[Pkg-freeipa-devel] [Git][freeipa-team/jss][master] 171 commits: Update Tomcat test
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Mon Feb 16 10:47:25 GMT 2026
Timo Aaltonen pushed to branch master at FreeIPA packaging / jss
Commits:
efaac439 by Endi S. Dewata at 2024-03-01T21:32:28-06:00
Update Tomcat test
The Tomcat test has been updated to use packages from Quay.io
and use the correct JSSImplementation.
- - - - -
e63096d6 by Endi S. Dewata at 2024-03-01T21:51:36-06:00
Fix SPDX license
- - - - -
a977b5d4 by Endi S. Dewata at 2024-03-01T21:51:42-06:00
Update version number to 5.6.0-alpha1
- - - - -
ad92c996 by Endi S. Dewata at 2024-03-06T08:20:20-06:00
Update Java dependencies
The RPM spec has been updated to use Java 21 on Fedora 40 or
later and Java 17 on other platforms.
The Dockerfile has been modified to remove any Java packages
pulled by the existing JSS package to ensure that the build
will be done using the correct Java version.
- - - - -
66bd995f by dependabot[bot] at 2024-03-11T12:53:30+01:00
Bump org.apache.tomcat:tomcat-catalina from 9.0.62 to 9.0.83 in /tomcat
Bumps org.apache.tomcat:tomcat-catalina from 9.0.62 to 9.0.83.
---
updated-dependencies:
- dependency-name: org.apache.tomcat:tomcat-catalina
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
f94352e0 by Marco Fargetta at 2024-03-14T10:48:24+01:00
Fix missing OID mappings
Pretty print some additional OID:
OCSP No Check - id-pkix-ocsp-nocheck { 1.3.6.1.5.5.7.48.1.5}
Inhibit Any Policy {2.5.29.54}
Extended Key Usage:
- serverAuth {1 3 6 1 5 5 7 3 1}
- clientAuth {1 3 6 1 5 5 7 3 2}
- codeSigning {1 3 6 1 5 5 7 3 3}
- emailProtection {1 3 6 1 5 5 7 3 4}
- id-kp-ipsecIKE {1 3 6 1 5 5 7 3 17}
- iKEIntermediate {1 3 6 1 5 5 8 2 2}
- - - - -
5ecb67d4 by Marco Fargetta at 2024-03-14T10:48:24+01:00
Fix static load of extensions
Static code inside the extension is not loaded by PrettyPrintCert because
only static final values of the class are referenced and these values are
resolved at compile time.
The static initialisation has moved from static block in the extension
to the OIDMap static block which is the class loaded at runtime.
Useless OID string from ExtendedKeyUsageExtension has been removed from previous
commit and existing OIDs (ocsp signing and code signing) have been deprecated.
- - - - -
890916c3 by Endi S. Dewata at 2024-03-14T08:58:31-05:00
Add sslget
The sslget command has been moved from pki-tools to jss-tools.
- - - - -
dfd70662 by Endi S. Dewata at 2024-03-20T09:00:25-05:00
Add p12tool
The p12tool command has been moved from pki-tools to jss-tools.
- - - - -
a76c3fc7 by Endi S. Dewata at 2024-03-21T11:17:16-05:00
Add p7tool
The p7tool command has been moved from pki-tools to jss-tools.
- - - - -
92aa62c9 by Endi S. Dewata at 2024-04-08T12:01:44-05:00
Update exception handling in PFX.verifyAuthSafes()
Previously the PFX.verifyAuthSafes() discarded the original
exception and simply returned a generic error message which
was usually insufficient to determine the cause of the issue.
To help troubleshooting, the PFX.verifyAuthSafes() has been
modified to throw the exception so the original error message
and the stack trace are preserved.
- - - - -
3b7221ef by Marco Fargetta at 2024-04-15T10:24:36+02:00
Enable certification verification using CRL-DP
Currently certificates can be validated only using OCSP with a configured
responder or using the AIA certificate extension. If the responder
cannot be used verification is not possible. This is the case for the
startup certificates of the responder.
The new policy add a verification using the CRL-DP extension defined in
the certificate. If AIA extension is defined it has precedence over the
CRLs and if no other check are performed.
This new method takes place when OCSP is configured without a default
responder and the PKIX verification method is adopted (with the policy
OCSP_LEAF_AND_CHAIN_POLICY).
At least a verification method, defined in the certificate, has to return
success to accept the certificate.
- - - - -
db23733e by Marco Fargetta at 2024-04-15T10:24:36+02:00
Rename enableOCSP to enableRevocationCheck
Since verification with CRL-DP is introduced and it is enabled using
this parameter the name is modified to be not related only to OCSP.
- - - - -
242024a3 by Marco Fargetta at 2024-04-15T10:24:36+02:00
Add revocation check fallback for PKIX based verification
In case of CRLDP and AIA extensions available in the certificate the
PKIX verification flags do not allow to implement a fallback mechanism
because the fallback remain active also for certificate with only one
extension with unexpected behaviour.
A more dynamic approach is introduced verifying the presence of the
CRLDP extension and setting the flags accordingly.
- - - - -
47d766aa by Marco Fargetta at 2024-04-15T10:58:11+02:00
Fix debug log message in TomcatJSS
A log message was reporting an incorrect variable name.
- - - - -
ea793327 by Endi S. Dewata at 2024-05-09T10:13:54-05:00
Fix error handling in JSSTokenKeyManager
The JSSTokenKeyManager.getCertificate() and getCertificateChain()
have been updated to return null if the cert/cert chain does not
exist.
https://docs.oracle.com/en/java/javase/17/docs/api/java.base/javax/net/ssl/X509KeyManager.html#getCertificateChain(java.lang.String)
- - - - -
a1533e46 by Endi S. Dewata at 2024-05-10T11:03:55-05:00
Update PKI tests to check systemd journals and debug logs
- - - - -
f99e10a5 by Endi S. Dewata at 2024-05-10T10:56:50-06:00
Replace IPasswordStore with PasswordStore
The PasswordStore has been added to replace IPasswordStore.
The IPasswordStore has been deprecated and will be removed
in the future.
- - - - -
34a3f9a6 by Endi S. Dewata at 2024-05-10T12:27:38-05:00
Update PostgreSQL test to check CSR and cert extensions
- - - - -
945cb067 by Marco Fargetta at 2024-05-20T10:56:31+02:00
Fix CRL check when CA miss CRLSign key usage
When CRLSign key usage is not present NSS crl check will consider
the CRL source not present and skip the test. This is against the policy
we want to implement.
This change force the need for the information source and the
certificate will be marked as revoked if CRLSign is not present.
