Skip to content
Commits on Source (126)
Hide whitespace changes
Inline Side-by-side
.copr/Makefile
View file @ 02ef7a82
srpm:
./build.sh srpm
dnf install -y git
./build.sh --with-timestamp --with-commit-id srpm
if [[ "${outdir}" != "" ]]; then \
mv ${HOME}/build/jss/SRPMS/* ${outdir}; \
fi
.travis.yml
View file @ 02ef7a82
......@@ -13,8 +13,8 @@ stages:
- extra
env:
- BASE_IMAGE="fedora_28"
- BASE_IMAGE="fedora_29"
- BASE_IMAGE="fedora_30"
script:
- bash tools/run_container.sh "$BASE_IMAGE"
......@@ -32,6 +32,10 @@ matrix:
env: BASE_IMAGE="fedora_29_jdk11"
- stage: extra
env: BASE_IMAGE="fedora_rawhide"
- stage: extra
env: BASE_IMAGE="fast_finish"
script:
- "true"
allow_failures:
- stage: extra
env: BASE_IMAGE="pkcs11check"
......
CMakeLists.txt
View file @ 02ef7a82
......@@ -10,8 +10,8 @@ cmake_minimum_required(VERSION 3.0.2)
set(CMAKE_MODULE_PATH ${CMAKE_SOURCE_DIR}/cmake)
# Define optional variables and conditionals.
if (DEFINED CHECK_DEPRECATION)
set(CMAKE_JAVA_COMPILE_FLAGS "-Xlint:deprecation")
if (DEFINED ENV{CHECK_DEPRECATION})
list(APPEND JSS_JAVAC_FLAGS "-Xlint:deprecation")
endif()
# Build a debug build by default when no type is specified on the command line
......
README.md
View file @ 02ef7a82
......@@ -33,14 +33,13 @@ This project has the following dependencies:
- [JavaEE JAXB](https://github.com/eclipse-ee4j/jaxb-ri)
- [SLF4J](https://www.slf4j.org/)
- [JUnit 4](https://junit.org/junit4/)
- [Hamcrest](http://hamcrest.org/)
To install these dependencies on Fedora, execute the following:
sudo dnf install apache-commons-codec apache-commons-lang gcc-c++ \
java-devel jpackage-utils slf4j zlib-devel \
glassfish-jaxb-api nss-tools nss-devel cmake \
hamcrest junit
junit
To install these dependencies on Debian, execute the following:
......@@ -48,7 +47,7 @@ To install these dependencies on Debian, execute the following:
libcommons-lang-java libnss3-dev libslf4j-java \
openjdk-8-jdk pkg-config zlib1g-dev \
libjaxb-api-java libnss3-tools cmake zip unzip \
libhamcrest-java junit4
junit4
Building
......@@ -78,4 +77,4 @@ started, check out our [documentation](docs/contributing.md), or if you
want to contact us, check out the following forums:
- The [pki-devel mailing list](https://www.redhat.com/mailman/listinfo/pki-devel).
- The `#dogtagpki` IRC channel on [Freenode](https://freenode.net/).
- The `#dogtag-pki` IRC channel on [Freenode](https://freenode.net/).
cmake/JSSConfig.cmake
View file @ 02ef7a82
......@@ -2,7 +2,7 @@ macro(jss_config)
# Set the current JSS release number. Arguments are:
# MAJOR MINOR PATCH BETA
# When BETA is zero, it isn't a beta release.
jss_config_version(4 5 3 0)
jss_config_version(4 6 0 0)
# Configure output directories
jss_config_outputs()
......@@ -63,6 +63,7 @@ macro(jss_config_outputs)
set(CLASSES_OUTPUT_DIR "${CMAKE_BINARY_DIR}/classes/jss")
set(DOCS_OUTPUT_DIR "${CMAKE_BINARY_DIR}/docs")
set(LIB_OUTPUT_DIR "${CMAKE_BINARY_DIR}/lib")
set(BIN_OUTPUT_DIR "${CMAKE_BINARY_DIR}/bin")
set(INCLUDE_OUTPUT_DIR "${CMAKE_BINARY_DIR}/include/jss")
set(JNI_OUTPUT_DIR "${CMAKE_BINARY_DIR}/include/jss/_jni")
......@@ -100,6 +101,7 @@ macro(jss_config_outputs)
file(MAKE_DIRECTORY "${CLASSES_OUTPUT_DIR}")
file(MAKE_DIRECTORY "${DOCS_OUTPUT_DIR}")
file(MAKE_DIRECTORY "${LIB_OUTPUT_DIR}")
file(MAKE_DIRECTORY "${BIN_OUTPUT_DIR}")
file(MAKE_DIRECTORY "${INCLUDE_OUTPUT_DIR}")
file(MAKE_DIRECTORY "${JNI_OUTPUT_DIR}")
......@@ -119,13 +121,17 @@ macro(jss_config_cflags)
if("${CMAKE_BUILD_TYPE}" STREQUAL "Debug")
list(APPEND JSS_RAW_C_FLAGS "-Og")
list(APPEND JSS_RAW_C_FLAGS "-ggdb")
list(APPEND JSS_RAW_C_FLAGS "-DDEBUG")
list(APPEND JSS_RAW_C_FLAGS "-DFORCE_PR_ASSERT")
else()
list(APPEND JSS_RAW_C_FLAGS "-O2")
endif()
list(APPEND JSS_RAW_C_FLAGS "-Wall")
list(APPEND JSS_RAW_C_FLAGS "-std=gnu99")
list(APPEND JSS_RAW_C_FLAGS "-Wno-cast-function-type")
list(APPEND JSS_RAW_C_FLAGS "-Wno-unused-parameter")
list(APPEND JSS_RAW_C_FLAGS "-Wno-unknown-warning-option")
list(APPEND JSS_RAW_C_FLAGS "-Werror-implicit-function-declaration")
list(APPEND JSS_RAW_C_FLAGS "-Wno-switch")
list(APPEND JSS_RAW_C_FLAGS "-I${NSPR_INCLUDE_DIR}")
......@@ -148,7 +154,7 @@ macro(jss_config_cflags)
# Handle passed-in C flags as well; assume they are valid.
separate_arguments(PASSED_C_FLAGS UNIX_COMMAND "${CMAKE_C_FLAGS}")
foreach(PASSED_C_FLAG ${PASSED_C_FLAGS})
list(APPEND JSS_C_FLAGS "${PASSED_C_FLAG}")
list(INSERT JSS_C_FLAGS 0 "${PASSED_C_FLAG}")
endforeach()
message(STATUS "JSS C FLAGS: ${JSS_C_FLAGS}")
......@@ -205,7 +211,7 @@ macro(jss_config_java)
)
find_jar(
HAMCREST_JAR
NAMES hamcrest/core
NAMES hamcrest/core hamcrest-core
)
# Validate that we've found the required JARs
......@@ -249,6 +255,19 @@ macro(jss_config_java)
list(APPEND JSS_JAVAC_FLAGS "${JAVAC_CLASSPATH}")
list(APPEND JSS_JAVAC_FLAGS "-sourcepath")
list(APPEND JSS_JAVAC_FLAGS "${PROJECT_SOURCE_DIR}")
# Ensure we're compatible with JDK 8
list(APPEND JSS_JAVAC_FLAGS "-target")
list(APPEND JSS_JAVAC_FLAGS "1.8")
list(APPEND JSS_JAVAC_FLAGS "-source")
list(APPEND JSS_JAVAC_FLAGS "1.8")
