Description of problem:
On JDK 8 (java-1.8.0-openjdk) one can use system NSS via a patched SunEC provider. This is currently not possible on JDK 9 (java-9-openjdk). It's a regression in terms of functionality.

Version-Release number of selected component (if applicable):
java-9-openjdk-9.0.1.11-4.fc27

How reproducible:
100%

Steps to Reproduce:
1. $ wget https://src.fedoraproject.org/rpms/java-9-openjdk/raw/master/f/TestECDSA.java
2. $ javac TestECDSA.java
3. $ /usr/lib/jvm/java-9-openjdk/bin/java TestECDSA

Actual results:
Exception in thread "main" java.security.NoSuchAlgorithmException: EC KeyPairGenerator not available
        at java.base/java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:236)
        at TestECDSA.main(TestECDSA.java:29)

Expected results:
Signature: 3045022100ec68089396b64d8797638f1e5e16092573309a97f66df1041460242595335a3e022065d6a34d1fd312f3295c6be73466f86820da3f5b88c4a43d6abb13005f7e2661
Test passed.

Additional info:
This works with latest java-1.8.0-openjdk, and fails with latest java-9-openjdk.
$ rpm -ql java-1.8.0-openjdk-headless | grep libsunec
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.fc27.x86_64/jre/lib/amd64/libsunec.so
[sgehwolf@p50-laptop java-9-openjdk]$ ldd /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.fc27.x86_64/jre/lib/amd64/libsunec.so
        linux-vdso.so.1 (0x00007ffe6175b000)
        libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f529bc70000)
        libssl3.so => /lib64/libssl3.so (0x00007f529ba23000)
        libsmime3.so => /lib64/libsmime3.so (0x00007f529b7fc000)
        libnss3.so => /lib64/libnss3.so (0x00007f529b4d4000)
        libnssutil3.so => /lib64/libnssutil3.so (0x00007f529b2a4000)
        libplds4.so => /lib64/libplds4.so (0x00007f529b0a0000)
        libplc4.so => /lib64/libplc4.so (0x00007f529ae9b000)
        libnspr4.so => /lib64/libnspr4.so (0x00007f529ac5d000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f529aa3e000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f529a83a000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f529a4e5000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f529a102000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f5299eeb000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f529c203000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f5299cd4000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f5299acc000)
$ rpm -ql java-9-openjdk-headless | grep libsunec
<nothing>
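The call that fails in the reproducer is KeyPairGenerator.getInstance("EC"). The program below is an added illustration, not the TestECDSA.java from the Fedora repository: it first asks the installed providers which one (if any) registers an EC KeyPairGenerator, so a JDK whose SunEC provider is absent or whose libsunec.so failed to load produces a clear diagnostic instead of a bare NoSuchAlgorithmException, and then runs an ECDSA sign/verify round trip reporting the provider that served it. The class name, the secp256r1 curve, the SHA256withECDSA algorithm and the message bytes are assumptions; the actual parameters of TestECDSA are not shown in this bug.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

// Hypothetical diagnostic (not the Fedora TestECDSA.java): reports which
// provider supplies EC key generation, then does an ECDSA sign/verify.
public class EcProviderCheck {

    // Return the first installed provider that registers an EC KeyPairGenerator,
    // or null if none does (the state behind "EC KeyPairGenerator not available").
    static Provider findEcKeyPairGeneratorProvider() {
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyPairGenerator", "EC") != null) {
                return p;
            }
        }
        return null;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Provider ecProvider = findEcKeyPairGeneratorProvider();
        if (ecProvider == null) {
            System.err.println("No installed provider offers KeyPairGenerator.EC.");
            System.err.println("Installed providers:");
            for (Provider p : Security.getProviders()) {
                System.err.println("  " + p.getName() + ": " + p.getInfo());
            }
            System.err.println("On OpenJDK this usually means the SunEC provider's native "
                    + "library (libsunec.so) is missing from the JDK or failed to load.");
            System.exit(1);
        }
        System.out.println("EC KeyPairGenerator supplied by provider: " + ecProvider.getName());

        // Assumed curve; any curve the provider supports would do for the round trip.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample message for the sign/verify round trip.
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(kp.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();
        System.out.println("Signature (" + signer.getProvider().getName() + "): " + toHex(sig));

        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(message);
        if (verifier.verify(sig)) {
            System.out.println("Test passed.");
        } else {
            System.out.println("Test FAILED: signature did not verify.");
            System.exit(2);
        }
    }
}
```

Compile with javac EcProviderCheck.java and run it with the JDK under test (for example /usr/lib/jvm/java-9-openjdk/bin/java EcProviderCheck). A passing run only proves that some provider serves EC; whether that provider's native library is linked against the system NSS, rather than an in-tree copy, is established by running ldd on the JDK's libsunec.so as done above, not from inside the JVM.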
Created attachment 1384387 [details] Top-level patch for the JDK 9 forest for system-nss support.
Created attachment 1384388 [details] Patch for jdk repo of a JDK 9 tree for system NSS support.
With the two patches applied to top and jdk, one can use configure option: --enable-system-nss provided nss-softokn-devel and nss-devel packages are installed. One can remove the upstream in-tree version of libsunec at jdk/src/jdk.crypto.ec/share/native/libsunec/impl.
If above is satisfied, configure output will contain:

[...]
checking whether to build the Sun EC provider against the system NSS libraries... yes
checking for NSS_SOFTTKN... yes
checking for NSS... yes
[...]
$ ldd build/linux-x86_64-normal-server-release/images/jdk/lib/libsunec.so
ldd: warning: you do not have execution permission for `build/linux-x86_64-normal-server-release/images/jdk/lib/libsunec.so'
        linux-vdso.so.1 (0x00007ffe5b9f7000)
        libssl3.so => /lib64/libssl3.so (0x00007fe8836c0000)
        libsmime3.so => /lib64/libsmime3.so (0x00007fe883499000)
        libnss3.so => /lib64/libnss3.so (0x00007fe883171000)
        libnssutil3.so => /lib64/libnssutil3.so (0x00007fe882f41000)
        libplds4.so => /lib64/libplds4.so (0x00007fe882d3d000)
        libplc4.so => /lib64/libplc4.so (0x00007fe882b38000)
        libnspr4.so => /lib64/libnspr4.so (0x00007fe8828fa000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fe8826db000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007fe8824d7000)
        libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fe882151000)
        libm.so.6 => /lib64/libm.so.6 (0x00007fe881dfc000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fe881a19000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fe881802000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fe8815eb000)
        librt.so.1 => /lib64/librt.so.1 (0x00007fe8813e3000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fe883b1a000)
$ ./build/linux-x86_64-normal-server-release/images/jdk/bin/java TestECDSA
Signature: 3045022100ffe70f5fa3fb501fccc5601c87100a68c3a0db2c0c3d8e014cdb7830ed74a7120220793141fc98f8e4536d64ddb11ca03a72838bd8ed0283a94436ec175fc69ffac7
Test passed.
Created attachment 1385744 [details]
Patch for jdk repo of a JDK 9 tree for system NSS support.

Updated JDK patch based on review feedback.
Created attachment 1390261 [details] java-9-openjdk RPM repository patch: use system NSS library in SunEC
Based on Severin's patches, I attached a patch (attachment 1390261 [details]) with the following changes:

* Merged both top level and jdk patches into one RPM patch: system-nss-ec-rh1537049.patch
* Changed file paths inside patch to be applied when preparing the RPM
* Removed pr2126 changes from patch (as they are going to be applied separately through pr2126-9.patch when building the source tarball)
* Applied required changes in SPEC file (java-9-openjdk master repo, rev 4ba5fbc2d04d27c206e55e82df04ed675179f177)
* Built RPM and tested on Fedora rawhide
* Debugged EC_NewKey in depth (called from ECKeyPairGenerator.generateKeyPair) to make sure that system NSS library was used.
* Compared assembly from libsunec.so in java-1.8.0-openjdk and java-9-openjdk when calling EC_NewKey to make sure they are equivalent

This patch looks ready in my opinion.
Jiri, could you please build with the patch in comment 7. Getting this into java-9-openjdk will be a requirement for JDK 10 which is currently in review.
Can we rather put this into jdk10 directly?
nvm.. applying and building. Btw, there is nss.cfg.in and with it also this patch: diff -r 5b86f66575b7 src/share/lib/security/java.security-linux --- openjdk/jdk/src/java.base/share/conf/security/java.security Tue May 16 13:29:05 2017 -0700 +++ openjdk/jdk/src/java.base/share/conf/security/java.security Tue Jun 06 14:05:12 2017 +0200 @@ -83,6 +83,7 @@ #ifndef solaris security.provider.tbd=SunPKCS11 #endif +#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg # # A list of preferred providers for specific algorithms. These providers will Isnt (shouldn't) it (be) affected?
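Review bot: the added `+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg` line is commented out with a leading `#`, so as written this hunk registers nothing and cannot change which providers are active; if the intent is to enable NSS through SunPKCS11 with nss.cfg, the leading `#` has to go (with the `tbd` placeholder presumably substituted at build time the same way as the existing `security.provider.tbd=SunPKCS11` line above it). Either way this is the SunPKCS11 route to NSS and is independent of the SunEC provider whose EC KeyPairGenerator is missing, so it has no bearing on this bug. Also, the `diff -r 5b86f66575b7 src/share/lib/security/java.security-linux` header names a different file than the `---`/`+++` lines (`openjdk/jdk/src/java.base/share/conf/security/java.security`); the header looks carried over from an older tree and should be regenerated so the patch applies at the expected strip level.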
nss.cfg.in is:

name = NSS
nssLibraryDirectory = @NSS_LIBDIR@
nssDbMode = noDb
attributes = compatibility
handleStartupErrors = ignoreMultipleInitialisation
(In reply to jiri vanek from comment #11) > nvm.. applying and building. Thanks! > Btw, there is nss.cfg.in and with it also this > patch: > diff -r 5b86f66575b7 src/share/lib/security/java.security-linux > --- openjdk/jdk/src/java.base/share/conf/security/java.security Tue May 16 > 13:29:05 2017 -0700 > +++ openjdk/jdk/src/java.base/share/conf/security/java.security Tue Jun 06 > 14:05:12 2017 +0200 > @@ -83,6 +83,7 @@ > #ifndef solaris > security.provider.tbd=SunPKCS11 > #endif > +#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg > > # > # A list of preferred providers for specific algorithms. These providers > will > > > > Isnt (shouldn't) it (be) affected? It shouldn't be no. This is nss config for use via SunPKCS11. This bug is by using the SunEC provider.
(In reply to jiri vanek from comment #10)
> Can we rather put this into jdk10 directly?

I'd assume there are more JDK 9 users out there than there are of JDK 10. So having it in JDK 9 seems useful. FWIW, I'm working on a JDK 10 port. The JDK 9 patch doesn't cleanly apply due to the mono-repository change.
JDK 10 is being tracked with bug 1565658.
java-9-openjdk-9.0.4.11-6.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f6cc40bc6c
java-9-openjdk-9.0.4.11-6.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f6cc40bc6c
java-9-openjdk-9.0.4.11-6.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
This issue appears to be back in Fedora 28.

I have a test case implemented as: -

    @Test
    public void testEncodeDecodeECPublicKey() throws Exception {
        assertParsing(KeyPairGenerator.getInstance("EC").generateKeyPair().getPublic());
    }

This is resulting in the following error: -

java.security.NoSuchAlgorithmException: EC KeyPairGenerator not available
        at java.base/java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:236)
        at org.wildfly.security.util.PemTest.testEncodeDecodeECPublicKey(PemTest.java:95)

This is the package I have installed: -

Installed Packages
Name         : java-9-openjdk-devel
Epoch        : 1
Version      : 9.0.4.11
Release      : 6.fc28
Arch         : x86_64
Size         : 5.4 M
Source       : java-9-openjdk-9.0.4.11-6.fc28.src.rpm
Repo         : @System
From repo    : fedora
Summary      : OpenJDK Development Environment
URL          : http://openjdk.java.net/
License      : ASL 1.1 and ASL 2.0 and GPL+ and GPLv2 and GPLv2 with exceptions and LGPL+ and LGPLv2 and MPLv1.0 and MPLv1.1 and Public Domain and W3C
Description  : The OpenJDK development tools.

If I download OpenJDK 9 directly it works: -

https://download.java.net/java/GA/jdk9/9.0.4/binaries/openjdk-9.0.4_linux-x64_bin.tar.gz
(In reply to Darran Lofthouse from comment #19)
> This issue appears to be back in Fedora 28.
>
> I have a test case implemented as: -
>
>     @Test
>     public void testEncodeDecodeECPublicKey() throws Exception {
>         assertParsing(KeyPairGenerator.getInstance("EC").generateKeyPair().getPublic());
>     }
>
> This is resulting in the following error: -
>
> java.security.NoSuchAlgorithmException: EC KeyPairGenerator not available
>         at java.base/java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:236)
>         at org.wildfly.security.util.PemTest.testEncodeDecodeECPublicKey(PemTest.java:95)
>
> This is the package I have installed: -
>
> Installed Packages
> Name         : java-9-openjdk-devel
> Epoch        : 1
> Version      : 9.0.4.11
> Release      : 6.fc28
> Arch         : x86_64
> Size         : 5.4 M
> Source       : java-9-openjdk-9.0.4.11-6.fc28.src.rpm
> Repo         : @System
> From repo    : fedora
> Summary      : OpenJDK Development Environment
> URL          : http://openjdk.java.net/
> License      : ASL 1.1 and ASL 2.0 and GPL+ and GPLv2 and GPLv2 with exceptions and LGPL+ and LGPLv2 and MPLv1.0 and MPLv1.1 and Public Domain and W3C
> Description  : The OpenJDK development tools.
>
> If I download OpenJDK 9 directly it works: -
>
> https://download.java.net/java/GA/jdk9/9.0.4/binaries/openjdk-9.0.4_linux-x64_bin.tar.gz

Reproduced, but since JDK 9 is EOL I wouldn't keep my hopes up to get it fixed. Please use JDK 10 or JDK 11 instead.

JDK 10: dnf install java-openjdk-devel
JDK 11: dnf install java-11-openjdk-devel

For both of them EC ciphers work:

$ /usr/lib/jvm/java-10-openjdk/bin/java TestECDSA
Signature: 3045022015a77e84e6dfe077da723e25fc2f3f58244b1034edff24b2d5a904271df5df520221008b95bccb85454459cb887cc47c595970d98da8014b5e7b271a291bdd20e32133
Test passed.
$ /usr/lib/jvm/java-11-openjdk/bin/java TestECDSA
Signature: 3046022100c4ccdbfb5114a906c22a52fe8aa56fa0cfda1a52665fde7ed75160e9931afc2502210094c228278f107c7885aeda098e3366809823bf8a363d5bf78828ef670884fd16
Test passed.
$ rpm -qf /usr/lib/jvm/java-10-openjdk/bin/java
java-openjdk-headless-10.0.2.13-1.fc28.x86_64
$ rpm -qf /usr/lib/jvm/java-11-openjdk/bin/java
java-11-openjdk-headless-11.0.ea.22-1.fc28.x86_64

TestECDSA sources are here:
https://src.fedoraproject.org/rpms/java-openjdk/raw/master/f/TestECDSA.java
Looks like java-9-openjdk-9.0.4.11-6.fc28 never got the patch (only F27 builds of java-9-openjdk have it):

$ rpm -q --changelog java-9-openjdk | head
* Tue Feb 13 2018 Sandro Mani <manisandro> - 1:9.0.4.11-6
- Rebuild (giflib)

* Wed Feb 07 2018 Fedora Release Engineering <releng> - 1:9.0.4.11-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

* Fri Jan 26 2018 Severin Gehwolf <sgehwolf> - 1:9.0.4.11-4
- Update AArch64 patch series (3) from upstream which fix FTBFS on AArch64 post-January CPU.