- - - - -
b2dd53ac by Marco Fargetta at 2024-05-22T16:29:39+02:00
Fix EKU decoding
OIDMap was not correctly mapping EKU when decoding a certificate to an
X509CertImpl object because the name should include the full
path from the Root element
- - - - -
0da84f41 by Marco Fargetta at 2024-05-23T12:12:56+02:00
Include certificate information in SSL session
Certificates are included in the SSL session also in case of handshake
failure. If certificate are not available there are no exception and or
error reported beside the one creating the failure.
Certificate information are needed in case of event audits.
- - - - -
1f26f746 by Marco Fargetta at 2024-06-26T09:59:48+02:00
Fix test 17 error on build
With the nss update to >= 3.101 the nss context gets initialised after
the CryptoManager instance is retrieved so this step is added before
the test.
Additional, the ssl option test for get and set has been modified to
enable/disable ssl cache since the ssl3 option is policy dependent and do not
always work.
- - - - -
e7e56196 by Endi S. Dewata at 2024-07-08T13:50:18-05:00
Reformat pom.xml
- - - - -
e3a059ac by Endi S. Dewata at 2024-07-09T10:22:20-05:00
Publish Maven artifacts to dogtagpki/repo
Previously JSS's Maven artifacts were published to GitHub Packages
which is a private repository so it's difficult to use.
To resolve the problem, the pom.xml has been modified to publish
the artifacts to a publicly accessible dogtagpki/repo instead.
- - - - -
f04ef494 by Endi S. Dewata at 2024-07-09T15:28:07-05:00
Add PK11RSAPrivateKey.getParams()
The PK11RSAPrivateKey.getParams() has been added based on the
same method in PK11ECPrivateKey to resolve build issue with
Java 22.
- - - - -
758327ab by Endi S. Dewata at 2024-07-09T18:13:53-05:00
Replace pki client-cert-import
The CI tests has been updated to use pki nss-cert-import and
pki pkcs12-import commands to import certs and PKCS #12 files.
- - - - -
b933b585 by Endi S. Dewata at 2024-07-11T11:30:32-05:00
Update Eclipse classpath
- - - - -
d0a89ef4 by Endi S. Dewata at 2024-07-11T11:30:32-05:00
Clean up build tests
- - - - -
832022d9 by Endi S. Dewata at 2024-07-23T12:04:49-05:00
Refactor SSLSocket and JSSSocket
SSLSocket is an older code based on the plain Java Socket.
JSSSocket is a newer code based on Java SSLEngine and should
eventually replace SSLSocket.
To help the transition, SSLSocket has been modified to extend
javax.net.ssl.SSLSocket and JSSSocket has been modified to
extend SSLSocket. Once everything is migrated to JSSSocket, the
SSLSocket can be deprecated and eventually dropped.
- - - - -
94b00c54 by Endi S. Dewata at 2024-07-26T17:30:44-05:00
Replace TokenCertificate with PK11Cert
- - - - -
1904b72d by Endi S. Dewata at 2024-07-26T17:36:39-05:00
Replace InternalCertificate with PK11Cert
- - - - -
ce4289be by Endi S. Dewata at 2024-07-29T09:40:53-05:00
Refactor X509Certificate
To improve interoperability with standard Java classes, the
org.mozilla.jss.crypto.X509Certificate interface has been converted
into a class that extends java.security.cert.X509Certificate and
also implements InternalCertificate and TokenCertificate. The
PK11Cert class has been modified to extend this class.
- - - - -
192e87a4 by Endi S. Dewata at 2024-07-29T21:03:34-05:00
Update SSLCertificateApprovalCallback.approve()
The SSLCertificateApprovalCallback.approve() has been updated
to accept java.security.cert.X509Certificate instead of
org.mozilla.jss.crypto.X509Certificate so that it can be used
with certs coming from standard Java library.
- - - - -
6d2cc4b7 by Endi S. Dewata at 2024-07-31T00:00:47-05:00
Update JSSSocket.startHandshake()
The JSSSocket.startHandshake() has been modified to update the
peer hostname and port number in JSSSession.
- - - - -
aafa19fc by Endi S. Dewata at 2024-07-31T10:46:24-05:00
Clean up log messages in JSSTrustManager
- - - - -
c741bb2e by Endi S. Dewata at 2024-07-31T17:36:32-05:00
Clean up exception messages in SSLSocket
- - - - -
37922719 by Endi S. Dewata at 2024-07-31T21:22:59-05:00
Add CertValidationTask.handleCertificateException()
The CertValidationTask.handleCertificateException() has
been added to handle cert validation errors then throw
SSLPeerUnverifiedException.
- - - - -
e3ed4ccf by Endi S. Dewata at 2024-07-31T21:23:05-05:00
Clean up exception messages in JSSSocketChannel
- - - - -
8ca1a83f by Endi S. Dewata at 2024-08-01T08:59:49-05:00
Convert ValidityItem.cert into X509Certificate
- - - - -
39e9480a by Endi S. Dewata at 2024-08-01T09:48:42-05:00
Update CryptoManager.importCertToPerm() to return X509Certificate
- - - - -
666a1fd9 by Endi S. Dewata at 2024-08-01T13:00:19-05:00
Move trust constants and methods from PK11Cert to X509Certificate
- - - - -
0feecc42 by Endi S. Dewata at 2024-08-01T17:18:09-05:00
Remove PK11InternalCert and PK11InternalTokenCert
The PK11InternalCert and PK11InternalTokenCert are no longer
used so they have been removed.
- - - - -
4ddfa3ad by Endi S. Dewata at 2024-08-01T23:34:12-05:00
Add PK11Store.findCert()
The PK11Store.findCert() has been added to find a cert in NSS
token from its binary data.
- - - - -
8248e8ed by Endi S. Dewata at 2024-08-02T10:53:10-05:00
Update test for PKI tools
The test for PKI tools has been updated to test PKI CLI with
AES, RSA, and ECC.
- - - - -
dd6a5d73 by Endi S. Dewata at 2024-08-02T12:35:08-05:00
Add HSM test for PKI tools
- - - - -
6295c6e2 by Endi S. Dewata at 2024-08-02T14:44:56-05:00
Add PK11Store.findCertFromDERCertItem()
The PK11Store.findCertFromDERCertItem() has been added to find
a cert in NSS database using PK11_FindCertFromDERCertItem().
The findCert() has been modified to use this method.
- - - - -
d6741714 by Endi S. Dewata at 2024-08-02T16:38:40-05:00
Fix PK11Store.findCertFromDERCertItem()
The PK11Store.findCertFromDERCertItem() has been updated to
use the proper function to wrap the cert.
- - - - -
21bc2c89 by Endi S. Dewata at 2024-08-05T14:28:30-05:00
Add cert validation test
The PKI CA test has been updated to test server cert validation.
- - - - -
961c22bf by Endi S. Dewata at 2024-08-06T10:27:07-05:00
Revert PK11Store.findCert()
The PK11Store.findCert() has been modified to use
CryptoManager.findCertByIssuerAndSerialNumber() since
the findCertFromDERCertItem() seems to have issues in
some cases.