# Handle passed-in javac flags as well; assume they are valid.
separate_arguments(PASSED_JAVAC_FLAGS UNIX_COMMAND "$ENV{JAVACFLAGS}")
foreach(PASSED_JAVAC_FLAG ${PASSED_JAVAC_FLAGS})
list(APPEND JSS_JAVAC_FLAGS "${PASSED_JAVAC_FLAG}")
endforeach()
if("${CMAKE_BUILD_TYPE}" STREQUAL "Debug")
list(APPEND JSS_JAVAC_FLAGS "-g")
else()
......@@ -260,6 +279,19 @@ macro(jss_config_java)
list(APPEND JSS_TEST_JAVAC_FLAGS "${JAVAC_CLASSPATH}:${JUNIT4_JAR}")
list(APPEND JSS_TEST_JAVAC_FLAGS "-sourcepath")
list(APPEND JSS_TEST_JAVAC_FLAGS "${PROJECT_SOURCE_DIR}")
# Ensure we're compatible with JDK 8
list(APPEND JSS_TEST_JAVAC_FLAGS "-target")
list(APPEND JSS_TEST_JAVAC_FLAGS "1.8")
list(APPEND JSS_TEST_JAVAC_FLAGS "-source")
list(APPEND JSS_TEST_JAVAC_FLAGS "1.8")
# Handle passed-in javac flags as well; assume they are valid.
separate_arguments(PASSED_JAVAC_FLAGS UNIX_COMMAND "$ENV{JAVACFLAGS}")
foreach(PASSED_JAVAC_FLAG ${PASSED_JAVAC_FLAGS})
list(APPEND JSS_TEST_JAVAC_FLAGS "${PASSED_JAVAC_FLAG}")
endforeach()
if("${CMAKE_BUILD_TYPE}" STREQUAL "Debug")
list(APPEND JSS_TEST_JAVAC_FLAGS "-g")
else()
......@@ -269,7 +301,7 @@ macro(jss_config_java)
# Variables for javadoc building. Note that JSS_PACKAGES needs to be
# updated whenever a new package is created.
set(JSS_WINDOW_TITLE "JSS: Java Security Services")
set(JSS_PACKAGES "org.mozilla.jss;org.mozilla.jss.asn1;org.mozilla.jss.crypto;org.mozilla.jss.pkcs7;org.mozilla.jss.pkcs10;org.mozilla.jss.pkcs11;org.mozilla.jss.pkcs12;org.mozilla.jss.pkix.primitive;org.mozilla.jss.pkix.cert;org.mozilla.jss.pkix.cmc;org.mozilla.jss.pkix.cmmf;org.mozilla.jss.pkix.cms;org.mozilla.jss.pkix.crmf;org.mozilla.jss.provider.java.security;org.mozilla.jss.provider.javax.crypto;org.mozilla.jss.SecretDecoderRing;org.mozilla.jss.ssl;org.mozilla.jss.util")
set(JSS_PACKAGES "org.mozilla.jss;org.mozilla.jss.asn1;org.mozilla.jss.crypto;org.mozilla.jss.pkcs7;org.mozilla.jss.pkcs10;org.mozilla.jss.pkcs11;org.mozilla.jss.pkcs12;org.mozilla.jss.pkix.primitive;org.mozilla.jss.pkix.cert;org.mozilla.jss.pkix.cmc;org.mozilla.jss.pkix.cmmf;org.mozilla.jss.pkix.cms;org.mozilla.jss.pkix.crmf;org.mozilla.jss.provider.java.security;org.mozilla.jss.provider.javax.crypto;org.mozilla.jss.SecretDecoderRing;org.mozilla.jss.ssl;org.mozilla.jss.util;org.mozilla.jss.netscape.security.util;org.mozilla.jss.netscape.security.extensions;org.mozilla.jss.netscape.security.acl;org.mozilla.jss.netscape.security.pkcs;org.mozilla.jss.netscape.security.x509;org.mozilla.jss.netscape.security.provider;org.mozilla.jss.nss;org.mozilla.jss.ssl.javax")
set(JSS_BASE_PORT 2876)
math(EXPR JSS_TEST_PORT_CLIENTAUTH ${JSS_BASE_PORT}+0)
......
cmake/JSSTests.cmake
View file @ 02ef7a82
macro(jss_tests)
enable_testing()
jss_tests_compile()
# Common variables used as arguments to several tests
set(JSS_TEST_DIR "${PROJECT_SOURCE_DIR}/org/mozilla/jss/tests")
set(PASSWORD_FILE "${JSS_TEST_DIR}/passwords")
......@@ -76,6 +78,24 @@ macro(jss_tests)
NAME "BigObjectIdentifier"
COMMAND "org.mozilla.jss.tests.BigObjectIdentifier"
)
jss_test_java(
NAME "JSS_Test_PR_FileDesc"
COMMAND "org.mozilla.jss.tests.TestPRFD"
)
jss_test_java(
NAME "JSS_Test_Raw_SSL"
COMMAND "org.mozilla.jss.tests.TestRawSSL" "${RESULTS_NSSDB_OUTPUT_DIR}"
DEPENDS "Setup_DBs"
)
jss_test_java(
NAME "JSS_Test_Buffer"
COMMAND "org.mozilla.jss.tests.TestBuffer"
)
jss_test_java(
NAME "JSS_Test_BufferPRFD"
COMMAND "org.mozilla.jss.tests.TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
DEPENDS "List_CA_certs"
)
if ((${Java_VERSION_MAJOR} EQUAL 1) AND (${Java_VERSION_MINOR} LESS 9))
jss_test_java(
NAME "Test_PKCS11Constants.java_for_Sun_compatibility"
......@@ -106,6 +126,16 @@ macro(jss_tests)
NAME "JUnit_UTF8StringTest"
COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.UTF8StringTest"
)
jss_test_exec(
NAME "buffer_size_1"
COMMAND "${BIN_OUTPUT_DIR}/buffer_size_1"
DEPENDS "generate_c_buffer_size_1"
)
jss_test_exec(
NAME "buffer_size_4"
COMMAND "${BIN_OUTPUT_DIR}/buffer_size_4"
DEPENDS "generate_c_buffer_size_4"
)
jss_test_java(
NAME "JUnit_ChainSortingTest"
COMMAND "org.junit.runner.JUnitCore" "org.mozilla.jss.tests.ChainSortingTest"
......@@ -150,6 +180,11 @@ macro(jss_tests)
COMMAND "org.mozilla.jss.tests.SSLClientAuth" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}" "${JSS_TEST_PORT_CLIENTAUTH}" "50"
DEPENDS "List_CA_certs"
)
jss_test_exec(
NAME "TestBufferPRFD"
COMMAND "${BIN_OUTPUT_DIR}/TestBufferPRFD" "${RESULTS_NSSDB_OUTPUT_DIR}" "${DB_PWD}"
DEPENDS "List_CA_certs" "generate_c_TestBufferPRFD"
)
jss_test_java(
NAME "Key_Generation"
COMMAND "org.mozilla.jss.tests.TestKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
......@@ -220,6 +255,11 @@ macro(jss_tests)
