rpms/java-17-openjdk
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Update FIPS patch

Browse Source 
- Update FIPS patch
- Related: RHEL-86624
This commit is contained in:
Thomas Fitzsimmons 2025-04-06 13:07:08 -04:00
parent fe1c06be2e
commit ebfd33aa59
2 changed files with 32 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
fips-17u-e893be00150.patch → fips-17u-df4c415ac9a.patch
View File

@ -116,7 +116,7 @@ index 00000000000..f48fc7f7e80
+ AC_SUBST(NSS_LIBDIR)
+])
diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
index 62db5b16c31..f0bb4333fc9 100644
index 865feea36d9..5c3a137e65c 100644
--- a/make/autoconf/libraries.m4
+++ b/make/autoconf/libraries.m4
@@ -33,6 +33,7 @@ m4_include([lib-std.m4])
@ -2508,7 +2508,7 @@ index 00000000000..dc8bc72fccb
+ }
+}
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 8f6e1e12a7e..2726391bcea 100644
index e26b7f8c394..08effe23fce 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -82,6 +82,17 @@ security.provider.tbd=Apple
@ -3496,7 +3496,7 @@ index 00000000000..f8d505ca815
+}
\ No newline at end of file
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
index d12244337a5..f2e8e4094c8 100644
index e05892e2c22..cb40c3bf794 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
@@ -37,6 +37,8 @@ import javax.crypto.*;
@ -3518,7 +3518,7 @@ index d12244337a5..f2e8e4094c8 100644
private static final long serialVersionUID = -2575874101938349339L;
private static final String PUBLIC = "public";
@@ -393,9 +398,10 @@ abstract class P11Key implements Key, Length {
@@ -406,9 +411,10 @@ abstract class P11Key implements Key, Length {
new CK_ATTRIBUTE(CKA_EXTRACTABLE),
});
@ -3532,7 +3532,7 @@ index d12244337a5..f2e8e4094c8 100644
switch (algorithm) {
case "RSA":
@@ -450,7 +456,8 @@ abstract class P11Key implements Key, Length {
@@ -463,7 +469,8 @@ abstract class P11Key implements Key, Length {
public String getFormat() {
token.ensureValid();
@ -4072,7 +4072,7 @@ index cabee449346..72b64f72c0a 100644
// empty
}
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index aa35e8fa668..1855e5631bd 100644
index 00fbbcfe07c..b5a30c6da4e 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
@ -4411,10 +4411,10 @@ index aa35e8fa668..1855e5631bd 100644
d(SIG, "RawDSA", P11Signature,
List.of("NONEwithDSA"),
m(CKM_DSA));
@@ -1144,9 +1356,21 @@ public final class SunPKCS11 extends AuthProvider {
if (ds == null) {
@@ -1120,9 +1332,21 @@ public final class SunPKCS11 extends AuthProvider {
continue;
}
boolean allowLegacy = config.getAllowLegacy();
+ descLoop:
for (Descriptor d : ds) {
Integer oldMech = supportedAlgs.get(d);
@ -4430,10 +4430,10 @@ index aa35e8fa668..1855e5631bd 100644
+ }
+ }
+ }
supportedAlgs.put(d, integerMech);
continue;
}
@@ -1220,11 +1444,52 @@ public final class SunPKCS11 extends AuthProvider {
// assume full support if no mech info available
if (!allowLegacy && mechInfo != null) {
@@ -1211,11 +1435,52 @@ public final class SunPKCS11 extends AuthProvider {
}
@Override
@ -4486,7 +4486,7 @@ index aa35e8fa668..1855e5631bd 100644
try {
return newInstance0(param);
} catch (PKCS11Exception e) {
@@ -1244,6 +1509,8 @@ public final class SunPKCS11 extends AuthProvider {
@@ -1235,6 +1500,8 @@ public final class SunPKCS11 extends AuthProvider {
} else if (algorithm.endsWith("GCM/NoPadding") ||
algorithm.startsWith("ChaCha20-Poly1305")) {
return new P11AEADCipher(token, algorithm, mechanism);
