From e9072a8da26b6898b48f2e0bb17ea364137e07d3 Mon Sep 17 00:00:00 2001 From: Thomas Fitzsimmons Date: Thu, 4 Jan 2024 19:41:48 -0500 Subject: [PATCH] Update to jdk-17.0.10+7 (GA) - Sync the copy of the portable specfile with the latest update - fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch - generate_source_tarball.sh changes: - Add WITH_TEMP environment variable - Multithread xz on all available cores - Add OPENJDK_LATEST environment variable - Update comment about tarball naming - Remove REPO_NAME from FILE_NAME_ROOT - Set compile-command in Emacs - Reformat comment header - Reformat and update help output - Move PROJECT_NAME and REPO_NAME checks - Do a shallow clone, for speed - Append -ea designator when required - Eliminate some removal prompting - Make tarball reproducible - Prefix temporary directory with temp- - shellcheck: Remove x-prefixes since we use Bash - shellcheck: Double-quote variable references - shellcheck: Do not use -a - shellcheck: Do not use $ in expression - Remove temporary directory exit conditions - Add --sort=name to tar invocation for reproducibility - Add note on network usage of OPENJDK_LATEST - Move to -P usage for patch macro which works on all RPM versions - Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release - Remove RH1648644 patch not in portable build (and so not applied to binary used) - Resolves: RHEL-20997 --- .gitignore | 2 + ...00be4e.patch => fips-17u-d63771ea660.patch | 30 +-- generate_source_tarball.sh | 202 ++++++++++++------ java-17-openjdk-portable.specfile | 139 ++++++++---- java-17-openjdk.spec | 134 +++++++----- jdk8312489-max_sig_default_increase.patch | 50 ----- ...va_access_bridge_privileged_security.patch | 20 -- sources | 2 +- 8 files changed, 333 insertions(+), 246 deletions(-) rename fips-17u-51e1d00be4e.patch => fips-17u-d63771ea660.patch (99%) delete mode 100644 jdk8312489-max_sig_default_increase.patch delete mode 100644 rh1648644-java_access_bridge_privileged_security.patch diff --git a/.gitignore b/.gitignore index 963e2df..b9e676d 100644 --- a/.gitignore +++ b/.gitignore @@ -61,3 +61,5 @@ /openjdk-17.0.9+1-ea.tar.xz /openjdk-17.0.9+7-ea.tar.xz /openjdk-17.0.9+9.tar.xz +/openjdk-17.0.10+6-ea.tar.xz +/openjdk-17.0.10+7.tar.xz diff --git a/fips-17u-51e1d00be4e.patch b/fips-17u-d63771ea660.patch similarity index 99% rename from fips-17u-51e1d00be4e.patch rename to fips-17u-d63771ea660.patch index da1df4d..4830fb2 100644 --- a/fips-17u-51e1d00be4e.patch +++ b/fips-17u-d63771ea660.patch @@ -116,7 +116,7 @@ index 00000000000..f48fc7f7e80 + AC_SUBST(NSS_LIBDIR) +]) diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 -index 366682cf044..1f8d782f419 100644 +index 62db5b16c31..f0bb4333fc9 100644 --- a/make/autoconf/libraries.m4 +++ b/make/autoconf/libraries.m4 @@ -33,6 +33,7 @@ m4_include([lib-std.m4]) @@ -3496,7 +3496,7 @@ index 00000000000..f8d505ca815 +} \ No newline at end of file diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index 0736ce997e4..0a937fef377 100644 +index 39bd783dd25..1146e7f9d80 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -37,6 +37,8 @@ import javax.crypto.*; @@ -3529,19 +3529,21 @@ index 0736ce997e4..0a937fef377 100644 boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS && extractable && !tokenObject); this.keyIDHolder = new NativeKeyHolder(this, keyID, session, -@@ -383,7 +386,9 @@ abstract class P11Key implements Key, Length { - new CK_ATTRIBUTE(CKA_SENSITIVE), - new CK_ATTRIBUTE(CKA_EXTRACTABLE), +@@ -395,8 +398,10 @@ abstract class P11Key implements Key, Length { + new CK_ATTRIBUTE(CKA_EXTRACTABLE), }); -- if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) { + +- boolean keySensitive = (attrs[0].getBoolean() || +- attrs[1].getBoolean() || !attrs[2].getBoolean()); + boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); -+ if (!exportable && (attributes[1].getBoolean() || -+ (attributes[2].getBoolean() == false))) { - return new P11PrivateKey - (session, keyID, algorithm, keyLength, attributes); - } else { -@@ -465,7 +470,8 @@ abstract class P11Key implements Key, Length { - } ++ boolean keySensitive = (!exportable && ++ (attrs[0].getBoolean() || ++ attrs[1].getBoolean() || !attrs[2].getBoolean())); + + switch (algorithm) { + case "RSA": +@@ -451,7 +456,8 @@ abstract class P11Key implements Key, Length { + public String getFormat() { token.ensureValid(); - if (sensitive || !extractable || (isNSS && tokenObject)) { @@ -4527,7 +4529,7 @@ index aa35e8fa668..1855e5631bd 100644 debug.println("logout succeeded"); } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java -index 9858a5faedf..e63585486d9 100644 +index 1f94fe3e18a..99eec2114e4 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java @@ -33,6 +33,7 @@ import java.lang.ref.*; diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index 7f22f4e..5dc6d60 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh @@ -1,51 +1,99 @@ #!/bin/bash # Generates the 'source tarball' for JDK projects. # -# Example: -# When used from local repo set REPO_ROOT pointing to file:// with your repo -# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL +# Example 1: +# When used from local repo set REPO_ROOT pointing to file:// with your repo. +# If your local repo follows upstream forests conventions, it may be enough to +# set OPENJDK_URL. +# +# Example 2: +# This will read the OpenJDK feature version from the spec file, then create a +# tarball from the most recent tag for that version in the upstream Git +# repository. +# +# $ OPENJDK_LATEST=1 ./generate_source_tarball.sh +# [...] +# Tarball is: temp-generated-source-tarball-ujD/openjdk-17.0.10+6-ea.tar.xz +# +# Unless you use OPENJDK_LATEST, you have to set PROJECT_NAME, REPO_NAME and +# VERSION, e.g.: # -# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg: # PROJECT_NAME=openjdk # REPO_NAME=jdk17u # VERSION=jdk-17.0.3+5 -# or to eg prepare systemtap: -# icedtea7's jstack and other tapsets +# +# or to e.g., prepare systemtap, icedtea7's jstack and other tapsets: +# # VERSION=6327cf1cea9e # REPO_NAME=icedtea7-2.6 # PROJECT_NAME=release # OPENJDK_URL=http://icedtea.classpath.org/hg/ # TO_COMPRESS="*/tapset" # -# They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set) - -# This script creates a single source tarball out of the repository -# based on the given tag and removes code not allowed in fedora/rhel. For -# consistency, the source tarball will always contain 'openjdk' as the top -# level folder, name is created, based on parameter +# They are used to create correct name and are used in construction of sources +# URL (unless REPO_ROOT is set). # +# This script creates a single source tarball out of the repository based on the +# given tag and removes code not allowed in Fedora/RHEL. set -e OPENJDK_URL_DEFAULT=https://github.com COMPRESSION_DEFAULT=xz -if [ "x$1" = "xhelp" ] ; then - echo -e "Behaviour may be specified by setting the following variables:\n" - echo "VERSION - the version of the specified OpenJDK project" - echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)" - echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)" - echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})" - echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})" - echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)" - echo "REPO_ROOT - the location of the Git repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME.git)" - echo "TO_COMPRESS - what part of clone to pack (default is ${VERSION})" - echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run" +if [ "$1" = "help" ] ; then + echo "Behaviour may be specified by setting the following variables:" + echo + echo "VERSION - the version of the specified OpenJDK project" + echo " (required unless OPENJDK_LATEST is set)" + echo "PROJECT_NAME - the name of the OpenJDK project being archived" + echo " (needed to compute REPO_ROOT and/or" + echo " FILE_NAME_ROOT automatically;" + echo " optional if they are set explicitly)" + echo "REPO_NAME - the name of the OpenJDK repository" + echo " (needed to compute REPO_ROOT automatically;" + echo " optional if REPO_ROOT is set explicitly)" + echo "OPENJDK_URL - the URL to retrieve code from" + echo " (defaults to ${OPENJDK_URL_DEFAULT})" + echo "COMPRESSION - the compression type to use" + echo " (defaults to ${COMPRESSION_DEFAULT})" + echo "FILE_NAME_ROOT - name of the archive, minus extensions" + echo " (defaults to PROJECT_NAME-VERSION)" + echo "REPO_ROOT - the location of the Git repository to archive" + echo " (defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME.git)" + echo "TO_COMPRESS - what part of clone to pack" + echo " (defaults to ${VERSION})" + echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run" + echo " (defaults to packaged JDK version)" + echo "WITH_TEMP - run in a temporary directory" + echo " (defaults to disabled)" + echo "OPENJDK_LATEST - deduce VERSION from most recent upstream tag" + echo " (implies WITH_TEMP, computes everything else" + echo " automatically; Note: accesses network to read" + echo " tag list from remote Git repository)" exit 1; fi +if [ "$OPENJDK_LATEST" != "" ] ; then + FEATURE_VERSION=$(echo '%featurever' \ + | rpmspec --shell ./*.spec 2>/dev/null \ + | grep --after-context 1 featurever \ + | tail --lines 1) + PROJECT_NAME=openjdk + REPO_NAME=jdk"${FEATURE_VERSION}"u + VERSION=$(git ls-remote --tags --refs --sort=-version:refname \ + "${OPENJDK_URL_DEFAULT}/${PROJECT_NAME}/${REPO_NAME}.git" \ + "jdk-${FEATURE_VERSION}*" \ + | head --lines 1 | cut --characters 52-) + FILE_NAME_ROOT=open${VERSION} + WITH_TEMP=1 +fi -if [ "x$VERSION" = "x" ] ; then +if [ "$WITH_TEMP" != "" ] ; then + pushd "$(mktemp --directory temp-generated-source-tarball-XXX)" +fi + +if [ "$VERSION" = "" ] ; then echo "No VERSION specified" exit 2 fi @@ -57,18 +105,18 @@ BUILD_VER=${NUM_VER##*+} MAJOR_VER=${RELEASE_VER%%.