COMMAND "org.mozilla.jss.tests.JCASymKeyGen" "${RESULTS_NSSDB_OUTPUT_DIR}"
DEPENDS "Setup_DBs"
)
jss_test_java(
NAME "JSSProvider"
COMMAND "org.mozilla.jss.tests.JSSProvider" "${RESULTS_NSSDB_OUTPUT_DIR}" "${PASSWORD_FILE}"
DEPENDS "List_CA_certs"
)
# FIPS-related tests
jss_test_java(
......@@ -291,6 +331,33 @@ macro(jss_tests)
)
endmacro()
macro(jss_tests_compile)
jss_tests_compile_c("${PROJECT_SOURCE_DIR}/org/mozilla/jss/tests/buffer_size_1.c" "${BIN_OUTPUT_DIR}/buffer_size_1" "buffer_size_1")
jss_tests_compile_c("${PROJECT_SOURCE_DIR}/org/mozilla/jss/tests/buffer_size_4.c" "${BIN_OUTPUT_DIR}/buffer_size_4" "buffer_size_4")
jss_tests_compile_c("${PROJECT_SOURCE_DIR}/org/mozilla/jss/tests/TestBufferPRFD.c" "${BIN_OUTPUT_DIR}/TestBufferPRFD" "TestBufferPRFD")
endmacro()
macro(jss_tests_compile_c C_FILE C_OUTPUT C_TARGET)
# Generate the target executable from C_FILE
add_custom_command(
OUTPUT "${C_OUTPUT}"
COMMAND ${CMAKE_C_COMPILER} ${JSS_C_FLAGS} -o ${C_OUTPUT} ${C_FILE} -L${LIB_OUTPUT_DIR} -ljss4 ${JSS_LD_FLAGS}
WORKING_DIRECTORY ${C_DIR}
DEPENDS "${C_FILE}"
DEPENDS "${JSS_TESTS_SO_PATH}"
DEPENDS generate_java
DEPENDS generate_includes
)
add_custom_target(
"generate_c_${C_TARGET}"
DEPENDS "${C_OUTPUT}"
)
add_dependencies("generate_so" "generate_c_${C_TARGET}")
endmacro()
function(jss_test_java)
set(TEST_FLAGS "NAME")
set(TEST_ARGS "COMMAND" "DEPENDS")
......@@ -300,6 +367,7 @@ function(jss_test_java)
list(APPEND EXEC_COMMAND "-classpath")
list(APPEND EXEC_COMMAND "${TEST_CLASSPATH}")
list(APPEND EXEC_COMMAND "-ea")
list(APPEND EXEC_COMMAND "-Djava.library.path=${CMAKE_BINARY_DIR}")
set(EXEC_COMMAND "${EXEC_COMMAND};${TEST_JAVA_COMMAND}")
if(TEST_JAVA_DEPENDS)
......
debian/changelog
View file @ 02ef7a82
jss (4.6.0-1) unstable; urgency=medium
* New upstream release.
* control: Bump policy to 4.4.0.
* control, compat: Bump debhelper to 12.
* support-jdk8.diff: Dropped, upstream.
-- Timo Aaltonen <tjaalton@debian.org> Wed, 10 Jul 2019 10:43:01 +0300
jss (4.5.3-2) experimental; urgency=medium
* support-jdk8.diff: Build with -target/-source 1.8.
......
debian/control
View file @ 02ef7a82
......@@ -3,7 +3,7 @@ Section: java
Maintainer: Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>
Uploaders: Timo Aaltonen <tjaalton@debian.org>,
Priority: optional
Build-Depends: debhelper (>= 11),
Build-Depends: debhelper (>= 12),
cmake,
default-jdk,
junit4,
......@@ -17,7 +17,7 @@ Build-Depends: debhelper (>= 11),
quilt,
unzip,
zip,
Standards-Version: 4.2.1
Standards-Version: 4.4.0
Vcs-Git: https://salsa.debian.org/freeipa-team/jss.git
Vcs-Browser: https://salsa.debian.org/freeipa-team/jss
Homepage: https://github.com/dogtagpki/jss
......
debian/patches/series
View file @ 02ef7a82
support-jdk8.diff
#placeholder
debian/patches/support-jdk8.diff deleted 100644 → 0
View file @ c7bdeabb
From 76b80d261cc57dd3ce3b56e1e6de0311c6855073 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 24 Apr 2019 13:04:16 -0400
Subject: [PATCH] Use JDK8 as the source and target release
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
cmake/JSSConfig.cmake | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/cmake/JSSConfig.cmake b/cmake/JSSConfig.cmake
index fcbd3742..45fd8648 100644
--- a/cmake/JSSConfig.cmake
+++ b/cmake/JSSConfig.cmake
@@ -249,6 +249,13 @@ macro(jss_config_java)
list(APPEND JSS_JAVAC_FLAGS "${JAVAC_CLASSPATH}")
list(APPEND JSS_JAVAC_FLAGS "-sourcepath")
list(APPEND JSS_JAVAC_FLAGS "${PROJECT_SOURCE_DIR}")
+
+ # Ensure we're compatible with JDK 8
+ list(APPEND JSS_JAVAC_FLAGS "-target")
+ list(APPEND JSS_JAVAC_FLAGS "1.8")
+ list(APPEND JSS_JAVAC_FLAGS "-source")
+ list(APPEND JSS_JAVAC_FLAGS "1.8")
+
if("${CMAKE_BUILD_TYPE}" STREQUAL "Debug")
list(APPEND JSS_JAVAC_FLAGS "-g")
else()
@@ -260,6 +267,13 @@ macro(jss_config_java)
list(APPEND JSS_TEST_JAVAC_FLAGS "${JAVAC_CLASSPATH}:${JUNIT4_JAR}")
list(APPEND JSS_TEST_JAVAC_FLAGS "-sourcepath")
list(APPEND JSS_TEST_JAVAC_FLAGS "${PROJECT_SOURCE_DIR}")
+
+ # Ensure we're compatible with JDK 8
+ list(APPEND JSS_TEST_JAVAC_FLAGS "-target")
+ list(APPEND JSS_TEST_JAVAC_FLAGS "1.8")
+ list(APPEND JSS_TEST_JAVAC_FLAGS "-source")
+ list(APPEND JSS_TEST_JAVAC_FLAGS "1.8")
+
if("${CMAKE_BUILD_TYPE}" STREQUAL "Debug")
list(APPEND JSS_TEST_JAVAC_FLAGS "-g")
else()
docs/contributing.md
View file @ 02ef7a82
......@@ -53,6 +53,6 @@ If you wish to discuss contributing to JSS or an issue, there are a few
forums of discussion:
- The [pki-devel mailing list](https://www.redhat.com/mailman/listinfo/pki-devel).
- The `#dogtagpki` IRC channel on [Freenode](https://freenode.net/).
- The `#dogtag-pki` IRC channel on [Freenode](https://freenode.net/).
