diff --git a/.gitignore b/.gitignore index f92ec58..1ed05dc 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz +SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b05-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index e29a21e..ccea57f 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -3f015b60e085b0e1f0fd9ea13abf775a890c2b1b SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz +5da51f425a78dbdcb00909544cac3385db461e54 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b05-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/java-1.8.0-openjdk-portable.specfile b/SOURCES/java-1.8.0-openjdk-portable.specfile index 7c842a6..6c1febe 100644 --- a/SOURCES/java-1.8.0-openjdk-portable.specfile +++ b/SOURCES/java-1.8.0-openjdk-portable.specfile @@ -257,9 +257,8 @@ %global stapinstall %{nil} %endif -# Always off in portables %ifarch %{systemtap_arches} -%global with_systemtap 0 +%global with_systemtap 1 %else %global with_systemtap 0 %endif @@ -299,7 +298,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u372-b07 +%global openjdk_revision jdk8u382-b05 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -396,20 +395,6 @@ %global alternatives_requires %{_sbindir}/alternatives %endif -%if %{with_systemtap} -# Where to install systemtap tapset (links) -# We would like these to be in a package specific sub-dir, -# but currently systemtap doesn't support that, so we have to -# use the root tapset dir for now. To distinguish between 64 -# and 32 bit architectures we place the tapsets under the arch -# specific dir (note that systemtap will only pickup the tapset -# for the primary arch for now). Systemtap uses the machine name -# aka target_cpu as architecture specific directory name. -%global tapsetroot /usr/share/systemtap -%global tapsetdirttapset %{tapsetroot}/tapset/ -%global tapsetdir %{tapsetdirttapset}/%{stapinstall} -%endif - # Prevent brp-java-repack-jars from being run. %global __jar_repack 0 @@ -466,8 +451,7 @@ Source7: NEWS # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (3.x). # Systemtap tapsets. Zipped up to keep it small. -# Disabled in portables -#Source8: tapsets-icedtea-%%{icedteaver}.tar.xz +Source8: tapsets-icedtea-%%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea # Disabled in portables @@ -629,8 +613,6 @@ Patch12: jdk8186464-rh1433262-zip64_failure.patch # able to be removed once that release is out # and used by this RPM. ############################################# -# JDK-8271199, RH2175317: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key -Patch2001: jdk8271199-rh2175317-custom_pkcs11_provider_support.patch ############################################# # @@ -719,6 +701,8 @@ BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel %else +# Version in jdk/src/share/native/java/util/zip/zlib/zlib.h +Provides: bundled(zlib) = 1.2.13 # Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h Provides: bundled(giflib) = 5.2.1 # Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h @@ -888,8 +872,6 @@ pushd %{top_level_dir_name} %patch1000 -p1 # system cacerts support %patch539 -p1 -# 8u382 fix -%patch2001 -p1 popd # RPM-only fixes @@ -916,17 +898,7 @@ cp -r tapset tapset%{fastdebug_suffix} for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do - OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` - sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/jre/lib/%{archinstall}/server/libjvm.so:g" $file > $file.1 -# TODO find out which architectures other than i686 have a client vm -%ifarch %{ix86} - sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/jre/lib/%{archinstall}/client/libjvm.so:g" $file.1 > $OUTPUT_FILE -%else - sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.1 > $OUTPUT_FILE -%endif - sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE - sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE - sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $file done done # systemtap tapsets ends @@ -1137,6 +1109,7 @@ function packagejdk() { local bundledir=$(pwd)/${1}/bundles local packagesdir=$(pwd)/${2} local srcdir=$(pwd)/%{top_level_dir_name} + local tapsetdir=$(pwd)/tapset echo "Packaging build from ${imagesdir} to ${packagesdir}..." mkdir -p ${packagesdir} @@ -1198,6 +1171,9 @@ function packagejdk() { for s in 16 24 32 48 ; do cp -av ${srcdir}/jdk/src/solaris/classes/sun/awt/X11/java-icon${s}.png ${miscname} done +%if %{with_systemtap} + cp -a ${tapsetdir}* ${miscname} +%endif tar -cJf ${miscarchive} ${miscname} genchecksum ${miscarchive} fi @@ -1525,6 +1501,27 @@ done %{_jvmdir}/%{miscportablearchive}.sha256sum %changelog +* Fri Jul 14 2023 Andrew Hughes - 1:1.8.0.382.b05-2 +- Re-enable SystemTap support and perform only substitutions possible without final NVR available +- Include tapsets in the miscellaneous tarball +- Drop unused globals for tapset installation + +* Fri Jul 14 2023 Andrew Hughes - 1:1.8.0.382.b05-1 +- Update to shenandoah-jdk8u372-b05 (GA) +- Update release notes for shenandoah-8u372-b05. +- ** This tarball is embargoed until 2023-07-18 @ 1pm PT. ** + +* Fri Jul 07 2023 Andrew Hughes - 1:1.8.0.382.b04-0.1.ea +- Update to shenandoah-jdk8u382-b04 (EA) +- Update release notes for shenandoah-8u382-b04. + +* Wed Jun 28 2023 Andrew Hughes - 1:1.8.0.382.b01-0.1.ea +- Update to shenandoah-jdk8u382-b01 (EA) +- Update release notes for shenandoah-8u382-b01. +- Switch to EA mode. +- Remove JDK-8271199 patch which is now upstream. +- Add version of bundled zlib (bumped from 1.2.11 to 1.2.13 with this update) + * Thu Apr 27 2023 Andrew Hughes - 1:1.8.0.372.b07-2 - Sync with existing RHEL 8 build, in order to start building portables on RHEL 8 - Fix debug symbols