Mercurial > hg > release > icedtea6-1.6
changeset 1725:6728bebba215
Backport NSS bug fix.
2009-09-03 Andrew John Hughes <ahughes@redhat.com>
PR icedtea/356
* HACKING: Updated.
* Makefile.am:
Add two new patches. Copy nss.cfg to jre/lib/security if
NSS is enabled.
* configure.ac:Check for NSS and set NSS_LIBDIR
and ENABLE_NSS if found.
* nss.cfg.in: Template for the nss configuration file.
* patches/icedtea-nss-6763530.patch:
Fix for Sun bug 6763530 which is triggered by newer
versions of NSS.
* patches/icedtea-nss-config.patch: Patch java.security
with the PCKS11 provider configuration.
| author | Andrew John Hughes <ahughes@redhat.com> |
|---|---|
| date | Tue, 30 Mar 2010 23:57:15 +0100 |
| parents | 566af2483fbb |
| children | f9061e19dfb0 |
| files | ChangeLog HACKING Makefile.am configure.ac nss.cfg.in patches/icedtea-nss-6763530.patch patches/icedtea-nss-config.patch |
| diffstat | 7 files changed, 121 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/ChangeLog Tue Mar 30 23:56:02 2010 +0100 +++ b/ChangeLog Tue Mar 30 23:57:15 2010 +0100 @@ -1,3 +1,19 @@ +2009-09-03 Andrew John Hughes <ahughes@redhat.com> + + PR icedtea/356 + * HACKING: Updated. + * Makefile.am: + Add two new patches. Copy nss.cfg to jre/lib/security if + NSS is enabled. + * configure.ac:Check for NSS and set NSS_LIBDIR + and ENABLE_NSS if found. + * nss.cfg.in: Template for the nss configuration file. + * patches/icedtea-nss-6763530.patch: + Fix for Sun bug 6763530 which is triggered by newer + versions of NSS. + * patches/icedtea-nss-config.patch: Patch java.security + with the PCKS11 provider configuration. + 2009-03-30 Andrew John Hughes <ahughes@redhat.com> * .hgignore:
--- a/HACKING Tue Mar 30 23:56:02 2010 +0100 +++ b/HACKING Tue Mar 30 23:57:15 2010 +0100 @@ -124,7 +124,9 @@ since b22 was from "before hg". * icedtea-dnd-filelists.patch: Fix drag and drop behaviour when dragging a file list between JVMs (S5079469). Backported from OpenJDK. * icedtea-signed-types-hot6.patch: Make use of unsigned/signed types explicit. -* openjdk/6648816.patch: Backport of regression (NPE) fix in AccessControlContext +* openjdk/6648816.patch: Backport of regression (NPE) fix in AccessControlContext (PR364/S6648816) +* icedtea-nss-config.patch: Add the NSS PKCS11 security provider. (PR356) +* icedtea-nss-6763530.patch: Fix PKCS11 provider when used with newer version of NSS (>=3.12.3) (PR356, S6763530). The following patches are only applied to OpenJDK in IcedTea:
--- a/Makefile.am Tue Mar 30 23:56:02 2010 +0100 +++ b/Makefile.am Tue Mar 30 23:57:15 2010 +0100 @@ -723,6 +723,11 @@ ICEDTEA_PATCHES += patches/hotspot/$(HSBUILD)/systemtap.patch endif +if ENABLE_NSS +ICEDTEA_PATCHES += patches/icedtea-nss-config.patch \ + patches/icedtea-nss-6763530.patch +endif + ICEDTEA_PATCHES += \ patches/icedtea-demo-swingapplet.patch \ patches/icedtea-awt-window-size.patch \ @@ -1283,6 +1288,10 @@ cp $(abs_top_builddir)/tapset/jstack.stp \ $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp endif +if ENABLE_NSS + cp $(abs_top_builddir)/nss.cfg \ + $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security; +endif @echo "IcedTea is served:" $(BUILD_OUTPUT_DIR) mkdir -p stamps touch stamps/icedtea.stamp @@ -1376,6 +1385,10 @@ cp $(abs_top_builddir)/tapset/jstack.stp \ $(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/jstack.stp endif +if ENABLE_NSS + cp $(abs_top_builddir)/nss.cfg \ + $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security; +endif @echo "IcedTea (debug build) is served:" \ $(BUILD_OUTPUT_DIR)-debug mkdir -p stamps