Thanks!
docs/dependencies.md
View file @ 02ef7a82
......@@ -39,16 +39,15 @@ additional packages:
- [SLF4J's JDK14 package](https://www.slf4j.org/api/org/slf4j/impl/JDK14LoggerAdapter.html)
- [NSS's pk12util](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_pk12util)
- [JUnit 4](https://junit.org/junit4/)
- [Hamcrest](http://hamcrest.org/)
To install these dependencies on Fedora, execute the following:
sudo dnf install nss nss-tools slf4j-jdk14 hamcrest junit
sudo dnf install nss nss-tools slf4j-jdk14 junit
To install these dependencies on Debian, execute the following:
sudo apt-get install libnss3 libnss3-tools libslf4j-java \
libhamcrest-java junit4
junit4
## Run-time Dependencies
......
jss.spec
View file @ 02ef7a82
......@@ -6,18 +6,17 @@ Summary: Java Security Services (JSS)
URL: http://www.dogtagpki.org/wiki/JSS
License: MPLv1.1 or GPLv2+ or LGPLv2+
Version: 4.5.3
Version: 4.6.0
Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
# global _phase -a1
# To generate the source tarball:
# $ git clone https://github.com/dogtagpki/jss.git
# $ cd jss
# $ git archive \
# --format=tar.gz \
# --prefix jss-VERSION/ \
# -o jss-VERSION.tar.gz \
# <version tag>
# $ git tag v4.5.<z>
# $ git push origin v4.5.<z>
# Then go to https://github.com/dogtagpki/jss/releases and download the source
# tarball.
Source: https://github.com/dogtagpki/%{name}/archive/v%{version}%{?_phase}/%{name}-%{version}%{?_phase}.tar.gz
# To create a patch for all changes since a version tag:
......@@ -52,12 +51,7 @@ BuildRequires: slf4j-jdk14
BuildRequires: apache-commons-lang
BuildRequires: apache-commons-codec
%if 0%{?fedora} >= 25 || 0%{?rhel} > 7
BuildRequires: perl-interpreter
%endif
BuildRequires: junit
BuildRequires: hamcrest
Requires: nss >= 3.30
Requires: java-headless
......@@ -119,7 +113,8 @@ rm -rf build && mkdir -p build && cd build
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
..
%{__make} all javadoc
%{__make} all
%{__make} javadoc || true
ctest --output-on-failure
################################################################################
......
lib/jss.map
View file @ 02ef7a82
......@@ -336,3 +336,57 @@ Java_org_mozilla_jss_CryptoManager_getJSSPatchVersion;
local:
*;
};
JSS_4.5.3 {
global:
Java_org_mozilla_jss_nss_PR_Open;
Java_org_mozilla_jss_nss_PR_Close;
Java_org_mozilla_jss_nss_PR_Write;
Java_org_mozilla_jss_nss_PR_Read;
Java_org_mozilla_jss_nss_PR_Send;
Java_org_mozilla_jss_nss_PR_Recv;
Java_org_mozilla_jss_nss_PR_NewTCPSocket;
Java_org_mozilla_jss_nss_PR_NewBufferPRFD;
Java_org_mozilla_jss_nss_PR_Shutdown;
Java_org_mozilla_jss_nss_PR_GetError;
Java_org_mozilla_jss_nss_PR_GetErrorText;
Java_org_mozilla_jss_nss_PR_getPRShutdownRcv;
Java_org_mozilla_jss_nss_PR_getPRShutdownSend;
Java_org_mozilla_jss_nss_PR_getPRShutdownBoth;
Java_org_mozilla_jss_nss_PR_getPRSuccess;
Java_org_mozilla_jss_nss_PR_getPRFailure;
Java_org_mozilla_jss_nss_PRErrors_getWouldBlockError;
Java_org_mozilla_jss_nss_SSL_ImportFD;
Java_org_mozilla_jss_nss_SSL_OptionSet;
Java_org_mozilla_jss_nss_SSL_OptionGet;
Java_org_mozilla_jss_nss_SSL_SetURL;
Java_org_mozilla_jss_nss_SSL_CipherPrefSet;
Java_org_mozilla_jss_nss_SSL_CipherPrefGet;
Java_org_mozilla_jss_nss_SSL_VersionRangeSetNative;
Java_org_mozilla_jss_nss_SSL_VersionRangeGet;
Java_org_mozilla_jss_nss_SSL_SecurityStatus;
Java_org_mozilla_jss_nss_SSL_ResetHandshake;
Java_org_mozilla_jss_nss_SSL_ForceHandshake;
Java_org_mozilla_jss_nss_SSL_ConfigSecureServer;
Java_org_mozilla_jss_nss_SSL_ConfigServerSessionIDCache;
Java_org_mozilla_jss_nss_SSL_getSSLRequestCertificate;
Java_org_mozilla_jss_nss_SSL_getSSLRequireCertificate;
Java_org_mozilla_jss_nss_SSL_getSSLSECSuccess;
Java_org_mozilla_jss_nss_SSL_getSSLSECFailure;
Java_org_mozilla_jss_nss_SSL_getSSLSECWouldBlock;
Java_org_mozilla_jss_nss_Buffer_Create;
Java_org_mozilla_jss_nss_Buffer_Capacity;
Java_org_mozilla_jss_nss_Buffer_CanRead;
Java_org_mozilla_jss_nss_Buffer_ReadCapacity;
Java_org_mozilla_jss_nss_Buffer_CanWrite;
Java_org_mozilla_jss_nss_Buffer_WriteCapacity;
Java_org_mozilla_jss_nss_Buffer_Read;
Java_org_mozilla_jss_nss_Buffer_Write;
Java_org_mozilla_jss_nss_Buffer_Get;
Java_org_mozilla_jss_nss_Buffer_Put;
Java_org_mozilla_jss_nss_Buffer_Free;
local:
*;
};
org/mozilla/jss/CryptoManager.c
View file @ 02ef7a82
......@@ -109,8 +109,8 @@ int ConfigureOCSP(
jstring ocspResponderURL,
jstring ocspResponderCertNickname )
{
char *ocspResponderURL_string=NULL;
char *ocspResponderCertNickname_string=NULL;
const char *ocspResponderURL_string = NULL;
const char *ocspResponderCertNickname_string = NULL;
SECStatus status;
int result = SECSuccess;
CERTCertDBHandle *certdb = CERT_GetDefaultCertDB();
......@@ -120,27 +120,8 @@ int ConfigureOCSP(
* strings associated with these args
*/
if (ocspResponderURL) {
ocspResponderURL_string =
(char*) (*env)->GetStringUTFChars(env, ocspResponderURL, NULL);
if (ocspResponderURL_string == NULL) {
JSS_throwMsg(env, GENERAL_SECURITY_EXCEPTION,
"OCSP invalid URL");
result = SECFailure;
goto finish;
}
}
if (ocspResponderCertNickname) {
ocspResponderCertNickname_string =
(char*) (*env)->GetStringUTFChars(env, ocspResponderCertNickname, NULL);
if (ocspResponderCertNickname_string == NULL) {
JSS_throwMsg(env, GENERAL_SECURITY_EXCEPTION,
"OCSP invalid nickname");
result = SECFailure;
goto finish;
}
}
ocspResponderURL_string = JSS_RefJString(env, ocspResponderURL);
ocspResponderCertNickname_string = JSS_RefJString(env, ocspResponderCertNickname);
/* first disable OCSP - we'll enable it later */
......@@ -149,7 +130,7 @@ int ConfigureOCSP(
/* if they set the default responder, then set it up
* and enable it
*/
if (ocspResponderURL) {
if (ocspResponderURL_string) {
/* if ocspResponderURL is set they must specify the
ocspResponderCertNickname */
if (ocspResponderCertNickname == NULL ) {
......@@ -188,8 +169,7 @@ int ConfigureOCSP(
goto finish;
}
CERT_EnableOCSPDefaultResponder(certdb);
}
else {
} else if (ocspResponderURL == NULL) {
/* if no defaultresponder is set, disable it */
CERT_DisableOCSPDefaultResponder(certdb);
}
......@@ -202,16 +182,8 @@ int ConfigureOCSP(
}
finish:
if (ocspResponderURL_string) {
