[PATCH FOR REVIEW]: Support PKCS11 cryptography via NSS
Andrew John Hughes
gnu_andrew at member.fsf.org
Thu Sep 3 12:50:35 PDT 2009
IcedTea6, as currently built, does not support elliptic curve
cryptography (http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=356).
For this to be enabled, the provider must be added to
jre/lib/security/java.security and configured to point to the system
NSS.
With the proprietary JDK, this is not something that can be done 'out
of the box', but we can do this with IcedTea by detecting NSS using
configure. The attached patch does just that. It also fixes an issue
(6763530) that prevents newer versions of NSS from working. When
applied, NSS can be enabled just by passing --enable-nss to configure.
The following then works:
$ /home/andrew/build/icedtea6/bin/keytool -v -genkeypair -keyalg EC
-keysize 256 -keystore ectest.jks
Enter keystore password:
Re-enter new password:
etc.
The configure check doesn't verify that NSS was built with EC support.
I couldn't find an easy way of doing this. It is enabled during the
build by defining NSS_ENABLE_ECC (-DNSS_ENABLE_ECC). From
mozilla/security/coreconf/config.mk:
ifdef NSS_ENABLE_ECC
DEFINES += -DNSS_ENABLE_ECC
endif
Thus the define is not available in the installed headers, so the only
way to do a check would seem to be to write code to generate an EC key
with NSS and check for failure. The same check would later be
invalidated if the system NSS changes after OpenJDK is built, and so
OpenJDK would need to be rebuilt.
If someone wants to write such a test, feel free but AFAICS it
wouldn't gain anything. OpenJDK will still build (linking is done at
runtime) and if NSS doesn't have EC support, then OpenJDK won't which
is no different from the current status quo.
Does this look ok for commit?
ChangeLog:
* HACKING: Updated.
* Makefile.am:
Add two new patches. Copy nss.cfg to jre/lib/security if
NSS is enabled.
* configure.ac: Check for NSS and set NSS_LIBDIR
and ENABLE_NSS if found.
* nss.cfg.in: Template for the nss configuration file.
* patches/icedtea-nss-6763530.patch:
Fix for Sun bug 6763530 which is triggered by newer
versions of NSS.
* patches/icedtea-nss-config.patch: Patch java.security
with the PKCS11 provider configuration.
--
Andrew :-)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
diff -r 91ea4bb21412 HACKING
--- a/HACKING Tue Sep 01 17:05:17 2009 +0100
+++ b/HACKING Thu Sep 03 20:40:26 2009 +0100
@@ -124,7 +124,9 @@
in Asia/Amman TimeZone. SimpleTimeZone checks too strict.
* icedtea-dnd-filelists.patch: Fix drag and drop behaviour when dragging a file list between JVMs (S5079469). Backported from OpenJDK.
* icedtea-signed-types-hot6.patch: Make use of unsigned/signed types explicit.
-* openjdk/6648816.patch: Backport of regression (NPE) fix in AccessControlContext
+* openjdk/6648816.patch: Backport of regression (NPE) fix in AccessControlContext (PR364/S6648816)
+* icedtea-nss-config.patch: Add the NSS PKCS11 security provider. (PR356)
+* icedtea-nss-6763530.patch: Fix PKCS11 provider when used with newer version of NSS (>=3.12.3) (PR356, S6763530).
The following patches are only applied to OpenJDK in IcedTea:
diff -r 91ea4bb21412 Makefile.am
--- a/Makefile.am Tue Sep 01 17:05:17 2009 +0100
+++ b/Makefile.am Thu Sep 03 20:40:26 2009 +0100
@@ -685,6 +685,11 @@
ICEDTEA_PATCHES += patches/icedtea-systemtap.patch
endif
+if ENABLE_NSS
+ICEDTEA_PATCHES += patches/icedtea-nss-config.patch \
+ patches/icedtea-nss-6763530.patch
+endif
+
ICEDTEA_PATCHES += \
patches/icedtea-demo-swingapplet.patch \
patches/icedtea-awt-window-size.patch \
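Review bot: icedtea-nss-6763530.patch is only applied under ENABLE_NSS, but it fixes sun.security.pkcs11 code that any user can point at a newer NSS by hand through java.security, without --enable-nss. Consider appending that patch to ICEDTEA_PATCHES unconditionally and keeping only icedtea-nss-config.patch inside the conditional.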
@@ -1218,6 +1223,10 @@
$(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot.stp; \
fi
endif
+if ENABLE_NSS
+ cp $(abs_top_builddir)/nss.cfg \
+ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security;
+endif
@echo "IcedTea is served:" $(BUILD_OUTPUT_DIR)
mkdir -p stamps
touch stamps/icedtea.stamp
@@ -1303,6 +1312,10 @@
$(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot.stp; \
fi
endif
+if ENABLE_NSS
+ cp $(abs_top_builddir)/nss.cfg \
+ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security;
+endif
@echo "IcedTea (debug build) is served:" \
$(BUILD_OUTPUT_DIR)-debug
mkdir -p stamps
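Review bot: the cp of nss.cfg here is a verbatim copy of the block added to the non-debug image target above; a single variable (for example NSS_CFG_INSTALL) or a small helper target would keep the two in step when the destination path changes. The trailing ";" on the cp line is harmless but unnecessary since the command is not continued.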
diff -r 91ea4bb21412 configure.ac
--- a/configure.ac Tue Sep 01 17:05:17 2009 +0100
+++ b/configure.ac Thu Sep 03 20:40:26 2009 +0100
@@ -157,6 +157,14 @@
AM_CONDITIONAL([ENABLE_SYSTEMTAP], [test x$ENABLE_SYSTEMTAP = xyes])
AC_MSG_RESULT(${ENABLE_SYSTEMTAP})
+AC_MSG_CHECKING([whether to include elliptic curve cryptography support via NSS])
+AC_ARG_ENABLE([nss],
+ [AS_HELP_STRING([--enable-nss],
+ [Enable inclusion of NSS security provider])],
+ [ENABLE_NSS="${enableval}"], [ENABLE_NSS='no'])
+AM_CONDITIONAL([ENABLE_NSS], [test x$ENABLE_NSS = xyes])
+AC_MSG_RESULT(${ENABLE_NSS})
+
AC_MSG_CHECKING(how many parallel build jobs to execute)
AC_ARG_WITH([parallel-jobs],
[AS_HELP_STRING([--with-parallel-jobs],
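Review bot: the AC_MSG_CHECKING text says "elliptic curve cryptography support via NSS" while the help string says "inclusion of NSS security provider"; the option actually enables the whole SunPKCS11/NSS provider (every NSS mechanism becomes available at provider position 9), and EC is one consequence. Suggest making both messages say the same thing, e.g. "whether to enable the NSS PKCS11 security provider".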
@@ -486,6 +494,18 @@
AC_SUBST(MOZILLA_VERSION_COLLAPSED, $xulrunner_cv_collapsed_version)
fi
+if test "x${ENABLE_NSS}" = "xyes"
+then
+ PKG_CHECK_MODULES(NSS, nss, [NSS_FOUND=yes], [NSS_FOUND=no])
+ if test "x${NSS_FOUND}" = xno
+ then
+ AC_MSG_ERROR([Could not find NSS. Either install it or configure using --disable-nss.])
+ fi
+ NSS_LIBDIR=`$PKG_CONFIG --variable=libdir nss`
+ AC_SUBST(NSS_LIBDIR)
+ AC_CONFIG_FILES([nss.cfg])
+fi
+
AC_MSG_CHECKING(for --with-additional-vms)
AC_ARG_WITH(additional-vms,
AC_HELP_STRING([--with-additional-vms=vm-list], [build additional virtual machines. Valid value is a comma separated string with the backend names `cacao', `zero' and `shark'.]),
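Review bot: PKG_CHECK_MODULES(NSS, nss, ...) accepts any NSS version, but the bundled 6763530 fix makes P11Key reject a CKA_EC_POINT that is not an OCTET STRING, which HACKING ties to NSS >= 3.12.3. Either require that floor here, e.g. "PKG_CHECK_MODULES(NSS, [nss >= 3.12.3], ...)", or document that --enable-nss against an older NSS will break EC keys rather than silently work.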
diff -r 91ea4bb21412 nss.cfg.in
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/nss.cfg.in Thu Sep 03 20:40:26 2009 +0100
@@ -0,0 +1,4 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
diff -r 91ea4bb21412 patches/icedtea-nss-6763530.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/icedtea-nss-6763530.patch Thu Sep 03 20:40:26 2009 +0100
@@ -0,0 +1,55 @@
+diff -r 1f83d4e42eda src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Mon Aug 31 12:55:15 2009 +0900
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Thu Sep 03 18:47:40 2009 +0100
+@@ -40,6 +40,8 @@
+ import sun.security.pkcs11.wrapper.*;
+ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
++import sun.security.util.DerValue;
++
+ /**
+ * EC KeyFactory implemenation.
+ *
+@@ -201,7 +203,14 @@
+
+ private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception {
+ byte[] encodedParams = ECParameters.encodeParameters(params);
+- byte[] encodedPoint = ECParameters.encodePoint(point, params.getCurve());
++ DerValue pkECPoint = new DerValue(DerValue.tag_OctetString,
++ ECParameters.encodePoint(point, params.getCurve()));
++ byte[] encodedPoint = null;
++ try {
++ encodedPoint = pkECPoint.toByteArray();
++ } catch (IOException e) {
++ throw new IllegalArgumentException("Could not DER encode point", e);
++ }
+ CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY),
+ new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC),
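Review bot: the new catch block in generatePublic references IOException, but this hunk only adds the DerValue import; please confirm java.io.IOException is already imported in P11ECKeyFactory.java or add it alongside DerValue. The "byte[] encodedPoint = null;" pre-assignment can also go if encodedPoint is declared final inside the try, since every path out of the catch throws.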
+diff -r 1f83d4e42eda src/share/classes/sun/security/pkcs11/P11Key.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Key.java Mon Aug 31 12:55:15 2009 +0900
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Key.java Thu Sep 03 18:47:40 2009 +0100
+@@ -44,6 +44,8 @@
+ import sun.security.pkcs11.wrapper.*;
+ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
++import sun.security.util.DerValue;
++
+ /**
+ * Key implementation classes.
+ *
+@@ -1014,10 +1016,13 @@
+ };
+ fetchAttributes(attributes);
+ try {
++ DerValue wECPoint = new DerValue(attributes[0].getByteArray());
++ if (wECPoint.getTag() != DerValue.tag_OctetString)
++ throw new IOException("Unexpected tag: " + wECPoint.getTag());
+ params = P11ECKeyFactory.decodeParameters
+ (attributes[1].getByteArray());
+ w = P11ECKeyFactory.decodePoint
+- (attributes[0].getByteArray(), params.getCurve());
++ (wECPoint.getDataBytes(), params.getCurve());
+ } catch (Exception e) {
+ throw new RuntimeException("Could not parse key values", e);
+ }
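Review bot: the tag check throws whenever the point is not wrapped in an OCTET STRING, so a token that still returns the raw encoded point (the pre-3.12.3 NSS behaviour this fix exists for, and potentially other PKCS11 modules used with this provider code) now fails with "Could not parse key values". Unless configure enforces the NSS version floor, consider falling back to attributes[0].getByteArray() when wECPoint.getTag() != DerValue.tag_OctetString instead of throwing.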
diff -r 91ea4bb21412 patches/icedtea-nss-config.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/icedtea-nss-config.patch Thu Sep 03 20:40:26 2009 +0100
@@ -0,0 +1,10 @@
+--- openjdk.orig/jdk/src/share/lib/security/java.security 2009-08-25 11:43:59.000000000 +0100
++++ openjdk/jdk/src/share/lib/security/java.security 2009-08-27 14:23:54.000000000 +0100
+@@ -51,6 +51,7 @@
+ security.provider.6=com.sun.security.sasl.Provider
+ security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+ security.provider.8=sun.security.smartcardio.SunPCSC
++security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
+ # Select the source of seed data for SecureRandom. By default an
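Review bot: appending the provider as security.provider.9 keeps every existing provider ahead of NSS, so RSA, AES and friends are unaffected and NSS only serves what no earlier provider offers; that ordering is worth stating in HACKING. Since the library is linked at runtime, as the cover letter notes, please also confirm what the JRE does when ${java.home}/lib/security/nss.cfg is present but libnss cannot be loaded (package removed or libdir changed), and document the observed behaviour, since this entry is now active for every application on an --enable-nss build.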
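The cover letter describes the only real EC check as "generate an EC key with NSS and check for failure". The following is an added example of exactly that probe, not part of Andrew's patch: it loads SunPKCS11 with the same four settings as nss.cfg.in and exits non-zero if EC key generation fails. The class name NssEcProbe, the provider name NSSProbe and the default libdir are assumptions; the SunPKCS11(InputStream) constructor is the JDK 6 era internal API the java.security entry refers to.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import sun.security.pkcs11.SunPKCS11;

/** Probe whether the system NSS, loaded through SunPKCS11, can generate EC keys. */
public class NssEcProbe {

    /** Same settings as the patch's nss.cfg.in, with NSS_LIBDIR filled in (name is hypothetical). */
    static String nssConfig(String nssLibDir) {
        return "name = NSSProbe\n"
             + "nssLibraryDirectory = " + nssLibDir + "\n"
             + "nssDbMode = noDb\n"
             + "attributes = compatibility\n";
    }

    /** Returns a description of the generated key, or null if EC is unavailable in this NSS. */
    static String probeEc(Provider nss) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", nss);
            kpg.initialize(new ECGenParameterSpec("secp256r1"));
            KeyPair kp = kpg.generateKeyPair();
            ECPublicKey pub = (ECPublicKey) kp.getPublic();
            // Field size (bits) of the curve the token actually used.
            int bits = pub.getParams().getCurve().getField().getFieldSize();
            return "EC key generated via " + nss.getName() + ", field size " + bits;
        } catch (Exception e) {
            // NoSuchAlgorithmException if NSS advertises no EC mechanism (built without
            // NSS_ENABLE_ECC), or ProviderException wrapping the PKCS11 error if keygen fails.
            System.err.println("EC via NSS unavailable: " + e);
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Pass the value configure put into NSS_LIBDIR; the default is only a placeholder.
        String libDir = args.length > 0 ? args[0] : "/usr/lib";
        // Throws ProviderException if libnss itself cannot be loaded from libDir.
        Provider nss = new SunPKCS11(new ByteArrayInputStream(nssConfig(libDir).getBytes("UTF-8")));
        Security.addProvider(nss);
        String result = probeEc(nss);
        System.out.println(result == null ? "no EC support" : result);
        System.exit(result == null ? 1 : 0);
    }
}
```

As the cover letter points out, a pass only describes the NSS present when the probe ran; a later system NSS upgrade or downgrade is not caught without re-running it.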