import java-1.8.0-openjdk-1.8.0.322.b06-9.el9

2022-04-05 05:48:14 -04:00 · 2022-04-05 05:48:14 -04:00 · 3128742cc8
parent e3b0344654
commit 3128742cc8
6 changed files with 565 additions and 28 deletions
--- a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
+++ b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
@ -0,0 +1,26 @@
+diff --git openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+index cf4becb7db..4ab2ac0a31 100644
+--- openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+++ openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+@@ -189,6 +189,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+                     ctx = getLdapCtxFromUrl(
+                             r.getDomainName(), url, new LdapURL(u), env);
+                     return ctx;
+                } catch (AuthenticationException e) {
+                    // do not retry on a different endpoint to avoid blocking
+                    // the user if authentication credentials are wrong.
+                    throw e;
+                 } catch (NamingException e) {
+                     // try the next element
+                     lastException = e;
+@@ -241,6 +245,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+         for (String u : urls) {
+             try {
+                 return getUsingURL(u, env);
+            } catch (AuthenticationException e) {
+                // do not retry on a different URL to avoid blocking
+                // the user if authentication credentials are wrong.
+                throw e;
+             } catch (NamingException e) {
+                 ex = e;
+             }
--- a/SOURCES/rh2021263-fips_ensure_security_initialised.patch
+++ b/SOURCES/rh2021263-fips_ensure_security_initialised.patch
@ -0,0 +1,28 @@
+commit 06c2decab204fcce5aca2d285953fcac1820b1ae
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date:   Mon Jan 24 01:23:28 2022 +0000
+
+    RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+
+diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
+index 40ca609e02..0dafe6f59c 100644
+--- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
+++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
+@@ -31,6 +31,7 @@ import java.io.Console;
+ import java.io.FileDescriptor;
+ import java.io.ObjectInputStream;
+ import java.security.ProtectionDomain;
+import java.security.Security;
+ import java.security.Signature;
+ 
+ import java.security.AccessController;
+@@ -255,6 +256,9 @@ public class SharedSecrets {
+     }
+ 
+     public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+        if (javaSecuritySystemConfiguratorAccess == null) {
+            unsafe.ensureClassInitialized(Security.class);
+        }
+         return javaSecuritySystemConfiguratorAccess;
+     }
+ }
--- a/SOURCES/rh2021263-fips_missing_native_returns.patch
+++ b/SOURCES/rh2021263-fips_missing_native_returns.patch
@ -0,0 +1,24 @@
+commit 7f58a05104138ebdfd3b7b968ed67ea4c8573073
+Author: Fridrich Strba <fstrba@suse.com>
+Date:   Mon Jan 24 01:10:57 2022 +0000
+
+    RH2021263: Return in C code after having generated Java exception
+
+diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
+index 6f4656bfcb..34d0ff0ce9 100644
+--- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
+@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+     dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+     if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+         throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+        return JNI_FALSE;
+     }
+     fips_enabled = fgetc(fe);
+     fclose(fe);
+     if (fips_enabled == EOF) {
+         throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+        return JNI_FALSE;
+     }
+     msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+             " read character is '%c'", fips_enabled);
--- a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
+++ b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
@ -0,0 +1,98 @@
+commit aaf92165ad1cbb1c9818eb60178c91293e13b053
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date:   Mon Jan 24 15:13:14 2022 +0000
+
+    RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+
+diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
+index fa494b680f..b5aa5c749d 100644
+--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
+@@ -57,10 +57,6 @@ public final class Security {
+     private static final Debug sdebug =
+                         Debug.getInstance("properties");
+ 
+-    /* System property file*/
+-    private static final String SYSTEM_PROPERTIES =
+-        "/etc/crypto-policies/back-ends/java.config";
+-
+     /* The java.security properties */
+     private static Properties props;
+ 
+@@ -202,13 +198,6 @@ public final class Security {
+             }
+         }
