import java-1.8.0-openjdk-1.8.0.302.b08-3.el8

CentOS Sources 2021-11-09 04:46:21 -05:00 committed by Stepan Oksanichenko
parent 1da3709cbf
commit 8ada0d611f
5 changed files with 169 additions and 809 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b07-4curve.tar.xz SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b08-4curve.tar.xz
SOURCES/tapsets-icedtea-3.15.0.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz


@ -1,2 +1,2 @@
097b9b3d7dc423db2c9a6ef554370fb77d614952 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u312-b07-4curve.tar.xz 72250f55a8932ac5b53e4d2dba0d7c5644201ef0 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u302-b08-4curve.tar.xz
7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
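Review bot: the source tarball entry in the first line of this hunk goes from `jdk8u312-b07` to `jdk8u302-b08`, which is an older update than the one it replaces, and the checksum changes with it. Please confirm that importing 8u302 on top of 8u312 is the intended order for this branch, and say so in the commit message, since the title only names the imported version.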


@ -3,132 +3,6 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 8u312 (2021-10-19):
===========================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk8u312
* https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u312.txt
* Security fixes
- JDK-8130183, CVE-2021-35588: InnerClasses: VM permits wrong Throw ClassFormatError if InnerClasses attribute's inner_class_info_index is 0
- JDK-8161016: Strange behavior of URLConnection with proxy
- JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference
- JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close
- JDK-8263314: Enhance XML Dsig modes
- JDK-8265167, CVE-2021-35556: Richer Text Editors
- JDK-8265574: Improve handling of sheets
- JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
- JDK-8265776: Improve Stream handling for SSL
- JDK-8266097, CVE-2021-35561: Better hashing support
- JDK-8266103: Better specified spec values
- JDK-8266109: More Resilient Classloading
- JDK-8266115: More Manifest Jar Loading
- JDK-8266137, CVE-2021-35564: Improve Keystore integrity
- JDK-8266689, CVE-2021-35567: More Constrained Delegation
- JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
- JDK-8267712: Better LDAP reference processing
- JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
- JDK-8267735, CVE-2021-35586: Better BMP support
- JDK-8268193: Improve requests of certificates
- JDK-8268199: Correct certificate requests
- JDK-8268506: More Manifest Digests
- JDK-8269618, CVE-2021-35603: Better session identification
- JDK-8269624: Enhance method selection support
- JDK-8270398: Enhance canonicalization
- JDK-8270404: Better canonicalization
* Other changes
- JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit
- JDK-7146776: deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection
- JDK-7188942: Remove support of pbuffers in OGL Java2d pipeline
- JDK-8004148: NPE in sun.awt.SunToolkit.getWindowDeactivationTime
- JDK-8022323: [JavaSecurityScanner] review package com.sun.management.* Native methods should be private
- JDK-8027154: [TESTBUG] Test java/awt/Mouse/GetMousePositionTest/GetMousePositionWithPopup.java fails
- JDK-8035001: TEST_BUG: the retry logic in RMID.start() should check that the subprocess hasn't terminated
- JDK-8035424: (reflect) Performance problem in sun.reflect.generics.parser.SignatureParser
- JDK-8042557: compiler/uncommontrap/TestSpecTrapClassUnloading.java fails with: GC triggered before VM initialization completed
- JDK-8054118: java/net/ipv6tests/UdpTest.java failed intermittently
- JDK-8065215: Print warning summary at end of configure
- JDK-8072767: DefaultCellEditor for comboBox creates ActionEvent with wrong source object
- JDK-8079891: Store configure log in $BUILD/configure.log
- JDK-8080082: configure fails if you create an empty directory and then run configure from it
- JDK-8086003: Test fails on OSX with java.lang.RuntimeException 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' missing
- JDK-8131062: aarch64: add support for GHASH acceleration
- JDK-8134869: AARCH64: GHASH intrinsic is not optimal
- JDK-8134989: java/net/MulticastSocket/TestInterfaces.java failed due to unexpected IP address
- JDK-8156584: Initialization race in sun.security.x509.AlgorithmId.get
- JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream
- JDK-8166673: The new implementation of Robot.waitForIdle() may hang
- JDK-8170467: (reflect) Optimize SignatureParser's use of StringBuilders
- JDK-8194246: JVM crashes when calling getStackTrace if stack contains a method that is a member of a very large class
- JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails
- JDK-8202837: PBES2 AlgorithmId encoding error in PKCS12 KeyStore
- JDK-8206189: sun/security/pkcs12/EmptyPassword.java fails with Sequence tag error
- JDK-8214418: half-closed SSLEngine status may cause application dead loop
- JDK-8214513: A PKCS12 keystore from Java 8 using custom PBE parameters cannot be read in Java 11
- JDK-8220786: Create new switch to redirect error reporting output to stdout or stderr
- JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail
- JDK-8229243: SunPKCS11-Solaris provider tests failing on Solaris 11.4
- JDK-8231222: fix pkcs11 P11_DEBUG guarded native traces
- JDK-8237495: Java MIDI fails with a dereferenced memory error when asked to send a raw 0xF7
- JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers
- JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print
- JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)
- JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files
- JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
- JDK-8248901: Signed immediate support in .../share/assembler.hpp is broken.
- JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test
- JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space"
- JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames()
- JDK-8263311: Watch registry changes for remote printers update instead of polling
- JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers"
- JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M
- JDK-8265238: [8u] [macos] build failure in OpenJDK8u after JDK-8211301 in older xcode
- JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container
- JDK-8265978: make test should look for more locations when searching for exit code
- JDK-8266206: Build failure after JDK-8264752 with older GCCs
- JDK-8268103: JNI functions incorrectly return a double after JDK-8265836
- JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server
- JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark
- JDK-8269763: The JEditorPane is blank after JDK-8265167
- JDK-8269810: [8u] Update generated_configure.sh after JDK-8250876 backport
- JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers
- JDK-8269859: BacktraceBuilder._cprefs needs to be accessed as unsigned short
- JDK-8269882: stack-use-after-scope in NewObjectA
- JDK-8269953: config.log is not in build directory after 8u backport of JDK-8079891
- JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup
- JDK-8271466: StackGap test fails on aarch64 due to "-m64"
- JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
- JDK-8272214: [8u] Build failure after backport of JDK-8248901
- JDK-8272714: [8u] Build failure after backport of JDK-8248901 with MSVC 2013
* Shenandoah
- [backport] JDK-8269661: JNI_GetStringCritical does not lock char array
- Re-cast JNI critical strings patch to be Shenandoah-specific
Notes on individual issues:
===========================
core-libs/java.net:
JDK-8164200: Modified HttpURLConnection behavior when no suitable proxy is found
================================================================================
The behavior of HttpURLConnection when using a ProxySelector has been
modified with this JDK release. HttpURLConnection used to fall back to
a DIRECT connection attempt if the configured proxy(s) failed to make
a connection. This release introduces a change whereby no DIRECT
connection will be attempted in such a scenario. Instead, the
HttpURLConnection.connect() method will fail and throw an IOException
which occurred from the last proxy tested.
security-libs/javax.net.ssl:
JDK-8219551: Updated the Default Enabled Cipher Suites Preference
=================================================================
The preference of the default enabled cipher suites has been
changed. The compatibility impact should be minimal. If needed,
applications can customize the enabled cipher suites and the
preference. For more details, refer to the SunJSSE provider
documentation and the JSSE Reference Guide documentation.
New in release OpenJDK 8u302 (2021-07-20): New in release OpenJDK 8u302 (2021-07-20):
=========================================== ===========================================
Live versions of these release notes can be found at: Live versions of these release notes can be found at:
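Review bot: the lines dropped between the `Key:` block and the 8u302 heading are the whole 8u312 section, including its `Security fixes` list (entries carrying CVE identifiers such as CVE-2021-35550 and CVE-2021-35603) and the notes on HttpURLConnection no longer falling back to a DIRECT connection and on the default cipher suite preference. If the shipped sources really are 8u302, the package changelog should state that those fixes and behaviour changes are not present in this build, so that consumers tracking these CVEs do not assume coverage.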


@ -1,583 +0,0 @@
diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
+++ openjdk/jdk/src/share/classes/java/security/Security.java
@@ -78,6 +78,10 @@
public boolean isSystemFipsEnabled() {
return SystemConfigurator.isSystemFipsEnabled();
}
+ @Override
+ public boolean isPlainKeySupportEnabled() {
+ return SystemConfigurator.isPlainKeySupportEnabled();
+ }
});
// doPrivileged here because there are multiple
diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
+++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
@@ -55,6 +55,7 @@
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
private static boolean systemFipsEnabled = false;
+ private static boolean plainKeySupportEnabled = false;
private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
@@ -149,6 +150,16 @@
}
loadedProps = true;
systemFipsEnabled = true;
+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
+ "true");
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
+ if (sdebug != null) {
+ if (plainKeySupportEnabled) {
+ sdebug.println("FIPS support enabled with plain key support");
+ } else {
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
}
} catch (Exception e) {
if (sdebug != null) {
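Review bot: in the added block after `systemFipsEnabled = true;`, `plainKeySupportEnabled = !"false".equals(plainKeySupport);` disables plain key support only for the exact lowercase string `false`; `False`, `FALSE` or a typo leave it enabled, with nothing but the `sdebug` line to show it. For a switch that relaxes FIPS handling, compare case-insensitively (for example `!"false".equalsIgnoreCase(plainKeySupport)`), or accept only `true` and `false` and treat anything else as an error.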
@@ -176,6 +187,19 @@
return systemFipsEnabled;
}
+ /**
+ * Returns {@code true} if system FIPS alignment is enabled
+ * and plain key support is allowed. Plain key support is
+ * enabled by default but can be disabled with
+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
+ *
+ * @return a boolean indicating whether plain key support
+ * should be enabled.
+ */
+ static boolean isPlainKeySupportEnabled() {
+ return plainKeySupportEnabled;
+ }
+
/*
* OpenJDK FIPS mode will be enabled only if the com.redhat.fips
* system property is true (default) and the system is in FIPS mode.
diff --git openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
--- openjdk.orig/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
+++ openjdk/jdk/src/share/classes/sun/misc/JavaSecuritySystemConfiguratorAccess.java
@@ -27,4 +27,5 @@
public interface JavaSecuritySystemConfiguratorAccess {
boolean isSystemFipsEnabled();
+ boolean isPlainKeySupportEnabled();
}
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644
--- /dev/null
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,290 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.Provider;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.TemplateManager;
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import sun.security.pkcs11.wrapper.PKCS11Exception;
+import sun.security.rsa.RSAUtil.KeyType;
+import sun.security.util.Debug;
+import sun.security.util.ECUtil;
+
+final class FIPSKeyImporter {
+
+ private static final Debug debug =
+ Debug.getInstance("sunpkcs11");
+
+ private static P11Key importerKey = null;
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
+ private static CK_MECHANISM importerKeyMechanism = null;
+ private static Cipher importerCipher = null;
+
+ private static Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+
+ private static KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception {
+ long keyID = -1;
+ Token token = sunPKCS11.getToken();
+ if (debug != null) {
+ debug.println("Private or Secret key will be imported in" +
+ " system FIPS mode.");
+ }
+ if (importerKey == null) {
+ importerKeyLock.lock();
+ try {
+ if (importerKey == null) {
+ if (importerKeyMechanism == null) {
+ // Importer Key creation has not been tried yet. Try it.
+ createImporterKey(token);
+ }
+ if (importerKey == null || importerCipher == null) {
+ if (debug != null) {
+ debug.println("Importer Key could not be" +
+ " generated.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ if (debug != null) {
+ debug.println("Importer Key successfully" +
+ " generated.");
+ }
+ }
+ } finally {
+ importerKeyLock.unlock();
+ }
+ }
+ long importerKeyID = importerKey.getKeyID();
+ try {
+ byte[] keyBytes = null;
+ byte[] encKeyBytes = null;
+ long keyClass = 0L;
+ long keyType = 0L;
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
+ for (CK_ATTRIBUTE attr : attributes) {
+ if (attr.type == CKA_CLASS) {
+ keyClass = attr.getLong();
+ } else if (attr.type == CKA_KEY_TYPE) {
+ keyType = attr.getLong();
+ }
+ attrsMap.put(attr.type, attr);
+ }
+ BigInteger v = null;
+ if (keyClass == CKO_PRIVATE_KEY) {
+ if (keyType == CKK_RSA) {
+ if (debug != null) {
+ debug.println("Importing an RSA private key...");
+ }
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
+ KeyType.RSA,
+ null,
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ } else if (keyType == CKK_DSA) {
+ if (debug != null) {
+ debug.println("Importing a DSA private key...");
+ }
+ keyBytes = new sun.security.provider.DSAPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_EC) {
+ if (debug != null) {
+ debug.println("Importing an EC private key...");
+ }
+ if (sunECProvider == null) {
+ sunECProviderLock.lock();
+ try {
+ if (sunECProvider == null) {
+ sunECProvider = Security.getProvider("SunEC");
+ }
+ } finally {
+ sunECProviderLock.unlock();
+ }
+ }
+ keyBytes = P11ECUtil.generateECPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ECUtil.getECParameterSpec(sunECProvider,
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
+ .getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_DH) {
+ if (debug != null) {
+ debug.println("Importing a Diffie-Hellman private key...");
+ }
+ if (DHKF == null) {
+ DHKFLock.lock();
+ try {
+ if (DHKF == null) {
+ DHKF = KeyFactory.getInstance(
+ "DH", P11Util.getSunJceProvider());
+ }
+ } finally {
+ DHKFLock.unlock();
+ }
+ }
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO);
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else {
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ } else if (keyClass == CKO_SECRET_KEY) {
+ if (debug != null) {
+ debug.println("Importing a secret key...");
+ }
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
+ }
+ if (keyBytes == null || keyBytes.length == 0) {
+ if (debug != null) {
+ debug.println("Private or secret key plain bytes could" +
+ " not be obtained. Import failed.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
+ null);
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
+ attrsMap.values().toArray(attributes);
+ encKeyBytes = importerCipher.doFinal(keyBytes);
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
+ keyClass, keyType, attributes);
+ keyID = token.p11.C_UnwrapKey(hSession,
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
+ if (debug != null) {
+ debug.println("Imported key ID: " + keyID);
+ }
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ } finally {
+ importerKey.releaseKeyID();
+ }
+ return Long.valueOf(keyID);
+ }
+
+ private static void createImporterKey(Token token) {
+ if (debug != null) {
+ debug.println("Generating Importer Key...");
+ }
+ byte[] iv = new byte[16];
+ JCAUtil.getSecureRandom().nextBytes(iv);
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
+ try {
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
+ Session s = null;
+ try {
+ s = token.getObjSession();
+ long keyID = token.p11.C_GenerateKey(
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
+ attributes);
+ if (debug != null) {
+ debug.println("Importer Key ID: " + keyID);
+ }
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
+ 256 >> 3, null);
+ } catch (PKCS11Exception e) {
+ // best effort
+ } finally {
+ token.releaseSession(s);
+ }
+ if (importerKey != null) {
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ }
+ } catch (Throwable t) {
+ // best effort
+ importerKey = null;
+ importerCipher = null;
+ // importerKeyMechanism value is kept initialized to indicate that
+ // Importer Key creation has been tried and failed.
+ }
+ }
+}
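Review bot: in `importKey`, `keyBytes` holds the plain encoding of the private or secret key and is never cleared after `importerCipher.doFinal(keyBytes)`. In the private-key branches it is a fresh `getEncoded()` copy, so fill it with zeros in the `finally` block next to `importerKey.releaseKeyID()`; in the secret-key branch it comes from `attrsMap.get(CKA_VALUE).getByteArray()` and may alias the caller's array, so copy it first if it is to be cleared. Two smaller points in the same method: `catch (Throwable t)` discards the cause, so print it to `debug` before rethrowing, and the shared static `importerCipher` is initialised and used outside `importerKeyLock` with the single IV created in `createImporterKey`, which relies on every caller being serialised elsewhere.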
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
package sun.security.pkcs11;
import java.io.*;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
import java.util.*;
import java.security.*;
@@ -63,6 +66,26 @@
private static final boolean systemFipsEnabled = SharedSecrets
.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
+ private static final MethodHandle fipsImportKey;
+ static {
+ MethodHandle fipsImportKeyTmp = null;
+ if (plainKeySupportEnabled) {
+ try {
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
+ FIPSKeyImporter.class, "importKey",
+ MethodType.methodType(Long.class, SunPKCS11.class,
+ long.class, CK_ATTRIBUTE[].class));
+ } catch (Throwable t) {
+ throw new SecurityException("FIPS key importer initialization" +
+ " failed", t);
+ }
+ }
+ fipsImportKey = fipsImportKeyTmp;
+ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -314,10 +337,15 @@
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
+ MethodHandle fipsKeyImporter = null;
+ if (plainKeySupportEnabled) {
+ fipsKeyImporter = MethodHandles.insertArguments(
+ fipsImportKey, 0, this);
+ }
try {
tmpPKCS11 = PKCS11.getInstance(
library, functionList, initArgs,
- config.getOmitInitialize());
+ config.getOmitInitialize(), fipsKeyImporter);
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
@@ -333,7 +361,7 @@
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
- functionList, initArgs, config.getOmitInitialize());
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
}
p11 = tmpPKCS11;
diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,7 @@
import java.io.File;
import java.io.IOException;
+import java.lang.invoke.MethodHandle;
import java.util.*;
import java.security.AccessController;
@@ -147,16 +148,28 @@
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
// so keep a cache using the (non-canonicalized!) path
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
if (pkcs11 == null) {
+ boolean nssFipsMode = fipsKeyImporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
+ fipsKeyImporter);
+ } else {
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
} else {
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
+ functionList, fipsKeyImporter);
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ }
}
if (omitInitialize == false) {
try {
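Review bot: `fipsKeyImporter` is only looked at inside `if (pkcs11 == null)`, so when `moduleMap` already holds an instance for `pkcs11ModulePath` the argument is silently ignored. The handle is built in SunPKCS11 with `MethodHandles.insertArguments(fipsImportKey, 0, this)`, so a second provider using the same module path would get a wrapper bound to the first provider, or a plain `PKCS11` if the first caller passed `null`. Document that the first caller wins, or reject a mismatch explicitly.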
@@ -1905,4 +1918,69 @@
super.C_GenerateRandom(hSession, randomData);
}
}
+
+// PKCS11 subclass that allows using plain private or secret keys in
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
+// is enabled.
+static class FIPSPKCS11 extends PKCS11 {
+ private MethodHandle fipsKeyImporter;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // Creating sensitive key objects from plain key material in a
+ // FIPS-configured NSS Software Token is not allowed. We apply
+ // a key-unwrapping scheme to achieve so.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
}
+
+// FIPSPKCS11 synchronized counterpart.
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
+ private MethodHandle fipsKeyImporter;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // See FIPSPKCS11::C_CreateObject.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+private static class FIPSPKCS11Helper {
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
+ for (CK_ATTRIBUTE attr : pTemplate) {
+ if (attr.type == CKA_CLASS &&
+ (attr.getLong() == CKO_PRIVATE_KEY ||
+ attr.getLong() == CKO_SECRET_KEY)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
+}
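Review bot: in both `C_CreateObject` overrides, `catch (Throwable t)` replaces whatever the handle threw with a fresh `PKCS11Exception(CKR_GENERAL_ERROR)` and drops the cause. Rethrow a `PKCS11Exception` unchanged and wrap only other throwables, keeping the cause for `debug`. The two method bodies are identical, so they could share one static helper in `FIPSPKCS11Helper`, and `isSensitiveObject` deserves a comment saying that it keys on `CKA_CLASS` alone and not on `CKA_SENSITIVE`.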
diff --git openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+++ openjdk/jdk/src/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
@@ -33,8 +33,13 @@
import javax.net.ssl.*;
+import sun.misc.SharedSecrets;
+
abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
X509ExtendedKeyManager keyManager;
boolean isInitialized;
@@ -62,7 +67,8 @@
KeyStoreException, NoSuchAlgorithmException,
UnrecoverableKeyException {
if ((ks != null) && SunJSSE.isFIPS()) {
- if (ks.getProvider() != SunJSSE.cryptoProvider) {
+ if (ks.getProvider() != SunJSSE.cryptoProvider &&
+ !plainKeySupportEnabled) {
throw new KeyStoreException("FIPS mode: KeyStore must be "
+ "from provider " + SunJSSE.cryptoProvider.getName());
}
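Review bot: adding `&& !plainKeySupportEnabled` to this condition means the FIPS-mode requirement that the KeyStore come from `SunJSSE.cryptoProvider` is skipped whenever plain key support is on, and the SystemConfigurator javadoc in this patch says it is on by default. The "FIPS mode: KeyStore must be from provider" exception is then only reachable with `-Dcom.redhat.fips.plainKeySupport=false`; add a comment here stating that, and the same for the repeated condition in the next hunk.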
@@ -91,8 +97,8 @@
keyManager = new X509KeyManagerImpl(
Collections.<Builder>emptyList());
} else {
- if (SunJSSE.isFIPS() &&
- (ks.getProvider() != SunJSSE.cryptoProvider)) {
+ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
+ && !plainKeySupportEnabled) {
throw new KeyStoreException(
"FIPS mode: KeyStore must be " +
"from provider " + SunJSSE.cryptoProvider.getName());


@ -19,8 +19,6 @@
%bcond_without slowdebug %bcond_without slowdebug
# Enable release builds by default on relevant arches. # Enable release builds by default on relevant arches.
%bcond_without release %bcond_without release
# Remove build artifacts by default
%bcond_with artifacts
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info. # This fixes detailed NMT and other tools which need minimal debug info.
@ -67,7 +65,7 @@
# Set of architectures for which we build slowdebug builds # Set of architectures for which we build slowdebug builds
%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64}
# Set of architectures for which we build fastdebug builds # Set of architectures for which we build fastdebug builds
%global fastdebug_arches x86_64 %global fastdebug_arches x86_64 ppc64le aarch64
# Set of architectures with a Just-In-Time (JIT) compiler # Set of architectures with a Just-In-Time (JIT) compiler
%global jit_arches %{debug_arches} %global jit_arches %{debug_arches}
# Set of architectures which run a full bootstrap cycle # Set of architectures which run a full bootstrap cycle
@ -265,7 +263,7 @@
# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
%global shenandoah_project aarch64-port %global shenandoah_project aarch64-port
%global shenandoah_repo jdk8u-shenandoah %global shenandoah_repo jdk8u-shenandoah
%global shenandoah_revision aarch64-shenandoah-jdk8u312-b07 %global shenandoah_revision aarch64-shenandoah-jdk8u302-b08
# Define old aarch64/jdk8u tree variables for compatibility # Define old aarch64/jdk8u tree variables for compatibility
%global project %{shenandoah_project} %global project %{shenandoah_project}
%global repo %{shenandoah_repo} %global repo %{shenandoah_repo}
@ -281,7 +279,7 @@
%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u})
# eg jdk8u60-b27 -> b27 # eg jdk8u60-b27 -> b27
%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-})
%global rpmrelease 1 %global rpmrelease 3
# Define milestone (EA for pre-releases, GA ("fcs") for releases) # Define milestone (EA for pre-releases, GA ("fcs") for releases)
# Release will be (where N is usually a number starting at 1): # Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases, # - 0.N%%{?extraver}%%{?dist} for EA releases,
@ -310,7 +308,6 @@
%global jdkimage j2sdk-image %global jdkimage j2sdk-image
# output dir stub # output dir stub
%define buildoutputdir() %{expand:build/jdk8.build%{?1}} %define buildoutputdir() %{expand:build/jdk8.build%{?1}}
%define installoutputdir() %{expand:install/jdk8.install%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch # we can copy the javadoc to not arched dir, or make it not noarch
%define uniquejavadocdir() %{expand:%{fullversion}%{?1}} %define uniquejavadocdir() %{expand:%{fullversion}%{?1}}
# main id and dir of this jdk # main id and dir of this jdk
@ -908,7 +905,7 @@ exit 0
%define files_demo() %{expand: %define files_demo() %{expand:
%defattr(-,root,root,-) %defattr(-,root,root,-)
%license %{installoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE %license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE
} }
%define files_src() %{expand: %define files_src() %{expand:
@ -920,13 +917,13 @@ exit 0
%define files_javadoc() %{expand: %define files_javadoc() %{expand:
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
%license %{installoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE %license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE
} }
%define files_javadoc_zip() %{expand: %define files_javadoc_zip() %{expand:
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
%license %{installoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE %license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE
} }
%define files_accessibility() %{expand: %define files_accessibility() %{expand:
@ -972,11 +969,13 @@ Requires: javapackages-filesystem
Requires: tzdata-java >= 2021a Requires: tzdata-java >= 2021a
# libsctp.so.1 is being `dlopen`ed on demand # libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa} Requires: lksctp-tools%{?_isa}
%if ! 0%{?flatpak}
# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
# considered as regression # considered as regression
Requires: copy-jdk-configs >= 3.3 Requires: copy-jdk-configs >= 4.0
OrderWithRequires: copy-jdk-configs OrderWithRequires: copy-jdk-configs
%endif
# for printing support # for printing support
Requires: cups-libs Requires: cups-libs
# Post requires alternatives to install tool alternatives # Post requires alternatives to install tool alternatives
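Review bot: the new %if ! 0%{?flatpak} guard around the copy-jdk-configs Requires carries no rationale, and the comment block that now sits inside it argues for a hard Requires so that configs persist on a plain rpm -U. Add one comment line saying why Flatpak builds are exempt. The bump from >= 3.3 to >= 4.0 is tied to the scriptlet switching to cjc.mainProgram(args) further down; a short comment linking the two would stop someone from relaxing the version later.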
@ -1200,8 +1199,6 @@ Patch1006: rh1929465-improve_system_FIPS_detection-root.patch
Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch Patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch
# RH1996182: Login to the NSS software token in FIPS mode # RH1996182: Login to the NSS software token in FIPS mode
Patch1008: rh1996182-login_to_nss_software_token.patch Patch1008: rh1996182-login_to_nss_software_token.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
Patch1011: rh1991003-enable_fips_keys_import.patch
############################################# #############################################
# #
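Review bot: removing Patch1011 (rh1991003-enable_fips_keys_import.patch) also removes the com.redhat.fips.plainKeySupport switch its comment describes, while Patch1006 to Patch1008 (FIPS detection and NSS software token login) stay in place. Nothing in the spec records that plain key import is no longer available on this branch; confirm that is intended and note it in the changelog, since a -Dcom.redhat.fips.plainKeySupport setting carried over from the 8u312 build would be silently ignored.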
@ -1705,7 +1702,6 @@ sh %{SOURCE12}
%patch1006 %patch1006
%patch1007 %patch1007
%patch1008 %patch1008
%patch1011
# RHEL-only patches # RHEL-only patches
%if ! 0%{?fedora} && 0%{?rhel} <= 7 %if ! 0%{?fedora} && 0%{?rhel} <= 7
@ -1803,10 +1799,9 @@ export EXTRA_CFLAGS EXTRA_ASFLAGS
function buildjdk() { function buildjdk() {
local outputdir=${1} local outputdir=${1}
local installdir=${2} local buildjdk=${2}
local buildjdk=${3} local maketargets=${3}
local maketargets=${4} local debuglevel=${4}
local debuglevel=${5}
local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name} local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name}
# Variable used in hs_err hook on build failures # Variable used in hs_err hook on build failures
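Review bot: buildjdk() drops from five positional parameters to four and shifts buildjdk, maketargets and debuglevel down by one, with no check on the argument count. A caller left on the old signature would pass the install directory as the boot JDK and the build would fail much later inside configure. A guard at the top of the function, for example [ $# -eq 4 ] || exit 1, makes the mismatch fail immediately. The local named buildjdk also has the same name as the function; bootjdk would read better.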
@ -1819,7 +1814,7 @@ function buildjdk() {
echo "Using debuglevel: ${debuglevel}" echo "Using debuglevel: ${debuglevel}"
echo "Building 8u%{updatever}-%{buildver}, milestone %{milestone}" echo "Building 8u%{updatever}-%{buildver}, milestone %{milestone}"
mkdir -p ${outputdir} ${installdir} mkdir -p ${outputdir}
pushd ${outputdir} pushd ${outputdir}
bash ${top_srcdir_abs_path}/configure \ bash ${top_srcdir_abs_path}/configure \
@ -1880,23 +1875,6 @@ function buildjdk() {
find images/%{jdkimage}/bin/ -exec chmod +x {} \; find images/%{jdkimage}/bin/ -exec chmod +x {} \;
popd >& /dev/null popd >& /dev/null
echo "Installing build from ${outputdir} to ${installdir}..."
echo "Installing images..."
mv ${outputdir}/images ${installdir}
if [ -d ${outputdir}/bundles ] ; then
echo "Installing bundles...";
mv ${outputdir}/bundles ${installdir} ;
fi
if [ -d ${outputdir}/docs ] ; then
echo "Installing docs...";
mv ${outputdir}/docs ${installdir} ;
fi
%if !%{with artifacts}
echo "Removing output directory...";
rm -rf ${outputdir}
%endif
} }
for suffix in %{build_loop} ; do for suffix in %{build_loop} ; do
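Review bot: with the tail of buildjdk() removed, nothing deletes ${outputdir} after a build, so every %{build_loop} suffix keeps its full build tree (object files as well as images, bundles and docs) for the rest of the rpmbuild run. That matches the removal of the artifacts bcond in the first hunk, but it reverses the disk-footprint reduction the removed changelog entry describes; if builder disk space is a concern on this branch, keep a cleanup step after the images have been consumed in %install.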
@ -1910,8 +1888,6 @@ fi
systemjdk=/usr/lib/jvm/java-openjdk systemjdk=/usr/lib/jvm/java-openjdk
builddir=%{buildoutputdir -- $suffix} builddir=%{buildoutputdir -- $suffix}
bootbuilddir=boot${builddir} bootbuilddir=boot${builddir}
installdir=%{installoutputdir -- $suffix}
bootinstalldir=boot${installdir}
# Debug builds don't need same targets as release for # Debug builds don't need same targets as release for
# build speed-up # build speed-up
@ -1921,15 +1897,15 @@ if echo $debugbuild | grep -q "debug" ; then
fi fi
%if %{bootstrap_build} %if %{bootstrap_build}
buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild}
buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild}
%{!?with_artifacts:rm -rf ${bootinstalldir}} rm -rf ${bootbuilddir}
%else %else
buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild}
%endif %endif
# Install nss.cfg right away as we will be using the JRE above # Install nss.cfg right away as we will be using the JRE above
export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage} export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage}
# Install nss.cfg right away as we will be using the JRE above # Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg $JAVA_HOME/jre/lib/security/ install -m 644 nss.cfg $JAVA_HOME/jre/lib/security/
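Review bot: the rewritten calls pass $(pwd)/${bootbuilddir}/images/%{jdkimage} and ${builddir} unquoted, and rm -rf ${bootbuilddir} is now unconditional and unquoted as well. A build root containing whitespace would split the boot JDK path into two arguments and shift maketargets and debuglevel in buildjdk(); quote the expansions. Separately, the comment "Install nss.cfg right away as we will be using the JRE above" appears twice around the export JAVA_HOME line; the first copy should be dropped or changed to describe the export.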
@ -1955,7 +1931,7 @@ done
# We test debug first as it will give better diagnostics on a crash # We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do for suffix in %{build_loop} ; do
export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage} export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage}
# Check unlimited policy has been used # Check unlimited policy has been used
$JAVA_HOME/bin/javac -d . %{SOURCE13} $JAVA_HOME/bin/javac -d . %{SOURCE13}
@ -2069,7 +2045,7 @@ STRIP_KEEP_SYMTAB=libjvm*
for suffix in %{build_loop} ; do for suffix in %{build_loop} ; do
# Install the jdk # Install the jdk
pushd %{installoutputdir -- $suffix}/images/%{jdkimage} pushd %{buildoutputdir -- $suffix}/images/%{jdkimage}
# Install jsa directories so we can owe them # Install jsa directories so we can owe them
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/server/ mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{jredir -- $suffix}/lib/%{archinstall}/server/
@ -2136,9 +2112,9 @@ popd
if ! echo $suffix | grep -q "debug" ; then if ! echo $suffix | grep -q "debug" ; then
# Install Javadoc documentation # Install Javadoc documentation
install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}
cp -a %{installoutputdir -- $suffix}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} cp -a %{buildoutputdir -- $suffix}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}
built_doc_archive=jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip built_doc_archive=jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip
cp -a %{installoutputdir -- $suffix}/bundles/$built_doc_archive $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip cp -a %{buildoutputdir -- $suffix}/bundles/$built_doc_archive $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip
fi fi
# Install release notes # Install release notes
@ -2239,7 +2215,13 @@ done
-- whether copy-jdk-configs is installed or not. If so, then configs are copied -- whether copy-jdk-configs is installed or not. If so, then configs are copied
-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all -- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
local posix = require "posix" local posix = require "posix"
local debug = false
if (os.getenv("debug") == "true") then
debug = true;
print("cjc: in spec debug is on")
else
debug = false;
end
SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua" SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua" SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
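Review bot: local debug = false shadows Lua's standard debug library for the rest of the scriptlet, and the flag is driven by a generically named environment variable (debug), so any transaction run with debug=true in the environment turns it on. Rename the local (for example cjc_debug) and read a package-specific variable name. The else branch is redundant because the variable is already initialised to false.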
@ -2267,9 +2249,10 @@ else
return return
end end
end end
-- run content of included file with fake args arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua"
arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} cjc = require "copy_jdk_configs.lua"
require "copy_jdk_configs.lua" args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
cjc.mainProgram(args)
%post %post
%{post_script %{nil}} %{post_script %{nil}}
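Review bot: cjc and args are assigned without local, so they become globals in the scriptlet's Lua state, and cjc.mainProgram(args) is called without checking what require returned. This runs in the pre-transaction scriptlet, where the Requires on copy-jdk-configs >= 4.0 may not be satisfied yet; if the copy_jdk_configs.lua found on disk does not return a module table, the call raises an error and aborts the transaction. Declare both as local and guard the call, for example with type(cjc) == "table" and cjc.mainProgram before invoking it. The trailing comment on the arg = nil line also needs its spelling fixed ("no meter", "relaying") and would be easier to read on its own line above the statement.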
@ -2441,44 +2424,25 @@ require "copy_jdk_configs.lua"
%endif %endif
%changelog %changelog
* Fri Oct 15 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b07-1 * Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-3
- Update to aarch64-shenandoah-jdk8u312-b07 (EA)
- Update release notes for 8u312-b07.
- Switch to GA mode for final release.
- This tarball is embargoed until 2021-10-19 @ 1pm PT.
- Resolves: rhbz#2011826
* Thu Oct 14 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b05-0.4.ea
- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
- Resolves: rhbz#2014193
* Thu Oct 14 2021 Martin Balao <mbalao@redhat.com> - 1:1.8.0.312.b05-0.4.ea
- Add patch to allow plain key import.
- Resolves: rhbz#2014193
* Thu Oct 14 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b05-0.3.ea
- Add patch to login to the NSS software token when in FIPS mode. - Add patch to login to the NSS software token when in FIPS mode.
- Resolves: rhbz#2014204 - Resolves: rhbz#1997358
* Thu Oct 14 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b05-0.2.ea * Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-2
- Fix path to libsystemconf.so on 8u.
- Resolves: rhbz#1971679
* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-2
- Port FIPS system detection support to OpenJDK 8u - Port FIPS system detection support to OpenJDK 8u
- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
- Resolves: rhbz#2014201 - Resolves: rhbz#1971679
* Thu Oct 14 2021 Martin Balao <mbalao@redhat.com> - 1:1.8.0.312.b05-0.2.ea * Fri Aug 27 2021 Martin Balao <mbalao@redhat.com> - 1:1.8.0.302.b08-2
- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
- Resolves: rhbz#2014201 - Resolves: rhbz#1971679
* Tue Oct 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b05-0.1.ea * Fri Jul 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-1
- Update to aarch64-shenandoah-jdk8u312-b05-shenandoah-merge-2021-10-07
- Update release notes for 8u312-b05-shenandoah-merge-2021-10-07.
- Reduce disk footprint by removing build artifacts by default.
- Switch to EA mode.
- Remove non-Free test and demo files from source tarball.
- Related: rhbz#2011826
* Fri Jul 16 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-0
- Update to aarch64-shenandoah-jdk8u302-b08 (EA) - Update to aarch64-shenandoah-jdk8u302-b08 (EA)
- Update release notes for 8u302-b08. - Update release notes for 8u302-b08.
- Switch to GA mode for final release. - Switch to GA mode for final release.
@ -2488,41 +2452,146 @@ require "copy_jdk_configs.lua"
* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b07-0.0.ea * Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b07-0.0.ea
- Update to aarch64-shenandoah-jdk8u302-b07 (EA) - Update to aarch64-shenandoah-jdk8u302-b07 (EA)
- Update release notes for 8u302-b07. - Update release notes for 8u302-b07.
- Switch to EA mode. - Resolves: rhbz#1967812
- Cleanup architecture handling
- Fixed not-including fastdebug build in case of --without fastdebug * Tue Jul 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b06-0.0.ea
- Re-order source files to sync with Fedora. - Update to aarch64-shenandoah-jdk8u302-b06 (EA)
- Update release notes for 8u302-b06.
- Resolves: rhbz#1967812
* Tue Jul 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b05-0.2.ea
- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
- Fix name of javadoc debug packages in Obsoletes declarations and add version where it was removed.
- Resolves: rhbz#1966233
* Mon Jul 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b05-0.1.ea
- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
- Resolves: rhbz#1966233
* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b05-0.0.ea
- Update to aarch64-shenandoah-jdk8u302-b05 (EA)
- Update release notes for 8u302-b05.
- Resolves: rhbz#1967812
* Wed Jun 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b04-0.0.ea
- Update to aarch64-shenandoah-jdk8u302-b04 (EA)
- Update release notes for 8u302-b04.
- Resolves: rhbz#1967812
* Tue Jun 29 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b03-0.3.ea
- Introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched - Introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched
- Patch600, rh1750419-redhat_alt_java.patch, amended to die, if it is used wrongly - Patch600, rh1750419-redhat_alt_java.patch, amended to die, if it is used wrongly
- Introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures - Introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures
- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Resolves: rhbz#1966233
- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
- Fix name of javadoc debug packages in Obsoletes declarations and add version where it was removed.
- Resolves: rhbz#1972395
* Mon Jun 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:1.8.0.302.b07-0.0.ea * Mon Jun 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b03-0.2.ea
- Re-order source files to sync with Fedora.
- Resolves: rhbz#1966233
* Mon Jun 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:1.8.0.302.b03-0.2.ea
- Add a test verifying system crypto policies can be disabled - Add a test verifying system crypto policies can be disabled
- Resolves: rhbz#1972395 - Resolves: rhbz#1966233
* Tue Apr 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b10-1 * Mon Jun 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b03-0.1.ea
- Update to aarch64-shenandoah-jdk8u302-b03-shenandoah-merge-2021-06-23 (EA)
- Update release notes for 8u302-b03-shenandoah-merge-2021-06-23.
- Resolves: rhbz#1967812
* Sun Jun 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b03-0.0.ea
- Update to aarch64-shenandoah-jdk8u302-b03 (EA)
- Update release notes for 8u302-b03.
- Resolves: rhbz#1967812
* Sat Jun 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b02-0.0.ea
- Update to aarch64-shenandoah-jdk8u302-b02 (EA)
- Update release notes for 8u302-b02.
- Resolves: rhbz#1967812
* Mon Jun 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b01-0.3.ea
- Add ppc64le and aarch64 to fastdebug_arches
- Resolves: rhbz#1969254
* Fri Jun 18 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b01-0.2.ea
- Cleanup architecture handling in preparation for extending set of fastdebug architectures
- Fixed not-including fastdebug build in case of --without fastdebug
- Resolves: rhbz#1969254
* Wed Jun 16 2021 Jiri Vanek <jvanek@redhat.com> - 1:1.8.0.302.b01-0.1.ea
- adapted to newst cjc to fix issue with rpm 4.17
- Disable copy-jdk-configs for Flatpak builds
- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction
- Resolves: rhbz#1953923
* Sat May 22 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b01-0.0.ea
- Update to aarch64-shenandoah-jdk8u302-b01 (EA)
- Update release notes for 8u302-b01.
- Switch to EA mode.
- Resolves: rhbz#1967812
* Tue Apr 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b10-2
- Update to aarch64-shenandoah-jdk8u292-b10 (GA) - Update to aarch64-shenandoah-jdk8u292-b10 (GA)
- Update release notes for 8u292-b10. - Update release notes for 8u292-b10.
- This tarball is embargoed until 2021-04-20 @ 1pm PT. - This tarball is embargoed until 2021-04-20 @ 1pm PT.
- Resolves: rhbz#1938201 - Resolves: rhbz#1938201
* Tue Apr 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b09-0.1.ea * Tue Apr 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b09-0.2.ea
- Update to aarch64-shenandoah-jdk8u292-b09 (EA) - Update to aarch64-shenandoah-jdk8u292-b09 (EA)
- Update release notes for 8u292-b09. - Update release notes for 8u292-b09.
- Switch to EA mode. - Resolves: rhbz#1942306
- Update tarball generation script to use PR3822 which handles
JDK-8233228 & JDK-8035166 changes * Mon Apr 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b08-0.2.ea
- Remove RH1868759 patch as this is now resolved upstream by JDK-8258833. - Update to aarch64-shenandoah-jdk8u292-b08 (EA)
- Update release notes for 8u292-b08.
- Require tzdata 2021a due to JDK-8260356
- Resolves: rhbz#1942306
* Mon Apr 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b07-0.2.ea
- Update to aarch64-shenandoah-jdk8u292-b07 (EA)
- Update release notes for 8u292-b07.
- Resolves: rhbz#1942306
* Sun Apr 11 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b06-0.2.ea
- Update to aarch64-shenandoah-jdk8u292-b06 (EA)
- Update release notes for 8u292-b06.
- Require tzdata 2020f due to JDK-8259048
- Resolves: rhbz#1942306
* Sat Apr 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b05-0.3.ea
- Update to aarch64-shenandoah-jdk8u292-b05-shenandoah-merge-2021-03-11 (EA)
- Update release notes for 8u292-b05-shenandoah-merge-2021-03-11.
- Re-organise S/390 patches for upstream submission, separating 8u upstream from Shenandoah fixes. - Re-organise S/390 patches for upstream submission, separating 8u upstream from Shenandoah fixes.
- Add new formatting case found in memprofiler.cpp on debug builds to PR3593 patch. - Add new formatting case found in memprofiler.cpp on debug builds to PR3593 patch.
- Extend s390 patch to fix issue caused by JDK-8252660 backport and lack of JDK-8188813 in 8u. - Extend s390 patch to fix issue caused by JDK-8252660 backport and lack of JDK-8188813 in 8u.
- Revise JDK-8252660 s390 failure to make _soft_max_size a jlong so pointer types are accurate. - Revise JDK-8252660 s390 failure to make _soft_max_size a jlong so pointer types are accurate.
- Require tzdata 2020f due to JDK-8259048 - Resolves: rhbz#1942306
- Require tzdata 2021a due to JDK-8260356
* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b05-0.2.ea
- Update to aarch64-shenandoah-jdk8u292-b05 (EA)
- Update release notes for 8u292-b05.
- Resolves: rhbz#1942306
* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b04-0.2.ea
- Update to aarch64-shenandoah-jdk8u292-b04 (EA)
- Update release notes for 8u292-b04.
- Resolves: rhbz#1942306
* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b03-0.2.ea
- Update to aarch64-shenandoah-jdk8u292-b03 (EA)
- Update release notes for 8u292-b03.
- Resolves: rhbz#1942306
* Sat Mar 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b02-0.2.ea
- Update to aarch64-shenandoah-jdk8u292-b02 (EA)
- Update release notes for 8u292-b02.
- Remove RH1868759 patch as this is now resolved upstream by JDK-8258833.
- Resolves: rhbz#1942306
* Thu Mar 25 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.292.b01-0.2.ea
- Update to aarch64-shenandoah-jdk8u292-b01 (EA)
- Update release notes for 8u292-b01.
- Switch to EA mode.
- Update tarball generation script to use PR3822 which handles
JDK-8233228 & JDK-8035166 changes
- Resolves: rhbz#1942306 - Resolves: rhbz#1942306
* Wed Feb 17 2021 Stephan Bergmann <sbergman@redhat.com> - 1:1.8.0.282.b08-4 * Wed Feb 17 2021 Stephan Bergmann <sbergman@redhat.com> - 1:1.8.0.282.b08-4