[PATCH FOR REVIEW]: Support PKCS11 cryptography via NSS

Matthias Klose doko at ubuntu.com
Mon Sep 28 05:40:04 PDT 2009


On 03.09.2009 21:50, Andrew John Hughes wrote:
> IcedTea6, as currently built, does not support elliptic curve
> cryptography (http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=356).
>   For this to be enabled, the provider must be added to
> jre/lib/security/java.security and configured to point to the system
> NSS.
>
> With the proprietary JDK, this is not something that can be done 'out
> of the box', but we can do this with IcedTea by detecting NSS using
> configure.  The attached patch does just that.  It also fixes an issue
> (6763530) that prevents newer versions of NSS from working.  When
> applied, NSS can be enabled just by passing --enable-nss to configure.
>
> The following then works:
>
> $ /home/andrew/build/icedtea6/bin/keytool -v -genkeypair -keyalg EC
> -keysize 256 -keystore ectest.jks
> Enter keystore password:
> Re-enter new password:
> etc.
>
> The configure check doesn't verify that NSS was built with EC support.
>   I couldn't find an easy way of doing this.  It is enabled during the
> build by defining NSS_ENABLE_ECC (-DNSS_ENABLE_ECC).  From
> mozilla/security/coreconf/config.mk:
>
> ifdef NSS_ENABLE_ECC
> DEFINES += -DNSS_ENABLE_ECC
> endif
>
> Thus the define is not available in the installed headers, so the only
> way to do a check would seem to be to write code to generate an EC key
> with NSS and check for failure.  The same check would later be
> invalidated if the system NSS changes after OpenJDK is built, and so
> OpenJDK would need to be rebuilt.
>
> If someone wants to write such a test, feel free but AFAICS it
> wouldn't gain anything.  OpenJDK will still build (linking is done at
> runtime) and if NSS doesn't have EC support, then OpenJDK won't which
> is no different from the current status quo.
>
> Does this look ok for commit?
>
> ChangeLog:
>
>          * HACKING: Updated.
>          * Makefile.am:
>          Add two new patches.  Copy nss.cfg to jre/lib/security if
>          NSS is enabled.
>          * configure.ac: Check for NSS and set NSS_LIBDIR
>          and ENABLE_NSS if found.
>          * nss.cfg.in: Template for the nss configuration file.
>          * patches/icedtea-nss-6763530.patch:
>          Fix for Sun bug 6763530 which is triggered by newer
>          versions of NSS.
>          * patches/icedtea-nss-config.patch: Patch java.security
>          with the PKCS11 provider configuration.
>

Tested the patch on the 1.6 branch, and checked that the certificate from the 
bug report can be imported into a keystore. Could you mention the bug number in 
the changelog as well?

   Matthias
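The runtime check discussed above (generate an EC key through the system NSS and see whether it fails) is easy to script against the same SunPKCS11 provider the patch wires into java.security. The following is an added example for this thread, not code from the patch or from IcedTea: it writes a minimal config in the nss.cfg format, loads the provider from it, and attempts a P-256 key generation. The library directory (/usr/lib, overridable with -Dnss.libdir) is an assumption; the provider is constructed reflectively so the source compiles without a sun.* import and works both with the JDK 6 constructor and with the later Provider.configure(String).

```java
import java.io.File;
import java.io.FileWriter;
import java.lang.reflect.Method;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

/**
 * Checks whether the system NSS, reached through SunPKCS11, can generate
 * EC keys.  Example code for the list discussion, not part of IcedTea.
 */
public class NssEcCheck {

    /** Assumed NSS location; override with -Dnss.libdir=/path/to/nss/libs */
    static final String NSS_LIBDIR = System.getProperty("nss.libdir", "/usr/lib");

    /** Minimal SunPKCS11 configuration in the same key=value format as nss.cfg. */
    static String nssConfig(String libdir) {
        return "name = NSS\n"
             + "nssLibraryDirectory = " + libdir + "\n"
             + "nssDbMode = noDb\n"            // no cert/key database needed for a keygen test
             + "attributes = compatibility\n";
    }

    /** Writes the config to a temp file and returns a configured SunPKCS11 provider. */
    static Provider loadNssProvider(String libdir) throws Exception {
        File cfg = File.createTempFile("nss", ".cfg");
        cfg.deleteOnExit();
        FileWriter w = new FileWriter(cfg);
        w.write(nssConfig(libdir));
        w.close();
        String path = cfg.getAbsolutePath();

        // JDK 9 and later: the provider is preinstalled and configured by path.
        try {
            Method configure = Provider.class.getMethod("configure", String.class);
            Provider p = Security.getProvider("SunPKCS11");
            if (p != null) {
                return (Provider) configure.invoke(p, path);
            }
        } catch (NoSuchMethodException e) {
            // JDK 6/7/8 (the IcedTea6 case): fall through to the constructor.
        }
        Class<?> c = Class.forName("sun.security.pkcs11.SunPKCS11");
        return (Provider) c.getConstructor(String.class).newInstance(path);
    }

    /**
     * Tries a P-256 key generation with the given provider.  Returns null on
     * success, otherwise the failure.  An NSS built without NSS_ENABLE_ECC
     * typically surfaces as NoSuchAlgorithmException (no "EC" KeyPairGenerator
     * is registered) or as a ProviderException from the token.
     */
    static String ecKeyGenError(Provider p) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", p);
            kpg.initialize(new ECGenParameterSpec("secp256r1"));
            KeyPair kp = kpg.generateKeyPair();
            if (kp.getPublic() == null) {
                return "generateKeyPair returned no public key";
            }
            return null;
        } catch (Exception e) {
            return e.toString();
        }
    }

    public static void main(String[] args) {
        Provider p;
        try {
            p = loadNssProvider(NSS_LIBDIR);
        } catch (Exception e) {
            // Usually a ProviderException: wrong nssLibraryDirectory or no NSS at all.
            System.out.println("SunPKCS11/NSS could not be initialised: " + e);
            System.exit(2);
            return;
        }
        String err = ecKeyGenError(p);
        if (err == null) {
            System.out.println("EC key generation works via " + p.getName());
        } else {
            System.out.println("EC NOT available via " + p.getName() + ": " + err);
            System.exit(1);
        }
    }
}
```

Run it as `java -Dnss.libdir=/usr/lib NssEcCheck` against the built JDK; exit status 1 means NSS loaded but has no usable EC, which is exactly the case the configure check cannot detect. Without compiling anything, the same probe can be made with the shipped keytool by pointing it at the same config: `keytool -genkeypair -keyalg EC -keysize 256 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg nss.cfg`. Note that because the NSS libraries are dlopen'ed when the provider is instantiated, the result reflects the NSS installed at run time, which is why the check belongs at run time rather than in configure.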