+ 
+-        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+-        if (disableSystemProps == null &&
+-            "true".equalsIgnoreCase(props.getProperty
+-                ("security.useSystemPropertiesFile"))) {
+-            loadedProps = loadedProps && SystemConfigurator.configure(props);
+-        }
+-
+         if (!loadedProps) {
+             initializeStatic();
+             if (sdebug != null) {
+@@ -217,6 +206,28 @@ public final class Security {
+             }
+         }
+ 
+        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+        if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
+            "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+            if (!SystemConfigurator.configureSysProps(props)) {
+                if (sdebug != null) {
+                    sdebug.println("WARNING: System properties could not be loaded.");
+                }
+            }
+        }
+
+        // FIPS support depends on the contents of java.security so
+        // ensure it has loaded first
+        if (loadedProps) {
+            boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
+             if (sdebug != null) {
+                if (fipsEnabled) {
+                    sdebug.println("FIPS support enabled.");
+                } else {
+                    sdebug.println("FIPS support disabled.");
+                }
+             }
+        }
+     }
+ 
+     /*
+diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
+index d1f677597d..7da65b1d2c 100644
+--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
+@@ -76,7 +76,7 @@ final class SystemConfigurator {
+      * java.security.disableSystemPropertiesFile property is not set and
+      * security.useSystemPropertiesFile is true.
+      */
+-    static boolean configure(Properties props) {
+    static boolean configureSysProps(Properties props) {
+         boolean loadedProps = false;
+ 
+         try (BufferedInputStream bis =
+@@ -96,11 +96,19 @@ final class SystemConfigurator {
+                 e.printStackTrace();
+             }
+         }
+        return loadedProps;
+    }
+
+    /*
+     * Invoked at the end of java.security.Security initialisation
+     * if java.security properties have been loaded
+     */
+    static boolean configureFIPS(Properties props) {
+        boolean loadedProps = false;
+ 
+         try {
+             if (enableFips()) {
+                 if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+-                loadedProps = false;
+                 // Remove all security providers
+                 Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+                 while (i.hasNext()) {
--- a/SOURCES/rh2052829-fips_runtime_nss_detection.patch
+++ b/SOURCES/rh2052829-fips_runtime_nss_detection.patch
@ -0,0 +1,220 @@
+commit 820d1b1b23be6ea2fd34c687a1be384e7a9830e2
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date:   Mon Feb 28 05:50:10 2022 +0000
+
+    RH2051605: Detect NSS at Runtime for FIPS detection
+
+diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
+index 34d0ff0ce9..8dcb7d9073 100644
+--- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
+++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
+@@ -23,25 +23,99 @@
+  * questions.
+  */
+ 
+-#include <dlfcn.h>
+ #include <jni.h>
+ #include <jni_util.h>
+#include "jvm_md.h"
+ #include <stdio.h>
+ 
+ #ifdef SYSCONF_NSS
+ #include <nss3/pk11pub.h>
+#else
+#include <dlfcn.h>
+ #endif //SYSCONF_NSS
+ 
+ #include "java_security_SystemConfigurator.h"
+ 
+#define MSG_MAX_SIZE 256
+ #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+-#define MSG_MAX_SIZE 96
+ 
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
+ static jmethodID debugPrintlnMethodID = NULL;
+ static jobject debugObj = NULL;
+ 
+-static void throwIOException(JNIEnv *env, const char *msg);
+-static void dbgPrint(JNIEnv *env, const char* msg);
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+    jstring jMsg;
+    if (debugObj != NULL) {
+        jMsg = (*env)->NewStringUTF(env, msg);
+        CHECK_NULL(jMsg);
+        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+    }
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+    jclass cls = (*env)->FindClass(env, "java/io/IOException");
+    if (cls != 0)
+        (*env)->ThrowNew(env, cls, msg);
+}
+
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
+{
+  if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+    dbgPrint(env, msg);
+  } else {
+    dbgPrint(env, "systemconf: cannot render message");
+  }
+}
+
+// Only used when NSS is not linked at build time
+#ifndef SYSCONF_NSS
+
+static void *nss_handle;
+
+static jboolean loadNSS(JNIEnv *env)
+{
+  char msg[MSG_MAX_SIZE];
+  int msg_bytes;
+  const char* errmsg;
+
+  nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
