Skip to content
Commits on Source (23)
......@@ -14,6 +14,11 @@ if (DEFINED ENV{CHECK_DEPRECATION})
list(APPEND JSS_JAVAC_FLAGS "-Xlint:deprecation")
endif()
if (DEFINED ENV{FIPS_ENABLED})
set(FIPS_ENABLED_ENV TRUE)
endif()
option(FIPS_ENABLED "When enabled, disable certain tests which don't work in FIPS mode. This should only be specified when the host system is in FIPS mode." ${FIPS_ENABLED_ENV})
# Build a debug build by default when no type is specified on the command line
if(NOT (DEFINED CMAKE_BUILD_TYPE))
set(CMAKE_BUILD_TYPE "Debug")
......
......@@ -2,7 +2,7 @@ macro(jss_config)
# Set the current JSS release number. Arguments are:
# MAJOR MINOR PATCH BETA
# When BETA is zero, it isn't a beta release.
jss_config_version(4 6 0 0)
jss_config_version(4 6 1 0)
# Configure output directories
jss_config_outputs()
......@@ -174,6 +174,11 @@ macro(jss_config_ldflags)
list(APPEND JSS_LD_FLAGS "-lpthread")
list(APPEND JSS_LD_FLAGS "-ldl")
separate_arguments(PASSED_LD_FLAGS UNIX_COMMAND "${CMAKE_SHARED_LINKER_FLAGS}")
foreach(PASSED_LD_FLAG ${PASSED_LD_FLAGS})
list(INSERT JSS_LD_FLAGS 0 "${PASSED_LD_FLAG}")
endforeach()
# This set of flags is specific to building the libjss library.
list(APPEND JSS_LIBRARY_FLAGS "-shared")
list(APPEND JSS_LIBRARY_FLAGS "-Wl,-z,defs")
......@@ -181,6 +186,9 @@ macro(jss_config_ldflags)
list(APPEND JSS_LIBRARY_FLAGS "-Wl,${JSS_SO}")
set(JSS_VERSION_SCRIPT "-Wl,--version-script,${PROJECT_SOURCE_DIR}/lib/jss.map")
message(STATUS "JSS LD FLAGS: ${JSS_LD_FLAGS}")
message(STATUS "JSS LIBRARY FLAGS: ${JSS_LIBRARY_FLAGS}")
endmacro()
macro(jss_config_java)
......@@ -235,7 +243,7 @@ macro(jss_config_java)
message(WARNING "Test dependency sfl4j-jdk14.jar not found by find_jar! Tests might not run properly.")
endif()
if(JUINT4_JAR STREQUAL "JUNIT4_JAR-NOTFOUND")
if(JUNIT4_JAR STREQUAL "JUNIT4_JAR-NOTFOUND")
message(FATAL_ERROR "Test dependency junit4.jar not found by find_jar! Tests will not compile.")
endif()
......
......@@ -91,11 +91,6 @@ macro(jss_tests)
NAME "JSS_Test_Buffer"
COMMAND "org.mozilla.jss.tests.TestBuffer"
)
jss_test_java(
NAME "JSS_Test_BufferPRFD"
COMMAND "org.mozilla.jss.tests.TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
DEPENDS "List_CA_certs"
)
if ((${Java_VERSION_MAJOR} EQUAL 1) AND (${Java_VERSION_MINOR} LESS 9))
jss_test_java(
NAME "Test_PKCS11Constants.java_for_Sun_compatibility"
......@@ -180,21 +175,11 @@ macro(jss_tests)
COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH}" "50"
DEPENDS "List_CA_certs"
)
jss_test_exec(
NAME "TestBufferPRFD"
COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
)
jss_test_java(
NAME "Key_Generation"
COMMAND "org.mozilla.jss.tests.TestKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Setup_DBs"
)
jss_test_java(
NAME "Key_Factory"
COMMAND "org.mozilla.jss.tests.KeyFactoryTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Setup_DBs"
)
jss_test_java(
NAME "Digest"
COMMAND "org.mozilla.jss.tests.DigestTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
......@@ -202,12 +187,7 @@ macro(jss_tests)
)
jss_test_java(
NAME "HMAC"
COMMAND "org.mozilla.jss.tests.HMACTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Setup_DBs"
)
jss_test_java(
NAME "HMAC_Unwrap"
COMMAND "org.mozilla.jss.tests.HmacTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
COMMAND "org.mozilla.jss.tests.CrossHMACTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Setup_DBs"
)
jss_test_java(
......@@ -250,84 +230,111 @@ macro(jss_tests)
COMMAND "org.mozilla.jss.tests.SymKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}"
DEPENDS "Setup_DBs"
)
jss_test_java(
NAME "Mozilla_JSS_Secret_Key_Generation"
COMMAND "org.mozilla.jss.tests.JCASymKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}"
DEPENDS "Setup_DBs"
)
jss_test_java(
NAME "JSSProvider"
COMMAND "org.mozilla.jss.tests.JSSProvider" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "List_CA_certs"
)
# FIPS-related tests
jss_test_java(
NAME "Enable_FipsMODE"
COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "enable"
DEPENDS "Setup_FIPS_DBs"
)
jss_test_java(
NAME "check_FipsMODE"
COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "chkfips"
DEPENDS "Enable_FipsMODE"
)
jss_test_java(
NAME "SSLClientAuth_FIPSMODE"
COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH_FIPS}" "60"
DEPENDS "Enable_FipsMODE"
)
jss_test_java(
NAME "HMAC_FIPSMODE"
COMMAND "org.mozilla.jss.tests.HMACTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Enable_FipsMODE"
)
jss_test_java(
NAME "KeyWrapping_FIPSMODE"
COMMAND "org.mozilla.jss.tests.JCAKeyWrap" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Enable_FipsMODE"
)
jss_test_java(
NAME "Mozilla_JSS_JCA_Signature_FIPSMODE"
COMMAND "org.mozilla.jss.tests.JCASigTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Enable_FipsMODE"
)
jss_test_java(
NAME "JSS_Signature_test_FipsMODE"
COMMAND "org.mozilla.jss.tests.SigTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Enable_FipsMODE"
)
if(NOT FIPS_ENABLED)
jss_test_java(
NAME "Key_Factory"
COMMAND "org.mozilla.jss.tests.KeyFactoryTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Setup_DBs"
)
jss_test_java(
NAME "HMAC_Unwrap"
COMMAND "org.mozilla.jss.tests.HmacTest" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Setup_DBs"
)
jss_test_java(
NAME "Mozilla_JSS_Secret_Key_Generation"
COMMAND "org.mozilla.jss.tests.JCASymKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}"
DEPENDS "Setup_DBs"
)
# Since we need to disable FIPS mode _after_ all FIPS-mode tests have
# run, we have to add a strict dependency from Disable_FipsMODE onto all
# FIPS-related checks.
jss_test_java(
NAME "Disable_FipsMODE"
COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "disable"
DEPENDS "check_FipsMODE" "SSLClientAuth_FIPSMODE" "HMAC_FIPSMODE" "KeyWrapping_FIPSMODE" "Mozilla_JSS_JCA_Signature_FIPSMODE" "JSS_Signature_test_FipsMODE"
)
# SSL Engine related tests
jss_test_exec(
NAME "TestBufferPRFD_RSA"
COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}" "Server_RSA"
DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
)
jss_test_exec(
NAME "TestBufferPRFD_ECDSA"
COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}" "Server_ECDSA"
DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
)
jss_test_java(
NAME "JSS_Test_BufferPRFD"
COMMAND "org.mozilla.jss.tests.TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
DEPENDS "List_CA_certs"
)
# FIPS-related tests
jss_test_java(
NAME "Enable_FipsMODE"
COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "enable"
DEPENDS "Setup_FIPS_DBs"
)
jss_test_java(
NAME "check_FipsMODE"
COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "chkfips"
DEPENDS "Enable_FipsMODE"
)
jss_test_java(
NAME "SSLClientAuth_FIPSMODE"
COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH_FIPS}" "60"
DEPENDS "Enable_FipsMODE"
)
jss_test_java(
NAME "HMAC_FIPSMODE"
COMMAND "org.mozilla.jss.tests.CrossHMACTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Enable_FipsMODE"
)
jss_test_java(
NAME "KeyWrapping_FIPSMODE"
COMMAND "org.mozilla.jss.tests.JCAKeyWrap" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Enable_FipsMODE"
)
jss_test_java(
NAME "Mozilla_JSS_JCA_Signature_FIPSMODE"
COMMAND "org.mozilla.jss.tests.JCASigTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Enable_FipsMODE"
)
jss_test_java(
NAME "JSS_Signature_test_FipsMODE"
COMMAND "org.mozilla.jss.tests.SigTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "Enable_FipsMODE"
)
# Since we need to disable FIPS mode _after_ all FIPS-mode tests have
# run, we have to add a strict dependency from Disable_FipsMODE onto all
# FIPS-related checks.
jss_test_java(
NAME "Disable_FipsMODE"
COMMAND "org.mozilla.jss.tests.FipsTest" "${RESULTS_NSSDB_FIPS_OUTPUT_DIR}" "disable"
DEPENDS "check_FipsMODE" "SSLClientAuth_FIPSMODE" "HMAC_FIPSMODE" "KeyWrapping_FIPSMODE" "Mozilla_JSS_JCA_Signature_FIPSMODE" "JSS_Signature_test_FipsMODE"
)
endif()
jss_test_java(
NAME "JUnit_GenericValueConverterTest"
COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.GenericValueConverterTest"
DEPENDS "Disable_FipsMODE"
)
jss_test_java(
NAME "JUnit_IA5StringConverterTest"
COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.IA5StringConverterTest"
DEPENDS "Disable_FipsMODE"
)
jss_test_java(
NAME "JUnit_PrintableConverterTest"
COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.PrintableConverterTest"
DEPENDS "Disable_FipsMODE"
)
# For compliance with several
add_custom_target(
check
DEPENDS test
check
DEPENDS test
)
endmacro()
......
