PING 2: [PATCH FOR REVIEW]: Support PKCS11 cryptography via NSS
Andrew John Hughes
gnu_andrew at member.fsf.org
Thu Sep 10 10:35:03 PDT 2009
2009/9/8 Andrew John Hughes <gnu_andrew at member.fsf.org>:
> 2009/9/3 Andrew John Hughes <gnu_andrew at member.fsf.org>:
>> IcedTea6, as currently built, does not support elliptic curve
>> cryptography (http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=356).
>> For this to be enabled, the provider must be added to
>> jre/lib/security/java.security and configured to point to the system
>> With the proprietary JDK, this is not something that can be done 'out
>> of the box', but we can do this with IcedTea by detecting NSS using
>> configure. The attached patch does just that. It also fixes an issue
>> (6763530) that prevents newer versions of NSS from working. When
>> applied, NSS can be enabled just by passing --enable-nss to configure.
>> The following then works:
>> $ /home/andrew/build/icedtea6/bin/keytool -v -genkeypair -keyalg EC
>> -keysize 256 -keystore ectest.jks
>> Enter keystore password:
>> Re-enter new password:
>> The configure check doesn't verify that NSS was built with EC support.
>> I couldn't find an easy way of doing this. It is enabled during the
>> build by defining NSS_ENABLE_ECC (-DNSS_ENABLE_ESS). From
>> ifdef NSS_ENABLE_ECC
>> DEFINES += -DNSS_ENABLE_ECC
>> Thus the define is not available in the installed headers, so the only
>> way to do a check would seem to be to write code to generate an EC key
>> with NSS and check for failure. The same check would later be
>> invalidated if the system NSS changes after OpenJDK is built, and so
>> OpenJDK would need to be rebuilt.
>> If someone wants to write such a test, feel free but AFAICS it
>> wouldn't gain anything. OpenJDK will still build (linking is done at
>> runtime) and if NSS doesn't have EC support, then OpenJDK won't which
>> is no different from the current status quo.
>> Does this look ok for commit?
>> * HACKING: Updated.
>> * Makefile.am:
>> Add two new patches. Copy nss.cfg to jre/lib/security if
>> NSS is enabled.
>> * configure.ac:Check for NSS and set NSS_LIBDIR
>> and ENABLE_NSS if found.
>> * nss.cfg.in: Template for the nss configuration file.
>> * patches/icedtea-nss-6763530.patch:
>> Fix for Sun bug 6763530 which is triggered by newer
>> versions of NSS.
>> * patches/icedtea-nss-config.patch: Patch java.security
>> with the PCKS11 provider configuration.
>> Andrew :-)
>> Free Java Software Engineer
>> Red Hat, Inc. (http://www.redhat.com)
>> Support Free Java!
>> Contribute to GNU Classpath and the OpenJDK
>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
>> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
> I know it was a long weekend for some, but the Sun engineers have even
> responded to a patch I posted to hotspot-dev in the same time frame as
> this one...
> Andrew :-)
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
> Support Free Java!
> Contribute to GNU Classpath and the OpenJDK
> PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
Ping! Ping! Ping!
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
More information about the distro-pkg-dev