Fix FIPS issues in native code and with initialisation of java.security.Security

java-1.8.0-openjdk.spec

@@ -344,7 +344,7 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      1
+%global rpmrelease      2
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -1354,6 +1354,9 @@ Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
 Patch1008: rh1996182-login_to_nss_software_token.patch
 # RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
 Patch1011: rh1991003-enable_fips_keys_import.patch
+# RH2021263: Resolve outstanding FIPS issues
+Patch1014: rh2021263-fips_ensure_security_initialised.patch
+Patch1015: rh2021263-fips_missing_native_returns.patch
 
 #############################################
 #
@@ -1881,6 +1884,8 @@ sh %{SOURCE12}
 %patch1007
 %patch1008
 %patch1011
+%patch1014
+%patch1015
 
 # RHEL-only patches
 %if ! 0%{?fedora} && 0%{?rhel} <= 7
@@ -2683,6 +2688,9 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Wed Feb 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-2
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+
 * Wed Feb 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-1
 - Update to aarch64-shenandoah-jdk8u322-b06 (EA)
 - Update release notes for 8u322-b06.

rh2021263-fips_ensure_security_initialised.patch

@@ -0,0 +1,28 @@
+commit 06c2decab204fcce5aca2d285953fcac1820b1ae
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date:   Mon Jan 24 01:23:28 2022 +0000
+
+    RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+
+diff --git openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
+index 40ca609e02..0dafe6f59c 100644
+--- openjdk.orig/jdk/src/share/classes/sun/misc/SharedSecrets.java
++++ openjdk/jdk/src/share/classes/sun/misc/SharedSecrets.java
+@@ -31,6 +31,7 @@ import java.io.Console;
+ import java.io.FileDescriptor;
+ import java.io.ObjectInputStream;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+ 
+ import java.security.AccessController;
+@@ -255,6 +256,9 @@ public class SharedSecrets {
+     }
+ 
+     public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++        if (javaSecuritySystemConfiguratorAccess == null) {
++            unsafe.ensureClassInitialized(Security.class);
++        }
+         return javaSecuritySystemConfiguratorAccess;
+     }
+ }

rh2021263-fips_missing_native_returns.patch

@@ -0,0 +1,24 @@
+commit 7f58a05104138ebdfd3b7b968ed67ea4c8573073
+Author: Fridrich Strba <fstrba@suse.com>
+Date:   Mon Jan 24 01:10:57 2022 +0000
+
+    RH2021263: Return in C code after having generated Java exception
+
+diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
+index 6f4656bfcb..34d0ff0ce9 100644
+--- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
+@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+     dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+     if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+         throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++        return JNI_FALSE;
+     }
+     fips_enabled = fgetc(fe);
+     fclose(fe);
+     if (fips_enabled == EOF) {
+         throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++        return JNI_FALSE;
+     }
+     msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+             " read character is '%c'", fips_enabled);