From c1b114827558f6c69d2470f00c5f8376f0a5d0cb Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Thu, 15 May 2025 20:51:17 +0100 Subject: [PATCH] Update to shenandoah-jdk8u382-b01 (EA) Switch to EA mode. Remove JDK-8271199 patch which is now upstream. Add version of bundled zlib (bumped from 1.2.11 to 1.2.13 with this update) Introduce 'prelease' for the portable release versioning, to handle EA builds Sync the copy of the portable specfile with the latest update - Related: RHEL-12211 --- .gitignore | 1 + java-1.8.0-openjdk-portable.specfile | 19 +- java-1.8.0-openjdk.spec | 48 +++-- ...75317-custom_pkcs11_provider_support.patch | 167 ------------------ sources | 2 +- 5 files changed, 43 insertions(+), 194 deletions(-) delete mode 100644 jdk8271199-rh2175317-custom_pkcs11_provider_support.patch diff --git a/.gitignore b/.gitignore index 3d74887..0238052 100644 --- a/.gitignore +++ b/.gitignore @@ -290,3 +290,4 @@ /java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.s390x.tar.xz /java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.x86_64.tar.xz /openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz +/openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b01-4curve.tar.xz diff --git a/java-1.8.0-openjdk-portable.specfile b/java-1.8.0-openjdk-portable.specfile index 9197600..d4ec700 100644 --- a/java-1.8.0-openjdk-portable.specfile +++ b/java-1.8.0-openjdk-portable.specfile @@ -298,7 +298,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u372-b07 +%global openjdk_revision jdk8u382-b01 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -319,12 +319,12 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 2 +%global rpmrelease 1 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global milestone fcs %global milestone_version %{nil} @@ -628,8 +628,6 @@ Patch12: jdk8186464-rh1433262-zip64_failure.patch # able to be removed once that release is out # and used by this RPM. ############################################# -# JDK-8271199, RH2175317: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key -Patch2001: jdk8271199-rh2175317-custom_pkcs11_provider_support.patch ############################################# # @@ -718,6 +716,8 @@ BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel %else +# Version in jdk/src/share/native/java/util/zip/zlib/zlib.h +Provides: bundled(zlib) = 1.2.13 # Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h Provides: bundled(giflib) = 5.2.1 # Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h @@ -887,8 +887,6 @@ pushd %{top_level_dir_name} %patch1000 -p1 # system cacerts support %patch539 -p1 -# 8u382 fix -%patch2001 -p1 popd # RPM-only fixes @@ -1524,6 +1522,13 @@ done %{_jvmdir}/%{miscportablearchive}.sha256sum %changelog +* Wed Jun 28 2023 Andrew Hughes - 1:1.8.0.382.b01-0.1.ea +- Update to shenandoah-jdk8u382-b01 (EA) +- Update release notes for shenandoah-8u382-b01. +- Switch to EA mode. +- Remove JDK-8271199 patch which is now upstream. +- Add version of bundled zlib (bumped from 1.2.11 to 1.2.13 with this update) + * Thu Apr 27 2023 Andrew Hughes - 1:1.8.0.372.b07-2 - Sync with existing RHEL 8 build, in order to start building portables on RHEL 8 - Fix debug symbols flag to newboot and package naming diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index 6a13486..e4f8dc3 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -318,7 +318,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u372-b07 +%global openjdk_revision jdk8u382-b01 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -339,9 +339,9 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 4 +%global rpmrelease 1 # Settings used by the portable build -%global portablerelease 2 +%global portablerelease 1 %global portablesuffix el8 %global portablebuilddir /builddir/build/BUILD @@ -349,7 +349,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global milestone fcs %global milestone_version %{nil} @@ -1260,6 +1260,8 @@ Provides: java-%{javaver}-%{origin}-accessibility = %{epoch}:%{version}-%{releas Name: java-%{javaver}-%{origin} Version: %{javaver}.%{updatever}.%{buildver} Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# Equivalent for the portable build +%global prelease %{?eaprefix}%{rpmrelease}%{?extraver} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -1341,11 +1343,11 @@ Source19: README.md Source20: java-1.%{majorver}.0-openjdk-portable.specfile # Setup variables to reference correct sources -%global releasezip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.unstripped.jdk.%{_arch}.tar.xz -%global docszip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.docs.%{_arch}.tar.xz -%global misczip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.misc.%{_arch}.tar.xz -%global slowdebugzip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.slowdebug.jdk.%{_arch}.tar.xz -%global fastdebugzip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.fastdebug.jdk.%{_arch}.tar.xz +%global releasezip %{_jvmdir}/%{name}-portable-%{version}-%{prelease}.portable.unstripped.jdk.