[security-dev 01137]: Re: 6840752: Provide out-of-the-box support for ECC algorithms

Max (Weijun) Wang Weijun.Wang at Sun.COM
Thu Aug 27 19:28:25 PDT 2009

On Aug 28, 2009, at 9:56 AM, Andrew John Hughes wrote:

> 2009/8/28 Max (Weijun) Wang <Weijun.Wang at sun.com>:
>> On Aug 27, 2009, at 9:52 PM, Andrew John Hughes wrote:
>>> The problem is more the fact that it's an additional copy rather  
>>> than
>>> using the system installation, which means it has to be patched for
>>> bugs and security fixes separately.  For IcedTea, I'll look at
>>> providing and using the option of using the system NSS and will also
>>> submit this for review here if there is interest in providing such  
>>> an
>>> option.
>> Since Java security is already provider based, I guess you can  
>> simply write
>> one provider named NSS and remove all other security.provider.<n>  
>> lines in
>> jre/lib/security/java.security.
>> Max
> Sounds like the JDK6 solution :)

No, this is the real Java solution. :)

> I think the simpler fix is to just provide an option for the calls to
> the native code to use the system library rather than the included
> copy (some of the new files appear to be verbatim copies of files from
> NSS AFAICS).  But I need to look at this in more detail.

This only redirects native calls to your centralized ones, but JRE  
includes a lot of pure Java providers. If they are still listed in the  
java.security file, your so called "Fedora Crypto Consolidation" is  
not 100% complete.


> Thanks,
> -- 
> Andrew :-)
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
> Support Free Java!
> Contribute to GNU Classpath and the OpenJDK
> http://www.gnu.org/software/classpath
> http://openjdk.java.net
> PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
> Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8

More information about the security-dev mailing list