From 04473999049090614f2e40e9a07354d6574aa6dd Mon Sep 17 00:00:00 2001 From: Kevin Wright Date: Nov 02 2010 22:40:11 +0000 Subject: - Bugzilla Bug # 647364 - Expose updated certificate verification function in JSS
---
diff --git a/jss-VerifyCertificate.patch b/jss-VerifyCertificate.patch
new file mode 100644
index 0000000..a017b77
--- /dev/null
+++ b/jss-VerifyCertificate.patch
@@ -0,0 +1,220 @@ +diff -up jss-4.2.6/mozilla/security/jss/lib/jss.def.fix jss-4.2.6/mozilla/security/jss/lib/jss.def +--- jss-4.2.6/mozilla/security/jss/lib/jss.def.fix 2010-10-20 09:53:10.288935000 -0700 ++++ jss-4.2.6/mozilla/security/jss/lib/jss.def 2010-10-29 10:29:48.664212000 -0700 +@@ -331,6 +331,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairG + Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateDSAKeyPairWithOpFlags; + Java_org_mozilla_jss_CryptoManager_OCSPCacheSettingsNative; + Java_org_mozilla_jss_CryptoManager_setOCSPTimeoutNative; ++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative; + ;+ local: + ;+ *; + ;+}; +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java.fix 2010-10-28 16:44:46.366082000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/CryptoManager.java 2010-10-31 17:30:25.502670000 -0700 +@@ -61,6 +61,7 @@ import org.mozilla.jss.provider.java.sec + public final class CryptoManager implements TokenSupplier + { + /** ++ * note: this is obsolete in NSS + * CertUsage options for validation + */ + public final static class CertUsage { +@@ -86,8 +87,6 @@ public final class CryptoManager impleme + return name; + } + +- +- + // certUsage, these must be kept in sync with nss/lib/certdb/certt.h + public static final CertUsage SSLClient = new CertUsage(0, "SSLClient"); + public static final CertUsage SSLServer = new CertUsage(1, "SSLServer"); +@@ -103,6 +102,63 @@ public final class CryptoManager impleme + public static final CertUsage AnyCA = new CertUsage(11, "AnyCA"); + } + ++ /** ++ * CertificateUsage options for validation ++ */ ++ public final static class CertificateUsage { ++ private int usage; ++ private String name; ++ ++ // certificateUsage, these must be kept in sync with nss/lib/certdb/certt.h ++ private static final int certificateUsageCheckAllUsages = 
0x0000; ++ private static final int certificateUsageSSLClient = 0x0001; ++ private static final int certificateUsageSSLServer = 0x0002; ++ private static final int certificateUsageSSLServerWithStepUp = 0x0004; ++ private static final int certificateUsageSSLCA = 0x0008; ++ private static final int certificateUsageEmailSigner = 0x0010; ++ private static final int certificateUsageEmailRecipient = 0x0020; ++ private static final int certificateUsageObjectSigner = 0x0040; ++ private static final int certificateUsageUserCertImport = 0x0080; ++ private static final int certificateUsageVerifyCA = 0x0100; ++ private static final int certificateUsageProtectedObjectSigner = 0x0200; ++ private static final int certificateUsageStatusResponder = 0x0400; ++ private static final int certificateUsageAnyCA = 0x0800; ++ ++ static private ArrayList list = new ArrayList(); ++ private CertificateUsage() {}; ++ private CertificateUsage(int usage, String name) { ++ this.usage = usage; ++ this.name = name; ++ this.list.add(this); ++ ++ } ++ public int getUsage() { ++ return usage; ++ } ++ ++ static public Iterator getCertificateUsages() { ++ return list.iterator(); ++ ++ } ++ public String toString() { ++ return name; ++ } ++ ++ public static final CertificateUsage CheckAllUsages = new CertificateUsage(certificateUsageCheckAllUsages, "CheckAllUsages"); ++ public static final CertificateUsage SSLClient = new CertificateUsage(certificateUsageSSLClient, "SSLClient"); ++ public static final CertificateUsage SSLServer = new CertificateUsage(certificateUsageSSLServer, "SSLServer"); ++ public static final CertificateUsage SSLServerWithStepUp = new CertificateUsage(certificateUsageSSLServerWithStepUp, "SSLServerWithStepUp"); ++ public static final CertificateUsage SSLCA = new CertificateUsage(certificateUsageSSLCA, "SSLCA"); ++ public static final CertificateUsage EmailSigner = new CertificateUsage(certificateUsageEmailSigner, "EmailSigner"); ++ public static final CertificateUsage EmailRecipient 
= new CertificateUsage(certificateUsageEmailRecipient, "EmailRecipient"); ++ public static final CertificateUsage ObjectSigner = new CertificateUsage(certificateUsageObjectSigner, "ObjectSigner"); ++ public static final CertificateUsage UserCertImport = new CertificateUsage(certificateUsageUserCertImport, "UserCertImport"); ++ public static final CertificateUsage VerifyCA = new CertificateUsage(certificateUsageVerifyCA, "VerifyCA"); ++ public static final CertificateUsage ProtectedObjectSigner = new CertificateUsage(certificateUsageProtectedObjectSigner, "ProtectedObjectSigner"); ++ public static final CertificateUsage StatusResponder = new CertificateUsage(certificateUsageStatusResponder, "StatusResponder"); ++ public static final CertificateUsage AnyCA = new CertificateUsage(certificateUsageAnyCA, "AnyCA"); ++ } ++ + public final static class NotInitializedException extends Exception {} + public final static class NicknameConflictException extends Exception {} + public final static class UserCertConflictException extends Exception {} +@@ -1386,6 +1442,7 @@ public final class CryptoManager impleme + } + return tok; + } ++ + ///////////////////////////////////////////////////////////// + // isCertValid + ///////////////////////////////////////////////////////////// +@@ -1395,6 +1452,39 @@ public final class CryptoManager impleme + * against Now. + * @param nickname The nickname of the certificate to verify. + * @param checkSig verify the signature of the certificate ++ * @param certificateUsage see exposed certificateUsage defines to verify Certificate; null will bypass usage check ++ * @return true for success; false otherwise ++ * ++ * @exception InvalidNicknameException If the nickname is null ++ * @exception ObjectNotFoundException If no certificate could be found ++ * with the given nickname. 
++ */ ++ ++ public boolean isCertValid(String nickname, boolean checkSig, ++ CertificateUsage certificateUsage) ++ throws ObjectNotFoundException, InvalidNicknameException ++ { ++ if (nickname==null) { ++ throw new InvalidNicknameException("Nickname must be non-null"); ++ } ++ // 0 certificate usage was supposed to get current usage, however, ++ // it is not exposed at this point ++ return verifyCertificateNowNative(nickname, ++ checkSig, ++ (certificateUsage == null) ? 0:certificateUsage.getUsage()); ++ } ++ ++ private native boolean verifyCertificateNowNative(String nickname, ++ boolean checkSig, int certificateUsage) throws ObjectNotFoundException; ++ ++ /** ++ * note: this method calls obsolete function in NSS ++ * ++ * Verify a certificate that exists in the given cert database, ++ * check if is valid and that we trust the issuer. Verify time ++ * against Now. ++ * @param nickname The nickname of the certificate to verify. ++ * @param checkSig verify the signature of the certificate + * @param certUsage see exposed certUsage defines to verify Certificate + * @return true for success; false otherwise + * +@@ -1413,6 +1503,9 @@ public final class CryptoManager impleme + return verifyCertNowNative(nickname, checkSig, certUsage.getUsage()); + } + ++ /* ++ * Obsolete in NSS ++ */ + private native boolean verifyCertNowNative(String nickname, + boolean checkSig, int cUsage) throws ObjectNotFoundException; + +diff -up jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c +--- jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c.fix 2010-10-28 16:45:46.501899000 -0700 ++++ jss-4.2.6/mozilla/security/jss/org/mozilla/jss/PK11Finder.c 2010-10-31 17:25:53.575482000 -0700 +@@ -1575,11 +1575,62 @@ finish: + } + + /*********************************************************************** +- * CryptoManager.verifyCertNowNative ++ * CryptoManager.verifyCertificateNowNative + * + * Returns JNI_TRUE if 
success, JNI_FALSE otherwise + */ + JNIEXPORT jboolean JNICALL ++Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative(JNIEnv *env, ++ jobject self, jstring nickString, jboolean checkSig, jint required_certificateUsage) ++{ ++ SECStatus rv = SECFailure; ++ SECCertificateUsage certificateUsage; ++ SECCertificateUsage currUsage; /* unexposed for now */ ++ CERTCertificate *cert=NULL; ++ char *nickname=NULL; ++ ++ nickname = (char *) (*env)->GetStringUTFChars(env, nickString, NULL); ++ if( nickname == NULL ) { ++ goto finish; ++ } ++ ++ certificateUsage = required_certificateUsage; ++ ++ cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(), nickname); ++ ++ if (cert == NULL) { ++ JSS_throw(env, OBJECT_NOT_FOUND_EXCEPTION); ++ goto finish; ++ } else { ++ /* 0 for certificateUsage in call to CERT_VerifyCertificateNow to ++ * just get the current usage (which we are not passing back for now ++ * but will bypass the certificate usage check ++ */ ++ rv = CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, ++ checkSig, certificateUsage, NULL, &currUsage ); ++ } ++ ++finish: ++ if(nickname != NULL) { ++ (*env)->ReleaseStringUTFChars(env, nickString, nickname); ++ } ++ if(cert != NULL) { ++ CERT_DestroyCertificate(cert); ++ } ++ if( rv == SECSuccess) { ++ return JNI_TRUE; ++ } else { ++ return JNI_FALSE; ++ } ++} ++ ++ ++/*********************************************************************** ++ * CryptoManager.verifyCertNowNative ++ * note: this calls obsolete NSS function ++ * Returns JNI_TRUE if success, JNI_FALSE otherwise ++ */ ++JNIEXPORT jboolean JNICALL + Java_org_mozilla_jss_CryptoManager_verifyCertNowNative(JNIEnv *env, + jobject self, jstring nickString, jboolean checkSig, jint cUsage) + { diff --git a/jss.spec b/jss.spec index 9390220..032e397 100644 --- a/jss.spec +++ b/jss.spec @@ -1,6 +1,6 @@ Name: jss Version: 4.2.6 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Java Security Services (JSS) Group: System Environment/Libraries 
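Review bot: In the new `isCertValid(String, boolean, CertificateUsage)` overload a `null` usage is mapped to `0`, which the comment inside `Java_org_mozilla_jss_CryptoManager_verifyCertificateNowNative` says bypasses the certificate usage check, so a `true` result in that case says nothing about whether the certificate is acceptable for the purpose the caller has in mind (TLS server, TLS client, CA); the Javadoc should state that plainly instead of "null will bypass usage check", e.g. `@param certificateUsage the usage the certificate must be valid for; null (or CheckAllUsages) skips usage enforcement and is only appropriate when the caller checks usage by other means`. The `currUsage` value that NSS fills in is discarded by the native function; exposing it, or at least documenting that it is not returned, would let callers that pass `null` still see which usages passed. Minor points in `CertificateUsage`: `list` is a raw `ArrayList` referenced as `this.list` from the constructor although the field is static, and the private no-arg constructor carries a stray `;`. The new `isCertValid` overload and the new native function begin and end inside this hunk, but the enclosing `CryptoManager` class continues outside it.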
@@ -29,6 +29,7 @@ Patch4: jss-ECC-pop.patch Patch5: jss-loadlibrary.patch Patch6: jss-ocspSettings.patch Patch7: jss-ECC_keygen_byCurveName.patch +Patch8: jss-VerifyCertificate.patch %description @@ -53,6 +54,7 @@ This package contains the API documentation for JSS. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 %build [ -z "$JAVA_HOME" ] && export JAVA_HOME=%{_jvmdir}/java @@ -148,6 +150,9 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Mon Nov 1 2010 Christina Fu 4.2.6-8 +- Bugzilla Bug # 647364 - Expose updated certificate verification function in JSS + * Wed Oct 20 2010 Christina Fu 4.2.6-7 - Bugzilla Bug # 638833 - rfe ecc - add ec curve name support in JSS and CS - Bugzilla Bug # 529945 - expose NSS calls for OCSP settings