......@@ -6,7 +6,7 @@ Summary: Java Security Services (JSS)
URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+
Version: 4.6.0
Version: 4.6.1
Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
# global _phase -a1
......@@ -106,6 +106,9 @@ export BUILD_OPT=1
CFLAGS="-g $RPM_OPT_FLAGS"
export CFLAGS
# Check if we're in FIPS mode
modutil -dbdir /etc/pki/nssdb -chkfips true | grep -q enabled && export FIPS_ENABLED=1
# The Makefile is not thread-safe
rm -rf build && mkdir -p build && cd build
%cmake \
......
......@@ -348,7 +348,8 @@ Java_org_mozilla_jss_nss_PR_NewTCPSocket;
Java_org_mozilla_jss_nss_PR_NewBufferPRFD;
Java_org_mozilla_jss_nss_PR_Shutdown;
Java_org_mozilla_jss_nss_PR_GetError;
Java_org_mozilla_jss_nss_PR_GetErrorText;
Java_org_mozilla_jss_nss_PR_GetErrorTextNative;
Java_org_mozilla_jss_nss_PR_ErrorToNameNative;
Java_org_mozilla_jss_nss_PR_getPRShutdownRcv;
Java_org_mozilla_jss_nss_PR_getPRShutdownSend;
Java_org_mozilla_jss_nss_PR_getPRShutdownBoth;
......@@ -369,7 +370,10 @@ Java_org_mozilla_jss_nss_SSL_SecurityStatus;
Java_org_mozilla_jss_nss_SSL_ResetHandshake;
Java_org_mozilla_jss_nss_SSL_ForceHandshake;
Java_org_mozilla_jss_nss_SSL_ConfigSecureServer;
Java_org_mozilla_jss_nss_SSL_ConfigServerCert;
Java_org_mozilla_jss_nss_SSL_ConfigServerSessionIDCache;
Java_org_mozilla_jss_nss_SSL_PeerCertificate;
Java_org_mozilla_jss_nss_SSL_PeerCertificateChain;
Java_org_mozilla_jss_nss_SSL_getSSLRequestCertificate;
Java_org_mozilla_jss_nss_SSL_getSSLRequireCertificate;
Java_org_mozilla_jss_nss_SSL_getSSLSECSuccess;
......
......@@ -236,6 +236,10 @@ public final class JSSProvider extends java.security.Provider {
put("Mac.HmacSHA512",
"org.mozilla.jss.provider.javax.crypto.JSSMacSpi$HmacSHA512");
put("Alg.Alias.Mac.Hmac-SHA512", "HmacSHA512");
put("Alg.Alias.Mac.SHA-1-HMAC", "HmacSHA1");
put("Alg.Alias.Mac.SHA-256-HMAC", "HmacSHA256");
put("Alg.Alias.Mac.SHA-384-HMAC", "HmacSHA384");
put("Alg.Alias.Mac.SHA-512-HMAC", "HmacSHA512");
/////////////////////////////////////////////////////////////
......
......@@ -94,8 +94,11 @@ JSS_AlgInfo JSS_AlgTable[NUM_ALGS] = {
/* 64 */ {SEC_OID_AES_256_CBC, SEC_OID_TAG},
/* the CKM_AES_KEY_WRAP_* have different defs than CKM_NSS_AES_KEY_WRAP_* */
/* 65 */ {CKM_AES_KEY_WRAP, PK11_MECH},
/* 66 */ {CKM_AES_KEY_WRAP_PAD, PK11_MECH}
/* REMEMBER TO UPDATE NUM_ALGS!!! */
/* 66 */ {CKM_AES_KEY_WRAP_PAD, PK11_MECH},
/* 67 */ {CKM_SHA256_HMAC, PK11_MECH},
/* 68 */ {CKM_SHA384_HMAC, PK11_MECH},
/* 69 */ {CKM_SHA512_HMAC, PK11_MECH}
/* REMEMBER TO UPDATE NUM_ALGS!!! (in Algorithm.h) */
};
/***********************************************************************
......
......@@ -24,7 +24,7 @@ typedef struct JSS_AlgInfoStr {
JSS_AlgType type;
} JSS_AlgInfo;
#define NUM_ALGS 67
#define NUM_ALGS 70
extern JSS_AlgInfo JSS_AlgTable[];
extern CK_ULONG JSS_symkeyUsage[];
......
......@@ -127,6 +127,10 @@ public class Algorithm {
return false;
}
public PKCS11Algorithm getEnum() {
return PKCS11Algorithm.valueOfIndex(this.oidIndex);
}
/**
* Index into the SECOidTag array in Algorithm.c.
