[Pkg-fedora-ds-maintainers] jss: Changes to 'master'
Timo Aaltonen
tjaalton at moszumanska.debian.org
Wed Dec 20 14:55:13 UTC 2017
debian/changelog | 7
debian/control | 4
debian/patches/jss-HMAC-test-for-AES-encrypt-unwrap.patch | 196
debian/patches/jss-HMAC-unwrap-keywrap-FIPSMODE.patch | 22
debian/patches/jss-ObjectNotFoundException-message.patch | 680
debian/patches/jss-PBE-padded-block-cipher-enhancements.patch | 620
debian/patches/jss-SignatureAlgorithm.patch | 34
debian/patches/jss-fix-PK11Store-getEncryptedPrivateKeyInfo-segfault.patch | 35
debian/patches/pull_coreconf |16056 ----------
debian/patches/series | 7
10 files changed, 1602 insertions(+), 16059 deletions(-)
New commits:
commit 484df1b82fa251e10851f91a372378549c114745
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Dec 20 16:52:42 2017 +0200
releasing package jss version 4.4.2-2
diff --git a/debian/changelog b/debian/changelog
index e0b7933..3e8d97c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,9 @@
-jss (4.4.2-2) UNRELEASED; urgency=medium
+jss (4.4.2-2) unstable; urgency=medium
* patches: Add six patches from Fedora for Dogtag.
* control: Update git urls to point to pkg-freeipa.
- -- Timo Aaltonen <tjaalton at debian.org> Wed, 20 Dec 2017 16:49:40 +0200
+ -- Timo Aaltonen <tjaalton at debian.org> Wed, 20 Dec 2017 16:52:36 +0200
jss (4.4.2-1) unstable; urgency=medium
commit bdae5d5b7711a8905d94e95aab03e6cad9d84b6c
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Dec 20 16:51:22 2017 +0200
control: Update git urls to point to pkg-freeipa.
diff --git a/debian/changelog b/debian/changelog
index 58aa62d..e0b7933 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
jss (4.4.2-2) UNRELEASED; urgency=medium
* patches: Add six patches from Fedora for Dogtag.
+ * control: Update git urls to point to pkg-freeipa.
-- Timo Aaltonen <tjaalton at debian.org> Wed, 20 Dec 2017 16:49:40 +0200
diff --git a/debian/control b/debian/control
index dfb35b3..19272c3 100644
--- a/debian/control
+++ b/debian/control
@@ -9,8 +9,8 @@ Build-Depends: debhelper (>= 9),
pkg-config,
quilt,
Standards-Version: 3.9.8
-Vcs-Git: https://anonscm.debian.org/git/pkg-fedora-ds/jss.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-fedora-ds/jss.git
+Vcs-Git: https://anonscm.debian.org/git/pkg-freeipa/jss.git
+Vcs-Browser: https://anonscm.debian.org/cgit/pkg-freeipa/jss.git
Homepage: http://www.mozilla.org/projects/security/pki/jss/
Package: libjss-java
commit 6862a74fb924003928497461415ecf356b05f272
Author: Timo Aaltonen <tjaalton at debian.org>
Date: Wed Dec 20 16:49:47 2017 +0200
patches: Add six patches from Fedora for Dogtag.
diff --git a/debian/changelog b/debian/changelog
index 5211cc2..58aa62d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+jss (4.4.2-2) UNRELEASED; urgency=medium
+
+ * patches: Add six patches from Fedora for Dogtag.
+
+ -- Timo Aaltonen <tjaalton at debian.org> Wed, 20 Dec 2017 16:49:40 +0200
+
jss (4.4.2-1) unstable; urgency=medium
* New upstream release. (Closes: #875589)
diff --git a/debian/patches/jss-HMAC-test-for-AES-encrypt-unwrap.patch b/debian/patches/jss-HMAC-test-for-AES-encrypt-unwrap.patch
new file mode 100644
index 0000000..8b5582c
--- /dev/null
+++ b/debian/patches/jss-HMAC-test-for-AES-encrypt-unwrap.patch
@@ -0,0 +1,196 @@
+# HG changeset patch
+# User Jack Magne <jmagne at redhat.com>
+# Date 1504307754 25200
+# Fri Sep 01 16:15:54 2017 -0700
+# Node ID eec15518fd61f1d988c25b4de589555796f9e65f
+# Parent 17d1d7b740ca5777fbcf8ee817a2f26b9c93593a
+unwrapping of HMAC-SHA1 secret keys using AES wrapping and unwrapping
+cfu on behalf of jmagne
+
+diff -r 17d1d7b740ca -r eec15518fd61 org/mozilla/jss/pkcs11/PK11KeyWrapper.java
+--- a/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java Mon May 01 10:39:50 2017 -0700
