http://bugzilla.novell.com/show_bug.cgi?id=546843
User mvyskocil@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=546843#c546468
Summary: gkeytool lack a support for ECC certificates Classification: openSUSE Product: openSUSE 11.2 Version: Factory Platform: Other OS/Version: Other Status: NEW Severity: Major Priority: P5 - None Component: Basesystem AssignedTo: matz@novell.com ReportedBy: mvyskocil@novell.com QAContact: qa@suse.de Found By: Development
gkeytool fails on read ECC certificate - this is also in openjdk, but the fix adds a support for Elliptic Curve Cryptography already exists in upstream, but I did not find similar for gcc java. I read a commit log, asked on #openjdk@irc.oftc.net, where many openjdk and gcj developers are, but noone answered me yet.
see bnc#546468 for details about openjdk
The java-1_5_0-gcj-compat fails on keystore creation: + for key in '/etc/ssl/certs/*.pem' + yes ++ basename /etc/ssl/certs/COMODO_ECC_Certification_Authority.pem + gkeytool-4.4 -import -keystore cacerts -file /etc/ssl/certs/COMODO_ECC_Certification_Authority.pem -storepass '' -alias COMODO_ECC_Certification_Authority.pem keytool error: java.security.cert.CertificateException error: Bad exit status from /var/tmp/rpm-tmp.cYvDZ9 (%prep)
I'm going to workaround it in java-1_5_0-gcj-compat by skipping those certificates during keystore creation, to provide a fix immediately to make OpenOffice.org build immediately. But it'd be nice to have gcj with ECC support enabled.
http://bugzilla.novell.com/show_bug.cgi?id=546843
User mvyskocil@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=546843#c1
--- Comment #1 from Michal Vyskocil mvyskocil@novell.com 2009-10-14 06:39:42 MDT --- JFI: the answer from Mark Wielaard
[14:35] <mjw> mvyskocil, then the answer currently is sadly no, since gkeytool doesn't use nss, and doesn't have another ecc implementation.
So I submit a workaround in java-1_5_0-gcj-compat as a hotfix.
http://bugzilla.novell.com/show_bug.cgi?id=546843
User matz@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=546843#c2
Michael Matz matz@novell.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX
--- Comment #2 from Michael Matz matz@novell.com 2009-10-14 12:16:02 MDT --- Yep, you need to filter out that certificate. gnu.crypto doesn't implement ECC and there's no support to use e.g. nss. I'm not sure if ECC will ever be implemented upstream, it's not terribly active.
http://bugzilla.novell.com/show_bug.cgi?id=546843 http://bugzilla.novell.com/show_bug.cgi?id=546843#c3
--- Comment #3 from Bernhard Wiedemann bwiedemann@suse.com --- This is an autogenerated message for OBS integration: This bug (546843) was mentioned in https://build.opensuse.org/request/show/22394 Factory / java-1_5_0-gcj-compat https://build.opensuse.org/request/show/35339 Factory / java-1_5_0-gcj-compat
http://bugzilla.novell.com/show_bug.cgi?id=546843
Swamp Workflow Management swamp@suse.de changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard| |ibs:running:2941:moderate