(*env)->ReleaseStringUTFChars(env,
ocspResponderURL, ocspResponderURL_string);
}
if (ocspResponderCertNickname_string) {
(*env)->ReleaseStringUTFChars(env,
ocspResponderCertNickname, ocspResponderCertNickname_string);
}
JSS_DerefJString(env, ocspResponderURL, ocspResponderURL_string);
JSS_DerefJString(env, ocspResponderCertNickname, ocspResponderCertNickname_string);
return result;
......@@ -326,18 +298,18 @@ Java_org_mozilla_jss_CryptoManager_initializeAllNative2
jboolean cooperate)
{
SECStatus rv = SECFailure;
char *szConfigDir = NULL;
char *szCertPrefix = NULL;
char *szKeyPrefix = NULL;
char *szSecmodName = NULL;
char *manuChars=NULL;
char *libraryChars=NULL;
char *tokChars=NULL;
char *keyTokChars=NULL;
char *slotChars=NULL;
char *keySlotChars=NULL;
char *fipsChars=NULL;
char *fipsKeyChars=NULL;
const char *szConfigDir = NULL;
const char *szCertPrefix = NULL;
const char *szKeyPrefix = NULL;
const char *szSecmodName = NULL;
const char *manuChars = NULL;
const char *libraryChars = NULL;
const char *tokChars = NULL;
const char *keyTokChars = NULL;
const char *slotChars = NULL;
const char *keySlotChars = NULL;
const char *fipsChars = NULL;
const char *fipsKeyChars = NULL;
PRUint32 initFlags;
/* This is thread-safe because initialize is synchronized */
......@@ -392,14 +364,14 @@ Java_org_mozilla_jss_CryptoManager_initializeAllNative2
/*
* Set the PKCS #11 strings
*/
manuChars = (char*) (*env)->GetStringUTFChars(env, manuString, NULL);
libraryChars = (char*) (*env)->GetStringUTFChars(env, libraryString, NULL);
tokChars = (char*) (*env)->GetStringUTFChars(env, tokString, NULL);
keyTokChars = (char*) (*env)->GetStringUTFChars(env, keyTokString, NULL);
slotChars = (char*) (*env)->GetStringUTFChars(env, slotString, NULL);
keySlotChars = (char*) (*env)->GetStringUTFChars(env, keySlotString, NULL);
fipsChars = (char*) (*env)->GetStringUTFChars(env, fipsString, NULL);
fipsKeyChars = (char*) (*env)->GetStringUTFChars(env, fipsKeyString, NULL);
manuChars = JSS_RefJString(env, manuString);
libraryChars = JSS_RefJString(env, libraryString);
tokChars = JSS_RefJString(env, tokString);
keyTokChars = JSS_RefJString(env, keyTokString);
slotChars = JSS_RefJString(env, slotString);
keySlotChars = JSS_RefJString(env, keySlotString);
fipsChars = JSS_RefJString(env, fipsString);
fipsKeyChars = JSS_RefJString(env, fipsKeyString);
if( (*env)->ExceptionOccurred(env) ) {
ASSERT_OUTOFMEM(env);
goto finish;
......@@ -425,7 +397,7 @@ Java_org_mozilla_jss_CryptoManager_initializeAllNative2
);
szConfigDir = (char*) (*env)->GetStringUTFChars(env, configDir, NULL);
szConfigDir = JSS_RefJString(env, configDir);
if( certPrefix != NULL || keyPrefix != NULL || secmodName != NULL ||
noCertDB || noModDB || forceOpen || noRootInit ||
optimizeSpace || PK11ThreadSafe || PK11Reload ||
......@@ -433,18 +405,10 @@ Java_org_mozilla_jss_CryptoManager_initializeAllNative2
/*
* Set up arguments to NSS_Initialize
*/
if( certPrefix != NULL ) {
szCertPrefix =
(char*) (*env)->GetStringUTFChars(env, certPrefix, NULL);
}
if ( keyPrefix != NULL ) {
szKeyPrefix =
(char*) (*env)->GetStringUTFChars(env, keyPrefix, NULL);
}
if ( secmodName != NULL ) {
szSecmodName =
(char*) (*env)->GetStringUTFChars(env, secmodName, NULL);
}
szCertPrefix = JSS_RefJString(env, certPrefix);
szKeyPrefix = JSS_RefJString(env, keyPrefix);
szSecmodName = JSS_RefJString(env, secmodName);
initFlags = 0;
if( readOnly ) {
initFlags |= NSS_INIT_READONLY;
......@@ -529,31 +493,18 @@ Java_org_mozilla_jss_CryptoManager_initializeAllNative2
initialized = PR_TRUE;
finish:
/* LET'S BE CAREFUL. Unbraced if statements ahead. */
if(szConfigDir)
(*env)->ReleaseStringUTFChars(env, configDir, szConfigDir);
if(szCertPrefix)
(*env)->ReleaseStringUTFChars(env, certPrefix, szCertPrefix);
if(szKeyPrefix)
(*env)->ReleaseStringUTFChars(env, keyPrefix, szKeyPrefix);
if(szSecmodName)
(*env)->ReleaseStringUTFChars(env, secmodName, szSecmodName);
if(manuChars)
(*env)->ReleaseStringUTFChars(env, manuString, manuChars);
if(libraryChars)
(*env)->ReleaseStringUTFChars(env, libraryString, libraryChars);
if(tokChars)
(*env)->ReleaseStringUTFChars(env, tokString, tokChars);
if(keyTokChars)
(*env)->ReleaseStringUTFChars(env, keyTokString, keyTokChars);
if(slotChars)
(*env)->ReleaseStringUTFChars(env, slotString, slotChars);
if(keySlotChars)
(*env)->ReleaseStringUTFChars(env, keySlotString, keySlotChars);
if(fipsChars)
(*env)->ReleaseStringUTFChars(env, fipsString, fipsChars);
if(fipsKeyChars)
(*env)->ReleaseStringUTFChars(env, fipsKeyString, fipsKeyChars);
JSS_DerefJString(env, configDir, szConfigDir);
JSS_DerefJString(env, certPrefix, szCertPrefix);
JSS_DerefJString(env, keyPrefix, szKeyPrefix);
JSS_DerefJString(env, secmodName, szSecmodName);
JSS_DerefJString(env, manuString, manuChars);
JSS_DerefJString(env, libraryString, libraryChars);
JSS_DerefJString(env, tokString, tokChars);
JSS_DerefJString(env, keyTokString, keyTokChars);
JSS_DerefJString(env, slotString, slotChars);
JSS_DerefJString(env, keySlotString, keySlotChars);
JSS_DerefJString(env, fipsString, fipsChars);
JSS_DerefJString(env, fipsKeyString, fipsKeyChars);
return;
}
......@@ -757,7 +708,7 @@ getPWFromCallback(PK11SlotInfo *slot, PRBool retry, void *arg)
returnchars = PL_strdup(pwchars);
JSS_wipeCharArray(pwchars);
(*env)->ReleaseByteArrayElements(env, pwArray, (jbyte*)pwchars, 0);
JSS_DerefByteArray(env, pwArray, pwchars, 0);
} else {
returnchars = NULL;
}
......@@ -1033,9 +984,8 @@ Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative(
ocsp_max_cache_entry_duration);
if (rv != SECSuccess) {
JSS_throwMsgPrErr(env,
GENERAL_SECURITY_EXCEPTION,
"Failed to set OCSP cache: error "+ PORT_GetError());
JSS_throwMsgPrErrArg(env, GENERAL_SECURITY_EXCEPTION,
"Failed to set OCSP cache: error", PORT_GetError());
}
}
......@@ -1049,9 +999,8 @@ Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative(
rv = CERT_SetOCSPTimeout(ocsp_timeout);
if (rv != SECSuccess) {
JSS_throwMsgPrErr(env,
GENERAL_SECURITY_EXCEPTION,
"Failed to set OCSP timeout: error "+ PORT_GetError());
JSS_throwMsgPrErrArg(env, GENERAL_SECURITY_EXCEPTION,
"Failed to set OCSP timeout: error ", PORT_GetError());
}
}
......