*/
......@@ -144,91 +148,97 @@ public class Algorithm {
new OBJECT_IDENTIFIER( new long[] { 1, 2, 840, 10045 } );
// Algorithm indices. These must be kept in sync with the
// algorithm array in Algorithm.c.
protected static final short SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION=0;
protected static final short SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION=1;
protected static final short SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION=2;
protected static final short SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST=3;
protected static final short SEC_OID_PKCS1_RSA_ENCRYPTION=4;
protected static final short CKM_RSA_PKCS_KEY_PAIR_GEN=5;
protected static final short CKM_DSA_KEY_PAIR_GEN=6;
protected static final short SEC_OID_ANSIX9_DSA_SIGNATURE=7;
protected static final short SEC_OID_RC4=8;
protected static final short SEC_OID_DES_ECB=9;
protected static final short SEC_OID_DES_CBC=10;
protected static final short CKM_DES_CBC_PAD=11;
protected static final short CKM_DES3_ECB=12;
protected static final short SEC_OID_DES_EDE3_CBC=13;
protected static final short CKM_DES3_CBC_PAD=14;
protected static final short CKM_DES_KEY_GEN=15;
protected static final short CKM_DES3_KEY_GEN=16;
protected static final short CKM_RC4_KEY_GEN=17;
protected static final short SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC=18;
protected static final short SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC=19;
protected static final short SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC=20;
protected static final short
// algorithm array in Algorithm.c. Any PKCS11 Algorithms must be added
// to the org.mozilla.jss.crypto.PKCS11Algorithm enum.
protected static final int SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION=0;
protected static final int SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION=1;
protected static final int SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION=2;
protected static final int SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST=3;
protected static final int SEC_OID_PKCS1_RSA_ENCRYPTION=4;
protected static final int CKM_RSA_PKCS_KEY_PAIR_GEN=5;
protected static final int CKM_DSA_KEY_PAIR_GEN=6;
protected static final int SEC_OID_ANSIX9_DSA_SIGNATURE=7;
protected static final int SEC_OID_RC4=8;
protected static final int SEC_OID_DES_ECB=9;
protected static final int SEC_OID_DES_CBC=10;
protected static final int CKM_DES_CBC_PAD=11;
protected static final int CKM_DES3_ECB=12;
protected static final int SEC_OID_DES_EDE3_CBC=13;
protected static final int CKM_DES3_CBC_PAD=14;
protected static final int CKM_DES_KEY_GEN=15;
protected static final int CKM_DES3_KEY_GEN=16;
protected static final int CKM_RC4_KEY_GEN=17;
protected static final int SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC=18;
protected static final int SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC=19;
protected static final int SEC_OID_PKCS5_PBE_WITH_SHA1_AND_DES_CBC=20;
protected static final int
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC4=21;
protected static final short
protected static final int
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4=22;
protected static final short
protected static final int
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC=23;
protected static final short SEC_OID_MD2=24;
protected static final short SEC_OID_MD5=25;
protected static final short SEC_OID_SHA1=26;
protected static final short CKM_SHA_1_HMAC=27;
protected static final short
protected static final int SEC_OID_MD2=24;
protected static final int SEC_OID_MD5=25;
protected static final int SEC_OID_SHA1=26;
protected static final int CKM_SHA_1_HMAC=27;
protected static final int
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC=28;
protected static final short
protected static final int
SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC=29;
protected static final short SEC_OID_RC2_CBC=30;
protected static final short CKM_PBA_SHA1_WITH_SHA1_HMAC=31;
protected static final int SEC_OID_RC2_CBC=30;
protected static final int CKM_PBA_SHA1_WITH_SHA1_HMAC=31;
// AES
protected static final short CKM_AES_KEY_GEN=32;
protected static final short CKM_AES_ECB=33;
protected static final short CKM_AES_CBC=34;
protected static final short CKM_AES_CBC_PAD=35;
protected static final short CKM_RC2_CBC_PAD=36;
protected static final short CKM_RC2_KEY_GEN=37;
protected static final int CKM_AES_KEY_GEN=32;
protected static final int CKM_AES_ECB=33;
protected static final int CKM_AES_CBC=34;
protected static final int CKM_AES_CBC_PAD=35;
protected static final int CKM_RC2_CBC_PAD=36;
protected static final int CKM_RC2_KEY_GEN=37;
//FIPS 180-2
protected static final short SEC_OID_SHA256=38;
protected static final short SEC_OID_SHA384=39;
protected static final short SEC_OID_SHA512=40;
protected static final short SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION=41;
protected static final short SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION=42;
