As mentioned by @emaldonado in issue #15, we're needing to support JDK11 as multiple distributions are moving towards it. Currently it is available in F28+ with the goal of making F30 (current rawhide) the first release to use JDK11 by default. This is documented in Fedora.
One of the biggest changes is that sun.security.pkcs11.wrapper.PKCS11Constants is no longer exported and available for use outside of the JDK. This means that our tests and our consumers cannot rely on it.
@emaldonado proposed two workarounds:
The con with approach 1 is that we'll have to write parsing logic to convert a C header file into a Java class. This makes me favor approach #2. We'd need to consult with Legal to ensure that this is OK as it appears to use a combination of a modified BSD-4 clause (+5 clause saying we have to rename it from what they originally called it) and whatever license the JDK is released under.
Pending Legal approval though, I'd recommend the following:
samples
PKCS11Constants
samples/PKCS11Constants
OpenJDK
org/mozilla/jss/pkcs11/PKCS11Constants
What this achieves is the following:
The downsides are:
Thoughts?
/cc: @mharmsen, @cfu, @jmagne, @edewata, @dmoluguw, @emaldonado
I do agree that workaround 2 is easier than 1. It isn't easy though and will require some work to partially automate the sync up of ours with the one from OpenJDK and know when we need to update.
@cipherboy pointed me to this site http://hg.openjdk.java.net/jdk/jdk11/file/1ddf9a99e4ad/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
The problem with this page is that if you download it via 'wget' it comes with a lot of HTML stuff on it. I haven't found the location of the actual source repository yet. From what I read it's a mercurial one. In the meantime I found a temporary workaround to get the file in a clean way. This is what I did.
tar xvzf
I then `cd ~/Dowloads/jdk11-1ddf9a99e4ad`

```
$ tree ./src/ | grep PKCS11Constants.java
│ │ │ ├── PKCS11Constants.java
```

confirms that it's included.

To find it

```
$ find . -name PKCS11Constants.java
./src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java
```
I can now compare with the one we have.
cd
sed -i '/^\s*$/d' PKCS11Constants.java
Just to get us started, a lot more work remains.
(edit: formatting by @cipherboy)
For reasons of interoperability with NSS, I decided to take the alternate approach and generate PKCS11Constants from NSS's pkcs11t.h. This has been opened as PR here:
This then has been finished in a different branch:
These latter two have been tested together and verified to work.
I'd like feedback on the approach before continuing. In particular, I'd like to know:
/cc @emaldonado @dmoluguw @jmagne @edewata
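The header-to-Java generation discussed in this thread, as an added example (not code from the JSS pull request or from anyone in the thread): a small Python generator run on a constructed header excerpt in the style of pkcs11t.h. The function names and the layout of the emitted class are assumptions; constants are emitted as `long` with an `L` suffix because a value such as `0x80000000` is negative as a Java `int`.

```python
import re

# Constructed excerpt in the style of pkcs11t.h (not a verbatim copy of NSS's file).
SAMPLE_HEADER = """\
#ifndef _PKCS11T_H_
#define _PKCS11T_H_ 1
#define CK_PTR *
#define CK_DECLARE_FUNCTION(rv, name) rv name
#define CK_TRUE 1
#define CKF_ARRAY_ATTRIBUTE 0x40000000UL
#define CKA_CLASS 0x00000000UL
#define CKA_SUBPRIME_BITS 0x00000134UL
#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS /* older spelling */
#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE | 0x00000211UL)
#define CKM_VENDOR_DEFINED 0x80000000UL
#endif
"""

DEFINE = re.compile(r"^\s*#\s*define\s+(CK[A-Z]*_\w+)\s+(.+?)\s*$")
COMMENT = re.compile(r"/\*.*?\*/|//.*$")  # single-line comments only
TOKEN = re.compile(r"\s*(?:(0[xX][0-9a-fA-F]+|\d+)[uUlL]*|([A-Za-z_]\w*)|([()|]))")

def to_java_expr(expr, known):
    """Translate a C constant expression to Java; None if it is not a plain constant."""
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            return None  # e.g. "*" in CK_PTR: a type macro, not a value
        number, name, punct = m.groups()
        if name is not None and name not in known:
            return None  # refers to something that was not emitted as a constant
        # Java long literals take an L suffix; C's U/UL suffixes are dropped.
        out.append(number + "L" if number else name or punct)
        pos = m.end()
    return " ".join(out).replace("( ", "(").replace(" )", ")") or None

def generate_java(header, cls="PKCS11Constants"):
    """Return (name -> Java expression, Java source) for the header's CK* defines."""
    consts = {}
    for line in header.splitlines():
        m = DEFINE.match(COMMENT.sub("", line))
        java = to_java_expr(m.group(2), consts) if m else None
        if java is not None:
            consts[m.group(1)] = java
    body = "".join(f"    public static final long {n} = {v};\n" for n, v in consts.items())
    return consts, f"public final class {cls} {{\n{body}}}\n"

if __name__ == "__main__":
    print(generate_java(SAMPLE_HEADER)[1])
```

Function-like macros, type macros and include guards are skipped rather than guessed at, so the generated class only contains names whose values were fully resolved from the header.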
I'm closing this as fixed in favor of the pull request https://github.com/dogtagpki/jss/pull/41 and @emaldonado's JDK11 tracking bug: https://pagure.io/jss/issue/15
The RFC portion is complete: maintaining a Java version from NSS's library will be easy enough and automated so we can stay on top of changes there.
Metadata Update from @cipherboy: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)