org/mozilla/jss/CryptoManager.java
View file @ 02ef7a82
......@@ -1201,6 +1201,44 @@ public final class CryptoManager implements TokenSupplier
// OCSP management
///////////////////////////////////////////////////////////////////////
/* OCSP Policy related */
public enum OCSPPolicy {
NONE,
NORMAL,
LEAF_AND_CHAIN;
}
private static OCSPPolicy ocspPolicy = OCSPPolicy.NONE;
/**
* Gets the current ocsp Policy.
* Currently we only support 2 modes OCSP_LEAF_AND_CHAIN_POLICY.
* And OCSP_NORMAL_POLICY, which is current processing , by default.
* If we have AIA based OCSP enabled we will check all certs in the chain.
* using PKIX cert verfication calls in the various cert auth callbacks we
* have.
* @return - The current ocsp policy in effect.
*/
public static synchronized int getOCSPPolicy() {
return ocspPolicy.ordinal();
}
/**
* Sets the current ocsp Policy.
* Currently we only support one mode OCSP_LEAF_AND_CHAIN_POLICY.
* If we have AIA based OCSP enabled we will check all certs in the chain.
* using PKIX cert verfication calls in the various cert auth callbacks we
* have.
* @param policy - Either cert and chain or normal default processing.
*
*/
public static synchronized void setOCSPPolicy(OCSPPolicy policy) {
ocspPolicy = policy;
}
/**
* Enables OCSP, note when you Initialize JSS for the first time, for
* backwards compatibility, the initialize will enable OCSP if you
......@@ -1220,6 +1258,16 @@ public final class CryptoManager implements TokenSupplier
String ocspResponderCertNickname )
throws GeneralSecurityException
{
/* set the ocsp policy */
if(ocspCheckingEnabled &&
ocspResponderURL == null &&
ocspResponderCertNickname == null) {
setOCSPPolicy(OCSPPolicy.LEAF_AND_CHAIN);
} else {
setOCSPPolicy(OCSPPolicy.NORMAL);
}
configureOCSPNative(ocspCheckingEnabled,
ocspResponderURL,
ocspResponderCertNickname );
......
org/mozilla/jss/JSSProvider.java
View file @ 02ef7a82
......@@ -237,6 +237,25 @@ public final class JSSProvider extends java.security.Provider {
"org.mozilla.jss.provider.javax.crypto.JSSMacSpi$HmacSHA512");
put("Alg.Alias.Mac.Hmac-SHA512", "HmacSHA512");
/////////////////////////////////////////////////////////////
// KeyManagerFactory
/////////////////////////////////////////////////////////////
put("KeyManagerFactory.NssX509",
"org.mozilla.jss.provider.javax.crypto.JSSKeyManagerFactory");
put("Alg.Alias.KeyManagerFactory.SunX509", "NssX509");
put("Alg.Alias.KeyManagerFactory.PKIX", "SunX509");
/////////////////////////////////////////////////////////////
// TrustManagerFactory
/////////////////////////////////////////////////////////////
put("TrustManagerFactory.NssX509",
"org.mozilla.jss.provider.javax.crypto.JSSTrustManagerFactory");
put("Alg.Alias.TrustManagerFactory.SunX509", "NssX509");
put("Alg.Alias.TrustManagerFactory.PKIX", "NssX509");
put("Alg.Alias.TrustManagerFactory.X509", "NssX509");
put("Alg.Alias.TrustManagerFactory.X.509", "NssX509");
}
public String toString() {
......
