[Bug 3667] New: [IcedTea8] Use the internal copy of the SunEC library rather than statically linking against NSS

bugzilla-daemon at icedtea.classpath.org bugzilla-daemon at icedtea.classpath.org
Thu Dec 6 03:56:14 UTC 2018 

https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3667

            Bug ID: 3667
           Summary: [IcedTea8] Use the internal copy of the SunEC library
                    rather than statically linking against NSS
           Product: IcedTea
           Version: 3.x-hg
          Hardware: all
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: IcedTea
          Assignee: gnu.andrew at redhat.com
          Reporter: gnu.andrew at redhat.com
                CC: unassigned at icedtea.classpath.org

For a long time, we've been carrying a rather inelegant solution to
providing ECC support and I'd like us to move to something closer to what is
present upstream.

The current situation is that OpenJDK includes a copy of the SunEC C
library, which was also contributed to NSS at some point in the past:

https://icedtea.classpath.org/hg/icedtea8-forest/jdk/file/tip/src/share/native/sun/security/ec/impl

The main way this differs from the version in NSS is that they include
a lot more curves:

https://icedtea.classpath.org/hg/icedtea8-forest/jdk/file/tip/src/share/native/sun/security/ec/impl/ecl-curve.h

At present, we go to the length of deleting and not building any of the in-tree
copy of the SunEC code via fsg.sh, and instead patch the Oracle native provider
code to build against the system NSS library:

https://icedtea.classpath.org/hg/icedtea8-forest/jdk/file/tip/src/share/native/sun/security/ec/ECC_JNI.cpp

This is messy, because we have to link against some functions that are
only available statically. That means that our builds end up depending on the
specific version of NSS they were built against and can break if someone
upgrades NSS but not OpenJDK.

I propose to still remove the curves from both the Java code (as we do now) and
the restored in-tree SunEC code when ENABLE_NON_NSS_CURVES is not set, and drop
the collection of patches used to provide SunEC+NSS.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20181206/a41d1f95/attachment.html>

More information about the distro-pkg-dev mailing list