.travis.yml

@@ -19,7 +19,7 @@ install:
       -v $(pwd):/root/jss
       registry.fedoraproject.org/fedora:$FEDORA
   - docker exec container dnf install -y dnf-plugins-core gcc make rpm-build
-  - docker exec container dnf copr -y enable @pki/10.6
+  - docker exec container dnf copr -y enable ${JSS_4_5_REPO:-@pki/10.6}
   - docker exec container dnf builddep -y --spec /root/jss/jss.spec.in
   - docker exec container /root/jss/build.sh --with-timestamp --with-commit-id rpm
 

build.sh

@@ -208,7 +208,7 @@ if [ "$BUILD_TARGET" != "src" ] &&
 fi
 
 if [ "$SPEC_TEMPLATE" = "" ] ; then
-    SPEC_TEMPLATE="$SRC_DIR/$NAME.spec.in"
+    SPEC_TEMPLATE="$SRC_DIR/$NAME.spec"
 fi
 
 VERSION="`rpmspec -P "$SPEC_TEMPLATE" | grep "^Version:" | awk '{print $2;}'`"

build_java.pl

@@ -55,7 +55,6 @@ org.mozilla.jss.SecretDecoderRing.KeyManager
 org.mozilla.jss.ssl.SSLSocket 
 org.mozilla.jss.ssl.SSLServerSocket 
 org.mozilla.jss.ssl.SocketBase 
-org.mozilla.jss.util.Debug
 org.mozilla.jss.util.Password       
 );
 
@@ -153,10 +152,8 @@ sub setup_vars {
     $class_release_dir .= "/$cmdline_vars{SOURCE_RELEASE_CLASSES_DIR}";
     if( $ENV{BUILD_OPT} ) {
         $javac_opt_flag = "-O";
-        $debug_source_file = "org/mozilla/jss/util/Debug_ship.jnot";
     } else {
         $javac_opt_flag = "-g";
-        $debug_source_file = "org/mozilla/jss/util/Debug_debug.jnot";
     }
     $jni_header_dir = "$dist_dir/private/jss/_jni";
 
@@ -198,6 +195,9 @@ sub setup_vars {
     if( ( $ENV{USE_INSTALLED_NSPR} ) && ( $ENV{USE_INSTALLED_NSS} ) ) {
         print "Using the NSPR and NSS installed on the system to build JSS.\n";
 
+        $nss_lib_dir = $ENV{NSS_LIB_DIR};
+        $nss_lib_dir =~ s/^\s+|\s+$//g;  # trim spaces
+
     } else {
         # Verify existence of work area
         if(( ! -d "$work_dir/nspr" ) ||
@@ -260,14 +260,6 @@ sub clean {
 
 sub build {
 
-    #
-    # copy the appropriate debug file
-    #
-    my $debug_target_file = "org/mozilla/jss/util/Debug.java";
-    if( compare($debug_source_file, $debug_target_file) ) {
-        copy($debug_source_file, $debug_target_file) or die "Copying file: $!";
-    }
-
     #
     # generate MANIFEST.MF file in dist dir
     #
@@ -439,9 +431,7 @@ sub javadoc {
 }
 
 sub test {
-    if( ( $ENV{USE_INSTALLED_NSPR} ) && ( $ENV{USE_INSTALLED_NSS} ) ) {
-        die "make test_jss is only available on upstream builds of Linux and MacOS platforms.";
-    } elsif( $os eq 'Linux' || $os eq 'Darwin' ) {
+    if( $os eq 'Linux' || $os eq 'Darwin' ) {
         # Test JSS presuming that it has already been built
 
         if(( -d $dist_dir )  &&

jss.spec.in → jss.spec

@@ -7,8 +7,8 @@ URL:            http://www.dogtagpki.org/wiki/JSS
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 
 Version:        4.5.0
-Release:        0.4%{?_timestamp}%{?_commit_id}%{?dist}
-%global         _phase -a4
+Release:        1%{?_timestamp}%{?_commit_id}%{?dist}
+# global         _phase -a1
 