- - - - -
366295f9 by Endi S. Dewata at 2024-08-06T13:03:21-05:00
Split JSSTrustManager.checkCert()
The JSSTrustManager.checkCert() has been split into
checkSignature(), checkValidityDates(), and checkKeyUsage().
- - - - -
4b7c3b55 by Endi S. Dewata at 2024-08-06T15:50:02-05:00
Refactor JSSTrustManager.checkCertChain()
The loop in JSSTrustManager.checkCertChain() has been split
and moved into checkIssuerTrusted(), checkValidityDates(),
and checkKeyUsage().
- - - - -
2e9695e8 by Endi S. Dewata at 2024-08-07T09:26:58-05:00
Update JSSTrustManager to support trusted peers
JSSTrustManager has been updated to mimic NSS cert validation
which supports trusted peers. The checkCertChain() has been
modified to check whether the cert chain has P,, trust flags,
and if that's the case the cert chain is considered trusted
so it's not necessary to check the cert issuer anymore.
- - - - -
89a6e638 by Endi S. Dewata at 2024-08-09T10:27:50-05:00
Add cert approval callback for JSSTrustManager
Previously the JSSTrustManager would throw an exception to
reject a cert if it found an issue in the cert. The code has
been changed to collect all issues, then pass them into an
optional callback object. If the callback approves it, the
cert will be considered trusted. Otherwise, or if there is
no callback, the code will throw an exception based on the
first issue.
- - - - -
13048258 by Endi S. Dewata at 2024-08-09T13:36:07-05:00
Add hostname validation for JSSTrustManager
The JSSTrustManager has been modified to take an optional
hostname attribute. If provided, it will be used to validate
the SAN extension or the cert subject DN.
- - - - -
5eac839d by Jack Magne at 2024-08-13T15:54:25-07:00
Address- Investigate and fix CA installation is failing in exporting the admin certificate at pk12util command in FIPS mode.
https://issues.redhat.com/browse/RHCS-5222
The fix to follow addresses the part of the above issue with respect to how PKI through JSS creates p12 files.
This patch modifies the procedure to include higher rated algs for things such as the MAC of the entire PFX and the HMAC and possible
algs allowed when creating the encrypted private key info blob to place in the private key safe bag.
Currently we support our own version of PK11_ExportEncryptedPrivKeyInfoV2 that , to this point has served two purposes:
1. Allow us to use the new AES key wrap KWP algs.
2. In the case of fips mode, we have added a routine that moves a key between slots when needed, which doesn't currently
work in the current nss routine.
The fix implements changes that alows the routine to support the various AES_CBC enc algs as well as KWP. KWP is called by the pki
kra when creating p12 files, if so configured to do so. Alternatively we have a pkcs12 related comand utility that specifies AES_256_CBC.
The fix to JSS simply upgrades some defaults at this point. If we want to get more involved, we could also modify the cmd line tools to be able
to specify the algs in question through params.
- - - - -
654e706a by Jack Magne at 2024-08-20T10:41:48-07:00
Fix Red Hat Certificate SystemRHCS-5261:
Fix JSS self tests to not use DSA and generate < 2048 bit RSA keys
Remove / modify JSS self test code that previously generated DSA key pairs
and RSA key pairs of < 2048 bit sizes. Also remove tests generating RSA
key pairs with smaller than the minimum exponent sizes.
- - - - -
8122c917 by Endi S. Dewata at 2024-08-21T08:59:40-05:00
Clean up exception messages in JSSSignatureSpi
- - - - -
c194dd8a by Endi S. Dewata at 2024-08-21T08:59:48-05:00
Clean up exception messages in PKCS10
- - - - -
1999e32b by Endi S. Dewata at 2024-08-21T10:41:47-05:00
Update PKI CA test
Previously if a client tries to connect to a server but it does
not have the CA signing cert installed and trusted it will get
an UNTRUSTED_ISSUER error from NSS. In the latest NSS the error
has changed to UNKNOWN_ISSUER, so the test has been updated
accordingly.
- - - - -
6ee1d084 by Endi S. Dewata at 2024-08-21T11:05:17-05:00
Update lewagon/wait-on-check-action
- - - - -
a576bf16 by Endi S. Dewata at 2024-08-21T14:55:24-05:00
Update JSSTrustManager
The JSSTrustManager has been updated to generate UNKNOWN_ISSUER
instead of UNTRUSTED_ISSUER to match the latest NSS.
- - - - -
308a87ad by Endi S. Dewata at 2024-08-26T20:18:25-05:00
Update runner-init.sh
- - - - -
9e39f0ce by Endi S. Dewata at 2024-08-27T09:58:52-05:00
Add test for self-signed user cert validation
The PKI CA test has been updated to run PKI CLI using blocking
and non-blocking socket factories to perform cert validations
for variety of cases including self-signed user cert.
Currently there are inconsistencies in the SSL alerts generated
by these factories. They will be investigated separately later.
- - - - -
0f352ecb by Endi S. Dewata at 2024-08-28T13:37:40-05:00
Update SSLFDProxy to implement SSLSocketListener
Previously SSLFDProxy.c was accessing the fields in SSLFDProxy
class directly using JNI to update handshakeComplete and add SSL
alert events into inboundAlerts and outboundAlerts.
To make it easier to investigate SSL alert issues, SSLFDProxy has
been updated to implement SSLSocketListener then SSLFDProxy.c will
call SSLSocketListener methods to perform the above operations.
- - - - -
848846da by Andrew Hughes at 2024-08-28T14:12:10-05:00
Use Java 21 on RHEL 10
- - - - -
1753b744 by Endi S. Dewata at 2024-08-30T16:33:04-05:00
Reorganize Tomcat 9.0 files
- - - - -
8f0b1a7f by Endi S. Dewata at 2024-08-30T22:37:44-05:00
Update PKI tests to run DS in separate container
- - - - -
27530d97 by Endi S. Dewata at 2024-08-30T23:28:19-05:00
Update DS test scripts
- - - - -
cecc9b84 by Endi S. Dewata at 2024-09-04T10:13:47-05:00
Fix TPS test failure
PKI CA and TPS tests have been updated to use DS container
from Quay instead of DS packages from Fedora to avoid JSS
issue #994.
Resolves: https://github.com/dogtagpki/jss/issues/994
- - - - -
fa696637 by Marco Fargetta at 2024-10-15T10:00:16+02:00
Remove the unused method JSS_NSS_getEventArrayList()
The method was used to get SSLSoecketEvent but the mechanism has been
modified in the following commit and this is method is not used.