++++ b/jss/org/mozilla/jss/pkcs11/PK11KeyWrapper.java Fri Sep 01 16:15:54 2017 -0700
+@@ -588,6 +588,8 @@
+ return EncryptionAlgorithm.RC4;
+ } else if( type == SymmetricKey.AES ) {
+ return EncryptionAlgorithm.AES_128_ECB;
++ } else if( type == SymmetricKey.SHA1_HMAC) {
++ return HMACAlgorithm.SHA1;
+ } else {
+ Assert._assert( type == SymmetricKey.RC2 );
+ return EncryptionAlgorithm.RC2_CBC;
+diff -r 17d1d7b740ca -r eec15518fd61 org/mozilla/jss/pkcs11/PK11MessageDigest.c
+--- a/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c Mon May 01 10:39:50 2017 -0700
++++ b/jss/org/mozilla/jss/pkcs11/PK11MessageDigest.c Fri Sep 01 16:15:54 2017 -0700
+@@ -67,19 +67,19 @@
+ }
+
+ /* copy the key, setting the CKA_SIGN attribute */
+- /*
++
+ newKey = PK11_CopySymKeyForSigning(origKey, mech);
++
++ /* For some key on the hsm, this call could fail, but the key may work anyway */
++
+ if( newKey == NULL ) {
+- JSS_throwMsg(env, DIGEST_EXCEPTION,
+- "Unable to set CKA_SIGN attribute on symmetric key");
+- goto finish;
++ newKey = origKey;
+ }
+- */
+
+ param.data = NULL;
+ param.len = 0;
+
+- context = PK11_CreateContextBySymKey(mech, CKA_SIGN, origKey, ¶m);
++ context = PK11_CreateContextBySymKey(mech, CKA_SIGN, newKey, ¶m);
+ if( context == NULL ) {
+ JSS_throwMsg(env, DIGEST_EXCEPTION,
+ "Unable to initialize digest context");
+@@ -88,7 +88,7 @@
+
+ contextObj = JSS_PK11_wrapCipherContextProxy(env, &context);
+ finish:
+- if(newKey) {
++ if(newKey && (newKey != origKey)) {
+ /* SymKeys are ref counted, and the context will free it's ref
+ * when it is destroyed */
+ PK11_FreeSymKey(newKey);
+diff -r 17d1d7b740ca -r eec15518fd61 org/mozilla/jss/tests/HmacTest.java
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ b/jss/org/mozilla/jss/tests/HmacTest.java Fri Sep 01 16:15:54 2017 -0700
+@@ -0,0 +1,119 @@
++
++package org.mozilla.jss.tests;
++
++
++import java.security.Key;
++import javax.crypto.Cipher;
++import javax.crypto.KeyGenerator;
++import javax.crypto.Mac;
++import javax.crypto.SecretKey;
++import javax.crypto.spec.IvParameterSpec;
++
++import org.mozilla.jss.CryptoManager;
++import org.mozilla.jss.crypto.CryptoToken;
++import org.mozilla.jss.crypto.SymmetricKey;
++
++
++public class HmacTest {
++
++ private static final String INTERNAL_KEY_STORAGE_TOKEN =
++ new CryptoManager.InitializationValues("").getInternalKeyStorageTokenDescription().trim();
++
++ private static final String NSS_DATABASE_DIR = "sql:data";
++ private static final String PROVIDER = "Mozilla-JSS";
++
++
++ public static void main(String[] args)
++ {
++
++ String algorithm = "hmac-sha1";
++
++ try {
++ configureCrypto(args);
++
++ Mac mac = Mac.getInstance(algorithm, PROVIDER);
++
++ byte[] keyData = new byte[16];
++ Key key = importHmacSha1Key(keyData);
++
++ mac.init(key);
++
++ doHMAC(mac,"Dogtag rules!");
++
++ System.out.println("Done");
++
++ System.exit(0);
++ } catch (Exception e) {
++ System.exit(1);
++ }
++ }
++
++ private static void configureCrypto(String[] args)
++ throws Exception {
++
++ CryptoManager.InitializationValues initializationValues =
++ new CryptoManager.InitializationValues(args[0]);
++
++ CryptoManager.initialize(initializationValues);
++
++ CryptoManager cryptoManager = CryptoManager.getInstance();
++
++ CryptoToken cryptoToken =
++ cryptoManager.getTokenByName(INTERNAL_KEY_STORAGE_TOKEN);
++
++ cryptoManager.setThreadToken(cryptoToken);
++ }
++
++ private static Key importHmacSha1Key(byte[] key)
++ throws Exception {
++
++ final String WRAPPING_ALGORITHM = "AES/CBC/PKCS5Padding";
++
++ Key wrappingKey = getWrappingKey();
++
++ byte[] iv = new byte[16];
++ IvParameterSpec ivParameterSpec = new IvParameterSpec(iv);
++
++ Cipher wrappingCipher = Cipher.getInstance(WRAPPING_ALGORITHM, PROVIDER);
++ wrappingCipher.init(Cipher.ENCRYPT_MODE, wrappingKey, ivParameterSpec);
