/hg/icedtea6: Support the NSS-based crypto provider when --enabl...
andrew at icedtea.classpath.org
andrew at icedtea.classpath.org
Mon Sep 28 10:59:45 PDT 2009
changeset b387a64caa08 in /hg/icedtea6
details: http://icedtea.classpath.org/hg/icedtea6?cmd=changeset;node=b387a64caa08
author: Andrew John Hughes <ahughes at redhat.com>
date: Mon Sep 28 19:02:32 2009 +0100
Support the NSS-based crypto provider when --enable-nss is passed.
Reviewed-by: doko
2009-09-03 Andrew John Hughes <ahughes at redhat.com>
PR icedtea/356
* HACKING: Updated.
* Makefile.am: Add two new patches. Copy nss.cfg to
jre/lib/security if NSS is enabled.
* configure.ac:Check for NSS and set NSS_LIBDIR and ENABLE_NSS
if found.
* nss.cfg.in: Template for the nss configuration file.
* patches/icedtea-nss-6763530.patch: Fix for Sun bug 6763530
which is triggered by newer versions of NSS.
* patches/icedtea-nss-config.patch: Patch java.security with
the PCKS11 provider configuration.
diffstat:
7 files changed, 121 insertions(+), 2 deletions(-)
ChangeLog | 17 ++++++++++-
HACKING | 4 ++
Makefile.am | 13 ++++++++
configure.ac | 20 +++++++++++++
nss.cfg.in | 4 ++
patches/icedtea-nss-6763530.patch | 55 +++++++++++++++++++++++++++++++++++++
patches/icedtea-nss-config.patch | 10 ++++++
diffs (200 lines):
diff -r 2a3725ce72d4 -r b387a64caa08 ChangeLog
--- a/ChangeLog Fri Sep 25 05:35:49 2009 -0400
+++ b/ChangeLog Mon Sep 28 19:02:32 2009 +0100
@@ -1,3 +1,19 @@ 2009-09-25 Gary Benson <gbenson at redhat
+2009-09-03 Andrew John Hughes <ahughes at redhat.com>
+
+ PR icedtea/356
+ * HACKING: Updated.
+ * Makefile.am:
+ Add two new patches. Copy nss.cfg to jre/lib/security if
+ NSS is enabled.
+ * configure.ac:Check for NSS and set NSS_LIBDIR
+ and ENABLE_NSS if found.
+ * nss.cfg.in: Template for the nss configuration file.
+ * patches/icedtea-nss-6763530.patch:
+ Fix for Sun bug 6763530 which is triggered by newer
+ versions of NSS.
+ * patches/icedtea-nss-config.patch: Patch java.security
+ with the PCKS11 provider configuration.
+
2009-09-25 Gary Benson <gbenson at redhat.com>
* ports/hotspot/src/cpu/zero/vm/assembler_zero.hpp: Moved ffi.h to...
@@ -701,7 +717,6 @@ 2009-08-25 Deepak Bhole <dbhole at redhat
(getInstance): Same.
(initializeExtensions): Provide unique key to getInstance.
->>>>>>> other
2009-08-21 Xerxes RÃ¥nby <xerxes at zafena.se>
* ports/hotspot/src/share/vm/shark/sharkBuilder.cpp
diff -r 2a3725ce72d4 -r b387a64caa08 HACKING
--- a/HACKING Fri Sep 25 05:35:49 2009 -0400
+++ b/HACKING Mon Sep 28 19:02:32 2009 +0100
@@ -124,7 +124,9 @@ The following patches are only applied t
in Asia/Amman TimeZone. SimpleTimeZone checks too strict.
* icedtea-dnd-filelists.patch: Fix drag and drop behaviour when dragging a file list between JVMs (S5079469). Backported from OpenJDK.
* icedtea-signed-types-hot6.patch: Make use of unsigned/signed types explicit.