flag to newboot and package naming diff --git a/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch b/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch deleted file mode 100644 index 42ac516..0000000 --- a/SOURCES/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch +++ /dev/null @@ -1,167 +0,0 @@ -commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99 -Author: Alexey Bakhtin -Date: Tue Apr 4 10:29:11 2023 +0000 - - 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key - - Reviewed-by: andrew, mbalao - Backport-of: f6232982b91cb2314e96ddbde3984836a810a556 - -diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java -index a79e97d7c74..5378446b97b 100644 ---- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java -+++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java -@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi { - @Override - protected void engineInitVerify(PublicKey publicKey) - throws InvalidKeyException { -- if (!(publicKey instanceof RSAPublicKey)) { -+ if (publicKey instanceof RSAPublicKey) { -+ RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey; -+ isPublicKeyValid(rsaPubKey); -+ this.pubKey = rsaPubKey; -+ this.privKey = null; -+ resetDigest(); -+ } else { - throw new InvalidKeyException("key must be RSAPublicKey"); - } -- this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey); -- this.privKey = null; -- resetDigest(); - } - - // initialize for signing. See JCA doc -@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi { - @Override - protected void engineInitSign(PrivateKey privateKey, SecureRandom random) - throws InvalidKeyException { -- if (!(privateKey instanceof RSAPrivateKey)) { -+ if (privateKey instanceof RSAPrivateKey) { -+ RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey; -+ isPrivateKeyValid(rsaPrivateKey); -+ this.privKey = rsaPrivateKey; -+ this.pubKey = null; -+ this.random = -+ (random == null ? JCAUtil.getSecureRandom() : random); -+ resetDigest(); -+ } else { - throw new InvalidKeyException("key must be RSAPrivateKey"); - } -- this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey); -- this.pubKey = null; -- this.random = -- (random == null? JCAUtil.getSecureRandom() : random); -- resetDigest(); - } - - /** -@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi { - } - } - -+ /** -+ * Validate the specified RSAPrivateKey -+ */ -+ private void isPrivateKeyValid(RSAPrivateKey prKey) throws InvalidKeyException { -+ try { -+ if (prKey instanceof RSAPrivateCrtKey) { -+ RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey; -+ if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) { -+ RSAKeyFactory.checkRSAProviderKeyLengths( -+ crtKey.getModulus().bitLength(), -+ crtKey.getPublicExponent()); -+ } else { -+ throw new InvalidKeyException( -+ "Some of the CRT-specific components are not available"); -+ } -+ } else { -+ RSAKeyFactory.checkRSAProviderKeyLengths( -+ prKey.getModulus().bitLength(), -+ null); -+ } -+ } catch (InvalidKeyException ikEx) { -+ throw ikEx; -+ } catch (Exception e) { -+ throw new InvalidKeyException( -+ "Can not access private key components", e); -+ } -+ isValid(prKey); -+ } -+ -+ /** -+ * Validate the specified RSAPublicKey -+ */ -+ private void isPublicKeyValid(RSAPublicKey pKey) throws InvalidKeyException { -+ try { -+ RSAKeyFactory.checkRSAProviderKeyLengths( -+ pKey.getModulus().bitLength(), -+ pKey.getPublicExponent()); -+ } catch (InvalidKeyException ikEx) { -+ throw ikEx; -+ } catch (Exception e) { -+ throw new InvalidKeyException( -+ "Can not access public key components", e); -+ } -+ isValid(pKey); -+ } -+ - /** - * Validate the specified RSAKey and its associated parameters against - * internal signature parameters. - */ -- private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException { -+ private void isValid(RSAKey rsaKey) throws InvalidKeyException { - try { - AlgorithmParameterSpec keyParams = rsaKey.getParams(); - // validate key parameters -@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi { - } - checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength()); - } -- return rsaKey; - } catch (SignatureException e) { - throw new InvalidKeyException(e); - } -diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java -index 6b219937981..b3c1fae9672 100644 ---- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java -+++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java -@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl - RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded); - // check all CRT-specific components are available, if any one - // missing, return a non-CRT key instead -- if ((key.getPublicExponent().signum() == 0) || -- (key.getPrimeExponentP().signum() == 0) || -- (key.getPrimeExponentQ().signum() == 0) || -- (key.getPrimeP().signum() == 0) || -- (key.getPrimeQ().signum() == 0) || -- (key.getCrtCoefficient().signum() == 0)) { -+ if (checkComponents(key)) { -+ return key; -+ } else { - return new RSAPrivateKeyImpl( - key.algid, - key.getModulus(), -- key.getPrivateExponent() -- ); -- } else { -- return key; -+ key.getPrivateExponent()); - } - } - -+ /** -+ * Validate if all CRT-specific components are available. -+ */ -+ static boolean checkComponents(RSAPrivateCrtKey key) { -+ return !((key.getPublicExponent().signum() == 0) || -+ (key.getPrimeExponentP().signum() == 0) || -+ (key.getPrimeExponentQ().signum() == 0) || -+ (key.getPrimeP().signum() == 0) || -+ (key.getPrimeQ().signum() == 0) || -+ (key.getCrtCoefficient().signum() == 0)); -+ } -+ - /** - * Generate a new key from the specified type and components. - * Returns a CRT key if possible and a non-CRT key otherwise.