changeset 1984:755ac518cabd

Support the PKCS11 EC provider with --enable-nss. 2009-09-04 Andrew John Hughes <ahughes@redhat.com> * HACKING: Updated. * Makefile.am: Add two new patches. Copy nss.cfg to jre/lib/security if NSS is enabled. * configure.ac: Check for NSS and set NSS_LIBDIR and ENABLE_NSS if found. * nss.cfg.in: Template for the nss configuration file. * patches/icedtea-disable-intree-ec.patch: Turn off the new EC provider in java.security as we don't build it. * patches/icedtea-nss-6763530.patch: Fix for Sun bug 6763530 which is triggered by newer versions of NSS. * patches/icedtea-nss-config.patch: Patch java.security with the PKCS11 provider configuration.
author Andrew John Hughes <ahughes@redhat.com>
date Fri, 11 Sep 2009 15:32:10 +0100
parents 0373c927e1e9
children c3b3af26b93f
files ChangeLog HACKING Makefile.am configure.ac nss.cfg.in patches/icedtea-disable-intree-ec.patch patches/icedtea-nss-6763530.patch patches/icedtea-nss-config.patch
diffstat 8 files changed, 146 insertions(+), 1 deletions(-) [+]
--- a/ChangeLog	Fri Sep 11 14:09:28 2009 +0100
+++ b/ChangeLog	Fri Sep 11 15:32:10 2009 +0100
@@ -1,3 +1,20 @@
+2009-09-04  Andrew John Hughes  <ahughes@redhat.com>
+
+	* HACKING: Updated.
+	* Makefile.am:
+	Add two new patches.  Copy nss.cfg to jre/lib/security if
+	NSS is enabled.
+	* configure.ac:Check for NSS and set NSS_LIBDIR
+	and ENABLE_NSS if found.
+	* nss.cfg.in: Template for the nss configuration file.
+	* patches/icedtea-disable-intree-ec.patch: Turn off
+	the new EC provider in java.security as we don't build it.
+	* patches/icedtea-nss-6763530.patch:
+	Fix for Sun bug 6763530 which is triggered by newer
+	versions of NSS.
+	* patches/icedtea-nss-config.patch: Patch java.security
+	with the PCKS11 provider configuration.
+
 2009-09-11  Andrew John Hughes  <ahughes@redhat.com>
 
 	* Makefile.am:
--- a/HACKING	Fri Sep 11 14:09:28 2009 +0100
+++ b/HACKING	Fri Sep 11 15:32:10 2009 +0100
@@ -114,6 +114,8 @@
   is broken in libgcj 4.3.
 * icedtea-override.patch: Remove @Override annotation in
   javax.management.AttributeValueExp (unsupported by ecj < 3.4).
+* icedtea-nss-config.patch: Add the NSS PKCS11 security provider. (PR356)
+* icedtea-nss-6763530.patch: Fix PKCS11 provider when used with newer version of NSS (>=3.12.3) (PR356, S6763530).
 
 The following patches are only applied to the icedtea-ecj bootstrap tree:
 
--- a/Makefile.am	Fri Sep 11 14:09:28 2009 +0100
+++ b/Makefile.am	Fri Sep 11 15:32:10 2009 +0100
@@ -2080,7 +2080,8 @@
 	patches/icedtea-jvmtiEnv.patch \
 	patches/icedtea-xml-encodinginfo.patch \
 	patches/icedtea-cc-interp-backedge.patch \
-	patches/icedtea-netx.patch
+	patches/icedtea-netx.patch \
+	patches/icedtea-disable-intree-ec.patch
 
 if WITH_RHINO
 ICEDTEA_PATCHES += \
@@ -2140,6 +2141,11 @@
 endif
 endif
 
+if ENABLE_NSS
+ICEDTEA_PATCHES += patches/icedtea-nss-config.patch \
+		   patches/icedtea-nss-6763530.patch
+endif
+
 ICEDTEA_PATCHES += $(DISTRIBUTION_PATCHES)
 
 stamps/extract.stamp: stamps/download.stamp
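Review bot: The two patches appended here have an unstated ordering dependency on patches/icedtea-disable-intree-ec.patch, which the first hunk adds to the unconditional list: the context lines of icedtea-nss-config.patch (providers 6–8 ending with SunPCSC in slot 8) only match after the in-tree SunEC entry has been removed and the list renumbered, so this `+=` must stay after the main ICEDTEA_PATCHES assignment. A comment would protect that invariant, e.g. `# Must follow icedtea-disable-intree-ec.patch: icedtea-nss-config.patch's context assumes the renumbered provider list.` It is that ordering which makes the SunPKCS11 entry land in slot 9.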
@@ -2760,6 +2766,10 @@
 	    $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot.stp; \
 	fi
 endif
+if ENABLE_NSS
+	cp $(abs_top_builddir)/nss.cfg \
+	  $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security;
+endif
 	@echo "IcedTea is served:" $(BUILD_OUTPUT_DIR)
 	mkdir -p stamps
 	touch stamps/icedtea.stamp
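Review bot: The `cp` of nss.cfg into j2sdk-image/jre/lib/security is repeated verbatim in the debug recipe below (the hunk at @@ -2846); a single make variable or helper target for the copy would keep the two images from drifting apart. The recipe this sits in starts and ends outside the hunk. java.security resolves the provider argument as `${java.home}/lib/security/nss.cfg`, so if this build also produces a separate j2re-image (not visible from the hunk), that image would reference a file that was never copied and the SunPKCS11 provider would fail to initialise there; worth confirming.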
@@ -2846,6 +2856,10 @@
 	    $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot.stp; \
 	fi
 endif
+if ENABLE_NSS
+	cp $(abs_top_builddir)/nss.cfg \
+	  $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security;
+endif
 	@echo "IcedTea (debug build) is served:" \
 	  $(BUILD_OUTPUT_DIR)-debug
 	mkdir -p stamps
--- a/configure.ac	Fri Sep 11 14:09:28 2009 +0100
+++ b/configure.ac	Fri Sep 11 15:32:10 2009 +0100
@@ -141,6 +141,14 @@
 AM_CONDITIONAL([ENABLE_SYSTEMTAP], [test x$ENABLE_SYSTEMTAP = xyes])
 AC_MSG_RESULT(${ENABLE_SYSTEMTAP})
 
+AC_MSG_CHECKING([whether to include elliptic curve cryptography support via NSS])
+AC_ARG_ENABLE([nss],
+	      [AS_HELP_STRING([--enable-nss],
+	      		      [Enable inclusion of NSS security provider])],
+	      [ENABLE_NSS="${enableval}"], [ENABLE_NSS='no'])
+AM_CONDITIONAL([ENABLE_NSS], [test x$ENABLE_NSS = xyes])
+AC_MSG_RESULT(${ENABLE_NSS})
+
 AC_MSG_CHECKING([how many parallel build jobs to execute])
 AC_ARG_WITH([parallel-jobs],
 	[AS_HELP_STRING([--with-parallel-jobs],
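Review bot: The AC_MSG_CHECKING text announces "elliptic curve cryptography support via NSS" while the help string says "Enable inclusion of NSS security provider"; the configure output and --help should describe the option the same way, e.g. `AC_MSG_CHECKING([whether to include the NSS PKCS11 security provider])`. Note also that any value other than `yes` (say `--enable-nss=maybe`) is silently treated as disabled by the `test x$ENABLE_NSS = xyes` conditional; that mirrors the neighbouring ENABLE_SYSTEMTAP check, so it is a style choice rather than a defect, but a `case` rejecting unknown values would be stricter.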
@@ -444,6 +452,18 @@
   AC_SUBST(GTK_LIBS)
 fi
 
+if test "x${ENABLE_NSS}" = "xyes"
+then
+  PKG_CHECK_MODULES(NSS, nss, [NSS_FOUND=yes], [NSS_FOUND=no])
+  if test "x${NSS_FOUND}" = xno
+  then
+    AC_MSG_ERROR([Could not find NSS.  Either install it or configure using --disable-nss.])
+  fi
+  NSS_LIBDIR=`$PKG_CONFIG --variable=libdir nss`
+  AC_SUBST(NSS_LIBDIR)
+  AC_CONFIG_FILES([nss.cfg])
+fi
+
 if test "x${ZERO_BUILD_TRUE}" = x || test "x${ADD_ZERO_BUILD_TRUE}" = x; then
   dnl Check for libffi headers and libraries.
   PKG_CHECK_MODULES(LIBFFI, libffi,[LIBFFI_FOUND=yes],[LIBFFI_FOUND=no])
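Review bot: `NSS_LIBDIR` is taken from `$PKG_CONFIG --variable=libdir nss` with no check that the result is non-empty, and it is then substituted verbatim into nss.cfg as nssLibraryDirectory; an nss.pc without that variable yields an empty directory and the provider only fails at JVM run time instead of at configure time. Add `if test "x${NSS_LIBDIR}" = x; then AC_MSG_ERROR([Could not determine the NSS library directory from pkg-config.]); fi` after the assignment. The pkg-config check also carries no version constraint, while the HACKING entry ties icedtea-nss-6763530.patch to NSS >= 3.12.3; if the patched decoding only works with those versions, `PKG_CHECK_MODULES(NSS, nss >= 3.12.3, ...)` would make configure reject older installs rather than letting them fail at key parsing.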
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/nss.cfg.in	Fri Sep 11 15:32:10 2009 +0100
@@ -0,0 +1,4 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
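Review bot: The file has no comment explaining what it configures or that nssLibraryDirectory is an absolute path fixed at configure time, which matters because SunPKCS11 loads the NSS library from that exact directory, so a relocated image or a host with NSS installed elsewhere loses the provider and, with SunEC removed in this changeset, every EC algorithm with it. The SunPKCS11 configuration parser accepts `#` comment lines, so a header such as `# SunPKCS11 configuration for the system NSS library; nssLibraryDirectory is substituted by configure from pkg-config.` followed by `# nssDbMode = noDb: NSS is initialised without a certificate/key database and used purely as a crypto library.` would document the intent in place.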
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/icedtea-disable-intree-ec.patch	Fri Sep 11 15:32:10 2009 +0100
@@ -0,0 +1,23 @@
+diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security openjdk/jdk/src/share/lib/security/java.security
+--- openjdk.orig/jdk/src/share/lib/security/java.security	2009-09-10 19:04:25.000000000 +0100
++++ openjdk/jdk/src/share/lib/security/java.security	2009-09-11 14:53:07.000000000 +0100
+@@ -45,13 +45,12 @@
+ #
+ security.provider.1=sun.security.provider.Sun
+ security.provider.2=sun.security.rsa.SunRsaSign
+-security.provider.3=sun.security.ec.SunEC
+-security.provider.4=com.sun.net.ssl.internal.ssl.Provider
+-security.provider.5=com.sun.crypto.provider.SunJCE
+-security.provider.6=sun.security.jgss.SunProvider
+-security.provider.7=com.sun.security.sasl.Provider
+-security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+-security.provider.9=sun.security.smartcardio.SunPCSC
++security.provider.3=com.sun.net.ssl.internal.ssl.Provider
++security.provider.4=com.sun.crypto.provider.SunJCE
++security.provider.5=sun.security.jgss.SunProvider
++security.provider.6=com.sun.security.sasl.Provider
++security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
++security.provider.8=sun.security.smartcardio.SunPCSC
+ 
+ #
+ # Select the source of seed data for SecureRandom. By default an
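Review bot: This new patch removes the SunEC provider unconditionally (it goes into the main ICEDTEA_PATCHES list, not the ENABLE_NSS block), so a build configured without --enable-nss ships with no provider for EC at all, yet the HACKING hunk in this changeset documents only the two NSS patches and never mentions icedtea-disable-intree-ec.patch. Add an entry alongside them: `* icedtea-disable-intree-ec.patch: Drop the in-tree SunEC provider from java.security as it is not built; EC support comes from NSS via --enable-nss.`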
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/icedtea-nss-6763530.patch	Fri Sep 11 15:32:10 2009 +0100
@@ -0,0 +1,55 @@
+diff -r 1f83d4e42eda src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java	Mon Aug 31 12:55:15 2009 +0900
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java	Thu Sep 03 18:47:40 2009 +0100
+@@ -40,6 +40,8 @@
+ import sun.security.pkcs11.wrapper.*;
+ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ 
++import sun.security.util.DerValue;
++
+ /**
+  * EC KeyFactory implemenation.
+  *
+@@ -201,7 +203,14 @@
+ 
+     private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception {
+         byte[] encodedParams = ECParameters.encodeParameters(params);
+-        byte[] encodedPoint = ECParameters.encodePoint(point, params.getCurve());
++        DerValue pkECPoint = new DerValue(DerValue.tag_OctetString,
++                                          ECParameters.encodePoint(point, params.getCurve()));
++        byte[] encodedPoint = null;
++        try {
++          encodedPoint = pkECPoint.toByteArray();
++        } catch (IOException e) {
++          throw new IllegalArgumentException("Could not DER encode point", e);
++        }
+         CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
+             new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY),
+             new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC),
+diff -r 1f83d4e42eda src/share/classes/sun/security/pkcs11/P11Key.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Key.java	Mon Aug 31 12:55:15 2009 +0900
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Key.java	Thu Sep 03 18:47:40 2009 +0100
+@@ -44,6 +44,8 @@
+ import sun.security.pkcs11.wrapper.*;
+ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ 
++import sun.security.util.DerValue;
++
+ /**
+  * Key implementation classes.
+  *
+@@ -1014,10 +1016,13 @@
+             };
+             fetchAttributes(attributes);
+             try {
++                DerValue wECPoint = new DerValue(attributes[0].getByteArray());
++                if (wECPoint.getTag() != DerValue.tag_OctetString)
++                    throw new IOException("Unexpected tag: " + wECPoint.getTag());
+                 params = P11ECKeyFactory.decodeParameters
+                             (attributes[1].getByteArray());
+                 w = P11ECKeyFactory.decodePoint
+-                            (attributes[0].getByteArray(), params.getCurve());
++                    (wECPoint.getDataBytes(), params.getCurve());
+             } catch (Exception e) {
+                 throw new RuntimeException("Could not parse key values", e);
+             }
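Review bot: The P11Key change makes a DER OCTET STRING wrapper around CKA_EC_POINT mandatory for every token used through SunPKCS11, not only NSS: the new DerValue parse runs with no fallback, so a token that returns the raw X9.63 point now fails with "Could not parse key values" where it previously worked. Since a raw uncompressed point and a DER OCTET STRING both begin with 0x04, sniffing the first byte is not a safe fallback; if IcedTea's SunPKCS11 is only ever paired with NSS here this is acceptable, but it deserves a comment at the DerValue line, e.g. `// NSS >= 3.12.3 returns CKA_EC_POINT wrapped in a DER OCTET STRING (S6763530); raw X9.63 points are no longer accepted here.` The P11ECKeyFactory hunk catches IOException, which needs java.io.IOException to already be imported in that file — the visible context shows only the pkcs11 wrapper imports, so that should be confirmed. Both modified methods start and end outside their hunks.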
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/icedtea-nss-config.patch	Fri Sep 11 15:32:10 2009 +0100
@@ -0,0 +1,10 @@
+--- openjdk.orig/jdk/src/share/lib/security/java.security	2009-08-25 11:43:59.000000000 +0100
++++ openjdk/jdk/src/share/lib/security/java.security		2009-08-27 14:23:54.000000000 +0100
+@@ -51,6 +51,7 @@
+ security.provider.6=com.sun.security.sasl.Provider
+ security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+ security.provider.8=sun.security.smartcardio.SunPCSC
++security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
+ 
+ #
+ # Select the source of seed data for SecureRandom. By default an
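Review bot: The new provider.9 line carries no explanation of why SunPKCS11 sits last in the precedence list or that it only works once the build has copied nss.cfg into jre/lib/security; a reader of java.security alone cannot tell that slot 9 is deliberate (the earlier pure-Java providers keep winning for the algorithms they implement, and NSS is reached only for the EC algorithms nothing above it offers). Preface it with `# NSS-backed PKCS11 provider, last so it only supplies algorithms (EC) no earlier provider implements; nss.cfg is installed by the IcedTea build.` The patch's `+++` header also has two tabs before the timestamp; patch tools tolerate it, but it is worth normalising.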