 # To generate the source tarball:
 # $ git clone https://github.com/dogtagpki/jss.git
@@ -35,8 +35,9 @@ Source:         https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phas
 BuildRequires:  git
 
 BuildRequires:  gcc-c++
-BuildRequires:  nss-devel >= 3.28.4-6
 BuildRequires:  nspr-devel >= 4.13.1
+BuildRequires:  nss-devel >= 3.28.4-6
+BuildRequires:  nss-tools >= 3.28.4-6
 BuildRequires:  java-devel
 BuildRequires:  jpackage-utils
 BuildRequires:  slf4j
@@ -64,9 +65,10 @@ Requires:       slf4j-jdk14
 Requires:       apache-commons-lang
 Requires:       apache-commons-codec
 
-Conflicts:      idm-console-framework < 1.1.17-4
-Conflicts:      pki-base < 10.6.3
-Conflicts:      tomcatjss < 7.3.2
+Conflicts:      ldapjdk < 4.20
+Conflicts:      idm-console-framework < 1.2
+Conflicts:      tomcatjss < 7.3.4
+Conflicts:      pki-base < 10.6.5
 
 %description
 Java Security Services (JSS) is a java native interface which provides a bridge
@@ -131,6 +133,7 @@ export USE_64
 make -C coreconf
 make
 make javadoc
+make test_jss
 
 ################################################################################
 %install
@@ -172,7 +175,6 @@ cp -p *.txt $RPM_BUILD_ROOT%{_javadocdir}/%{name}-%{version}
 
 ################################################################################
 %changelog
-
 * Tue May 29 2018 Dogtag PKI Team <pki-devel@redhat.com> 4.5.0-0
 - To list changes in <branch> since <tag>:
   $ git log --pretty=oneline --abbrev-commit --no-decorate <tag>..<branch>

lib/jss.def

@@ -177,7 +177,6 @@ Java_org_mozilla_jss_ssl_SocketBase_setSSLOption;
 Java_org_mozilla_jss_ssl_SocketBase_socketBind;
 Java_org_mozilla_jss_ssl_SocketBase_socketClose;
 Java_org_mozilla_jss_ssl_SocketBase_socketCreate;
-Java_org_mozilla_jss_util_Debug_setNativeLevel;
 Java_org_mozilla_jss_util_Password_readPasswordFromConsole;
 ;+#
 ;+# Data objects (NONE)
@@ -337,6 +336,7 @@ Java_org_mozilla_jss_pkcs11_PK11Token_importPublicKey;
 Java_org_mozilla_jss_pkcs11_PK11Store_loadPrivateKeys;
 Java_org_mozilla_jss_pkcs11_PK11Store_loadPublicKeys;
 Java_org_mozilla_jss_pkcs11_PK11Store_deletePublicKey;
+Java_org_mozilla_jss_ssl_SSLSocket_boundSSLVersionRange;
 ;+    local:
 ;+       *;
 ;+};

org/mozilla/jss/CryptoManager.java

@@ -467,6 +467,9 @@ public final class CryptoManager implements TokenSupplier
                     "Must set ocspResponderCertNickname");
             }
         }
+
+        logger.info("CryptoManager: initializing NSS database at " + values.configDir);
+
         initializeAllNative2(values.configDir,
                             values.certPrefix,
                             values.keyPrefix,

org/mozilla/jss/netscape/security/extensions/NSCertTypeExtension.java

@@ -231,7 +231,7 @@ public class NSCertTypeExtension extends Extension implements CertAttrSet {
             throws IOException {
 