org/mozilla/jss/PK11Finder.c
View file @ 02ef7a82
......@@ -14,9 +14,9 @@
#include <secpkcs7.h>
#include <jssutil.h>
#include <jss_exceptions.h>
#include "pk11util.h"
#include "ssl/jssl.h"
#include <java_ids.h>
/*
......@@ -41,14 +41,14 @@ JNIEXPORT jobject JNICALL
Java_org_mozilla_jss_CryptoManager_findCertByNicknameNative
(JNIEnv *env, jobject this, jstring nickname)
{
char *nick=NULL;
const char *nick = NULL;
jobject certObject=NULL;
CERTCertificate *cert=NULL;
PK11SlotInfo *slot=NULL;
PR_ASSERT(env!=NULL && this!=NULL && nickname!=NULL);
nick = (char*) (*env)->GetStringUTFChars(env, nickname, NULL);
nick = JSS_RefJString(env, nickname);
PR_ASSERT(nick!=NULL);
cert = JSS_PK11_findCertAndSlotFromNickname(nick, NULL, &slot);
......@@ -63,9 +63,7 @@ Java_org_mozilla_jss_CryptoManager_findCertByNicknameNative
certObject = JSS_PK11_wrapCertAndSlot(env, &cert, &slot);
finish:
if(nick != NULL) {
(*env)->ReleaseStringUTFChars(env, nickname, nick);
}
JSS_DerefJString(env, nickname, nick);
if(cert != NULL) {
CERT_DestroyCertificate(cert);
}
......@@ -89,13 +87,12 @@ Java_org_mozilla_jss_CryptoManager_findCertsByNicknameNative
jobjectArray certArray=NULL;
CERTCertListNode *node;
const char *nickChars=NULL;
jboolean charsAreCopied;
jclass certClass;
int count;
int i;
/* convert the nickname string */
nickChars = (*env)->GetStringUTFChars(env, nickname, &charsAreCopied);
nickChars = JSS_RefJString(env, nickname);
if( nickChars == NULL ) {
goto finish;
}
......@@ -165,9 +162,7 @@ finish:
if(slot) {
PK11_FreeSlot(slot);
}
if( nickChars && charsAreCopied ) {
(*env)->ReleaseStringUTFChars(env, nickname, nickChars);
}
JSS_DerefJString(env, nickname, nickChars);
return certArray;
}
......@@ -550,9 +545,8 @@ Java_org_mozilla_jss_CryptoManager_importCertToPermNative
}
PR_ASSERT(oldCert != NULL);
if (nickString != NULL) {
nickname = (char*) (*env)->GetStringUTFChars(env, nickString, NULL);
}
/* dereference, discarding const qualifier */
nickname = (char *)JSS_RefJString(env, nickString);
/* Then, add to permanent database */
derCertArray[0] = &oldCert->derCert;
......@@ -570,9 +564,7 @@ Java_org_mozilla_jss_CryptoManager_importCertToPermNative
finish:
/* this checks for NULL */
CERT_DestroyCertArray(certArray, 1);
if (nickname != NULL) {
(*env)->ReleaseStringUTFChars(env, nickString, nickname);
}
JSS_DerefJString(env, nickString, nickname);
return result;
}
......@@ -824,12 +816,10 @@ Java_org_mozilla_jss_CryptoManager_importCertPackageNative
/***************************************************
* Convert package from byte array to jbyte*
***************************************************/
packageBytes = (*env)->GetByteArrayElements(env, packageArray, NULL);
if(packageBytes == NULL) {
PR_ASSERT( (*env)->ExceptionOccurred(env) );
if (!JSS_RefByteArray(env, packageArray, &packageBytes, &packageLen)) {
PR_ASSERT((*env)->ExceptionOccurred(env));
goto finish;
}
packageLen = (*env)->GetArrayLength(env, packageArray);
/***************************************************
* Decode package with NSS function
......@@ -849,13 +839,9 @@ Java_org_mozilla_jss_CryptoManager_importCertPackageNative
numCerts = collection.numCerts;
/***************************************************
* convert nickname to char*
* convert nickname to char*, discarding const
***************************************************/
if(nickString == NULL) {
nickChars = NULL;
} else {
nickChars = (char*) (*env)->GetStringUTFChars(env, nickString, NULL);
}
nickChars = (char *)JSS_RefJString(env, nickString);
/***************************************************
* user cert can be anywhere in the cert chain. loop and find it.
......@@ -880,7 +866,7 @@ Java_org_mozilla_jss_CryptoManager_importCertPackageNative
Handles the case when the user certificate is not in
the certificate chain.
*/
if ((slot == NULL)) { /* same as "noUser = 1" */
if (slot == NULL) { /* same as "noUser = 1" */
/* #397713 */
if (!find_leaf_cert(certdb, derCerts,
numCerts, &theDerCert))
......@@ -1036,13 +1022,12 @@ finish:
}
PR_Free(derCerts);
}
if(packageBytes != NULL) {
(*env)->ReleaseByteArrayElements(env, packageArray, packageBytes,
JNI_ABORT); /* don't copy back */
}
/* don't copy back */
JSS_DerefByteArray(env, packageArray, packageBytes, JNI_ABORT);
if(leafCert != NULL) {
CERT_DestroyCertificate(leafCert);
}
JSS_DerefJString(env, nickString, nickChars);
return leafObject;
}
......@@ -1335,10 +1320,7 @@ finish:
if( cinfo != NULL) {
SEC_PKCS7DestroyContentInfo(cinfo);
}
if(pkcs7Bytes != NULL) {
PR_ASSERT(pkcs7ByteArray != NULL);
(*env)->ReleaseByteArrayElements(env, pkcs7ByteArray, pkcs7Bytes, 0);
}
JSS_DerefByteArray(env, pkcs7ByteArray, pkcs7Bytes, 0);
if( info != NULL ) {
destroyEncoderCallbackInfo(info);
}
......@@ -1468,7 +1450,7 @@ Java_org_mozilla_jss_CryptoManager_importCRLNative
SECItem *packageItem = NULL;
int status = SECFailure;
char *url = NULL;
char *errmsg = NULL;
const char *errmsg = NULL;
/***************************************************
* Validate arguments
......@@ -1489,14 +1471,10 @@ Java_org_mozilla_jss_CryptoManager_importCRLNative
if ( packageItem == NULL ) {
goto finish;
}
/* XXX need to deal with if error */
if (url_jstr != NULL) {
url = (char*) (*env)->GetStringUTFChars(env, url_jstr, NULL);
PR_ASSERT(url!=NULL);
}
else {
url = NULL;
url = (char *)JSS_RefJString(env, url_jstr);
if (url_jstr != NULL && url == NULL) {
goto finish;
}
crl = CERT_ImportCRL( certdb, packageItem, url, rl_type, NULL);
......@@ -1546,9 +1524,7 @@ finish:
SECITEM_FreeItem(packageItem, PR_TRUE /*freeit*/);
}
if(url != NULL) {
(*env)->ReleaseStringUTFChars(env, url_jstr, url);
}
JSS_DerefJString(env, url_jstr, url);
if (crl) {
SEC_DestroyCrl(crl);
......@@ -1567,13 +1543,16 @@ SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString,
SECStatus rv = SECFailure;
SECCertificateUsage certificateUsage;
CERTCertificate *cert=NULL;
char *nickname=NULL;
const char *nickname = NULL;
nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
nickname = JSS_RefJString(env, nickString);
if( nickname == NULL ) {
goto finish;
}
int ocspPolicy = JSSL_getOCSPPolicy();
certificateUsage = required_certificateUsage;
cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
......@@ -1587,8 +1566,24 @@ SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString,
/* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
* retrieve the current valid usage into currUsage
*/
rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
checkSig, certificateUsage, NULL, currUsage );
if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) {
rv = JSSL_verifyCertPKIX( cert, certificateUsage,
NULL /* pin arg */, ocspPolicy, NULL, currUsage);
/* we need to do this just to get the cert usages, the pkix version
doesn't seem to honor the method to get the usages as of yet.
Let the PKIX call only determine the final fate.
*/
if(rv == SECSuccess) {
CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
checkSig, certificateUsage, NULL, currUsage );
}
} else {
rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
checkSig, certificateUsage, NULL, currUsage );
}
if ((rv == SECSuccess) && certificateUsage == 0x0000) {
if (*currUsage ==
( certUsageUserCertImport |
......@@ -1609,9 +1604,7 @@ SECStatus verifyCertificateNow(JNIEnv *env, jobject self, jstring nickString,
}
finish:
if(nickname != NULL) {
(*env)->ReleaseStringUTFChars(env, nickString, nickname);
}
JSS_DerefJString(env, nickString, nickname);
if(cert != NULL) {
CERT_DestroyCertificate(cert);
}
......@@ -1632,13 +1625,15 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
SECCertificateUsage certificateUsage;
SECCertificateUsage currUsage; /* unexposed for now */
CERTCertificate *cert=NULL;
char *nickname=NULL;
const char *nickname = NULL;
nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
nickname = JSS_RefJString(env, nickString);
if( nickname == NULL ) {
goto finish;
}
int ocspPolicy = JSSL_getOCSPPolicy();
certificateUsage = required_certificateUsage;
cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
......@@ -1653,14 +1648,27 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env,
* just get the current usage (which we are not passing back for now
* but will bypass the certificate usage check
*/
rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
checkSig, certificateUsage, NULL, &currUsage );
if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) {
rv= JSSL_verifyCertPKIX( cert, certificateUsage,
NULL /* pin arg */, ocspPolicy, NULL, &currUsage);
/* we need to do this just to get the cert usages, the pkix version
doesn't seem to honor the method to get the usages as of yet.
