From ef629904fdaaa43e5c08118897fb3eda107d490a Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Thu, 2 Mar 2023 06:10:17 +0000 Subject: [PATCH] Auto sync2gitlab import of java-1.8.0-openjdk-1.8.0.362.b09-3.el8.src.rpm --- .gitignore | 1 + NEWS | 2 + java-1.8.0-openjdk.spec | 18 +- ...4-support_system_cacerts-8139f2361c2.patch | 170 ++++++------------ sources | 2 +- 5 files changed, 68 insertions(+), 125 deletions(-) rename pr2888-rh2055274-support_system_cacerts.patch => pr2888-rh2055274-support_system_cacerts-8139f2361c2.patch (50%) diff --git a/.gitignore b/.gitignore index b51079f..c8ebb99 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz /openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz /tapsets-icedtea-3.15.0.tar.xz +/openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b09-4curve.tar.xz diff --git a/NEWS b/NEWS index b87597c..a6788c4 100644 --- a/NEWS +++ b/NEWS @@ -84,6 +84,8 @@ Live versions of these release notes can be found at: - JDK-8297804: (tz) Update Timezone Data to 2022g - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java + - JDK-8300178: JDK-8286496 causes build failure on older GCC + - JDK-8300225: JDK-8288516 causes build failure on Windows + VS2010 Notes on individual issues: =========================== diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index 36389b4..53abe58 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -313,7 +313,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u362-b08 +%global openjdk_revision jdk8u362-b09 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -323,6 +323,8 @@ %global icedteaver 3.15.0 # Define current Git revision for the FIPS support patches %global fipsver 6d1aade0648 +# Define current Git revision for the cacerts patch +%global cacertsver 8139f2361c2 # e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04 %global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*}) @@ -1354,7 +1356,7 @@ Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch Patch1003: rh1582504-rsa_default_for_keytool.patch # Crypto policy and FIPS support patches -# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk11u/tree/fips +# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk8u/tree/fips # as follows: git diff %%{openjdk_revision} common jdk > fips-8u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: @@ -1393,8 +1395,10 @@ Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_t # PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts) # PR3575, RH1567204: System cacerts database handling should not affect jssecacerts # RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds -# Must be applied after crypto policy patch as it also changes java.security -Patch539: pr2888-rh2055274-support_system_cacerts.patch +# Must be applied after the FIPS patch as it also changes java.security +# Patch is generated from the cacerts tree at https://github.com/rh-openjdk/jdk8u/tree/cacerts +# as follows: git diff fips > pr2888-rh2055274-support_system_cacerts-$(git show -s --format=%h HEAD).patch +Patch539: pr2888-rh2055274-support_system_cacerts-%{cacertsver}.patch # enable build of speculative store bypass hardened alt-java Patch600: rh1750419-redhat_alt_java.patch # JDK-8281098, PR3836: Extra compiler flags not passed to adlc build @@ -2690,6 +2694,12 @@ cjc.mainProgram(args) %endif %changelog +* Tue Jan 24 2023 Andrew Hughes - 1:1.8.0.362.b09-3 +- Update cacerts patch to fix OPENJDK-1433 SecurityManager issue +- Update to shenandoah-jdk8u352-b09 (GA) +- Update release notes for shenandoah-8u352-b09. +- Resolves: rhbz#2162715 + * Fri Jan 13 2023 Andrew Hughes - 1:1.8.0.362.b08-3 - Update to shenandoah-jdk8u352-b08 (GA) - Update release notes for shenandoah-8u352-b08. diff --git a/pr2888-rh2055274-support_system_cacerts.patch b/pr2888-rh2055274-support_system_cacerts-8139f2361c2.patch similarity index 50% rename from pr2888-rh2055274-support_system_cacerts.patch rename to pr2888-rh2055274-support_system_cacerts-8139f2361c2.patch index 1b88f2a..818e27a 100644 --- a/pr2888-rh2055274-support_system_cacerts.patch +++ b/pr2888-rh2055274-support_system_cacerts-8139f2361c2.patch @@ -1,5 +1,5 @@ diff --git a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java -index e7b4763db53..e8ec8467e6a 100644 +index e7b4763db53..0005e56f528 100644 --- a/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java +++ b/jdk/src/share/classes/sun/security/ssl/TrustStoreManager.java @@ -31,6 +31,7 @@ import java.security.