Commit Graph

56 Commits

Author SHA1 Message Date
Andrew Hughes
60b0ba249b Update FIPS support to bring in latest changes
* Add nss.fips.cfg support to OpenJDK tree
* RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
* Remove forgotten dead code from RH2020290 and RH2104724

Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build

Resolves: rhbz#2118493
2022-11-23 23:22:55 +00:00
Andrew Hughes
bddc601af1 Update to jdk-17.0.5+8 (GA)
Update release notes to 17.0.5+8 (GA)
Switch to GA mode for final release.
Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
Update CLDR data with Europe/Kyiv (JDK-8293834)
Drop JDK-8292223 patch which we found to be unnecessary
Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
Remove freetype sources along with zlib sources

Resolves: rhbz#2133695
2022-10-26 06:05:33 +01:00
Andrew Hughes
2a4a44856f Update to jdk-17.0.5+7
Update release notes to 17.0.5+7

Resolves: rhbz#2130622
2022-10-07 09:11:36 +01:00
Andrew Hughes
294f63dbef Update to jdk-17.0.5+1
Update release notes to 17.0.5+1
Switch to EA mode for 17.0.5 pre-release builds.
Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
Bump FreeType bundled version to 2.12.1 following JDK-8290334

Related: rhbz#2130622
2022-10-05 18:10:20 +01:00
Andrew Hughes
d04417859d Switch to static builds, reducing system dependencies and making build more portable
Resolves: rhbz#2121268
2022-08-30 01:24:13 +01:00
Andrew Hughes
75d8e4a02b Fix flatpak builds (catering for their uncompressed manual pages)
...see
<https://docs.fedoraproject.org/en-US/flatpak/troubleshooting/#_uncompressed_manual_pages>
for details

Fix flatpak builds

...after 19065a8b01585a1aa5f22e38e99fc0c47c597074 "Temporarily move x86 to use
Zero in order to get a working build":

When building the

>       if ${run_bootstrap} ; then

branch for suffix='' and loop='-main', the second

>           buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}

uses the JDK (`$(pwd)/${bootinstalldir}/images/%{jdkimage}`) from the installjdk
on the previous line.  But installjdk does

>       rm ${imagepath}/lib/tzdb.dat
>       ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat

which made that JDK's tzdb.dat link to /app/share/javazi-1.8/tzdb.dat in a
flatpak build (rather than the usual /usr/share/javazi-1.8/tzdb.dat in a non-
flatpak build) which is not present at build-time (but will be present at
runtime in at least the LibreOffice flatpak, which bundles tzdata-java built for
the flatpak /app prefix).  So using that JDK's compiler during the build kept
failing due to java.io.FileNotFoundException for its lib/tzdb.dat.

(This was not an issue prior to 19065a8b01585a1aa5f22e38e99fc0c47c597074, as
installjdk's modification of lib/tzdb.dat used to be done only for the "Final
setup on the main image" at the very end of the build, not during the build for
JDKs that are themselves used later during the build.)

The easiest workaround for this issue appears to be to just not bootstrap_build
in the flatpak case, avoiding the situation that a JDK whose lib/tzdb.dat has
been modified through installjdk is used during the build.

Resolves: rhbz#2102726
2022-08-29 18:04:22 +01:00
Andrew Hughes
674cdfbcb9 Update FIPS support to bring in latest changes
* RH2104724: Avoid import/export of DH private keys
* RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
* Build the systemconf library on all platforms
* RH2048582: Support PKCS#12 keystores
* RH2020290: Support TLS 1.3 in FIPS mode

Resolves: rhbz#2104725
Resolves: rhbz#2117758
Resolves: rhbz#2115164
Resolves: rhbz#2029665
2022-08-29 15:13:57 +01:00
Andrew Hughes
aa8a052ae2 Update to jdk-17.0.4.1+1
Update release notes to 17.0.4.1+1
Add patch to provide translations for Europe/Kyiv added in tzdata2022b
Add test to ensure timezones can be translated

Resolves: rhbz#2119532
2022-08-21 12:10:43 +01:00
Andrew Hughes
084ca2b8b5 Update to jdk-17.0.3.0+8
Update release notes to 17.0.3.0+8
Switch to GA mode for release

Resolves: rhbz#2106524
2022-07-22 10:28:57 +01:00
Andrew Hughes
cef4d307f5 - Revert the following changes until copy-java-configs has adapted to relative symlinks:
* Move cacerts replacement to install section and retain original of this and tzdb.dat
* Run tests on the installed image, rather than the build image
* Introduce variables to refer to the static library installation directories
* Use relative symlinks so they work within the image
* Run debug symbols check during build stage, before the install strips them

The move of turning on system security properties is retained so we don't ship with them off

Related: rhbz#2084218
2022-07-20 11:06:41 +01:00
Andrew Hughes
c308709d10 Update to jdk-17.0.3.0+7
Update release notes to 17.0.3.0+7
Need to include the '.S' suffix in debuginfo checks after JDK-8284661
Explicitly require crypto-policies during build and runtime for system security properties
Make use of the vendor version string to store our version & release rather than an upstream release date
Include a test in the RPM to check the build has the correct vendor information.
Fix issue where CheckVendor.java test erroneously passes when it should fail.
Add proper quoting so '&' is not treated as a special character by the shell.

