rpms/java-17-openjdk
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: rpms:imports/c8s/java-17-openjdk-17.0.3.0.5-0.1.ea.el8
Branches Tags
rpms:c8-beta
rpms:c8
rpms:a8-portable
rpms:a9
rpms:c9
rpms:c8s
rpms:c9s
rpms:c10s
rpms:a10s
rpms:a10s-portable
rpms:c9-bootstrap
rpms:c9-beta
rpms:imports/c8/java-17-openjdk-17.0.17.0.10-1.el8
rpms:changed/a8-portable/java-17-openjdk-17.0.17.0.10-1.0.1.el8
rpms:changed/a9/java-17-openjdk-17.0.17.0.10-1.el9.alma.1
rpms:imports/c9/java-17-openjdk-17.0.17.0.10-1.el9
rpms:changed/a8-portable/java-17-openjdk-17.0.16.0.8-2.el8
rpms:changed/a9/java-17-openjdk-17.0.16.0.8-2.el9.alma.1
rpms:imports/c9/java-17-openjdk-17.0.16.0.8-2.el9
rpms:imports/c8/java-17-openjdk-17.0.16.0.8-2.el8
rpms:changed/a9/java-17-openjdk-17.0.15.0.6-3.el9.alma.1
rpms:imports/c9/java-17-openjdk-17.0.15.0.6-3.el9
rpms:imports/c8/java-17-openjdk-17.0.15.0.6-2.el8
rpms:changed/a9/java-17-openjdk-17.0.15.0.6-2.el9.alma.1
rpms:imports/c9/java-17-openjdk-17.0.15.0.6-2.el9
rpms:changed/a9/java-17-openjdk-17.0.14.0.7-2.el9.alma.1
rpms:imports/c8/java-17-openjdk-17.0.14.0.7-3.el8
rpms:imports/c9/java-17-openjdk-17.0.14.0.7-2.el9
rpms:changed/a9/java-17-openjdk-17.0.13.0.11-4.el9.alma.1
rpms:imports/c9/java-17-openjdk-17.0.13.0.11-4.el9
rpms:changed/a9/java-17-openjdk-17.0.13.0.11-3.el9.alma.1
rpms:imports/c8/java-17-openjdk-17.0.13.0.11-3.el8
rpms:imports/c9/java-17-openjdk-17.0.13.0.11-3.el9
rpms:changed/a10s/java-17-openjdk-17.0.12.0.7-2.el10.alma.1
rpms:imports/c8/java-17-openjdk-17.0.12.0.7-2.el8
rpms:imports/c9/java-17-openjdk-17.0.12.0.7-2.el9
rpms:imports/c10s/java-17-openjdk-17.0.10.0.7-1.el10.1
rpms:imports/c8/java-17-openjdk-17.0.11.0.9-2.el8
rpms:imports/c9/java-17-openjdk-17.0.11.0.9-2.el9
rpms:imports/c9/java-17-openjdk-17.0.10.0.7-2.el9
rpms:imports/c8/java-17-openjdk-17.0.10.0.7-2.el8
rpms:imports/c8/java-17-openjdk-17.0.9.0.9-2.el8
rpms:imports/c9/java-17-openjdk-17.0.9.0.9-2.el9
rpms:imports/c9/java-17-openjdk-17.0.8.0.7-2.el9
rpms:imports/c8/java-17-openjdk-17.0.8.0.7-2.el8
rpms:imports/c8/java-17-openjdk-17.0.7.0.7-3.el8
rpms:changed/a9/java-17-openjdk-17.0.7.0.7-3.el9.alma
rpms:imports/c9/java-17-openjdk-17.0.7.0.7-3.el9
rpms:imports/c8/java-17-openjdk-17.0.7.0.7-1.el8_7
rpms:imports/c9/java-17-openjdk-17.0.7.0.7-1.el9_1
rpms:imports/c9-beta/java-17-openjdk-17.0.6.0.9-0.3.ea.el9
rpms:imports/c8-beta/java-17-openjdk-17.0.6.0.9-0.3.ea.el8
rpms:imports/c8s/java-17-openjdk-17.0.6.0.10-3.el8
rpms:imports/c8s/java-17-openjdk-17.0.6.0.9-0.4.ea.el8
rpms:imports/c9/java-17-openjdk-17.0.6.0.10-3.el9_1
rpms:imports/c8/java-17-openjdk-17.0.6.0.10-3.el8_7
rpms:imports/c8s/java-17-openjdk-17.0.6.0.9-0.3.ea.el8
rpms:imports/c8s/java-17-openjdk-17.0.6.0.1-0.3.ea.el8
rpms:imports/c8s/java-17-openjdk-17.0.5.0.8-5.el8
rpms:imports/c9/java-17-openjdk-17.0.5.0.8-1.el9_1
rpms:imports/c9/java-17-openjdk-17.0.4.1.1-5.el9
rpms:imports/c8s/java-17-openjdk-17.0.5.0.8-2.el8
rpms:imports/c8/java-17-openjdk-17.0.5.0.8-1.el8_7
rpms:imports/c8/java-17-openjdk-17.0.4.1.1-6.el8
rpms:imports/c9/java-17-openjdk-17.0.5.0.8-2.el9_0
rpms:imports/c8/java-17-openjdk-17.0.5.0.8-2.el8_6
rpms:imports/c9-beta/java-17-openjdk-17.0.4.0.8-3.el9
rpms:imports/c8-beta/java-17-openjdk-17.0.3.0.7-6.el8
rpms:imports/c9/java-17-openjdk-17.0.4.1.1-2.el9_0
rpms:imports/c8/java-17-openjdk-17.0.4.1.1-2.el8_6
rpms:imports/c9/java-17-openjdk-17.0.4.0.8-2.el9_0
rpms:imports/c8/java-17-openjdk-17.0.4.0.8-2.el8_6
rpms:imports/c9/java-17-openjdk-17.0.3.0.7-1.el9_0
rpms:imports/c9/java-17-openjdk-17.0.2.0.8-13.el9
rpms:imports/c8s/java-17-openjdk-17.0.3.0.7-1.el8
rpms:imports/c8s/java-17-openjdk-17.0.3.0.5-0.1.ea.el8
rpms:imports/c8/java-17-openjdk-17.0.3.0.7-2.el8_6
rpms:imports/c8/java-17-openjdk-17.0.2.0.8-15.el8
rpms:imports/c8/java-17-openjdk-17.0.3.0.6-2.el8_5
rpms:imports/c9-beta/java-17-openjdk-17.0.2.0.8-5.el9
rpms:imports/c8-beta/java-17-openjdk-17.0.2.0.8-6.el8
rpms:imports/c8s/java-17-openjdk-17.0.2.0.8-15.el8
rpms:imports/c9-beta/java-17-openjdk-17.0.2.0.8-2.el9
rpms:imports/c8/java-17-openjdk-17.0.2.0.8-4.el8_5
rpms:imports/c9-beta/java-17-openjdk-17.0.0.0.35-3.el9_b
rpms:imports/c9-beta/java-17-openjdk-17.0.0.0.33-0.5.ea.el9
rpms:imports/c8/java-17-openjdk-17.0.1.0.12-2.el8_5
rpms:imports/c8/java-17-openjdk-17.0.0.0.35-4.el8
rpms:imports/c8s/java-17-openjdk-17.0.0.0.35-5.el8
rpms:imports/c8s/java-17-openjdk-17.0.0.0.35-3.el8
rpms:imports/c8s/java-17-openjdk-17.0.0.0.33-0.5.ea.el8
rpms:imports/c8s/java-17-openjdk-17.0.0.0.33-0.1.ea.el8
rpms:imports/c8s/java-17-openjdk-17.0.0.0.26-0.2.ea.el8
rpms:imports/c8s/java-17-openjdk-17.0.0.0.26-0.1.ea.el8
rpms:imports/c8-beta/java-17-openjdk-17.0.0.0.33-0.5.ea.el8
...
compare: rpms:c8-beta
Branches Tags
rpms:c8
rpms:a8-portable
rpms:a9
rpms:c9
rpms:c8s
rpms:c9s
rpms:c10s
rpms:a10s
rpms:a10s-portable
rpms:c9-bootstrap
rpms:c9-beta
rpms:c8-beta
rpms:imports/c8/java-17-openjdk-17.0.17.0.10-1.el8
rpms:changed/a8-portable/java-17-openjdk-17.0.17.0.10-1.0.1.el8
rpms:changed/a9/java-17-openjdk-17.0.17.0.10-1.el9.alma.1
rpms:imports/c9/java-17-openjdk-17.0.17.0.10-1.el9
rpms:changed/a8-portable/java-17-openjdk-17.0.16.0.8-2.el8
rpms:changed/a9/java-17-openjdk-17.0.16.0.8-2.el9.alma.1
rpms:imports/c9/java-17-openjdk-17.0.16.0.8-2.el9
rpms:imports/c8/java-17-openjdk-17.0.16.0.8-2.el8
rpms:changed/a9/java-17-openjdk-17.0.15.0.6-3.el9.alma.1
rpms:imports/c9/java-17-openjdk-17.0.15.0.6-3.el9
rpms:imports/c8/java-17-openjdk-17.0.15.0.6-2.el8
rpms:changed/a9/java-17-openjdk-17.0.15.0.6-2.el9.alma.1
rpms:imports/c9/java-17-openjdk-17.0.15.0.6-2.el9
rpms:changed/a9/java-17-openjdk-17.0.14.0.7-2.el9.alma.1
rpms:imports/c8/java-17-openjdk-17.0.14.0.7-3.el8
rpms:imports/c9/java-17-openjdk-17.0.14.0.7-2.el9
rpms:changed/a9/java-17-openjdk-17.0.13.0.11-4.el9.alma.1
rpms:imports/c9/java-17-openjdk-17.0.13.0.11-4.el9
rpms:changed/a9/java-17-openjdk-17.0.13.0.11-3.el9.alma.1
rpms:imports/c8/java-17-openjdk-17.0.13.0.11-3.el8
rpms:imports/c9/java-17-openjdk-17.0.13.0.11-3.el9
rpms:changed/a10s/java-17-openjdk-17.0.12.0.7-2.el10.alma.1
rpms:imports/c8/java-17-openjdk-17.0.12.0.7-2.el8
rpms:imports/c9/java-17-openjdk-17.0.12.0.7-2.el9
rpms:imports/c10s/java-17-openjdk-17.0.10.0.7-1.el10.1
rpms:imports/c8/java-17-openjdk-17.0.11.0.9-2.el8
rpms:imports/c9/java-17-openjdk-17.0.11.0.9-2.el9
rpms:imports/c9/java-17-openjdk-17.0.10.0.7-2.el9
rpms:imports/c8/java-17-openjdk-17.0.10.0.7-2.el8
rpms:imports/c8/java-17-openjdk-17.0.9.0.9-2.el8
rpms:imports/c9/java-17-openjdk-17.0.9.0.9-2.el9
rpms:imports/c9/java-17-openjdk-17.0.8.0.7-2.el9
rpms:imports/c8/java-17-openjdk-17.0.8.0.7-2.el8
rpms:imports/c8/java-17-openjdk-17.0.7.0.7-3.el8
rpms:changed/a9/java-17-openjdk-17.0.7.0.7-3.el9.alma
rpms:imports/c9/java-17-openjdk-17.0.7.0.7-3.el9
rpms:imports/c8/java-17-openjdk-17.0.7.0.7-1.el8_7
rpms:imports/c9/java-17-openjdk-17.0.7.0.7-1.el9_1
rpms:imports/c9-beta/java-17-openjdk-17.0.6.0.9-0.3.ea.el9
rpms:imports/c8-beta/java-17-openjdk-17.0.6.0.9-0.3.ea.el8
rpms:imports/c8s/java-17-openjdk-17.0.6.0.10-3.el8
rpms:imports/c8s/java-17-openjdk-17.0.6.0.9-0.4.ea.el8
rpms:imports/c9/java-17-openjdk-17.0.6.0.10-3.el9_1
rpms:imports/c8/java-17-openjdk-17.0.6.0.10-3.el8_7
rpms:imports/c8s/java-17-openjdk-17.0.6.0.9-0.3.ea.el8
rpms:imports/c8s/java-17-openjdk-17.0.6.0.1-0.3.ea.el8
rpms:imports/c8s/java-17-openjdk-17.0.5.0.8-5.el8
rpms:imports/c9/java-17-openjdk-17.0.5.0.8-1.el9_1
rpms:imports/c9/java-17-openjdk-17.0.4.1.1-5.el9
rpms:imports/c8s/java-17-openjdk-17.0.5.0.8-2.el8
rpms:imports/c8/java-17-openjdk-17.0.5.0.8-1.el8_7
rpms:imports/c8/java-17-openjdk-17.0.4.1.1-6.el8
rpms:imports/c9/java-17-openjdk-17.0.5.0.8-2.el9_0
rpms:imports/c8/java-17-openjdk-17.0.5.0.8-2.el8_6
rpms:imports/c9-beta/java-17-openjdk-17.0.4.0.8-3.el9
rpms:imports/c8-beta/java-17-openjdk-17.0.3.0.7-6.el8
rpms:imports/c9/java-17-openjdk-17.0.4.1.1-2.el9_0
rpms:imports/c8/java-17-openjdk-17.0.4.1.1-2.el8_6
rpms:imports/c9/java-17-openjdk-17.0.4.0.8-2.el9_0
rpms:imports/c8/java-17-openjdk-17.0.4.0.8-2.el8_6
rpms:imports/c9/java-17-openjdk-17.0.3.0.7-1.el9_0
rpms:imports/c9/java-17-openjdk-17.0.2.0.8-13.el9
rpms:imports/c8s/java-17-openjdk-17.0.3.0.7-1.el8
rpms:imports/c8s/java-17-openjdk-17.0.3.0.5-0.1.ea.el8
rpms:imports/c8/java-17-openjdk-17.0.3.0.7-2.el8_6
rpms:imports/c8/java-17-openjdk-17.0.2.0.8-15.el8
rpms:imports/c8/java-17-openjdk-17.0.3.0.6-2.el8_5
rpms:imports/c9-beta/java-17-openjdk-17.0.2.0.8-5.el9
rpms:imports/c8-beta/java-17-openjdk-17.0.2.0.8-6.el8
rpms:imports/c8s/java-17-openjdk-17.0.2.0.8-15.el8
rpms:imports/c9-beta/java-17-openjdk-17.0.2.0.8-2.el9
rpms:imports/c8/java-17-openjdk-17.0.2.0.8-4.el8_5
rpms:imports/c9-beta/java-17-openjdk-17.0.0.0.35-3.el9_b
rpms:imports/c9-beta/java-17-openjdk-17.0.0.0.33-0.5.ea.el9
rpms:imports/c8/java-17-openjdk-17.0.1.0.12-2.el8_5
rpms:imports/c8/java-17-openjdk-17.0.0.0.35-4.el8
rpms:imports/c8s/java-17-openjdk-17.0.0.0.35-5.el8
rpms:imports/c8s/java-17-openjdk-17.0.0.0.35-3.el8
rpms:imports/c8s/java-17-openjdk-17.0.0.0.33-0.5.ea.el8
rpms:imports/c8s/java-17-openjdk-17.0.0.0.33-0.1.ea.el8
rpms:imports/c8s/java-17-openjdk-17.0.0.0.26-0.2.ea.el8
rpms:imports/c8s/java-17-openjdk-17.0.0.0.26-0.1.ea.el8
rpms:imports/c8-beta/java-17-openjdk-17.0.0.0.33-0.5.ea.el8