Update SSLFDProxy to implement SSLSocketListener (0f352ecb0848ff549cf6bc255d102e1077bb1eaa)
- - - - -
98ee16d5 by Endi S. Dewata at 2024-11-04T18:14:35-06:00
Fix JAVA_HOME on Fedora 42
- - - - -
7de8bfc4 by Marco Fargetta at 2025-01-17T22:52:51+01:00
Make sbin install dir configurable
Required in Fedora 42.
https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin
- - - - -
8d9c3977 by Marco Fargetta at 2025-01-17T22:52:51+01:00
Fix dnf localinstall
dnf5 drops support `localinstall` but just `install`.
- - - - -
b05fd401 by Endi S. Dewata at 2025-02-11T15:37:05-06:00
Update version number to 5.6.0
- - - - -
2f516c6e by Marco Fargetta at 2025-02-12T18:37:12+01:00
Fix missing SSL Alert
When trust manager fails to validate the certificate the generated
SSL exception does not trigger any alert. To fix the problem the SSL alert are always verified during the wrap operation.
- - - - -
0be511e4 by Endi S. Dewata at 2025-02-13T08:11:12-06:00
Update PKCS11Constants.java
The build_pkcs11_constants.py has been updated to no longer
exclude constants introduced in NSS 3.97 since newer NSS
versions are available on all supported platforms.
- - - - -
b98c6b57 by Marco Fargetta at 2025-02-13T15:22:47+01:00
Fix tomcat CI
The TLS 1.2 is supported and enabled in the crypto policy so it is
enabled in tomcat by default.
- - - - -
e6dcb650 by Endi S. Dewata at 2025-02-13T17:38:32+00:00
Update jss.spec
- - - - -
4907684a by Endi S. Dewata at 2025-02-14T11:11:30-06:00
Use Maven with OpenJDK 17 on RHEL 9
- - - - -
644cf0c8 by Endi S. Dewata at 2025-02-20T22:05:14+00:00
Use Tomcat 9 on RHEL 10
- - - - -
69b48307 by Marco Fargetta at 2025-02-25T13:16:26+01:00
Add nss cert verify to JSSTrustManager
Currently, JSSTrustManager does not verify if a certificate has been
revoked using OCSP or CRLDP specified in the certificate. To include
this verification an additional check is include to enable verification
using NSS.
- - - - -
666a14f7 by Marco Fargetta at 2025-02-25T13:16:26+01:00
Fix pki version in workflows
- - - - -
18e97f6f by Endi S. Dewata at 2025-02-25T10:10:08-06:00
Add test for HTTPS with TLS 1.3 in Tomcat
The current test for HTTPS with default settings has been
moved into a new GH workflow. A new test has been added for
HTTPS with TLS 1.3.
- - - - -
8655098a by Marco Fargetta at 2025-02-26T10:37:07+01:00
JSSTrustManager check revokation only if trusted issuer
If the certificate is a trusted peer there is not check of the issuer
and/or the certificate.
If the issuer is not available, or it is a trusted peer, the revocation
is not verified because it cannot verify the full chain in any case.
The issue is already reported.
- - - - -
31699ded by Endi S. Dewata at 2025-02-26T10:19:00-06:00
Add test for HTTPS with specific ciphers
A new GH workflow has been added to test HTTPS in Tomcat with
specific ciphers.
- - - - -
7545ede2 by Marco Fargetta at 2025-02-27T18:50:11+01:00
Add test for reveked check in JSSTrustManager
- - - - -
867f0323 by Timo Aaltonen at 2025-03-04T08:50:30+02:00
Merge branch 'upstream'
- - - - -
c2359119 by Timo Aaltonen at 2025-03-04T08:50:52+02:00
version bump
- - - - -
e2861c2f by Marco Fargetta at 2025-03-05T11:45:11+01:00
Add test for JSSTrutManager ignoring revocation
- - - - -
e8a8c492 by Endi S. Dewata at 2025-03-06T19:05:19-06:00
Update version number to JSS 5.7.0-alpha1
- - - - -
d6b84eac by Marco Fargetta at 2025-03-07T10:10:55+01:00
Add CI for OCSP fails in JSSTrustManger
- - - - -
9e4a82e2 by Marco Fargetta at 2025-03-13T13:36:01+01:00
Add stale CI
- - - - -
55fde5ff by Endi S. Dewata at 2025-03-13T10:31:34-05:00
Downgrade dependency to NSS 3.90 to support RHEL 8
- - - - -
4b587c70 by Endi S. Dewata at 2025-03-17T10:12:49-05:00
Fix token enrollment failure in TPS test
The TPS test has been updated to configure the new TPS param
added recently which is required for token enrollment:
https://github.com/dogtagpki/pki/commit/847ddbc9e146603d11e917609411fde03e301778
- - - - -
bd6dea2a by Endi S. Dewata at 2025-03-18T09:50:45-05:00
Update CA test to ignore PKI version number
The CA test has been updated to no longer expect a specific PKI
version number to make it more reliable.
- - - - -
6bcca131 by Marco Fargetta at 2025-03-20T15:13:20+01:00
Fix write problem with blocking channel
JSSSocket can be used with blocking and non blocking channel.
When used with blocking channel the write has to send all data in a
single request but if the sending buffer is full only that is
sent and the remaining data will be send in following write operations.
This commit fix the write adding consecutive operations if the buffer is full
in order to send all application data.
- - - - -
12957843 by Marco Fargetta at 2025-03-24T11:44:49+01:00
Make JSSSocket close() idempotent
Invoking multiple times the close() method generate an exception because
it calls the init() which tries to access closed channels.
The close() method is defined in Closeable interface and it has to be
idempotent so it should be possible to call again without errors.
This is a problem with third party libraries not checking if the socket
has been closed but call multiple times the close() method generating
error.
- - - - -
4b8b37d0 by Marco Fargetta at 2025-03-24T11:44:49+01:00
Update CI error message check for JSSSocket client
With idempotent close some error have changed because the close is not
creating error and the real problem get visible
- - - - -
26cced2e by Endi S. Dewata at 2025-03-26T18:05:51-05:00
Update log messages in TomcatJSS
- - - - -
b885cf79 by Endi S. Dewata at 2025-07-01T09:00:39-04:00
Use OpenJDK 21 on Debian
- - - - -
f3b33684 by Endi S. Dewata at 2025-07-01T09:00:42-04:00
Remove obsolete test for blocking socket factory
- - - - -
e5214928 by Endi S. Dewata at 2025-07-01T09:02:39-04:00
Fix PKI build failure
- - - - -
7fdbbdd5 by Endi S. Dewata at 2025-07-01T09:02:46-04:00
Update version number to 5.7.0-beta1
- - - - -
f32fe3eb by Marco Fargetta at 2025-07-01T13:50:24-04:00
Add EC public key generation from spec
Public key generation has been updated to allow the creation of ECPublicKey
from the ECPublicKeySpec.
The code was requiring the encoded public key to generate a new key to use
for signing verification but this is a limitation when the encoded key is
not available, as for JWS validation using ES256 algorithm.