Resolves: rhbz#2084218
2022-07-17 18:37:13 +01:00
Andrew Hughes
a4d2ca79e8 Update to jdk-17.0.4.0+1
Update release notes to 17.0.4.0+1
Switch to EA mode for 17.0.4 pre-release builds.
Print release file during build, which should now include a correct SOURCE value from .src-rev
Update tarball script with IcedTea GitHub URL and .src-rev generation
Include script to generate bug list for release notes
Update tzdata requirement to 2022a to match JDK-8283350
Move EA designator check to prep so failures can be caught earlier
Make EA designator check non-fatal while upstream is not maintaining it

Related: rhbz#2084218
2022-07-12 03:59:57 +01:00
Andrew Hughes
4d1d142a1e Fix whitespace in spec file
Related: rhbz#2100677
2022-07-08 21:35:49 +01:00
Andrew Hughes
78ce190731 Sequence spec file sections as they are run by rpmbuild (build, install then test)
Related: rhbz#2100677
2022-07-08 21:31:40 +01:00
Andrew Hughes
dca2f55ea3 Turn on system security properties as part of the build's install section
Move cacerts replacement to install section and retain original of this and tzdb.dat
Run tests on the installed image, rather than the build image
Introduce variables to refer to the static library installation directories
Use relative symlinks so they work within the image
Run debug symbols check during build stage, before the install strips them

Related: rhbz#2100677
2022-07-08 17:39:32 +01:00
Francisco Ferrari Bihurriet
fb297243dc RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see:
https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION

Resolves: rhbz#2102433
2022-07-08 04:09:10 +01:00
Andrew John Hughes
01cf14b7a6 Update FIPS support to bring in latest changes
* RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
* RH2090378: Revert to disabling system security properties and FIPS mode support together

Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
Enable system security properties in the RPM (now disabled by default in the FIPS repo)
Improve security properties test to check both enabled and disabled behaviour
Run security properties test with property debugging on

Resolves: rhbz#2099844
Resolves: rhbz#2100677
2022-06-27 18:43:22 +01:00
Andrew Hughes
6a89094f84 Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
RH2023467: Enable FIPS keys export
RH2094027: SunEC runtime permission for FIPS

Resolves: rhbz#2029657
Resolves: rhbz#2096117
2022-06-14 20:19:46 +01:00
Andrew Hughes
30b21c5259 April 2022 security update to jdk 17.0.3+7
Update to jdk-17.0.3.0+7 tarball
Update release notes to 17.0.3.0+7
Add missing README.md and generate_source_tarball.sh
Switch to GA mode for release
JDK-8283911 patch no longer needed now we're GA...

Resolves: rhbz#2073579
2022-04-21 03:09:12 +01:00
Andrew Hughes
cbd2e1ee1d Update to jdk-17.0.3.0+5
Update release notes to 17.0.3.0+5

Resolves: rhbz#2050460
2022-04-06 01:40:35 +01:00
Andrew Hughes
045d1d1de8 Update to jdk-17.0.3.0+1
Update release notes to 17.0.3.0+1
Switch to EA mode for 17.0.3 pre-release builds.
Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value

Related: rhbz#2050460
2022-03-30 04:32:08 +01:00
Andrew Hughes
a1c90bb786 Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
Resolves: rhbz#2055383
2022-02-28 06:37:47 +00:00
Andrew Hughes
1172935e21 Add rpminspect.yaml to turn off Java bytecode inspections
java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode

Resolves: rhbz#2023540
2022-02-28 04:40:37 +00:00
Andrew Hughes
432eae58ca Introduce tests/tests.yml, based on the one in java-11-openjdk
Resolves: rhbz#2058490
2022-02-27 02:54:33 +00:00
Jiri
45a200751f Storing and restoring alternatives during update manually
Fixing:
Bug 2001567 - update of JDK/JRE is removing its manually selected alternatives and select (as auto) system JDK/JRE

The move of alternatives creation to posttrans to fix:
Bug 1200302 - dnf reinstall breaks alternatives
Had caused the alternatives to be removed, and then created again,
instead of being added, and then removing the old, and thus persisting
the selection in family

Thus this fix is storing the family of manually selected master, and if
stored, then it is restoring the family of the master
2022-02-26 10:24:13 +01:00
Andrew Hughes
8f31e878a5 Family extracted to globals
Related: rhbz#2008206
2022-02-25 17:24:15 +00:00
Andrew Hughes
554f0c4bb8 Detect NSS at runtime for FIPS detection
Turn off build-time NSS linking and go back to an explicit Requires on NSS

