Bug 1565658 - java-openjdk (JDK 10) does not support EC ciphers via system NSS [NEEDINFO]
Summary: java-openjdk (JDK 10) does not support EC ciphers via system NSS
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: java-openjdk
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Severin Gehwolf
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-10 13:45 UTC by Severin Gehwolf
Modified: 2018-04-30 08:29 UTC (History)
3 users (show)

Fixed In Version: java-openjdk-10.0.1.10-1.fc27, java-openjdk-10.0.1.10-1.fc28, java-openjdk-10.0.1.10-1.fc29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-30 08:27:56 UTC
Type: Bug
sgehwolf: needinfo? (mbalao)


Attachments (Terms of Use)

Description Severin Gehwolf 2018-04-10 13:45:43 UTC
Description of problem:
This is a JDK 10 clone of bug 1537049. On JDK 8 (java-1.8.0-openjdk) one can use system NSS via a patched SunEC provider. This is currently not possible on JDK 10 (java-openjdk). It's a regression in terms of functionality.

Version-Release number of selected component (if applicable):
java-openjdk-10.0.0.46-10.fc27.x86_64

How reproducible:
100%

Steps to Reproduce:
1. $ wget https://src.fedoraproject.org/rpms/java-9-openjdk/raw/master/f/TestECDSA.java
2. $ javac TestECDSA.java
3. $ /usr/lib/jvm/java-10-openjdk/bin/java TestECDSA

Actual results:
Exception in thread "main" java.security.NoSuchAlgorithmException: EC KeyPairGenerator not available
	at java.base/java.security.KeyPairGenerator.getInstance(KeyPairGenerator.java:236)
	at TestECDSA.main(TestECDSA.java:29)

Expected results:
Signature: 3045022100ec68089396b64d8797638f1e5e16092573309a97f66df1041460242595335a3e022065d6a34d1fd312f3295c6be73466f86820da3f5b88c4a43d6abb13005f7e2661
Test passed.

Additional info:
This works with latest java-1.8.0-openjdk, and fails with latest java-openjdk.

$ rpm -ql java-1.8.0-openjdk-headless | grep libsunec
/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.fc27.x86_64/jre/lib/amd64/libsunec.so
$ ldd /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.151-1.b12.fc27.x86_64/jre/lib/amd64/libsunec.so
	linux-vdso.so.1 (0x00007ffe6175b000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007f529bc70000)
	libssl3.so => /lib64/libssl3.so (0x00007f529ba23000)
	libsmime3.so => /lib64/libsmime3.so (0x00007f529b7fc000)
	libnss3.so => /lib64/libnss3.so (0x00007f529b4d4000)
	libnssutil3.so => /lib64/libnssutil3.so (0x00007f529b2a4000)
	libplds4.so => /lib64/libplds4.so (0x00007f529b0a0000)
	libplc4.so => /lib64/libplc4.so (0x00007f529ae9b000)
	libnspr4.so => /lib64/libnspr4.so (0x00007f529ac5d000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f529aa3e000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f529a83a000)
	libm.so.6 => /lib64/libm.so.6 (0x00007f529a4e5000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f529a102000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007f5299eeb000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f529c203000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f5299cd4000)
	librt.so.1 => /lib64/librt.so.1 (0x00007f5299acc000)

$ rpm -ql java-openjdk-headless | grep libsunec
<nothing>

Comment 1 Severin Gehwolf 2018-04-10 15:11:25 UTC
The port was fairly straight-forward. Only some files needed changing since they included source repository paths. Namely jdk-options.m4 and Lib-jdk.crypto.ec.gmk.

PR which enables system NSS:
https://src.fedoraproject.org/rpms/java-openjdk/pull-request/1

Scratch build with this is running:
https://koji.fedoraproject.org/koji/taskinfo?taskID=26291651

Martin it would be appreciated if you could look this over. Thanks!

