Commit Graph

36 Commits

Author SHA1 Message Date
Andrew Hughes
a1c90bb786 Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
Resolves: rhbz#2055383
2022-02-28 06:37:47 +00:00
Andrew Hughes
1172935e21 Add rpminspect.yaml to turn off Java bytecode inspections
java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode

Resolves: rhbz#2023540
2022-02-28 04:40:37 +00:00
Andrew Hughes
432eae58ca Introduce tests/tests.yml, based on the one in java-11-openjdk
Resolves: rhbz#2058490
2022-02-27 02:54:33 +00:00
Jiri
45a200751f Storing and restoring alternatives during update manually
Fixing:
Bug 2001567 - update of JDK/JRE is removing its manually selected alternatives and select (as auto) system JDK/JRE

The move of alternatives creation to posttrans to fix:
Bug 1200302 - dnf reinstall breaks alternatives
Had caused the alternatives to be removed, and then created again,
instead of being added, and then removing the old, and thus persisting
the selection in family

Thus this fix, is storing the family of manually selected master, and if
stored, then it is restoring the family of the master
2022-02-26 10:24:13 +01:00
Andrew Hughes
8f31e878a5 Family extracted to globals
Related: rhbz#2008206
2022-02-25 17:24:15 +00:00
Andrew Hughes
554f0c4bb8 Detect NSS at runtime for FIPS detection
Turn off build-time NSS linking and go back to an explicit Requires on NSS

Resolves: rhbz#2052829
2022-02-23 17:53:35 +00:00
Andrew Hughes
d0f5e2a431 Add JDK-8275535 patch to fix LDAP authentication issue.
Resolves: rhbz#2053521
2022-02-23 03:33:43 +00:00
Andrew Hughes
adde3ad33b Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
Resolves: rhbz#2052819
2022-02-21 20:10:10 +00:00
Andrew Hughes
37c16ffafe Fix FIPS issues in native code and with initialisation of java.security.Security
Resolves: rhbz#2023531
2022-02-18 02:12:37 +00:00
Andrew Hughes
fd93b6637f Cherry-pick appropriate spec file changes from Fedora
* Restructure the build so a minimal initial build is then used for the final build (with docs)
  - This reduces pressure on the system JDK and ensures the JDK being built can do a full build
* Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
* Handle Fedora in distro conditionals that currently only pertain to RHEL.
* Replace tabs by sets of spaces to make rpmlint happy
  - Run OpenJDK normalizer script on the spec file to fix further rogue whitespace
* javadoc-zip gets its own provides next to plain javadoc ones
* Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
* Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
  - Need to support noarch for creating source RPMs for non-scratch builds.
* Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
  - Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
  - Explicitly list JIT architectures rather than relying on those with slowdebug builds
  - Disable the serviceability agent on Zero architectures even when the architecture itself is supported

Resolves: rhbz#2022826
2022-02-17 19:18:04 +00:00
Andrew Hughes
65bc52e7a0 Minor cosmetic improvements to make spec more comparable between variants
Related: rhbz#2022826
2022-02-16 03:52:09 +00:00
Andrew Hughes
d3bc4567f3 Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@
Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository

Related: rhbz#2022826
2022-02-16 00:33:09 +00:00
Andrew Hughes
a8b9b10273 January 2022 security update to jdk 17.0.2+8
Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java
Rename libsvml.so to libjsvml.so following JDK-8276025
Drop JDK-8276572 patch which is now upstream

Resolves: rhbz#2039392
2022-02-11 12:48:59 +00:00
Andrew Hughes
1f415e6830 Sync desktop files with upstream IcedTea release 3.15.0 using new script
Related: rhbz#2022826
2022-02-10 21:14:21 +00:00
Andrew Hughes
821e2145f6 Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy secmod.db file as part of nss
Resolves: rhbz#2023537
2021-11-29 19:36:18 +00:00
Andrew Hughes
defc5e1dd6 October CPU update to jdk 17.0.1+12
Dropped commented-out source line
Drop JDK-8272332 patch now included upstream.