         /**
-         * Debug.trace("NSCertTypeExtension");
+         * logger.trace("NSCertTypeExtension");
          * this.mBitString = new byte[1];
          * this.mBitString[0] = (byte)0x00;
          * return;

org/mozilla/jss/ssl/CipherPolicy.java

+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+package org.mozilla.jss.ssl;
+
+public class CipherPolicy {
+
+    public static final CipherPolicy DOMESTIC =
+        new CipherPolicy(SocketBase.SSL_POLICY_DOMESTIC);
+
+    public static final CipherPolicy EXPORT =
+        new CipherPolicy(SocketBase.SSL_POLICY_EXPORT);
+
+    public static final CipherPolicy FRANCE =
+        new CipherPolicy(SocketBase.SSL_POLICY_FRANCE);
+
+    private int _enum;
+
+    private CipherPolicy(int _enum) { }
+
+    int getEnum() { return _enum; }
+}

org/mozilla/jss/ssl/SSLCipher.java

@@ -304,7 +304,20 @@ public enum SSLCipher {
     TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256       (0xc02D, true),
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256        (0xc02F, true),
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384        (0xc030, true),
-    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256         (0xc031, true);
+    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256         (0xc031, true),
+
+    /*
+     * TLS 1.3
+     */
+    /* draft-ietf-tls-chacha20-poly1305-04 */
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   (0xCCA8, true),
+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xCCA9, true),
+    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     (0xCCAA),
+
+    /* Special TLS 1.3 cipher suites that really just specify AEAD */
+    TLS_AES_128_GCM_SHA256                        (0x1301),
+    TLS_AES_256_GCM_SHA384                        (0x1302),
+    TLS_CHACHA20_POLY1305_SHA256                  (0x1303);
 
     private int id;
     private boolean ecc;

org/mozilla/jss/ssl/SSLProtocolVariant.java

+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+package org.mozilla.jss.ssl;
+
+public class SSLProtocolVariant {
+
+    public static final SSLProtocolVariant STREAM =
+        new SSLProtocolVariant(SocketBase.SSL_Variant_Stream);
+
+    public static final SSLProtocolVariant DATA_GRAM =
+        new SSLProtocolVariant(SocketBase.SSL_Variant_Datagram);
+
+    private int _enum;
+
+    private SSLProtocolVariant(int val) { _enum = val; }
+
+    int getEnum() { return _enum; }
+}

org/mozilla/jss/ssl/SSLSocket.c

@@ -13,7 +13,7 @@
 #include <pk11util.h>
 #include "_jni/org_mozilla_jss_ssl_SSLSocket.h"
 #include "jssl.h"
-
+#include <sys/param.h>
 