protected static final short SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION=43;
protected static final short SEC_OID_ANSIX962_EC_PUBLIC_KEY=44;
protected static final short SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE=45;
protected static final short CKM_EC_KEY_PAIR_GEN=46;
protected static final short SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47;
protected static final short SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
protected static final short SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
protected static final short SEC_OID_HMAC_SHA256=50;
protected static final short SEC_OID_HMAC_SHA384=51;
protected static final short SEC_OID_HMAC_SHA512=52;
protected static final int SEC_OID_SHA256=38;
protected static final int SEC_OID_SHA384=39;
protected static final int SEC_OID_SHA512=40;
protected static final int SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION=41;
protected static final int SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION=42;
protected static final int SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION=43;
protected static final int SEC_OID_ANSIX962_EC_PUBLIC_KEY=44;
protected static final int SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE=45;
protected static final int CKM_EC_KEY_PAIR_GEN=46;
protected static final int SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE=47;
protected static final int SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE=48;
protected static final int SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE=49;
protected static final int SEC_OID_HMAC_SHA256=50;
protected static final int SEC_OID_HMAC_SHA384=51;
protected static final int SEC_OID_HMAC_SHA512=52;
//PKCS5 V2
protected static final short SEC_OID_PKCS5_PBKDF2=53;
protected static final short SEC_OID_PKCS5_PBES2=54;
protected static final short SEC_OID_PKCS5_PBMAC1=55;
protected static final short SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=56;
protected static final int SEC_OID_PKCS5_PBKDF2=53;
protected static final int SEC_OID_PKCS5_PBES2=54;
protected static final int SEC_OID_PKCS5_PBMAC1=55;
protected static final int SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST=56;
// NSS AES KeyWrap
protected static final short CKM_NSS_AES_KEY_WRAP=57;
protected static final short CKM_NSS_AES_KEY_WRAP_PAD=58;
protected static final int CKM_NSS_AES_KEY_WRAP=57;
protected static final int CKM_NSS_AES_KEY_WRAP_PAD=58;
// AES Encryption Algorithms
protected static final short SEC_OID_AES_128_ECB = 59;
protected static final short SEC_OID_AES_128_CBC = 60;
protected static final short SEC_OID_AES_192_ECB = 61;
protected static final short SEC_OID_AES_192_CBC = 62;
protected static final short SEC_OID_AES_256_ECB = 63;
protected static final short SEC_OID_AES_256_CBC = 64;
protected static final int SEC_OID_AES_128_ECB = 59;
protected static final int SEC_OID_AES_128_CBC = 60;
protected static final int SEC_OID_AES_192_ECB = 61;
protected static final int SEC_OID_AES_192_CBC = 62;
protected static final int SEC_OID_AES_256_ECB = 63;
protected static final int SEC_OID_AES_256_CBC = 64;
// PKCS#11 AES KeyWrap
// These underlying defs are currently different from the NSS AES KeyWrap
protected static final short CKM_AES_KEY_WRAP=65;
protected static final short CKM_AES_KEY_WRAP_PAD=66;
protected static final int CKM_AES_KEY_WRAP=65;
protected static final int CKM_AES_KEY_WRAP_PAD=66;
// PKCS#11 SHA2 HMAC
protected static final int CKM_SHA256_HMAC=67;
protected static final int CKM_SHA384_HMAC=68;
protected static final int CKM_SHA512_HMAC=69;
}
......@@ -22,6 +22,11 @@ import org.mozilla.jss.util.Assert;
* call to <code>doFinal</code>.
*/
public abstract class Cipher {
// Note: Cipher can't extend javax.crypto.Cipher because it is part of the
// provider mechanism. In particular, it isn't an abstract class, many of
// the methods are marked final, and it expects to instantiate a CipherSpi
// class instead of be directly created like things which override our
// Cipher class expect (e.g., PK11Cipher). This is why JSSCipherSpi exists.
/**
* Initializes a encryption context with a symmetric key.
......
......@@ -108,6 +108,30 @@ public class KeyGenAlgorithm extends Algorithm {
"PBA/SHA1/HMAC", new FixedKeyStrengthValidator(160),
null, PBEKeyGenParams.class );
public static final KeyGenAlgorithm
SHA1_HMAC = new KeyGenAlgorithm(
CKM_SHA_1_HMAC,
"SHA1/HMAC", new FixedKeyStrengthValidator(160),
null, null );
public static final KeyGenAlgorithm
SHA256_HMAC = new KeyGenAlgorithm(
CKM_SHA256_HMAC,
"SHA256/HMAC", new FixedKeyStrengthValidator(256),
null, null );
public static final KeyGenAlgorithm
SHA384_HMAC = new KeyGenAlgorithm(
CKM_SHA384_HMAC,
"SHA384/HMAC", new FixedKeyStrengthValidator(384),
null, null );
public static final KeyGenAlgorithm
SHA512_HMAC = new KeyGenAlgorithm(
CKM_SHA512_HMAC,
"SHA512/HMAC", new FixedKeyStrengthValidator(512),
null, null );
//////////////////////////////////////////////////////////////
public static final KeyGenAlgorithm
AES = new KeyGenAlgorithm(CKM_AES_KEY_GEN, "AES",
......