No commits in common. "imports/c8s/java-17-openjdk-17.0.3.0.5-0.1.ea.el8" and "c8-beta" have entirely different histories.
imports/c8 ... c8-beta

30 changed files with 7587 additions and 4306 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/openjdk-jdk17u-jdk-17.0.3+5.tar.xz
SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

2
.java-17-openjdk.metadata
View File

@ -1,2 +1,2 @@
0d36992602220a83adaff3bd0702efc02e616a0a SOURCES/openjdk-jdk17u-jdk-17.0.3+5.tar.xz
95213324016613e314e5c97dc87f31a0576df00c SOURCES/openjdk-jdk17u-jdk-17.0.6+9.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

65
SOURCES/CheckVendor.java Normal file
View File

@ -0,0 +1,65 @@
/* CheckVendor -- Check the vendor properties match specified values.
Copyright (C) 2020 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* @test
*/
public class CheckVendor {
public static void main(String[] args) {
if (args.length < 4) {
System.err.println("CheckVendor <VENDOR> <VENDOR-URL> <VENDOR-BUG-URL> <VENDOR-VERSION-STRING>");
System.exit(1);
}
String vendor = System.getProperty("java.vendor");
String expectedVendor = args[0];
String vendorURL = System.getProperty("java.vendor.url");
String expectedVendorURL = args[1];
String vendorBugURL = System.getProperty("java.vendor.url.bug");
String expectedVendorBugURL = args[2];
String vendorVersionString = System.getProperty("java.vendor.version");
String expectedVendorVersionString = args[3];
if (!expectedVendor.equals(vendor)) {
System.err.printf("Invalid vendor %s, expected %s\n",
vendor, expectedVendor);
System.exit(2);
}
if (!expectedVendorURL.equals(vendorURL)) {
System.err.printf("Invalid vendor URL %s, expected %s\n",
vendorURL, expectedVendorURL);
System.exit(3);
}
if (!expectedVendorBugURL.equals(vendorBugURL)) {
System.err.printf("Invalid vendor bug URL %s, expected %s\n",
vendorBugURL, expectedVendorBugURL);
System.exit(4);
}
if (!expectedVendorVersionString.equals(vendorVersionString)) {
System.err.printf("Invalid vendor version string %s, expected %s\n",
vendorVersionString, expectedVendorVersionString);
System.exit(5);
}
System.err.printf("Vendor information verified as %s, %s, %s, %s\n",
vendor, vendorURL, vendorBugURL, vendorVersionString);
}
}

1008
SOURCES/NEWS
View File

File diff suppressed because it is too large Load Diff

51
SOURCES/TestSecurityProperties.java
View File

@ -1,3 +1,20 @@
/* TestSecurityProperties -- Ensure system security properties can be used to
enable the crypto policies.
Copyright (C) 2022 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.io.File;
import java.io.FileInputStream;
import java.security.Security;
@ -9,35 +26,59 @@ public class TestSecurityProperties {
// JDK 8
private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
private static final String MSG_PREFIX = "DEBUG: ";
public static void main(String[] args) {
if (args.length == 0) {
System.err.println("TestSecurityProperties <true|false>");
System.err.println("Invoke with 'true' if system security properties should be enabled.");
System.err.println("Invoke with 'false' if system security properties should be disabled.");
System.exit(1);
}
boolean enabled = Boolean.valueOf(args[0]);
System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
Properties jdkProps = new Properties();
loadProperties(jdkProps);
if (enabled) {
loadPolicy(jdkProps);
}
for (Object key: jdkProps.keySet()) {
String sKey = (String)key;
String securityVal = Security.getProperty(sKey);
String jdkSecVal = jdkProps.getProperty(sKey);
if (!securityVal.equals(jdkSecVal)) {
String msg = "Expected value '" + jdkSecVal + "' for key '" +
String msg = "Expected value '" + jdkSecVal + "' for key '" +
sKey + "'" + " but got value '" + securityVal + "'";
throw new RuntimeException("Test failed! " + msg);
} else {
System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
}
}
System.out.println("TestSecurityProperties PASSED!");
}
private static void loadProperties(Properties props) {
String javaVersion = System.getProperty("java.version");
System.out.println("Debug: Java version is " + javaVersion);
System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
String propsFile = JDK_PROPS_FILE_JDK_11;
if (javaVersion.startsWith("1.8.0")) {
propsFile = JDK_PROPS_FILE_JDK_8;
}
try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
try (FileInputStream fin = new FileInputStream(propsFile)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
private static void loadPolicy(Properties props) {
try (FileInputStream fin = new FileInputStream(POLICY_FILE)) {
props.load(fin);
} catch (Exception e) {
throw new RuntimeException("Test failed!", e);
}
}
}