 #ifdef WINNT
 #include <private/pprio.h>
@@ -27,7 +27,87 @@
 
 
 /*
- * support TLS v1.1 and v1.2
+ * support TLS v1.1, v1.2, and v1.3
+ * returns SSL version range bound by the version range provided by the system.
+ * Doesn't change the defaults.
+ */
+JNIEXPORT jobject JNICALL
+Java_org_mozilla_jss_ssl_SSLSocket_boundSSLVersionRange(JNIEnv *env,
+    jclass clazz, jint ssl_variant, jint min, jint max)
+{
+    SECStatus status;
+    SSLVersionRange vrange;
+    SSLVersionRange supported_range;
+    jobject versionRange = NULL;
+    jclass versionRangeClass;
+    jmethodID versionRangeCons;
+
+    if (ssl_variant <0 || ssl_variant >= JSSL_enums_size||
+            min <0 || min >= JSSL_enums_size ||
+            max <0 || max >= JSSL_enums_size) {
+        char buf[128];
+        PR_snprintf(buf, 128, "JSS checkSSLVersionRangeDefault(): for variant=%d min=%d max=%d failed - out of range for array JSSL_enums size: %d", JSSL_enums[ssl_variant], min, max, JSSL_enums_size);
+        JSSL_throwSSLSocketException(env, buf);
+        goto finish;
+    }
+
+    vrange.min = JSSL_enums[min];
+    vrange.max = JSSL_enums[max];
+
+    /* get supported range */
+    status = SSL_VersionRangeGetSupported(JSSL_enums[ssl_variant],
+                &supported_range);
+    if( status != SECSuccess ) {
+        char buf[128];
+        PR_snprintf(buf, 128, "SSL_VersionRangeGetSupported() for variant=%d failed: %d", JSSL_enums[ssl_variant], PR_GetError());
+        JSSL_throwSSLSocketException(env, buf);
+        goto finish;
+    }
+
+    /* bind the min and max */
+    supported_range.min = MAX(supported_range.min, vrange.min);
+    supported_range.max = MIN(supported_range.max, vrange.max);
+
+    /* convert new min/max values back to the JSSL_enums indexes */
+    for (int i = 0; i < JSSL_enums_size; i++) {
+        if (JSSL_enums[i] == supported_range.min) {
+            supported_range.min = i;
+            break;
+        }
+    }
+    for (int i = 0; i < JSSL_enums_size; i++) {
+        if (JSSL_enums[i] == supported_range.max) {
+            supported_range.max = i;
+            break;
+        }
+    }
+
+    /*
+     * package the status into a new SSLVersionRange object
+     */
+    versionRangeClass = (*env)->FindClass(env, SSL_VERSION_RANGE_CLASS_NAME);
+    PR_ASSERT(versionRangeClass != NULL);
+    if( versionRangeClass == NULL ) {
+        /* exception was thrown */
+        goto finish;
+    }
+
+    versionRangeCons = (*env)->GetMethodID(env, versionRangeClass,
+                            SSL_VERSION_RANGE_CONSTRUCTOR_NAME,
+                            SSL_VERSION_RANGE_CONSTRUCTOR_SIG);
+    PR_ASSERT(versionRangeCons != NULL);
+    if(versionRangeCons == NULL ) {
+        /* exception was thrown */
+        goto finish;
+    }
+    versionRange = (*env)->NewObject(env, versionRangeClass, versionRangeCons,
+            supported_range.min, supported_range.max);
+finish:
+    return versionRange;
+}
+
+/*
+ * support TLS v1.1, v1.2, and v1.3
  *   sets default SSL version range for sockets created after this call
  */
 JNIEXPORT void JNICALL
@@ -59,11 +139,12 @@ Java_org_mozilla_jss_ssl_SSLSocket_setSSLVersionRangeDefault(JNIEnv *env,
         JSSL_throwSSLSocketException(env, buf);
         goto finish;
     }
+
     /* now check the min and max */
     if (vrange.min < supported_range.min  ||
                 vrange.max > supported_range.max) {
         char buf[128];
-        PR_snprintf(buf, 128, "SSL_VersionRangeSetDefault() for variant=%d with min=%d max=%d out of range (%d:%d): %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, supported_range.min, supported_range.max, PR_GetError());
+        PR_snprintf(buf, 128, "JSS setSSLVersionRangeDefault() for variant=%d with min=%d max=%d out of range (%d:%d): %d", JSSL_enums[ssl_variant], vrange.min, vrange.max, supported_range.min, supported_range.max, PR_GetError());
         JSSL_throwSSLSocketException(env, buf);
         goto finish;
     }
@@ -83,7 +164,7 @@ finish:
 }
 
 /*
- * support TLS v1.1 and v1.2
+ * support TLS v1.1, v1.2, and v1.3
  * sets SSL version range for this socket
  */
 JNIEXPORT void JNICALL

org/mozilla/jss/ssl/SSLSocket.java

@@ -316,6 +316,16 @@ public class SSLSocket extends java.net.Socket {
     public final static int TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384       = 0xc030;
     public final static int TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256         = 0xc031;
 
+    /* draft-ietf-tls-chacha20-poly1305-04 */
+    public final static int TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   = 0xCCA8;
+    public final static int TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA9;
+    public final static int TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     = 0xCCAA;
+
+    /* Special TLS 1.3 cipher suites that really just specify AEAD */
+    public final static int TLS_AES_128_GCM_SHA256                        = 0x1301;
+    public final static int TLS_AES_256_GCM_SHA384                        = 0x1302;
+    public final static int TLS_CHACHA20_POLY1305_SHA256                  = 0x1303;
+
     /*
      * Locking strategy of SSLSocket
      *
@@ -1353,56 +1363,28 @@ public class SSLSocket extends java.net.Socket {
         setSSLDefaultOption(SocketBase.SSL_NO_CACHE, !b);
     }
 
