Bug 1565658

Summary:	java-openjdk (JDK 10) does not support EC ciphers via system NSS
Product:	[Fedora] Fedora	Reporter:	Severin Gehwolf <sgehwolf>
Component:	java-openjdk	Assignee:	Severin Gehwolf <sgehwolf>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	rawhide	CC:	jerboaa, jvanek, mbalao
Target Milestone:	---
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	java-openjdk-10.0.1.10-1.fc27, java-openjdk-10.0.1.10-1.fc28, java-openjdk-10.0.1.10-1.fc29	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2018-04-30 08:27:56 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Severin Gehwolf 2018-04-10 13:45:43 UTC

Description of problem:
This is a JDK 10 clone of bug 1537049. On JDK 8 (java-1.8.0-openjdk) one can use system NSS via a patched SunEC provider. This is currently not possible on JDK 10 (java-openjdk). It's a regression in terms of functionality.

Version-Release number of selected component (if applicable):
java-openjdk-10.0.0.46-10.fc27.x86_64

How reproducible:
100%

Steps to Reproduce:
1. $ wget https://src.fedoraproject.org/rpms/java-9-openjdk/raw/master/f/TestECDSA.java
2. $ javac TestECDSA.java
3. $ /usr/lib/jvm/java-10-openjdk/bin/java TestECDSA

Actual results:
Exception in thread "main" java.security.NoSuchAlgorithmException: EC KeyPairGenerator not available
	at java.base/java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:236)
	at TestECDSA.main(TestECDSA.java:29)

Expected results:
Signature: 3045022100ec68089396b64d8797638f1e5e16092573309a97f66df1041460242595335a3e022065d6a34d1fd312f3295c6be73466f86820da3f5b88c4a43d6abb13005f7e2661
Test passed.

Additional info:
This works with latest java-1.8.0-openjdk, and fails with latest java-openjdk.

$ rpm -ql java-1.8.0-openjdk-headless | grep libsunec
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.fc27.x86_64/jre/lib/amd64/libsunec.so
$ ldd /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.fc27.x86_64/jre/lib/amd64/libsunec.so
	linux-vdso.so.1 (0x00007ffe6175b000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f529bc70000)
	libssl3.so => /lib64/libssl3.so (0x00007f529ba23000)
	libsmime3.so => /lib64/libsmime3.so (0x00007f529b7fc000)
	libnss3.so => /lib64/libnss3.so (0x00007f529b4d4000)
	libnssutil3.so => /lib64/libnssutil3.so (0x00007f529b2a4000)
	libplds4.so => /lib64/libplds4.so (0x00007f529b0a0000)
	libplc4.so => /lib64/libplc4.so (0x00007f529ae9b000)
	libnspr4.so => /lib64/libnspr4.so (0x00007f529ac5d000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f529aa3e000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f529a83a000)
	libm.so.6 => /lib64/libm.so.6 (0x00007f529a4e5000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f529a102000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f5299eeb000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f529c203000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f5299cd4000)
	librt.so.1 => /lib64/librt.so.1 (0x00007f5299acc000)

$ rpm -ql java-openjdk-headless | grep libsunec
<nothing>

Comment 1 Severin Gehwolf 2018-04-10 15:11:25 UTC

The port was fairly straight-forward. Only some files needed changing since they included source repository paths. Namely jdk-options.m4 and Lib-jdk.crypto.ec.gmk.

PR which enables system NSS:
https://src.fedoraproject.org/rpms/java-openjdk/pull-request/1

Scratch build with this is running:
https://koji.fedoraproject.org/koji/taskinfo?taskID=26291651

Martin it would be appreciated if you could look this over. Thanks!

Comment 2 Severin Gehwolf 2018-04-11 08:58:16 UTC

(In reply to Severin Gehwolf from comment #1)
> Scratch build with this is running:
> https://koji.fedoraproject.org/koji/taskinfo?taskID=26291651

For the record, this passed.

Comment 3 Severin Gehwolf 2018-04-11 15:59:49 UTC

JDK 10 for F27 from:
https://koji.fedoraproject.org/koji/taskinfo?taskID=26303153

$ rpm -q java-openjdk
java-openjdk-10.0.0.46-12.fc27.x86_64

$ rpm -ql java-openjdk-headless | grep libsunec
/usr/lib/jvm/java-10-openjdk-10.0.0.46-12.fc27.x86_64/lib/libsunec.so
$ ldd /usr/lib/jvm/java-10-openjdk-10.0.0.46-12.fc27.x86_64/lib/libsunec.so
	linux-vdso.so.1 (0x00007ffd7157c000)
	libssl3.so => /lib64/libssl3.so (0x00007fdeabce7000)
	libsmime3.so => /lib64/libsmime3.so (0x00007fdeabac0000)
	libnss3.so => /lib64/libnss3.so (0x00007fdeab798000)
	libnssutil3.so => /lib64/libnssutil3.so (0x00007fdeab568000)
	libplds4.so => /lib64/libplds4.so (0x00007fdeab364000)
	libplc4.so => /lib64/libplc4.so (0x00007fdeab15f000)
	libnspr4.so => /lib64/libnspr4.so (0x00007fdeaaf21000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fdeaad03000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fdeaaaff000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fdeaa778000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fdeaa42d000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fdeaa077000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fdea9e60000)
	librt.so.1 => /lib64/librt.so.1 (0x00007fdea9c58000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fdeac146000)
$ /usr/lib/jvm/java-10-openjdk/bin/java TestECDSA
Signature: 30440220414ccda00b7ee01be3015115be47ec73550a23cdcf24bf258731294ebdbe822202203db858315dd94293e4ad5f47b09dbc3a2dd022251327e024eb94fbca28a86fc3
Test passed

Comment 4 Severin Gehwolf 2018-04-30 08:29:10 UTC

$ /usr/lib/jvm/java-10-openjdk/bin/java TestECDSA
Signature: 304502206791c2738381e0a8ab49db7ecb1435585ba95ec0bc3a06b20dff168b2ff96e7d022100b00121a0a36ecdd82b2075fe90b10e2d6e49b95539b78f32f9f8fcd2f3d08c98
Test passed.
$ rpm -ql java-openjdk-headless | grep sunec
/usr/lib/jvm/java-10-openjdk-10.0.1.10-1.fc27.x86_64/lib/libsunec.so
$ ldd /usr/lib/jvm/java-10-openjdk-10.0.1.10-1.fc27.x86_64/lib/libsunec.so
	linux-vdso.so.1 (0x00007fff6df9b000)
	libssl3.so => /lib64/libssl3.so (0x00007fdd65663000)
	libsmime3.so => /lib64/libsmime3.so (0x00007fdd6543c000)
	libnss3.so => /lib64/libnss3.so (0x00007fdd65114000)
	libnssutil3.so => /lib64/libnssutil3.so (0x00007fdd64ee4000)
	libplds4.so => /lib64/libplds4.so (0x00007fdd64ce0000)
	libplc4.so => /lib64/libplc4.so (0x00007fdd64adb000)
	libnspr4.so => /lib64/libnspr4.so (0x00007fdd6489d000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fdd6467f000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fdd6447b000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fdd640f4000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fdd63da9000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fdd639f3000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fdd637dc000)
	librt.so.1 => /lib64/librt.so.1 (0x00007fdd635d4000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fdd65ac2000)

Comment 5 Red Hat Bugzilla 2023-09-14 04:26:36 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days