160
SOURCES/TestTranslations.java Normal file
View File

@ -0,0 +1,160 @@
/* TestTranslations -- Ensure translations are available for new timezones
Copyright (C) 2022 Red Hat, Inc.
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
import java.text.DateFormatSymbols;
import java.time.ZoneId;
import java.time.format.TextStyle;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Locale;
import java.util.Objects;
import java.util.TimeZone;
public class TestTranslations {
private static Map<Locale,String[]> KYIV, CIUDAD_JUAREZ;
static {
Map<Locale,String[]> map = new HashMap<Locale,String[]>();
map.put(Locale.US, new String[] { "Eastern European Standard Time", "GMT+02:00", "EET",
"Eastern European Summer Time", "GMT+03:00", "EEST",
"Eastern European Time", "GMT+02:00", "EET"});
map.put(Locale.FRANCE, new String[] { "heure normale d\u2019Europe de l\u2019Est", "UTC+02:00", "EET",
"heure d\u2019\u00e9t\u00e9 d\u2019Europe de l\u2019Est", "UTC+03:00", "EEST",
"heure d\u2019Europe de l\u2019Est", "UTC+02:00", "EET"});
map.put(Locale.GERMANY, new String[] { "Osteurop\u00e4ische Normalzeit", "OEZ", "OEZ",
"Osteurop\u00e4ische Sommerzeit", "OESZ", "OESZ",
"Osteurop\u00e4ische Zeit", "OEZ", "OEZ"});
KYIV = Collections.unmodifiableMap(map);
map = new HashMap<Locale,String[]>();
map.put(Locale.US, new String[] { "Mountain Standard Time", "MST", "MST",
"Mountain Daylight Time", "MDT", "MDT",
"Mountain Time", "MT", "MT"});
map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST",
"heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MDT",
"heure des Rocheuses", "UTC\u221207:00", "MT"});
map.put(Locale.GERMANY, new String[] { "Rocky Mountain-Normalzeit", "GMT-07:00", "MST",
"Rocky-Mountain-Sommerzeit", "GMT-06:00", "MDT",
"Rocky-Mountain-Zeit", "GMT-07:00", "MT"});
CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
}
public static void main(String[] args) {
if (args.length < 1) {
System.err.println("Test must be started with the name of the locale provider.");
System.exit(1);
}
System.out.println("Checking sanity of full zone string set...");
boolean invalid = Arrays.stream(Locale.getAvailableLocales())
.peek(l -> System.out.println("Locale: " + l))
.map(l -> DateFormatSymbols.getInstance(l).getZoneStrings())
.flatMap(zs -> Arrays.stream(zs))
.flatMap(names -> Arrays.stream(names))
.filter(name -> Objects.isNull(name) || name.isEmpty())
.findAny()
.isPresent();
if (invalid) {
System.err.println("Zone string for a locale returned null or empty string");
System.exit(2);
}
String localeProvider = args[0];
testZone(localeProvider, KYIV,
new String[] { "Europe/Kiev", "Europe/Kyiv", "Europe/Uzhgorod", "Europe/Zaporozhye" });
testZone(localeProvider, CIUDAD_JUAREZ,
new String[] { "America/Cambridge_Bay", "America/Ciudad_Juarez" });
}
private static void testZone(String localeProvider, Map<Locale,String[]> exp, String[] ids) {
for (Locale l : exp.keySet()) {
String[] expected = exp.get(l);
System.out.printf("Expected values for %s are %s\n", l, Arrays.toString(expected));
for (String id : ids) {
String expectedShortStd = null;
String expectedShortDST = null;
String expectedShortGen = null;
System.out.printf("Checking locale %s for %s...\n", l, id);
if ("JRE".equals(localeProvider)) {
expectedShortStd = expected[2];
expectedShortDST = expected[5];
expectedShortGen = expected[8];
} else if ("CLDR".equals(localeProvider)) {
expectedShortStd = expected[1];
expectedShortDST = expected[4];
expectedShortGen = expected[7];
} else {
System.err.printf("Invalid locale provider %s\n", localeProvider);
System.exit(3);
}
System.out.printf("Locale Provider is %s, using short values %s, %s and %s\n",
localeProvider, expectedShortStd, expectedShortDST, expectedShortGen);
String longStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.LONG, l);
String shortStd = TimeZone.getTimeZone(id).getDisplayName(false, TimeZone.SHORT, l);
String longDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.LONG, l);
String shortDST = TimeZone.getTimeZone(id).getDisplayName(true, TimeZone.SHORT, l);
String longGen = ZoneId.of(id).getDisplayName(TextStyle.FULL, l);
String shortGen = ZoneId.of(id).getDisplayName(TextStyle.SHORT, l);
if (!expected[0].equals(longStd)) {
System.err.printf("Long standard display name for %s in %s was %s, expected %s\n",
id, l, longStd, expected[0]);
System.exit(4);
}
if (!expectedShortStd.equals(shortStd)) {
System.err.printf("Short standard display name for %s in %s was %s, expected %s\n",
id, l, shortStd, expectedShortStd);
System.exit(5);
}
if (!expected[3].equals(longDST)) {
System.err.printf("Long DST display name for %s in %s was %s, expected %s\n",
id, l, longDST, expected[3]);
System.exit(6);
}
if (!expectedShortDST.equals(shortDST)) {
System.err.printf("Short DST display name for %s in %s was %s, expected %s\n",
id, l, shortDST, expectedShortDST);
System.exit(7);
}
if (!expected[6].equals(longGen)) {
System.err.printf("Long generic display name for %s in %s was %s, expected %s\n",
id, l, longGen, expected[6]);
System.exit(8);
}
if (!expectedShortGen.equals(shortGen)) {
System.err.printf("Short generic display name for %s in %s was %s, expected %s\n",
id, l, shortGen, expectedShortGen);
System.exit(9);
}
}
}
}
}

5911
SOURCES/fips-17u-72d08e3226f.patch Normal file
View File

File diff suppressed because it is too large Load Diff

26
SOURCES/jdk8275535-rh2053256-ldap_auth.patch
View File

@ -1,26 +0,0 @@
diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
index 70903206ea0..09956084cf9 100644
--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
ctx = getLdapCtxFromUrl(
r.getDomainName(), url, new LdapURL(u), env);
return ctx;
+ } catch (AuthenticationException e) {
+ // do not retry on a different endpoint to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
// try the next element
lastException = e;
@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor
for (String u : urls) {
try {
return getUsingURL(u, env);
+ } catch (AuthenticationException e) {
+ // do not retry on a different URL to avoid blocking
+ // the user if authentication credentials are wrong.
+ throw e;
} catch (NamingException e) {
ex = e;
}

16
SOURCES/jdk8283911-default_promoted_version_pre.patch
View File

@ -1,16 +0,0 @@
commit 37807a694f89611f60880260d2bb7162908bc0c8
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Wed Mar 30 04:19:43 2022 +0100
8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
diff --git openjdk.orig/make/conf/version-numbers.conf openjdk/make/conf/version-numbers.conf
index 71b19762f2e..7378ec67a48 100644
--- openjdk.orig/make/conf/version-numbers.conf
+++ openjdk/make/conf/version-numbers.conf
@@ -39,4 +39,4 @@ DEFAULT_VERSION_CLASSFILE_MINOR=0
DEFAULT_VERSION_DOCS_API_SINCE=11
DEFAULT_ACCEPTABLE_BOOT_VERSIONS="16 17"
DEFAULT_JDK_SOURCE_TARGET_VERSION=17
-DEFAULT_PROMOTED_VERSION_PRE=
+DEFAULT_PROMOTED_VERSION_PRE=ea

6
SOURCES/nss.fips.cfg.in
View File

@ -1,6 +0,0 @@
name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips

88
SOURCES/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
View File

@ -1,88 +0,0 @@
# HG changeset patch
# User andrew
# Date 1478057514 0
# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
PR3183: Support Fedora/RHEL system crypto policy
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
--- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
+++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
@@ -43,6 +43,9 @@
* implementation-specific location, which is typically the properties file
* {@code conf/security/java.security} in the Java installation directory.
*
+ * <p>Additional default values of security properties are read from a
+ * system-specific location, if available.</p>
+ *
* @author Benjamin Renaud
* @since 1.1
*/
@@ -52,6 +55,10 @@
private static final Debug sdebug =
Debug.getInstance("properties");
+ /* System property file*/
+ private static final String SYSTEM_PROPERTIES =
+ "/etc/crypto-policies/back-ends/java.config";
+
/* The java.security properties */
private static Properties props;
@@ -93,6 +100,7 @@
if (sdebug != null) {
sdebug.println("reading security properties file: " +
propFile);
+ sdebug.println(props.toString());
}
} catch (IOException e) {
if (sdebug != null) {
@@ -114,6 +122,31 @@
}
if ("true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+
+ // now load the system file, if it exists, so its values
+ // will win if they conflict with the earlier values
+ try (BufferedInputStream bis =
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+ props.load(bis);
+ loadedProps = true;
+
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ SYSTEM_PROPERTIES);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println
+ ("unable to load security properties from " +
+ SYSTEM_PROPERTIES);
+ e.printStackTrace();
+ }
+ }
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
("security.overridePropertiesFile"))) {
String extraPropFile = System.getProperty
diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
--- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100
+++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000
@@ -276,6 +276,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=true
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#