- - - - -
99568a07 by Endi S. Dewata at 2025-07-01T13:50:46-04:00
Update version number to 5.8.0-beta1
- - - - -
76bd1e95 by Super User at 2025-07-01T17:17:28-04:00
Update NSS dependency
- - - - -
1565b322 by Endi S. Dewata at 2025-07-04T00:50:01-04:00
Update COPR repo and container images
- - - - -
011b303c by Endi S. Dewata at 2025-07-07T10:54:55-05:00
Fix version number for CMake
- - - - -
df724c03 by Endi S. Dewata at 2025-07-07T11:13:17-05:00
Fix version number for CMake
- - - - -
c6f21d92 by Marco Fargetta at 2025-07-07T20:38:36+02:00
Cleanup EC public key generation
EC key size has been moved into the ECCurve Enum. The key byte arrays
are handled with System.arraycopy instead of custom for loops.
New private method to convert BigInteger to byte array has been
documented.
- - - - -
e164c37b by jmagne at 2025-07-07T14:07:18-07:00
Fix: Red Hat Certificate SystemRHCS-5663
Dogtag on f43 / tomcat 10 - pki - Get current rest easy 3.x working under the CA - phase 2.
JSS modifications needed to make dogtag work under tomcat10.
Restore tomcat-9.0 directory to original master contents.
Update to 5.8.0 in tomcat-10.1/pom.xml.
Update speec file to require correct tomcat10.1 version.
- - - - -
40064732 by Endi S. Dewata at 2025-07-08T12:40:38-05:00
Update version number to 5.9.0-alpha1
The build scripts have been modified to generate RPM version
numbers more compliant with Fedora Packaging Guidelines.
https://docs.fedoraproject.org/en-US/packaging-guidelines/Versioning
- - - - -
80674ead by Timo Aaltonen at 2025-07-09T14:28:43+03:00
Merge branch 'upstream'
- - - - -
cfd108c5 by Timo Aaltonen at 2025-07-09T14:29:37+03:00
version bump
- - - - -
e69f1b29 by Timo Aaltonen at 2025-07-09T14:40:29+03:00
control: Bump libnss3-dev dependency.
- - - - -
4dea5bab by Endi S. Dewata at 2025-07-15T12:29:29-05:00
Update Azure pipeline
The Azure pipeline has been updated to use the proper COPR
repository.
- - - - -
9c3b0716 by Christina Fu at 2025-07-17T13:20:14-07:00
fix build failure in dist-git centos caused by udpated NSS version with new pqc defs int auth_alg_defs[] (#1052)
jss.spec changes will be needed for dist-git.
For reference, this change corresponds to an NSS patch that currently exists on CentOS 10 only:
https://gitlab.com/redhat/centos-stream/rpms/nss/-/blob/c10s/nss-3.112-add-ml-dsa-ssl-support.patch?ref_type=heads#L965
- - - - -
06d9d210 by Christina Fu at 2025-07-18T14:28:39-07:00
Adding option for ENABLE_NSS_VERSION_PQC_DEF (#1053)
Note that we still need jss.spec to differentiate NSS versions to decide whether to set ENABLE_NSS_VERSION_PQC_DEF to on or off.
Fix as part of the build task:
https://issues.redhat.com/browse/IDM-2360
- - - - -
d9b5bee9 by Endi S. Dewata at 2025-07-21T18:04:52-05:00
Add basic Tomcat test
A new test has been added to check Tomcat files and perform
basic operations with Tomcat instances.
- - - - -
b0780bab by Christina Fu at 2025-07-25T08:49:39-07:00
addi matching PQC algs to auth_alg_defs[] with NSS (#1055)
Fix build failure caused by udpated NSS version with new pqc defs int auth_alg_defs[]
This requires the previous two commits:
commit 9c3b07160f6d685581216a1227953281d051ac94
commit 06d9d21048fadfd49ec6fe010615cbed9982fcd1
This patch makes cognizant of the os version.
fixes https://issues.redhat.com/browse/IDM-2428
- - - - -
82b869ea by Marco Fargetta at 2025-09-19T20:08:13+02:00
Update PKCS11 constants
NSS has deprecated some constants and modified their values.
The macro used to deprecate the value generate problem with the constant
generator implemented in JSS so it has been fixed and a new file with
updated values has been generated.
The constants creating problem where:
- CKT_NSS_UNTRUSTED
- CKT_NSS_VALID
- CKT_NSS_MUST_VERIFY
The new definition is in
https://github.com/nss-dev/nss/blob/bb3335174cfdf764cfe3b6806c3ad45c1b3d8d0b/lib/util/pkcs11n.h#L621-L632
Note: The script has been modified with the help of Claude Code
(https://claude.com/product/claude-code).
- - - - -
87456313 by Marco Fargetta at 2025-09-19T20:08:13+02:00
Update list of cipher in tomcat test
Update the list of ciphers reported by tomcat configured with JSS.
Some ciphers have changed their evaluation and a new one has been added making
the test failing.
- - - - -
9a924534 by Marco Fargetta at 2025-09-30T19:11:46+02:00
Add ML-DSA key pair generation
Add Mozilla-JSS provider include ML-DSA key generator.
It follow JEP-497 interface {1}. If "ML-DSA" is requested and not
initialisation is provided then "ML-DSA-65" keys are generated.
Alternatively, it is possible to specify the generator with "ML-DSA-44",
"ML-DSA-65" or "ML-DSA-87".
For the generic case the initialisation is note done with named parameter spec but with the value since a value is requested by NSS.
1. https://openjdk.org/jeps/497
- - - - -
c1844db0 by Marco Fargetta at 2025-09-30T19:11:46+02:00
Add ML-DSA signing operation
The ML-DSA signing algorithm is included in Mopzilla-JSS.
Currently, the signature size will depend on the key size and there is
not possibility to force the size as indicated in the JEP 497 [1] because
currently not supported in available NSS.
1. https://openjdk.org/jeps/497
- - - - -
28e84a94 by Marco Fargetta at 2025-09-30T19:11:46+02:00
Add ML-DSA-* algorithm IDs
Add the OID for ML-DSA so the certificate can be printed correctly.
- - - - -
724b844d by Marco Fargetta at 2025-09-30T19:11:46+02:00
Limit ML-DSA to RHEL-10.1
Currently, NSS is supporting ML-DSA only in RHEL-10.1 so the new ML-DSA
algorithm can be built and tested only in that platform.
- - - - -
7afd50f9 by Marco Fargetta at 2025-09-30T19:11:46+02:00
Add PQC to new RHEL-9.x version
The PQC enabled nss version has been ported to CentOS 9 stream for
future releases of RHEL-9.x so PQC has been enabled for those
versions.
Done with Claude Code support.
