diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index 93a4bbb..febb3c4 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -304,6 +304,10 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} +# Settings for local security configuration +%global security_file %{top_level_dir_name}/jdk/src/share/lib/security/java.security-%{_target_os} +%global cacerts_file /etc/pki/java/cacerts + # Define vendor information used by OpenJDK %global oj_vendor Red Hat, Inc. %global oj_vendor_url "https://www.redhat.com/" @@ -343,7 +347,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 4 +%global rpmrelease 5 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -829,6 +833,7 @@ exit 0 %{_jvmdir}/%{jrelnk -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security %{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts +%{_jvmdir}/%{jredir -- %{?1}}/lib/security/cacerts.upstream %dir %{_jvmdir}/%{jredir -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}/bin %dir %{_jvmdir}/%{jredir -- %{?1}}/lib @@ -957,6 +962,7 @@ exit 0 %{_jvmdir}/%{jredir -- %{?1}}/lib/rt.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/sound.properties %{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat +%{_jvmdir}/%{jredir -- %{?1}}/lib/tzdb.dat.upstream %{_jvmdir}/%{jredir -- %{?1}}/lib/management-agent.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/management/* %{_jvmdir}/%{jredir -- %{?1}}/lib/cmm/* @@ -1475,7 +1481,9 @@ Patch523: pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_ Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch # PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts) # PR3575, RH1567204: System cacerts database handling should not affect jssecacerts -Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch +# RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds +# Must be applied after FIPS patch as it also changes java.security +Patch539: pr2888-rh2055274-support_system_cacerts.patch # enable build of speculative store bypass hardened alt-java Patch600: rh1750419-redhat_alt_java.patch # JDK-8218811: replace open by os::open in hotspot coding @@ -1933,10 +1941,11 @@ pushd %{top_level_dir_name} %patch1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security %patch1000 -p1 +# cacerts patch; must follow FIPS patch as it also alters java.security +%patch539 -p1 popd # RPM-only fixes -%patch539 %patch600 %patch1003 @@ -2000,7 +2009,11 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg # Setup nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg +# Setup security policy +sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file} + %build + # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -2154,8 +2167,13 @@ function installjdk() { ${imagepath}/jre/lib/security/java.security # Use system-wide tzdata - rm ${imagepath}/jre/lib/tzdb.dat - ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat + mv ${imagepath}/jre/lib/tzdb.dat{,.upstream} + ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/jre/lib/tzdb.dat + + # Rename OpenJDK cacerts database + mv ${imagepath}/jre/lib/security/cacerts{,.upstream} + # Install cacerts symlink needed by some apps which hard-code the path + ln -sv %{cacerts_file} ${imagepath}/jre/lib/security # add alt-java man page pushd ${imagepath} @@ -2372,13 +2390,6 @@ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/clien done %endif - # Remove empty cacerts database - rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security/cacerts - # Install cacerts symlink needed by some apps which hardcode the path - pushd $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/security - ln -sf /etc/pki/java/cacerts . - popd - # Install versioned symlinks pushd $RPM_BUILD_ROOT%{_jvmdir} ln -sf %{jredir -- $suffix} %{jrelnk -- $suffix} @@ -2708,6 +2719,12 @@ cjc.mainProgram(args) %endif %changelog +* Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-5 +- Allow the default keystore to be configured using security.systemCACerts +- Use of the property can now be disabled using -Dsecurity.systemCACerts= +- Move cacerts replacement to install section and retain original of this and tzdb.dat +- Resolves: rhbz#2077006 + * Tue Aug 30 2022 Andrew Hughes - 1:1.8.0.345.b01-4 - Switch to static builds, reducing system dependencies and making build more portable - Resolves: rhbz#2121273 diff --git a/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch b/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch deleted file mode 100644 index a42688d..0000000 --- a/pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch +++ /dev/null @@ -1,63 +0,0 @@ -# HG