++
++ byte[] wrappedKeyData = wrappingCipher.doFinal(key);
++
++ Cipher unwrappingCipher = Cipher.getInstance(WRAPPING_ALGORITHM, PROVIDER);
++ unwrappingCipher.init(Cipher.UNWRAP_MODE, wrappingKey, ivParameterSpec);
++
++ return (SecretKey) unwrappingCipher.unwrap(wrappedKeyData,
++ SymmetricKey.SHA1_HMAC.toString(),
++ Cipher.SECRET_KEY);
++ }
++
++ private static synchronized Key getWrappingKey()
++ throws Exception {
++
++ final String keyGenAlgorithm = "AES";
++ final int wrappingKeyLength = 256;
++
++ KeyGenerator keyGen = KeyGenerator.getInstance(keyGenAlgorithm, PROVIDER);
++ keyGen.init(wrappingKeyLength);
++ return keyGen.generateKey();
++ }
++
++ public static void doHMAC(Mac mozillaHmac, String clearText)
++ throws Exception {
++ byte[] mozillaHmacOut;
++
++ //Get the Mozilla HMAC
++ mozillaHmacOut = mozillaHmac.doFinal(clearText.getBytes());
++
++ if (mozillaHmacOut.length == mozillaHmac.getMacLength()) {
++ System.out.println(PROVIDER + " supports " +
++ mozillaHmac.getAlgorithm() + " and the output size is " + mozillaHmac.getMacLength());
++ } else {
++ throw new Exception("ERROR: hmac output size is " +
++ mozillaHmacOut.length + ", should be " +
++ mozillaHmac.getMacLength());
++ }
++ }
++
++
++}
+diff -r 17d1d7b740ca -r eec15518fd61 org/mozilla/jss/tests/all.pl
+--- a/jss/org/mozilla/jss/tests/all.pl Mon May 01 10:39:50 2017 -0700
++++ b/jss/org/mozilla/jss/tests/all.pl Fri Sep 01 16:15:54 2017 -0700
+@@ -492,6 +492,10 @@
+ $command = "$java -cp $jss_classpath org.mozilla.jss.tests.HMACTest $testdir $pwfile";
+ run_test($testname, $command);
+
++$testname = "HMAC Unwrap";
++$command = "$java -cp $jss_classpath org.mozilla.jss.tests.HmacTest $testdir $pwfile";
++run_test($testname, $command);
++
+ $testname = "KeyWrapping ";
+ $command = "$java -cp $jss_classpath org.mozilla.jss.tests.JCAKeyWrap $testdir $pwfile";
+ run_test($testname, $command);
diff --git a/debian/patches/jss-HMAC-unwrap-keywrap-FIPSMODE.patch b/debian/patches/jss-HMAC-unwrap-keywrap-FIPSMODE.patch
new file mode 100644
index 0000000..3ccc6d6
--- /dev/null
+++ b/debian/patches/jss-HMAC-unwrap-keywrap-FIPSMODE.patch
@@ -0,0 +1,22 @@
+# HG changeset patch
+# User Jack Magne <jmagne at redhat.com>
+# Date 1506640850 25200
+# Thu Sep 28 16:20:50 2017 -0700
+# Node ID 252c10f448971b7ae087bde259505abd5dc5a03a
+# Parent 3e9a5ae2149d04877dc19b117a8917c22854f8eb
+Fix: Bug 1400884 - new JSS failures: HMAC Unwrap and KeyWrapping FIPSMODE.
+
+diff --git a/org/mozilla/jss/pkcs11/KeyType.java b/org/mozilla/jss/pkcs11/KeyType.java
+--- a/jss/org/mozilla/jss/pkcs11/KeyType.java
++++ b/jss/org/mozilla/jss/pkcs11/KeyType.java
+@@ -204,9 +204,7 @@
+ EncryptionAlgorithm.AES_192_CBC,
+ EncryptionAlgorithm.AES_256_ECB,
+ EncryptionAlgorithm.AES_256_CBC,
+- /* AES CBC PAD is the same as AES_256_CBC_PAD */
+- /* shouldn't break backward compatibility 313798*/
+- //EncryptionAlgorithm.AES_CBC_PAD,
++ EncryptionAlgorithm.AES_CBC_PAD,
+ EncryptionAlgorithm.AES_128_CBC_PAD,
+ EncryptionAlgorithm.AES_192_CBC_PAD,
+ EncryptionAlgorithm.AES_256_CBC_PAD
diff --git a/debian/patches/jss-ObjectNotFoundException-message.patch b/debian/patches/jss-ObjectNotFoundException-message.patch
new file mode 100644
index 0000000..b560b91
--- /dev/null
+++ b/debian/patches/jss-ObjectNotFoundException-message.patch
@@ -0,0 +1,680 @@
+# HG changeset patch
+# User "Endi S. Dewata" <edewata at redhat.com>
+# Date 1509154719 -7200
+# Sat Oct 28 03:38:39 2017 +0200
+# Node ID 19a0e2146a929173757e6ccbb61a035ec9426f43
+# Parent b1a3c3cc6b3584948d251d3bfcfe6630d8970db5
+Added certificate nickname into ObjectNotFoundException message.
+The code that generates ObjectNotFoundException has been modified
+to include the certificate nickname to help troubleshooting.