-   /*
-    * _min_enum and _max_enum should be one of the following:
-    *     SocketBase.SSL_LIBRARY_VERSION_3_0
-    *     SocketBase.SSL_LIBRARY_VERSION_TLS_1_0
-    *     SocketBase.SSL_LIBRARY_VERSION_TLS_1_1
-    *     SocketBase.SSL_LIBRARY_VERSION_TLS_1_2
-    */
-    public static class SSLVersionRange {
-        private int _min_enum;
-        private int _max_enum;
-        public static final int ssl3 = SocketBase.SSL_LIBRARY_VERSION_3_0;
-        public static final int tls1_0 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_0;
-        public static final int tls1_1 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_1;
-        public static final int tls1_2 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_2;
-        public SSLVersionRange(int min_enum, int max_enum)
-          throws IllegalArgumentException {
-            if ((min_enum >= SocketBase.SSL_LIBRARY_VERSION_3_0) &&
-                (max_enum <= SocketBase.SSL_LIBRARY_VERSION_TLS_1_2) &&
-                (min_enum <= max_enum)) {
-                _min_enum = min_enum;
-                _max_enum = max_enum;
-            } else {
-                throw new IllegalArgumentException("JSS SSLSocket SSLVersionRange: arguments out of range");
-            }
-        }
-
-        int getMinEnum() { return _min_enum; }
-        int getMaxEnum() { return _max_enum; }
-
-    }
-
-    public static class SSLProtocolVariant {
-        private int _enum;
-        private SSLProtocolVariant(int val) { _enum = val; }
-
-        int getEnum() { return _enum; }
-
-        public static final SSLProtocolVariant STREAM =
-            new SSLProtocolVariant(SocketBase.SSL_Variant_Stream);
-        public static final SSLProtocolVariant DATA_GRAM =
-            new SSLProtocolVariant(SocketBase.SSL_Variant_Datagram);
+    public static void setSSLVersionRangeDefault(SSLProtocolVariant ssl_variant, SSLVersionRange range)
+        throws SocketException
+    {
+        if (range == null)
+            throw new SocketException("setSSLVersionRangeDefault: range null");
 
+        setSSLVersionRangeDefault(
+                ssl_variant.getEnum(),
+                range.getMinVersion().value(),
+                range.getMaxVersion().value());
     }
 
-    public static void setSSLVersionRangeDefault(SSLProtocolVariant ssl_variant, SSLVersionRange range)
+    public static SSLVersionRange boundSSLVersionRange(SSLProtocolVariant ssl_variant, SSLVersionRange range)
         throws SocketException
     {
         if (range == null)
             throw new SocketException("setSSLVersionRangeDefault: range null");
-        setSSLVersionRangeDefault(ssl_variant.getEnum(), range.getMinEnum(), range.getMaxEnum());
+
+        return boundSSLVersionRange(
+                ssl_variant.getEnum(),
+                range.getMinVersion().value(),
+                range.getMaxVersion().value());
     }
 
     /**
@@ -1411,6 +1393,12 @@ public class SSLSocket extends java.net.Socket {
     private static native void setSSLVersionRangeDefault(int ssl_variant, int min, int max)
         throws SocketException;
 
+    /**
+     * Checks SSL Version Range against Default
+     */
+    private static native SSLVersionRange boundSSLVersionRange(int ssl_variant, int min, int max)
+        throws SocketException;
+
     private static void setSSLDefaultOption(int option, boolean on)
         throws SocketException
     {
@@ -1545,21 +1533,6 @@ public class SSLSocket extends java.net.Socket {
         close(); /* in case user did not call close */
     }
 