- - - - -
e536f641 by jmagne at 2025-10-08T15:42:35-07:00
Fix: Red Hat Certificate SystemRHCS-5663 Dogtag on f43 / tomcat 10 - pki - Get current rest easy 3.x working under the CA - phase 2.
JSS modifications needed to make dogtag work under tomcat10.
Restore tomcat-9.0 directory to original master contents.
Update to 5.8.0 in tomcat-10.1/pom.xml. Update speec file to require correct tomcat10.1 version.
Update to build and run on >= f41.
Address review comments.
- - - - -
23df74fc by jmagne at 2025-10-10T09:38:35-07:00
Try to get CentOs /Rhel to build in copr.
Simplify if block that determines java jdk version.
- - - - -
fe64a781 by Marco Fargetta at 2025-10-14T10:38:59+02:00
Add test for SSL connection using ML-DSA certificates
These test require a NSS version fully enabled to PQC
- - - - -
c0afd4d5 by Marco Fargetta at 2025-10-14T10:38:59+02:00
iUpdate PKCS11 constants
- - - - -
5a27a535 by Marco Fargetta at 2025-10-14T10:38:59+02:00
Add cahnge doc for ML-DSA
- - - - -
375623a7 by Marco Fargetta at 2025-10-14T10:38:59+02:00
Remove rhel-9 from packit
- - - - -
25942f0c by Marco Fargetta at 2025-10-14T10:38:59+02:00
Update NSS requirement to 3.112
- - - - -
e36794e4 by Marco Fargetta at 2025-10-22T19:48:21+02:00
Add support for multiple server certificates
Introduce support for multiple certificates in the server SSL configuration.
Tomcat configuration support multiple `Certificate` elements in `SSLHostConfig` of different type [1].
This functionality is supported by NSS which will select the most
appropriate certificate as result of the negotiation.
1. https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig
- - - - -
c5566fc2 by Marco Fargetta at 2025-10-22T19:48:21+02:00
Add CI test for multiple server certificates
- - - - -
d8e6a562 by jmagne at 2025-10-28T09:22:32-07:00
Fix [Dev] intermittent SSL alert received: HANDSHAKE_FAILURE - error 552 - phase 2
This JSS code workaround takes steps to make sure ONLY SSL Server Cert private keys are marked
as NOT temporary. We have a case on a certain HSM where NSS makes a copy of the SSL Server private key on the token and
hands it to our JSS SSLEngine implementation. After serveral separate incoming SSL connections, the Java GC
attempts to clean up the private key references periodically. Since the SSL Server private key copy is marked as temporary,
the normal call to clean up a private key reference has been known to delete the key from the token. Since NSS uses this copy
over a long perid of time, any early deletion of this key will make subsequent SSL connections to fail, until the server is reset.
This fix makes sure the private key refernces kept inour java objects are NOT set to temporary. When the GC runs all calls to clean
up the private key reference will not accidentally remove the key from the token.
Fixed to adust to the fact that JSSEngineImpl no longer has a cert and key object, instead some ArrayList.
- - - - -
6ec53553 by Marco Fargetta at 2025-10-28T19:21:13+01:00
Add all ML-DSA variants algorithms
PKI code requires to explicitly specify the signature algorithms so the
generic "ML-DSA" algorithm is replaces with its variants and this is
just a link to the default "ML-DSA-65".
Additionally, KeyType and Cert have been modified to handle ML-DSA
variants so certificates can be generated in JSS using NSS code only for
the signature.
- - - - -
ad48effd by Marco Fargetta at 2025-11-10T17:54:22+01:00
Fix PKCS12 import with ML-DSA keys
- - - - -
15d4e4fe by Marco Fargetta at 2025-11-10T17:54:22+01:00
Update PKCS11Constant
- - - - -
1b4e40f1 by Marco Fargetta at 2025-11-10T17:54:22+01:00
Fix workflow error for F43
- - - - -
e4588e3f by Endi S. Dewata at 2025-11-11T12:15:09-06:00
Update PKCS12Util.storeCertIntoNSS()
The PKCS12Util.storeCertIntoNSS() has been modified to store
the cert using CryptoStore.importCert() so that the nickname
will be preserved.
- - - - -
f2638d98 by Marco Fargetta at 2025-12-01T18:03:07+01:00
Update NSS requirement and enable PQC in Fedora
- - - - -
676f1167 by Marco Fargetta at 2025-12-01T18:03:07+01:00
Enable PQC when build with cmake
Fix cipher output in some tests to match with the update version.
- - - - -
4638de89 by Endi S. Dewata at 2025-12-04T10:14:42+07:00
Clean up log messages in PKCS12Util.getKeyInfo()
- - - - -
3bb41c5f by Endi S. Dewata at 2026-01-06T23:44:26+07:00
Fix build failure on Fedora 42
- - - - -
98365645 by Endi S. Dewata at 2026-01-08T08:30:23+07:00
Fix NSS runtime dependency
- - - - -
c07b0e61 by Marco Fargetta at 2026-01-15T16:19:27+01:00
Update COPR repo and container images
- - - - -
3585e289 by Marco Fargetta at 2026-01-15T16:22:47+01:00
Update version number to 5.9.0-beta1
- - - - -
bf243d4c by Marco Fargetta at 2026-01-15T16:53:24+01:00
Update Dockerfile references
- - - - -
959a4233 by Endi S. Dewata at 2026-01-22T00:30:15-06:00
Clean up RPM spec
- - - - -
33e60e6f by Endi S. Dewata at 2026-01-22T00:30:15-06:00
Fix CI for Fedora 42
- - - - -
f64c3d7a by Endi S. Dewata at 2026-01-22T17:21:01-06:00
Fix typos
- - - - -
cf79c68f by Endi S. Dewata at 2026-01-26T11:27:20-06:00
Fix Tomcat tests
The Tomcat tests have been updated to work with the latest
Tomcat and OpenSSL on Fedora 42 and 43.
- - - - -
26b5ab31 by Endi S. Dewata at 2026-01-26T11:27:20-06:00
Fix Azure pipeline
- - - - -
19261ac1 by Jack Magne at 2026-01-28T11:52:01-08:00
Fix inconsistent template for lunasa when generating tempoary private key as part of recovering private key for the kra.
- - - - -
d0d8a099 by Marco Fargetta at 2026-02-04T09:35:56+01:00
Customisable SSL buffer size
Buffer size for RSA and EC could be too small for PQC algorithms with
problem to read SSL packets.
The buffer size has been made customisable using the java option
`jdk.tls.maxHandshakeMessageSize` but the default value has not been
modified.
Additionally, in case the buffer become full and the communication
is not working because the packet cannot stay in the buffer, an SSL
exception is raised with a proper message so the admin can modify
the configuration.