@ -4495,7 +4495,7 @@ index aa35e8fa668..1855e5631bd 100644
} else {
return new P11Cipher(token, algorithm, mechanism);
}
@@ -1579,6 +1846,9 @@ public final class SunPKCS11 extends AuthProvider {
@@ -1570,6 +1837,9 @@ public final class SunPKCS11 extends AuthProvider {
try {
session = token.getOpSession();
p11.C_Logout(session.id());
@ -4592,7 +4592,7 @@ index 0c9ebb289c1..b4b2448464d 100644
// CK_MECHANISM(long) constructor and setParameter(CK_RSA_PKCS_PSS_PARAMS)
// methods instead of creating yet another constructor
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
index e8b048869c4..a25fa1c39e5 100644
index 7b874ced493..d6c291ebc57 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/CK_PBE_PARAMS.java
@@ -50,15 +50,15 @@ package sun.security.pkcs11.wrapper;
@ -4895,7 +4895,7 @@ index 1f9c4d39f57..5e3c1b9d29f 100644
public String toString() {
StringBuilder sb = new StringBuilder();
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
index 5c0aacd1a67..d796aaa3075 100644
index 421c4212361..4e6520e70a1 100644
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,9 @@ package sun.security.pkcs11.wrapper;
@ -4999,7 +4999,7 @@ index 5c0aacd1a67..d796aaa3075 100644
/**
* Connects this object to the specified PKCS#11 library. This method is for
* internal use only.
@@ -1625,7 +1677,7 @@ public class PKCS11 {
@@ -1661,7 +1713,7 @@ public class PKCS11 {
static class SynchronizedPKCS11 extends PKCS11 {
SynchronizedPKCS11(String pkcs11ModulePath, String functionListName)
@ -5008,7 +5008,7 @@ index 5c0aacd1a67..d796aaa3075 100644
super(pkcs11ModulePath, functionListName);
}
@@ -1911,4 +1963,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
@@ -1947,4 +1999,194 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
@ -5266,10 +5266,10 @@ index 0d65ee26805..38fd4aff1f3 100644
+ /* (CKM_NSS + 32) */ = 0xCE534370L;
}
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
index d941b574cc7..e2de13648be 100644
index 3ea91a6cfd1..26309f4f7b2 100644
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_convert.c
@@ -1515,6 +1515,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
@@ -1518,6 +1518,10 @@ CK_VOID_PTR jMechParamToCKMechParamPtrSlow(JNIEnv *env, jobject jParam,
case CKM_PBE_SHA1_DES3_EDE_CBC:
case CKM_PBE_SHA1_DES2_EDE_CBC:
case CKM_PBA_SHA1_WITH_SHA1_HMAC:
@ -5280,7 +5280,7 @@ index d941b574cc7..e2de13648be 100644
ckpParamPtr = jPbeParamToCKPbeParamPtr(env, jParam, ckpLength);
break;
case CKM_PKCS5_PBKD2:
@@ -1658,13 +1662,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
@@ -1661,13 +1665,13 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
// retrieve java values
jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS);
if (jPbeParamsClass == NULL) { return NULL; }
@ -5296,7 +5296,7 @@ index d941b574cc7..e2de13648be 100644
if (fieldID == NULL) { return NULL; }
jSalt = (*env)->GetObjectField(env, jParam, fieldID);
fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J");
@@ -1680,15 +1684,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
@@ -1683,15 +1687,15 @@ jPbeParamToCKPbeParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pLength)
// populate using java values
ckParamPtr->ulIteration = jLongToCKULong(jIteration);
@ -5315,7 +5315,7 @@ index d941b574cc7..e2de13648be 100644
if ((*env)->ExceptionCheck(env)) {
goto cleanup;
}
@@ -1767,31 +1771,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