78
SOURCES/pr3695-toggle_system_crypto_policy.patch
View File

@ -1,78 +0,0 @@
# HG changeset patch
# User andrew
# Date 1545198926 0
# Wed Dec 19 05:55:26 2018 +0000
# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
PR3695: Allow use of system crypto policy to be disabled by the user
Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
--- a/src/java.base/share/classes/java/security/Security.java
+++ b/src/java.base/share/classes/java/security/Security.java
@@ -125,31 +125,6 @@
}
if ("true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
- loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
- }
- }
-
- if ("true".equalsIgnoreCase(props.getProperty
("security.overridePropertiesFile"))) {
String extraPropFile = System.getProperty
@@ -215,6 +190,33 @@
}
}
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+ if (disableSystemProps == null &&
+ "true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+
+ // now load the system file, if it exists, so its values
+ // will win if they conflict with the earlier values
+ try (BufferedInputStream bis =
+ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+ props.load(bis);
+ loadedProps = true;
+
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ SYSTEM_PROPERTIES);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println
+ ("unable to load security properties from " +
+ SYSTEM_PROPERTIES);
+ e.printStackTrace();
+ }
+ }
+ }
+
if (!loadedProps) {
initializeStatic();
if (sdebug != null) {

11
SOURCES/remove-intree-libraries.sh
View File

@ -5,6 +5,7 @@ TREE=${1}
TYPE=${2}
ZIP_SRC=src/java.base/share/native/libzip/zlib/
FREETYPE_SRC=src/java.desktop/share/native/libfreetype/
JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
@ -31,15 +32,21 @@ cd ${TREE}
echo "Removing built-in libs (they will be linked)"
# On full runs, allow for zlib having already been deleted by minimal
# On full runs, allow for zlib & freetype having already been deleted by minimal
echo "Removing zlib"
if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
echo "${ZIP_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${ZIP_SRC}
echo "Removing freetype"
if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then
echo "${FREETYPE_SRC} does not exist. Refusing to proceed."
exit 1
fi
rm -rvf ${FREETYPE_SRC}
# Minimal is limited to just zlib so finish here
# Minimal is limited to just zlib and freetype so finish here
if test "x${TYPE}" = "xminimal"; then
echo "Finished.";
exit 0;

10
SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
View File

@ -1,7 +1,7 @@
diff --git openjdk/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
index 534bdae5a16..2df2b59cbf6 100644
--- openjdk/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index adfaf57d29e..abf89bbf327 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
security.provider.tbd=Apple
#endif
@ -9,4 +9,4 @@ index 534bdae5a16..2df2b59cbf6 100644
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
# A list of preferred providers for specific algorithms. These providers will
# Security providers used when FIPS mode support is active

205
SOURCES/rh1655466-global_crypto_and_fips.patch
View File

@ -1,205 +0,0 @@
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -196,26 +196,8 @@
if (disableSystemProps == null &&
"true".equalsIgnoreCase(props.getProperty
("security.useSystemPropertiesFile"))) {
-
- // now load the system file, if it exists, so its values
- // will win if they conflict with the earlier values
- try (BufferedInputStream bis =
- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
- props.load(bis);
+ if (SystemConfigurator.configure(props)) {
loadedProps = true;
-
- if (sdebug != null) {
- sdebug.println("reading system security properties file " +
- SYSTEM_PROPERTIES);
- sdebug.println(props.toString());
- }
- } catch (IOException e) {
- if (sdebug != null) {
- sdebug.println
- ("unable to load security properties from " +
- SYSTEM_PROPERTIES);
- e.printStackTrace();
- }
}
}
diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
new file mode 100644
--- /dev/null
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -0,0 +1,151 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.security;
+
+import java.io.BufferedInputStream;
+import java.io.FileInputStream;
+import java.io.IOException;
+
+import java.nio.file.Files;
+import java.nio.file.Path;
+
+import java.util.Iterator;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.function.Consumer;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import sun.security.util.Debug;
+
+/**
+ * Internal class to align OpenJDK with global crypto-policies.
+ * Called from java.security.Security class initialization,
+ * during startup.
+ *
+ */
+
+class SystemConfigurator {
+
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
+ private static final String CRYPTO_POLICIES_BASE_DIR =
+ "/etc/crypto-policies";
+
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+ private static final String CRYPTO_POLICIES_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/config";
+
+ private static final class SecurityProviderInfo {
+ int number;
+ String key;
+ String value;
+ SecurityProviderInfo(int number, String key, String value) {
+ this.number = number;
+ this.key = key;
+ this.value = value;
+ }
+ }
+
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
+ * security.useSystemPropertiesFile is true.
+ */
+ static boolean configure(Properties props) {
+ boolean loadedProps = false;
+
+ try (BufferedInputStream bis =
+ new BufferedInputStream(
+ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
+ props.load(bis);
+ loadedProps = true;
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties from " +
+ CRYPTO_POLICIES_JAVA_CONFIG);
+ e.printStackTrace();
+ }
+ }
+
+ try {
+ if (enableFips()) {
+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+ loadedProps = false;
+ // Remove all security providers
+ Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+ while (i.hasNext()) {
+ Entry<Object, Object> e = i.next();
+ if (((String) e.getKey()).startsWith("security.provider")) {
+ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
+ i.remove();
+ }
+ }
+ // Add FIPS security providers
+ String fipsProviderValue = null;
+ for (int n = 1;
+ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
+ String fipsProviderKey = "security.provider." + n;
+ if (sdebug != null) {
+ sdebug.println("Adding provider " + n + ": " +
+ fipsProviderKey + "=" + fipsProviderValue);
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
+ loadedProps = true;
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+ sdebug.println("unable to load FIPS configuration");
+ e.printStackTrace();
+ }
+ }
+ return loadedProps;
+ }
+
+ /*
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
+ * and the com.redhat.fips property is true.
+ */
+ private static boolean enableFips() throws Exception {
+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (fipsEnabled) {
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+ return pattern.matcher(cryptoPoliciesConfig).find();
+ } else {
+ return false;
+ }
+ }
+}
diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
--- openjdk.orig/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
@@ -87,6 +87,14 @@
#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
+# Security providers used when global crypto-policies are set to FIPS.
+#
+fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
+fips.provider.2=SUN
+fips.provider.3=SunEC
+fips.provider.4=SunJSSE
+
+#
# A list of preferred providers for specific algorithms. These providers will
# be searched for matching algorithms before the list of registered providers.
# Entries containing errors (parsing, etc) will be ignored. Use the

52
SOURCES/rh1818909-fips_default_keystore_type.patch
View File

@ -1,52 +0,0 @@
diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
@@ -123,6 +123,33 @@
}
props.put(fipsProviderKey, fipsProviderValue);
}
+ // Add other security properties
+ String keystoreTypeValue = (String) props.get("fips.keystore.type");
+ if (keystoreTypeValue != null) {
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
+ props.put("keystore.type", keystoreTypeValue);
+ if (keystoreTypeValue.equals("PKCS11")) {
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
+ }
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+ // If no trustStoreType has been set, use the
+ // previous keystore.type under FIPS mode. In
+ // a default configuration, the Trust Store will
+ // be 'cacerts' (JKS type).
+ System.setProperty("javax.net.ssl.trustStoreType",
+ nonFipsKeystoreType);
+ }
+ if (sdebug != null) {
+ sdebug.println("FIPS mode default keystore.type = " +
+ keystoreTypeValue);
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+ System.getProperty("javax.net.ssl.keyStore", ""));
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
+ }
+ }
loadedProps = true;
}
} catch (Exception e) {
diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
+++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
@@ -299,6 +299,11 @@
keystore.type=pkcs12
#
+# Default keystore type used when global crypto-policies are set to FIPS.
+#
+fips.keystore.type=PKCS11
+
+#
# Controls compatibility mode for JKS and PKCS12 keystore types.
#
# When set to 'true', both JKS and PKCS12 keystore types support loading