Assisted-by: Claude
- - - - -
1d3aa310 by Marco Fargetta at 2026-02-06T18:53:41+01:00
Updating version to v5.9.0-beta2
- - - - -
932e1cc8 by Endi S. Dewata at 2026-02-09T14:11:23-06:00
Add test-init.sh
The test-init.sh has been added to initialize the default
values of some environment variables in several branches.
This way the same code can be used in multiple branches
which simplifies the branching process.
- - - - -
5a0a68bc by Endi S. Dewata at 2026-02-09T23:03:37+00:00
Update version number to 5.9.0-beta3
- - - - -
6c36d8bb by Timo Aaltonen at 2026-02-16T12:25:37+02:00
control, rules: Build with javahelper.
- - - - -
568f7ca3 by Timo Aaltonen at 2026-02-16T12:26:23+02:00
control: Add libtomcat10-java to build-depends.
- - - - -
e06304a0 by Timo Aaltonen at 2026-02-16T12:26:58+02:00
Merge tag 'v5.8.0-beta1' into m
- - - - -
7b4a1bd0 by Timo Aaltonen at 2026-02-16T12:27:02+02:00
Merge branch 'master' into m
- - - - -
aba35a19 by Timo Aaltonen at 2026-02-16T12:30:27+02:00
version bump
- - - - -
4f6c4abf by Timo Aaltonen at 2026-02-16T12:35:10+02:00
control: Add libjss-tools.
- - - - -
d7e6ba37 by Timo Aaltonen at 2026-02-16T12:36:03+02:00
add maven files
- - - - -
a73d88bf by Timo Aaltonen at 2026-02-16T12:40:42+02:00
watch: Migrate to version 5.
- - - - -
81e90d96 by Timo Aaltonen at 2026-02-16T12:46:15+02:00
control: Add libjss-tools, disabled for now.
- - - - -
87356df5 by Timo Aaltonen at 2026-02-16T12:46:58+02:00
releasing package jss version 5.9.0~beta3-1
- - - - -
171 changed files:
- .classpath
- .github/workflows/build-tests.yml
- .github/workflows/build.yml
- .github/workflows/external-application-connection-tests.yml
- .github/workflows/pkcs11-tests.yml
- .github/workflows/pki-build-test.yml
- .github/workflows/pki-ca-test.yml
- .github/workflows/pki-tests.yml
- .github/workflows/pki-tools-test.yml
- .github/workflows/pki-tps-test.yml
- .github/workflows/publish.yml
- + .github/workflows/stale.yml
- + .github/workflows/tomcat-basic-test.yml
- + .github/workflows/tomcat-https-ciphers-test.yml
- + .github/workflows/tomcat-https-default-test.yml
- + .github/workflows/tomcat-https-multi-certificate-test.yml
- + .github/workflows/tomcat-https-tls13-test.yml
- .github/workflows/tomcat-tests.yml
- .packit.yaml
- CMakeLists.txt
- Dockerfile
- azure-pipelines.yml
- base/pom.xml
- base/src/main/java/org/mozilla/jss/CryptoManager.java
- base/src/main/java/org/mozilla/jss/JSSProvider.java
- base/src/main/java/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
- base/src/main/java/org/mozilla/jss/crypto/Algorithm.java
- base/src/main/java/org/mozilla/jss/crypto/CryptoStore.java
- base/src/main/java/org/mozilla/jss/crypto/InternalCertificate.java
- base/src/main/java/org/mozilla/jss/crypto/KeyPairAlgorithm.java
- base/src/main/java/org/mozilla/jss/crypto/PrivateKey.java
- base/src/main/java/org/mozilla/jss/crypto/SignatureAlgorithm.java
- base/src/main/java/org/mozilla/jss/crypto/TokenCertificate.java
- base/src/main/java/org/mozilla/jss/crypto/X509Certificate.java
- base/src/main/java/org/mozilla/jss/netscape/security/extensions/ExtendedKeyUsageExtension.java
- base/src/main/java/org/mozilla/jss/netscape/security/extensions/InhibitAnyPolicyExtension.java
- base/src/main/java/org/mozilla/jss/netscape/security/extensions/OCSPNoCheckExtension.java
- base/src/main/java/org/mozilla/jss/netscape/security/pkcs/PKCS10.java
- base/src/main/java/org/mozilla/jss/netscape/security/pkcs/PKCS12Util.java
- base/src/main/java/org/mozilla/jss/netscape/security/util/Cert.java
- base/src/main/java/org/mozilla/jss/netscape/security/util/ExtPrettyPrint.java
- base/src/main/java/org/mozilla/jss/netscape/security/x509/AlgorithmId.java
- base/src/main/java/org/mozilla/jss/netscape/security/x509/OIDMap.java
- base/src/main/java/org/mozilla/jss/nss/SSLFDProxy.java
- base/src/main/java/org/mozilla/jss/pkcs11/KeyType.java
- base/src/main/java/org/mozilla/jss/pkcs11/PK11Cert.java
- − base/src/main/java/org/mozilla/jss/pkcs11/PK11InternalTokenCert.java
- base/src/main/java/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.java
- base/src/main/java/org/mozilla/jss/pkcs11/PK11PrivKey.java
- base/src/main/java/org/mozilla/jss/pkcs11/PK11RSAPrivateKey.java
- base/src/main/java/org/mozilla/jss/pkcs11/PK11Store.java
- base/src/main/java/org/mozilla/jss/pkcs11/PKCS11Constants.java
- base/src/main/java/org/mozilla/jss/pkcs12/PFX.java
- base/src/main/java/org/mozilla/jss/provider/java/security/JSSKeyPairGeneratorSpi.java
- base/src/main/java/org/mozilla/jss/provider/java/security/JSSKeyStoreSpi.java
- base/src/main/java/org/mozilla/jss/provider/java/security/JSSSignatureSpi.java
- base/src/main/java/org/mozilla/jss/provider/java/security/KeyFactorySpi1_2.java
- base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTokenKeyManager.java
- base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java
- base/src/main/java/org/mozilla/jss/ssl/SSLCertificateApprovalCallback.java
- base/src/main/java/org/mozilla/jss/ssl/SSLHandshakeCompletedEvent.java
- base/src/main/java/org/mozilla/jss/ssl/SSLSocket.java
- base/src/main/java/org/mozilla/jss/ssl/TestCertApprovalCallback.java
- base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngine.java
- base/src/main/java/org/mozilla/jss/ssl/javax/JSSEngineReferenceImpl.java
- base/src/main/java/org/mozilla/jss/ssl/javax/JSSParameters.java
- base/src/main/java/org/mozilla/jss/ssl/javax/JSSSocket.java
- base/src/main/java/org/mozilla/jss/ssl/javax/JSSSocketChannel.java
- base/src/main/java/org/mozilla/jss/util/ECCurve.java