*} echo "Major version is ${MAJOR_VER}, release ${RELEASE_VER}, build ${BUILD_VER}" -if [ "x$BOOT_JDK" = "x" ] ; then +if [ "$BOOT_JDK" = "" ] ; then echo "No boot JDK specified". BOOT_JDK=/usr/lib/jvm/java-${MAJOR_VER}-openjdk; echo -n "Checking for ${BOOT_JDK}..."; - if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then + if [ -d "${BOOT_JDK}" ] && [ -x "${BOOT_JDK}"/bin/java ] ; then echo "Boot JDK found at ${BOOT_JDK}"; else echo "Not found"; - PREV_VER=$((${MAJOR_VER} - 1)); + PREV_VER=$((MAJOR_VER - 1)); BOOT_JDK=/usr/lib/jvm/java-${PREV_VER}-openjdk; echo -n "Checking for ${BOOT_JDK}..."; - if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then + if [ -d ${BOOT_JDK} ] && [ -x ${BOOT_JDK}/bin/java ] ; then echo "Boot JDK found at ${BOOT_JDK}"; else echo "Not found"; @@ -79,43 +127,41 @@ else echo "Boot JDK: ${BOOT_JDK}"; fi -# REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT -if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then - if [ "x$PROJECT_NAME" = "x" ] ; then - echo "No PROJECT_NAME specified" - exit 1 - fi - echo "Project name: ${PROJECT_NAME}" - if [ "x$REPO_NAME" = "x" ] ; then - echo "No REPO_NAME specified" - exit 3 - fi - echo "Repository name: ${REPO_NAME}" -fi - -if [ "x$OPENJDK_URL" = "x" ] ; then +if [ "$OPENJDK_URL" = "" ] ; then OPENJDK_URL=${OPENJDK_URL_DEFAULT} echo "No OpenJDK URL specified; defaulting to ${OPENJDK_URL}" else echo "OpenJDK URL: ${OPENJDK_URL}" fi -if [ "x$COMPRESSION" = "x" ] ; then +if [ "$COMPRESSION" = "" ] ; then # rhel 5 needs tar.gz COMPRESSION=${COMPRESSION_DEFAULT} fi echo "Creating a tar.${COMPRESSION} archive" -if [ "x$FILE_NAME_ROOT" = "x" ] ; then - FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION} +if [ "$FILE_NAME_ROOT" = "" ] ; then + if [ "$PROJECT_NAME" = "" ] ; then + echo "No PROJECT_NAME specified, needed by FILE_NAME_ROOT" + exit 1 + fi + FILE_NAME_ROOT=${PROJECT_NAME}-${VERSION} echo "No file name root specified; default to ${FILE_NAME_ROOT}" fi -if [ "x$REPO_ROOT" = "x" ] ; then +if [ "$REPO_ROOT" = "" ] ; then + if [ "$PROJECT_NAME" = "" ] ; then + echo "No PROJECT_NAME specified, needed by REPO_ROOT" + exit 1 + fi + if [ "$REPO_NAME" = "" ] ; then + echo "No REPO_NAME specified, needed by REPO_ROOT" + exit 3 + fi REPO_ROOT="${OPENJDK_URL}/${PROJECT_NAME}/${REPO_NAME}.git" echo "No repository root specified; default to ${REPO_ROOT}" fi; -if [ "x$TO_COMPRESS" = "x" ] ; then +if [ "$TO_COMPRESS" = "" ] ; then TO_COMPRESS="${VERSION}" echo "No targets to be compressed specified ; default to ${TO_COMPRESS}" fi; @@ -131,53 +177,77 @@ echo -e "\tREPO_ROOT: ${REPO_ROOT}" echo -e "\tTO_COMPRESS: ${TO_COMPRESS}" echo -e "\tBOOT_JDK: ${BOOT_JDK}" -if [ -d ${FILE_NAME_ROOT} ] ; then +if [ -d "${FILE_NAME_ROOT}" ] ; then echo "exists exists exists exists exists exists exists " echo "reusing reusing reusing reusing reusing reusing " - echo ${FILE_NAME_ROOT} + echo "${FILE_NAME_ROOT}" + STAT_TIME="$(stat --format=%Y "${FILE_NAME_ROOT}")" + TAR_TIME="$(date --date=@"${STAT_TIME}" --iso-8601=seconds)" else mkdir "${FILE_NAME_ROOT}" pushd "${FILE_NAME_ROOT}" echo "Cloning ${VERSION} root repository from ${REPO_ROOT}" - git clone -b ${VERSION} ${REPO_ROOT} ${VERSION} + git clone --depth=1 -b "${VERSION}" "${REPO_ROOT}" "${VERSION}" + pushd "${VERSION}" + TAR_TIME="$(git log --max-count 1 --format=%cI)" + popd popd fi pushd "${FILE_NAME_ROOT}" + EA_PART="$(git tag --contains "${VERSION}" \ + | grep --quiet '\-ga$' || echo '-ea')" - # Generate .src-rev so build has knowledge of the revision the tarball was created from + # Generate .src-rev so build has knowledge of the revision the tarball was + # created from mkdir build pushd build - sh ${PWD}/../${VERSION}/configure --with-boot-jdk=${BOOT_JDK} + sh "${PWD}"/../"${VERSION}"/configure --with-boot-jdk="${BOOT_JDK}" make store-source-revision popd rm -rf build # Remove commit checks - echo "Removing $(find ${VERSION} -name '.jcheck' -print)" - find ${VERSION} -name '.jcheck' -print0 | xargs -0 rm -r + echo "Removing $(find "${VERSION}" -name '.jcheck' -print)" + find "${VERSION}" -name '.jcheck' -print0 | xargs -0 rm -r # Remove history and GHA echo "find ${VERSION} -name '.hgtags'" - find ${VERSION} -name '.hgtags' -exec rm -v '{}' '+' + find "${VERSION}" -name '.hgtags' -exec rm -v '{}' '+' echo "find ${VERSION} -name '.hgignore'" - find ${VERSION} -name '.hgignore' -exec rm -v '{}' '+' + find "${VERSION}" -name '.hgignore' -exec rm -v '{}' '+' echo "find ${VERSION} -name '.gitattributes'" - find ${VERSION} -name '.gitattributes' -exec rm -v '{}' '+' + find "${VERSION}" -name '.gitattributes' -exec rm -v '{}' '+' echo "find ${VERSION} -name '.gitignore'" - find ${VERSION} -name '.gitignore' -exec rm -v '{}' '+' + find "${VERSION}" -name '.gitignore' -exec rm -v '{}' '+' + # Work around some Git objects not having write permissions. + echo "chmod --recursive u+w ${VERSION}/.git" + chmod --recursive u+w "${VERSION}"/.git echo "find ${VERSION} -name '.git'" - find ${VERSION} -name '.git' -exec rm -rv '{}' '+' + find "${VERSION}" -name '.git' -exec rm -rv '{}' '+' echo "find ${VERSION} -name '.github'" - find ${VERSION} -name '.github' -exec rm -rv '{}' '+' + find "${VERSION}" -name '.github' -exec rm -rv '{}' '+' echo "Compressing remaining forest" - if [ "X$COMPRESSION" = "Xxz" ] ; then + if [ "$COMPRESSION" = "xz" ] ; then SWITCH=cJf else SWITCH=czf fi - TARBALL_NAME=${FILE_NAME_ROOT}.tar.${COMPRESSION} - tar --exclude-vcs -$SWITCH ${TARBALL_NAME} $TO_COMPRESS - mv ${TARBALL_NAME} .. + TARBALL_NAME=${FILE_NAME_ROOT}${EA_PART}.tar.${COMPRESSION} + XZ_OPT=${XZ_OPT-"-T0"} \ + tar --mtime="${TAR_TIME}" --owner=root --group=root --sort=name \ + --exclude-vcs -$SWITCH "${TARBALL_NAME}" "${TO_COMPRESS}" + mv "${TARBALL_NAME}" .. popd -echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT." +if [ "$WITH_TEMP" != "" ] ; then + echo "Tarball is: $(realpath --relative-to=.. .)/${TARBALL_NAME}" + popd +else + echo -n "Done. You may want to remove the uncompressed version" + echo " - $FILE_NAME_ROOT." +fi + +# Local Variables: +# compile-command: "shellcheck generate_source_tarball.sh" +# fill-column: 80 +# End: diff --git a/java-17-openjdk-portable.specfile b/java-17-openjdk-portable.specfile index 74673fe..0c39875 100644 --- a/java-17-openjdk-portable.specfile +++ b/java-17-openjdk-portable.specfile @@ -326,7 +326,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 9 +%global updatever 10 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, @@ -366,7 +366,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 51e1d00be4e +%global fipsver d63771ea660 %global javaver %{featurever} %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} @@ -381,7 +381,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 9 +%global buildver 7 %global rpmrelease 1 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit @@ -615,38 +615,45 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u # as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes +# The following list is generated by: +# git log %%{vcstag}.. --no-merges --format=%s --reverse: # Fixes currently included: -# PR3183, RH1340845: Follow system wide crypto policy -# PR3695: Allow use of system crypto policy to be disabled by the user -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +# PR3183, RH1340845: Support Fedora & RHEL system crypto policy +# PR3695: Allow system crypto policy enforcement to be toggled on/off +# RH1655466: Support global RHEL crypto policy +# RH1818909: Set default keystore type for PKCS11 provider in FIPS mode +# RH1860986: Disable TLSv1.3 in FIPS mode +# RH1915071: Always initialise configurator access.patch # RH1929465: Improve system FIPS detection -# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers -# RH1996182: Login to the NSS software token in FIPS mode -# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false -# RH2021263: Resolve outstanding FIPS issues -# RH2052819: Fix FIPS reliance on crypto policies -# RH2052829: Detect NSS at Runtime for FIPS detection +# RH1995150: Disable non-FIPS crypto in the SUN and SunEC providers +# RH1996182: Login to the NSS Software Token in FIPS Mode +# RH1929465: Don't define unused throwIOException function when using NSS detection +# RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access +# RH1991003: Enable the import of plain keys into the NSS software token. +# RH2021263: Return in C code after having generated Java exception +# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance +# RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support +# RH2051605: Detect NSS at Runtime for FIPS detection # RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode -# RH2023467: Enable FIPS keys export -# RH2094027: SunEC runtime permission for FIPS -# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage -# RH2090378: Revert to disabling system security properties and FIPS mode support together -# RH2104724: Avoid import/export of DH private keys -# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode -# Build the systemconf library on all platforms -# RH2048582: Support PKCS#12 keystores -# RH2020290: Support TLS 1.3 in FIPS mode -# Add nss.fips.cfg support to OpenJDK tree -# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode -# Remove forgotten dead code from RH2020290 and RH2104724 -# OJ1357: Fix issue on FIPS with a SecurityManager in place -# RH2134669: Add missing attributes when registering services in FIPS mode. -# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class -# RH1940064: Enable XML Signature provider in FIPS mode -# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized +# RH2023467: Enable FIPS keys export (#1) +# Run workflows on pull request, as we are not using SKARA. +# RH2094027: SunEC runtime permission for FIPS (#5) +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage (#8) +# RH2090378: Revert to disabling system security properties and FIPS mode support together (#4) +# Use encoded space rather than quoting for JTReg JAVA_OPTIONS +# RH2104724: Avoid import/export of DH private keys (#14) +# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode (#16) +# Build the systemconf library on all platforms (#7) +# RH2048582: Support PKCS#12 keystores (#2) +# RH2020290: Support TLS 1.3 in FIPS mode (#13) +# Add nss.fips.cfg support to OpenJDK tree (#22) +# RH2117972 - Extend the support for NSS DBs (PKCS11) in FIPS mode (#17) +# Remove forgotten dead code from #13 and #14 (#21) +# Fix issue on FIPS with a SecurityManager in place (#25) +# RH2134669: Add missing attributes when registering services in FIPS mode. (#19) +# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27) +# RH1940064: Enable XML Signature provider in FIPS mode (#24) +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26) Patch1001: fips-17u-%{fipsver}.patch ############################################# @@ -662,8 +669,8 @@ Patch1001: fips-17u-%{fipsver}.patch # OpenJDK patches appearing in 17.0.10 # ############################################# -# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar -Patch2000: jdk8312489-max_sig_default_increase.patch + +# Currently empty ############################################# # @@ -941,21 +948,20 @@ sh %{SOURCE12} %{top_level_dir_name} %endif # Patch the JDK +# -P N: apply patch number N, same as passing N as a positional argument on rpm >= 4.18 +# -p N: strip N leading slashes from paths pushd %{top_level_dir_name} -%patch1 -p1 -%patch3 -p1 -%patch6 -p1 +%patch -P1 -p1 +%patch -P3 -p1 +%patch -P6 -p1 # Add crypto policy and FIPS support -%patch1001 -p1 +%patch -P1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security -%patch1000 -p1 -# JDK-8312489 backport, coming in 17.0.10 -%patch2000 -p1 +%patch -P1000 -p1 # alt-java support -%patch600 -p1 +%patch -P600 -p1 popd # openjdk - # The OpenJDK version file includes the current # upstream version information. For some reason, # configure does not automatically use the @@ -973,9 +979,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then echo "WARNING: Designator mismatch"; echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; - # Temporarily commented out as local copy of jdk-17.0.8+7 has the wrong setting - # This is fixed in the final upstream version - # exit 17 + exit 17 fi # Extract systemtap tapsets @@ -1697,6 +1701,49 @@ done %{_jvmdir}/%{miscportablearchive}.sha256sum %changelog +* Thu Jan 11 2024 Andrew Hughes - 1:17.0.10.0.7-1 +- Update to jdk-17.0.10+7 (GA) +- Update release notes to 17.0.10+7 +- Move to -P usage for patch macro which works on all RPM versions +- Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release +- Switch to GA mode for release +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** + +* Thu Jan 11 2024 Thomas Fitzsimmons - 1:17.0.10.0.6-0.1.ea +- generate_source_tarball.sh: Add note on network usage of OPENJDK_LATEST +- generate_source_tarball.sh: Remove unneeded FIXME + +* Thu Jan 11 2024 Andrew Hughes - 1:17.0.10.0.6-0.1.ea +- Update release notes to 17.0.10+6 +- Revert change to patch macro due to failure on RHEL 8 +- generate_source_tarball.sh: Add --sort=name to tar invocation for reproducibility + +* Tue Jan 9 2024 Thomas Fitzsimmons - 1:17.0.10.0.6-0.1.ea +- Update to jdk-17.0.10+6 (EA) +- fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch +- generate_source_tarball.sh: Add WITH_TEMP environment variable +- generate_source_tarball.sh: Multithread xz on all available cores +- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable +- generate_source_tarball.sh: Update comment about tarball naming +- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT +- generate_source_tarball.sh: Set compile-command in Emacs +- generate_source_tarball.sh: Reformat comment header +- generate_source_tarball.sh: Reformat and update help output +- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks +- generate_source_tarball.sh: Do a shallow clone, for speed +- generate_source_tarball.sh: Append -ea designator when required +- generate_source_tarball.sh: Eliminate some removal prompting +- generate_source_tarball.sh: Make tarball reproducible +- generate_source_tarball.sh: Prefix temporary directory with temp- +- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash +- generate_source_tarball.sh: shellcheck: Double-quote variable references +- generate_source_tarball.sh: shellcheck: Do not use -a +- generate_source_tarball.sh: shellcheck: Do not use $ in expression +- generate_source_tarball.sh: Remove temporary directory exit conditions + +* Sat Oct 28 2023 Andrew Hughes - 1:17.0.9.0.9-2 +- Add missing CVE and release note to sync local NEWS with upstream release announcements + * Thu Oct 12 2023 Andrew Hughes - 1:17.0.9.0.9-1 - Update to jdk-17.0.9+9 (GA) - Update release notes to 17.0.9+9 diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 8ab817e..9c0eb42 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -322,7 +322,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 9 +%global updatever 10 %global patchver 0 # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, @@ -362,7 +362,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 51e1d00be4e +%global fipsver d63771ea660 %global javaver %{featurever} %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} @@ -377,7 +377,7 @@ %global origin_nice OpenJDK %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 9 +%global buildver 7 # rpmrelease numbering must start at 2 to be later than the 9.0 RPM %global rpmrelease 2 # Settings used by the portable build @@ -1347,8 +1347,6 @@ Patch600: rh1750419-redhat_alt_java.patch # Ignore AWTError when assistive technologies are loaded Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -# Restrict access to java-atk-wrapper classes -Patch2: rh1648644-java_access_bridge_privileged_security.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch # Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch @@ -1357,38 +1355,45 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u # as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes +# The following list is generated by: +# git log %%{vcstag}.. --no-merges --format=%s --reverse: # Fixes currently included: -# PR3183, RH1340845: Follow system wide crypto policy -# PR3695: Allow use of system crypto policy to be disabled by the user -# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider -# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode -# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available -# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +# PR3183, RH1340845: Support Fedora & RHEL system crypto policy +# PR3695: Allow system crypto policy enforcement to be toggled on/off +# RH1655466: Support global RHEL crypto policy +# RH1818909: Set default keystore type for PKCS11 provider in FIPS mode +# RH1860986: Disable TLSv1.3 in FIPS mode +# RH1915071: Always initialise configurator access.patch # RH1929465: Improve system FIPS detection -# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers -# RH1996182: Login to the NSS software token in FIPS mode -# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false -# RH2021263: Resolve outstanding FIPS issues -# RH2052819: Fix FIPS reliance on crypto policies -# RH2052829: Detect NSS at Runtime for FIPS detection +# RH1995150: Disable non-FIPS crypto in the SUN and SunEC providers +# RH1996182: Login to the NSS Software Token in FIPS Mode +# RH1929465: Don't define unused throwIOException function when using NSS detection +# RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access +# RH1991003: Enable the import of plain keys into the NSS software token. +# RH2021263: Return in C code after having generated Java exception +# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance +# RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support +# RH2051605: Detect NSS at Runtime for FIPS detection # RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode -# RH2023467: Enable FIPS keys export -# RH2094027: SunEC runtime permission for FIPS -# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage -# RH2090378: Revert to disabling system security properties and FIPS mode support together -# RH2104724: Avoid import/export of DH private keys -# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode -# Build the systemconf library on all platforms -# RH2048582: Support PKCS#12 keystores -# RH2020290: Support TLS 1.3 in FIPS mode -# Add nss.fips.cfg support to OpenJDK tree -# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode -# Remove forgotten dead code from RH2020290 and RH2104724 -# OJ1357: Fix issue on FIPS with a SecurityManager in place -# RH2134669: Add missing attributes when registering services in FIPS mode. -# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class -# RH1940064: Enable XML Signature provider in FIPS mode -# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized +# RH2023467: Enable FIPS keys export (#1) +# Run workflows on pull request, as we are not using SKARA. +# RH2094027: SunEC runtime permission for FIPS (#5) +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage (#8) +# RH2090378: Revert to disabling system security properties and FIPS mode support together (#4) +# Use encoded space rather than quoting for JTReg JAVA_OPTIONS +# RH2104724: Avoid import/export of DH private keys (#14) +# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode (#16) +# Build the systemconf library on all platforms (#7) +# RH2048582: Support PKCS#12 keystores (#2) +# RH2020290: Support TLS 1.3 in FIPS mode (#13) +# Add nss.fips.cfg support to OpenJDK tree (#22) +# RH2117972 - Extend the support for NSS DBs (PKCS11) in FIPS mode (#17) +# Remove forgotten dead code from #13 and #14 (#21) +# Fix issue on FIPS with a SecurityManager in place (#25) +# RH2134669: Add missing attributes when registering services in FIPS mode. (#19) +# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27) +# RH1940064: Enable XML Signature provider in FIPS mode (#24) +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26) Patch1001: fips-17u-%{fipsver}.patch ############################################# @@ -1402,8 +1407,8 @@ Patch1001: fips-17u-%{fipsver}.patch # OpenJDK patches appearing in 17.0.10 # ############################################# -# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar -Patch2000: jdk8312489-max_sig_default_increase.patch + +# Currently empty BuildRequires: autoconf BuildRequires: automake @@ -1838,22 +1843,20 @@ sh %{SOURCE12} %{top_level_dir_name} %endif # Patch the JDK +# -P N: apply patch number N, same as passing N as a positional argument on rpm >= 4.18 +# -p N: strip N leading slashes from paths pushd %{top_level_dir_name} -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch6 -p1 +%patch -P1 -p1 +%patch -P3 -p1 +%patch -P6 -p1 # Add crypto policy and FIPS support -%patch1001 -p1 +%patch -P1001 -p1 # nss.cfg PKCS11 support; must come last as it also alters java.security -%patch1000 -p1 -# JDK-8312489 backport, coming in 17.0.10 -%patch2000 -p1 +%patch -P1000 -p1 # alt-java support -%patch600 -p1 +%patch -P600 -p1 popd # openjdk - # The OpenJDK version file includes the current # upstream version information. For some reason, # configure does not automatically use the @@ -1871,9 +1874,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then echo "WARNING: Designator mismatch"; echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'" echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'"; - # Temporarily commented out as local copy of jdk-17.0.8+7 has the wrong setting - # This is fixed in the final upstream version - # exit 17 + exit 17 fi # Prepare desktop files @@ -2473,6 +2474,41 @@ cjc.mainProgram(args) %endif %changelog +* Thu Jan 11 2024 Andrew Hughes - 1:17.0.10.0.7-1 +- Update to jdk-17.0.10+7 (GA) +- Sync the copy of the portable specfile with the latest update +- Move to -P usage for patch macro which works on all RPM versions +- Remove RH1648644 patch not in portable build (and so not applied to binary used) +- Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release +- generate_source_tarball.sh: Add --sort=name to tar invocation for reproducibility +- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. ** +- Resolves: RHEL-20997 + +* Thu Jan 11 2024 Thomas Fitzsimmons - 1:17.0.10.0.7-1 +- Update to jdk-17.0.10+6 (EA) +- fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch +- generate_source_tarball.sh: Add WITH_TEMP environment variable +- generate_source_tarball.sh: Multithread xz on all available cores +- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable +- generate_source_tarball.sh: Update comment about tarball naming +- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT +- generate_source_tarball.sh: Set compile-command in Emacs +- generate_source_tarball.sh: Reformat comment header +- generate_source_tarball.sh: Reformat and update help output +- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks +- generate_source_tarball.sh: Do a shallow clone, for speed +- generate_source_tarball.sh: Append -ea designator when required +- generate_source_tarball.sh: Eliminate some removal prompting +- generate_source_tarball.sh: Make tarball reproducible +- generate_source_tarball.sh: Prefix temporary directory with temp- +- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash +- generate_source_tarball.sh: shellcheck: Double-quote variable references +- generate_source_tarball.sh: shellcheck: Do not use -a +- generate_source_tarball.sh: shellcheck: Do not use $ in expression +- generate_source_tarball.sh: Remove temporary directory exit conditions +- generate_source_tarball.sh: Add note on network usage of OPENJDK_LATEST +- Related: RHEL-20997 + * Thu Oct 12 2023 Andrew Hughes - 1:17.0.9.0.9-1 - Update to jdk-17.0.9+9 (GA) - Sync the copy of the portable specfile with the latest update diff --git a/jdk8312489-max_sig_default_increase.patch b/jdk8312489-max_sig_default_increase.patch deleted file mode 100644 index 8aeb261..0000000 --- a/jdk8312489-max_sig_default_increase.patch +++ /dev/null @@ -1,50 +0,0 @@ -commit 5b613e3ebed6c141146e743e64c894fe4f39421e -Author: Andrew John Hughes -Date: Fri Sep 1 15:53:41 2023 +0000 - - 8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar - - Backport-of: e47a84f23dd2608c6f5748093eefe301fb5bf750 - -diff --git a/src/java.base/share/classes/java/util/jar/JarFile.java b/src/java.base/share/classes/java/util/jar/JarFile.java -index bd538649a4f..70cf99504e4 100644 ---- a/src/java.base/share/classes/java/util/jar/JarFile.java -+++ b/src/java.base/share/classes/java/util/jar/JarFile.java -@@ -803,7 +803,9 @@ private byte[] getBytes(ZipEntry ze) throws IOException { - throw new IOException("Unsupported size: " + uncompressedSize + - " for JarEntry " + ze.getName() + - ". Allowed max size: " + -- SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes"); -+ SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes. " + -+ "You can use the jdk.jar.maxSignatureFileSize " + -+ "system property to increase the default value."); - } - int len = (int)uncompressedSize; - int bytesRead; -diff --git a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java -index 4ea9255ba0a..05acdcb9474 100644 ---- a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java -+++ b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java -@@ -856,16 +856,16 @@ private static int initializeMaxSigFileSize() { - * the maximum allowed number of bytes for the signature-related files - * in a JAR file. - */ -- Integer tmp = GetIntegerAction.privilegedGetProperty( -- "jdk.jar.maxSignatureFileSize", 8000000); -+ int tmp = GetIntegerAction.privilegedGetProperty( -+ "jdk.jar.maxSignatureFileSize", 16000000); - if (tmp < 0 || tmp > MAX_ARRAY_SIZE) { - if (debug != null) { -- debug.println("Default signature file size 8000000 bytes " + -- "is used as the specified size for the " + -- "jdk.jar.maxSignatureFileSize system property " + -+ debug.println("The default signature file size of 16000000 bytes " + -+ "will be used for the jdk.jar.maxSignatureFileSize " + -+ "system property since the specified value " + - "is out of range: " + tmp); - } -- tmp = 8000000; -+ tmp = 16000000; - } - return tmp; - } diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch deleted file mode 100644 index 53026ad..0000000 --- a/rh1648644-java_access_bridge_privileged_security.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- openjdk/src/java.base/share/conf/security/java.security -+++ openjdk/src/java.base/share/conf/security/java.security -@@ -304,6 +304,8 @@ - # - package.access=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # List of comma-separated packages that start with or equal this string -@@ -316,6 +318,8 @@ - # - package.definition=sun.misc.,\ - sun.reflect.,\ -+ org.GNOME.Accessibility.,\ -+ org.GNOME.Bonobo.,\ - - # - # Determines whether this properties file can be appended to diff --git a/sources b/sources index 5222947..4fd3575 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-17.0.9+9.tar.xz) = 33225a1070077c9504b4857734305f301e51b93a929274d460ddc3dc042ce15943030f8af928c11962743a928619ea39daa453d8fb1c8ea5a334a4b6490a00ee +SHA512 (openjdk-17.0.10+7.tar.xz) = 066acec5dbc76d753a3aba3a8a85ef477f9e379ebfd6338c5026e2f8b329b0a08f878fcbb7f6fdefba99ec45415ac22e01e7439831749816717adb1a0d8230d1