%{_arch}.tar.xz +%global docszip %{_jvmdir}/%{name}-portable-%{version}-%{prelease}.portable.docs.%{_arch}.tar.xz +%global misczip %{_jvmdir}/%{name}-portable-%{version}-%{prelease}.portable.misc.%{_arch}.tar.xz +%global slowdebugzip %{_jvmdir}/%{name}-portable-%{version}-%{prelease}.portable.slowdebug.jdk.%{_arch}.tar.xz +%global fastdebugzip %{_jvmdir}/%{name}-portable-%{version}-%{prelease}.portable.fastdebug.jdk.%{_arch}.tar.xz ############################################ # @@ -1470,8 +1472,7 @@ Patch581: jdk8257794-remove_broken_assert.patch # able to be removed once that release is out # and used by this RPM. ############################################# -# JDK-8271199, RH2175317: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key -Patch2001: jdk8271199-rh2175317-custom_pkcs11_provider_support.patch + ############################################# # @@ -1537,16 +1538,16 @@ BuildRequires: unzip # For definitions and macros like jvmdir BuildRequires: javapackages-filesystem %if %{include_normal_build} -BuildRequires: java-1.%{majorver}.0-openjdk-portable-unstripped = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-unstripped = %{epoch}:%{version}-%{prelease}.%{portablesuffix} %endif %if %{include_fastdebug_build} -BuildRequires: java-1.%{majorver}.0-openjdk-portable-devel-fastdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-devel-fastdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} %endif %if %{include_debug_build} -BuildRequires: java-1.%{majorver}.0-openjdk-portable-devel-slowdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-devel-slowdebug = %{epoch}:%{version}-%{prelease}.%{portablesuffix} %endif -BuildRequires: java-1.%{majorver}.0-openjdk-portable-docs = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} -BuildRequires: java-1.%{majorver}.0-openjdk-portable-misc = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-docs = %{epoch}:%{version}-%{prelease}.%{portablesuffix} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-misc = %{epoch}:%{version}-%{prelease}.%{portablesuffix} # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel @@ -1566,6 +1567,8 @@ BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel %else +# Version in jdk/src/share/native/java/util/zip/zlib/zlib.h +Provides: bundled(zlib) = 1.2.13 # Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h Provides: bundled(giflib) = 5.2.1 # Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h @@ -1906,8 +1909,6 @@ pushd %{top_level_dir_name} %patch1000 -p1 # system cacerts support %patch539 -p1 -# 8u382 fix -%patch2001 -p1 popd # RPM-only fixes @@ -2016,7 +2017,7 @@ for suffix in %{build_loop} ; do mkdir -p $(dirname ${installdir}) mv %{name}* ${installdir} # Fix build paths in ELF files so it looks like we built them - portablenvr="%{name}-portable-%{version}-%{portablerelease}.%{portablesuffix}.%{_arch}" + portablenvr="%{name}-portable-%{version}-%{prelease}.%{portablesuffix}.%{_arch}" for file in $(find ${installdir} -type f) ; do if file ${file} | grep -q 'ELF'; then %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file} @@ -2557,6 +2558,15 @@ cjc.mainProgram(args) %endif %changelog +* Wed Jul 05 2023 Andrew Hughes - 1:1.8.0.382.b01-0.1.ea +- Update to shenandoah-jdk8u382-b01 (EA) +- Switch to EA mode. +- Remove JDK-8271199 patch which is now upstream. +- Add version of bundled zlib (bumped from 1.2.11 to 1.2.13 with this update) +- Introduce 'prelease' for the portable release versioning, to handle EA builds +- Sync the copy of the portable specfile with the latest update +- Related: RHEL-12211 + * Thu Apr 27 2023 Andrew Hughes - 1:1.8.0.372.b07-4 - Include the java-1.8.0-openjdk-portable.spec file with instructions on how to rebuild. - Remove duplicate use of README.md inside the *-src package (it is no longer about sources) diff --git a/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch b/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch deleted file mode 100644 index 42ac516..0000000 --- a/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch +++ /dev/null @@ -1,167 +0,0 @@ -commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99 -Author: Alexey Bakhtin -Date: Tue Apr 4 10:29:11 2023 +0000 - - 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key - - Reviewed-by: andrew, mbalao - Backport-of: f6232982b91cb2314e96ddbde3984836a810a556 - -diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java -index a79e97d7c74..5378446b97b 100644 ---- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java -+++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java -@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi { - @Override - protected void engineInitVerify(PublicKey publicKey) - throws InvalidKeyException { -- if (!