S. Dewata at 2023-11-02T09:30:45-05:00
Add PK11Store.importCert()

Currently none of the cert import methods provided by JSS works
like certutil -A since they call different NSS functions so in
some cases it's necessary to call this external command from Java
which could be problematic and does not work well with HSM.

To address the problem the PK11Store.importCert() has been added
to call the same NSS functions used by certutil -A so it's no
longer necessary to call this external command from Java.

- - - - -
95765862 by Endi S. Dewata at 2023-11-13T13:52:11-06:00
Update version number to 5.5.0-alpha3

- - - - -
80cc9baa by Endi S. Dewata at 2023-11-27T07:41:39+07:00
Fix NPE in TomcatJSS.loadTomcatConfig()

- - - - -
864fb437 by Endi S. Dewata at 2024-02-05T12:37:32-06:00
Update wait-on-check-action

- - - - -
68a0df25 by Endi S. Dewata at 2024-02-07T22:41:15+07:00
Fix BASE_IMAGE param

The tests in GitHub and Azure DevOps have been modified
to run using the latest Fedora by default, but it can be
changed using the BASE_IMAGE param.

The GitHub tests have also been updated to reuse the
images created by the build workflow. The build workflow
has also been modified to store the images in a single
cache instead of separate caches.

The runner-init.sh has been modified to use a positional
argument to specify the container name and use jss-runner
image by default.

https://github.com/dogtagpki/pki/wiki/Configuring-Test-OS

- - - - -
130d543f by Endi S. Dewata at 2024-02-08T21:16:15+07:00
Update kea_alg_defs to match NSS 3.97

The kea_alg_defs array in SSLCipher.c has been updated to match
the one defined in NSS 3.97. The assertion that compares the size
of the array with ssl_kea_size has also been removed. These
changes will allow JSS to work with the newer NSS 3.97 on Fedora
Rawhide as well as the older NSS versions on other platforms.

Resolves: https://github.com/dogtagpki/jss/issues/991

- - - - -
ad842a55 by Endi S. Dewata at 2024-02-15T15:20:11-06:00
Update actions/checkout

- - - - -
1e1cec91 by Endi S. Dewata at 2024-02-15T16:09:49-06:00
Update actions/cache

- - - - -
8903fa7c by Endi S. Dewata at 2024-02-15T16:09:49-06:00
Update actions/setup-java

- - - - -
3b84d028 by Endi S. Dewata at 2024-02-15T16:09:49-06:00
Update actions/upload-artifact

- - - - -
4a8cb1c7 by Endi S. Dewata at 2024-02-15T16:09:49-06:00
Update docker/setup-buildx-action

- - - - -
1a817478 by Endi S. Dewata at 2024-02-15T16:09:49-06:00
Update docker/build-push-action

- - - - -
3347bb16 by Endi S. Dewata at 2024-02-15T16:09:49-06:00
Update docker/login-action

- - - - -
da2508eb by Endi S. Dewata at 2024-02-16T10:21:05-06:00
Fix PKCS #11 constants test

The PKCS #11 constants test failed on Fedora 40 since it
uses NSS 3.97 that provides some new PKCS #11 constants.
As a workaround the new constants need to be excluded until
NSS 3.97 becomes available on all supported platforms.

The test has also been modified to reuse the jss-builder
image which already has the build dependencies.

Resolves: https://github.com/dogtagpki/jss/issues/993

- - - - -
2ac7624a by Endi S. Dewata at 2024-02-19T15:56:54-06:00
Fix REGISTRY_NAMESPACE param

The CI has been updated to install packages from the specified
REGISTRY_NAMESPACE.

- - - - -
d2a28847 by Endi S. Dewata at 2024-02-20T14:54:49-06:00
Fix REGISTRY_NAMESPACE default values

- - - - -
959bb3ce by Endi S. Dewata at 2024-02-21T11:25:11-06:00
Update version number to 5.5.0

- - - - -


30 changed files:

- .classpath
- .github/workflows/build-tests.yml
- .github/workflows/build.yml
- .github/workflows/code-analysis-pull.yml
- .github/workflows/code-analysis.yml
- .github/workflows/external-application-connection-tests.yml
- − .github/workflows/init.yml
- .github/workflows/known_failures.yml
- .github/workflows/pkcs11-tests.yml
- .github/workflows/pki-build-test.yml
- .github/workflows/pki-ca-test.yml
- .github/workflows/pki-tests.yml
- .github/workflows/pki-tools-test.yml
- .github/workflows/pki-tps-test.yml
- .github/workflows/publish.yml
- .github/workflows/tomcat-tests.yml
- .gitignore
- + .packit.yaml
- CMakeLists.txt
- Dockerfile
- README.md
- azure-pipelines.yml
- base/pom.xml
- base/src/broken_test/java/org/mozilla/jss/tests/DirStrConverterTest.java
- base/src/broken_test/java/org/mozilla/jss/tests/GenericASN1ExtensionTest.java
- base/src/main/java/org/mozilla/jss/JSSProvider.java
- base/src/main/java/org/mozilla/jss/asn1/SET.java
- base/src/main/java/org/mozilla/jss/crypto/CryptoStore.java
- base/src/main/java/org/mozilla/jss/netscape/security/util/ObjectIdentifier.java
- base/src/main/java/org/mozilla/jss/netscape/security/x509/AVA.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/jss/-/compare/7e99d7e747d64ce93372afd7dd6c3ec252fb4cec...959bb3ceb299ab1ab113b07c702178df090de5fe