package org.mozilla.jss.crypto;
import org.mozilla.jss.pkcs11.PKCS11Constants;
import org.mozilla.jss.crypto.Algorithm;
public enum PKCS11Algorithm {
CKM_AES_CBC (Algorithm.CKM_AES_CBC, PKCS11Constants.CKM_AES_CBC),
CKM_AES_CBC_PAD (Algorithm.CKM_AES_CBC_PAD, PKCS11Constants.CKM_AES_CBC_PAD),
CKM_AES_ECB (Algorithm.CKM_AES_ECB, PKCS11Constants.CKM_AES_ECB),
CKM_AES_KEY_GEN (Algorithm.CKM_AES_KEY_GEN, PKCS11Constants.CKM_AES_KEY_GEN),
CKM_DES3_CBC_PAD (Algorithm.CKM_DES3_CBC_PAD, PKCS11Constants.CKM_DES3_CBC_PAD),
CKM_DES3_ECB (Algorithm.CKM_DES3_ECB, PKCS11Constants.CKM_DES3_ECB),
CKM_DES3_KEY_GEN (Algorithm.CKM_DES3_KEY_GEN, PKCS11Constants.CKM_DES3_KEY_GEN),
CKM_DES_CBC_PAD (Algorithm.CKM_DES_CBC_PAD, PKCS11Constants.CKM_DES_CBC_PAD),
CKM_DES_KEY_GEN (Algorithm.CKM_DES_KEY_GEN, PKCS11Constants.CKM_DES_KEY_GEN),
CKM_DSA_KEY_PAIR_GEN (Algorithm.CKM_DSA_KEY_PAIR_GEN, PKCS11Constants.CKM_DSA_KEY_PAIR_GEN),
CKM_EC_KEY_PAIR_GEN (Algorithm.CKM_EC_KEY_PAIR_GEN, PKCS11Constants.CKM_EC_KEY_PAIR_GEN),
CKM_NSS_AES_KEY_WRAP (Algorithm.CKM_NSS_AES_KEY_WRAP, PKCS11Constants.CKM_NSS_AES_KEY_WRAP),
CKM_NSS_AES_KEY_WRAP_PAD (Algorithm.CKM_NSS_AES_KEY_WRAP_PAD, PKCS11Constants.CKM_NSS_AES_KEY_WRAP_PAD),
CKM_PBA_SHA1_WITH_SHA1_HMAC (Algorithm.CKM_PBA_SHA1_WITH_SHA1_HMAC, PKCS11Constants.CKM_PBA_SHA1_WITH_SHA1_HMAC),
CKM_RC2_CBC_PAD (Algorithm.CKM_RC2_CBC_PAD, PKCS11Constants.CKM_RC2_CBC_PAD),
CKM_RC2_KEY_GEN (Algorithm.CKM_RC2_KEY_GEN, PKCS11Constants.CKM_RC2_KEY_GEN),
CKM_RC4_KEY_GEN (Algorithm.CKM_RC4_KEY_GEN, PKCS11Constants.CKM_RC4_KEY_GEN),
CKM_RSA_PKCS_KEY_PAIR_GEN (Algorithm.CKM_RSA_PKCS_KEY_PAIR_GEN, PKCS11Constants.CKM_RSA_PKCS_KEY_PAIR_GEN),
CKM_SHA_1_HMAC (Algorithm.CKM_SHA_1_HMAC, PKCS11Constants.CKM_SHA_1_HMAC);
// Value from Algorithm's constant -- this is an index into Algorithm's
// table.
private int alg_index;
// Value from PKCS11Constants -- this is a constant defined in PKCS #11.
private long pk11_value;
private PKCS11Algorithm(int alg_index, long pk11_value) {
this.alg_index = alg_index;
this.pk11_value = pk11_value;
}
public int getIndex() {
return alg_index;
}
public long getValue() {
return pk11_value;
}
public static PKCS11Algorithm valueOfIndex(int index) {
for (PKCS11Algorithm alg : PKCS11Algorithm.values()) {
if (alg.alg_index == index) {
return alg;
}
}
return null;
}
public static PKCS11Algorithm valueOfConstant(long constant) {
for (PKCS11Algorithm alg : PKCS11Algorithm.values()) {
if (alg.pk11_value == constant) {
return alg;
}
}
return null;
}
}
......@@ -6,7 +6,7 @@ package org.mozilla.jss.crypto;
import java.security.NoSuchAlgorithmException;
import java.util.Hashtable;
public interface SymmetricKey {
public interface SymmetricKey extends javax.crypto.SecretKey {
public static final Type DES = Type.DES;
public static final Type DES3 = Type.DES3;
......@@ -63,6 +63,14 @@ public interface SymmetricKey {
public static final Type RC4 = new Type("RC4", KeyGenAlgorithm.RC4);
public static final Type RC2 = new Type("RC2", KeyGenAlgorithm.RC2);
public static final Type SHA1_HMAC = new Type("SHA1_HMAC",
KeyGenAlgorithm.SHA1_HMAC);
public static final Type SHA256_HMAC = new Type("SHA256_HMAC",
KeyGenAlgorithm.SHA256_HMAC);
public static final Type SHA384_HMAC = new Type("SHA384_HMAC",
KeyGenAlgorithm.SHA384_HMAC);
public static final Type SHA512_HMAC = new Type("SHA512_HMAC",
KeyGenAlgorithm.SHA512_HMAC);
public static final Type PBA_SHA1_HMAC = new Type("PBA_SHA1_HMAC",
KeyGenAlgorithm.PBA_SHA1_HMAC);
public static final Type AES = new Type("AES", KeyGenAlgorithm.AES);
......
