From 2fa72242e61e2180c2d110486283c3b8bfb7fe7b Mon Sep 17 00:00:00 2001 From: sa-buc Date: Tue, 17 Jun 2025 14:58:57 +0800 Subject: [PATCH 1/4] bouncycastle-modified Signed-off-by: sa-buc --- 1002-jmail_packages.patch | 214 ++++++++++++++++++++++++++++++++++++++ bouncycastle.spec | 5 +- 2 files changed, 217 insertions(+), 2 deletions(-) create mode 100644 1002-jmail_packages.patch diff --git a/1002-jmail_packages.patch b/1002-jmail_packages.patch new file mode 100644 index 0000000..f59983f --- /dev/null +++ b/1002-jmail_packages.patch 
@@ -0,0 +1,214 @@ +From c47f6444a744396135322784b5fea1d35d46a8a7 Mon Sep 17 00:00:00 2001 +From: Peter Dettman +Date: Wed, 3 Apr 2024 21:24:27 +0700 +Subject: [PATCH] BCJSSE: Improved workaround for InetAddress limitation + +- URLConnectionUtil now calls BCSSLSocket.setHost instead of direct SNI config +--- + .../jsse/provider/ProvSSLSocketDirect.java | 14 ++-- + .../jsse/provider/ProvSSLSocketWrap.java | 14 ++-- + .../jsse/util/SetHostSocketFactory.java | 80 +++++++++++++++++++ + .../jsse/util/URLConnectionUtil.java | 2 +- + 4 files changed, 99 insertions(+), 11 deletions(-) + create mode 100644 tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java + +diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java +index fe2d7138c1..245b1eb461 100644 +--- a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java ++++ b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketDirect.java +@@ -345,7 +345,6 @@ public synchronized void setEnableSessionCreation(boolean flag) + public synchronized void setHost(String host) + { + this.peerHost = host; +- this.peerHostSNI = host; + } + + @Override +@@ -531,6 +530,7 @@ synchronized void notifyConnected() + InetAddress peerAddress = getInetAddress(); + if (null == peerAddress) + { ++ this.peerHostSNI = null; + return; + } + +@@ -538,8 +538,8 @@ synchronized void notifyConnected() + * TODO[jsse] If we could somehow access the 'originalHostName' of peerAddress, it would be + * usable as a default SNI host_name. 
+ */ +-// String originalHostName = null; +-// if (null != originalHostName) ++// String originalHostName = peerAddress.holder().getOriginalHostName(); ++// if (JsseUtils.isNameSpecified(originalHostName)) + // { + // this.peerHost = originalHostName; + // this.peerHostSNI = originalHostName; +@@ -555,13 +555,17 @@ synchronized void notifyConnected() + return; + } + +- if (useClientMode && provJdkTlsTrustNameService) ++ if (!useClientMode) ++ { ++ this.peerHost = peerAddress.getHostAddress(); ++ } ++ else if (provJdkTlsTrustNameService) + { + this.peerHost = peerAddress.getHostName(); + } + else + { +- this.peerHost = peerAddress.getHostAddress(); ++ this.peerHost = null; + } + + this.peerHostSNI = null; +diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java +index b31f215289..59fabd7bb4 100644 +--- a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java ++++ b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLSocketWrap.java +@@ -470,7 +470,6 @@ public synchronized void setEnableSessionCreation(boolean flag) + public synchronized void setHost(String host) + { + this.peerHost = host; +- this.peerHostSNI = host; + } + + @Override +@@ -720,6 +719,7 @@ synchronized void notifyConnected() + InetAddress peerAddress = getInetAddress(); + if (null == peerAddress) + { ++ this.peerHostSNI = null; + return; + } + +@@ -727,8 +727,8 @@ synchronized void notifyConnected() + * TODO[jsse] If we could somehow access the 'originalHostName' of peerAddress, it would be + * usable as a default SNI host_name. 
+ */ +-// String originalHostName = null; +-// if (null != originalHostName) ++// String originalHostName = peerAddress.holder().getOriginalHostName(); ++// if (JsseUtils.isNameSpecified(originalHostName)) + // { + // this.peerHost = originalHostName; + // this.peerHostSNI = originalHostName; +@@ -744,13 +744,17 @@ synchronized void notifyConnected() + return; + } + +- if (useClientMode && provJdkTlsTrustNameService) ++ if (!useClientMode) ++ { ++ this.peerHost = peerAddress.getHostAddress(); ++ } ++ else if (provJdkTlsTrustNameService) + { + this.peerHost = peerAddress.getHostName(); + } + else + { +- this.peerHost = peerAddress.getHostAddress(); ++ this.peerHost = null; + } + + this.peerHostSNI = null; +diff --git a/tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java b/tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java +new file mode 100644 +index 0000000000..0eeccaf367 +--- /dev/null ++++ b/tls/src/main/java/org/bouncycastle/jsse/util/SetHostSocketFactory.java +@@ -0,0 +1,80 @@ ++package org.bouncycastle.jsse.util; ++ ++import java.net.Socket; ++import java.net.URL; ++import java.util.concurrent.Callable; ++import java.util.logging.Logger; ++ ++import javax.net.SocketFactory; ++import javax.net.ssl.SSLSocketFactory; ++ ++import org.bouncycastle.jsse.BCSSLSocket; ++ ++public class SetHostSocketFactory extends CustomSSLSocketFactory ++{ ++ private static final Logger LOG = Logger.getLogger(SetHostSocketFactory.class.getName()); ++ ++ protected static final ThreadLocal threadLocal = new ThreadLocal(); ++ ++ /** ++ * Signature matches {@link SSLSocketFactory#getDefault()} so that it can be ++ * used with e.g. the "java.naming.ldap.factory.socket" property or similar. 
++ * ++ * @see #call(Callable) ++ */ ++ public static SocketFactory getDefault() ++ { ++ SSLSocketFactory sslSocketFactory = threadLocal.get(); ++ if (null != sslSocketFactory) ++ { ++ return sslSocketFactory; ++ } ++ ++ return SSLSocketFactory.getDefault(); ++ } ++ ++ protected final URL url; ++ ++ public SetHostSocketFactory(SSLSocketFactory delegate, URL url) ++ { ++ super(delegate); ++ ++ this.url = url; ++ } ++ ++ /** ++ * Calls a {@link Callable} in a context where this class's static ++ * {@link #getDefault()} method will return this {@link SetHostSocketFactory}. ++ */ ++ public V call(Callable callable) throws Exception ++ { ++ try ++ { ++ threadLocal.set(this); ++ ++ return callable.call(); ++ } ++ finally ++ { ++ threadLocal.remove(); ++ } ++ } ++ ++ @Override ++ protected Socket configureSocket(Socket s) ++ { ++ if (url != null && s instanceof BCSSLSocket) ++ { ++ BCSSLSocket ssl = (BCSSLSocket)s; ++ ++ String host = url.getHost(); ++ if (host != null) ++ { ++ LOG.fine("Setting host on socket: " + host); ++ ++ ssl.setHost(host); ++ } ++ } ++ return s; ++ } ++} +diff --git a/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java b/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java +index 63a7db5a0b..6eb4861f2d 100644 +--- a/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java ++++ b/tls/src/main/java/org/bouncycastle/jsse/util/URLConnectionUtil.java +@@ -66,6 +66,6 @@ protected URLConnection configureConnection(URL url, URLConnection connection) + + protected SSLSocketFactory createSSLSocketFactory(SSLSocketFactory delegate, URL url) + { +- return new SNISocketFactory(delegate, url); ++ return new SetHostSocketFactory(delegate, url); + } + } diff --git a/bouncycastle.spec b/bouncycastle.spec index d251fdd..5787c39 100644 --- a/bouncycastle.spec +++ b/bouncycastle.spec 
@@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 %global gittag r1rv77 %global classname org.bouncycastle.jce.provider.BouncyCastleProvider @@ -29,6 +29,7 @@ Source8: get-poms.sh # From https://src.fedoraproject.org/rpms/bouncycastle/blob/d0ad563d8f8f61b9631e5562028b30b407d97094/f/jmail.packages.patch Patch0: 1001-jmail_packages.patch +Patch1: 1002-jmail_packages.patch BuildArch: noarch ExclusiveArch: %{java_arches} noarch @@ -110,7 +111,7 @@ API documentation for the Bouncy Castle Cryptography APIs. %prep %setup -q -n bc-java-%{gittag} %patch -P0 -p1 - +%patch -P1 -p1 for x in `find | grep -e x_pkcs7_signature.java -e PKCS7ContentHandler.java -e multipart_signed.java` ; do sed "s/getTransferData.ActivationDataFlavor/getTransferData(DataFlavor/g" -i $x sed "s/ ActivationDataFlavor df,/ DataFlavor df,/g" -i $x -- Gitee From d60e0d13ead7b13b0ec1f507b1fedecc92410b5d Mon Sep 17 00:00:00 2001 From: liuzhiqiang Date: Tue, 17 Jun 2025 08:01:44 +0000 Subject: [PATCH 2/4] update bouncycastle.spec. Signed-off-by: liuzhiqiang --- bouncycastle.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/bouncycastle.spec b/bouncycastle.spec index 5787c39..6ae7f59 100644 --- a/bouncycastle.spec +++ b/bouncycastle.spec @@ -110,8 +110,7 @@ API documentation for the Bouncy Castle Cryptography APIs. %prep %setup -q -n bc-java-%{gittag} -%patch -P0 -p1 -%patch -P1 -p1 +%patch -P0 -p1 for x in `find | grep -e x_pkcs7_signature.java -e PKCS7ContentHandler.java -e multipart_signed.java` ; do sed "s/getTransferData.ActivationDataFlavor/getTransferData(DataFlavor/g" -i $x sed "s/ ActivationDataFlavor df,/ DataFlavor df,/g" -i $x @@ -243,6 +242,9 @@ fi %license LICENSE.html %changelog +* Mon Jun 16 2025 lzq11122 - 1.78-1 +- Update to 1.78 + * Mon Jun 09 2025 zhoujiajia111 - 1.77-1 - Update to 1.77 -- Gitee From 07f3fe429dfba8d21773b7e1393da1c3afc36cd7 Mon Sep 17 00:00:00 2001 
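Review bot: The new `Patch1: 1002-jmail_packages.patch` line in the `@@ -29,6 +29,7 @@` hunk of PATCH 1/4 carries no provenance, whereas the `Patch0` line directly above it is preceded by a comment giving its source URL; the file added in this same commit is upstream commit c47f6444a744396135322784b5fea1d35d46a8a7 (`BCJSSE: Improved workaround for InetAddress limitation`), and nothing in the spec records that or names the CVE it addresses. Add a comment in the same style as the Patch0 one, e.g. `# Backport of upstream c47f6444a744396135322784b5fea1d35d46a8a7 (BCJSSE: Improved workaround for InetAddress limitation), fix for CVE-2024-34447`. The file name itself suggests a jmail-packages change, which PATCH 3/4 later corrects by renaming it, but the comment is still the only place the spec can explain why the patch is applied. The same commit's first hunk bumps `anolis_release` to 2 without a matching `%changelog` entry.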
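Review bot: Removing `%patch -P1 -p1` from `%prep` in the `@@ -110,8 +110,7 @@` hunk of PATCH 2/4 leaves `Patch1` declared in the preamble but never applied, so the built package does not contain the backported BCJSSE fix, and rpmbuild does not fail on a declared-but-unapplied Patch line, so nothing in the build would flag it. The same gap persists in the `%prep` hunk of PATCH 4/4, which still applies only `%patch -P0 -p1` after renaming the patch to `0002_fix_CVE-2024-34447`. Keep `%patch -P1 -p1` directly after `%patch -P0 -p1`; if the intent was to switch to automatic patch application, that would be `%autosetup -p1 -n bc-java-%{gittag}` in place of the `%setup`/`%patch` pair, not a removal.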
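Review bot: The changelog entry added in the `@@ -243,6 +242,9 @@` hunk of PATCH 2/4 says `Update to 1.78`, but nothing visible in this series changes the source version: PATCH 1/4 bumps only `anolis_release` from 1 to 2 and leaves `%global gittag r1rv77`, and no Version line appears in any hunk shown. As written the entry appears to describe a version the spec does not build; unless the version is changed elsewhere in the spec, it should be phrased as the release bump it is (`1.77-2`, matching the existing `1.77-1` entry below it) and state what actually changed, i.e. the backport of the CVE-2024-34447 fix.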
From: liuzhiqiang Date: Tue, 17 Jun 2025 08:04:23 +0000 Subject: [PATCH 3/4] rename 1002-jmail_packages.patch to 0002_fix_CVE-2024-34447. Signed-off-by: liuzhiqiang --- 1002-jmail_packages.patch => 0002_fix_CVE-2024-34447 | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename 1002-jmail_packages.patch => 0002_fix_CVE-2024-34447 (100%) diff --git a/1002-jmail_packages.patch b/0002_fix_CVE-2024-34447 similarity index 100% rename from 1002-jmail_packages.patch rename to 0002_fix_CVE-2024-34447 -- Gitee From fc6b86f7c5826ba8884789e6eca5eedb74f8fe10 Mon Sep 17 00:00:00 2001 From: liuzhiqiang Date: Tue, 17 Jun 2025 08:11:50 +0000 Subject: [PATCH 4/4] update bouncycastle.spec. Signed-off-by: liuzhiqiang --- bouncycastle.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bouncycastle.spec b/bouncycastle.spec index 6ae7f59..ff3982d 100644 --- a/bouncycastle.spec +++ b/bouncycastle.spec @@ -29,7 +29,7 @@ Source8: get-poms.sh # From https://src.fedoraproject.org/rpms/bouncycastle/blob/d0ad563d8f8f61b9631e5562028b30b407d97094/f/jmail.packages.patch Patch0: 1001-jmail_packages.patch -Patch1: 1002-jmail_packages.patch +Patch1: 0002_fix_CVE-2024-34447 BuildArch: noarch ExclusiveArch: %{java_arches} noarch @@ -109,7 +109,7 @@ Summary: Javadoc for %{name} API documentation for the Bouncy Castle Cryptography APIs. %prep -%setup -q -n bc-java-%{gittag} +%setup -q -n -p1 bc-java-%{gittag} %patch -P0 -p1 for x in `find | grep -e x_pkcs7_signature.java -e PKCS7ContentHandler.java -e multipart_signed.java` ; do sed "s/getTransferData.ActivationDataFlavor/getTransferData(DataFlavor/g" -i $x -- Gitee
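Review bot: `%setup -q -n -p1 bc-java-%{gittag}` in the `@@ -109,7 +109,7 @@` hunk of PATCH 4/4 is malformed: `-n` takes the following token as the unpacked directory name, so it receives `-p1` and `bc-java-%{gittag}` is left as a stray argument, and `%setup` has no patch-level option in any case (that belongs to `%patch` and `%autosetup`), so `%prep` is likely to fail or look for the wrong directory. Restore the original line, `%setup -q -n bc-java-%{gittag}`, and apply the renamed patch explicitly with `%patch -P1 -p1` after `%patch -P0 -p1`, which this hunk still omits. The `Patch1: 0002_fix_CVE-2024-34447` hunk above is consistent with the rename in PATCH 3/4, though dropping the `.patch` suffix departs from the `1001-jmail_packages.patch` naming beside it.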