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1408057
+
+diff --git a/org/mozilla/jss/PK11Finder.c b/org/mozilla/jss/PK11Finder.c
+--- a/jss/org/mozilla/jss/PK11Finder.c
++++ b/jss/org/mozilla/jss/PK11Finder.c
+@@ -54,7 +54,9 @@
+ cert = JSS_PK11_findCertAndSlotFromNickname(nick, NULL, &slot);
+
+ if(cert == NULL) {
+- JSS_nativeThrow(env, OBJECT_NOT_FOUND_EXCEPTION);
++ char *message = PR_smprintf("Certificate not found: %s", nick);
++ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, message);
++ PR_smprintf_free(message);
+ goto finish;
+ }
+
+@@ -1577,7 +1579,9 @@
+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
+
+ if (cert == NULL) {
+- JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
++ char *message = PR_smprintf("Certificate not found: %s", nickname);
++ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, message);
++ PR_smprintf_free(message);
+ goto finish;
+ } else {
+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
+@@ -1640,7 +1644,9 @@
+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
+
+ if (cert == NULL) {
+- JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
++ char *message = PR_smprintf("Certificate not found: %s", nickname);
++ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, message);
++ PR_smprintf_free(message);
+ goto finish;
+ } else {
+ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to
+@@ -1801,7 +1807,9 @@
+ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
+
+ if (cert == NULL) {
+- JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION);
++ char *message = PR_smprintf("Certificate not found: %s", nickname);
++ JSS_throwMsg(env, OBJECT_NOT_FOUND_EXCEPTION, message);
++ PR_smprintf_free(message);
+ goto finish;
+ } else {
+ rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert,
+# HG changeset patch
+# User "Endi S. Dewata" <edewata at redhat.com>
+# Date 1509154819 -7200
+# Sat Oct 28 03:40:19 2017 +0200
+# Node ID 837c79476110ecd4bf6b507faad50edb9eed7e7e
+# Parent 19a0e2146a929173757e6ccbb61a035ec9426f43
+Reformatted SocketBase.java.
+The SocketBase.java has been auto-formatted using Eclipse to
+simplify further changes on the file.
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1408057
+
+diff --git a/org/mozilla/jss/ssl/SocketBase.java b/org/mozilla/jss/ssl/SocketBase.java
+--- a/jss/org/mozilla/jss/ssl/SocketBase.java
++++ b/jss/org/mozilla/jss/ssl/SocketBase.java
+@@ -27,6 +27,7 @@
+ int getTimeout() {
+ return timeout;
+ }
++
+ void setTimeout(int timeout) {
+ this.timeout = timeout;
+ }
+@@ -36,18 +37,17 @@
+ }
+
+ native byte[] socketCreate(Object socketObject,
+- SSLCertificateApprovalCallback certApprovalCallback,
+- SSLClientCertificateSelectionCallback clientCertSelectionCallback,
+- java.net.Socket javaSock, String host,int family)
++ SSLCertificateApprovalCallback certApprovalCallback,
++ SSLClientCertificateSelectionCallback clientCertSelectionCallback,
++ java.net.Socket javaSock, String host, int family)
+ throws SocketException;
+
+ byte[] socketCreate(Object socketObject,
+- SSLCertificateApprovalCallback certApprovalCallback,
+- SSLClientCertificateSelectionCallback clientCertSelectionCallback, int family)
+- throws SocketException
+- {
++ SSLCertificateApprovalCallback certApprovalCallback,
++ SSLClientCertificateSelectionCallback clientCertSelectionCallback, int family)
++ throws SocketException {
+ return socketCreate(socketObject, certApprovalCallback,
+- clientCertSelectionCallback, null, null, family);
++ clientCertSelectionCallback, null, null, family);
+ }
+
+ native void socketBind(byte[] addrBA, int port) throws SocketException;
+@@ -57,7 +57,7 @@
+ * safer than copying the values of the C constants, which are subject
+ * to change, into Java code.
+ * Note to developer these constants are not all related! i.e. you cannot
+- * pass in PR_SHUTDOWN_RCV to setSSLOption etc! Check their usage
++ * pass in PR_SHUTDOWN_RCV to setSSLOption etc! Check their usage
+ * in NSS and NSPR before using.
+ */
+ static final int SSL_ENABLE_SSL2 = 0;
+@@ -73,7 +73,7 @@
+ static final int SSL_POLICY_DOMESTIC = 10;
+ static final int SSL_POLICY_EXPORT = 11;
+ static final int SSL_POLICY_FRANCE = 12;
+- static final int SSL_ROLLBACK_DETECTION = 13;
++ static final int SSL_ROLLBACK_DETECTION = 13;
+ static final int SSL_NO_STEP_DOWN = 14;
+ static final int SSL_ENABLE_FDX = 15;
+ static final int SSL_V2_COMPATIBLE_HELLO = 16;
+@@ -98,7 +98,7 @@
+ static final int SSL_Variant_Stream = 33;
+ static final int SSL_Variant_Datagram = 34;
+
+- static final int SSL_AF_INET = 50;
++ static final int SSL_AF_INET = 50;
+ static final int SSL_AF_INET6 = 51;
+
+ void close() throws IOException {
+@@ -106,7 +106,7 @@
+ }
+
+ // SSLServerSocket and SSLSocket close methods
+- // have their own synchronization control that
++ // have their own synchronization control that
+ // protects SocketBase.socketClose.
