From e5bdc5d01bf63b02e2117d74aa21a31c4943f3bb Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Tue, 7 Dec 2021 16:49:22 +0800
Subject: [PATCH] Remove conflicts tomcat-native

(cherry picked from commit 7401b4f17a45be466abcb1034ab1433ab4942bd3)
---
 ...Manager-and-JSSTrustManager-from-JSS.patch | 387 ++++++++++++++++++
 tomcatjss.spec | 8 +-
 2 files changed, 393 insertions(+), 2 deletions(-)
 create mode 100644 Use-JSSKeyManager-and-JSSTrustManager-from-JSS.patch

diff --git a/Use-JSSKeyManager-and-JSSTrustManager-from-JSS.patch b/Use-JSSKeyManager-and-JSSTrustManager-from-JSS.patch
new file mode 100644
index 0000000..34bc306
--- /dev/null
+++ b/Use-JSSKeyManager-and-JSSTrustManager-from-JSS.patch
@@ -0,0 +1,387 @@
+From fb11bcd42aed364f77cd1b07a0d3139496817dea Mon Sep 17 00:00:00 2001
+From: Alexander Scheel
+Date: Fri, 31 May 2019 15:20:46 -0400
+Subject: [PATCH] Use JSSKeyManager and JSSTrustManager from JSS
+
+With jss-pr#159 merged, we've added a KeyManager and TrustManager to the
+JSS default provider that we should use instead of the instances
+in-tree.
+
+Signed-off-by: Alexander Scheel
+---
+ src/org/dogtagpki/tomcat/JSSKeyManager.java | 146 -------------
+ src/org/dogtagpki/tomcat/JSSTrustManager.java | 197 ------------------
+ .../src/org/dogtagpki/tomcat/JSSUtil.java | 3 +
+ 3 files changed, 3 insertions(+), 343 deletions(-)
+ delete mode 100644 src/org/dogtagpki/tomcat/JSSKeyManager.java
+ delete mode 100644 src/org/dogtagpki/tomcat/JSSTrustManager.java
+
+diff --git a/src/org/dogtagpki/tomcat/JSSKeyManager.java b/src/org/dogtagpki/tomcat/JSSKeyManager.java
+deleted file mode 100644
+index 1f94260..0000000
+--- a/src/org/dogtagpki/tomcat/JSSKeyManager.java
++++ /dev/null
+@@ -1,146 +0,0 @@
+-/* BEGIN COPYRIGHT BLOCK
+- * This library is free software; you can redistribute it and/or
+- * modify it under the terms of the GNU Lesser General Public
+- * License as published by the Free Software Foundation; either
+- * version 2.1 of the License, or (at your option) any later version.
+- *
+- * This library is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+- * Lesser General Public License for more details.
+- *
+- * You should have received a copy of the GNU Lesser General Public
+- * License along with this library; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+- *
+- * Copyright (C) 2017 Red Hat, Inc.
+- * All rights reserved. 
+- * END COPYRIGHT BLOCK */
+-
+-package org.dogtagpki.tomcat;
+-
+-import java.net.Socket;
+-import java.security.Principal;
+-import java.security.PrivateKey;
+-import java.security.cert.X509Certificate;
+-import java.util.ArrayList;
+-import java.util.Collection;
+-
+-import javax.net.ssl.X509KeyManager;
+-
+-import org.mozilla.jss.CryptoManager;
+-import org.mozilla.jss.crypto.ObjectNotFoundException;
+-import org.slf4j.Logger;
+-import org.slf4j.LoggerFactory;
+-
+-import sun.security.x509.X509CertImpl;
+-
+-public class JSSKeyManager implements X509KeyManager {
+-
+- final static Logger logger = LoggerFactory.getLogger(JSSKeyManager.class);
+-
+- @Override
+- public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
+- logger.debug("JSSKeyManager: chooseClientAlias()");
+-
+- logger.debug("JSSKeyManager: key types:");
+- for (String keyType : keyTypes) {
+- logger.debug("JSSKeyManager: - " + keyType);
+- }
+-
+- logger.debug("JSSKeyManager: issuers:");
+- for (Principal issuer : issuers) {
+- logger.debug("JSSKeyManager: - " + issuer.getName());
+- }
+-
+- return null; // not implemented
+- }
+-
+- @Override
+- public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
+- logger.debug("JSSKeyManager: chooseServerAlias()");
+- logger.debug("JSSKeyManager: key type: " + keyType);
+-
+- logger.debug("JSSKeyManager: issuers:");
+- for (Principal issuer : issuers) {
+- logger.debug("JSSKeyManager: - " + issuer.getName());
+- }
+-
+- return null; // not implemented
+- }
+-
+- @Override
+- public X509Certificate[] getCertificateChain(String alias) {
+-
+- logger.debug("JSSKeyManager: getCertificateChain(" + alias + ")");
+-
+- try {
+- CryptoManager cm = CryptoManager.getInstance();
+- org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
+-
+- org.mozilla.jss.crypto.X509Certificate[] chain = cm.buildCertificateChain(cert);
+- logger.debug("JSSKeyManager: cert chain:");
+-
+- Collection 
list = new ArrayList<>();
+- for (org.mozilla.jss.crypto.X509Certificate c : chain) {
+- logger.debug("JSSKeyManager: - " + c.getSubjectDN());
+- list.add(new X509CertImpl(c.getEncoded()));
+- }
+-
+- return list.toArray(new X509Certificate[list.size()]);
+-
+- } catch (Throwable e) {
+- logger.error(e.getMessage(), e);
+- throw new RuntimeException(e);
+- }
+- }
+-
+- @Override
+- public String[] getClientAliases(String keyType, Principal[] issuers) {
+- logger.debug("JSSKeyManager: getClientAliases()");
+- logger.debug("JSSKeyManager: key type: " + keyType);
+-
+- logger.debug("JSSKeyManager: issuers:");
+- for (Principal issuer : issuers) {
+- logger.debug("JSSKeyManager: - " + issuer.getName());
+- }
+-
+- return null; // not implemented
+- }
+-
+- @Override
+- public PrivateKey getPrivateKey(String alias) {
+-
+- logger.debug("JSSKeyManager: getPrivateKey(" + alias + ")");
+-
+- try {
+- CryptoManager cm = CryptoManager.getInstance();
+- org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
+- PrivateKey privateKey = cm.findPrivKeyByCert(cert);
+-
+- logger.debug("JSSKeyManager: key found: " + alias);
+- return privateKey;
+-
+- } catch (ObjectNotFoundException e) {
+- logger.debug("JSSKeyManager: key not found: " + alias);
+- return null;
+-
+- } catch (Throwable e) {
+- logger.error(e.getMessage(), e);
+- throw new RuntimeException(e);
+- }
+- }
+-
+- @Override
+- public String[] getServerAliases(String keyType, Principal[] issuers) {
+- logger.debug("JSSKeyManager: getServerAliases()");
+- logger.debug("JSSKeyManager: key type: " + keyType);
+-
+- logger.debug("JSSKeyManager: issuers:");
+- for (Principal issuer : issuers) {
+- logger.debug("JSSKeyManager: - " + issuer.getName());
+- }
+-
+- return null; // not implemented
+- }
+-}
+diff --git a/src/org/dogtagpki/tomcat/JSSTrustManager.java b/src/org/dogtagpki/tomcat/JSSTrustManager.java
+deleted file mode 100644
+index 87c7bdd..0000000
+--- 
a/src/org/dogtagpki/tomcat/JSSTrustManager.java
++++ /dev/null
+@@ -1,197 +0,0 @@
+-/* BEGIN COPYRIGHT BLOCK
+- * This library is free software; you can redistribute it and/or
+- * modify it under the terms of the GNU Lesser General Public
+- * License as published by the Free Software Foundation; either
+- * version 2.1 of the License, or (at your option) any later version.
+- *
+- * This library is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+- * Lesser General Public License for more details.
+- *
+- * You should have received a copy of the GNU Lesser General Public
+- * License along with this library; if not, write to the Free Software
+- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+- *
+- * Copyright (C) 2017 Red Hat, Inc.
+- * All rights reserved.
+- * END COPYRIGHT BLOCK */
+-
+-package org.dogtagpki.tomcat;
+-
+-import java.security.cert.CertificateException;
+-import java.security.cert.X509Certificate;
+-import java.util.ArrayList;
+-import java.util.Arrays;
+-import java.util.Collection;
+-import java.util.List;
+-
+-import javax.net.ssl.X509TrustManager;
+-
+-import org.mozilla.jss.CryptoManager;
+-import org.mozilla.jss.NotInitializedException;
+-import org.mozilla.jss.netscape.security.util.Cert;
+-import org.slf4j.Logger;
+-import org.slf4j.LoggerFactory;
+-
+-import sun.security.x509.X509CertImpl;
+-
+-public class JSSTrustManager implements X509TrustManager {
+-
+- final static Logger logger = LoggerFactory.getLogger(JSSTrustManager.class);
+-
+- final static String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
+- final static String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
+-
+- public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws Exception {
+-
+- logger.debug("JSSTrustManager: checkCertChain(" + keyUsage + ")");
+-
+- // sort cert chain from root to leaf 
+- certChain = Cert.sortCertificateChain(certChain);
+-
+- for (X509Certificate cert : certChain) {
+- logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
+- }
+-
+- // get CA certs
+- X509Certificate[] caCerts = getAcceptedIssuers();
+-
+- // validating cert chain from root to leaf
+- for (int i = 0; i < certChain.length; i++) {
+-
+- X509Certificate cert = certChain[i];
+-
+- // validating key usage on leaf cert only
+- String usage;
+- if (i == certChain.length - 1) {
+- usage = keyUsage;
+- } else {
+- usage = null;
+- }
+-
+- checkCert(cert, caCerts, usage);
+-
+- // use the current cert as the CA cert for the next cert in the chain
+- caCerts = new X509Certificate[] { cert };
+- }
+- }
+-
+- public void checkCert(X509Certificate cert, X509Certificate[] caCerts, String keyUsage) throws Exception {
+-
+- logger.debug("JSSTrustManager: checkCert(" + cert.getSubjectDN() + "):");
+-
+- boolean[] aki = cert.getIssuerUniqueID();
+- logger.debug("JSSTrustManager: cert AKI: " + Arrays.toString(aki));
+-
+- X509Certificate issuer = null;
+- for (X509Certificate caCert : caCerts) {
+-
+- boolean[] ski = caCert.getSubjectUniqueID();
+- logger.debug("JSSTrustManager: SKI of " + caCert.getSubjectDN() + ": " + Arrays.toString(ski));
+-
+- try {
+- cert.verify(caCert.getPublicKey(), "Mozilla-JSS");
+- issuer = caCert;
+- break;
+- } catch (Exception e) {
+- logger.debug("JSSTrustManager: invalid certificate: " + e);
+- }
+- }
+-
+- if (issuer == null) {
+- throw new CertificateException("Unable to validate signature: " + cert.getSubjectDN());
+- }
+-
+- logger.debug("JSSTrustManager: cert signed by " + issuer.getSubjectDN());
+-
+- logger.debug("JSSTrustManager: checking validity range:");
+- logger.debug("JSSTrustManager: - not before: " + cert.getNotBefore());
+- logger.debug("JSSTrustManager: - not after: " + cert.getNotAfter());
+- cert.checkValidity();
+-
+- if (keyUsage != null) {
+-
+- List extendedKeyUsages = cert.getExtendedKeyUsage();
+- 
logger.debug("JSSTrustManager: checking extended key usages:");
+-
+- for (String extKeyUsage : extendedKeyUsages) {
+- logger.debug("JSSTrustManager: - " + extKeyUsage);
+- }
+-
+- if (extendedKeyUsages.contains(keyUsage)) {
+- logger.debug("JSSTrustManager: extended key usage found: " + keyUsage);
+- } else {
+- throw new CertificateException("Missing extended key usage: " + keyUsage);
+- }
+- }
+- }
+-
+- @Override
+- public void checkClientTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
+-
+- logger.debug("JSSTrustManager: checkClientTrusted(" + authType + "):");
+-
+- try {
+- checkCertChain(certChain, CLIENT_AUTH_OID);
+- logger.debug("JSSTrustManager: SSL client certificate is valid");
+-
+- } catch (CertificateException e) {
+- logger.warn("JSSTrustManager: Invalid SSL client certificate: " + e);
+- throw e;
+-
+- } catch (Exception e) {
+- logger.warn("JSSTrustManager: Unable to validate certificate: " + e);
+- throw new CertificateException(e);
+- }
+- }
+-
+- @Override
+- public void checkServerTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
+-
+- logger.debug("JSSTrustManager: checkServerTrusted(" + certChain.length + ", " + authType + "):");
+-
+- try {
+- checkCertChain(certChain, SERVER_AUTH_OID);
+- logger.debug("JSSTrustManager: SSL server certificate is valid");
+-
+- } catch (CertificateException e) {
+- logger.warn("JSSTrustManager: Invalid SSL server certificate: " + e);
+- throw e;
+-
+- } catch (Exception e) {
+- logger.warn("JSSTrustManager: Unable to validate SSL server certificate: " + e);
+- throw new CertificateException(e);
+- }
+- }
+-
+- @Override
+- public X509Certificate[] getAcceptedIssuers() {
+-
+- logger.debug("JSSTrustManager: getAcceptedIssuers():");
+-
+- Collection caCerts = new ArrayList<>();
+-
+- try {
+- CryptoManager manager = CryptoManager.getInstance();
+- for (org.mozilla.jss.crypto.X509Certificate cert : manager.getCACerts()) {
+- 
logger.debug("JSSTrustManager: - " + cert.getSubjectDN()); +- +- try { +- X509CertImpl caCert = new X509CertImpl(cert.getEncoded()); +- caCert.checkValidity(); +- caCerts.add(caCert); +- +- } catch (Exception e) { +- logger.debug("JSSTrustManager: invalid CA certificate: " + e); +- } +- } +- +- } catch (NotInitializedException e) { +- logger.error("JSSTrustManager: Unable to get CryptoManager: " + e, e); +- throw new RuntimeException(e); +- } +- +- return caCerts.toArray(new X509Certificate[caCerts.size()]); +- } +-} +diff --git a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java +index 22c607d..a2e3cd5 100644 +--- a/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java ++++ b/tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java +@@ -28,6 +28,9 @@ + import org.slf4j.Logger; + import org.slf4j.LoggerFactory; + ++import org.mozilla.jss.provider.javax.crypto.JSSKeyManager; ++import org.mozilla.jss.provider.javax.crypto.JSSTrustManager; ++ + public class JSSUtil extends JSSEUtil { + + public static Logger logger = LoggerFactory.getLogger(JSSUtil.class); diff --git a/tomcatjss.spec b/tomcatjss.spec index 5b1c6bd..6fc4cee 100644 --- a/tomcatjss.spec +++ b/tomcatjss.spec @@ -4,12 +4,13 @@ URL: http://www.dogtagpki.org/wiki/TomcatJSS License: LGPLv2+ BuildArch: noarch Version: 7.4.1 -Release: 4 +Release: 5 Source: https://github.com/dogtagpki/tomcatjss/archive/v%{version}%{?_phase}/tomcatjss-%{version}%{?_phase}.tar.gz +Patch0: Use-JSSKeyManager-and-JSSTrustManager-from-JSS.patch BuildRequires: ant apache-commons-lang java-devel jpackage-utils >= 0:1.7.5-15 slf4j BuildRequires: slf4j-jdk14 jss >= 4.6.0 tomcat >= 1:9.0.7 Requires: apache-commons-lang java-headless jpackage-utils >= 0:1.7.5-15 slf4j jss >= 4.6.0 tomcat >= 1:9.0.7 -Conflicts: tomcat-native pki-base < 10.6.5 +Conflicts: pki-base < 10.6.5 %define _sharedstatedir /var/lib %description 
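Review bot: The bundled patch deletes `src/org/dogtagpki/tomcat/JSSKeyManager.java` and `JSSTrustManager.java` but edits `tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java`, so it was generated against a tree with two source roots; whether the 7.4.1 tarball unpacked by `%autosetup` has that exact layout cannot be confirmed from this page, and a hunk that fails to apply aborts the build, so a local rebuild is the only check. In the JSSUtil hunk the two new lines `import org.mozilla.jss.provider.javax.crypto.JSSKeyManager;` and `import org.mozilla.jss.provider.javax.crypto.JSSTrustManager;` are inserted after the `org.slf4j` group, which breaks the alphabetical order the surrounding imports appear to follow; placing them before the `org.slf4j.Logger` line keeps the file consistent. The rest of JSSUtil, where these names are presumably used, is outside the hunk.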
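Review bot: The `Conflicts: tomcat-native` entry is dropped in the first tomcatjss.spec hunk without the spec or the commit message recording why co-installation is now acceptable, and the added `Patch0` does not touch that interaction. A `Conflicts` on tomcat-native is normally there because Tomcat can pick the APR/OpenSSL connector over the JSS one when both are installed, which silently changes the TLS stack serving connections; if that is no longer the case for this build, a comment such as `# tomcat-native no longer conflicts: <reason>` next to the `Conflicts: pki-base < 10.6.5` line would let the next packager verify it. The new `Patch0` also makes the build depend on `org.mozilla.jss.provider.javax.crypto.JSSKeyManager` and `JSSTrustManager`, so the `jss >= 4.6.0` floor in BuildRequires and Requires should be checked against the JSS release that first ships those classes.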
@@ -36,6 +37,9 @@ ant -f build.xml -Dversion=%{version} -Dsrc.dir=$app_server -Djnidir=%{_jnidir} %{_javadir}/* %changelog +* Tue Dec 07 2021 wangkai - 7.4.1-5 +- Remove conflicts tomcat-native + * Fri Jul 30 2021 chenyanpanHW - 7.4.1-4 - DESC: delete -S git from %autosetup, and delete BuildRequires git -- Gitee