Commits on Source (23)
-
Alexander Scheel authored
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
731b62d4 -
Alexander Scheel authored
PR_GetErrorText doesn't return useful information all the time; PR_ErrorToName always returns the constant name when possible. Signed-off-by: Alexander Scheel <ascheel@redhat.com>
88fa55a9 -
Alexander Scheel authored
SSL_ConfigServerCert (exposed as jss.nss.SSL.ConfigServerCert) is the more modern form of SSL_ConfigSecureServer. Implement the wrapper with no additional data (i.e., default configuration) and test it. Also test ECDSA signed certificates in both C and Java BufferPRFD test suites. Deprecate SSL_ConfigSecureServer as well. Signed-off-by: Alexander Scheel <ascheel@redhat.com>
de594c30 -
Alexander Scheel authored
GetErrorText() and ErrorToName(...) previously returned byte[]; return String as they're most likely to be used in conjunction with other Strings. Signed-off-by: Alexander Scheel <ascheel@redhat.com>
182add54 -
Alexander Scheel authored
In SSLServerSocket, we use the deprecated form, SSL_ConfigSecureServer. Switch to using the newer form, SSL_ConfigServerCert. This also saves us a call to check the KEA usage. Signed-off-by: Alexander Scheel <ascheel@redhat.com>
e6638fd2 -
Alexander Scheel authored
A CERTCertList is roughly equivalent to a PK11Cert[] array. Add a helper function for wrapping a CERTCertList into a PK11Cert[] jobjectArray item. This largely mirrors the JSS_PK11_wrapCert helper function. Signed-off-by: Alexander Scheel <ascheel@redhat.com>
917c41ef -
Alexander Scheel authored
These two functions are necessary for introspecting the results of a SSL handshake with client authentication and useful for SSLSession support. Adds a test to the TestBufferPRFD method to check their status. Signed-off-by: Alexander Scheel <ascheel@redhat.com>
0b6924d1 -
Alexander Scheel authored
When the handshake fails to complete in a certain number of steps, terminate it. We set this limit as 40 as it should be significantly larger than the number of required steps (since the buffer limit is at 2048, we'd expect no more than 10 steps, even with a large certificate or chain). Signed-off-by: Alexander Scheel <ascheel@redhat.com>
d634b1ee -
Endi S. Dewata authored
The Password class has been modified to store the location where it was created initially. If the Password object is garbage collected without being cleared first, it will display a warning message showing the location of the offending code.
b201d95a -
Endi S. Dewata authoredadc2889a
-
Endi S. Dewata authored
The MacData has been modified to call PBEKeyGenParams.clear() in a finally block to ensure that the password is cleared.
641a0539 -
Alexander Scheel authored
Certain tests are guaranteed to fail in FIPS mode. Add an environment variable, FIPS_ENABLED, to not enable them on CMake. Also support passing it as a CMake option. Signed-off-by: Alexander Scheel <ascheel@redhat.com>
739ed78b -
Alexander Scheel authored
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
2007096b -
Alexander Scheel authored
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
a1de8685 -
Alexander Scheel authored
On systems with case-insensitive file systems, cloning will likely fail as there's two files with the "same" name but different contents: HmacTest.java and HMACTest.java. Rename the latter, which attempts to test different providers, to CrossHMACTest. Signed-off-by: Alexander Scheel <ascheel@redhat.com>
c3c69c08 -
Alexander Scheel authored
Since 4.5.1, we've replaced the test suite runner with a CMake/ctest implementation. At this point, we're preferring SSLEngine over SSLSocket, so keeping the last few remaining test cases in all.pl (that we're not running anyways) doesn't do much. tests/all.pl is tracked in the jss archive for historical reference: https://github.com/dogtagpki/jss-archive/blob/master/org/mozilla/jss/tests/all.pl Signed-off-by: Alexander Scheel <ascheel@redhat.com>
18598df6 -
Alexander Scheel authored
We need to map PKCS11 Constants between their names and their values and also between their values and Algorithm identifiers. To do so, we add PKCS11Algorithm which enumerates identifiers common to both Algorithm and PKCS11Constants. This will let us call into the NSS API with the correct constant identifier from PKCS11, when needed. Signed-off-by: Alexander Scheel <ascheel@redhat.com>
2ff3bbd0 -
Alexander Scheel authored
Also changes the type of Algorithm's fields from short to int to better match the underlying type and the type of oidIndex. Signed-off-by: Alexander Scheel <ascheel@redhat.com>
694614b1 -
Alexander Scheel authored
In SymmetricKey.java, SHA-1 HMAC was defined as PBA_SHA1_HMAC, a version of HMAC for extending a password (using a salt) and turning it into a key. Usually when one requests HMAC, one expects vanilla HMAC; use this instead. We expose the old SHA1_HMAC (with PBA) as PBA_SHA1_HMAC now. Note that later SHA-2 and SHA-3 algorithms lack PBA-based HMACs (in PKCS v2.40 and v3.0 standards). Signed-off-by: Alexander Scheel <ascheel@redhat.com>
b15d9044 -
Alexander Scheel authored
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
68bd9a70 -
Robert Förster authored
Signed-off-by: Robert Förster <Dessa@gmake.de>
f7405a1e -
Alexander Scheel authored
This extends our interfaces to be compatible with the default JDK interfaces whenever possible. In particular: - jss.crypto.SymmetricKey now extends javax.crypto.SecretKey - jss.pkcs11.PK11Key now implements java.security.Key A few clarifying comments have been added where necessary. Signed-off-by: Alexander Scheel <ascheel@redhat.com>
029d0a64 -
Alexander Scheel authored
This version of JSS has a few enhancements over v4.6.0: - Fixed LD_FLAG handling, - Extensions to the unfinished org.mozilla.jss.nss interface, - Better handling of uncleared passwords (by @edewata), - Better test handling in FIPS mode, - Changes to SymmetricKey and HMAC handling, - Fix typo in JUnit CMake variable (by @Dessa). Thanks to everyone who contributed to this release! Signed-off-by: Alexander Scheel <ascheel@redhat.com>
org/mozilla/jss/crypto/PKCS11Algorithm.java
0 → 100644