Resolves: rhbz#2052829
2022-02-23 17:53:35 +00:00
Andrew Hughes
d0f5e2a431 Add JDK-8275535 patch to fix LDAP authentication issue.
Resolves: rhbz#2053521
2022-02-23 03:33:43 +00:00
Andrew Hughes
adde3ad33b Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
Resolves: rhbz#2052819
2022-02-21 20:10:10 +00:00
Andrew Hughes
37c16ffafe Fix FIPS issues in native code and with initialisation of java.security.Security
Resolves: rhbz#2023531
2022-02-18 02:12:37 +00:00
Andrew Hughes
fd93b6637f Cherry-pick appropriate spec file changes from Fedora
* Restructure the build so a minimal initial build is then used for the final build (with docs)
  - This reduces pressure on the system JDK and ensures the JDK being built can do a full build
* Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
* Handle Fedora in distro conditionals that currently only pertain to RHEL.
* Replace tabs by sets of spaces to make rpmlint happy
  - Run OpenJDK normalizer script on the spec file to fix further rogue whitespace
* javadoc-zip gets its own provides next to plain javadoc ones
* Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
* Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
  - Need to support noarch for creating source RPMs for non-scratch builds.
* Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
  - Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
  - Explicitly list JIT architectures rather than relying on those with slowdebug builds
  - Disable the serviceability agent on Zero architectures even when the architecture itself is supported

Resolves: rhbz#2022826
2022-02-17 19:18:04 +00:00
Andrew Hughes
65bc52e7a0 Minor cosmetic improvements to make spec more comparable between variants
Related: rhbz#2022826
2022-02-16 03:52:09 +00:00
Andrew Hughes
d3bc4567f3 Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository

Related: rhbz#2022826
2022-02-16 00:33:09 +00:00
Andrew Hughes
a8b9b10273 January 2022 security update to jdk 17.0.2+8
Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
Rename libsvml.so to libjsvml.so following JDK-8276025
Drop JDK-8276572 patch which is now upstream

Resolves: rhbz#2039392
2022-02-11 12:48:59 +00:00
Andrew Hughes
1f415e6830 Sync desktop files with upstream IcedTea release 3.15.0 using new script
Related: rhbz#2022826
2022-02-10 21:14:21 +00:00
Andrew Hughes
821e2145f6 Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy secmod.db file as part of nss
Resolves: rhbz#2023537
2021-11-29 19:36:18 +00:00
Andrew Hughes
defc5e1dd6 October CPU update to jdk 17.0.1+12
Dropped commented-out source line
Drop JDK-8272332 patch now included upstream.

Resolves: rhbz#2013846
2021-11-16 18:51:08 +00:00
Andrew Hughes
3cd0505fe2 Set LTS designator on RHEL, but not Fedora or EPEL.
Related: rhbz#2013846
2021-11-09 01:58:54 +00:00
Jiri Vanek
b291d3f668 alternatives creation moved to posttrans
- Thus fixing the old reinstall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
2021-11-08 15:38:19 +01:00
Andrew Hughes
bf21f1a810 Patch syslookup.c so it actually has some code to be compiled into libsyslookup
Related: rhbz#2013846
2021-11-07 01:50:01 +00:00
Andrew Hughes
ccefd13b01 Add FIPS patch to allow plain key import.
Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false

Resolves: rhbz#1994682
2021-10-11 03:24:35 +01:00
Andrew Hughes
4b932ebee8 Update release notes to document the major changes between OpenJDK 11 & 17.
Resolves: rhbz#2000925
2021-10-10 23:05:32 +01:00
Andrew Hughes
da06035ff0 Update to jdk-17+35, also known as jdk-17-ga.
Switch to GA mode.
Add JDK-8272332 fix so we actually link against HarfBuzz.

Resolves: rhbz#2000925
2021-09-19 13:38:46 +01:00
Andrew Hughes
1c4a8bc563 Extend the default security policy to accommodate PKCS11 accessing jdk.internal.access.
Resolves: rhbz#1997359
2021-08-30 16:52:43 +01:00
Andrew Hughes
027bbcc4e3 Add patch to login to the NSS software token when in FIPS mode.
Fix unused function compiler warning found in systemconf.c

Resolves: rhbz#1997359
Related: rhbz#1995889
2021-08-28 01:38:47 +01:00
Andrew Hughes
cba3bba79b Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
Resolves: rhbz#1995889
2021-08-27 23:17:20 +01:00
Andrew Hughes
d4c6f7c9b1 Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.

Related: rhbz#1995889
2021-08-27 21:22:49 +01:00
Andrew Hughes
584ffa5a36 Support the FIPS mode crypto policy (RH1655466)
Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
Disable FIPS mode support unless com.redhat.fips is set to "true".
Use appropriate keystore types when in FIPS mode (RH1818909)
Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)

Related: rhbz#1995889
2021-08-27 05:58:02 +01:00
Andrew Hughes
ee6b0f24ba Update to jdk-17+33, including JDWP fix and July 2021 CPU
Resolves: rhbz#1870625
2021-08-26 18:47:16 +01:00
Andrew Hughes
f9155e4763 Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
Remove restriction on disabling product build, as debug packages no longer have javadoc packages.

Resolves: rhbz#1870625
2021-08-26 03:36:42 +01:00