RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1560682 - (RFE) Migrate RHCS x509 cert and crl functionality to JSS
Summary: (RFE) Migrate RHCS x509 cert and crl functionality to JSS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: jss
Version: 7.6
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: 7.6
Assignee: Jack Magne
QA Contact: ipa-qe
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks: 1550132
TreeView+ depends on / blocked
 
Reported: 2018-03-26 18:15 UTC by Jack Magne
Modified: 2020-10-04 21:44 UTC (History)
4 users (show)

Fixed In Version: jss-4.4.4-2.el7
Doc Type: Enhancement
Doc Text:
A low-level API to create X.509 certificates and CRLs has been added to JSS This enhancements adds a low-level API, which can be used to create X.509 certificate and certificate revocation lists (CRL) to the Java Security Services (JSS).
Clone Of:
Environment:
Last Closed: 2018-10-30 11:00:36 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 3143 0 None None None 2020-10-04 21:44:13 UTC
Red Hat Product Errata RHBA-2018:3188 0 None None None 2018-10-30 11:01:21 UTC

Description Jack Magne 2018-03-26 18:15:23 UTC 
Description of problem:

We have a need by an internal customer that would like to be able to create x509 certificates and crl's using our JSS java binding for NSS crypto functionality.


This will be done by simply moving a collection of RHCS code down in the JSS code base. This code is an extensive collection of x509 cert and crl routines that are currently in use by RHCS to actually create the certificates managed by the RHCS certificate authority.

The JSS part of this work will be to simply copy this collection of code down into JSS, such that other users can make use of this code to create their own certs and crls. The benefit of this ability is the fact that the user can take advantage of NSS's FIPS certified status.
Comment 5 Jack Magne 2018-06-21 02:35:29 UTC 
Checkin:

 Address Bugzilla: Bug 1560682 - (RFE) Migrate RHCS x509 cert and crl …

…functionality to JSS.

    This consists of a migration of low level X509 cert and crl related classes from dogtag into JSS.
    This initial migration will allow users of jss to utilize these classes to create certs and crls.

    The initial goal is to simply provide the classes from dogtag to be used in JSS.
    A later goal will be to refactor dogtag to use the classes moved to JSS, but that will be for
    a future ticket.

    This migration will also address this issue:

    Bug 1577991 - org.mozilla.jss.netscape.security.util.ObjectIdentifier cannot parse OID arcs larger than Integer.MAX_VALUE.

    The file ObjectIdentifier.java has been modified to use BigInt instead of the int type, allowing for a greater range of values.
    Fixed minor classpath issue.

    JSS_4_4_BRANCH (#10) 

@jmagne
jmagne committed 5 days ago
1 parent f6df4da commit 06eacad918e745d632067deea398f14ce9da29ac
Comment 6 Jack Magne 2018-06-21 02:37:50 UTC 
Testing:

For our purposes our testing for this issue should be to execute extensive sanity, simply to make sure that we have not caused any regressions with this feature. 

The reason for this is that this feature consists of mostly migrated / added code taken from dogtag. The rest of the changes are minor build related changes. Nevertheless, we need to make sure we have not done anything to harm the current JSS.
Comment 8 Matthew Harmsen 2018-06-22 05:28:06 UTC 
commit 06eacad918e745d632067deea398f14ce9da29ac (HEAD -> JSS_4_4_BRANCH, origin/JSS_4_4_BRANCH)
Author: Jack Magne <jmagne>
Date:   Fri Jun 15 14:53:53 2018 -0700
Comment 9 Roshni 2018-08-20 19:29:03 UTC 
[root@nocp1 ecc]# rpm -qi jss
Name        : jss
Version     : 4.4.4
Release     : 3.el7
Architecture: x86_64
Install Date: Thu 26 Jul 2018 10:38:39 AM EDT
Group       : Unspecified
Size        : 1456493
License     : MPLv1.1 or GPLv2+ or LGPLv2+
Signature   : RSA/SHA256, Mon 16 Jul 2018 04:07:45 PM EDT, Key ID 199e2f91fd431d51
Source RPM  : jss-4.4.4-3.el7.src.rpm
Build Date  : Mon 16 Jul 2018 03:48:21 PM EDT
Build Host  : x86-038.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.dogtagpki.org/wiki/JSS
Summary     : Java Security Services (JSS)

Sanity tests look good
Comment 11 errata-xmlrpc 2018-10-30 11:00:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3188
Note You need to log in before you can comment on or make changes to this bug.