rpms
/
java-1.8.0-openjdk
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge branch 'c8' into a8-portable

This commit is contained in:
eabdullin 2023-07-20 19:17:58 +03:00
parent 1db42e44cf 29fc50007d
commit 6fd1f392d0
4 changed files with 33 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz
SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b05-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz

2
.java-1.8.0-openjdk.metadata
View File

@ -1,2 +1,2 @@
3f015b60e085b0e1f0fd9ea13abf775a890c2b1b SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz
5da51f425a78dbdcb00909544cac3385db461e54 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b05-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz

65
SOURCES/java-1.8.0-openjdk-portable.specfile
View File

@ -257,9 +257,8 @@
%global stapinstall %{nil}
%endif
# Always off in portables
%ifarch %{systemtap_arches}
%global with_systemtap 0
%global with_systemtap 1
%else
%global with_systemtap 0
%endif
@ -299,7 +298,7 @@
# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
%global shenandoah_project openjdk
%global shenandoah_repo shenandoah-jdk8u
%global openjdk_revision jdk8u372-b07
%global openjdk_revision jdk8u382-b05
%global shenandoah_revision shenandoah-%{openjdk_revision}
# Define old aarch64/jdk8u tree variables for compatibility
%global project %{shenandoah_project}
@ -396,20 +395,6 @@
%global alternatives_requires %{_sbindir}/alternatives
%endif
%if %{with_systemtap}
# Where to install systemtap tapset (links)
# We would like these to be in a package specific sub-dir,
# but currently systemtap doesn't support that, so we have to
# use the root tapset dir for now. To distinguish between 64
# and 32 bit architectures we place the tapsets under the arch
# specific dir (note that systemtap will only pickup the tapset
# for the primary arch for now). Systemtap uses the machine name
# aka target_cpu as architecture specific directory name.
%global tapsetroot /usr/share/systemtap
%global tapsetdirttapset %{tapsetroot}/tapset/
%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
%endif
# Prevent brp-java-repack-jars from being run.
%global __jar_repack 0
@ -466,8 +451,7 @@ Source7: NEWS
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (3.x).
# Systemtap tapsets. Zipped up to keep it small.
# Disabled in portables
#Source8: tapsets-icedtea-%%{icedteaver}.tar.xz
Source8: tapsets-icedtea-%%{icedteaver}.tar.xz
# Desktop files. Adapted from IcedTea
# Disabled in portables
@ -629,8 +613,6 @@ Patch12: jdk8186464-rh1433262-zip64_failure.patch
# able to be removed once that release is out
# and used by this RPM.
#############################################
# JDK-8271199, RH2175317: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
Patch2001: jdk8271199-rh2175317-custom_pkcs11_provider_support.patch
#############################################
#
@ -719,6 +701,8 @@ BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
%else
# Version in jdk/src/share/native/java/util/zip/zlib/zlib.h
Provides: bundled(zlib) = 1.2.13
# Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h
Provides: bundled(giflib) = 5.2.1
# Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h
@ -888,8 +872,6 @@ pushd %{top_level_dir_name}
%patch1000 -p1
# system cacerts support
%patch539 -p1
# 8u382 fix
%patch2001 -p1
popd
# RPM-only fixes
@ -916,17 +898,7 @@ cp -r tapset tapset%{fastdebug_suffix}
for suffix in %{build_loop} ; do
for file in "tapset"$suffix/*.in; do
OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/jre/lib/%{archinstall}/server/libjvm.so:g" $file > $file.1
# TODO find out which architectures other than i686 have a client vm
%ifarch %{ix86}
sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/jre/lib/%{archinstall}/client/libjvm.so:g" $file.1 > $OUTPUT_FILE
%else
sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.1 > $OUTPUT_FILE
%endif
sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE
sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $file
done
done
# systemtap tapsets ends
@ -1137,6 +1109,7 @@ function packagejdk() {
local bundledir=$(pwd)/${1}/bundles
local packagesdir=$(pwd)/${2}
local srcdir=$(pwd)/%{top_level_dir_name}
local tapsetdir=$(pwd)/tapset
echo "Packaging build from ${imagesdir} to ${packagesdir}..."
mkdir -p ${packagesdir}
@ -1198,6 +1171,9 @@ function packagejdk() {
for s in 16 24 32 48 ; do
cp -av ${srcdir}/jdk/src/solaris/classes/sun/awt/X11/java-icon${s}.png ${miscname}
done
%if %{with_systemtap}
cp -a ${tapsetdir}* ${miscname}
%endif
tar -cJf ${miscarchive} ${miscname}
genchecksum ${miscarchive}
fi
@ -1525,6 +1501,27 @@ done
%{_jvmdir}/%{miscportablearchive}.sha256sum
%changelog
* Fri Jul 14 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.382.b05-2
- Re-enable SystemTap support and perform only substitutions possible without final NVR available
- Include tapsets in the miscellaneous tarball
- Drop unused globals for tapset installation
* Fri Jul 14 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.382.b05-1
- Update to shenandoah-jdk8u372-b05 (GA)
- Update release notes for shenandoah-8u372-b05.
- ** This tarball is embargoed until 2023-07-18 @ 1pm PT. **
* Fri Jul 07 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.382.b04-0.1.ea
- Update to shenandoah-jdk8u382-b04 (EA)
- Update release notes for shenandoah-8u382-b04.
* Wed Jun 28 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.382.b01-0.1.ea
- Update to shenandoah-jdk8u382-b01 (EA)
- Update release notes for shenandoah-8u382-b01.
- Switch to EA mode.
- Remove JDK-8271199 patch which is now upstream.
- Add version of bundled zlib (bumped from 1.2.11 to 1.2.13 with this update)
* Thu Apr 27 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.372.b07-2
- Sync with existing RHEL 8 build, in order to start building portables on RHEL 8
- Fix debug symbols flag to newboot and package naming

