PING 3: [PATCH FOR REVIEW]: Support PKCS11 cryptography via NSS

Andrew John Hughes gnu_andrew at member.fsf.org
Mon Sep 21 04:56:05 PDT 2009


2009/9/10 Andrew John Hughes <gnu_andrew at member.fsf.org>:
> 2009/9/8 Andrew John Hughes <gnu_andrew at member.fsf.org>:
>> 2009/9/3 Andrew John Hughes <gnu_andrew at member.fsf.org>:
>>> IcedTea6, as currently built, does not support elliptic curve
>>> cryptography (http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=356).
>>>  For this to be enabled, the provider must be added to
>>> jre/lib/security/java.security and configured to point to the system
>>> NSS.
>>>
>>> With the proprietary JDK, this is not something that can be done 'out
>>> of the box', but we can do this with IcedTea by detecting NSS using
>>> configure.  The attached patch does just that.  It also fixes an issue
>>> (6763530) that prevents newer versions of NSS from working.  When
>>> applied, NSS can be enabled just by passing --enable-nss to configure.
>>>
>>> The following then works:
>>>
>>> $ /home/andrew/build/icedtea6/bin/keytool -v -genkeypair -keyalg EC -keysize 256 -keystore ectest.jks
>>> Enter keystore password:
>>> Re-enter new password:
>>> etc.
>>>
>>> The configure check doesn't verify that NSS was built with EC support.
>>> I couldn't find an easy way of doing this.  It is enabled during the
>>> build by defining NSS_ENABLE_ECC (-DNSS_ENABLE_ECC).  From
>>> mozilla/security/coreconf/config.mk:
>>>
>>> ifdef NSS_ENABLE_ECC
>>> DEFINES += -DNSS_ENABLE_ECC
>>> endif
>>>
>>> Thus the define is not available in the installed headers, so the only
>>> way to do a check would seem to be to write code to generate an EC key
>>> with NSS and check for failure.  The same check would later be
>>> invalidated if the system NSS changes after OpenJDK is built, and so
>>> OpenJDK would need to be rebuilt.
>>>
>>> If someone wants to write such a test, feel free, but AFAICS it
>>> wouldn't gain anything.  OpenJDK will still build (linking is done at
>>> runtime) and if NSS doesn't have EC support, then OpenJDK won't, which
>>> is no different from the current status quo.
>>>
>>> Does this look ok for commit?
>>>
>>> ChangeLog:
>>>
>>>        * HACKING: Updated.
>>>        * Makefile.am:
>>>        Add two new patches.  Copy nss.cfg to jre/lib/security if
>>>        NSS is enabled.
>>>        * configure.ac: Check for NSS and set NSS_LIBDIR
>>>        and ENABLE_NSS if found.
>>>        * nss.cfg.in: Template for the nss configuration file.
>>>        * patches/icedtea-nss-6763530.patch:
>>>        Fix for Sun bug 6763530 which is triggered by newer
>>>        versions of NSS.
>>>        * patches/icedtea-nss-config.patch: Patch java.security
>>>        with the PKCS11 provider configuration.
>>>
>>> --
>>> Andrew :-)
>>>
>>> Free Java Software Engineer
>>> Red Hat, Inc. (http://www.redhat.com)
>>>
>>> Support Free Java!
>>> Contribute to GNU Classpath and the OpenJDK
>>> http://www.gnu.org/software/classpath
>>> http://openjdk.java.net
>>>
>>> PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
>>> Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
>>>
>>
>> Ping?
>>
>> I know it was a long weekend for some, but the Sun engineers have even
>> responded to a patch I posted to hotspot-dev in the same time frame as
>> this one...
>>
>
>
> Ping! Ping! Ping!
>

Ping?
-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8
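
Added example, not part of the original message or of the IcedTea patch: since the quoted mail notes that a configure-time EC check would go stale when the system NSS changes, this probe runs the check at runtime against whatever providers java.security currently lists. The class name EcProbe and the choice of SHA256withECDSA for the round trip are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.ProviderException;
import java.security.Security;
import java.security.Signature;

// Hypothetical class name; not part of IcedTea or the patch.
public class EcProbe {
    // Returns a one-line report, or throws if EC is not usable in this runtime.
    static String probe(int keySize) throws GeneralSecurityException {
        // Step 1: does any provider listed in java.security advertise EC key generation?
        if (Security.getProviders("KeyPairGenerator.EC") == null) {
            throw new NoSuchAlgorithmException("no provider advertises KeyPairGenerator.EC");
        }
        try {
            // Step 2: generate a key pair, as keytool -genkeypair -keyalg EC does.
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(keySize);
            KeyPair kp = kpg.generateKeyPair();
            // Step 3: sign and verify, so a half-working provider is caught too.
            byte[] msg = "ec-probe".getBytes(StandardCharsets.UTF_8); // constructed sample input
            Signature signer = Signature.getInstance("SHA256withECDSA");
            signer.initSign(kp.getPrivate());
            signer.update(msg);
            byte[] sig = signer.sign();
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(kp.getPublic());
            verifier.update(msg);
            if (!verifier.verify(sig)) {
                throw new GeneralSecurityException("ECDSA round trip failed");
            }
            return "EC " + keySize + " OK via " + kpg.getProvider().getName();
        } catch (ProviderException e) {
            // Unchecked exception a provider raises when the underlying library fails.
            throw new GeneralSecurityException("EC advertised but not usable", e);
        }
    }
    public static void main(String[] args) {
        try {
            System.out.println(probe(256));
        } catch (GeneralSecurityException e) {
            System.err.println("EC unavailable: " + e);
            System.exit(1);
        }
    }
}
```

Run it with the java binary from the same build as the keytool above; a non-zero exit status means the runtime has no usable EC support.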


