[security-dev 01137]: Re: 6840752: Provide out-of-the-box support for ECC algorithms
Max (Weijun) Wang
Weijun.Wang at Sun.COM
Fri Aug 28 02:28:25 UTC 2009
On Aug 28, 2009, at 9:56 AM, Andrew John Hughes wrote:
> 2009/8/28 Max (Weijun) Wang <Weijun.Wang at sun.com>:
>>
>> On Aug 27, 2009, at 9:52 PM, Andrew John Hughes wrote:
>>
>>> The problem is more the fact that it's an additional copy rather
>>> than
>>> using the system installation, which means it has to be patched for
>>> bugs and security fixes separately. For IcedTea, I'll look at
>>> providing and using the option of using the system NSS and will also
>>> submit this for review here if there is interest in providing such
>>> an
>>> option.
>>
>> Since Java security is already provider based, I guess you can
>> simply write
>> one provider named NSS and remove all other security.provider.<n>
>> lines in
>> jre/lib/security/java.security.
>>
>> Max
>>
>>
>
> Sounds like the JDK6 solution :)
No, this is the real Java solution. :)
>
> I think the simpler fix is to just provide an option for the calls to
> the native code to use the system library rather than the included
> copy (some of the new files appear to be verbatim copies of files from
> NSS AFAICS). But I need to look at this in more detail.
This only redirects native calls to your centralized ones, but JRE
includes a lot of pure Java providers. If they are still listed in the
java.security file, your so called "Fedora Crypto Consolidation" is
not 100% complete.
Thanks
Max
>
> Thanks,
> --
> Andrew :-)
>
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> Support Free Java!
> Contribute to GNU Classpath and the OpenJDK
> http://www.gnu.org/software/classpath
> http://openjdk.java.net
>
> PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
> Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
More information about the security-dev
mailing list