318
SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
View File

@ -1,318 +0,0 @@
diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index f9baf8c9742..60fa75cab45 100644
--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -1,11 +1,13 @@
/*
- * Copyright (c) 2019, Red Hat, Inc.
+ * Copyright (c) 2019, 2020, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
@@ -34,10 +36,10 @@ import java.nio.file.Path;
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.function.Consumer;
-import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
+import jdk.internal.access.SharedSecrets;
import sun.security.util.Debug;
/**
@@ -47,7 +49,7 @@ import sun.security.util.Debug;
*
*/
-class SystemConfigurator {
+final class SystemConfigurator {
private static final Debug sdebug =
Debug.getInstance("properties");
@@ -61,15 +63,16 @@ class SystemConfigurator {
private static final String CRYPTO_POLICIES_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/config";
- private static final class SecurityProviderInfo {
- int number;
- String key;
- String value;
- SecurityProviderInfo(int number, String key, String value) {
- this.number = number;
- this.key = key;
- this.value = value;
- }
+ private static boolean systemFipsEnabled = false;
+
+ static {
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
}
/*
@@ -128,9 +131,9 @@ class SystemConfigurator {
String nonFipsKeystoreType = props.getProperty("keystore.type");
props.put("keystore.type", keystoreTypeValue);
if (keystoreTypeValue.equals("PKCS11")) {
- // If keystore.type is PKCS11, javax.net.ssl.keyStore
- // must be "NONE". See JDK-8238264.
- System.setProperty("javax.net.ssl.keyStore", "NONE");
+ // If keystore.type is PKCS11, javax.net.ssl.keyStore
+ // must be "NONE". See JDK-8238264.
+ System.setProperty("javax.net.ssl.keyStore", "NONE");
}
if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
// If no trustStoreType has been set, use the
@@ -144,12 +147,13 @@ class SystemConfigurator {
sdebug.println("FIPS mode default keystore.type = " +
keystoreTypeValue);
sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
- System.getProperty("javax.net.ssl.keyStore", ""));
+ System.getProperty("javax.net.ssl.keyStore", ""));
sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
System.getProperty("javax.net.ssl.trustStoreType", ""));
}
}
loadedProps = true;
+ systemFipsEnabled = true;
}
} catch (Exception e) {
if (sdebug != null) {
@@ -160,13 +164,30 @@ class SystemConfigurator {
return loadedProps;
}
+ /**
+ * Returns whether or not global system FIPS alignment is enabled.
+ *
+ * Value is always 'false' before java.security.Security class is
+ * initialized.
+ *
+ * Call from out of this package through SharedSecrets:
+ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ * .isSystemFipsEnabled();
+ *
+ * @return a boolean value indicating whether or not global
+ * system FIPS alignment is enabled.
+ */
+ static boolean isSystemFipsEnabled() {
+ return systemFipsEnabled;
+ }
+
/*
* FIPS is enabled only if crypto-policies are set to "FIPS"
* and the com.redhat.fips property is true.
*/
private static boolean enableFips() throws Exception {
- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
- if (fipsEnabled) {
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (shouldEnable) {
String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
diff --git openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
new file mode 100644
index 00000000000..a31e93ec02e
--- /dev/null
+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2020, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.internal.access;
+
+public interface JavaSecuritySystemConfiguratorAccess {
+ boolean isSystemFipsEnabled();
+}
diff --git openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
index f6d3638c3dd..5a2c9eb0c46 100644
--- openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
@@ -81,6 +81,7 @@ public class SharedSecrets {
private static JavaSecuritySpecAccess javaSecuritySpecAccess;
private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
private static JavaxCryptoSpecAccess javaxCryptoSpecAccess;
+ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
public static void setJavaUtilCollectionAccess(JavaUtilCollectionAccess juca) {
javaUtilCollectionAccess = juca;
@@ -442,4 +443,12 @@ public class SharedSecrets {
MethodHandles.lookup().ensureInitialized(c);
} catch (IllegalAccessException e) {}
}
+
+ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
+ javaSecuritySystemConfiguratorAccess = jssca;
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ return javaSecuritySystemConfiguratorAccess;
+ }
}
diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
index 6ffdfeda18d..775b185fb06 100644
--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -32,6 +32,7 @@ import java.security.cert.*;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
import javax.net.ssl.*;
+import jdk.internal.access.SharedSecrets;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
@@ -536,22 +537,40 @@ public abstract class SSLContextImpl extends SSLContextSpi {
private static final List<CipherSuite> serverDefaultCipherSuites;
static {
- supportedProtocols = Arrays.asList(
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10,
- ProtocolVersion.SSL30,
- ProtocolVersion.SSL20Hello
- );
-
- serverDefaultProtocols = getAvailableProtocols(
- new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- });
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ );
+
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10,
+ ProtocolVersion.SSL30,
+ ProtocolVersion.SSL20Hello
+ );
+
+ serverDefaultProtocols = getAvailableProtocols(
+ new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ });
+ }
supportedCipherSuites = getApplicableSupportedCipherSuites(
supportedProtocols);
@@ -842,12 +861,23 @@ public abstract class SSLContextImpl extends SSLContextSpi {
ProtocolVersion[] candidates;
if (refactored.isEmpty()) {
// Client and server use the same default protocols.
- candidates = new ProtocolVersion[] {
- ProtocolVersion.TLS13,
- ProtocolVersion.TLS12,
- ProtocolVersion.TLS11,
- ProtocolVersion.TLS10
- };
+ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ } else {
+ candidates = new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+ ProtocolVersion.TLS11,
+ ProtocolVersion.TLS10
+ };
+ }
} else {
// Use the customized TLS protocols.
candidates =
diff --git openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
index 894e26dfad8..8b16378b96b 100644
--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java
@@ -27,6 +27,8 @@ package sun.security.ssl;
import java.security.*;
import java.util.*;
+
+import jdk.internal.access.SharedSecrets;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
/**
@@ -102,8 +104,13 @@ public class SunJSSE extends java.security.Provider {
"sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
ps("SSLContext", "TLSv1.2",
"sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
- ps("SSLContext", "TLSv1.3",
- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
+ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled()) {
+ // RH1860986: TLSv1.3 key derivation not supported with
+ // the Security Providers available in system FIPS mode.
+ ps("SSLContext", "TLSv1.3",
+ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
+ }
ps("SSLContext", "TLS",
"sun.security.ssl.SSLContextImpl$TLSContext",
List.of("SSL"), null);

70
SOURCES/rh1915071-always_initialise_configurator_access.patch
View File

@ -1,70 +0,0 @@
diff --git openjdk/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index f1633afb627..ce32c939253 100644
--- openjdk/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -32,6 +32,7 @@ import java.net.URL;
import jdk.internal.event.EventHelper;
import jdk.internal.event.SecurityPropertyModificationEvent;
+import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
import jdk.internal.access.SharedSecrets;
import jdk.internal.util.StaticProperty;
import sun.security.util.Debug;
@@ -74,6 +75,15 @@ public final class Security {
}
static {
+ // Initialise here as used by code with system properties disabled
+ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+ new JavaSecuritySystemConfiguratorAccess() {
+ @Override
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
+ });
+
// doPrivileged here because there are multiple
// things in initialize that might require privs.
// (the FileInputStream call and the File.exists call,
@@ -194,9 +204,8 @@ public final class Security {
}
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
- if (disableSystemProps == null &&
- "true".equalsIgnoreCase(props.getProperty
- ("security.useSystemPropertiesFile"))) {
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
if (SystemConfigurator.configure(props)) {
loadedProps = true;
}
diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 60fa75cab45..10b54aa4ce4 100644
--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -38,8 +38,6 @@ import java.util.Map.Entry;
import java.util.Properties;
import java.util.regex.Pattern;
-import jdk.internal.access.JavaSecuritySystemConfiguratorAccess;
-import jdk.internal.access.SharedSecrets;
import sun.security.util.Debug;
/**
@@ -65,16 +63,6 @@ final class SystemConfigurator {
private static boolean systemFipsEnabled = false;
- static {
- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
- new JavaSecuritySystemConfiguratorAccess() {
- @Override
- public boolean isSystemFipsEnabled() {
- return SystemConfigurator.isSystemFipsEnabled();
- }
- });
- }
-
/*
* Invoked when java.security.Security class is initialized, if
* java.security.disableSystemPropertiesFile property is not set and

69
SOURCES/rh1929465-dont_define_unused_throwioexception.patch
View File

@ -1,69 +0,0 @@
commit 90e344e7d4987af610fa0054c92d18fe1c2edd41
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Sat Aug 28 01:15:28 2021 +0100
RH1929465: Don't define unused throwIOException function when using NSS detection
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 6f4656bfcb6..38919d6bb0f 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -34,14 +34,34 @@
#include "java_security_SystemConfigurator.h"
-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
#define MSG_MAX_SIZE 96
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-static void throwIOException(JNIEnv *env, const char *msg);
-static void dbgPrint(JNIEnv *env, const char* msg);
+// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
+#ifndef SYSCONF_NSS
+
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+#endif
+
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
/*
* Class: java_security_SystemConfigurator
@@ -149,20 +169,3 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
#endif // SYSCONF_NSS
}
-
-static void throwIOException(JNIEnv *env, const char *msg)
-{
- jclass cls = (*env)->FindClass(env, "java/io/IOException");
- if (cls != 0)
- (*env)->ThrowNew(env, cls, msg);
-}
-
-static void dbgPrint(JNIEnv *env, const char* msg)
-{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
- }
-}