+  if (nss_handle == NULL) {
+    errmsg = dlerror();
+    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
+                         errmsg);
+    handle_msg(env, msg, msg_bytes);
+    return JNI_FALSE;
+  }
+  dlerror(); /* Clear errors */
+  getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
+  if ((errmsg = dlerror()) != NULL) {
+    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
+                         errmsg);
+    handle_msg(env, msg, msg_bytes);
+    return JNI_FALSE;
+  }
+  return JNI_TRUE;
+}
+
+static void closeNSS(JNIEnv *env)
+{
+  char msg[MSG_MAX_SIZE];
+  int msg_bytes;
+  const char* errmsg;
+
+  if (dlclose(nss_handle) != 0) {
+    errmsg = dlerror();
+    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
+                         errmsg);
+    handle_msg(env, msg, msg_bytes);
+  }
+}
+
+#endif
+ 
+ /*
+  * Class:     java_security_SystemConfigurator
+@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+         debugObj = (*env)->NewGlobalRef(env, debugObj);
+     }
+ 
+#ifdef SYSCONF_NSS
+    getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
+#else
+    if (loadNSS(env) == JNI_FALSE) {
+      dbgPrint(env, "libsystemconf: Failed to load NSS library.");
+    }
+#endif
+
+     return (*env)->GetVersion(env);
+ }
+ 
+@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+         if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+             return; /* Should not happen */
+         }
+#ifndef SYSCONF_NSS
+        closeNSS(env);
+#endif
+         (*env)->DeleteGlobalRef(env, debugObj);
+     }
+ }
+@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+     char msg[MSG_MAX_SIZE];
+     int msg_bytes;
+ 
+-#ifdef SYSCONF_NSS
+-
+-    dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+-    fips_enabled = SECMOD_GetSystemFIPSEnabled();
+-    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+-            " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+-    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+-        dbgPrint(env, msg);
+    if (getSystemFIPSEnabled != NULL) {
+      dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+      fips_enabled = (*getSystemFIPSEnabled)();
+      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:"   \
+                           " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+      handle_msg(env, msg, msg_bytes);
+      return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+     } else {
+-        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+-                " SECMOD_GetSystemFIPSEnabled return value");
+-    }
+-    return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+-
+-#else // SYSCONF_NSS
+      FILE *fe;
+ 
+-    FILE *fe;
+-
+-    dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+-    if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+      dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+      if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+         throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+         return JNI_FALSE;
+-    }
+-    fips_enabled = fgetc(fe);
+-    fclose(fe);
+-    if (fips_enabled == EOF) {
+      }
+      fips_enabled = fgetc(fe);
+      fclose(fe);
+      if (fips_enabled == EOF) {
+         throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+         return JNI_FALSE;
+-    }
+-    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+-            " read character is '%c'", fips_enabled);
+-    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+-        dbgPrint(env, msg);
+-    } else {
+-        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+-                " read character");
+-    }
+-    return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+-
+-#endif // SYSCONF_NSS
+-}
+-
+-static void throwIOException(JNIEnv *env, const char *msg)
+-{
+-    jclass cls = (*env)->FindClass(env, "java/io/IOException");
+-    if (cls != 0)
+-        (*env)->ThrowNew(env, cls, msg);
+-}
+-
+-static void dbgPrint(JNIEnv *env, const char* msg)
+-{
+-    jstring jMsg;
+-    if (debugObj != NULL) {
+-        jMsg = (*env)->NewStringUTF(env, msg);
+-        CHECK_NULL(jMsg);
+-        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+      }
+      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:"   \
+                           " read character is '%c'", fips_enabled);
+      handle_msg(env, msg, msg_bytes);
+      return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+     }
+ }
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@ -324,7 +324,7 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      2
+%global rpmrelease      9
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@ -406,6 +406,9 @@
 %global alternatives_requires %{_sbindir}/alternatives
 %endif