......@@ -268,7 +268,7 @@ Java_org_mozilla_jss_nss_PR_GetError(JNIEnv *env, jclass clazz)
}
JNIEXPORT jbyteArray JNICALL
Java_org_mozilla_jss_nss_PR_GetErrorText(JNIEnv *env, jclass clazz)
Java_org_mozilla_jss_nss_PR_GetErrorTextNative(JNIEnv *env, jclass clazz)
{
ssize_t error_size;
char *error_text = NULL;
......@@ -292,6 +292,25 @@ Java_org_mozilla_jss_nss_PR_GetErrorText(JNIEnv *env, jclass clazz)
return result;
}
JNIEXPORT jbyteArray JNICALL
Java_org_mozilla_jss_nss_PR_ErrorToNameNative(JNIEnv *env, jclass clazz, jint error_code)
{
size_t error_size;
const char *error_name = NULL;
jbyteArray result = NULL;
PR_ASSERT(env != NULL);
error_name = PR_ErrorToName(error_code);
if (error_name == NULL) {
return NULL;
}
error_size = strlen(error_name);
result = JSS_ToByteArray(env, error_name, error_size);
return result;
}
JNIEXPORT int JNICALL
Java_org_mozilla_jss_nss_PR_getPRShutdownRcv(JNIEnv *env, jclass clazz)
{
......
......@@ -129,7 +129,31 @@ public class PR {
*
* See also: PR_GetErrorText in /usr/include/nspr4/prio.h
*/
public static native byte[] GetErrorText();
public static String GetErrorText() {
byte[] text = GetErrorTextNative();
if (text == null) {
return "";
}
return new String(text);
}
private static native byte[] GetErrorTextNative();
/**
* Get the constant name of the current PR error. This is cleared on each
* NSPR call.
*
* See also: PR_ErrorToName in /usr/include/nspr4/prio.h
*/
public static String ErrorToName(int code) {
byte[] name = ErrorToNameNative(code);
if (name == null) {
return "";
}
return new String(name);
}
private static native byte[] ErrorToNameNative(int code);
/* Internal methods for querying constants. */
private static native int getPRShutdownRcv();
......
#include <nspr.h>
#include <nss.h>
#include <ssl.h>
#include <sslerr.h>
#include <limits.h>
#include <stdint.h>
#include <jni.h>
......@@ -318,6 +319,31 @@ Java_org_mozilla_jss_nss_SSL_ConfigSecureServer(JNIEnv *env, jclass clazz,
return SSL_ConfigSecureServer(real_fd, real_cert, real_key, kea);
}
JNIEXPORT int JNICALL
Java_org_mozilla_jss_nss_SSL_ConfigServerCert(JNIEnv *env, jclass clazz,
jobject fd, jobject cert, jobject key)
{
PRFileDesc *real_fd = NULL;
CERTCertificate *real_cert = NULL;
SECKEYPrivateKey *real_key = NULL;
PR_ASSERT(env != NULL && fd != NULL);
if (JSS_PR_getPRFileDesc(env, fd, &real_fd) != PR_SUCCESS) {
return SECFailure;
}
if (JSS_PK11_getCertPtr(env, cert, &real_cert) != PR_SUCCESS) {
return SECFailure;
}
if (JSS_PK11_getPrivKeyPtr(env, key, &real_key) != PR_SUCCESS) {
return SECFailure;
}
return SSL_ConfigServerCert(real_fd, real_cert, real_key, NULL, 0);
}
JNIEXPORT int JNICALL
Java_org_mozilla_jss_nss_SSL_ConfigServerSessionIDCache(JNIEnv *env, jclass clazz,
jint maxCacheEntries, jlong timeout, jlong ssl3_timeout, jstring directory)
......@@ -336,6 +362,54 @@ Java_org_mozilla_jss_nss_SSL_ConfigServerSessionIDCache(JNIEnv *env, jclass claz
return ret;
}
JNIEXPORT jobject JNICALL
Java_org_mozilla_jss_nss_SSL_PeerCertificate(JNIEnv *env, jclass clazz,
jobject fd)
{
PRFileDesc *real_fd = NULL;
CERTCertificate *cert = NULL;
PR_ASSERT(env != NULL && fd != NULL);
if (JSS_PR_getPRFileDesc(env, fd, &real_fd) != PR_SUCCESS) {
return NULL;
}
cert = SSL_PeerCertificate(real_fd);
if (cert == NULL) {
return NULL;
}
return JSS_PK11_wrapCert(env, &cert);
}
JNIEXPORT jobjectArray JNICALL
Java_org_mozilla_jss_nss_SSL_PeerCertificateChain(JNIEnv *env, jclass clazz,
jobject fd)
{
PRFileDesc *real_fd = NULL;
CERTCertList *chain = NULL;
PR_ASSERT(env != NULL && fd != NULL);
if (JSS_PR_getPRFileDesc(env, fd, &real_fd) != PR_SUCCESS) {
return NULL;
}
chain = SSL_PeerCertificateChain(real_fd);
int error = PORT_GetError();
if (chain == NULL && error == SSL_ERROR_NO_CERTIFICATE) {
return NULL;
} else if (chain == NULL /* && error != SSL_ERROR_NO_CERTIFICATE */) {
JSS_throwMsgPrErrArg(env, SECURITY_EXCEPTION,
"Unable to construct peer certificate chain.", error);
return NULL;
}
return JSS_PK11_wrapCertChain(env, &chain);
}
JNIEXPORT jint JNICALL
Java_org_mozilla_jss_nss_SSL_getSSLRequestCertificate(JNIEnv *env, jclass clazz)
{
......