-* openjdk/6648816.patch: Backport of regression (NPE) fix in AccessControlContext
+* openjdk/6648816.patch: Backport of regression (NPE) fix in AccessControlContext (PR364/S6648816)
+* icedtea-nss-config.patch: Add the NSS PKCS11 security provider. (PR356)
+* icedtea-nss-6763530.patch: Fix PKCS11 provider when used with newer version of NSS (>=3.12.3) (PR356, S6763530).
The following patches are only applied to OpenJDK in IcedTea:
diff -r 2a3725ce72d4 -r b387a64caa08 Makefile.am
--- a/Makefile.am Fri Sep 25 05:35:49 2009 -0400
+++ b/Makefile.am Mon Sep 28 19:02:32 2009 +0100
@@ -711,6 +711,11 @@ ICEDTEA_PATCHES += patches/icedtea-syste
ICEDTEA_PATCHES += patches/icedtea-systemtap.patch
endif
+if ENABLE_NSS
+ICEDTEA_PATCHES += patches/icedtea-nss-config.patch \
+ patches/icedtea-nss-6763530.patch
+endif
+
ICEDTEA_PATCHES += \
patches/icedtea-demo-swingapplet.patch \
patches/icedtea-awt-window-size.patch \
@@ -1241,6 +1246,10 @@ if ENABLE_SYSTEMTAP
$(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot.stp; \
fi
endif
+if ENABLE_NSS
+ cp $(abs_top_builddir)/nss.cfg \
+ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security;
+endif
@echo "IcedTea is served:" $(BUILD_OUTPUT_DIR)
mkdir -p stamps
touch stamps/icedtea.stamp
@@ -1325,6 +1334,10 @@ if ENABLE_SYSTEMTAP
cp $(abs_top_builddir)/tapset/hotspot.stp \
$(BUILD_OUTPUT_DIR)/j2sdk-image/tapset/hotspot.stp; \
fi
+endif
+if ENABLE_NSS
+ cp $(abs_top_builddir)/nss.cfg \
+ $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib/security;
endif
@echo "IcedTea (debug build) is served:" \
$(BUILD_OUTPUT_DIR)-debug
diff -r 2a3725ce72d4 -r b387a64caa08 configure.ac
--- a/configure.ac Fri Sep 25 05:35:49 2009 -0400
+++ b/configure.ac Mon Sep 28 19:02:32 2009 +0100
@@ -156,6 +156,14 @@ AC_ARG_ENABLE([systemtap],
[ENABLE_SYSTEMTAP="${enableval}"], [ENABLE_SYSTEMTAP='no'])
AM_CONDITIONAL([ENABLE_SYSTEMTAP], [test x$ENABLE_SYSTEMTAP = xyes])
AC_MSG_RESULT(${ENABLE_SYSTEMTAP})
+
+AC_MSG_CHECKING([whether to include the NSS-based security provider])
+AC_ARG_ENABLE([nss],
+ [AS_HELP_STRING([--enable-nss],
+ [Enable inclusion of NSS security provider])],
+ [ENABLE_NSS="${enableval}"], [ENABLE_NSS='no'])
+AM_CONDITIONAL([ENABLE_NSS], [test x$ENABLE_NSS = xyes])
+AC_MSG_RESULT(${ENABLE_NSS})
AC_MSG_CHECKING(how many parallel build jobs to execute)
AC_ARG_WITH([parallel-jobs],
@@ -486,6 +494,18 @@ return EXIT_SUCCESS;
AC_SUBST(MOZILLA_VERSION_COLLAPSED, $xulrunner_cv_collapsed_version)
fi
+if test "x${ENABLE_NSS}" = "xyes"
+then
+ PKG_CHECK_MODULES(NSS, nss, [NSS_FOUND=yes], [NSS_FOUND=no])
+ if test "x${NSS_FOUND}" = xno
+ then
+ AC_MSG_ERROR([Could not find NSS. Either install it or configure using --disable-nss.])