-    public static class CipherPolicy {
-        private int _enum;
-        private CipherPolicy(int _enum) { }
-
-        int getEnum() { return _enum; }
-
-        public static final CipherPolicy DOMESTIC =
-            new CipherPolicy(SocketBase.SSL_POLICY_DOMESTIC);
-        public static final CipherPolicy EXPORT =
-            new CipherPolicy(SocketBase.SSL_POLICY_EXPORT);
-        public static final CipherPolicy FRANCE =
-            new CipherPolicy(SocketBase.SSL_POLICY_FRANCE);
-
-    }
-
     /**
      * Sets the SSL cipher policy. This must be called before creating any
      *  SSL sockets.

org/mozilla/jss/ssl/SSLVersion.java

+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+package org.mozilla.jss.ssl;
+
+public enum SSLVersion {
+
+    SSL_3_0 ("SSL3",   SocketBase.SSL_LIBRARY_VERSION_3_0),
+    TLS_1_0 ("TLS1_0", SocketBase.SSL_LIBRARY_VERSION_TLS_1_0),
+    TLS_1_1 ("TLS1_1", SocketBase.SSL_LIBRARY_VERSION_TLS_1_1),
+    TLS_1_2 ("TLS1_2", SocketBase.SSL_LIBRARY_VERSION_TLS_1_2),
+    TLS_1_3 ("TLS1_3", SocketBase.SSL_LIBRARY_VERSION_TLS_1_3);
+
+    private String alias;
+    private int value;
+
+    private SSLVersion(String alias, int value) {
+        this.alias = alias;
+        this.value = value;
+    }
+
+    public String alias() {
+        return alias;
+    }
+
+    public int value() {
+        return value;
+    }
+
+    public static SSLVersion valueOf(int value) {
+        for (SSLVersion version : SSLVersion.values()) {
+            if (version.value == value) return version;
+        }
+
+        throw new IllegalArgumentException("Invalid SSLVersion value: " + value);
+    }
+
+    public static SSLVersion findByAlias(String alias) {
+
+        alias = alias.toUpperCase();
+
+        // find by alias
+        for (SSLVersion version : SSLVersion.values()) {
+            String a = version.alias.toUpperCase();
+            if (a.equals(alias)) return version;
+        }
+
+        // find by name
+        return SSLVersion.valueOf(alias);
+    }
+}

org/mozilla/jss/ssl/SSLVersionRange.java

+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+package org.mozilla.jss.ssl;
+
+public class SSLVersionRange {
+
+    private SSLVersion minVersion;
+    private SSLVersion maxVersion;
+
+    /**
+     * @deprecated Replaced with SSLVersion.SSL_3_0.
+     */
+    @Deprecated
+    public static final int ssl3 = SocketBase.SSL_LIBRARY_VERSION_3_0;
+
+    /**
+     * @deprecated Replaced with SSLVersion.TLS_1_0.
+     */
+    @Deprecated
+    public static final int tls1_0 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_0;
+
+    /**
+     * @deprecated Replaced with SSLVersion.TLS_1_1.
+     */
+    @Deprecated
+    public static final int tls1_1 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_1;
+
+    /**
+     * @deprecated Replaced with SSLVersion.TLS_1_2.
+     */
+    @Deprecated
+    public static final int tls1_2 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_2;
+
+    /**
+     * @deprecated Replaced with SSLVersion.TLS_1_3.
+     */
+    @Deprecated
+    public static final int tls1_3 = SocketBase.SSL_LIBRARY_VERSION_TLS_1_3;
+
+    public SSLVersionRange(SSLVersion minVersion, SSLVersion maxVersion) throws IllegalArgumentException {
+
+        if (minVersion.value() > maxVersion.value()) {
+            throw new IllegalArgumentException("Arguments out of range");
+        }
+
+        this.minVersion = minVersion;
+        this.maxVersion = maxVersion;
+    }
+
+    /**
+     * Used by the C code, do not use it directly
+     * @deprecated Replaced with SSLVersionRange(SSLVersion minVersion, SSLVersion maxVersion).
+     * @param min_enum
+     * @param max_enum
+     * @throws IllegalArgumentException
+     */
+    public SSLVersionRange(int min_enum, int max_enum) throws IllegalArgumentException {
+        this(SSLVersion.valueOf(min_enum), SSLVersion.valueOf(max_enum));
+    }
+
+    public SSLVersion getMinVersion() {
+        return minVersion;
+    }
+
+    public SSLVersion getMaxVersion() {
+        return maxVersion;
+    }
+
+    /**
+     * @return enumeration value
+     */
+    public int getMinEnum() { return minVersion.value(); }
+
+    /**
+     * @return enumeration value
+     */
+    public int getMaxEnum() { return maxVersion.value(); }
+}