428
SOURCES/rh1929465-improve_system_FIPS_detection.patch
View File

@ -1,428 +0,0 @@
diff --git openjdk/make/autoconf/lib-sysconf.m4 openjdk/make/autoconf/lib-sysconf.m4
new file mode 100644
index 00000000000..b2b1c1787da
--- /dev/null
+++ openjdk/make/autoconf/lib-sysconf.m4
@@ -0,0 +1,84 @@
+#
+# Copyright (c) 2021, Red Hat, Inc.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+################################################################################
+# Setup system configuration libraries
+################################################################################
+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
+[
+ ###############################################################################
+ #
+ # Check for the NSS library
+ #
+
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
+
+ # default is not available
+ DEFAULT_SYSCONF_NSS=no
+
+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
+ [
+ case "${enableval}" in
+ yes)
+ sysconf_nss=yes
+ ;;
+ *)
+ sysconf_nss=no
+ ;;
+ esac
+ ],
+ [
+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
+ ])
+ AC_MSG_RESULT([$sysconf_nss])
+
+ USE_SYSCONF_NSS=false
+ if test "x${sysconf_nss}" = "xyes"; then
+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
+ if test "x${NSS_FOUND}" = "xyes"; then
+ AC_MSG_CHECKING([for system FIPS support in NSS])
+ saved_libs="${LIBS}"
+ saved_cflags="${CFLAGS}"
+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
+ LIBS="${LIBS} ${NSS_LIBS}"
+ AC_LANG_PUSH([C])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
+ [[SECMOD_GetSystemFIPSEnabled()]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])
+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
+ AC_LANG_POP([C])
+ CFLAGS="${saved_cflags}"
+ LIBS="${saved_libs}"
+ USE_SYSCONF_NSS=true
+ else
+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
+ dnl in nss3/pk11pub.h.
+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
+ fi
+ fi
+ AC_SUBST(USE_SYSCONF_NSS)
+])
diff --git openjdk/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
index a65d91ee974..a8f054c1397 100644
--- openjdk/make/autoconf/libraries.m4
+++ openjdk/make/autoconf/libraries.m4
@@ -33,6 +33,7 @@ m4_include([lib-std.m4])
m4_include([lib-x11.m4])
m4_include([lib-fontconfig.m4])
m4_include([lib-tests.m4])
+m4_include([lib-sysconf.m4])
################################################################################
# Determine which libraries are needed for this configuration
@@ -104,6 +105,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
LIB_SETUP_BUNDLED_LIBS
LIB_SETUP_MISC_LIBS
LIB_TESTS_SETUP_GTEST
+ LIB_SETUP_SYSCONF_LIBS
BASIC_JDKLIB_LIBS=""
if test "x$TOOLCHAIN_TYPE" != xmicrosoft; then
diff --git openjdk/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
index 29445c8c24f..9b1b512a34a 100644
--- openjdk/make/autoconf/spec.gmk.in
+++ openjdk/make/autoconf/spec.gmk.in
@@ -834,6 +834,10 @@ INSTALL_SYSCONFDIR=@sysconfdir@
# Libraries
#
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
+NSS_LIBS:=@NSS_LIBS@
+NSS_CFLAGS:=@NSS_CFLAGS@
+
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
LCMS_CFLAGS:=@LCMS_CFLAGS@
LCMS_LIBS:=@LCMS_LIBS@
diff --git openjdk/make/modules/java.base/Lib.gmk openjdk/make/modules/java.base/Lib.gmk
index 5658ff342e5..cb7a56852f7 100644
--- openjdk/make/modules/java.base/Lib.gmk
+++ openjdk/make/modules/java.base/Lib.gmk
@@ -167,6 +167,31 @@ ifeq ($(call isTargetOsType, unix), true)
endif
endif
+################################################################################
+# Create the systemconf library
+
+LIBSYSTEMCONF_CFLAGS :=
+LIBSYSTEMCONF_CXXFLAGS :=
+
+ifeq ($(USE_SYSCONF_NSS), true)
+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
+endif
+
+ifeq ($(OPENJDK_BUILD_OS), linux)
+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
+ NAME := systemconf, \
+ OPTIMIZATION := LOW, \
+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
+ LDFLAGS := $(LDFLAGS_JDKLIB) \
+ $(call SET_SHARED_LIBRARY_ORIGIN), \
+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
+ ))
+
+ TARGETS += $(BUILD_LIBSYSTEMCONF)
+endif
+
################################################################################
# Create the symbols file for static builds.
diff --git openjdk/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
new file mode 100644
index 00000000000..6f4656bfcb6
--- /dev/null
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#include <dlfcn.h>
+#include <jni.h>
+#include <jni_util.h>
+#include <stdio.h>
+
+#ifdef SYSCONF_NSS
+#include <nss3/pk11pub.h>
+#endif //SYSCONF_NSS
+
+#include "java_security_SystemConfigurator.h"
+
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+#define MSG_MAX_SIZE 96
+
+static jmethodID debugPrintlnMethodID = NULL;
+static jobject debugObj = NULL;
+
+static void throwIOException(JNIEnv *env, const char *msg);
+static void dbgPrint(JNIEnv *env, const char* msg);
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnLoad
+ */
+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+ jclass sysConfCls, debugCls;
+ jfieldID sdebugFld;
+
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return JNI_EVERSION; /* JNI version not supported */
+ }
+
+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
+ if (sysConfCls == NULL) {
+ printf("libsystemconf: SystemConfigurator class not found\n");
+ return JNI_ERR;
+ }
+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
+ "sdebug", "Lsun/security/util/Debug;");
+ if (sdebugFld == NULL) {
+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
+ if (debugObj != NULL) {
+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
+ if (debugCls == NULL) {
+ printf("libsystemconf: Debug class not found\n");
+ return JNI_ERR;
+ }
+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
+ "println", "(Ljava/lang/String;)V");
+ if (debugPrintlnMethodID == NULL) {
+ printf("libsystemconf: Debug::println(String) method not found\n");
+ return JNI_ERR;
+ }
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
+ }
+
+ return (*env)->GetVersion(env);
+}
+
+/*
+ * Class: java_security_SystemConfigurator
+ * Method: JNI_OnUnload
+ */
+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+{
+ JNIEnv *env;
+
+ if (debugObj != NULL) {
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return; /* Should not happen */
+ }
+ (*env)->DeleteGlobalRef(env, debugObj);
+ }
+}
+
+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
+ (JNIEnv *env, jclass cls)
+{
+ int fips_enabled;
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+
+#ifdef SYSCONF_NSS
+
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " SECMOD_GetSystemFIPSEnabled return value");
+ }
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+
+#else // SYSCONF_NSS
+
+ FILE *fe;
+
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+ " read character");
+ }
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+
+#endif // SYSCONF_NSS
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
diff --git openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 10b54aa4ce4..6aa1419dfd0 100644
--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, 2020, Red Hat, Inc.
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
*
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
@@ -30,13 +30,9 @@ import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-
import java.util.Iterator;
import java.util.Map.Entry;
import java.util.Properties;
-import java.util.regex.Pattern;
import sun.security.util.Debug;
@@ -58,11 +54,23 @@ final class SystemConfigurator {
private static final String CRYPTO_POLICIES_JAVA_CONFIG =
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
- private static final String CRYPTO_POLICIES_CONFIG =
- CRYPTO_POLICIES_BASE_DIR + "/config";
-
private static boolean systemFipsEnabled = false;
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
+
+ private static native boolean getSystemFIPSEnabled()
+ throws IOException;
+
+ static {
+ @SuppressWarnings("removal")
+ var dummy = AccessController.doPrivileged(new PrivilegedAction<Void>() {
+ public Void run() {
+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
+ return null;
+ }
+ });
+ }
+
/*
* Invoked when java.security.Security class is initialized, if
* java.security.disableSystemPropertiesFile property is not set and
@@ -170,16 +178,34 @@ final class SystemConfigurator {
}
/*
- * FIPS is enabled only if crypto-policies are set to "FIPS"
- * and the com.redhat.fips property is true.
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
+ * system property is true (default) and the system is in FIPS mode.
+ *
+ * There are 2 possible ways in which OpenJDK detects that the system
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
+ * /proc/sys/crypto/fips_enabled file is read.
*/
private static boolean enableFips() throws Exception {
boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
if (shouldEnable) {
- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
- return pattern.matcher(cryptoPoliciesConfig).find();
+ if (sdebug != null) {
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
+ }
+ try {
+ shouldEnable = getSystemFIPSEnabled();
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
+ + shouldEnable);
+ }
+ return shouldEnable;
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
+ sdebug.println(e.getMessage());
+ }
+ throw e;
+ }
} else {
return false;
}