+ native void socketClose() throws IOException;
+
+@@ -118,14 +118,13 @@
+ }
+
+ public void requestClientAuthNoExpiryCheck(boolean b)
+- throws SocketException
+- {
++ throws SocketException {
+ requestingClientAuth = b;
+ requestClientAuthNoExpiryCheckNative(b);
+ }
+
+ private native void requestClientAuthNoExpiryCheckNative(boolean b)
+- throws SocketException;
++ throws SocketException;
+
+ void enableSSL2(boolean enable) throws SocketException {
+ setSSLOption(SSL_ENABLE_SSL2, enable);
+@@ -144,8 +143,7 @@
+ }
+
+ void enableRenegotiation(int mode)
+- throws SocketException
+- {
++ throws SocketException {
+ setSSLOptionMode(SocketBase.SSL_ENABLE_RENEGOTIATION, mode);
+ }
+
+@@ -168,23 +166,21 @@
+ void enableV2CompatibleHello(boolean enable) throws SocketException {
+ setSSLOption(SSL_V2_COMPATIBLE_HELLO, enable);
+ }
+-
++
+ void setSSLOption(int option, boolean on)
+- throws SocketException
+- {
++ throws SocketException {
+ setSSLOption(option, on ? 1 : 0);
+ }
+
+- /**
+- * Sets SSL options for this socket that have simple
++ /**
++ * Sets SSL options for this socket that have simple
+ * enable/disable values.
+ */
+ native void setSSLOption(int option, int on)
+- throws SocketException;
++ throws SocketException;
+
+ void setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range)
+- throws SocketException
+- {
++ throws SocketException {
+ setSSLVersionRange(range.getMinEnum(), range.getMaxEnum());
+ }
+
+@@ -192,93 +188,101 @@
+ * Sets SSL Version Range for this socket to support TLS v1.1 and v1.2
+ */
+ native void setSSLVersionRange(int min, int max)
+- throws SocketException;
++ throws SocketException;
+
+- /**
++ /**
+ * Sets the SSL option setting mode value use for options
+ * that have more values than just enable/disable.
+ */
+ native void setSSLOptionMode(int option, int option2)
+- throws SocketException;
++ throws SocketException;
+
+-
+ /* return 0 for option disabled 1 for option enabled. */
+ native int getSSLOption(int option)
+- throws SocketException;
+-
++ throws SocketException;
++
+ public String getSSLOptions() {
+ StringBuffer buf = new StringBuffer();
+ try {
+ buf.append("SSL Options configured for this SSLSocket:");
+- buf.append("\nSSL_ENABLE_SSL2" +
+- ((getSSLOption(SocketBase.SSL_ENABLE_SSL2) != 0)
+- ? "=on" : "=off"));
+- buf.append("\nSSL_ENABLE_SSL3" +
+- ((getSSLOption(SocketBase.SSL_ENABLE_SSL3) != 0)
+- ? "=on" : "=off"));
+- buf.append("\nSSL_ENABLE_TLS" +
+- ((getSSLOption(SocketBase.SSL_ENABLE_TLS) != 0)
+- ? "=on" : "=off"));
+- buf.append("\nSSL_REQUIRE_CERTIFICATE");
++ buf.append("\nSSL_ENABLE_SSL2" +
++ ((getSSLOption(SocketBase.SSL_ENABLE_SSL2) != 0)
++ ? "=on"
++ : "=off"));
++ buf.append("\nSSL_ENABLE_SSL3" +
++ ((getSSLOption(SocketBase.SSL_ENABLE_SSL3) != 0)
++ ? "=on"
++ : "=off"));
++ buf.append("\nSSL_ENABLE_TLS" +
++ ((getSSLOption(SocketBase.SSL_ENABLE_TLS) != 0)
++ ? "=on"
++ : "=off"));
++ buf.append("\nSSL_REQUIRE_CERTIFICATE");
+ switch (getSSLOption(SocketBase.SSL_REQUIRE_CERTIFICATE)) {
+- case 0:
+- buf.append("=Never");
+- break;
+- case 1:
+- buf.append("=Always");
+- break;
+- case 2:
+- buf.append("=First Handshake");
+- break;
+- case 3:
+- buf.append("=No Error");
+- break;
+- default:
+- buf.append("=Report JSS Bug this option has a status.");
+- break;
++ case 0:
++ buf.append("=Never");
++ break;
++ case 1:
++ buf.append("=Always");