Let the PKIX call only determine the final fate.
*/
if(rv == SECSuccess) {
CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
checkSig, certificateUsage, NULL, &currUsage );
}
} else {
rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
checkSig, certificateUsage, NULL, &currUsage );
}
}
finish:
if(nickname != NULL) {
(*env)->ReleaseStringUTFChars(env, nickString, nickname);
}
JSS_DerefJString(env, nickString, nickname);
if(cert != NULL) {
CERT_DestroyCertificate(cert);
}
......@@ -1719,14 +1727,16 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative2(JNIEnv *env,
SECCertificateUsage currUsage = 0x0000; /* unexposed for now */
SECStatus rv = SECFailure;
CERTCertificate *cert = NULL;
char *nickname = NULL;
const char *nickname = NULL;
if (nickString == NULL) {
JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
goto finish;
}
nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
int ocspPolicy = JSSL_getOCSPPolicy();
nickname = JSS_RefJString(env, nickString);
if (nickname == NULL) {
JSS_throwMsg(env, INVALID_NICKNAME_EXCEPTION, "Missing certificate nickname");
goto finish;
......@@ -1747,8 +1757,25 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative2(JNIEnv *env,
/* 0 for certificateUsage in call to CERT_VerifyCertificateNow will
* retrieve the current valid usage into currUsage
*/
rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
checkSig, certificateUsage, NULL, &currUsage);
if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) {
rv = JSSL_verifyCertPKIX( cert, certificateUsage,
NULL /* pin arg */, ocspPolicy, NULL, &currUsage);
/* we need to do this just to get the cert usages, the pkix version
doesn't seem to honor the method to get the usages as of yet.
Let the PKIX call only determine the final fate.
*/
if(rv == SECSuccess) {
CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
checkSig, certificateUsage, NULL, &currUsage );
}
} else {
rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert,
checkSig, certificateUsage, NULL, &currUsage);
}
if (rv != SECSuccess) {
JSS_throwMsgPrErr(env, CERTIFICATE_EXCEPTION, "Invalid certificate");
......@@ -1776,9 +1803,7 @@ Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative2(JNIEnv *env,
}
finish:
if (nickname != NULL) {
(*env)->ReleaseStringUTFChars(env, nickString, nickname);
}
JSS_DerefJString(env, nickString, nickname);
if (cert != NULL) {
CERT_DestroyCertificate(cert);
}
......@@ -1797,12 +1822,15 @@ Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env,
SECStatus rv = SECFailure;
SECCertUsage certUsage;
CERTCertificate *cert=NULL;
char *nickname=NULL;
const char *nickname = NULL;
nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL);
nickname = JSS_RefJString(env, nickString);
if( nickname == NULL ) {
goto finish;
}
int ocspPolicy = JSSL_getOCSPPolicy();
certUsage = cUsage;
cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname);
......@@ -1812,14 +1840,17 @@ Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env,
PR_smprintf_free(message);
goto finish;
} else {
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert,
checkSig, certUsage, NULL );
if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) {
rv = JSSL_verifyCertPKIX( cert, certUsage,
NULL /* pin arg */, ocspPolicy, NULL, NULL);
} else {
rv = CERT_VerifyCertNow(CERT_GetDefaultCertDB(), cert,
checkSig, certUsage, NULL );
}
}
finish:
if(nickname != NULL) {
(*env)->ReleaseStringUTFChars(env, nickString, nickname);
}
JSS_DerefJString(env, nickString, nickname);
if(cert != NULL) {
CERT_DestroyCertificate(cert);
}
......@@ -1858,6 +1889,8 @@ Java_org_mozilla_jss_CryptoManager_verifyCertTempNative(JNIEnv *env,
derCerts[0] = JSS_ByteArrayToSECItem(env, packageArray);
derCerts[1] = NULL;
int ocspPolicy = JSSL_getOCSPPolicy();
rv = CERT_ImportCerts(certdb, cUsage,
1, derCerts, &certArray, PR_FALSE /*temp Certs*/,
PR_FALSE /*caOnly*/, NULL);
......@@ -1869,8 +1902,14 @@ Java_org_mozilla_jss_CryptoManager_verifyCertTempNative(JNIEnv *env,
}
certUsage = cUsage;
rv = CERT_VerifyCertNow(certdb, certArray[0],
checkSig, certUsage, NULL );
if( ocspPolicy == OCSP_LEAF_AND_CHAIN_POLICY) {
rv = JSSL_verifyCertPKIX( certArray[0], certUsage,
NULL /* pin arg */, ocspPolicy, NULL, NULL);
} else {
rv = CERT_VerifyCertNow(certdb, certArray[0],
checkSig, certUsage, NULL );
}
finish:
/* this checks for NULL */
......
org/mozilla/jss/SecretDecoderRing/KeyManager.c
View file @ 02ef7a82
......@@ -119,7 +119,7 @@ Java_org_mozilla_jss_SecretDecoderRing_KeyManager_generateUniqueNamedKeyNative
}
/* convert the Java String into a native "C" string */
keyname = (*env)->GetStringUTFChars( env, nickname, 0 );
keyname = JSS_RefJString(env, nickname);
/* name the key */
status = PK11_SetSymKeyNickname( symk, keyname );
......@@ -136,10 +136,9 @@ finish:
if( keyID != NULL ) {
SECITEM_FreeItem(keyID, PR_TRUE /*freeit*/);
}
if( keyname != NULL ) {
/* free the native "C" string */
(*env)->ReleaseStringUTFChars(env, nickname, keyname);
}
/* free the native "C" string */
JSS_DerefJString(env, nickname, keyname);
return;
}
......@@ -234,7 +233,7 @@ Java_org_mozilla_jss_SecretDecoderRing_KeyManager_lookupUniqueNamedKeyNative
}
/* convert the Java String into a native "C" string */
keyname = (*env)->GetStringUTFChars( env, nickname, 0 );
keyname = JSS_RefJString(env, nickname);
/* initialize the symmetric key list. */
symKey = PK11_ListFixedKeysInSlot(
......@@ -313,10 +312,10 @@ finish:
if( symKey != NULL ) {
PK11_FreeSymKey(symKey);
}
if( keyname != NULL ) {
/* free the native "C" string */
(*env)->ReleaseStringUTFChars(env, nickname, keyname);
}
/* free the native "C" string */
JSS_DerefJString(env, nickname, keyname);
return symKeyObj;
}
......