......@@ -142,11 +142,22 @@ public class SSL {
/**
* Configure the certificate and private key for a server socket.
*
* @deprecated replaced with ConfigServerCert
* See also: SSL_ConfigSecureServer in /usr/include/nss3/ssl.h
*/
@Deprecated
public static native int ConfigSecureServer(PRFDProxy fd, PK11Cert cert,
PK11PrivKey key, int kea);
/**
* Configure the certificate and private key for a server socket. This
* form assumes no additional data is passed.
*
* See also: SSL_ConfigServerCert in /usr/include/nss3/ssl.h
*/
public static native int ConfigServerCert(PRFDProxy fd, PK11Cert cert,
PK11PrivKey key);
/**
* Configure the server's session cache.
*
......@@ -155,6 +166,20 @@ public class SSL {
public static native int ConfigServerSessionIDCache(int maxCacheEntries,
long timeout, long ssl3_timeout, String directory);
/**
* Introspect the peer's certificate.
*
* See also: SSL_PeerCertificate in /usr/include/nss3/ssl.h
*/
public static native PK11Cert PeerCertificate(PRFDProxy fd);
/**
* Introspect the peer's certificate chain.
*
* See also: SSL_PeerCertificateChain in /usr/include/nss3/ssl.h
*/
public static native PK11Cert[] PeerCertificateChain(PRFDProxy fd) throws Exception;
/* Internal methods for querying constants. */
private static native int getSSLRequestCertificate();
private static native int getSSLRequireCertificate();
......
......@@ -467,6 +467,80 @@ JSS_PK11_wrapCert(JNIEnv *env, CERTCertificate **cert)
return JSS_PK11_wrapCertAndSlot(env, cert, &slot);
}
static ssize_t
CERT_LIST_COUNT(CERTCertList *chain) {
ssize_t count = -1;
CERTCertListNode *node = NULL;
if (chain == NULL) {
return count;
}
for (node = CERT_LIST_HEAD(chain);
!CERT_LIST_END(node, chain);
node = CERT_LIST_NEXT(node)) {
count += 1;
}
return count + 1;
}
/****************************************************************
*
* J S S _ P K 1 1 _ w r a p C e r t C h a i n
*
* Builds an array of PK11Cert objects from a CERTCertList.
* ppChain: Pointer to pointer to CERTCertList. The CERTCertList
* will be wrapped in a Java certificate. If this fails, it
* will be deleted. In any case, the caller should never worry about,
* or use, this CERTCertList again. To enforce this, *ppChain
* will be set to NULL whether the functions fails or succeeds.
* Returns: a new Java PK11Cert[] object, or NULL if an exception was thrown.
*/
jobjectArray
JSS_PK11_wrapCertChain(JNIEnv *env, CERTCertList **chain)
{
jobjectArray result = NULL;
jobject wrappedCert = NULL;
CERTCertListNode *node = NULL;
ssize_t count = 0;
if (chain == NULL || *chain == NULL) {
goto done;
}
// Since we can't easily resize our jobjectArray once created, walk the
// chain and count its length.
count = CERT_LIST_COUNT(*chain);
if (count <= 0) {
goto done;
}
// Allocate our result structure.
result = (*env)->NewObjectArray(env, count,
(*env)->FindClass(env, CERT_CLASS_NAME),
NULL);
count = 0;
for (node = CERT_LIST_HEAD((*chain));
!CERT_LIST_END(node, (*chain));
node = CERT_LIST_NEXT(node)) {
// Wrap the certificate and insert it into the array.
wrappedCert = JSS_PK11_wrapCert(env, &node->cert);
(*env)->SetObjectArrayElement(env, result, count, wrappedCert);
count += 1;
}
done:
if (chain) {
CERT_DestroyCertList(*chain);
*chain = NULL;
}
return result;
}
/**********************************************************************
* PK11Cert.getOwningToken
*/
......
......@@ -10,7 +10,7 @@ import java.io.ObjectOutputStream;
import java.io.IOException;
abstract class PK11Key {
abstract class PK11Key implements java.security.Key {
//////////////////////////////////////////////////////////
// Public Interface
......
......@@ -8,6 +8,8 @@ import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.crypto.SymmetricKey;
import org.mozilla.jss.util.Assert;
// We've updated jss.crypto.SymmetricKey to extend javax.crypto.SecretKey, so
// PK11SymKey implements that interface as well.
public final class PK11SymKey implements SymmetricKey {
protected PK11SymKey(byte[] pointer) {
......