++ break;
++ case 2:
++ buf.append("=First Handshake");
++ break;
++ case 3:
++ buf.append("=No Error");
++ break;
++ default:
++ buf.append("=Report JSS Bug this option has a status.");
++ break;
+ } //end switch
+- buf.append("\nSSL_REQUEST_CERTIFICATE" +
+- ((getSSLOption(SocketBase.SSL_REQUEST_CERTIFICATE) != 0)
+- ? "=on" : "=off"));
+- buf.append("\nSSL_NO_CACHE" +
+- ((getSSLOption(SocketBase.SSL_NO_CACHE) != 0)
+- ? "=on" : "=off"));
+- buf.append("\nSSL_ROLLBACK_DETECTION" +
+- ((getSSLOption(SocketBase.SSL_ROLLBACK_DETECTION) != 0)
+- ? "=on" : "=off"));
+- buf.append("\nSSL_NO_STEP_DOWN" +
+- ((getSSLOption(SocketBase.SSL_NO_STEP_DOWN) != 0)
+- ? "=on" : "=off"));
+- buf.append("\nSSL_ENABLE_FDX" +
+- ((getSSLOption(SocketBase.SSL_ENABLE_FDX) != 0)
+- ? "=on" : "=off"));
+- buf.append("\nSSL_V2_COMPATIBLE_HELLO" +
+- ((getSSLOption(SocketBase.SSL_V2_COMPATIBLE_HELLO) != 0)
+- ? "=on" : "=off"));
+- buf.append("\nSSL_ENABLE_SESSION_TICKETS" +
+- ((getSSLOption(SocketBase.SSL_ENABLE_SESSION_TICKETS)
+- != 0) ? "=on" : "=off"));
++ buf.append("\nSSL_REQUEST_CERTIFICATE" +
++ ((getSSLOption(SocketBase.SSL_REQUEST_CERTIFICATE) != 0)
++ ? "=on"
++ : "=off"));
++ buf.append("\nSSL_NO_CACHE" +
++ ((getSSLOption(SocketBase.SSL_NO_CACHE) != 0)
++ ? "=on"
++ : "=off"));
++ buf.append("\nSSL_ROLLBACK_DETECTION" +
++ ((getSSLOption(SocketBase.SSL_ROLLBACK_DETECTION) != 0)
++ ? "=on"
++ : "=off"));
++ buf.append("\nSSL_NO_STEP_DOWN" +
++ ((getSSLOption(SocketBase.SSL_NO_STEP_DOWN) != 0)
++ ? "=on"
++ : "=off"));
++ buf.append("\nSSL_ENABLE_FDX" +
++ ((getSSLOption(SocketBase.SSL_ENABLE_FDX) != 0)
++ ? "=on"
++ : "=off"));
++ buf.append("\nSSL_V2_COMPATIBLE_HELLO" +
++ ((getSSLOption(SocketBase.SSL_V2_COMPATIBLE_HELLO) != 0)
++ ? "=on"
++ : "=off"));
++ buf.append("\nSSL_ENABLE_SESSION_TICKETS" +
++ ((getSSLOption(SocketBase.SSL_ENABLE_SESSION_TICKETS) != 0) ? "=on" : "=off"));
+ buf.append("\nSSL_ENABLE_RENEGOTIATION");
+ switch (getSSLOption(SocketBase.SSL_ENABLE_RENEGOTIATION)) {
+- case 0:
+- buf.append("=SSL_RENEGOTIATE_NEVER");
+- break;
+- case 1:
+- buf.append("=SSL_RENEGOTIATE_UNRESTRICTED");
+- break;
+- case 2:
+- buf.append("=SSL_RENEGOTIATE_REQUIRES_XTN");
+- break;
+- case 3:
+- buf.append("=SSL_RENEGOTIATE_TRANSITIONAL");
+- break;
+- default:
+- buf.append("=Report JSS Bug this option has a status.");
+- break;
++ case 0:
++ buf.append("=SSL_RENEGOTIATE_NEVER");
++ break;
++ case 1:
++ buf.append("=SSL_RENEGOTIATE_UNRESTRICTED");
++ break;
++ case 2:
++ buf.append("=SSL_RENEGOTIATE_REQUIRES_XTN");
++ break;
++ case 3:
++ buf.append("=SSL_RENEGOTIATE_TRANSITIONAL");
++ break;
++ default:
++ buf.append("=Report JSS Bug this option has a status.");
++ break;
+ } //end switch
+- buf.append("\nSSL_REQUIRE_SAFE_NEGOTIATION" +
+- ((getSSLOption(SocketBase.SSL_REQUIRE_SAFE_NEGOTIATION) != 0)
+- ? "=on" : "=off"));
++ buf.append("\nSSL_REQUIRE_SAFE_NEGOTIATION" +
++ ((getSSLOption(SocketBase.SSL_REQUIRE_SAFE_NEGOTIATION) != 0)
++ ? "=on"
++ : "=off"));
+
+ } catch (SocketException e) {
+ buf.append("\ngetSSLOptions exception " + e.getMessage());
+@@ -292,19 +296,18 @@
+ * of construction than getByName(), and it is final.
+ *
+ * @return The InetAddress corresponding to the given integer,
+- * or <tt>null</tt> if the InetAddress could not be constructed.
++ * or <tt>null</tt> if the InetAddress could not be constructed.