org/mozilla/jss/ssl/SocketBase.java

@@ -97,6 +97,7 @@ class SocketBase {
     static final int SSL_LIBRARY_VERSION_TLS_1_0 = 30;
     static final int SSL_LIBRARY_VERSION_TLS_1_1 = 31;
     static final int SSL_LIBRARY_VERSION_TLS_1_2 = 32;
+    static final int SSL_LIBRARY_VERSION_TLS_1_3 = 35;
     /* ssl/sslt.h */
     static final int SSL_Variant_Stream = 33;
     static final int SSL_Variant_Datagram = 34;
@@ -182,13 +183,13 @@ class SocketBase {
     native void setSSLOption(int option, int on)
             throws SocketException;
 
-    void setSSLVersionRange(org.mozilla.jss.ssl.SSLSocket.SSLVersionRange range)
+    void setSSLVersionRange(SSLVersionRange range)
             throws SocketException {
-        setSSLVersionRange(range.getMinEnum(), range.getMaxEnum());
+        setSSLVersionRange(range.getMinVersion().value(), range.getMaxVersion().value());
     }
 
     /**
-     * Sets SSL Version Range for this socket to support TLS v1.1 and v1.2
+     * Sets SSL Version Range for this socket to support TLS v1.1 to v1.3
      */
     native void setSSLVersionRange(int min, int max)
             throws SocketException;

org/mozilla/jss/ssl/common.c

@@ -409,6 +409,7 @@ PRInt32 JSSL_enums[] = {
     SSL_LIBRARY_VERSION_TLS_1_2,  /* 32 */      /* sslproto.h */
     ssl_variant_stream,           /* 33 */      /* sslt.h */
     ssl_variant_datagram,         /* 34 */      /* sslt.h */
+    SSL_LIBRARY_VERSION_TLS_1_3,  /* 35 */      /* sslproto.h */
     0
 };
 

org/mozilla/jss/ssl/jssl.h

@@ -87,7 +87,7 @@ JSSL_DestroySocketData(JNIEnv *env, JSSL_SocketData *sd);
 
 
 extern PRInt32 JSSL_enums[];
-#define JSSL_enums_size 35
+#define JSSL_enums_size 36
 
 JSSL_SocketData*
 JSSL_CreateSocketData(JNIEnv *env, jobject sockObj, PRFileDesc* newFD,

org/mozilla/jss/tests/Constants.java

@@ -150,7 +150,14 @@ public interface Constants {
 /*85*/  new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"),
 /*86*/  new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
 /*87*/  new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"),
-/*88*/  new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
+/*88*/  new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
+// TLSv1_3
+/*89*/  new cipher(SSLSocket.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
+/*90*/  new cipher(SSLSocket.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"),
+/*91*/  new cipher(SSLSocket.TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
+/*92*/  new cipher(SSLSocket.TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256"),
+/*93*/  new cipher(SSLSocket.TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384"),
+/*94*/  new cipher(SSLSocket.TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256")
     };
     