- base/src/test/java/org/mozilla/jss/tests/GenerateTestCert.java
- base/src/test/java/org/mozilla/jss/tests/JCASigTest.java
- base/src/test/java/org/mozilla/jss/tests/KeyFactoryTest.java
- base/src/test/java/org/mozilla/jss/tests/ListCACerts.java
- base/src/test/java/org/mozilla/jss/tests/SSLClientAuth.java
- base/src/test/java/org/mozilla/jss/tests/TestCertificateApprovalCallback.java
- base/src/test/java/org/mozilla/jss/tests/TestKeyGen.java
- base/src/test/java/org/mozilla/jss/tests/TestRawSSL.java
- base/src/test/java/org/mozilla/jss/tests/TestSSLEngine.java
- build.sh
- cmake/JSSConfig.cmake
- cmake/JSSTests.cmake
- debian/changelog
- debian/control
- + debian/libjss-tools.install
- + debian/maven.ignoreRules
- + debian/maven.properties
- debian/rules
- debian/watch
- + docs/changes/v5.6.0/API-Changes.adoc
- + docs/changes/v5.6.0/Packaging-Changes.adoc
- + docs/changes/v5.6.0/Parameter-Changes.adoc
- + docs/changes/v5.9.0/Algorithm-Changes.adoc
- docs/pkcs11_constants.md
- examples/pom.xml
- jss.spec
- lib/jss.map
- native/pom.xml
- native/src/main/native/org/mozilla/jss/crypto/Algorithm.c
- native/src/main/native/org/mozilla/jss/crypto/Algorithm.h
- native/src/main/native/org/mozilla/jss/nss/SSLFDProxy.c
- native/src/main/native/org/mozilla/jss/nss/SSLFDProxy.h
- native/src/main/native/org/mozilla/jss/pkcs11/PK11Cert.c
- native/src/main/native/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
- native/src/main/native/org/mozilla/jss/pkcs11/PK11PrivKey.c
- native/src/main/native/org/mozilla/jss/pkcs11/PK11PubKey.c
- native/src/main/native/org/mozilla/jss/pkcs11/PK11Store.c
- + native/src/main/native/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.c
- native/src/main/native/org/mozilla/jss/ssl/SSLCipher.c
- native/src/main/native/org/mozilla/jss/ssl/common.c
- native/src/main/native/org/mozilla/jss/util/java_ids.h
- native/src/main/native/org/mozilla/jss/util/jssutil.c
- pom.xml
- symkey/pom.xml
- tests/bin/ds-create.sh
- tests/bin/ds-remove.sh
- + tests/bin/ds-start.sh
- + tests/bin/ds-stop.sh
- tests/bin/runner-init.sh
- + tests/bin/test-init.sh
- + tomcat-10.1/pom.xml
- + tomcat-10.1/src/main/java/org/dogtagpki/jss/tomcat/Http11NioProtocol.java
- + tomcat-10.1/src/main/java/org/dogtagpki/jss/tomcat/JSSContext.java
- + tomcat-10.1/src/main/java/org/dogtagpki/jss/tomcat/JSSImplementation.java
- tomcat/src/main/java/org/dogtagpki/jss/tomcat/JSSListener.java → tomcat-10.1/src/main/java/org/dogtagpki/jss/tomcat/JSSListener.java
- tomcat/src/main/java/org/dogtagpki/jss/tomcat/JSSNioEndpoint.java → tomcat-10.1/src/main/java/org/dogtagpki/jss/tomcat/JSSNioEndpoint.java
- + tomcat-10.1/src/main/java/org/dogtagpki/jss/tomcat/JSSSecureNioChannel.java
- + tomcat-10.1/src/main/java/org/dogtagpki/jss/tomcat/JSSUtil.java
- tomcat-9.0/pom.xml
- tomcat/src/main/java/org/dogtagpki/jss/tomcat/Http11NioProtocol.java → tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/Http11NioProtocol.java
- tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSContext.java
- + tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSListener.java
- + tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSNioEndpoint.java
- tomcat/src/main/java/org/dogtagpki/jss/tomcat/JSSSecureNioChannel.java → tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSSecureNioChannel.java
- tomcat-9.0/src/main/java/org/dogtagpki/jss/tomcat/JSSUtil.java
- tomcat/pom.xml
- tomcat/src/main/java/org/dogtagpki/jss/tomcat/IPasswordStore.java
- + tomcat/src/main/java/org/dogtagpki/jss/tomcat/PasswordStore.java
- tomcat/src/main/java/org/dogtagpki/jss/tomcat/PlainPasswordFile.java
- tomcat/src/main/java/org/dogtagpki/jss/tomcat/TomcatJSS.java
- + tools/CMakeLists.txt
- tools/build_pkcs11_constants.py
- + tools/src/main/native/p12tool/CMakeLists.txt
- + tools/src/main/native/p12tool/basicutil.c
- + tools/src/main/native/p12tool/basicutil.h
- + tools/src/main/native/p12tool/berparse.c
- + tools/src/main/native/p12tool/derprint.c
- base/src/main/java/org/mozilla/jss/pkcs11/PK11InternalCert.java → tools/src/main/native/p12tool/ffs.c
- + tools/src/main/native/p12tool/moreoids.c
- + tools/src/main/native/p12tool/p12tool.c
- + tools/src/main/native/p12tool/p12tool.h
- + tools/src/main/native/p12tool/pk11table.c
- + tools/src/main/native/p12tool/pk11table.h
- + tools/src/main/native/p12tool/pppolicy.c
- + tools/src/main/native/p12tool/secpwd.c
- + tools/src/main/native/p12tool/secutil.c
- + tools/src/main/native/p12tool/secutil.h
- + tools/src/main/native/p7tool/CMakeLists.txt
- + tools/src/main/native/p7tool/NSPRerrs.h
- + tools/src/main/native/p7tool/SECerrs.h
- + tools/src/main/native/p7tool/SSLerrs.h
- + tools/src/main/native/p7tool/p7tool.c
- + tools/src/main/native/p7tool/pppolicy.c
- + tools/src/main/native/p7tool/secerror.c
- + tools/src/main/native/p7tool/secerror.h
- + tools/src/main/native/p7tool/secpwd.c
- + tools/src/main/native/p7tool/secutil.c
- + tools/src/main/native/p7tool/secutil.h
- + tools/src/main/native/sslget/CMakeLists.txt
- + tools/src/main/native/sslget/getopt.c
- + tools/src/main/native/sslget/sslget.c
- update_version.sh
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/jss/-/compare/45983d36c18b9c4ca9e6e896762f356511dc0692...87356df575467b5162dcce8cefc51cc9035cb32c
--
View it on GitLab: https://salsa.debian.org/freeipa-team/jss/-/compare/45983d36c18b9c4ca9e6e896762f356511dc0692...87356df575467b5162dcce8cefc51cc9035cb32c
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20260216/356d0bdb/attachment-0001.htm>
More information about the Pkg-freeipa-devel
mailing list