+ */
+- private static InetAddress
+- convertIntToInetAddress(int intAddr) {
++ private static InetAddress convertIntToInetAddress(int intAddr) {
+ InetAddress in;
+ int[] addr = new int[4];
+ addr[0] = ((intAddr >>> 24) & 0xff);
+ addr[1] = ((intAddr >>> 16) & 0xff);
+- addr[2] = ((intAddr >>> 8) & 0xff);
+- addr[3] = ((intAddr ) & 0xff);
++ addr[2] = ((intAddr >>> 8) & 0xff);
++ addr[3] = ((intAddr) & 0xff);
+ try {
+ in = InetAddress.getByName(
+- addr[0] + "." + addr[1] + "." + addr[2] + "." + addr[3] );
++ addr[0] + "." + addr[1] + "." + addr[2] + "." + addr[3]);
+ } catch (java.net.UnknownHostException e) {
+ in = null;
+ }
+@@ -312,12 +315,13 @@
+ }
+
+ private native byte[] getLocalAddressByteArrayNative() throws SocketException;
++
+ private native byte[] getPeerAddressByteArrayNative() throws SocketException;
++
+ /**
+ * @return the InetAddress of the peer end of the socket.
+ */
+- InetAddress getInetAddress()
+- {
++ InetAddress getInetAddress() {
+ try {
+ byte[] address = getPeerAddressByteArrayNative();
+
+@@ -326,14 +330,15 @@
+ try {
+
+ iAddr = InetAddress.getByAddress(address);
+- } catch(UnknownHostException e) {
++ } catch (UnknownHostException e) {
+ }
+
+ return iAddr;
+- } catch(SocketException e) {
++ } catch (SocketException e) {
+ return null;
+ }
+ }
++
+ private native int getPeerAddressNative() throws SocketException;
+
+ /**
+@@ -348,20 +353,21 @@
+ try {
+
+ lAddr = InetAddress.getByAddress(address);
+- } catch(UnknownHostException e) {
++ } catch (UnknownHostException e) {
+ }
+
+ return lAddr;
+- } catch(SocketException e) {
++ } catch (SocketException e) {
+ return null;
+ }
+ }
++
+ private native int getLocalAddressNative() throws SocketException;
+
+ public int getLocalPort() {
+ try {
+ return getLocalPortNative();
+- } catch(SocketException e) {
++ } catch (SocketException e) {
+ return 0;
+ }
+ }
+@@ -369,18 +375,16 @@
+ private native int getLocalPortNative() throws SocketException;
+
+ void requireClientAuth(boolean require, boolean onRedo)
+- throws SocketException
+- {
+- if( require && !requestingClientAuth ) {
++ throws SocketException {
++ if (require && !requestingClientAuth) {
+ requestClientAuth(true);
+ }
+ setSSLOption(SSL_REQUIRE_CERTIFICATE, require ? (onRedo ? 1 : 2) : 0);
+ }
+
+ void requireClientAuth(int mode)
+- throws SocketException
+- {
+- if(mode > 0 && !requestingClientAuth ) {
++ throws SocketException {
++ if (mode > 0 && !requestingClientAuth) {
+ requestClientAuth(true);
+ }
+ setSSLOptionMode(SocketBase.SSL_REQUIRE_CERTIFICATE, mode);
+@@ -390,52 +394,52 @@
+ * Sets the nickname of the certificate to use for client authentication.
+ */
+ public void setClientCertNickname(String nick) throws SocketException {
+- try {
+- setClientCert( CryptoManager.getInstance().findCertByNickname(nick) );
+- } catch(CryptoManager.NotInitializedException nie) {
+- throw new SocketException("CryptoManager not initialized");
+- } catch(ObjectNotFoundException onfe) {
+- throw new SocketException("Object not found: " + onfe);
+- } catch(TokenException te) {
+- throw new SocketException("Token Exception: " + te);
+- }
++ try {
++ setClientCert(CryptoManager.getInstance().findCertByNickname(nick));
++ } catch (CryptoManager.NotInitializedException nie) {
++ throw new SocketException("CryptoManager not initialized");
++ } catch (ObjectNotFoundException onfe) {
++ throw new SocketException("Object not found: " + onfe);
++ } catch (TokenException te) {
++ throw new SocketException("Token Exception: " + te);
++ }
+ }
+
+ native void setClientCert(org.mozilla.jss.crypto.X509Certificate cert)
+- throws SocketException;
++ throws SocketException;
+
+ void useCache(boolean b) throws SocketException {
+ setSSLOption(SSL_NO_CACHE, !b);
+ }
+
+ static Throwable processExceptions(Throwable topException,
+- Throwable bottomException)
+- {
+- try {
+- StringBuffer strBuf;
+- strBuf = new StringBuffer( topException.toString() );
++ Throwable bottomException) {
++ try {
++ StringBuffer strBuf;
++ strBuf = new StringBuffer(topException.toString());
+
+- if( bottomException != null ) {
+- strBuf.append(" --> ");
+- strBuf.append( bottomException.toString() );
++ if (bottomException != null) {
++ strBuf.append(" --> ");
++ strBuf.append(bottomException.toString());
++ }
++
++ Class excepClass = topException.getClass();
++ Class stringClass = java.lang.String.class;
++ Constructor cons = excepClass.getConstructor(new Class[] { stringClass });