579
SOURCES/rh1991003-enable_fips_keys_import.patch
View File

@ -1,579 +0,0 @@
commit abcd0954643eddbf826d96291d44a143038ab750
Author: Martin Balao <mbalao@redhat.com>
Date: Sun Oct 10 18:14:01 2021 +0100
RH1991003: Enable the import of plain keys into the NSS software token.
This can be individually disabled using -Dcom.redhat.fips.plainKeySupport=false
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index ce32c939253..dc7020ce668 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -82,6 +82,10 @@ public final class Security {
public boolean isSystemFipsEnabled() {
return SystemConfigurator.isSystemFipsEnabled();
}
+ @Override
+ public boolean isPlainKeySupportEnabled() {
+ return SystemConfigurator.isPlainKeySupportEnabled();
+ }
});
// doPrivileged here because there are multiple
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 6aa1419dfd0..ecab722848e 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -55,6 +55,7 @@ final class SystemConfigurator {
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
private static boolean systemFipsEnabled = false;
+ private static boolean plainKeySupportEnabled = false;
private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
@@ -150,6 +151,16 @@ final class SystemConfigurator {
}
loadedProps = true;
systemFipsEnabled = true;
+ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
+ "true");
+ plainKeySupportEnabled = !"false".equals(plainKeySupport);
+ if (sdebug != null) {
+ if (plainKeySupportEnabled) {
+ sdebug.println("FIPS support enabled with plain key support");
+ } else {
+ sdebug.println("FIPS support enabled without plain key support");
+ }
+ }
}
} catch (Exception e) {
if (sdebug != null) {
@@ -177,6 +188,19 @@ final class SystemConfigurator {
return systemFipsEnabled;
}
+ /**
+ * Returns {@code true} if system FIPS alignment is enabled
+ * and plain key support is allowed. Plain key support is
+ * enabled by default but can be disabled with
+ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
+ *
+ * @return a boolean indicating whether plain key support
+ * should be enabled.
+ */
+ static boolean isPlainKeySupportEnabled() {
+ return plainKeySupportEnabled;
+ }
+
/*
* OpenJDK FIPS mode will be enabled only if the com.redhat.fips
* system property is true (default) and the system is in FIPS mode.
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
index a31e93ec02e..3f3caac64dc 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
+++ openjdk/src/java.base/share/classes/jdk/internal/access/JavaSecuritySystemConfiguratorAccess.java
@@ -27,4 +27,5 @@ package jdk.internal.access;
public interface JavaSecuritySystemConfiguratorAccess {
boolean isSystemFipsEnabled();
+ boolean isPlainKeySupportEnabled();
}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
new file mode 100644
index 00000000000..bee3a1e1537
--- /dev/null
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
@@ -0,0 +1,291 @@
+/*
+ * Copyright (c) 2021, Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.pkcs11;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.Provider;
+import java.security.Security;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.concurrent.locks.ReentrantLock;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.DHPrivateKeySpec;
+import javax.crypto.spec.IvParameterSpec;
+
+import sun.security.jca.JCAUtil;
+import sun.security.pkcs11.TemplateManager;
+import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
+import sun.security.pkcs11.wrapper.CK_MECHANISM;
+import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
+import sun.security.pkcs11.wrapper.PKCS11Exception;
+import sun.security.rsa.RSAUtil.KeyType;
+import sun.security.util.Debug;
+import sun.security.util.ECUtil;
+
+final class FIPSKeyImporter {
+
+ private static final Debug debug =
+ Debug.getInstance("sunpkcs11");
+
+ private static P11Key importerKey = null;
+ private static final ReentrantLock importerKeyLock = new ReentrantLock();
+ private static CK_MECHANISM importerKeyMechanism = null;
+ private static Cipher importerCipher = null;
+
+ private static Provider sunECProvider = null;
+ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
+
+ private static KeyFactory DHKF = null;
+ private static final ReentrantLock DHKFLock = new ReentrantLock();
+
+ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
+ throws PKCS11Exception {
+ long keyID = -1;
+ Token token = sunPKCS11.getToken();
+ if (debug != null) {
+ debug.println("Private or Secret key will be imported in" +
+ " system FIPS mode.");
+ }
+ if (importerKey == null) {
+ importerKeyLock.lock();
+ try {
+ if (importerKey == null) {
+ if (importerKeyMechanism == null) {
+ // Importer Key creation has not been tried yet. Try it.
+ createImporterKey(token);
+ }
+ if (importerKey == null || importerCipher == null) {
+ if (debug != null) {
+ debug.println("Importer Key could not be" +
+ " generated.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ if (debug != null) {
+ debug.println("Importer Key successfully" +
+ " generated.");
+ }
+ }
+ } finally {
+ importerKeyLock.unlock();
+ }
+ }
+ long importerKeyID = importerKey.getKeyID();
+ try {
+ byte[] keyBytes = null;
+ byte[] encKeyBytes = null;
+ long keyClass = 0L;
+ long keyType = 0L;
+ Map<Long, CK_ATTRIBUTE> attrsMap = new HashMap<>();
+ for (CK_ATTRIBUTE attr : attributes) {
+ if (attr.type == CKA_CLASS) {
+ keyClass = attr.getLong();
+ } else if (attr.type == CKA_KEY_TYPE) {
+ keyType = attr.getLong();
+ }
+ attrsMap.put(attr.type, attr);
+ }
+ BigInteger v = null;
+ if (keyClass == CKO_PRIVATE_KEY) {
+ if (keyType == CKK_RSA) {
+ if (debug != null) {
+ debug.println("Importing an RSA private key...");
+ }
+ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
+ KeyType.RSA,
+ null,
+ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ } else if (keyType == CKK_DSA) {
+ if (debug != null) {
+ debug.println("Importing a DSA private key...");
+ }
+ keyBytes = new sun.security.provider.DSAPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO
+ ).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_EC) {
+ if (debug != null) {
+ debug.println("Importing an EC private key...");
+ }
+ if (sunECProvider == null) {
+ sunECProviderLock.lock();
+ try {
+ if (sunECProvider == null) {
+ sunECProvider = Security.getProvider("SunEC");
+ }
+ } finally {
+ sunECProviderLock.unlock();
+ }
+ }
+ keyBytes = ECUtil.generateECPrivateKey(
+ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ECUtil.getECParameterSpec(sunECProvider,
+ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
+ .getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else if (keyType == CKK_DH) {
+ if (debug != null) {
+ debug.println("Importing a Diffie-Hellman private key...");
+ }
+ if (DHKF == null) {
+ DHKFLock.lock();
+ try {
+ if (DHKF == null) {
+ DHKF = KeyFactory.getInstance(
+ "DH", P11Util.getSunJceProvider());
+ }
+ } finally {
+ DHKFLock.unlock();
+ }
+ }
+ DHPrivateKeySpec spec = new DHPrivateKeySpec
+ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
+ ? v : BigInteger.ZERO,
+ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
+ ? v : BigInteger.ZERO);
+ keyBytes = DHKF.generatePrivate(spec).getEncoded();
+ if (token.config.getNssNetscapeDbWorkaround() &&
+ attrsMap.get(CKA_NETSCAPE_DB) == null) {
+ attrsMap.put(CKA_NETSCAPE_DB,
+ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
+ }
+ } else {
+ if (debug != null) {
+ debug.println("Unrecognized private key type.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ } else if (keyClass == CKO_SECRET_KEY) {
+ if (debug != null) {
+ debug.println("Importing a secret key...");
+ }
+ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
+ }
+ if (keyBytes == null || keyBytes.length == 0) {
+ if (debug != null) {
+ debug.println("Private or secret key plain bytes could" +
+ " not be obtained. Import failed.");
+ }
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
+ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
+ null);
+ attributes = new CK_ATTRIBUTE[attrsMap.size()];
+ attrsMap.values().toArray(attributes);
+ encKeyBytes = importerCipher.doFinal(keyBytes);
+ attributes = token.getAttributes(TemplateManager.O_IMPORT,
+ keyClass, keyType, attributes);
+ keyID = token.p11.C_UnwrapKey(hSession,
+ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
+ if (debug != null) {
+ debug.println("Imported key ID: " + keyID);
+ }
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ } finally {
+ importerKey.releaseKeyID();
+ }
+ return Long.valueOf(keyID);
+ }
+
+ private static void createImporterKey(Token token) {
+ if (debug != null) {
+ debug.println("Generating Importer Key...");
+ }
+ byte[] iv = new byte[16];
+ JCAUtil.getSecureRandom().nextBytes(iv);
+ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
+ try {
+ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
+ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
+ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
+ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
+ Session s = null;
+ try {
+ s = token.getObjSession();
+ long keyID = token.p11.C_GenerateKey(
+ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
+ attributes);
+ if (debug != null) {
+ debug.println("Importer Key ID: " + keyID);
+ }
+ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
+ 256 >> 3, null);
+ } catch (PKCS11Exception e) {
+ // best effort
+ } finally {
+ token.releaseSession(s);
+ }
+ if (importerKey != null) {
+ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+ }
+ } catch (Throwable t) {
+ // best effort
+ importerKey = null;
+ importerCipher = null;
+ // importerKeyMechanism value is kept initialized to indicate that
+ // Importer Key creation has been tried and failed.
+ }
+ }
+}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 5d3963ea893..42c72b393fd 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -26,6 +26,9 @@
package sun.security.pkcs11;
import java.io.*;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
+import java.lang.invoke.MethodType;
import java.util.*;
import java.security.*;
@@ -66,6 +69,26 @@ public final class SunPKCS11 extends AuthProvider {
private static final boolean systemFipsEnabled = SharedSecrets
.getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+ private static final boolean plainKeySupportEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
+
+ private static final MethodHandle fipsImportKey;
+ static {
+ MethodHandle fipsImportKeyTmp = null;
+ if (plainKeySupportEnabled) {
+ try {
+ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
+ FIPSKeyImporter.class, "importKey",
+ MethodType.methodType(Long.class, SunPKCS11.class,
+ long.class, CK_ATTRIBUTE[].class));
+ } catch (Throwable t) {
+ throw new SecurityException("FIPS key importer initialization" +
+ " failed", t);
+ }
+ }
+ fipsImportKey = fipsImportKeyTmp;
+ }
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -324,10 +347,15 @@ public final class SunPKCS11 extends AuthProvider {
// request multithreaded access first
initArgs.flags = CKF_OS_LOCKING_OK;
PKCS11 tmpPKCS11;
+ MethodHandle fipsKeyImporter = null;
+ if (plainKeySupportEnabled) {
+ fipsKeyImporter = MethodHandles.insertArguments(
+ fipsImportKey, 0, this);
+ }
try {
tmpPKCS11 = PKCS11.getInstance(
library, functionList, initArgs,
- config.getOmitInitialize());
+ config.getOmitInitialize(), fipsKeyImporter);
} catch (PKCS11Exception e) {
if (debug != null) {
debug.println("Multi-threaded initialization failed: " + e);
@@ -343,7 +371,7 @@ public final class SunPKCS11 extends AuthProvider {
initArgs.flags = 0;
}
tmpPKCS11 = PKCS11.getInstance(library,
- functionList, initArgs, config.getOmitInitialize());
+ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
}
p11 = tmpPKCS11;
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
index 5c0aacd1a67..4d80145cb91 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
import java.io.File;
import java.io.IOException;
+import java.lang.invoke.MethodHandle;
import java.util.*;
import java.security.AccessController;
@@ -152,16 +153,28 @@ public class PKCS11 {
public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
- boolean omitInitialize) throws IOException, PKCS11Exception {
+ boolean omitInitialize, MethodHandle fipsKeyImporter)
+ throws IOException, PKCS11Exception {
// we may only call C_Initialize once per native .so/.dll
// so keep a cache using the (non-canonicalized!) path
PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
if (pkcs11 == null) {
+ boolean nssFipsMode = fipsKeyImporter != null;
if ((pInitArgs != null)
&& ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
+ fipsKeyImporter);
+ } else {
+ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
+ }
} else {
- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ if (nssFipsMode) {
+ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
+ functionList, fipsKeyImporter);
+ } else {
+ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
+ }
}
if (omitInitialize == false) {
try {
@@ -1911,4 +1924,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
super.C_GenerateRandom(hSession, randomData);
}
}
+
+// PKCS11 subclass that allows using plain private or secret keys in
+// FIPS-configured NSS Software Tokens. Only used when System FIPS
+// is enabled.
+static class FIPSPKCS11 extends PKCS11 {
+ private MethodHandle fipsKeyImporter;
+ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // Creating sensitive key objects from plain key material in a
+ // FIPS-configured NSS Software Token is not allowed. We apply
+ // a key-unwrapping scheme to achieve so.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+// FIPSPKCS11 synchronized counterpart.
+static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
+ private MethodHandle fipsKeyImporter;
+ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
+ MethodHandle fipsKeyImporter) throws IOException {
+ super(pkcs11ModulePath, functionListName);
+ this.fipsKeyImporter = fipsKeyImporter;
+ }
+
+ public synchronized long C_CreateObject(long hSession,
+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
+ // See FIPSPKCS11::C_CreateObject.
+ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
+ try {
+ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
+ .longValue();
+ } catch (Throwable t) {
+ throw new PKCS11Exception(CKR_GENERAL_ERROR);
+ }
+ }
+ return super.C_CreateObject(hSession, pTemplate);
+ }
+}
+
+private static class FIPSPKCS11Helper {
+ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
+ for (CK_ATTRIBUTE attr : pTemplate) {
+ if (attr.type == CKA_CLASS &&
+ (attr.getLong() == CKO_PRIVATE_KEY ||
+ attr.getLong() == CKO_SECRET_KEY)) {
+ return true;
+ }
+ }
+ return false;
+ }
+}
}
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
index e2d6d371bec..dc5e7eefdd3 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Exception.java
@@ -219,6 +219,14 @@ public class PKCS11Exception extends Exception {
return "0x" + Functions.toFullHexString((int)errorCode);
}
+ /**
+ * Constructor taking the error code (the CKR_* constants in PKCS#11) with
+ * no extra info for the error message.
+ */
+ public PKCS11Exception(long errorCode) {
+ this(errorCode, null);
+ }
+
/**
* Constructor taking the error code (the CKR_* constants in PKCS#11) and
* extra info for error message.