changeset patch -# User andrew -# Date 1459487045 -3600 -# Fri Apr 01 06:04:05 2016 +0100 -# Node ID 3334efeacd8327a14b7d2f392f4546e3c29c594b -# Parent 6b81fd2227d14226f2121f2d51b464536925686e -PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts) -PR3575: System cacerts database handling should not affect jssecacerts - -diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java ---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java -+++ openjdk/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java -@@ -72,7 +72,7 @@ - * The preference of the default trusted KeyStore is: - * javax.net.ssl.trustStore - * jssecacerts -- * cacerts -+ * cacerts (system and local) - */ - private static final class TrustStoreDescriptor { - private static final String fileSep = File.separator; -@@ -83,6 +83,10 @@ - defaultStorePath + fileSep + "cacerts"; - private static final String jsseDefaultStore = - defaultStorePath + fileSep + "jssecacerts"; -+ /* Check system cacerts DB: /etc/pki/java/cacerts */ -+ private static final String systemStore = -+ fileSep + "etc" + fileSep + "pki" + -+ fileSep + "java" + fileSep + "cacerts"; - - // the trust store name - private final String storeName; -@@ -146,7 +150,8 @@ - long temporaryTime = 0L; - if (!"NONE".equals(storePropName)) { - String[] fileNames = -- new String[] {storePropName, defaultStore}; -+ new String[] {storePropName, -+ systemStore, defaultStore}; - for (String fileName : fileNames) { - File f = new File(fileName); - if (f.isFile() && f.canRead()) { -diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java ---- openjdk.orig/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -+++ openjdk/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -@@ -108,9 +108,14 @@ - throws Exception - { - String sep = File.separator; -- File file = new File(System.getProperty("java.home") + sep -- + "lib" + sep + "security" + sep -- + "cacerts"); -+ /* Check system cacerts DB first; /etc/pki/java/cacerts */ -+ File file = new File(sep + "etc" + sep + "pki" + sep -+ + "java" + sep + "cacerts"); -+ if (!file.exists()) { -+ file = new File(System.getProperty("java.home") + sep -+ + "lib" + sep + "security" + sep -+ + "cacerts"); -+ } - if (!file.exists()) { - return null; - } diff --git a/pr2888-rh2055274-support_system_cacerts.patch b/pr2888-rh2055274-support_system_cacerts.patch new file mode 100644 index 0000000..1b88f2a --- /dev/null +++ b/pr2888-rh2055274-support_system_cacerts.patch @@ -0,0 +1,263 @@ +diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +index e7b4763db53..e8ec8467e6a 100644 +--- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java ++++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +@@ -31,6 +31,7 @@ import java.security.*; + import java.security.cert.*; + import java.util.*; + import sun.security.action.*; ++import sun.security.tools.KeyStoreUtil; + import sun.security.validator.TrustStoreUtil; + + /** +@@ -68,7 +69,7 @@ final class TrustStoreManager { + * The preference of the default trusted KeyStore is: + * javax.net.ssl.trustStore + * jssecacerts +- * cacerts ++ * cacerts (system and local) + */ + private static final class TrustStoreDescriptor { + private static final String fileSep = File.separator; +@@ -76,7 +77,7 @@ final class TrustStoreManager { + GetPropertyAction.privilegedGetProperty("java.home") + + fileSep + "lib" + fileSep + "security"; + private static final String defaultStore = +- defaultStorePath + fileSep + "cacerts"; ++ KeyStoreUtil.getCacertsKeyStoreFile().getPath(); + private static final String jsseDefaultStore = + defaultStorePath + fileSep + "jssecacerts"; + +@@ -139,6 +140,10 @@ final class TrustStoreManager { + String storePropPassword = System.getProperty( + "javax.net.ssl.trustStorePassword", ""); + ++ if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) { ++ SSLLogger.fine("Default store: " + defaultStore); ++ } ++ + String temporaryName = ""; + File temporaryFile = null; + long temporaryTime = 0L; +@@ -146,21 +151,22 @@ final class TrustStoreManager { + String[] fileNames = + new String[] {storePropName, defaultStore}; + for (String fileName : fileNames) { +- File f = new File(fileName); +- if (f.isFile() && f.canRead()) { +- temporaryName = fileName;; +- temporaryFile = f; +- temporaryTime = f.lastModified(); +- +- break; +- } +- +- // Not break, the file is inaccessible. +- if (SSLLogger.isOn && ++ if (fileName != null && !"".equals(fileName)) { ++ File f = new File(fileName); ++ if (f.isFile() && f.canRead()) { ++ temporaryName = fileName;; ++ temporaryFile = f; ++ temporaryTime = f.lastModified(); ++ ++ break; ++ } ++ // Not break, the file is inaccessible. ++ if (SSLLogger.isOn && + SSLLogger.isOn("trustmanager")) { +- SSLLogger.fine( +- "Inaccessible trust store: " + +- storePropName); ++ SSLLogger.fine( ++ "Inaccessible trust store: " + ++ fileName); ++ } + } + } + } else { +diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +index fcc77786da1..f554f83a8b4 100644 +--- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java ++++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +@@ -33,7 +33,10 @@ import java.io.InputStreamReader; + + import java.net.URL; + ++import java.security.AccessController; + import java.security.KeyStore; ++import java.security.PrivilegedAction; ++import java.security.Security; + + import java.security.cert.X509Certificate; + import java.text.Collator; +@@ -54,6 +57,33 @@ public class KeyStoreUtil { + + private static final String JKS = "jks"; + ++ private static final String PROP_NAME = "security.systemCACerts"; ++ ++ /** ++ * Returns the value of the security property propName, which can be overridden ++ * by a system property of the same name ++ * ++ * @param propName the name of the system or security property ++ * @return the value of the system or security property ++ */ ++ @SuppressWarnings("removal") ++ public static String privilegedGetOverridable(String propName) { ++ if (System.getSecurityManager() == null) { ++ return getOverridableProperty(propName); ++ } else { ++ return AccessController.doPrivileged((PrivilegedAction) () -> getOverridableProperty(propName)); ++ } ++ } ++ ++ private static String getOverridableProperty(String propName) { ++ String val = System.getProperty(propName); ++ if (val == null) { ++ return Security.getProperty(propName); ++ } else { ++ return val; ++ } ++ } ++ + /** + * Returns true if the certificate is self-signed, false otherwise. + */ +@@ -96,20 +126,38 @@ public class KeyStoreUtil { + } + } + ++ /** ++ * Returns the path to the cacerts DB ++ */ ++ public static File getCacertsKeyStoreFile() ++ { ++ String sep = File.separator; ++ File file = null; ++ /* Check system cacerts DB first, preferring system property over security property */ ++ String systemDB = privilegedGetOverridable(PROP_NAME); ++ if (systemDB != null && !"".equals(systemDB)) { ++ file = new File(systemDB); ++ } ++ if (file == null || !file.exists()) { ++ file = new File(System.getProperty("java.home") + sep ++ + "lib" + sep + "security" + sep ++ + "cacerts"); ++ } ++ if (file.exists()) { ++ return file; ++ } ++ return null; ++ } ++ + /** + * Returns the keystore with the configured CA certificates. + */ + public static KeyStore getCacertsKeyStore() + throws Exception + { +- String sep = File.separator; +- File file = new File(System.getProperty("java.home") + sep +- + "lib" + sep + "security" + sep +- + "cacerts"); +- if (!file.exists()) { +- return null; +- } + KeyStore caks = null; ++ File file = getCacertsKeyStoreFile(); ++ if (file == null) { return null; } + try (FileInputStream fis = new FileInputStream(file)) { + caks = KeyStore.getInstance(JKS); + caks.load(fis, null); +diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix +index bfe0c593adb..093bc09bf95 100644 +--- a/jdk/src/share/lib/security/java.security-aix ++++ b/jdk/src/share/lib/security/java.security-aix +@@ -294,6 +294,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux +index 9d1c8fe8a8e..16c9281cc1f 100644 +--- a/jdk/src/share/lib/security/java.security-linux ++++ b/jdk/src/share/lib/security/java.security-linux +@@ -307,6 +307,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx +index 19047c61097..43e034cdeaf 100644 +--- a/jdk/src/share/lib/security/java.security-macosx ++++ b/jdk/src/share/lib/security/java.security-macosx +@@ -297,6 +297,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris +index 7eda556ae13..325937e97fb 100644 +--- a/jdk/src/share/lib/security/java.security-solaris ++++ b/jdk/src/share/lib/security/java.security-solaris +@@ -295,6 +295,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. +diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows +index dfa1a669aa9..92ef777e065 100644 +--- a/jdk/src/share/lib/security/java.security-windows ++++ b/jdk/src/share/lib/security/java.security-windows +@@ -297,6 +297,13 @@ security.overridePropertiesFile=true + # + security.useSystemPropertiesFile=false + ++# ++# Specifies the system certificate store ++# This property may be disabled using ++# -Djava.security.disableSystemCACerts=true ++# ++security.systemCACerts=${java.home}/lib/security/cacerts ++ + # + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package.