[Pkg-fedora-ds-maintainers] jss: Changes to 'debian-unstable'
Timo Aaltonen
tjaalton-guest at alioth.debian.org
Wed Jun 27 09:08:46 UTC 2012
debian/changelog | 1
debian/control | 2
debian/patches/jss-ECC-Phase2KeyArchivalRecovery.patch | 437 ++++++++++
debian/patches/jss-HSM-manufacturerID.patch | 62 +
debian/patches/jss-undo-BadPaddingException-deprecation.patch | 13
debian/patches/jss-undo-JCA-deprecations.patch | 163 +++
debian/patches/series | 4
7 files changed, 681 insertions(+), 1 deletion(-)
New commits:
commit 61692a8f9dd6f526da0956927dd6aa7d5e200b07
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed Jun 27 12:06:52 2012 +0300
control: Bump standards to 3.9.3, no changes.
diff --git a/debian/changelog b/debian/changelog
index 2ac2041..312036c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,7 @@ jss (4.3.1-4) UNRELEASED; urgency=low
* control: Drop jre dependency per current java policy.
* patches: More patches from Fedora.
* rules: Install the library in /usr/lib/jss.
+ * control: Bump standards to 3.9.3, no changes.
-- Timo Aaltonen <tjaalton at ubuntu.com> Tue, 04 Oct 2011 19:45:31 +0300
diff --git a/debian/control b/debian/control
index a7a9ea2..6033931 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Build-Depends: debhelper (>= 8.0.0),
libnss3-dev,
pkg-config,
quilt,
-Standards-Version: 3.9.1
+Standards-Version: 3.9.3
Vcs-Git: git://git.debian.org/git/pkg-fedora-ds/jss.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-fedora-ds/jss.git
Homepage: http://www.mozilla.org/projects/security/pki/jss/
commit fc28e1f41c44a01b89258857492c9e47c004dcd8
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Wed Jun 27 12:05:59 2012 +0300
more patches from Fedora
diff --git a/debian/patches/jss-ECC-Phase2KeyArchivalRecovery.patch b/debian/patches/jss-ECC-Phase2KeyArchivalRecovery.patch
new file mode 100644
index 0000000..49063eb
--- /dev/null
+++ b/debian/patches/jss-ECC-Phase2KeyArchivalRecovery.patch
@@ -0,0 +1,437 @@
+--- a/security/jss/build_java.pl
++++ b/security/jss/build_java.pl
+@@ -19,6 +19,7 @@
+ org.mozilla.jss.crypto.EncryptionAlgorithm
+ org.mozilla.jss.crypto.PQGParams
+ org.mozilla.jss.crypto.SecretDecoderRing
++org.mozilla.jss.asn1.ASN1Util
+ org.mozilla.jss.pkcs11.CertProxy
+ org.mozilla.jss.pkcs11.CipherContextProxy
+ org.mozilla.jss.pkcs11.PK11Module
+--- a/security/jss/lib/config.mk
++++ b/security/jss/lib/config.mk
+@@ -44,6 +44,7 @@
+ ../org/mozilla/jss/SecretDecoderRing \
+ ../org/mozilla/jss \
+ ../org/mozilla/jss/pkcs11 \
++ ../org/mozilla/jss/asn1 \
+ ../org/mozilla/jss/ssl \
+ ../org/mozilla/jss/util \
+ ../org/mozilla/jss/provider/java/security \
+--- a/security/jss/lib/jss.def
++++ b/security/jss/lib/jss.def
+@@ -332,6 +332,7 @@
+ Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative;
+ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative;
+ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowCUNative;
++Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid;
+ ;+ local:
+ ;+ *;
+ ;+};
+--- a/security/jss/lib/rules.mk
++++ b/security/jss/lib/rules.mk
+@@ -41,6 +41,7 @@
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsscrypto$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssmanage$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspkcs11$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
++ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssasn1$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jsspolicy$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssssl$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(DLL_PREFIX)jssutil$(DYNAMIC_LIB_EXTENSION)$(DYNAMIC_LIB_SUFFIX)
+@@ -48,6 +49,7 @@
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsscrypto$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssmanage$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspkcs11$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
++ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssasn1$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jsspolicy$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssssl$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+ -rm $(SOURCE_RELEASE_PREFIX)/$(SOURCE_RELEASE_LIB_DIR)/$(IMPORT_LIB_PREFIX)jssutil$(IMPORT_LIB_EXTENSION)$(IMPORT_LIB_SUFFIX)
+--- /dev/null
++++ b/security/jss/org/mozilla/jss/asn1/ASN1Util.c
+@@ -0,0 +1,97 @@
++/* ***** BEGIN LICENSE BLOCK *****
++ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
++ *
++ * The contents of this file are subject to the Mozilla Public License Version
++ * 1.1 (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ * http://www.mozilla.org/MPL/
++ *
++ * Software distributed under the License is distributed on an "AS IS" basis,
++ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++ * for the specific language governing rights and limitations under the
++ * License.
++ *
++ * The Original Code is the Netscape Security Services for Java.
++ *
++ * The Initial Developer of the Original Code is
++ * Netscape Communications Corporation.
++ * Portions created by the Initial Developer are Copyright (C) 1998-2000
++ * the Initial Developer. All Rights Reserved.
++ *
++ * Contributor(s):
++ *
++ * Alternatively, the contents of this file may be used under the terms of
++ * either the GNU General Public License Version 2 or later (the "GPL"), or
++ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++ * in which case the provisions of the GPL or the LGPL are applicable instead
++ * of those above. If you wish to allow use of your version of this file only
++ * under the terms of either the GPL or the LGPL, and not to allow others to
++ * use your version of this file under the terms of the MPL, indicate your
++ * decision by deleting the provisions above and replace them with the notice
++ * and other provisions required by the GPL or the LGPL. If you do not delete
++ * the provisions above, a recipient may use your version of this file under
++ * the terms of any one of the MPL, the GPL or the LGPL.
++ *
++ * ***** END LICENSE BLOCK ***** */
++#include "_jni/org_mozilla_jss_asn1_ASN1Util.h"
++#include <pk11func.h>
++#include <nspr.h>
++#include <seccomon.h>
++#include <key.h>
++#include <secitem.h>
++
++#include <jssutil.h>
++#include <java_ids.h>
++#include <jss_exceptions.h>
++#include <Algorithm.h>
++
++/***********************************************************************
++ *
++ * Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid
++ * retrieves OID description by NSS's OID Tag identifier
++ * the OID byte array is expected to be without the OID Tag (6) and size
++ * (together 2 bytes)
++ */
++JNIEXPORT jstring JNICALL
++Java_org_mozilla_jss_asn1_ASN1Util_getTagDescriptionByOid(JNIEnv *env, jobject this, jbyteArray oidBA)
++{
++ SECItem *oid = NULL;
++ SECOidTag oidTag = SEC_OID_UNKNOWN;
++ char *oidDesc = NULL;
++ jstring description= "";
++
++ if (oidBA == NULL) {
++ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
++ "JSS getTagDescriptionByOid: oidBA null");
++ goto finish;
++ } else {
++ /**************************************************
++ * Setup the parameters
++ *************************************************/
++ oid = JSS_ByteArrayToSECItem(env, oidBA);
++ if (oid == NULL) {
++ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
++ "JSS getTagDescriptionByOid: JSS_ByteArrayToSECItem failed");
++ goto finish;
++ }
++
++ /*
++ * SECOID_FindOIDTag() returns SEC_OID_UNKNOWN if no match
++ */
++ oidTag = SECOID_FindOIDTag(oid);
++ if (oidTag == SEC_OID_UNKNOWN) {
++ JSS_throwMsg(env, INVALID_PARAMETER_EXCEPTION,
++ "JSS getTagDescriptionByOid: OID UNKNOWN");
++ goto finish;
++ }
++
++ oidDesc = SECOID_FindOIDTagDescription(oidTag);
++ if (oidDesc == NULL) {
++ oidDesc = "";
++ }
++ description = (*env)->NewStringUTF(env, oidDesc);
++ }
++
++finish:
++ return description;
++}
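Review bot: `jstring description= "";` initialises a JNI reference with a C string literal, and that pointer is what the function returns on every error path (null `oidBA`, failed `JSS_ByteArrayToSECItem`, unknown OID) after `JSS_throwMsg`. A `char *` is not a valid `jstring`, so the initialiser should be `jstring description = NULL;`. The `SECItem` obtained from `JSS_ByteArrayToSECItem` is also never released in this function. Assuming it is heap-allocated, as its NULL-on-failure return suggests, add `if (oid != NULL) SECITEM_FreeItem(oid, PR_TRUE);` under the `finish:` label.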
+--- a/security/jss/org/mozilla/jss/asn1/ASN1Util.java
++++ b/security/jss/org/mozilla/jss/asn1/ASN1Util.java
+@@ -36,6 +36,8 @@
+ package org.mozilla.jss.asn1;
+
+ import java.io.*;
++import java.util.Arrays;
++
+ import org.mozilla.jss.asn1.InvalidBERException;
+ import org.mozilla.jss.util.Assert;
+
+@@ -114,4 +116,71 @@
+ numRead += nr;
+ }
+ }
++
++ /**
++ * returns the ECC curve byte array given the X509 public key byte array
++ *
++ * @param X509PubKeyBytes byte array of an X509PubKey
++ * @param withHeader tells if the return byes should inclulde the tag and size header or not
++ */
++ public static byte[] getECCurveBytesByX509PublicKeyBytes(byte[] X509PubKeyBytes,
++ boolean withHeader)
++ throws IllegalArgumentException, ArrayIndexOutOfBoundsException,
++ NullPointerException
++ {
++ if ((X509PubKeyBytes == null) || (X509PubKeyBytes.length == 0)) {
++ throw new IllegalArgumentException("X509PubKeyBytes null");
++ }
++
++ /* EC public key OID complete with tag and size */
++ byte[] EC_PubOIDBytes_full =
++ ASN1Util.encode(OBJECT_IDENTIFIER.EC_PUBKEY_OID);
++
++ /* EC public key OID without tag and size */
++ byte[] EC_PubOIDBytes =
++ Arrays.copyOfRange(EC_PubOIDBytes_full, 2, EC_PubOIDBytes_full.length);
++
++ int curveBeginIndex = 0;
++ for (int idx = 0; idx<= X509PubKeyBytes.length; idx++) {
++ byte[] tmp =
++ Arrays.copyOfRange(X509PubKeyBytes, idx, idx+EC_PubOIDBytes.length);
++ if (Arrays.equals(tmp, EC_PubOIDBytes)) {
++ curveBeginIndex = idx+ EC_PubOIDBytes.length;
++ break;
++ }
++ }
++
++ int curveByteArraySize = (int) X509PubKeyBytes[curveBeginIndex+ 1];
++
++ if (withHeader) {
++ /* actual curve with tag and size */
++ byte curve[] = Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex, curveBeginIndex + curveByteArraySize + 2);
++ return curve;
++ } else {
++ /* actual curve without tag and size */
++ byte curve[] =
++ Arrays.copyOfRange(X509PubKeyBytes, curveBeginIndex + 2,
++ curveBeginIndex + 2 + curveByteArraySize);
++ return curve;
++ }
++ }
++
++ /**
++ * getOIDdescription() returns a text description of the OID
++ * from OID byte array
++ * the OID byte array is expected to be without the OID Tag (6) and size
++ * (together 2 bytes)
++ */
++ public static String
++ getOIDdescription(byte[] oidBA) {
++ return getTagDescriptionByOid(oidBA);
++ }
++
++ /**
++ * get OID description JNI method
++ */
++ private native static String
++ getTagDescriptionByOid(byte[] oidBA);
++
++
+ }
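Review bot: `getECCurveBytesByX509PublicKeyBytes` never checks that the EC public-key OID was actually found. When it is absent, `curveBeginIndex` stays 0 and the method returns bytes from the start of the input, using `X509PubKeyBytes[1]` as the length. The length byte is also read as a signed `byte`, so a value of 0x80 or above goes negative (long-form DER lengths are not handled), and nothing checks that the computed range lies inside the array, because `Arrays.copyOfRange` zero-pads past the end. Since these bytes come from an encoded key that may be supplied from outside, the method should reject input it cannot parse instead of returning a plausible-looking array. The sketch below keeps the byte-search approach; decoding the SubjectPublicKeyInfo with the package's own ASN.1 classes would be the sturdier fix.

```java
        // … unchanged: null/empty check, EC_PubOIDBytes_full / EC_PubOIDBytes setup …
        int curveBeginIndex = -1;
        for (int idx = 0; idx + EC_PubOIDBytes.length <= X509PubKeyBytes.length; idx++) {
            // … unchanged: copyOfRange + Arrays.equals comparison, set curveBeginIndex, break …
        }
        if (curveBeginIndex < 0 || curveBeginIndex + 2 > X509PubKeyBytes.length) {
            throw new IllegalArgumentException("EC public key OID not found");
        }

        int curveByteArraySize = X509PubKeyBytes[curveBeginIndex + 1] & 0xff;
        if (curveByteArraySize > 0x7f
                || curveBeginIndex + 2 + curveByteArraySize > X509PubKeyBytes.length) {
            throw new IllegalArgumentException("unsupported or truncated curve encoding");
        }
        // … unchanged: withHeader / without-header copyOfRange returns …
```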
+--- a/security/jss/org/mozilla/jss/asn1/Makefile
++++ b/security/jss/org/mozilla/jss/asn1/Makefile
+@@ -57,7 +57,7 @@
+ #######################################################################
+ # (4) Include "local" platform-dependent assignments (OPTIONAL). #
+ #######################################################################
+-#include config.mk
++include config.mk
+
+
+ #######################################################################
+--- a/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
++++ b/security/jss/org/mozilla/jss/asn1/OBJECT_IDENTIFIER.java
+@@ -52,6 +52,12 @@
+ ///////////////////////////////////////////////////////////////////////
+
+ /**
++ * The OID space for EC
++ */
++ public static final OBJECT_IDENTIFIER EC_PUBKEY_OID =
++ new OBJECT_IDENTIFIER( new long[]{1, 2, 840, 10045, 2, 1} );
++
++ /**
+ * The OID space for RSA Data Security, Inc.
+ */
+ public static final OBJECT_IDENTIFIER RSADSI =
+--- /dev/null
++++ b/security/jss/org/mozilla/jss/asn1/config.mk
+@@ -0,0 +1,41 @@
++#
++# ***** BEGIN LICENSE BLOCK *****
++# Version: MPL 1.1/GPL 2.0/LGPL 2.1
++#
++# The contents of this file are subject to the Mozilla Public License Version
++# 1.1 (the "License"); you may not use this file except in compliance with
++# the License. You may obtain a copy of the License at
++# http://www.mozilla.org/MPL/
++#
++# Software distributed under the License is distributed on an "AS IS" basis,
++# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++# for the specific language governing rights and limitations under the
++# License.
++#
++# The Original Code is the Netscape Security Services for Java.
++#
++# The Initial Developer of the Original Code is
++# Netscape Communications Corporation.
++# Portions created by the Initial Developer are Copyright (C) 1998-2000
++# the Initial Developer. All Rights Reserved.
++#
++# Contributor(s):
++#
++# Alternatively, the contents of this file may be used under the terms of
++# either the GNU General Public License Version 2 or later (the "GPL"), or
++# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++# in which case the provisions of the GPL or the LGPL are applicable instead
++# of those above. If you wish to allow use of your version of this file only
++# under the terms of either the GPL or the LGPL, and not to allow others to
++# use your version of this file under the terms of the MPL, indicate your
++# decision by deleting the provisions above and replace them with the notice
++# and other provisions required by the GPL or the LGPL. If you do not delete
++# the provisions above, a recipient may use your version of this file under
++# the terms of any one of the MPL, the GPL or the LGPL.
++#
++# ***** END LICENSE BLOCK *****
++TARGETS=$(LIBRARY)
++SHARED_LIBRARY=
++IMPORT_LIBRARY=
++
++NO_MD_RELEASE = 1
+--- a/security/jss/org/mozilla/jss/asn1/manifest.mn
++++ b/security/jss/org/mozilla/jss/asn1/manifest.mn
+@@ -41,6 +41,8 @@
+
+ NS_USE_JDK = 1
+
++REQUIRES = nspr20 nss
++
+ PACKAGE = org/mozilla/jss/asn1
+
+ CLASSES = \
+@@ -112,3 +114,9 @@
+ UTCTime.java \
+ UTF8String.java \
+ $(NULL)
++
++CSRCS = \
++ ASN1Util.c \
++ $(NULL)
++
++LIBRARY_NAME = jssasn1
+--- a/security/jss/org/mozilla/jss/manifest.mn
++++ b/security/jss/org/mozilla/jss/manifest.mn
+@@ -48,6 +48,7 @@
+ crypto \
+ SecretDecoderRing \
+ pkcs11 \
++ asn1 \
+ ssl \
+ provider \
+ $(NULL)
+--- a/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java
++++ b/security/jss/org/mozilla/jss/pkcs11/PK11ECPublicKey.java
+@@ -61,15 +61,29 @@
+ // }
+ // }
+ //
+-// public BigInteger getW() {
+-// try {
+-// return new BigInteger( getWByteArray() );
+-// } catch(NumberFormatException e) {
+-// Assert.notReached("Unable to decode DSA public value");
+-// return null;
+-// }
+-// }
+-//
+-// private native byte[] getCurveByteArray();
+-// private native byte[] getWByteArray();
++
++ public BigInteger getCurve() {
++ try {
++ return new BigInteger( getCurveByteArray() );
++ } catch(NumberFormatException e) {
++ Assert.notReached("Unable to decode EC curve");
++ return null;
++ }
++ }
++
++ public byte[] getCurveBA() {
++ return getCurveByteArray();
++ }
++
++ public BigInteger getW() {
++ try {
++ return new BigInteger( getWByteArray() );
++ } catch(NumberFormatException e) {
++ Assert.notReached("Unable to decode EC public value");
++ return null;
++ }
++ }
++
++ private native byte[] getCurveByteArray();
++ private native byte[] getWByteArray();
+ }
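Review bot: The three new public accessors `getCurve()`, `getCurveBA()` and `getW()` have no Javadoc, and their contracts are not obvious from the code. `new BigInteger(byte[])` reads the array as a signed two's-complement integer, so `getCurve()` turns what are presumably encoded curve parameters into a number with no defined meaning; callers probably want `getCurveBA()`. Both `BigInteger` wrappers catch only `NumberFormatException`, so a `null` from the native call surfaces as a `NullPointerException`. I would add a comment on each, for example `/** @return the raw encoded EC parameters as returned by the token */` on `getCurveBA()`, and state on `getCurve()`/`getW()` that the value is the signed interpretation of those bytes. The native implementations of `getCurveByteArray` and `getWByteArray` are not part of this hunk.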
+--- a/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
++++ b/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+@@ -450,6 +450,14 @@
+ numAttribs = 4;
+ }
+ break;
++ case CKK_EC:
++ numAttribs = 1;
++ attribs[0] = CKA_SIGN;
++ if (isExtractable) {
++ attribs[1] = CKA_EXTRACTABLE;
++ numAttribs = 2;
++ }
++ break;
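Review bot: The relocated `CKK_EC` case no longer requests `CKA_DERIVE`; the old case, removed in the next hunk of this file, set both `CKA_SIGN` and `CKA_DERIVE`. As far as this template goes, an EC private key unwrapped here is marked for signing only, which would matter if archived ECDH keys are ever recovered through this path. If sign-only is intended, record it with a comment such as `/* recovered EC keys are signing keys; CKA_DERIVE deliberately omitted */`; otherwise keep `CKA_DERIVE` in the list. The declaration of `attribs` is outside the hunk, so confirm it has room for the `attribs[1]` write in the `isExtractable` branch.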
+ case CKK_DSA:
+ attribs[0] = CKA_SIGN;
+ numAttribs = 1;
+@@ -460,11 +468,6 @@
+ attribs[0] = CKA_DERIVE;
+ numAttribs = 1;
+ break;
+- case CKK_EC:
+- attribs[0] = CKA_SIGN;
+- attribs[1] = CKA_DERIVE;
+- numAttribs = 2;
+- break;
+ default:
+ /* unknown key type */
+ PR_ASSERT(PR_FALSE);
+@@ -479,7 +482,7 @@
+ attribs, numAttribs, NULL /*wincx*/);
+ if( privk == NULL ) {
+ char err[256] = {0};
+- PR_snprintf(err, 256, "Key Unwrap failed on token:%d", PR_GetError());
++ PR_snprintf(err, 256, "Key Unwrap failed on token:error=%d, keyType=%d", PR_GetError(), keyType);
+ JSS_throwMsg(env, TOKEN_EXCEPTION, err);
+ goto finish;
+ }
+--- a/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
++++ b/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java
+@@ -459,13 +459,19 @@
+ if( type == PrivateKey.RSA ) {
+ if( !(publicKey instanceof RSAPublicKey)) {
+ throw new InvalidKeyException("Type of public key does not "+
+- "match type of private key");
++ "match type of private key which is RSA");
+ }
+ return ((RSAPublicKey)publicKey).getModulus().toByteArray();
++ } else if(type == PrivateKey.EC) {
++ if( !(publicKey instanceof PK11ECPublicKey) ) {
++ throw new InvalidKeyException("Type of public key does not "+
++ "match type of private key which is EC");
++ }
++ return ((PK11ECPublicKey)publicKey).getW().toByteArray();
+ } else if(type == PrivateKey.DSA) {
+ if( !(publicKey instanceof DSAPublicKey) ) {
+ throw new InvalidKeyException("Type of public key does not "+
+- "match type of private key");
++ "match type of private key which is DSA");
+ }
+ return ((DSAPublicKey)publicKey).getY().toByteArray();
+ } else {
diff --git a/debian/patches/jss-HSM-manufacturerID.patch b/debian/patches/jss-HSM-manufacturerID.patch
new file mode 100644
index 0000000..12ec713
--- /dev/null
+++ b/debian/patches/jss-HSM-manufacturerID.patch
@@ -0,0 +1,62 @@
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c
+--- a/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c.cfu 2011-11-10 17:18:02.706421000 -0800
++++ b/security/jss/org/mozilla/jss/pkcs11/PK11KeyPairGenerator.c 2011-11-10 17:18:23.370442000 -0800
+@@ -195,7 +195,8 @@ JSS_PK11_generateKeyPairWithOpFlags(JNIE
+ }
+ PR_GetErrorText(errBuf);
+ }
+- msgBuf = PR_smprintf("Keypair Generation failed on token: %s",
++ msgBuf = PR_smprintf("Keypair Generation failed on token with error: %d : %s",
++ PR_GetError(),
+ errLength>0? errBuf : "");
+ if(errLength>0) {
+ PR_Free(errBuf);
+diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu jss-4.2.6/mozilla/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c
+--- a/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c.cfu 2011-11-10 17:18:10.767429000 -0800
++++ b/security/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.c 2011-11-10 17:52:34.703491000 -0800
+@@ -334,32 +334,36 @@ Java_org_mozilla_jss_pkcs11_PK11KeyWrapp
+ PRBool isExtractable = PR_FALSE;
+
+ /* special case nethsm and lunasa*/
+- CK_UTF8CHAR nethsmLabel[4] = {'N','H','S','M'};
+- CK_UTF8CHAR lunasaLabel[4] = {'l','u','n','a'};
++ const int numManufacturerIDchars = 7;
++ CK_UTF8CHAR nethsmManufacturerID[] = {'n','C','i','p','h','e','r'};
++ CK_UTF8CHAR lunasaManufacturerID[] = {'S','a','f','e','n','e','t'};
+ PRBool isNethsm = PR_TRUE;
+ PRBool isLunasa = PR_TRUE;
+
++ tokenInfo.manufacturerID[0] = 0;
++
+ if( JSS_PK11_getTokenSlotPtr(env, tokenObj, &slot) != PR_SUCCESS) {
+ /* exception was thrown */
+ goto finish;
+ }
+
+- if ( PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) {
++ if ( (PK11_GetTokenInfo(slot, &tokenInfo) == PR_SUCCESS) &&
++ (tokenInfo.manufacturerID[0] != 0)) {
+ int ix = 0;
+- for(ix=0; ix < 4; ix++) {
+- if (tokenInfo.label[ix] != nethsmLabel[ix]) {
++
++ for(ix=0; ix < numManufacturerIDchars; ix++) {
++ if (tokenInfo.manufacturerID[ix] != nethsmManufacturerID[ix]) {
+ isNethsm = PR_FALSE;
+ break;
+ }
+ }
+- ix = 0;
+- for(ix=0; ix < 4; ix++) {
+- if (tokenInfo.label[ix] != lunasaLabel[ix]) {
++
++ for(ix=0; ix < numManufacturerIDchars; ix++) {
++ if (tokenInfo.manufacturerID[ix] != lunasaManufacturerID[ix]) {
+ isLunasa = PR_FALSE;
+ break;
+ }
+ }
+-
+ } else {
+ isNethsm = PR_FALSE;
+ isLunasa = PR_FALSE;
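Review bot: The two comparison loops depend on `numManufacturerIDchars = 7` matching the length of both literal arrays by hand, so a later edit to either array can silently compare too few or too many bytes. Taking the length from the array removes the constant and the loops, for example `isNethsm = (memcmp(tokenInfo.manufacturerID, nethsmManufacturerID, sizeof nethsmManufacturerID) == 0);` and the same for `lunasaManufacturerID`. A short comment would also help, saying that only a prefix of the blank-padded `manufacturerID` field is compared and that the value is whatever the PKCS#11 module reports. The enclosing function starts and ends outside this hunk.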
diff --git a/debian/patches/jss-undo-BadPaddingException-deprecation.patch b/debian/patches/jss-undo-BadPaddingException-deprecation.patch
new file mode 100644
index 0000000..a9f97cf
--- /dev/null
+++ b/debian/patches/jss-undo-BadPaddingException-deprecation.patch
@@ -0,0 +1,13 @@
+diff -rupN jss-4.2.6.orig/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java jss-4.2.6/mozilla/security/jss/org/mozilla/jss/crypto/BadPaddingException.java
+--- a/security/jss/org/mozilla/jss/crypto/BadPaddingException.java 2004-04-25 08:02:21.000000000 -0700
++++ b/security/jss/org/mozilla/jss/crypto/BadPaddingException.java 2012-03-30 16:17:30.748371000 -0700
+@@ -35,9 +35,6 @@
+ * ***** END LICENSE BLOCK ***** */
+ package org.mozilla.jss.crypto;
+
+-/**
+- * @deprecated Use javax.crypto.BadPaddingException.
+- */
+ public class BadPaddingException extends Exception {
+ public BadPaddingException() {
+ super();
diff --git a/debian/patches/jss-undo-JCA-deprecations.patch b/debian/patches/jss-undo-JCA-deprecations.patch
new file mode 100644
index 0000000..fd644f5
--- /dev/null
+++ b/debian/patches/jss-undo-JCA-deprecations.patch
@@ -0,0 +1,163 @@
+--- a/security/jss/org/mozilla/jss/crypto/Cipher.java
++++ b/security/jss/org/mozilla/jss/crypto/Cipher.java
+@@ -49,7 +49,6 @@
+ * it is not necessary to call <code>update</code> if all of the data is
+ * available at once. In this case, all of the input can be processed with one
+ * call to <code>doFinal</code>.
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
+ */
+ public abstract class Cipher {
+
+--- a/security/jss/org/mozilla/jss/crypto/CryptoToken.java
++++ b/security/jss/org/mozilla/jss/crypto/CryptoToken.java
+@@ -60,7 +60,6 @@
+ * @param algorithm The algorithm used for the signing/verification.
+ * @exception java.security.NoSuchAlgorithmException If the given
+ * algorithm is not supported by this provider.
+- * @deprecated Use the JCA interface instead ({@link java.security.Signature})
+ */
+ public abstract org.mozilla.jss.crypto.Signature
+ getSignatureContext(SignatureAlgorithm algorithm)
+@@ -73,7 +72,6 @@
+ * @param algorithm The algorithm used for digesting.
+ * @exception java.security.NoSuchAlgorithmException If this provider
+ * does not support the given algorithm.
+- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest})
+ */
+ public abstract JSSMessageDigest
+ getDigestContext(DigestAlgorithm algorithm)
+@@ -89,15 +87,11 @@
+ * @param algorithm The algorithm used for encryption/decryption.
+ * @exception java.security.NoSuchAlgorithmException If this provider
+ * does not support the given algorithm.
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
+ */
+ public abstract Cipher
+ getCipherContext(EncryptionAlgorithm algorithm)
+ throws java.security.NoSuchAlgorithmException, TokenException;
+
+- /**
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
+- */
+ public abstract KeyWrapper
+ getKeyWrapper(KeyWrapAlgorithm algorithm)
+ throws java.security.NoSuchAlgorithmException, TokenException;
+@@ -123,7 +117,6 @@
+ * @param algorithm The algorithm that the keys will be used with.
+ * @exception java.security.NoSuchAlgorithmException If this token does not
+ * support the given algorithm.
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator})
+ */
+ public abstract KeyGenerator
+ getKeyGenerator(KeyGenAlgorithm algorithm)
+@@ -136,7 +129,6 @@
+ * cannot be extracted from the current token.
+ * @exception InvalidKeyException If the owning token cannot process
+ * the key to be cloned.
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.SecretKeyFactory})
+ */
+ public SymmetricKey cloneKey(SymmetricKey key)
+ throws SymmetricKey.NotExtractableException,
+@@ -151,7 +143,6 @@
+ * DSA, EC, etc.)
+ * @exception java.security.NoSuchAlgorithmException If this token does
+ * not support the given algorithm.
+- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})
+ */
+ public abstract KeyPairGenerator
+ getKeyPairGenerator(KeyPairAlgorithm algorithm)
+--- a/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java
++++ b/security/jss/org/mozilla/jss/crypto/JSSMessageDigest.java
+@@ -41,7 +41,6 @@
+
+ /**
+ * A class for performing message digesting (hashing) and MAC operations.
+- * @deprecated Use the JCA interface instead ({@link java.security.MessageDigest})
+ */
+ public abstract class JSSMessageDigest {
+
+--- a/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java
++++ b/security/jss/org/mozilla/jss/crypto/JSSSecureRandom.java
+@@ -38,7 +38,6 @@
+
+ /**
+ * An interface for secure random numbers.
+- * @deprecated Use the JCA interface instead ({@link java.security.SecureRandom})
+ */
+ public interface JSSSecureRandom {
+
+--- a/security/jss/org/mozilla/jss/crypto/KeyGenerator.java
++++ b/security/jss/org/mozilla/jss/crypto/KeyGenerator.java
+@@ -43,7 +43,6 @@
+
+ /**
+ * Generates symmetric keys for encryption and decryption.
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.KeyGenerator})
+ */
+ public interface KeyGenerator {
+
+--- a/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
++++ b/security/jss/org/mozilla/jss/crypto/KeyPairGenerator.java
+@@ -49,7 +49,6 @@
+ * <code>keygenOnInternalToken</code> to find out if this is happening.
+ *
+ * @see org.mozilla.jss.crypto.CryptoToken#getKeyPairGenerator
+- * @deprecated Use the JCA interface instead ({@link java.security.KeyPairGenerator})
+ */
+ public class KeyPairGenerator {
+
+--- a/security/jss/org/mozilla/jss/crypto/KeyWrapper.java
++++ b/security/jss/org/mozilla/jss/crypto/KeyWrapper.java
+@@ -40,9 +40,6 @@
+ import java.security.PublicKey;
+ import java.security.InvalidKeyException;
+
+-/**
+- * @deprecated Use the JCA interface instead ({@link javax.crypto.Cipher})
+- */
+ public interface KeyWrapper {
+
+ public void initWrap(SymmetricKey wrappingKey,
+--- a/security/jss/org/mozilla/jss/crypto/Signature.java
++++ b/security/jss/org/mozilla/jss/crypto/Signature.java
+@@ -44,7 +44,6 @@
+ * Instances of this class can be obtain from <code>CryptoToken</code>s.
+ *
+ * @see org.mozilla.jss.crypto.CryptoToken#getSignatureContext
+- * @deprecated Use the JCA interface instead ({@link java.security.Signature})
+ */
+ public class Signature {
+
+--- a/security/jss/org/mozilla/jss/tests/SigTest.java
++++ b/security/jss/org/mozilla/jss/tests/SigTest.java
+@@ -35,8 +35,6 @@
+ * ***** END LICENSE BLOCK ***** */
+ /* This program demonstrates how to sign data with keys from JSS
+ *
+- * Most of this code is deprecated look at JCASigTest.java
+- *
+ * java -cp ./jss4.jar org.mozilla.jss.tests.SigTest .
+ * passwords "Internal Key Storage Token"
+ *
+@@ -45,8 +43,6 @@
+ * Internal Crypto Services Token
+ * Internal Key Storage Token (keys stored in key4.db)
+ *
+- * @see org.mozilla.jss.tests.JCASigTest
+- * @deprecated Use the JCA interface instead
+ */
+ package org.mozilla.jss.tests;
+
+--- a/security/jss/org/mozilla/jss/tests/all.pl
++++ b/security/jss/org/mozilla/jss/tests/all.pl
+@@ -541,6 +541,10 @@
+ $command = "$java -cp $jss_classpath org.mozilla.jss.tests.SigTest $testdir $pwfile";
+ run_test($testname, $command);
+
++$testname = "Mozilla-JSS NSS Signature ";
++$command = "$java -cp $jss_classpath org.mozilla.jss.tests.SigTest $testdir $pwfile";
++run_test($testname, $command);
++
+ $testname = "Secret Decoder Ring";
+ $command = "$java -cp $jss_classpath org.mozilla.jss.tests.TestSDR $testdir $pwfile";
+ run_test($testname, $command);
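Review bot: The added block runs `org.mozilla.jss.tests.SigTest` with exactly the same `$command` as the context line immediately above it, so the suite executes the same test twice under the name "Mozilla-JSS NSS Signature ". If this slot was meant to restore a different test while undoing the deprecations, the class name in `$command` needs to change; if not, the three added lines can be dropped. The `$testname` assignment for the preceding `run_test` call is outside the hunk, so I cannot tell whether the two names also collide.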
diff --git a/debian/patches/series b/debian/patches/series
index 1a08706..9447325 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,7 @@ jss-PKCS12-FIPS.patch
jss-eliminate-native-coverity-defects.patch
jss-PBE-PKCS5-V2-secure-P12.patch
jss-wrapInToken.patch
+jss-HSM-manufacturerID.patch
+jss-ECC-Phase2KeyArchivalRecovery.patch
+jss-undo-JCA-deprecations.patch
+jss-undo-BadPaddingException-deprecation.patch