(publicKey instanceof RSAPublicKey)) { -+ if (publicKey instanceof RSAPublicKey) { -+ RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey; -+ isPublicKeyValid(rsaPubKey); -+ this.pubKey = rsaPubKey; -+ this.privKey = null; -+ resetDigest(); -+ } else { - throw new InvalidKeyException("key must be RSAPublicKey"); - } -- this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey); -- this.privKey = null; -- resetDigest(); - } - - // initialize for signing. See JCA doc -@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi { - @Override - protected void engineInitSign(PrivateKey privateKey, SecureRandom random) - throws InvalidKeyException { -- if (!(privateKey instanceof RSAPrivateKey)) { -+ if (privateKey instanceof RSAPrivateKey) { -+ RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey; -+ isPrivateKeyValid(rsaPrivateKey); -+ this.privKey = rsaPrivateKey; -+ this.pubKey = null; -+ this.random = -+ (random == null ? JCAUtil.getSecureRandom() : random); -+ resetDigest(); -+ } else { - throw new InvalidKeyException("key must be RSAPrivateKey"); - } -- this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey); -- this.pubKey = null; -- this.random = -- (random == null? JCAUtil.getSecureRandom() : random); -- resetDigest(); - } - - /** -@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi { - } - } - -+ /** -+ * Validate the specified RSAPrivateKey -+ */ -+ private void isPrivateKeyValid(RSAPrivateKey prKey) throws InvalidKeyException { -+ try { -+ if (prKey instanceof RSAPrivateCrtKey) { -+ RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey; -+ if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) { -+ RSAKeyFactory.checkRSAProviderKeyLengths( -+ crtKey.getModulus().bitLength(), -+ crtKey.getPublicExponent()); -+ } else { -+ throw new InvalidKeyException( -+ "Some of the CRT-specific components are not available"); -+ } -+ } else { -+ RSAKeyFactory.checkRSAProviderKeyLengths( -+ prKey.getModulus().bitLength(), -+ null); -+ } -+ } catch (InvalidKeyException ikEx) { -+ throw ikEx; -+ } catch (Exception e) { -+ throw new InvalidKeyException( -+ "Can not access private key components", e); -+ } -+ isValid(prKey); -+ } -+ -+ /** -+ * Validate the specified RSAPublicKey -+ */ -+ private void isPublicKeyValid(RSAPublicKey pKey) throws InvalidKeyException { -+ try { -+ RSAKeyFactory.checkRSAProviderKeyLengths( -+ pKey.getModulus().bitLength(), -+ pKey.getPublicExponent()); -+ } catch (InvalidKeyException ikEx) { -+ throw ikEx; -+ } catch (Exception e) { -+ throw new InvalidKeyException( -+ "Can not access public key components", e); -+ } -+ isValid(pKey); -+ } -+ - /** - * Validate the specified RSAKey and its associated parameters against - * internal signature parameters. - */ -- private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException { -+ private void isValid(RSAKey rsaKey) throws InvalidKeyException { - try { - AlgorithmParameterSpec keyParams = rsaKey.getParams(); - // validate key parameters -@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi { - } - checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength()); - } -- return rsaKey; - } catch (SignatureException e) { - throw new InvalidKeyException(e); - } -diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java -index 6b219937981..b3c1fae9672 100644 ---- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java -+++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java -@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl - RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded); - // check all CRT-specific components are available, if any one - // missing, return a non-CRT key instead -- if ((key.getPublicExponent().signum() == 0) || -- (key.getPrimeExponentP().signum() == 0) || -- (key.getPrimeExponentQ().signum() == 0) || -- (key.getPrimeP().signum() == 0) || -- (key.getPrimeQ().signum() == 0) || -- (key.getCrtCoefficient().signum() == 0)) { -+ if (checkComponents(key)) { -+ return key; -+ } else { - return new RSAPrivateKeyImpl( - key.algid, - key.getModulus(), -- key.getPrivateExponent() -- ); -- } else { -- return key; -+ key.getPrivateExponent()); - } - } - -+ /** -+ * Validate if all CRT-specific components are available. -+ */ -+ static boolean checkComponents(RSAPrivateCrtKey key) { -+ return !((key.getPublicExponent().signum() == 0) || -+ (key.getPrimeExponentP().signum() == 0) || -+ (key.getPrimeExponentQ().signum() == 0) || -+ (key.getPrimeP().signum() == 0) || -+ (key.getPrimeQ().signum() == 0) || -+ (key.getCrtCoefficient().signum() == 0)); -+ } -+ - /** - * Generate a new key from the specified type and components. - * Returns a CRT key if possible and a non-CRT key otherwise. diff --git a/sources b/sources index 808ed42..3b9cfac 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671 -SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz) = afc1324463883404f22cea3c37177d7b6164fc4cf285d958e7ec21aba976dc306045296eadaa296a31795be6b543ca0b742e0ba074689c3e5a50b9956383934b +SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u382-b01-4curve.tar.xz) = e6219684046922a4fcfc577fe3457d28a48e79f3bb57b575b0195273b559293a8a8990197d5a37ca63d6a9d9c50ebf41b7d7630b1b16841df6396eb58b72f404