Address Bugzilla: Bug 1560682 - (RFE) Migrate RHCS x509 cert and crl … #11

Merged: 1 commit, Jun 20, 2018

Conversation

@jmagne jmagne commented Jun 16, 2018

…functionality to JSS.

This consists of a migration of low level X509 cert and crl related classes from dogtag into JSS.
This initial migration will allow users of jss to utilize these classes to create certs and crls.

The initial goal is to simply provide the classes from dogtag to be used in JSS.
A later goal will be to refactor dogtag to use the classes moved to JSS, but that will be for
a future ticket.

This migration will also address this issue:

Bug 1577991 - org.mozilla.jss.netscape.security.util.ObjectIdentifier cannot parse OID arcs larger than Integer.MAX_VALUE.

The file ObjectIdentifier.java has been modified to use BigInt instead of the int type, allowing for a greater range of values.
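Added example, not code from this PR or from JSS: a minimal DER OBJECT IDENTIFIER arc decoder written two ways, with a 32-bit `int` accumulator (the pre-fix behaviour described for ObjectIdentifier.java) and with `BigInteger`, run over a constructed encoding of 2.16.4294967295. Class and method names are illustrative.

```java
import java.math.BigInteger;
import java.util.StringJoiner;

/** Decodes the content octets of a DER OBJECT IDENTIFIER two ways. Arcs are base-128
 *  encoded, most significant group first, bit 7 set on every byte but the last of an arc;
 *  the first subidentifier packs two arcs as 40 * arc0 + arc1. */
public class OidArcDemo {
    /** Constructed sample encoding 2.16.4294967295; the last arc is 2^32 - 1. */
    static final byte[] SAMPLE = {
        (byte) 0x60,                                                    // 2 * 40 + 16
        (byte) 0x8F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0x7F  // 4294967295
    };

    /** Splits the packed first subidentifier into arc0 and arc1. */
    private static void appendFirst(StringJoiner out, BigInteger v) {
        BigInteger forty = BigInteger.valueOf(40), eighty = BigInteger.valueOf(80);
        if (v.compareTo(forty) < 0)       { out.add("0"); out.add(v.toString()); }
        else if (v.compareTo(eighty) < 0) { out.add("1"); out.add(v.subtract(forty).toString()); }
        else                              { out.add("2"); out.add(v.subtract(eighty).toString()); }
    }

    /** Pre-fix style: a 32-bit int accumulator wraps once an arc exceeds Integer.MAX_VALUE. */
    static String decodeWithInt(byte[] der) {
        StringJoiner out = new StringJoiner(".");
        int acc = 0;
        boolean first = true;
        for (byte b : der) {
            acc = (acc << 7) | (b & 0x7F);   // bits shifted past bit 31 are silently lost
            if ((b & 0x80) == 0) {           // last byte of this arc
                if (first) { appendFirst(out, BigInteger.valueOf(acc)); first = false; }
                else out.add(Integer.toString(acc));
                acc = 0;
            }
        }
        return out.toString();
    }

    /** Fixed style: BigInteger grows as needed, so arcs of any size decode intact. */
    static String decodeWithBigInteger(byte[] der) {
        StringJoiner out = new StringJoiner(".");
        BigInteger acc = BigInteger.ZERO;
        boolean first = true;
        for (byte b : der) {
            acc = acc.shiftLeft(7).or(BigInteger.valueOf(b & 0x7F));
            if ((b & 0x80) == 0) {
                if (first) { appendFirst(out, acc); first = false; }
                else out.add(acc.toString());
                acc = BigInteger.ZERO;
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        System.out.println("int accumulator:        " + decodeWithInt(SAMPLE));
        System.out.println("BigInteger accumulator: " + decodeWithBigInteger(SAMPLE));
    }
}
```

Running it decodes the same bytes twice: the `int` version reports the last arc wrapped to a negative value, the `BigInteger` version reports 4294967295.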

jss.spec.in Outdated
@@ -56,6 +58,8 @@ Requires: slf4j
Requires: slf4j-jdk14
%endif
Requires: apache-commons-lang
Requires: apache-commons-codec
Requires: ldapjdk
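Review bot: the hunk header reports two added lines, presumably the `Requires: apache-commons-lang` and `Requires: apache-commons-codec` entries; if the migrated X509/CRL classes compile against these libraries, matching `BuildRequires:` entries are needed as well, and the spec should name the package whose Java package prefix the code actually imports (`apache-commons-lang` provides `org.apache.commons.lang`, not `org.apache.commons.lang3`).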
Indentation

…functionality to JSS.

This consists of a migration of low level X509 cert and crl related classes from dogtag into JSS.
This initial migration will allow users of jss to utilize these classes to create certs and crls.

The initial goal is to simply provide the classes from dogtag to be used in JSS.
A later goal will be to refactor dogtag to use the classes moved to JSS, but that will be for
a future ticket.

This migration will also address this issue:

Bug 1577991 - org.mozilla.jss.netscape.security.util.ObjectIdentifier cannot parse OID arcs larger than Integer.MAX_VALUE.

The file ObjectIdentifier.java has been modified to use BigInt instead of the int type, allowing for a greater range of values.
Fixed minor indentation issue in spec file.
@jmagne jmagne merged commit 485a5b6 into dogtagpki:master Jun 20, 2018
@jmagne jmagne deleted the jacks-candlepin-master branch June 20, 2018 00:40
edewata added a commit to edewata/jss that referenced this pull request Jun 21, 2018
The PK11RSAPrivateKey.getModulus() has been modified to get the
modulus from the public key, which was converted from the private
key using SECKEY_ConvertToPublicKey().

A new PK11Exception has been added as a generic exception for all
PKCS #11-related errors.

https://pagure.io/jss/issue/9
edewata added a commit to edewata/jss that referenced this pull request Jun 21, 2018
The JSSProvider has been modified to provide PKCS #11 keystore
service using JSSKeyStoreSpi.
frasertweedale added a commit to frasertweedale/jss that referenced this pull request Jun 28, 2018
NSS identifies RSA private keys by setting the PKCS #11 CKA_ID
attribute to the SHA-1 digest of the public key (modulus).

PK11KeyWrapper can receive this modulus value (a byte[]) with a
leading null byte.  This results in the digest (CKA_ID) not matching
what the rest of NSS expects, e.g. when adding the corresponding
certificate, NSS fails to associate it with the private key, because
it is looking for a different CKA_ID.

This results in Dogtag lightweight CA key replication failures.

Apparently the problem did not occur with the old DB backend, only
with the new SQL backend.  Or there was some other change in NSS
that landed in Fedora 28, which prompted this issue.  In either
case, resolve the problem by dropping the leading null byte from
the modulus byte[].

Fixes: https://pagure.io/jss/issue/5
Change-Id: I4685d7e091b0adc72d5ca067f2d65c3c068c8f7a
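Added example, not JSS or Dogtag code: a stand-alone check of the CKA_ID mismatch described in this commit message, hashing a constructed modulus with and without the leading null byte and showing a normalisation step that strips it. Class and method names are illustrative.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

/** Shows how a leading 0x00 on the RSA modulus bytes changes the SHA-1 digest that NSS
 *  stores as the PKCS #11 CKA_ID, and a normalisation step that strips it before hashing. */
public class ModulusCkaIdDemo {
    /** Constructed 16-byte "modulus" with its top bit set; real moduli are 2048 bits or more. */
    static final byte[] MODULUS = {
        (byte) 0xC3, 0x5A, 0x11, 0x2F, (byte) 0x90, 0x7E, 0x44, (byte) 0xAB,
        0x06, (byte) 0xDD, 0x38, (byte) 0xE1, 0x5C, 0x72, (byte) 0x9F, 0x01
    };

    /** SHA-1 over the bytes exactly as given, which is how the CKA_ID is derived. */
    static byte[] ckaId(byte[] modulus) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-1").digest(modulus);
    }

    /** Drops a single leading 0x00 that only keeps the two's-complement value positive.
     *  BigInteger.toByteArray() emits one whenever the top bit of the magnitude is set,
     *  which is the usual way a modulus picks up the extra byte. A real modulus always
     *  has its top bit set, so a 0x00 followed by a high-bit byte is never part of it. */
    static byte[] stripSignByte(byte[] modulus) {
        if (modulus.length > 1 && modulus[0] == 0 && (modulus[1] & 0x80) != 0) {
            return Arrays.copyOfRange(modulus, 1, modulus.length);
        }
        return modulus;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Same positive value, but the two's-complement encoding carries a sign byte.
        byte[] withSignByte = new BigInteger(1, MODULUS).toByteArray();

        System.out.println("raw modulus        CKA_ID: " + hex(ckaId(MODULUS)));
        System.out.println("with leading 0x00  CKA_ID: " + hex(ckaId(withSignByte)));
        System.out.println("after strip        CKA_ID: " + hex(ckaId(stripSignByte(withSignByte))));
        System.out.println("leading 0x00 present: " + (withSignByte.length == MODULUS.length + 1));
        System.out.println("digests match after strip: "
                + Arrays.equals(ckaId(MODULUS), ckaId(stripSignByte(withSignByte))));
    }
}
```

The first two digests differ, which is the lookup failure the commit describes; only the normalised bytes reproduce the CKA_ID NSS computed from the raw modulus.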
edewata added a commit to edewata/jss that referenced this pull request Jun 28, 2018
The JSSKeyStoreSpi.engineDeleteEntry() has been modified to use
JSS API to remove a cert/key from a PKCS #11 token.

https://pagure.io/jss/issue/10
frasertweedale added a commit to frasertweedale/jss that referenced this pull request Jun 29, 2018
The NSS SQL backend, unlike the DBM backend that preceded it, does
not automatically create PKCS #11 public key objects when unwrapping
private keys.  When certificates are added, this can result in a
failure to properly associate the certificate with a private key in
the token.

When unwrapping a private key, if the given public key wraps an NSS
SECKEYPublicKey object, import the public key to the token as well.

Change-Id: I146952382d535ad71d9914f3a43d7df5c0a0f510
Related: https://pagure.io/jss/issue/13
edewata added a commit to edewata/jss that referenced this pull request Jul 12, 2018
The PK11Store.putKeysInVector() has been converted into
loadPrivateKeys() which loads all private keys in the
PKCS #11 token into a Collection instead of Vector.
edewata added a commit to edewata/jss that referenced this pull request Jul 12, 2018
A new CryptoStore.getPublicKeys() has been added to return
all public keys in the PKCS #11 token.
edewata added a commit to edewata/jss that referenced this pull request Jul 12, 2018
A new CryptoStore.findPublicKey() has been added to find the
public key corresponding to a private key in a PKCS #11 token.
Currently it only supports RSA keys.
edewata added a commit to edewata/jss that referenced this pull request Jul 12, 2018
A new CryptoStore.deletePublicKey() method has been added to
remove a public key from a PKCS #11 token.
@emaldona emaldona mentioned this pull request Oct 15, 2018
cipherboy added a commit to cipherboy/jss that referenced this pull request Jul 24, 2019
We need to map PKCS11 Constants between their names and their values and
also between their values and Algorithm identifiers. To do so, we add
PKCS11Algorithm which enumerates identifiers common to both Algorithm
and PKCS11Constants. This will let us call into the NSS API with the
correct constant identifier from PKCS11, when needed.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
cipherboy added a commit to cipherboy/jss that referenced this pull request Aug 5, 2019
This release features HSM support for PKCS #11 AES KeyWrap/Padding
mechanism. Also in this release are several minor fixes to OCSP handling
in SSLSocket code.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
edewata added a commit to edewata/jss that referenced this pull request Apr 13, 2021
The KeyPairGeneratorSpi.Usage class has been converted into
an enumeration that defines the same elements. These elements
store the values of the corresponding PKCS #11 constants.

The getVal() method has been simplified, but it will continue
to work like before for backward compatibility.

The opFlags and opFlagsMask fields in PK11KeyPairGenerator
have been converted to long to match the PKCS #11 constants.
The values will be downcasted to int if needed.

The opFlagForUsage array in PK11KeyPairGenerator has become
redundant since the PKCS #11 constants can be obtained from
the enumeration elements, so it has been removed.
edewata added a commit to edewata/jss that referenced this pull request May 3, 2021
Currently the PKCS #11 constants are only tested on Rawhide
and it's failing, but it's actually working fine on Fedora 33.
For now the test has been moved into the Fedora 33 test so the
CI will pass, but later the tests will need to be expanded to
include newer Fedora versions. That way the PKCS #11 constants
will be tested separately on each platform, so it will be
easier to isolate the problem.
edewata added a commit to edewata/jss that referenced this pull request Jul 28, 2021
The PKCS #11 constants tests in fedora_33 and fedora_34
have been moved into a separate workflow such that it can
be configured using the test MATRIX.
edewata added a commit to edewata/jss that referenced this pull request May 4, 2022
edewata added a commit to edewata/jss that referenced this pull request Feb 16, 2024
The PKCS #11 constants test failed on Fedora 40 since it
has NSS 3.97 that introduced some new PKCS #11 constants.
As a workaround the new constants need to be excluded until
NSS 3.97 becomes available on all supported platforms.

The test has also been modified to reuse the jss-builder
image.

Resolves: dogtagpki#993
This pull request was closed.