+%global family %{name}.%{_arch}
+%global family_noarch  %{name}
+
 %if %{with_systemtap}
 # Where to install systemtap tapset (links)
 # We would like these to be in a package specific sub-dir,
@ -423,6 +426,50 @@
 # not-duplicated scriptlets for normal/debug packages
 %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :

+%define save_alternatives() %{expand:
+  # warning! alternatives are localised!
+  # LANG=cs_CZ.UTF-8  alternatives --display java | head
+  # LANG=en_US.UTF-8  alternatives --display java | head
+  function nonLocalisedAlternativesDisplayOfMaster() {
+    LANG=en_US.UTF-8 alternatives --display "$MASTER"
+  }
+  function headOfAbove() {
+    nonLocalisedAlternativesDisplayOfMaster | head -n $1
+  }
+  MASTER="%{?1}"
+  LOCAL_LINK="%{?2}"
+  FAMILY="%{?3}"
+  rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null
+  if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then
+      if headOfAbove 1 | grep -q manual ; then
+        if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then
+           headOfAbove 2  > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY"
+        fi
+      fi
+  fi
+}
+
+%define save_and_remove_alternatives() %{expand:
+  if [ "x$debug"  == "xtrue" ] ; then
+    set -x
+  fi
+  upgrade1_uninstal0=%{?3}
+  if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall
+    %{save_alternatives %{?1} %{?2} %{?4}}
+  fi
+  alternatives --remove  "%{?1}" "%{?2}"
+}
+
+%define set_if_needed_alternatives() %{expand:
+  MASTER="%{?1}"
+  FAMILY="%{?2}"
+  ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY"
+  if [ -e  "$ALTERNATIVES_FILE" ] ; then
+    rm "$ALTERNATIVES_FILE"
+    alternatives --set $MASTER $FAMILY
+  fi
+}
+

 %define post_script() %{expand:
 update-desktop-database %{_datadir}/applications &> /dev/null || :
@ -431,14 +478,18 @@ exit 0
 }

 %define alternatives_java_install() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
 PRIORITY=%{priority}
 if [ "%{?1}" == %{debug_suffix} ]; then
  let PRIORITY=PRIORITY-1
 fi

 ext=.gz
+key=java
 alternatives \\
-  --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY  --family %{name}.%{_arch} \\
+  --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY  --family %{family} \\
  --slave %{_jvmdir}/jre jre %{_jvmdir}/%{jredir -- %{?1}} \\
  --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
  --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\
@ -476,11 +527,17 @@ alternatives \\
  --slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\
  %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext

+%{set_if_needed_alternatives $key %{family}}
+
 for X in %{origin} %{javaver} ; do
-  alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{jredir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+  key=jre_"$X"
+  alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{jredir -- %{?1}} $PRIORITY --family %{family}
+  %{set_if_needed_alternatives $key %{family}}
 done

-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY  --family %{name}.%{_arch}
+key=jre_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY  --family %{family}
+%{set_if_needed_alternatives $key %{family}}
 }

 %define post_headless() %{expand:
@ -513,10 +570,14 @@ exit 0


 %define postun_headless() %{expand:
-  alternatives --remove java %{jrebindir -- %{?1}}/java
-  alternatives --remove jre_%{origin} %{_jvmdir}/%{jredir -- %{?1}}
-  alternatives --remove jre_%{javaver} %{_jvmdir}/%{jredir -- %{?1}}
-  alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}}
+  if [ "x$debug"  == "xtrue" ] ; then
+    set -x
+  fi
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+  %{save_and_remove_alternatives  java  %{jrebindir -- %{?1}}/java $post_state %{family}}
+  %{save_and_remove_alternatives  jre_%{origin} %{_jvmdir}/%{jredir -- %{?1}} $post_state %{family}}
+  %{save_and_remove_alternatives  jre_%{javaver} %{_jvmdir}/%{jredir -- %{?1}} $post_state %{family}}
+  %{save_and_remove_alternatives  jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}}
 }