167
SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch
View File

@ -1,167 +0,0 @@
commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99
Author: Alexey Bakhtin <abakhtin@openjdk.org>
Date: Tue Apr 4 10:29:11 2023 +0000
8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key
Reviewed-by: andrew, mbalao
Backport-of: f6232982b91cb2314e96ddbde3984836a810a556
diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
index a79e97d7c74..5378446b97b 100644
--- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java
@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi {
@Override
protected void engineInitVerify(PublicKey publicKey)
throws InvalidKeyException {
- if (!(publicKey instanceof RSAPublicKey)) {
+ if (publicKey instanceof RSAPublicKey) {
+ RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey;
+ isPublicKeyValid(rsaPubKey);
+ this.pubKey = rsaPubKey;
+ this.privKey = null;
+ resetDigest();
+ } else {
throw new InvalidKeyException("key must be RSAPublicKey");
}
- this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey);
- this.privKey = null;
- resetDigest();
}
// initialize for signing. See JCA doc
@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi {
@Override
protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
throws InvalidKeyException {
- if (!(privateKey instanceof RSAPrivateKey)) {
+ if (privateKey instanceof RSAPrivateKey) {
+ RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey;
+ isPrivateKeyValid(rsaPrivateKey);
+ this.privKey = rsaPrivateKey;
+ this.pubKey = null;
+ this.random =
+ (random == null ? JCAUtil.getSecureRandom() : random);
+ resetDigest();
+ } else {
throw new InvalidKeyException("key must be RSAPrivateKey");
}
- this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey);
- this.pubKey = null;
- this.random =
- (random == null? JCAUtil.getSecureRandom() : random);
- resetDigest();
}
/**
@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi {
}
}
+ /**
+ * Validate the specified RSAPrivateKey
+ */
+ private void isPrivateKeyValid(RSAPrivateKey prKey) throws InvalidKeyException {
+ try {
+ if (prKey instanceof RSAPrivateCrtKey) {
+ RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey;
+ if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) {
+ RSAKeyFactory.checkRSAProviderKeyLengths(
+ crtKey.getModulus().bitLength(),
+ crtKey.getPublicExponent());
+ } else {
+ throw new InvalidKeyException(
+ "Some of the CRT-specific components are not available");
+ }
+ } else {
+ RSAKeyFactory.checkRSAProviderKeyLengths(
+ prKey.getModulus().bitLength(),
+ null);
+ }
+ } catch (InvalidKeyException ikEx) {
+ throw ikEx;
+ } catch (Exception e) {
+ throw new InvalidKeyException(
+ "Can not access private key components", e);
+ }
+ isValid(prKey);
+ }
+
+ /**
+ * Validate the specified RSAPublicKey
+ */
+ private void isPublicKeyValid(RSAPublicKey pKey) throws InvalidKeyException {
+ try {
+ RSAKeyFactory.checkRSAProviderKeyLengths(
+ pKey.getModulus().bitLength(),
+ pKey.getPublicExponent());
+ } catch (InvalidKeyException ikEx) {
+ throw ikEx;
+ } catch (Exception e) {
+ throw new InvalidKeyException(
+ "Can not access public key components", e);
+ }
+ isValid(pKey);
+ }
+
/**
* Validate the specified RSAKey and its associated parameters against
* internal signature parameters.
*/
- private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException {
+ private void isValid(RSAKey rsaKey) throws InvalidKeyException {
try {
AlgorithmParameterSpec keyParams = rsaKey.getParams();
// validate key parameters
@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi {
}
checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength());
}
- return rsaKey;
} catch (SignatureException e) {
throw new InvalidKeyException(e);
}
diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
index 6b219937981..b3c1fae9672 100644
--- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl
RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded);
// check all CRT-specific components are available, if any one
// missing, return a non-CRT key instead
- if ((key.getPublicExponent().signum() == 0) ||
- (key.getPrimeExponentP().signum() == 0) ||
- (key.getPrimeExponentQ().signum() == 0) ||
- (key.getPrimeP().signum() == 0) ||
- (key.getPrimeQ().signum() == 0) ||
- (key.getCrtCoefficient().signum() == 0)) {
+ if (checkComponents(key)) {
+ return key;
+ } else {
return new RSAPrivateKeyImpl(
key.algid,
key.getModulus(),
- key.getPrivateExponent()
- );
- } else {
- return key;
+ key.getPrivateExponent());
}
}
+ /**
+ * Validate if all CRT-specific components are available.
+ */
+ static boolean checkComponents(RSAPrivateCrtKey key) {
+ return !((key.getPublicExponent().signum() == 0) ||
+ (key.getPrimeExponentP().signum() == 0) ||
+ (key.getPrimeExponentQ().signum() == 0) ||
+ (key.getPrimeP().signum() == 0) ||
+ (key.getPrimeQ().signum() == 0) ||
+ (key.getCrtCoefficient().signum() == 0));
+ }
+
/**
* Generate a new key from the specified type and components.
* Returns a CRT key if possible and a non-CRT key otherwise.