+ fi
+ NSS_LIBDIR=`$PKG_CONFIG --variable=libdir nss`
+ AC_SUBST(NSS_LIBDIR)
+ AC_CONFIG_FILES([nss.cfg])
+fi
+
AC_MSG_CHECKING(for --with-additional-vms)
AC_ARG_WITH(additional-vms,
AC_HELP_STRING([--with-additional-vms=vm-list], [build additional virtual machines. Valid value is a comma separated string with the backend names `cacao', `zero' and `shark'.]),
diff -r 2a3725ce72d4 -r b387a64caa08 nss.cfg.in
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/nss.cfg.in Mon Sep 28 19:02:32 2009 +0100
@@ -0,0 +1,4 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
diff -r 2a3725ce72d4 -r b387a64caa08 patches/icedtea-nss-6763530.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/icedtea-nss-6763530.patch Mon Sep 28 19:02:32 2009 +0100
@@ -0,0 +1,55 @@
+diff -r 1f83d4e42eda src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Mon Aug 31 12:55:15 2009 +0900
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11ECKeyFactory.java Thu Sep 03 18:47:40 2009 +0100
+@@ -40,6 +40,8 @@
+ import sun.security.pkcs11.wrapper.*;
+ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
++import sun.security.util.DerValue;
++
+ /**
+ * EC KeyFactory implemenation.
+ *
+@@ -201,7 +203,14 @@
+
+ private PublicKey generatePublic(ECPoint point, ECParameterSpec params) throws PKCS11Exception {
+ byte[] encodedParams = ECParameters.encodeParameters(params);
+- byte[] encodedPoint = ECParameters.encodePoint(point, params.getCurve());
++ DerValue pkECPoint = new DerValue(DerValue.tag_OctetString,
++ ECParameters.encodePoint(point, params.getCurve()));
++ byte[] encodedPoint = null;
++ try {
++ encodedPoint = pkECPoint.toByteArray();
++ } catch (IOException e) {
++ throw new IllegalArgumentException("Could not DER encode point", e);
++ }
+ CK_ATTRIBUTE[] attributes = new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_PUBLIC_KEY),
+ new CK_ATTRIBUTE(CKA_KEY_TYPE, CKK_EC),
+diff -r 1f83d4e42eda src/share/classes/sun/security/pkcs11/P11Key.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Key.java Mon Aug 31 12:55:15 2009 +0900
++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Key.java Thu Sep 03 18:47:40 2009 +0100
+@@ -44,6 +44,8 @@
+ import sun.security.pkcs11.wrapper.*;
+ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+
++import sun.security.util.DerValue;
++
+ /**
+ * Key implementation classes.
+ *
+@@ -1014,10 +1016,13 @@
+ };
+ fetchAttributes(attributes);
+ try {
++ DerValue wECPoint = new DerValue(attributes[0].getByteArray());
++ if (wECPoint.getTag() != DerValue.tag_OctetString)
++ throw new IOException("Unexpected tag: " + wECPoint.getTag());
+ params = P11ECKeyFactory.decodeParameters
+ (attributes[1].getByteArray());
+ w = P11ECKeyFactory.decodePoint
+- (attributes[0].getByteArray(), params.getCurve());
++ (wECPoint.getDataBytes(), params.getCurve());
+ } catch (Exception e) {
+ throw new RuntimeException("Could not parse key values", e);
+ }
diff -r 2a3725ce72d4 -r b387a64caa08 patches/icedtea-nss-config.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/icedtea-nss-config.patch Mon Sep 28 19:02:32 2009 +0100
@@ -0,0 +1,10 @@
+--- openjdk.orig/jdk/src/share/lib/security/java.security 2009-08-25 11:43:59.000000000 +0100
++++ openjdk/jdk/src/share/lib/security/java.security 2009-08-27 14:23:54.000000000 +0100
+@@ -51,6 +51,7 @@
+ security.provider.6=com.sun.security.sasl.Provider
+ security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
+ security.provider.8=sun.security.smartcardio.SunPCSC
++security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
+ # Select the source of seed data for SecureRandom. By default an
More information about the distro-pkg-dev
mailing list