@@ -1770,31 +1774,59 @@ void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, job
}
}
@ -5384,7 +5384,7 @@ index d941b574cc7..e2de13648be 100644
fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J");
if (fieldID == NULL) { return NULL; }
jSaltSource = (*env)->GetLongField(env, jParam, fieldID);
@@ -1807,36 +1839,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL
@@ -1810,36 +1842,60 @@ jPkcs5Pbkd2ParamToCKPkcs5Pbkd2ParamPtr(JNIEnv *env, jobject jParam, CK_ULONG *pL
fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B");
if (fieldID == NULL) { return NULL; }
jPrfData = (*env)->GetObjectField(env, jParam, fieldID);
@ -5458,7 +5458,7 @@ index d941b574cc7..e2de13648be 100644
return NULL;
diff --git a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
index 520bd52a2cd..aa76945283d 100644
index 84edb3c5105..0f49657ada1 100644
--- a/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
+++ b/src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_util.c
@@ -410,11 +410,27 @@ void freeCKMechanismPtr(CK_MECHANISM_PTR mechPtr) {
@ -5490,7 +5490,7 @@ index 520bd52a2cd..aa76945283d 100644
// PBE mechs, WTLS mechs, CMS mechs,
// CKM_EXTRACT_KEY_FROM_KEY, CKM_OTP, CKM_KIP,
// CKM_DSA_PARAMETER_GEN?, CKM_GOSTR3410_*
@@ -517,12 +533,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO
@@ -528,12 +544,11 @@ void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBO
jboolean* jpTemp;
CK_ULONG i;
@ -5505,7 +5505,7 @@ index 520bd52a2cd..aa76945283d 100644
jpTemp = (jboolean*) calloc(*ckpLength, sizeof(jboolean));
if (jpTemp == NULL) {
throwOutOfMemoryError(env, 0);
@@ -559,12 +574,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *
@@ -570,12 +585,11 @@ void jByteArrayToCKByteArray(JNIEnv *env, const jbyteArray jArray, CK_BYTE_PTR *
jbyte* jpTemp;
CK_ULONG i;
@ -5520,7 +5520,7 @@ index 520bd52a2cd..aa76945283d 100644
jpTemp = (jbyte*) calloc(*ckpLength, sizeof(jbyte));
if (jpTemp == NULL) {
throwOutOfMemoryError(env, 0);
@@ -606,12 +620,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR
@@ -617,12 +631,11 @@ void jLongArrayToCKULongArray(JNIEnv *env, const jlongArray jArray, CK_ULONG_PTR
jlong* jTemp;
CK_ULONG i;
@ -5535,7 +5535,7 @@ index 520bd52a2cd..aa76945283d 100644
jTemp = (jlong*) calloc(*ckpLength, sizeof(jlong));
if (jTemp == NULL) {
throwOutOfMemoryError(env, 0);
@@ -648,12 +661,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *
@@ -659,12 +672,11 @@ void jCharArrayToCKCharArray(JNIEnv *env, const jcharArray jArray, CK_CHAR_PTR *
jchar* jpTemp;
CK_ULONG i;
@ -5550,7 +5550,7 @@ index 520bd52a2cd..aa76945283d 100644
jpTemp = (jchar*) calloc(*ckpLength, sizeof(jchar));
if (jpTemp == NULL) {
throwOutOfMemoryError(env, 0);
@@ -690,12 +702,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH
@@ -701,12 +713,11 @@ void jCharArrayToCKUTF8CharArray(JNIEnv *env, const jcharArray jArray, CK_UTF8CH
jchar* jTemp;
CK_ULONG i;

3
java-17-openjdk.spec
View File

@ -364,7 +364,7 @@
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
%global fipsver e893be00150
%global fipsver df4c415ac9a
%global javaver %{featurever}
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
@ -2510,6 +2510,7 @@ cjc.mainProgram(args)
- Set bundled harfbuzz provide version to 8.2.2
- Require tzdata-java 2025a at runtime and for build
- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8
- Update FIPS patch
- Resolves: RHEL-86624
- ** This tarball is embargoed until 2025-04-15 @ 1pm PT. **