changeset 2609:a84cfe9142fd
PR1983: Support using the system installation of NSS with the SunEC provider
2016-01-29 Andrew John Hughes <gnu.andrew@member.fsf.org>
PR1983: Support using the system installation
of NSS with the SunEC provider
* INSTALL: Fix header from 'IcedTea7' to 'IcedTea'.
* Makefile.am:
(ICEDTEA_PATCHES): Make disable-intree-ec patch
conditional on whether or not the SunEC provider
is enabled. Add new variants of the NSS/PKCS11
configuration patch for cases where it is not applied.
(ICEDTEA_CONFIGURE): Pass --enable-system-nss or
--disable-system-nss, depending on whether or
not the SunEC provider is enabled.
(ICEDTEA_ENV): Remove DISABLE_INTREE_EC which
is not applicable in OpenJDK 8.
* README: Fix header from 'IcedTea7' to 'IcedTea'.
* patches/nss-config-with-sunec.patch,
* patches/nss-not-enabled-config-with-sunec.patch:
New variants of nss-config.patch and nss-not-enabled-config.patch
which apply when the SunEC provider is also enabled.
2015-07-06 Andrew John Hughes <gnu.andrew@member.fsf.org>
* INSTALL: Document the SunEC provider.
2014-05-09 Andrew John Hughes <gnu.andrew@member.fsf.org>
PR1762: Undefined references when building with NSS 3.16.1
* acinclude.m4:
(IT_ENABLE_SUNEC): For NSS >= 3.16.1, add -lfreebl
to SUNEC_LIBS, not SUNEC_CFLAGS, and use NSS_LIBS as
the base, not NSS_SOFTOKN_LIBS.
2014-04-23 Andrew John Hughes <gnu.andrew@member.fsf.org>
PR1742: Allow SunEC provider to be built with changes
in NSS >= 3.16.1
* Makefile.am:
(ICEDTEA_ENV): Use SUNEC_LIBS and SUNEC_CFLAGS
instead of NSS_LIBS and NSS_CFLAGS respectively.
* acinclude.m4:
(IT_ENABLE_SUNEC): Use SUNEC_CFLAGS and SUNEC_LIBS
for clarity as NSS_CFLAGS and NSS_LIBS are also set
by the NSS detection.
2014-04-18 Andrew John Hughes <gnu.andrew@member.fsf.org>
PR1699: Support building the SunEC provider
with system NSS
* Makefile.am:
(ICEDTEA_ENV): Set NSS_LIBS and NSS_CFLAGS
when ENABLE_SUNEC is set.
* acinclude.m4:
(IT_LOCATE_NSS): Fix wording to make it clear that
this is the PKCS11 provider, using NSS as the
implementation.
(IT_ENABLE_SUNEC): Allow the Sun elliptic curve
crypto provider to be enabled.
* configure.ac:
Replace IT_LOCATE_NSS with IT_ENABLE_SUNEC (which
depends on the former).
* fsg.sh.in:
Only delete the SunEC implementation code at this
level. This is the part that is legally dubious,
due to the use of many more elliptic curves than
those provided by the NSS version.
* remove-intree-libraries.sh.in:
Include the remaining SunEC deletion from fsg.sh
here and make it optional.
author | Andrew John Hughes <gnu_andrew@member.fsf.org> |
---|---|
date | Fri, 29 Jan 2016 17:41:08 +0000 |
parents | 241cf3509015 |
children | 969d84a2df36 |
files | ChangeLog INSTALL Makefile.am README acinclude.m4 configure.ac fsg.sh.in patches/nss-config-with-sunec.patch patches/nss-not-enabled-config-with-sunec.patch remove-intree-libraries.sh.in |
diffstat | 10 files changed, 186 insertions(+), 17 deletions(-) |
--- a/ChangeLog Fri Jan 29 14:24:16 2016 +0000 +++ b/ChangeLog Fri Jan 29 17:41:08 2016 +0000 
@@ -1,3 +1,73 @@ +2016-01-29 Andrew John Hughes <gnu.andrew@member.fsf.org> + + PR1983: Support using the system installation + of NSS with the SunEC provider + * INSTALL: Fix header from 'IcedTea7' to 'IcedTea'. + * Makefile.am: + (ICEDTEA_PATCHES): Make disable-intree-ec patch + conditional on whether or not the SunEC provider + is enabled. Add new variants of the NSS/PKCS11 + configuration patch for cases where it is not applied. + (ICEDTEA_CONFIGURE): Pass --enable-system-nss or + --disable-system-nss, depending on whether or + not the SunEC provider is enabled. + (ICEDTEA_ENV): Remove DISABLE_INTREE_EC which + is not applicable in OpenJDK 8. + * README: Fix header from 'IcedTea7' to 'IcedTea'. + * patches/nss-config-with-sunec.patch, + * patches/nss-not-enabled-config-with-sunec.patch: + New variants of nss-config.patch and nss-not-enabled-config.patch + which apply when the SunEC provider is also enabled. + +2015-07-06 Andrew John Hughes <gnu.andrew@member.fsf.org> + + * INSTALL: Document the SunEC provider. + +2014-05-09 Andrew John Hughes <gnu.andrew@member.fsf.org> + + PR1762: Undefined references when building with NSS 3.16.1 + * acinclude.m4: + (IT_ENABLE_SUNEC): For NSS >= 3.16.1, add -lfreebl + to SUNEC_LIBS, not SUNEC_CFLAGS, and use NSS_LIBS as + the base, not NSS_SOFTOKN_LIBS. + +2014-04-23 Andrew John Hughes <gnu.andrew@member.fsf.org> + + PR1742: Allow SunEC provider to be built with changes + in NSS >= 3.16.1 + * Makefile.am: + (ICEDTEA_ENV): Use SUNEC_LIBS and SUNEC_CFLAGS + instead of NSS_LIBS and NSS_CFLAGS respectively. + * acinclude.m4: + (IT_ENABLE_SUNEC): Use SUNEC_CFLAGS and SUNEC_LIBS + for clarity as NSS_CFLAGS and NSS_LIBS are also set + by the NSS detection. + +2014-04-18 Andrew John Hughes <gnu.andrew@member.fsf.org> + + PR1699: Support building the SunEC provider + with system NSS + * Makefile.am: + (ICEDTEA_ENV): Set NSS_LIBS and NSS_CFLAGS + when ENABLE_SUNEC is set. 
+ * acinclude.m4: + (IT_LOCATE_NSS): Fix wording to make it clear that + this is the PKCS11 provider, using NSS as the + implementation. + (IT_ENABLE_SUNEC): Allow the Sun elliptic curve + crypto provider to be enabled. + * configure.ac: + Replace IT_LOCATE_NSS with IT_ENABLE_SUNEC (which + depends on the former). + * fsg.sh.in: + Only delete the SunEC implementation code at this + level. This is the part that is legally dubious, + due to the use of many more elliptic curves than + those provided by the NSS version. + * remove-intree-libraries.sh.in: + Include the remaining SunEC deletion from fsg.sh + here and make it optional. + 2016-01-29 Andrew John Hughes <gnu.andrew@member.fsf.org> PR2768: Move SystemTap GCC 4.5 patch to OpenJDK
--- a/INSTALL Fri Jan 29 14:24:16 2016 +0000 +++ b/INSTALL Fri Jan 29 17:41:08 2016 +0000 @@ -1,5 +1,5 @@ -Building IcedTea7 -================= +Building IcedTea +================ For convenience we've provided make targets that automatically download, extract and patch the source code from the IcedTea forest @@ -159,6 +159,7 @@ * --with-hotspot-build: The HotSpot to use, defaulting to 'original' i.e. hs14 as bundled with OpenJDK. * --with-additional-vms=vm-list: Additional VMs to build using the system described below. +* --enable-sunec: Build the SunEC crypto provider against system NSS. Testing ======= @@ -205,8 +206,8 @@ /usr/lib/jvm/java-1.6.0-openjdk, then you should specify --with-abs-install-dir=/usr/lib/jvm/java-1.6.0-openjdk. -NSS Security Provider -===================== +The NSS PKCS11 Security Provider and Elliptic Curve Cryptography +================================================================ OpenJDK includes an NSS-based security provider in the form of sun.security.pkcs11.SunPKCS11. However, as this needs to know the @@ -217,6 +218,14 @@ this configuration will be turned on in lib/security/java.security. This can also be done manually at a later date. +The PKCS11 option was originally added as it was the only way that +elliptic curve cryptography support could be provided. From OpenJDK 7 +onwards, there is another provider, SunEC. This also utilises NSS, but +directly via its ECC functions rather than the PKCS11 interface. +Specifying --enable-sunec will build this provider, linked against +NSS. Version 3.16.1 or later of NSS is required so that the +appropriate softokn ABI is available to the provider. + CACAO =====
--- a/Makefile.am Fri Jan 29 14:24:16 2016 +0000 +++ b/Makefile.am Fri Jan 29 17:41:08 2016 +0000 @@ -229,8 +229,7 @@ ICEDTEA_PATCHES = \ patches/memory-limits.patch \ patches/override-redirect-metacity.patch \ - patches/rh1022017.patch \ - patches/disable-intree-ec.patch + patches/rh1022017.patch # Conditional patches @@ -260,11 +259,24 @@ patches/jamvm/find_class_from_caller.patch endif +if !ENABLE_SUNEC +ICEDTEA_PATCHES += \ + patches/disable-intree-ec.patch +endif + if ENABLE_NSS +if ENABLE_SUNEC +ICEDTEA_PATCHES += patches/nss-config-with-sunec.patch +else ICEDTEA_PATCHES += patches/nss-config.patch +endif +else +if ENABLE_SUNEC +ICEDTEA_PATCHES += patches/nss-not-enabled-config-with-sunec.patch else ICEDTEA_PATCHES += patches/nss-not-enabled-config.patch endif +endif ICEDTEA_PATCHES += $(DISTRIBUTION_PATCHES) @@ -345,6 +357,14 @@ --with-giflib=bundled endif +if ENABLE_SUNEC +ICEDTEA_CONFIGURE += \ + --enable-system-nss +else +ICEDTEA_CONFIGURE += \ + --disable-system-nss +endif + if ZERO_BUILD ICEDTEA_CONFIGURE += \ --with-jvm-variants=zero @@ -390,7 +410,6 @@ DERIVATIVE_ID="$(ICEDTEA_NAME) $(PACKAGE_VERSION)$(ICEDTEA_REV)" \ DEBUG_CLASSFILES="true" \ DEBUG_BINARIES="true" \ - DISABLE_INTREE_EC="true" \ LOG="debug" SCTP_WERROR= \ POST_STRIP_CMD= STRIP_POLICY="no_strip" \ JOBS="$(PARALLEL_JOBS)" @@ -459,6 +478,12 @@ GIF_CFLAGS="${GIF_CFLAGS}" endif +if ENABLE_SUNEC +ICEDTEA_ENV += \ + NSS_LIBS="${SUNEC_LIBS}" \ + NSS_CFLAGS="${SUNEC_CFLAGS}" +endif + # OpenJDK boot build environment. ICEDTEA_CONFIGURE_BOOT = $(ICEDTEA_CONFIGURE) ICEDTEA_ENV_BOOT = $(ICEDTEA_ENV) \
--- a/README Fri Jan 29 14:24:16 2016 +0000 +++ b/README Fri Jan 29 17:41:08 2016 +0000 @@ -1,5 +1,5 @@ -IcedTea7 -======== +IcedTea +======= The IcedTea project provides a harness to build the source code from openjdk.java.net using Free Software tools and dependencies.
--- a/acinclude.m4 Fri Jan 29 14:24:16 2016 +0000 +++ b/acinclude.m4 Fri Jan 29 17:41:08 2016 +0000 @@ -1396,10 +1396,10 @@ AC_DEFUN_ONCE([IT_LOCATE_NSS], [ AC_REQUIRE([IT_OBTAIN_DEFAULT_LIBDIR]) -AC_MSG_CHECKING([whether to enable the NSS-based security provider]) +AC_MSG_CHECKING([whether to enable the PKCS11 crypto provider using NSS]) AC_ARG_ENABLE([nss], [AS_HELP_STRING([--enable-nss], - [Enable inclusion of NSS security provider])], + [Enable inclusion of PKCS11 crypto provider using NSS])], [ENABLE_NSS="${enableval}"], [ENABLE_NSS='no']) AM_CONDITIONAL([ENABLE_NSS], [test x$ENABLE_NSS = xyes]) if test "x${ENABLE_NSS}" = "xyes" @@ -1943,3 +1943,40 @@ AC_MSG_RESULT([$has_native_hotspot_port]) ]) +AC_DEFUN_ONCE([IT_ENABLE_SUNEC], +[ + AC_REQUIRE([IT_LOCATE_NSS]) + AC_MSG_CHECKING([whether to enable the Sun elliptic curve crypto provider]) + AC_ARG_ENABLE([sunec], + [AS_HELP_STRING(--enable-sunec,build the Sun elliptic curve crypto provider [[default=no]])], + [ + case "${enableval}" in + yes) + enable_sunec=yes + ;; + *) + enable_sunec=no + ;; + esac + ], + [ + enable_sunec=no + ]) + AC_MSG_RESULT([$enable_sunec]) + AM_CONDITIONAL([ENABLE_SUNEC], test x"${enable_sunec}" = "xyes") + if test x"${enable_sunec}" = "xyes"; then + PKG_CHECK_MODULES(NSS_SOFTOKN, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no]) + PKG_CHECK_MODULES(NSS_JAVA, nss-java, [NSS_JAVA_FOUND=yes], [NSS_JAVA_FOUND=no]) + if test "x${NSS_SOFTOKN_FOUND}" = "xyes"; then + SUNEC_CFLAGS=$NSS_SOFTOKN_CFLAGS; + SUNEC_LIBS="$NSS_LIBS -lfreebl"; + elif test "x${NSS_JAVA_FOUND}" = "xyes"; then + SUNEC_CFLAGS="$NSS_JAVA_CFLAGS -DLEGACY_NSS"; + SUNEC_LIBS=$NSS_JAVA_LIBS; + else + AC_MSG_ERROR([Could not find a suitable NSS installation to use for the SunEC provider.]) + fi + AC_SUBST(SUNEC_CFLAGS) + AC_SUBST(SUNEC_LIBS) + fi +])
--- a/configure.ac Fri Jan 29 14:24:16 2016 +0000 +++ b/configure.ac Fri Jan 29 17:41:08 2016 +0000 @@ -58,6 +58,7 @@ IT_DISABLE_HOTSPOT_TESTS IT_DISABLE_LANGTOOLS_TESTS IT_DISABLE_JDK_TESTS +IT_ENABLE_SUNEC # Use xvfb-run if found to run gui tests (check-jdk). AC_CHECK_PROG(XVFB_RUN_CMD, xvfb-run, [xvfb-run -a -e xvfb-errors], []) @@ -79,7 +80,6 @@ AM_CONDITIONAL([ENABLE_DOCS], [test x$ENABLE_DOCS = xyes]) AC_MSG_RESULT(${ENABLE_DOCS}) -IT_LOCATE_NSS IT_GET_PKGVERSION IT_GET_LSB_DATA
--- a/fsg.sh.in Fri Jan 29 14:24:16 2016 +0000 +++ b/fsg.sh.in Fri Jan 29 17:41:08 2016 +0000 @@ -11,11 +11,7 @@ rm -rvf openjdk/jdk/test/com/sun/jmx/snmp echo "Removing EC source code we don't build" -rm -vf openjdk/jdk/src/share/classes/sun/security/ec/ECDHKeyAgreement.java -rm -vf openjdk/jdk/src/share/classes/sun/security/ec/ECDSASignature.java -rm -vf openjdk/jdk/src/share/classes/sun/security/ec/ECKeyPairGenerator.java -rm -rvf openjdk/jdk/src/share/native/sun/security/ec -rm -rvf openjdk/jdk/make/sun/security/ec +rm -rvf openjdk/jdk/src/share/native/sun/security/ec/impl echo "Syncing EC list with NSS" patch -Np0 < @abs_top_srcdir@/patches/pr2126.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/nss-config-with-sunec.patch Fri Jan 29 17:41:08 2016 +0000 @@ -0,0 +1,11 @@ +diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux +--- openjdk.orig/jdk/src/share/lib/security/java.security-linux 2015-10-27 19:19:15.000000000 +0000 ++++ openjdk/jdk/src/share/lib/security/java.security-linux 2016-01-29 15:41:59.434852299 +0000 +@@ -74,6 +74,7 @@ + security.provider.7=com.sun.security.sasl.Provider + security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI + security.provider.9=sun.security.smartcardio.SunPCSC ++security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg + + # + # Sun Provider SecureRandom seed source.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/nss-not-enabled-config-with-sunec.patch Fri Jan 29 17:41:08 2016 +0000 @@ -0,0 +1,13 @@ +--- openjdk.orig/jdk/src/share/lib/security/java.security-linux 2009-08-25 11:43:59.000000000 +0100 ++++ openjdk/jdk/src/share/lib/security/java.security-linux 2009-08-27 14:23:54.000000000 +0100 +@@ -51,6 +51,10 @@ + security.provider.7=com.sun.security.sasl.Provider + security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI + security.provider.9=sun.security.smartcardio.SunPCSC ++# the NSS security provider was not enabled for this build; it can be enabled ++# if NSS (libnss3) is available on the machine. The nss.cfg file may need ++# editing to reflect the location of the NSS installation. ++#security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg + + # + # Sun Provider SecureRandom seed source.
--- a/remove-intree-libraries.sh.in Fri Jan 29 14:24:16 2016 +0000 +++ b/remove-intree-libraries.sh.in Fri Jan 29 17:41:08 2016 +0000 @@ -114,3 +114,11 @@ rm -vf ${LCMS_SRC}/lcms2_plugin.h fi +if test "x@ENABLE_SUNEC@" = "xno"; then + rm -vf openjdk/jdk/src/share/classes/sun/security/ec/ECDHKeyAgreement.java + rm -vf openjdk/jdk/src/share/classes/sun/security/ec/ECDSASignature.java + rm -vf openjdk/jdk/src/share/classes/sun/security/ec/ECKeyPairGenerator.java + rm -vf openjdk/jdk/src/share/classes/sun/security/ec/SunEC.java + rm -vf openjdk/jdk/src/share/classes/sun/security/ec/SunECEntries.java + rm -rvf openjdk/jdk/src/share/native/sun/security/ec +fi
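Review bot: In INSTALL, the new paragraph under "The NSS PKCS11 Security Provider and Elliptic Curve Cryptography" states that NSS 3.16.1 or later is required, but IT_ENABLE_SUNEC in acinclude.m4 falls back to nss-java with -DLEGACY_NSS when nss-softokn >= 3.16.1 is not found. Either document the legacy fallback here or drop it from the macro, so that the stated requirement and the configure check agree. The new "--enable-sunec" bullet could also say that the option is off by default, as the help string does.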
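Review bot: In Makefile.am (hunk at -260,11), the nested "if ENABLE_NSS" / "if ENABLE_SUNEC" block now selects one of four java.security patches, and nothing in the file says why the -with-sunec variants exist; the only explanation is the ChangeLog entry tying them to the case where disable-intree-ec.patch is not applied. A short comment above the block would save the next reader a trip to the history. Naming the condition on the closing lines ("else !ENABLE_SUNEC", "endif ENABLE_NSS") would also make the three consecutive endif/else lines easier to pair up.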
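Review bot: In acinclude.m4, the nss-softokn branch of IT_ENABLE_SUNEC sets SUNEC_LIBS="$NSS_LIBS -lfreebl", which relies on IT_LOCATE_NSS having populated NSS_LIBS. The visible context of IT_LOCATE_NSS defaults ENABLE_NSS to 'no' and then tests "x${ENABLE_NSS}" = "xyes"; if NSS_LIBS is only set inside that branch, a build with --enable-sunec but without --enable-nss links with just -lfreebl. Please either take the libraries from the NSS_SOFTOKN_LIBS result of the PKG_CHECK_MODULES call made here, or run an unconditional pkg-config check for nss inside this macro. Separately, the arguments to AS_HELP_STRING and the test passed to AM_CONDITIONAL are not m4-quoted, unlike the --enable-nss code a few lines above.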
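Review bot: In fsg.sh.in, the single remaining deletion, "rm -rvf openjdk/jdk/src/share/native/sun/security/ec/impl", succeeds silently if that path does not exist, because of -f. The ChangeLog describes this directory as the legally dubious part, so a moved or renamed upstream path would leave it in the tree with no error. Consider failing the script if the directory is absent before the rm or still present after it. The echo text "Removing EC source code we don't build" could also be narrowed to say that only the in-tree implementation is removed at this level.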
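Review bot: In patches/nss-not-enabled-config-with-sunec.patch, the inner hunk header is "@@ -51,6 +51,10 @@" with 2009 timestamps, while patches/nss-config-with-sunec.patch, added in the same changeset against the same java.security-linux file, places the identical three context lines at line 74. The new patch therefore only applies with an offset. Since it is a new file, regenerating it against the current tree (as was done for its sibling) would let it apply cleanly and make a future context change show up as a failure rather than a silent misplacement.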
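Review bot: In remove-intree-libraries.sh.in, the new block tests "x@ENABLE_SUNEC@" = "xno", but nothing in this changeset substitutes ENABLE_SUNEC: IT_ENABLE_SUNEC sets the lowercase shell variable enable_sunec, declares the ENABLE_SUNEC automake conditional, and calls AC_SUBST only for SUNEC_CFLAGS and SUNEC_LIBS. Unless the substitution is provided elsewhere, @ENABLE_SUNEC@ is left as literal text, the test is never true, and the SunEC sources are never removed in a build without --enable-sunec. Please add ENABLE_SUNEC=$enable_sunec and AC_SUBST(ENABLE_SUNEC) to the macro, and consider testing for != "xyes" so that an empty or unexpected value errs on the side of deletion.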