# HG changeset patch # User Andrew John Hughes # Date 1269989835 -3600 # Node ID 6728bebba215722d0359a1e4022e85fa92a959a9 # Parent 566af2483fbb67f911d340403340a03a7ec6c0cb Backport NSS bug fix. 2009-09-03 Andrew John Hughes PR icedtea/356 * HACKING: Updated. * Makefile.am: Add two new patches. Copy nss.cfg to jre/lib/security if NSS is enabled. * configure.ac:Check for NSS and set NSS_LIBDIR and ENABLE_NSS if found. * nss.cfg.in: Template for the nss configuration file. * patches/icedtea-nss-6763530.patch: Fix for Sun bug 6763530 which is triggered by newer versions of NSS. * patches/icedtea-nss-config.patch: Patch java.security with the PCKS11 provider configuration. diff -r 566af2483fbb -r 6728bebba215 ChangeLog --- a/ChangeLog Tue Mar 30 23:56:02 2010 +0100 +++ b/ChangeLog Tue Mar 30 23:57:15 2010 +0100 @@ -1,3 +1,19 @@ +2009-09-03 Andrew John Hughes + + PR icedtea/356 + * HACKING: Updated. + * Makefile.am: + Add two new patches. Copy nss.cfg to jre/lib/security if + NSS is enabled. + * configure.ac:Check for NSS and set NSS_LIBDIR + and ENABLE_NSS if found. + * nss.cfg.in: Template for the nss configuration file. + * patches/icedtea-nss-6763530.patch: + Fix for Sun bug 6763530 which is triggered by newer + versions of NSS. + * patches/icedtea-nss-config.patch: Patch java.security + with the PCKS11 provider configuration. + 2009-03-30 Andrew John Hughes * .hgignore: diff -r 566af2483fbb -r 6728bebba215 HACKING --- a/HACKING Tue Mar 30 23:56:02 2010 +0100 +++ b/HACKING Tue Mar 30 23:57:15 2010 +0100 
@@ -124,7 +124,9 @@ since b22 was from "before hg". * icedtea-dnd-filelists.patch: Fix drag and drop behaviour when dragging a file list between JVMs (S5079469). Backported from OpenJDK. * icedtea-signed-types-hot6.patch: Make use of unsigned/signed types explicit. -* openjdk/6648816.patch: Backport of regression (NPE) fix in AccessControlContext +* openjdk/6648816.patch: Backport of regression (NPE) fix in AccessControlContext (PR364/S6648816) +* icedtea-nss-config.patch: Add the NSS PKCS11 security provider. (PR356) +* icedtea-nss-6763530.patch: Fix PKCS11 provider when used with newer version of NSS (>=3.12.3) (PR356, S6763530). The following patches are only applied to OpenJDK in IcedTea: diff -r 566af2483fbb -r 6728bebba215 Makefile.am --- a/Makefile.am Tue Mar 30 23:56:02 2010 +0100 +++ b/Makefile.am Tue Mar 30 23:57:15 2010 +0100 @@ -723,6 +723,11 @@ ICEDTEA_PATCHES += patches/hotspot/$(HSBUILD)/systemtap.patch endif +if ENABLE_NSS +ICEDTEA_PATCHES += patches/icedtea-nss-config.patch \ + patches/icedtea-nss-6763530.patch +endif + ICEDTEA_PATCHES += \ patches/icedtea-demo-swingapplet.patch \ patches/icedtea-awt-window-size.patch \ @@ -1283,6 +1288,10 @@ cp $(abs_top_builddir)/tapset/jstack.stp \ $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp endif +if ENABLE_NSS + cp $(abs_top_builddir)/nss.cfg \ + $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security; +endif @echo "IcedTea is served:" $(BUILD_OUTPUT_DIR) mkdir -p stamps touch stamps/icedtea.stamp @@ -1376,6 +1385,10 @@ cp $(abs_top_builddir)/tapset/jstack.stp \ $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp endif +if ENABLE_NSS + cp $(abs_top_builddir)/nss.cfg \ + $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security; +endif @echo "IcedTea (debug build) is served:" \ $(BUILD_OUTPUT_DIR)-debug mkdir -p stamps diff -r 566af2483fbb -r 6728bebba215 configure.ac --- a/configure.ac Tue Mar 30 23:56:02 2010 +0100 +++ b/configure.ac Tue Mar 30 23:57:15 2010 +0100 
@@ -157,6 +157,14 @@ AM_CONDITIONAL([ENABLE_SYSTEMTAP], [test x$ENABLE_SYSTEMTAP = xyes]) AC_MSG_RESULT(${ENABLE_SYSTEMTAP}) +AC_MSG_CHECKING([whether to include the NSS-based security provider]) +AC_ARG_ENABLE([nss], + [AS_HELP_STRING([--enable-nss], + [Enable inclusion of NSS security provider])], + [ENABLE_NSS="${enableval}"], [ENABLE_NSS='no']) +AM_CONDITIONAL([ENABLE_NSS], [test x$ENABLE_NSS = xyes]) +AC_MSG_RESULT(${ENABLE_NSS}) + AC_MSG_CHECKING(how many parallel build jobs to execute) AC_ARG_WITH([parallel-jobs], [AS_HELP_STRING([--with-parallel-jobs], @@ -525,6 +533,18 @@ AC_SUBST(MOZILLA_VERSION_COLLAPSED, $xulrunner_cv_collapsed_version) fi +if test "x${ENABLE_NSS}" = "xyes" +then + PKG_CHECK_MODULES(NSS, nss, [NSS_FOUND=yes], [NSS_FOUND=no]) + if test "x${NSS_FOUND}" = xno + then + AC_MSG_ERROR([Could not find NSS. Either install it or configure using --disable-nss.]) + fi + NSS_LIBDIR=`$PKG_CONFIG --variable=libdir nss` + AC_SUBST(NSS_LIBDIR) + AC_CONFIG_FILES([nss.cfg]) +fi + AC_MSG_CHECKING(for --with-additional-vms) AC_ARG_WITH(additional-vms, AC_HELP_STRING([--with-additional-vms=vm-list], [build additional virtual machines. Valid value is a comma separated string with the backend names `cacao', `zero' and `shark'.]), diff -r 566af2483fbb -r 6728bebba215 nss.cfg.in --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/nss.cfg.in Tue Mar 30 23:57:15 2010 +0100 @@ -0,0 +1,4 @@ +name = NSS +nssLibraryDirectory = @NSS_LIBDIR@ +nssDbMode = noDb +attributes = compatibility diff -r 566af2483fbb -r 6728bebba215 patches/icedtea-nss-6763530.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/icedtea-nss-6763530.patch Tue Mar 30 23:57:15 2010 +0100 
@@ -0,0 +1,55 @@ +diff -r 1f83d4e42eda src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java +--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Mon Aug 31 12:55:15 2009 +0900 ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Thu Sep 03 18:47:40 2009 +0100 +@@ -40,6 +40,8 @@ + import sun.security.pkcs11.wrapper.*; + import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + ++import sun.security.util.DerValue; ++ + /** + * EC KeyFactory implemenation. + * +@@ -201,7 +203,14 @@ + + private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception { + byte[] encodedParams = ECParameters.encodeParameters(params); +- byte[] encodedPoint = ECParameters.encodePoint(point, params.getCurve()); ++ DerValue pkECPoint = new DerValue(DerValue.tag_OctetString, ++ ECParameters.encodePoint(point, params.getCurve())); ++ byte[] encodedPoint = null; ++ try { ++ encodedPoint = pkECPoint.toByteArray(); ++ } catch (IOException e) { ++ throw new IllegalArgumentException("Could not DER encode point", e); ++ } + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC), +diff -r 1f83d4e42eda src/share/classes/sun/security/pkcs11/P11Key.java +--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Key.java Mon Aug 31 12:55:15 2009 +0900 ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Key.java Thu Sep 03 18:47:40 2009 +0100 +@@ -44,6 +44,8 @@ + import sun.security.pkcs11.wrapper.*; + import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + ++import sun.security.util.DerValue; ++ + /** + * Key implementation classes. 
+ * +@@ -1014,10 +1016,13 @@ + }; + fetchAttributes(attributes); + try { ++ DerValue wECPoint = new DerValue(attributes[0].getByteArray()); ++ if (wECPoint.getTag() != DerValue.tag_OctetString) ++ throw new IOException("Unexpected tag: " + wECPoint.getTag()); + params = P11ECKeyFactory.decodeParameters + (attributes[1].getByteArray()); + w = P11ECKeyFactory.decodePoint +- (attributes[0].getByteArray(), params.getCurve()); ++ (wECPoint.getDataBytes(), params.getCurve()); + } catch (Exception e) { + throw new RuntimeException("Could not parse key values", e); + } diff -r 566af2483fbb -r 6728bebba215 patches/icedtea-nss-config.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/icedtea-nss-config.patch Tue Mar 30 23:57:15 2010 +0100 @@ -0,0 +1,10 @@ +--- openjdk.orig/jdk/src/share/lib/security/java.security 2009-08-25 11:43:59.000000000 +0100 ++++ openjdk/jdk/src/share/lib/security/java.security 2009-08-27 14:23:54.000000000 +0100 +@@ -51,6 +51,7 @@ + security.provider.6=com.sun.security.sasl.Provider + security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI + security.provider.8=sun.security.smartcardio.SunPCSC ++security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg + + # + # Select the source of seed data for SecureRandom. By default an
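Review bot: the ChangeLog entry spells the provider "PCKS11" (last line of the added entry) where HACKING and the java.security line use PKCS11, and "configure.ac:Check" is missing the space after the colon. The HACKING hunk also adds "(PR364/S6648816)" to the existing openjdk/6648816.patch entry, which is unrelated to NSS and is only covered by "HACKING: Updated."; either mention it in the ChangeLog or split it into its own changeset.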
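Review bot: in Makefile.am, the debug-build hunk (@@ -1376) copies nss.cfg to $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security, the same destination as the release hunk, although the rule then announces the image at $(BUILD_OUTPUT_DIR)-debug. If the debug image lives under the -debug directory, its patched java.security will reference a ${java.home}/lib/security/nss.cfg that was never installed there, so the copy should target the -debug tree in that rule. The trailing ";" after the destination path is not needed in either copy.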
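Review bot: in configure.ac, --enable-nss defaults to off (`[ENABLE_NSS="${enableval}"], [ENABLE_NSS='no']`), but the AC_MSG_ERROR in the second hunk advises "configure using --disable-nss" and the ChangeLog says ENABLE_NSS is set "if found". The error is only reachable after an explicit --enable-nss, so the message should say to install NSS or drop --enable-nss, and the ChangeLog should describe the feature as opt-in. The first hunk's `test x$ENABLE_NSS = xyes` is unquoted while the second hunk uses `"x${ENABLE_NSS}" = "xyes"`; quoting both keeps them consistent.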
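Review bot: nss.cfg.in sets `nssDbMode = noDb` and `attributes = compatibility` with no comment explaining either choice. The file is installed into jre/lib/security where administrators will read it, so a short header comment would help: that nssLibraryDirectory is filled in from configure's NSS_LIBDIR, and that noDb means NSS is used purely as a cryptographic provider without a certificate or key database.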
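Review bot: in the generatePublic hunk of P11ECKeyFactory.java, the encoded point is now wrapped in a DER OCTET STRING unconditionally, while HACKING describes the fix as being for NSS >= 3.12.3. Nothing in the patch says what happens with an older NSS that expects the unwrapped encoding; either document that limitation next to the new code or make the PKG_CHECK_MODULES call in configure.ac require `nss >= 3.12.3`. The new `catch (IOException e)` also relies on java.io.IOException being imported already, since the hunk only adds the DerValue import; please confirm that it is.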
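Review bot: in the P11Key.java hunk at @@ -1014, the check `wECPoint.getTag() != DerValue.tag_OctetString` cannot distinguish a DER-wrapped point from an unwrapped one, because an uncompressed EC point also starts with the byte 0x04, which is the OCTET STRING tag. A token that returns the raw encoding would normally be rejected by DerValue's length parsing rather than by this check, and the caller only sees the generic "Could not parse key values". Consider validating the unwrapped length against the expected point size for the curve, or falling back to the raw bytes when DER parsing fails, and say in a comment which case each path covers. The single-statement `if` would also read better with braces.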
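Review bot: in icedtea-nss-config.patch, the provider is registered at the fixed slot `security.provider.9`, which assumes that provider 8 is the last entry in every java.security this patch is applied to. Any other patch that appends a provider will collide with it, so note the assumption in HACKING. It is also worth stating, in a comment on the added line, that the NSS provider is deliberately placed last so that it does not take precedence over the existing providers, if that is the intent.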