Comment 2 Severin Gehwolf 2018-04-11 08:58:16 UTC
(In reply to Severin Gehwolf from comment #1)
> Scratch build with this is running:
> https://koji.fedoraproject.org/koji/taskinfo?taskID=26291651

For the record, this passed.

Comment 3 Severin Gehwolf 2018-04-11 15:59:49 UTC
JDK 10 for F27 from:
https://koji.fedoraproject.org/koji/taskinfo?taskID=26303153

$ rpm -q java-openjdk
java-openjdk-10.0.0.46-12.fc27.x86_64

$ rpm -ql java-openjdk-headless | grep libsunec
/usr/lib/jvm/java-10-openjdk-10.0.0.46-12.fc27.x86_64/lib/libsunec.so
$ ldd /usr/lib/jvm/java-10-openjdk-10.0.0.46-12.fc27.x86_64/lib/libsunec.so
	linux-vdso.so.1 (0x00007ffd7157c000)
	libssl3.so => /lib64/libssl3.so (0x00007fdeabce7000)
	libsmime3.so => /lib64/libsmime3.so (0x00007fdeabac0000)
	libnss3.so => /lib64/libnss3.so (0x00007fdeab798000)
	libnssutil3.so => /lib64/libnssutil3.so (0x00007fdeab568000)
	libplds4.so => /lib64/libplds4.so (0x00007fdeab364000)
	libplc4.so => /lib64/libplc4.so (0x00007fdeab15f000)
	libnspr4.so => /lib64/libnspr4.so (0x00007fdeaaf21000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fdeaad03000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fdeaaaff000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fdeaa778000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fdeaa42d000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fdeaa077000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fdea9e60000)
	librt.so.1 => /lib64/librt.so.1 (0x00007fdea9c58000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fdeac146000)
$ /usr/lib/jvm/java-10-openjdk/bin/java TestECDSA
Signature: 30440220414ccda00b7ee01be3015115be47ec73550a23cdcf24bf258731294ebdbe822202203db858315dd94293e4ad5f47b09dbc3a2dd022251327e024eb94fbca28a86fc3
Test passed

Comment 4 Severin Gehwolf 2018-04-30 08:29:10 UTC
$ /usr/lib/jvm/java-10-openjdk/bin/java TestECDSA
Signature: 304502206791c2738381e0a8ab49db7ecb1435585ba95ec0bc3a06b20dff168b2ff96e7d022100b00121a0a36ecdd82b2075fe90b10e2d6e49b95539b78f32f9f8fcd2f3d08c98
Test passed.
$ rpm -ql java-openjdk-headless | grep sunec
/usr/lib/jvm/java-10-openjdk-10.0.1.10-1.fc27.x86_64/lib/libsunec.so
$ ldd /usr/lib/jvm/java-10-openjdk-10.0.1.10-1.fc27.x86_64/lib/libsunec.so
	linux-vdso.so.1 (0x00007fff6df9b000)
	libssl3.so => /lib64/libssl3.so (0x00007fdd65663000)
	libsmime3.so => /lib64/libsmime3.so (0x00007fdd6543c000)
	libnss3.so => /lib64/libnss3.so (0x00007fdd65114000)
	libnssutil3.so => /lib64/libnssutil3.so (0x00007fdd64ee4000)
	libplds4.so => /lib64/libplds4.so (0x00007fdd64ce0000)
	libplc4.so => /lib64/libplc4.so (0x00007fdd64adb000)
	libnspr4.so => /lib64/libnspr4.so (0x00007fdd6489d000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fdd6467f000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007fdd6447b000)
	libstdc++.so.6 => /lib64/libstdc++.so.6 (0x00007fdd640f4000)
	libm.so.6 => /lib64/libm.so.6 (0x00007fdd63da9000)
	libc.so.6 => /lib64/libc.so.6 (0x00007fdd639f3000)
	libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fdd637dc000)
	librt.so.1 => /lib64/librt.so.1 (0x00007fdd635d4000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fdd65ac2000)


Note You need to log in before you can comment on or make changes to this bug.