++
++ return (Throwable) cons.newInstance(new Object[] { strBuf.toString() });
++ } catch (Exception e) {
++ Assert.notReached("Problem constructing exception container");
++ return topException;
+ }
+-
+- Class excepClass = topException.getClass();
+- Class stringClass = java.lang.String.class;
+- Constructor cons = excepClass.getConstructor(new Class[] {stringClass});
+-
+- return (Throwable) cons.newInstance(new Object[] { strBuf.toString() });
+- } catch(Exception e ) {
+- Assert.notReached("Problem constructing exception container");
+- return topException;
+- }
+ }
+
+ static private int supportsIPV6 = -1;
++
+ static boolean supportsIPV6() {
+
+- if(supportsIPV6 >= 0) {
+- if(supportsIPV6 > 0) {
++ if (supportsIPV6 >= 0) {
++ if (supportsIPV6 > 0) {
+ return true;
+ } else {
+ return false;
+@@ -444,28 +448,25 @@
+
+ Enumeration netInter;
+ try {
+- netInter = NetworkInterface.getNetworkInterfaces();
+- } catch (SocketException e) {
++ netInter = NetworkInterface.getNetworkInterfaces();
++ } catch (SocketException e) {
+
+- return false;
++ return false;
+ }
+- while ( netInter.hasMoreElements() )
+- {
+- NetworkInterface ni = (NetworkInterface)netInter.nextElement();
++ while (netInter.hasMoreElements()) {
++ NetworkInterface ni = (NetworkInterface) netInter.nextElement();
+ Enumeration addrs = ni.getInetAddresses();
+- while ( addrs.hasMoreElements() )
+- {
+- Object o = addrs.nextElement();
+- if ( o.getClass() == InetAddress.class ||
+- o.getClass() == Inet4Address.class ||
+- o.getClass() == Inet6Address.class )
+- {
+- InetAddress iaddr = (InetAddress) o;
+- if(o.getClass() == Inet6Address.class) {
+- supportsIPV6 = 1;
+- return true;
+- }
+- }
++ while (addrs.hasMoreElements()) {
++ Object o = addrs.nextElement();
++ if (o.getClass() == InetAddress.class ||
++ o.getClass() == Inet4Address.class ||
++ o.getClass() == Inet6Address.class) {
++ InetAddress iaddr = (InetAddress) o;
++ if (o.getClass() == Inet6Address.class) {
++ supportsIPV6 = 1;
++ return true;
++ }
++ }
+ }
+ }
+ supportsIPV6 = 0;
+# HG changeset patch
+# User "Endi S. Dewata" <edewata at redhat.com>
+# Date 1509154824 -7200
+# Sat Oct 28 03:40:24 2017 +0200
+# Node ID ca2c2fcfaf207f87c3c69e493f2b30fd0a088e95
+# Parent 837c79476110ecd4bf6b507faad50edb9eed7e7e
+Fixed SocketBase.setClientCertNickname() exception handling.
+Previously the SocketBase.setClientCertNickname() would catch
+the original exception and throw a SocketException instead.
+The original stack trace was lost since SocketException does not
+support chaining.
+
+The code has been modified to throw a RuntimeException instead
+and chain the original exception. This way the original stack
+trace can be preserved to help troubleshooting.
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=1408057
+
+diff --git a/org/mozilla/jss/ssl/SocketBase.java b/org/mozilla/jss/ssl/SocketBase.java
+--- a/jss/org/mozilla/jss/ssl/SocketBase.java
++++ b/jss/org/mozilla/jss/ssl/SocketBase.java
+@@ -4,17 +4,21 @@
+
+ package org.mozilla.jss.ssl;
+
+-import java.net.*;
++import java.io.IOException;
++import java.lang.reflect.Constructor;
++import java.net.Inet4Address;
++import java.net.Inet6Address;
++import java.net.InetAddress;
++import java.net.NetworkInterface;
+ import java.net.SocketException;
+-import java.io.*;
+-import java.io.IOException;
+-import java.util.Vector;
++import java.net.UnknownHostException;
+ import java.util.Enumeration;
+-import java.lang.reflect.Constructor;
+-import org.mozilla.jss.util.Assert;
++
+ import org.mozilla.jss.CryptoManager;
+ import org.mozilla.jss.crypto.ObjectNotFoundException;
+ import org.mozilla.jss.crypto.TokenException;
++import org.mozilla.jss.crypto.X509Certificate;
++import org.mozilla.jss.util.Assert;
+
+ class SocketBase {
+
+@@ -395,13 +399,18 @@
+ */
+ public void setClientCertNickname(String nick) throws SocketException {
+ try {
+- setClientCert(CryptoManager.getInstance().findCertByNickname(nick));
++ CryptoManager cm = CryptoManager.getInstance();
++ X509Certificate cert = cm.findCertByNickname(nick);
++ setClientCert(cert);
++
+ } catch (CryptoManager.NotInitializedException nie) {
+- throw new SocketException("CryptoManager not initialized");
++ throw new RuntimeException(nie);
++
+ } catch (ObjectNotFoundException onfe) {
+- throw new SocketException("Object not found: " + onfe);
++ throw new RuntimeException(onfe);
++
More information about the Pkg-fedora-ds-maintainers
mailing list