 %define posttrans_script() %{expand:
@ -525,14 +586,18 @@ exit 0


 %define alternatives_javac_install() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
 PRIORITY=%{priority}
 if [ "%{?1}" == %{debug_suffix} ]; then
  let PRIORITY=PRIORITY-1
 fi

 ext=.gz
+key=javac
 alternatives \\
-  --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY  --family %{name}.%{_arch} \\
+  --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY  --family %{family} \\
  --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
  --slave %{_bindir}/appletviewer appletviewer %{sdkbindir -- %{?1}}/appletviewer \\
  --slave %{_bindir}/clhsdb clhsdb %{sdkbindir -- %{?1}}/clhsdb \\
@ -626,12 +691,17 @@ alternatives \\
  --slave %{_mandir}/man1/xjc.1$ext xjc.1$ext \\
  %{_mandir}/man1/xjc-%{uniquesuffix -- %{?1}}.1$ext

+%{set_if_needed_alternatives  $key %{family}}
+
 for X in %{origin} %{javaver} ; do
-  alternatives \\
-    --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{name}.%{_arch}
+  key=java_sdk_"$X"
+  alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{family}
+  %{set_if_needed_alternatives  $key %{family}}
 done

-update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{name}.%{_arch}
+key=java_sdk_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{family}
+%{set_if_needed_alternatives  $key %{family}}
 }

 %define post_devel() %{expand:
@ -642,10 +712,14 @@ exit 0
 }

 %define postun_devel() %{expand:
-  alternatives --remove javac %{sdkbindir -- %{?1}}/javac
-  alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
-  alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}}
-  alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
+  if [ "x$debug"  == "xtrue" ] ; then
+    set -x
+  fi
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+  %{save_and_remove_alternatives  javac %{sdkbindir -- %{?1}}/javac $post_state %{family}}
+  %{save_and_remove_alternatives  java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+  %{save_and_remove_alternatives  java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+  %{save_and_remove_alternatives  java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}

 update-desktop-database %{_datadir}/applications &> /dev/null || :

@ -662,36 +736,49 @@ exit 0
 }

 %define alternatives_javadoc_install() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
 PRIORITY=%{priority}
 if [ "%{?1}" == %{debug_suffix} ]; then
  let PRIORITY=PRIORITY-1
 fi

-alternatives \\
-  --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\
-  $PRIORITY  --family %{name}
+key=javadocdir
+alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY  --family %{family_noarch}
+%{set_if_needed_alternatives  $key %{family_noarch}}
 exit 0
 }

 %define postun_javadoc() %{expand:
-  alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+  %{save_and_remove_alternatives  javadocdir  %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
 exit 0
 }

 %define alternatives_javadoczip_install() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
 PRIORITY=%{priority}
 if [ "%{?1}" == %{debug_suffix} ]; then
  let PRIORITY=PRIORITY-1
 fi
-
-alternatives \\
-  --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\
-  $PRIORITY  --family %{name}
+key=javadoczip
+alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY  --family %{family_noarch}
+%{set_if_needed_alternatives  $key %{family_noarch}}
 exit 0
 }

 %define postun_javadoc_zip() %{expand:
-  alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+  if [ "x$debug"  == "xtrue" ] ; then
+    set -x
+  fi
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+  %{save_and_remove_alternatives  javadoczip  %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
 exit 0
 }

