changeset 1984:755ac518cabd
Support the PKCS11 EC provider with --enable-nss.
2009-09-04 Andrew John Hughes <ahughes@redhat.com>
* HACKING: Updated.
* Makefile.am:
Add two new patches. Copy nss.cfg to jre/lib/security if
NSS is enabled.
* configure.ac:Check for NSS and set NSS_LIBDIR
and ENABLE_NSS if found.
* nss.cfg.in: Template for the nss configuration file.
* patches/icedtea-disable-intree-ec.patch: Turn off
the new EC provider in java.security as we don't build it.
* patches/icedtea-nss-6763530.patch:
Fix for Sun bug 6763530 which is triggered by newer
versions of NSS.
* patches/icedtea-nss-config.patch: Patch java.security
with the PKCS11 provider configuration.
author | Andrew John Hughes <ahughes@redhat.com> |
date | Fri, 11 Sep 2009 15:32:10 +0100 |
parents | 0373c927e1e9 |
children | c3b3af26b93f |
files | ChangeLog HACKING Makefile.am configure.ac nss.cfg.in patches/icedtea-disable-intree-ec.patch patches/icedtea-nss-6763530.patch patches/icedtea-nss-config.patch |
diffstat | 8 files changed, 146 insertions(+), 1 deletions(-) [+] |
--- a/ChangeLog Fri Sep 11 14:09:28 2009 +0100
+++ b/ChangeLog Fri Sep 11 15:32:10 2009 +0100
@@ -1,3 +1,20 @@
+2009-09-04 Andrew John Hughes <ahughes@redhat.com>
+
+ * HACKING: Updated.
+ * Makefile.am:
+ Add two new patches. Copy nss.cfg to jre/lib/security if
+ NSS is enabled.
+ * configure.ac:Check for NSS and set NSS_LIBDIR
+ and ENABLE_NSS if found.
+ * nss.cfg.in: Template for the nss configuration file.
+ * patches/icedtea-disable-intree-ec.patch: Turn off
+ the new EC provider in java.security as we don't build it.
+ * patches/icedtea-nss-6763530.patch:
+ Fix for Sun bug 6763530 which is triggered by newer
+ versions of NSS.
+ * patches/icedtea-nss-config.patch: Patch java.security
+ with the PCKS11 provider configuration.
+
 2009-09-11 Andrew John Hughes <ahughes@redhat.com>
 
 * Makefile.am:
--- a/HACKING Fri Sep 11 14:09:28 2009 +0100 +++ b/HACKING Fri Sep 11 15:32:10 2009 +0100 @@ -114,6 +114,8 @@ is broken in libgcj 4.3. * icedtea-override.patch: Remove @Override annotation in javax.management.AttributeValueExp (unsupported by ecj < 3.4). +* icedtea-nss-config.patch: Add the NSS PKCS11 security provider. (PR356) +* icedtea-nss-6763530.patch: Fix PKCS11 provider when used with newer version of NSS (>=3.12.3) (PR356, S6763530). The following patches are only applied to the icedtea-ecj bootstrap tree:
--- a/Makefile.am Fri Sep 11 14:09:28 2009 +0100
+++ b/Makefile.am Fri Sep 11 15:32:10 2009 +0100
@@ -2080,7 +2080,8 @@
 patches/icedtea-jvmtiEnv.patch \
 patches/icedtea-xml-encodinginfo.patch \
 patches/icedtea-cc-interp-backedge.patch \
- patches/icedtea-netx.patch
+ patches/icedtea-netx.patch \
+ patches/icedtea-disable-intree-ec.patch
 
 if WITH_RHINO
 ICEDTEA_PATCHES += \
@@ -2140,6 +2141,11 @@
 endif
 endif
 
+if ENABLE_NSS
+ICEDTEA_PATCHES += patches/icedtea-nss-config.patch \
+ patches/icedtea-nss-6763530.patch
+endif
+
 ICEDTEA_PATCHES += $(DISTRIBUTION_PATCHES)
 
 stamps/extract.stamp: stamps/download.stamp
@@ -2760,6 +2766,10 @@
 $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot.stp; \
 fi
 endif
+if ENABLE_NSS
+ cp $(abs_top_builddir)/nss.cfg \
+ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security;
+endif
 @echo "IcedTea is served:" $(BUILD_OUTPUT_DIR)
 mkdir -p stamps
 touch stamps/icedtea.stamp
@@ -2846,6 +2856,10 @@
 $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot.stp; \
 fi
 endif
+if ENABLE_NSS
+ cp $(abs_top_builddir)/nss.cfg \
+ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security;
+endif
 @echo "IcedTea (debug build) is served:" \
 $(BUILD_OUTPUT_DIR)-debug
 mkdir -p stamps
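Review bot: The cp added to the debug target writes nss.cfg into $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security, while the message two lines later reports the debug image at $(BUILD_OUTPUT_DIR)-debug; if the debug image really is built under the -debug directory, that build ships without nss.cfg and the SunPKCS11 entry its java.security points at can never load. The surrounding tapset copy uses the same non-debug path, so this may be an existing convention rather than a slip — confirm which directory the debug image lives in before merging. Separately, a bare `cp` carries whatever mode nss.cfg has in the build tree into the security directory; `install -m 644 $(abs_top_builddir)/nss.cfg $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security/nss.cfg` (or `$(INSTALL_DATA)`) pins it to a known, non-writable-by-group mode.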
--- a/configure.ac Fri Sep 11 14:09:28 2009 +0100
+++ b/configure.ac Fri Sep 11 15:32:10 2009 +0100
@@ -141,6 +141,14 @@
 AM_CONDITIONAL([ENABLE_SYSTEMTAP], [test x$ENABLE_SYSTEMTAP = xyes])
 AC_MSG_RESULT(${ENABLE_SYSTEMTAP})
 
+AC_MSG_CHECKING([whether to include elliptic curve cryptography support via NSS])
+AC_ARG_ENABLE([nss],
+ [AS_HELP_STRING([--enable-nss],
+ [Enable inclusion of NSS security provider])],
+ [ENABLE_NSS="${enableval}"], [ENABLE_NSS='no'])
+AM_CONDITIONAL([ENABLE_NSS], [test x$ENABLE_NSS = xyes])
+AC_MSG_RESULT(${ENABLE_NSS})
+
 AC_MSG_CHECKING([how many parallel build jobs to execute])
 AC_ARG_WITH([parallel-jobs],
 [AS_HELP_STRING([--with-parallel-jobs],
@@ -444,6 +452,18 @@
 AC_SUBST(GTK_LIBS)
 fi
 
+if test "x${ENABLE_NSS}" = "xyes"
+then
+ PKG_CHECK_MODULES(NSS, nss, [NSS_FOUND=yes], [NSS_FOUND=no])
+ if test "x${NSS_FOUND}" = xno
+ then
+ AC_MSG_ERROR([Could not find NSS. Either install it or configure using --disable-nss.])
+ fi
+ NSS_LIBDIR=`$PKG_CONFIG --variable=libdir nss`
+ AC_SUBST(NSS_LIBDIR)
+ AC_CONFIG_FILES([nss.cfg])
+fi
+
 if test "x${ZERO_BUILD_TRUE}" = x || test "x${ADD_ZERO_BUILD_TRUE}" = x; then
 dnl Check for libffi headers and libraries.
 PKG_CHECK_MODULES(LIBFFI, libffi,[LIBFFI_FOUND=yes],[LIBFFI_FOUND=no])
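Review bot: The AC_MSG_CHECKING text and the AS_HELP_STRING describe the same option differently — "elliptic curve cryptography support via NSS" versus "inclusion of NSS security provider" — and neither tells the user that this is the only way to get EC in an IcedTea build, since the in-tree SunEC is removed elsewhere in this changeset. Suggest aligning the help text with what the switch actually delivers: `[Enable the NSS PKCS11 security provider (supplies EC, which IcedTea does not build in-tree)]`. Also `[ENABLE_NSS="${enableval}"]` stores any value given to --enable-nss=..., so a typo such as --enable-nss=true is reported as that string and silently treated as "no" by the AM_CONDITIONAL.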
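Review bot: NSS_LIBDIR is taken from `pkg-config --variable=libdir nss` and substituted straight into nss.cfg without confirming that the NSS shared objects actually live there; on a distribution that keeps libnss3 in a subdirectory of libdir, or on a multilib layout where the .pc libdir differs from the runtime path, the generated nssLibraryDirectory is wrong and SunPKCS11 fails only at JVM start, leaving the JRE without EC instead of failing the build. Add an existence check after the assignment, for example `AS_IF([test -f "${NSS_LIBDIR}/libnss3.so"], [], [AC_MSG_ERROR([libnss3.so not found in ${NSS_LIBDIR}; check the nss pkg-config libdir])])`, or derive the directory from the -L entries in `$NSS_LIBS`. The shared-object name varies by platform, so the check may need to be conditional on the host OS.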
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/nss.cfg.in Fri Sep 11 15:32:10 2009 +0100
@@ -0,0 +1,4 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
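Review bot: nss.cfg is installed into jre/lib/security without a line saying what it is, and two of its settings carry consequences an operator will want spelled out: `nssDbMode = noDb` opens no NSS certificate/key database, so the provider supplies algorithms only and offers no keystore, and `nssLibraryDirectory` is the build host's NSS libdir baked in at configure time, which a relocated or differently packaged JRE has to edit or the provider will not load. Suggest a header of `# SunPKCS11 configuration for the system NSS library (generated from nss.cfg.in).`, `# noDb: no NSS cert/key database is opened - crypto algorithms only, no keystore.` and `# nssLibraryDirectory is the build host's NSS libdir; adjust it if the JRE is relocated.` — the SunPKCS11 config parser treats lines starting with # as comments.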
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/icedtea-disable-intree-ec.patch Fri Sep 11 15:32:10 2009 +0100
@@ -0,0 +1,23 @@
+diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security openjdk/jdk/src/share/lib/security/java.security
+--- openjdk.orig/jdk/src/share/lib/security/java.security 2009-09-10 19:04:25.000000000 +0100
++++ openjdk/jdk/src/share/lib/security/java.security 2009-09-11 14:53:07.000000000 +0100
+@@ -45,13 +45,12 @@
+ #
+ security.provider.1=sun.security.provider.Sun
+ security.provider.2=sun.security.rsa.SunRsaSign
+-security.provider.3=sun.security.ec.SunEC
+-security.provider.4=com.sun.net.ssl.internal.ssl.Provider
+-security.provider.5=com.sun.crypto.provider.SunJCE
+-security.provider.6=sun.security.jgss.SunProvider
+-security.provider.7=com.sun.security.sasl.Provider
+-security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+-security.provider.9=sun.security.smartcardio.SunPCSC
++security.provider.3=com.sun.net.ssl.internal.ssl.Provider
++security.provider.4=com.sun.crypto.provider.SunJCE
++security.provider.5=sun.security.jgss.SunProvider
++security.provider.6=com.sun.security.sasl.Provider
++security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
++security.provider.8=sun.security.smartcardio.SunPCSC
+ 
+ #
+ # Select the source of seed data for SecureRandom. By default an
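Review bot: The SunEC removal is applied to every build (Makefile.am adds this patch to ICEDTEA_PATCHES unconditionally, while the NSS patches are added only under ENABLE_NSS), so a build configured without --enable-nss has no EC provider at all, and the patched java.security gives no hint why provider 3 disappeared. Suggest a comment in the patch above the list: `# sun.security.ec.SunEC is not built by IcedTea; EC is supplied by the SunPKCS11/NSS provider when configured with --enable-nss.` HACKING should state the same consequence next to the new entries — presumably EC certificates and EC TLS cipher suites are unusable in a non-NSS build — so packagers do not discover it from a failing handshake.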
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/icedtea-nss-6763530.patch Fri Sep 11 15:32:10 2009 +0100
@@ -0,0 +1,55 @@
+diff -r 1f83d4e42eda src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Mon Aug 31 12:55:15 2009 +0900
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Thu Sep 03 18:47:40 2009 +0100
+@@ -40,6 +40,8 @@
+ import sun.security.pkcs11.wrapper.*;
+ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ 
++import sun.security.util.DerValue;
++
+ /**
+ * EC KeyFactory implemenation.
+ *
+@@ -201,7 +203,14 @@
+ 
+ private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception {
+ byte[] encodedParams = ECParameters.encodeParameters(params);
+- byte[] encodedPoint = ECParameters.encodePoint(point, params.getCurve());
++ DerValue pkECPoint = new DerValue(DerValue.tag_OctetString,
++ ECParameters.encodePoint(point, params.getCurve()));
++ byte[] encodedPoint = null;
++ try {
++ encodedPoint = pkECPoint.toByteArray();
++ } catch (IOException e) {
++ throw new IllegalArgumentException("Could not DER encode point", e);
++ }
+ CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY),
+ new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC),
+diff -r 1f83d4e42eda src/share/classes/sun/security/pkcs11/P11Key.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Key.java Mon Aug 31 12:55:15 2009 +0900
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Key.java Thu Sep 03 18:47:40 2009 +0100
+@@ -44,6 +44,8 @@
+ import sun.security.pkcs11.wrapper.*;
+ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ 
++import sun.security.util.DerValue;
++
+ /**
+ * Key implementation classes.
+ *
+@@ -1014,10 +1016,13 @@
+ };
+ fetchAttributes(attributes);
+ try {
++ DerValue wECPoint = new DerValue(attributes[0].getByteArray());
++ if (wECPoint.getTag() != DerValue.tag_OctetString)
++ throw new IOException("Unexpected tag: " + wECPoint.getTag());
+ params = P11ECKeyFactory.decodeParameters
+ (attributes[1].getByteArray());
+ w = P11ECKeyFactory.decodePoint
+- (attributes[0].getByteArray(), params.getCurve());
++ (wECPoint.getDataBytes(), params.getCurve());
+ } catch (Exception e) {
+ throw new RuntimeException("Could not parse key values", e);
+ }
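Review bot: The new decode path in P11Key accepts only a DER-wrapped CKA_EC_POINT, so a token that still returns the bare X9.63 point (NSS before 3.12.3 and, presumably, other PKCS#11 modules) now dies in `Could not parse key values` where it used to work, and the tag check cannot tell the two forms apart because an uncompressed point also starts with 0x04 — the same byte as DerValue.tag_OctetString. The distinguishing signal is the DER length: for a bare point the "length" byte is the first coordinate byte, and `new DerValue(byte[])` will, as far as I recall, reject the leftover bytes with an IOException, so catching that and falling back to the raw bytes keeps older tokens working (a per-token config switch would be the unambiguous fix, since the 1-in-256 case where the coordinate byte equals the remaining length is still misparsed). The same one-way assumption is baked into P11ECKeyFactory.generatePublic, which now always hands the wrapped form to the token, and `byte[] encodedPoint = null;` there can be a plain declaration because the catch block throws. Both enclosing methods start before and end after their hunks.
```java
                try {
                    params = P11ECKeyFactory.decodeParameters
                        (attributes[1].getByteArray());
                    byte[] ecPoint = attributes[0].getByteArray();
                    // NSS >= 3.12.3 wraps the X9.63 point in a DER OCTET
                    // STRING; older tokens return it bare.  Both begin with
                    // 0x04, so only trust the wrapper when it parses cleanly.
                    try {
                        DerValue wECPoint = new DerValue(ecPoint);
                        if (wECPoint.getTag() == DerValue.tag_OctetString) {
                            ecPoint = wECPoint.getDataBytes();
                        }
                    } catch (IOException e) {
                        // not DER-wrapped: use the bare point as-is
                    }
                    w = P11ECKeyFactory.decodePoint
                        (ecPoint, params.getCurve());
                } catch (Exception e) {
                    throw new RuntimeException("Could not parse key values", e);
                }
```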
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/icedtea-nss-config.patch Fri Sep 11 15:32:10 2009 +0100
@@ -0,0 +1,10 @@
+--- openjdk.orig/jdk/src/share/lib/security/java.security 2009-08-25 11:43:59.000000000 +0100
++++ openjdk/jdk/src/share/lib/security/java.security 2009-08-27 14:23:54.000000000 +0100
+@@ -51,6 +51,7 @@
+ security.provider.6=com.sun.security.sasl.Provider
+ security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+ security.provider.8=sun.security.smartcardio.SunPCSC
++security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
+ 
+ #
+ # Select the source of seed data for SecureRandom. By default an
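Review bot: The new provider entry records neither of the two facts a maintainer needs: its context lines (providers 6-8 as SASL, XMLDSig and PCSC) only match after icedtea-disable-intree-ec.patch has renumbered the list, so the two patches must stay in the order Makefile.am applies them, and, as far as I recall, a SunPKCS11 provider whose config or native library cannot be loaded is skipped silently by the JCA at startup, which would leave this build with no EC at all rather than an error. Position 9 also means NSS is consulted by default only for algorithms none of the eight Java providers offer (EC), not for RSA, AES or hashing. Suggest a comment above the entry in the patch, roughly: `# NSS via SunPKCS11, last so it only serves algorithms (EC) the Java providers lack; needs the renumbering from icedtea-disable-intree-ec.patch and is dropped silently if nss.cfg or NSS cannot be loaded.`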