*; @@ -19,16 +19,17 @@ index e7b4763db53..e8ec8467e6a 100644 */ private static final class TrustStoreDescriptor { private static final String fileSep = File.separator; -@@ -76,7 +77,7 @@ final class TrustStoreManager { +@@ -76,7 +77,8 @@ final class TrustStoreManager { GetPropertyAction.privilegedGetProperty("java.home") + fileSep + "lib" + fileSep + "security"; private static final String defaultStore = - defaultStorePath + fileSep + "cacerts"; -+ KeyStoreUtil.getCacertsKeyStoreFile().getPath(); ++ AccessController.doPrivileged((PrivilegedAction) () -> ++ KeyStoreUtil.getCacertsKeyStorePath()); private static final String jsseDefaultStore = defaultStorePath + fileSep + "jssecacerts"; -@@ -139,6 +140,10 @@ final class TrustStoreManager { +@@ -139,6 +141,10 @@ final class TrustStoreManager { String storePropPassword = System.getProperty( "javax.net.ssl.trustStorePassword", ""); @@ -39,117 +40,56 @@ index e7b4763db53..e8ec8467e6a 100644 String temporaryName = ""; File temporaryFile = null; long temporaryTime = 0L; -@@ -146,21 +151,22 @@ final class TrustStoreManager { - String[] fileNames = - new String[] {storePropName, defaultStore}; - for (String fileName : fileNames) { -- File f = new File(fileName); -- if (f.isFile() && f.canRead()) { -- temporaryName = fileName;; -- temporaryFile = f; -- temporaryTime = f.lastModified(); -- -- break; -- } -- -- // Not break, the file is inaccessible. -- if (SSLLogger.isOn && -+ if (fileName != null && !"".equals(fileName)) { -+ File f = new File(fileName); -+ if (f.isFile() && f.canRead()) { -+ temporaryName = fileName;; -+ temporaryFile = f; -+ temporaryTime = f.lastModified(); -+ -+ break; -+ } -+ // Not break, the file is inaccessible. -+ if (SSLLogger.isOn && +@@ -160,7 +166,7 @@ final class TrustStoreManager { SSLLogger.isOn("trustmanager")) { -- SSLLogger.fine( -- "Inaccessible trust store: " + + SSLLogger.fine( + "Inaccessible trust store: " + - storePropName); -+ SSLLogger.fine( -+ "Inaccessible trust store: " + -+ fileName); -+ } ++ fileName); } } } else { diff --git a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -index fcc77786da1..f554f83a8b4 100644 +index fcc77786da1..3a4388964cc 100644 --- a/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java +++ b/jdk/src/share/classes/sun/security/tools/KeyStoreUtil.java -@@ -33,7 +33,10 @@ import java.io.InputStreamReader; +@@ -41,6 +41,8 @@ import java.text.Collator; + import java.util.Locale; + import java.util.ResourceBundle; - import java.net.URL; - -+import java.security.AccessController; - import java.security.KeyStore; -+import java.security.PrivilegedAction; -+import java.security.Security; - - import java.security.cert.X509Certificate; - import java.text.Collator; -@@ -54,6 +57,33 @@ public class KeyStoreUtil { ++import sun.security.util.SecurityProperties; ++ + /** + *

This class provides several utilities to KeyStore. + * +@@ -54,6 +56,8 @@ public class KeyStoreUtil { private static final String JKS = "jks"; -+ private static final String PROP_NAME = "security.systemCACerts"; -+ -+ /** -+ * Returns the value of the security property propName, which can be overridden -+ * by a system property of the same name -+ * -+ * @param propName the name of the system or security property -+ * @return the value of the system or security property -+ */ -+ @SuppressWarnings("removal") -+ public static String privilegedGetOverridable(String propName) { -+ if (System.getSecurityManager() == null) { -+ return getOverridableProperty(propName); -+ } else { -+ return AccessController.doPrivileged((PrivilegedAction) () -> getOverridableProperty(propName)); -+ } -+ } -+ -+ private static String getOverridableProperty(String propName) { -+ String val = System.getProperty(propName); -+ if (val == null) { -+ return Security.getProperty(propName); -+ } else { -+ return val; -+ } -+ } ++ private static final String SYSTEM_CA_CERTS_PROP = "security.systemCACerts"; + /** * Returns true if the certificate is self-signed, false otherwise. */ -@@ -96,20 +126,38 @@ public class KeyStoreUtil { +@@ -96,16 +100,30 @@ public class KeyStoreUtil { } } + /** + * Returns the path to the cacerts DB + */ -+ public static File getCacertsKeyStoreFile() ++ public static String getCacertsKeyStorePath() + { ++ // Check system DB first, preferring system property over security one ++ String systemDB = SecurityProperties ++ .privilegedGetOverridable(SYSTEM_CA_CERTS_PROP); ++ if (systemDB != null && !"".equals(systemDB) && ++ (new File(systemDB)).isFile()) { ++ return systemDB; ++ } + String sep = File.separator; -+ File file = null; -+ /* Check system cacerts DB first, preferring system property over security property */ -+ String systemDB = privilegedGetOverridable(PROP_NAME); -+ if (systemDB != null && !"".equals(systemDB)) { -+ file = new File(systemDB); -+ } -+ if (file == null || !file.exists()) { -+ file = new File(System.getProperty("java.home") + sep -+ + "lib" + sep + "security" + sep -+ + "cacerts"); -+ } -+ if (file.exists()) { -+ return file; -+ } -+ return null; ++ return System.getProperty("java.home") + sep ++ + "lib" + sep + "security" + sep + "cacerts"; + } + /** @@ -162,27 +102,21 @@ index fcc77786da1..f554f83a8b4 100644 - File file = new File(System.getProperty("java.home") + sep - + "lib" + sep + "security" + sep - + "cacerts"); -- if (!file.exists()) { -- return null; -- } - KeyStore caks = null; -+ File file = getCacertsKeyStoreFile(); -+ if (file == null) { return null; } - try (FileInputStream fis = new FileInputStream(file)) { - caks = KeyStore.getInstance(JKS); - caks.load(fis, null); ++ File file = new File(getCacertsKeyStorePath()); + if (!file.exists()) { + return null; + } diff --git a/jdk/src/share/lib/security/java.security-aix b/jdk/src/share/lib/security/java.security-aix -index bfe0c593adb..093bc09bf95 100644 +index 681a24b905d..ecb8bc43a6c 100644 --- a/jdk/src/share/lib/security/java.security-aix +++ b/jdk/src/share/lib/security/java.security-aix -@@ -294,6 +294,13 @@ security.overridePropertiesFile=true +@@ -294,6 +294,12 @@ security.overridePropertiesFile=true # security.useSystemPropertiesFile=false +# +# Specifies the system certificate store -+# This property may be disabled using -+# -Djava.security.disableSystemCACerts=true ++# This property may be disabled using an empty value +# +security.systemCACerts=${java.home}/lib/security/cacerts + @@ -190,17 +124,16 @@ index bfe0c593adb..093bc09bf95 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/jdk/src/share/lib/security/java.security-linux b/jdk/src/share/lib/security/java.security-linux -index 9d1c8fe8a8e..16c9281cc1f 100644 +index 789c19a8cba..2546fdec9b2 100644 --- a/jdk/src/share/lib/security/java.security-linux +++ b/jdk/src/share/lib/security/java.security-linux -@@ -307,6 +307,13 @@ security.overridePropertiesFile=true +@@ -307,6 +307,12 @@ security.overridePropertiesFile=true # security.useSystemPropertiesFile=false +# +# Specifies the system certificate store -+# This property may be disabled using -+# -Djava.security.disableSystemCACerts=true ++# This property may be disabled using an empty value +# +security.systemCACerts=${java.home}/lib/security/cacerts + @@ -208,17 +141,16 @@ index 9d1c8fe8a8e..16c9281cc1f 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/jdk/src/share/lib/security/java.security-macosx b/jdk/src/share/lib/security/java.security-macosx -index 19047c61097..43e034cdeaf 100644 +index d4da666af3b..1a20027c02b 100644 --- a/jdk/src/share/lib/security/java.security-macosx +++ b/jdk/src/share/lib/security/java.security-macosx -@@ -297,6 +297,13 @@ security.overridePropertiesFile=true +@@ -297,6 +297,12 @@ security.overridePropertiesFile=true # security.useSystemPropertiesFile=false +# +# Specifies the system certificate store -+# This property may be disabled using -+# -Djava.security.disableSystemCACerts=true ++# This property may be disabled using an empty value +# +security.systemCACerts=${java.home}/lib/security/cacerts + @@ -226,17 +158,16 @@ index 19047c61097..43e034cdeaf 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/jdk/src/share/lib/security/java.security-solaris b/jdk/src/share/lib/security/java.security-solaris -index 7eda556ae13..325937e97fb 100644 +index 300132384a1..6299e0a3c7b 100644 --- a/jdk/src/share/lib/security/java.security-solaris +++ b/jdk/src/share/lib/security/java.security-solaris -@@ -295,6 +295,13 @@ security.overridePropertiesFile=true +@@ -295,6 +295,12 @@ security.overridePropertiesFile=true # security.useSystemPropertiesFile=false +# +# Specifies the system certificate store -+# This property may be disabled using -+# -Djava.security.disableSystemCACerts=true ++# This property may be disabled using an empty value +# +security.systemCACerts=${java.home}/lib/security/cacerts + @@ -244,17 +175,16 @@ index 7eda556ae13..325937e97fb 100644 # Determines the default key and trust manager factory algorithms for # the javax.net.ssl package. diff --git a/jdk/src/share/lib/security/java.security-windows b/jdk/src/share/lib/security/java.security-windows -index dfa1a669aa9..92ef777e065 100644 +index 64db5a5cd1e..823994f3466 100644 --- a/jdk/src/share/lib/security/java.security-windows +++ b/jdk/src/share/lib/security/java.security-windows -@@ -297,6 +297,13 @@ security.overridePropertiesFile=true +@@ -297,6 +297,12 @@ security.overridePropertiesFile=true # security.useSystemPropertiesFile=false +# +# Specifies the system certificate store -+# This property may be disabled using -+# -Djava.security.disableSystemCACerts=true ++# This property may be disabled using an empty value +# +security.systemCACerts=${java.home}/lib/security/cacerts + diff --git a/sources b/sources index 60c1680..457d51a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b08-4curve.tar.xz) = e112367213834e0653218a099c8a75558b794702591407170e742a3df6bd5b0780cbf87b85e2a125a50d613ae00501d7ee5bd1708d03a75bca615ef83fc8239b +SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b09-4curve.tar.xz) = 2ed16c616189e7872ecf36c82e86b551b1e6efc4d11a93264db856f01191875a82ddaec3363b5f8296ea225a9a8edf4c0e1504ff27d8474088ba0b2f6fc061d5 SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671