     /** Cipher supported by JSSE (JDK 1.5.x) */

org/mozilla/jss/tests/SSLClientAuth.java

@@ -171,7 +171,7 @@ public class SSLClientAuth implements Runnable {
     private void generateCerts(CryptoManager cm, int serialNum) {
         
         // RSA Key with default exponent
-        int keyLength = 1024;
+        int keyLength = 2048;
         try {
             java.security.KeyPairGenerator kpg =
                     java.security.KeyPairGenerator.getInstance("RSA",

org/mozilla/jss/tests/all.pl

@@ -149,10 +149,11 @@ sub setup_vars {
         $jss_rel_dir   = "$dist_dir/classes/org";
         $jss_classpath = "$dist_dir/xpclass.jar";
 
-        $ENV{CLASSPATH} .= "$dist_dir/xpclass.jar";
-        ( -f $ENV{CLASSPATH} ) or die "$ENV{CLASSPATH} does not exist";
-        #$ENV{$ld_lib_path} = $ENV{$ld_lib_path} . $pathsep . "$obj_dir/lib";
-        $ENV{$ld_lib_path} = "$obj_dir/lib";
+        ( -f $jss_classpath ) or die "$jss_classpath does not exist";
+
+        $ENV{CLASSPATH} .= "$jss_classpath";
+        #$ENV{$ld_lib_path} = $ENV{$ld_lib_path} . $pathsep . "$nss_lib_dir";
+        $ENV{$ld_lib_path} = "$nss_lib_dir";
 
     } elsif( $$argv[0] eq "release" ) {
         shift @$argv;
@@ -161,17 +162,19 @@ sub setup_vars {
         my $nss_rel_dir  = shift @$argv or usage();
         my $nspr_rel_dir = shift @$argv or usage();
 
-        $ENV{CLASSPATH} .= "$jss_rel_dir/../xpclass.jar";
-        $ENV{$ld_lib_path} =
-            "$jss_rel_dir/lib$pathsep$nss_rel_dir/lib$pathsep$nspr_rel_dir/lib"
-            . $pathsep . $ENV{$ld_lib_path};
-        print "LD_LIBRARY_PATH is $ld_lib_path\n";
-        print "$ld_lib_path=$ENV{$ld_lib_path}\n";
+        $nspr_lib_dir = "$nspr_rel_dir/lib";
         $nss_bin_dir = "$nss_rel_dir/bin";
         $nss_lib_dir = "$nss_rel_dir/lib";
-        $jss_lib_dir = "$nss_rel_dir/lib";
+        $jss_lib_dir = "$jss_rel_dir/lib";
         $jss_classpath = "$jss_rel_dir/../xpclass.jar";
 
+        $ENV{CLASSPATH} .= "$jss_classpath";
+        $ENV{$ld_lib_path} =
+                "$jss_lib_dir" . $pathsep .
+                "$nss_lib_dir" . $pathsep .
+                "$nspr_lib_dir" . $pathsep .
+                $ENV{$ld_lib_path};
+
     } else {
         usage();
     }
@@ -223,7 +226,7 @@ sub setup_vars {
     }
 
     #MAC OS X have the -Djava.library.path for the JSS JNI library
-    if ($osname =~ /Darwin/) {
+    if ($osname =~ /Darwin/ || $osname =~ /Linux/) {
         $java = $java . " -Djava.library.path=$jss_lib_dir";
     } 
 
@@ -426,8 +429,9 @@ if( ! -d $testdir ) {
     my @dbfiles = 
         ("$testdir/cert8.db", "$testdir/key3.db", "$testdir/secmod.db", "$testdir/rsa.pfx");
     (grep{ -f } @dbfiles)  and die "There is already an old database in $testdir";
-    my $result = system("cp $nss_lib_dir/*nssckbi* $testdir"); $result >>= 8;
-    $result and die "Failed to copy built-ins library";
+    my $result = system("cp $nss_lib_dir/*nssckbi* $testdir");
+    $result >>= 8;
+    # $result and die "Failed to copy built-ins library";
 }
 
 print "creating pkcs11config file\n";