Resolves: rhbz#2013846
2021-11-16 18:51:08 +00:00
Andrew Hughes
3cd0505fe2 Set LTS designator on RHEL, but not Fedora or EPEL.
Related: rhbz#2013846
2021-11-09 01:58:54 +00:00
Jiri Vanek
b291d3f668 alternatives creation moved to posttrans
- Thus fixing the old reinstall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
2021-11-08 15:38:19 +01:00
Andrew Hughes
bf21f1a810 Patch syslookup.c so it actually has some code to be compiled into libsyslookup
Related: rhbz#2013846
2021-11-07 01:50:01 +00:00
Andrew Hughes
ccefd13b01 Add FIPS patch to allow plain key import.
Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false

Resolves: rhbz#1994682
2021-10-11 03:24:35 +01:00
Andrew Hughes
4b932ebee8 Update release notes to document the major changes between OpenJDK 11 & 17.
Resolves: rhbz#2000925
2021-10-10 23:05:32 +01:00
Andrew Hughes
da06035ff0 Update to jdk-17+35, also known as jdk-17-ga.
Switch to GA mode.
Add JDK-8272332 fix so we actually link against HarfBuzz.

Resolves: rhbz#2000925
2021-09-19 13:38:46 +01:00
Andrew Hughes
1c4a8bc563 Extend the default security policy to accommodate PKCS11 accessing jdk.internal.access.
Resolves: rhbz#1997359
2021-08-30 16:52:43 +01:00
Andrew Hughes
027bbcc4e3 Add patch to login to the NSS software token when in FIPS mode.
Fix unused function compiler warning found in systemconf.c

Resolves: rhbz#1997359
Related: rhbz#1995889
2021-08-28 01:38:47 +01:00
Andrew Hughes
cba3bba79b Add patch to disable non-FIPS crypto in the SUN and SunEC security providers.
Resolves: rhbz#1995889
2021-08-27 23:17:20 +01:00
Andrew Hughes
d4c6f7c9b1 Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.

Related: rhbz#1995889
2021-08-27 21:22:49 +01:00
Andrew Hughes
584ffa5a36 Support the FIPS mode crypto policy (RH1655466)
Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
Disable FIPS mode support unless com.redhat.fips is set to "true".
Use appropriate keystore types when in FIPS mode (RH1818909)
Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)

Related: rhbz#1995889
2021-08-27 05:58:02 +01:00
Andrew Hughes
ee6b0f24ba Update to jdk-17+33, including JDWP fix and July 2021 CPU
Resolves: rhbz#1870625
2021-08-26 18:47:16 +01:00
Andrew Hughes
f9155e4763 Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
Remove restriction on disabling product build, as debug packages no longer have javadoc packages.

Resolves: rhbz#1870625
2021-08-26 03:36:42 +01:00
Mohan Boddu
1103501516 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 21:03:49 +00:00
Andrew Hughes
a9c385cc9a Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
It makes the SunPKCS provider show up again

Resolves: rhbz#1870625
2021-07-14 05:44:00 +01:00
Jiri Vanek
2575952df8 Added gating.yaml
Resolves: rhbz#1870625
2021-07-13 17:42:35 +02:00
Severin Gehwolf
f9fcec76c3 Add possibility to disable system crypto policy
Add PR3695 to allow the system crypto policy to be turned off
Re-enable TestSecurityProperties after inclusion of PR3695

Resolves: rhbz#1870625
2021-07-06 03:59:27 +01:00
Andrew Hughes
780eb3f7a9 Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot.
Update buildjdkver to 17 so as to build with itself

Resolves: rhbz#1870625
2021-06-26 18:34:21 +01:00
Andrew Hughes
913d7c9e5b Import java-17-openjdk
Resolves: rhbz#1870625
2021-06-23 03:08:10 +01:00
Release Configuration Management
175fc84788 New branch setup
2020-12-10 15:04:50 +00:00