@ -1133,6 +1220,8 @@ Requires: copy-jdk-configs >= 4.0
 OrderWithRequires: copy-jdk-configs
 # for printing support
 Requires: cups-libs
+# for FIPS PKCS11 provider
+Requires: nss
 # Post requires alternatives to install tool alternatives
 Requires(post):   %{alternatives_requires}
 # Postun requires alternatives to uninstall tool alternatives
@ -1334,6 +1423,13 @@ Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
 Patch1008: rh1996182-login_to_nss_software_token.patch
 # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
 Patch1011: rh1991003-enable_fips_keys_import.patch
+# RH2021263: Resolve outstanding FIPS issues
+Patch1014: rh2021263-fips_ensure_security_initialised.patch
+Patch1015: rh2021263-fips_missing_native_returns.patch
+# RH2052819: Fix FIPS reliance on crypto policies
+Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
+# RH2052829: Detect NSS at Runtime for FIPS detection
+Patch1017: rh2052829-fips_runtime_nss_detection.patch

 #############################################
 #
@ -1367,6 +1463,8 @@ Patch600: rh1750419-redhat_alt_java.patch
 Patch111: jdk8218811-perfMemory_linux.patch
 # JDK-8281098, PR3836: Extra compiler flags not passed to adlc build
 Patch112: jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch
+# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+Patch113: jdk8275535-rh2053256-ldap_auth.patch

 #############################################
 #
@ -1482,8 +1580,8 @@ BuildRequires: libXinerama-devel
 BuildRequires: libXrender-devel
 BuildRequires: libXt-devel
 BuildRequires: libXtst-devel
-# Requirements for setting up the nss.cfg and FIPS support
-BuildRequires: nss-devel >= 3.53
+# Requirement for setting up nss.cfg and nss.fips.cfg
+BuildRequires: nss-devel
 BuildRequires: pkgconfig
 BuildRequires: xorg-x11-proto-devel
 BuildRequires: zip
@ -1792,6 +1890,7 @@ sh %{SOURCE12}
 %patch112
 %patch580
 %patch581
+%patch113

 # RPM-only fixes
 %patch539
@ -1806,6 +1905,10 @@ sh %{SOURCE12}
 %patch1007
 %patch1008
 %patch1011
+%patch1014
+%patch1015
+%patch1016
+%patch1017

 # RHEL-only patches
 %if ! 0%{?fedora} && 0%{?rhel} <= 7
@ -1936,7 +2039,7 @@ function buildjdk() {
    --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
    --with-boot-jdk=${buildjdk} \
    --with-debug-level=${debuglevel} \
-    --enable-sysconf-nss \
+    --disable-sysconf-nss \
    --enable-unlimited-crypto \
    --with-zlib=system \
    --with-libjpeg=system \
@ -2555,6 +2658,44 @@ cjc.mainProgram(args)
 %endif

 %changelog
+* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-9
+- Remove 'java --version' test as this is not supported on java-1.8.0-openjdk
+- Resolves: rhbz#2058487
+
+* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-8
+- Add JDK-8275535 patch to fix LDAP authentication issue.
+- Resolves: rhbz#2053525
+
+* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-7
+- Detect NSS at runtime for FIPS detection
+- Turn off build-time NSS linking and go back to an explicit Requires on NSS
+- Resolves: rhbz#2052833
+
+* Mon Feb 28 2022 Jiri Vanek <jvanek@redhat.com> - 1:1.8.0.322.b06-6
+- Storing and restoring alternatives during update manually
+- Family extracted to globals
+- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
+-- The move of alternatives creation to posttrans to fix:
+-- Bug 1200302 - dnf reinstall breaks alternatives
+-- Had caused the alternatives to be removed, and then created again,
+-- instead of being added, and then removing the old, and thus persisting
+-- the selection in family
+-- Thus this fix, is storing the family of manually selected master, and if
+-- stored, then it is restoring the family of the master
+- Resolves: rhbz#2008202
+
+* Sun Feb 27 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-5
+- Introduce tests/tests.yml, based on the one in RHEL 8
+- Resolves: rhbz#2058487
+
+* Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-4
+- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
+- Resolves: rhbz#2052821
+
+* Tue Feb 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-3
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+- Resolves: rhbz#2023387
+
 * Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-2
 - Refactor build functions so we can build just HotSpot without any attempt at installation.
 - Introduce architecture restriction logic for the gdb test. (RH2041970)