--- a/configure.ac Tue Mar 30 23:56:02 2010 +0100 +++ b/configure.ac Tue Mar 30 23:57:15 2010 +0100 @@ -157,6 +157,14 @@ AM_CONDITIONAL([ENABLE_SYSTEMTAP], [test x$ENABLE_SYSTEMTAP = xyes]) AC_MSG_RESULT(${ENABLE_SYSTEMTAP}) +AC_MSG_CHECKING([whether to include the NSS-based security provider]) +AC_ARG_ENABLE([nss], + [AS_HELP_STRING([--enable-nss], + [Enable inclusion of NSS security provider])], + [ENABLE_NSS="${enableval}"], [ENABLE_NSS='no']) +AM_CONDITIONAL([ENABLE_NSS], [test x$ENABLE_NSS = xyes]) +AC_MSG_RESULT(${ENABLE_NSS}) + AC_MSG_CHECKING(how many parallel build jobs to execute) AC_ARG_WITH([parallel-jobs], [AS_HELP_STRING([--with-parallel-jobs], @@ -525,6 +533,18 @@ AC_SUBST(MOZILLA_VERSION_COLLAPSED, $xulrunner_cv_collapsed_version) fi +if test "x${ENABLE_NSS}" = "xyes" +then + PKG_CHECK_MODULES(NSS, nss, [NSS_FOUND=yes], [NSS_FOUND=no]) + if test "x${NSS_FOUND}" = xno + then + AC_MSG_ERROR([Could not find NSS. Either install it or configure using --disable-nss.]) + fi + NSS_LIBDIR=`$PKG_CONFIG --variable=libdir nss` + AC_SUBST(NSS_LIBDIR) + AC_CONFIG_FILES([nss.cfg]) +fi + AC_MSG_CHECKING(for --with-additional-vms) AC_ARG_WITH(additional-vms, AC_HELP_STRING([--with-additional-vms=vm-list], [build additional virtual machines. Valid value is a comma separated string with the backend names `cacao', `zero' and `shark'.]),
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/nss.cfg.in Tue Mar 30 23:57:15 2010 +0100 @@ -0,0 +1,4 @@ +name = NSS +nssLibraryDirectory = @NSS_LIBDIR@ +nssDbMode = noDb +attributes = compatibility
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/icedtea-nss-6763530.patch Tue Mar 30 23:57:15 2010 +0100 @@ -0,0 +1,55 @@ +diff -r 1f83d4e42eda src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java +--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Mon Aug 31 12:55:15 2009 +0900 ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Thu Sep 03 18:47:40 2009 +0100 +@@ -40,6 +40,8 @@ + import sun.security.pkcs11.wrapper.*; + import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + ++import sun.security.util.DerValue; ++ + /** + * EC KeyFactory implemenation. + * +@@ -201,7 +203,14 @@ + + private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception { + byte[] encodedParams = ECParameters.encodeParameters(params); +- byte[] encodedPoint = ECParameters.encodePoint(point, params.getCurve()); ++ DerValue pkECPoint = new DerValue(DerValue.tag_OctetString, ++ ECParameters.encodePoint(point, params.getCurve())); ++ byte[] encodedPoint = null; ++ try { ++ encodedPoint = pkECPoint.toByteArray(); ++ } catch (IOException e) { ++ throw new IllegalArgumentException("Could not DER encode point", e); ++ } + CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] { + new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY), + new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC), +diff -r 1f83d4e42eda src/share/classes/sun/security/pkcs11/P11Key.java +--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Key.java Mon Aug 31 12:55:15 2009 +0900 ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Key.java Thu Sep 03 18:47:40 2009 +0100 +@@ -44,6 +44,8 @@ + import sun.security.pkcs11.wrapper.*; + import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + ++import sun.security.util.DerValue; ++ + /** + * Key implementation classes. + * +@@ -1014,10 +1016,13 @@ + }; + fetchAttributes(attributes); + try { ++ DerValue wECPoint = new DerValue(attributes[0].getByteArray()); ++ if (wECPoint.getTag() != DerValue.tag_OctetString) ++ throw new IOException("Unexpected tag: " + wECPoint.getTag()); + params = P11ECKeyFactory.decodeParameters + (attributes[1].getByteArray()); + w = P11ECKeyFactory.decodePoint +- (attributes[0].getByteArray(), params.getCurve()); ++ (wECPoint.getDataBytes(), params.getCurve()); + } catch (Exception e) { + throw new RuntimeException("Could not parse key values", e); + }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/icedtea-nss-config.patch Tue Mar 30 23:57:15 2010 +0100 @@ -0,0 +1,10 @@ +--- openjdk.orig/jdk/src/share/lib/security/java.security 2009-08-25 11:43:59.000000000 +0100 ++++ openjdk/jdk/src/share/lib/security/java.security 2009-08-27 14:23:54.000000000 +0100 +@@ -51,6 +51,7 @@ + security.provider.6=com.sun.security.sasl.Provider + security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI + security.provider.8=sun.security.smartcardio.SunPCSC ++security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg + + # + # Select the source of seed data for SecureRandom. By default an