591
SOURCES/rh1995150-disable_non-fips_crypto.patch
View File

@ -1,591 +0,0 @@
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 63bb580eb3a..238735c0c8c 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java
@@ -152,6 +152,7 @@ module java.base {
java.naming,
java.rmi,
jdk.charsets,
+ jdk.crypto.ec,
jdk.jartool,
jdk.jlink,
jdk.net,
diff --git openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
index 912cad59714..7cb5ebcde51 100644
--- openjdk.orig/src/java.base/share/classes/sun/security/provider/SunEntries.java
+++ openjdk/src/java.base/share/classes/sun/security/provider/SunEntries.java
@@ -30,6 +30,7 @@ import java.net.*;
import java.util.*;
import java.security.*;
+import jdk.internal.access.SharedSecrets;
import jdk.internal.util.StaticProperty;
import sun.security.action.GetPropertyAction;
import sun.security.util.SecurityProviderConstants;
@@ -83,6 +84,10 @@ import static sun.security.util.SecurityProviderConstants.getAliases;
public final class SunEntries {
+ private static final boolean systemFipsEnabled =
+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled();
+
// the default algo used by SecureRandom class for new SecureRandom() calls
public static final String DEF_SECURE_RANDOM_ALGO;
@@ -94,147 +99,149 @@ public final class SunEntries {
// common attribute map
HashMap<String, String> attrs = new HashMap<>(3);
- /*
- * SecureRandom engines
- */
- attrs.put("ThreadSafe", "true");
- if (NativePRNG.isAvailable()) {
- add(p, "SecureRandom", "NativePRNG",
- "sun.security.provider.NativePRNG", attrs);
- }
- if (NativePRNG.Blocking.isAvailable()) {
- add(p, "SecureRandom", "NativePRNGBlocking",
- "sun.security.provider.NativePRNG$Blocking", attrs);
- }
- if (NativePRNG.NonBlocking.isAvailable()) {
- add(p, "SecureRandom", "NativePRNGNonBlocking",
- "sun.security.provider.NativePRNG$NonBlocking", attrs);
- }
- attrs.put("ImplementedIn", "Software");
- add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
- add(p, "SecureRandom", "SHA1PRNG",
- "sun.security.provider.SecureRandom", attrs);
-
- /*
- * Signature engines
- */
- attrs.clear();
- String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
- "|java.security.interfaces.DSAPrivateKey";
- attrs.put("SupportedKeyClasses", dsaKeyClasses);
- attrs.put("ImplementedIn", "Software");
-
- attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
-
- addWithAlias(p, "Signature", "SHA1withDSA",
- "sun.security.provider.DSA$SHA1withDSA", attrs);
- addWithAlias(p, "Signature", "NONEwithDSA",
- "sun.security.provider.DSA$RawDSA", attrs);
-
- // for DSA signatures with 224/256-bit digests
- attrs.put("KeySize", "2048");
-
- addWithAlias(p, "Signature", "SHA224withDSA",
- "sun.security.provider.DSA$SHA224withDSA", attrs);
- addWithAlias(p, "Signature", "SHA256withDSA",
- "sun.security.provider.DSA$SHA256withDSA", attrs);
-
- addWithAlias(p, "Signature", "SHA3-224withDSA",
- "sun.security.provider.DSA$SHA3_224withDSA", attrs);
- addWithAlias(p, "Signature", "SHA3-256withDSA",
- "sun.security.provider.DSA$SHA3_256withDSA", attrs);
-
- attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
-
- addWithAlias(p, "Signature", "SHA384withDSA",
- "sun.security.provider.DSA$SHA384withDSA", attrs);
- addWithAlias(p, "Signature", "SHA512withDSA",
- "sun.security.provider.DSA$SHA512withDSA", attrs);
- addWithAlias(p, "Signature", "SHA3-384withDSA",
- "sun.security.provider.DSA$SHA3_384withDSA", attrs);
- addWithAlias(p, "Signature", "SHA3-512withDSA",
- "sun.security.provider.DSA$SHA3_512withDSA", attrs);
-
- attrs.remove("KeySize");
-
- add(p, "Signature", "SHA1withDSAinP1363Format",
- "sun.security.provider.DSA$SHA1withDSAinP1363Format");
- add(p, "Signature", "NONEwithDSAinP1363Format",
- "sun.security.provider.DSA$RawDSAinP1363Format");
- add(p, "Signature", "SHA224withDSAinP1363Format",
- "sun.security.provider.DSA$SHA224withDSAinP1363Format");
- add(p, "Signature", "SHA256withDSAinP1363Format",
- "sun.security.provider.DSA$SHA256withDSAinP1363Format");
- add(p, "Signature", "SHA384withDSAinP1363Format",
- "sun.security.provider.DSA$SHA384withDSAinP1363Format");
- add(p, "Signature", "SHA512withDSAinP1363Format",
- "sun.security.provider.DSA$SHA512withDSAinP1363Format");
- add(p, "Signature", "SHA3-224withDSAinP1363Format",
- "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
- add(p, "Signature", "SHA3-256withDSAinP1363Format",
- "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
- add(p, "Signature", "SHA3-384withDSAinP1363Format",
- "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
- add(p, "Signature", "SHA3-512withDSAinP1363Format",
- "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
- /*
- * Key Pair Generator engines
- */
- attrs.clear();
- attrs.put("ImplementedIn", "Software");
- attrs.put("KeySize", "2048"); // for DSA KPG and APG only
+ if (!systemFipsEnabled) {
+ /*
+ * SecureRandom engines
+ */
+ attrs.put("ThreadSafe", "true");
+ if (NativePRNG.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNG",
+ "sun.security.provider.NativePRNG", attrs);
+ }
+ if (NativePRNG.Blocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGBlocking",
+ "sun.security.provider.NativePRNG$Blocking", attrs);
+ }
+ if (NativePRNG.NonBlocking.isAvailable()) {
+ add(p, "SecureRandom", "NativePRNGNonBlocking",
+ "sun.security.provider.NativePRNG$NonBlocking", attrs);
+ }
+ attrs.put("ImplementedIn", "Software");
+ add(p, "SecureRandom", "DRBG", "sun.security.provider.DRBG", attrs);
+ add(p, "SecureRandom", "SHA1PRNG",
+ "sun.security.provider.SecureRandom", attrs);
- String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
- dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
- addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
+ /*
+ * Signature engines
+ */
+ attrs.clear();
+ String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" +
+ "|java.security.interfaces.DSAPrivateKey";
+ attrs.put("SupportedKeyClasses", dsaKeyClasses);
+ attrs.put("ImplementedIn", "Software");
+
+ attrs.put("KeySize", "1024"); // for NONE and SHA1 DSA signatures
+
+ addWithAlias(p, "Signature", "SHA1withDSA",
+ "sun.security.provider.DSA$SHA1withDSA", attrs);
+ addWithAlias(p, "Signature", "NONEwithDSA",
+ "sun.security.provider.DSA$RawDSA", attrs);
+
+ // for DSA signatures with 224/256-bit digests
+ attrs.put("KeySize", "2048");
+
+ addWithAlias(p, "Signature", "SHA224withDSA",
+ "sun.security.provider.DSA$SHA224withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA256withDSA",
+ "sun.security.provider.DSA$SHA256withDSA", attrs);
+
+ addWithAlias(p, "Signature", "SHA3-224withDSA",
+ "sun.security.provider.DSA$SHA3_224withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-256withDSA",
+ "sun.security.provider.DSA$SHA3_256withDSA", attrs);
+
+ attrs.put("KeySize", "3072"); // for DSA sig using 384/512-bit digests
+
+ addWithAlias(p, "Signature", "SHA384withDSA",
+ "sun.security.provider.DSA$SHA384withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA512withDSA",
+ "sun.security.provider.DSA$SHA512withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-384withDSA",
+ "sun.security.provider.DSA$SHA3_384withDSA", attrs);
+ addWithAlias(p, "Signature", "SHA3-512withDSA",
+ "sun.security.provider.DSA$SHA3_512withDSA", attrs);
+
+ attrs.remove("KeySize");
+
+ add(p, "Signature", "SHA1withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA1withDSAinP1363Format");
+ add(p, "Signature", "NONEwithDSAinP1363Format",
+ "sun.security.provider.DSA$RawDSAinP1363Format");
+ add(p, "Signature", "SHA224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA224withDSAinP1363Format");
+ add(p, "Signature", "SHA256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA256withDSAinP1363Format");
+ add(p, "Signature", "SHA384withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA384withDSAinP1363Format");
+ add(p, "Signature", "SHA512withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA512withDSAinP1363Format");
+ add(p, "Signature", "SHA3-224withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_224withDSAinP1363Format");
+ add(p, "Signature", "SHA3-256withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_256withDSAinP1363Format");
+ add(p, "Signature", "SHA3-384withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_384withDSAinP1363Format");
+ add(p, "Signature", "SHA3-512withDSAinP1363Format",
+ "sun.security.provider.DSA$SHA3_512withDSAinP1363Format");
+ /*
+ * Key Pair Generator engines
+ */
+ attrs.clear();
+ attrs.put("ImplementedIn", "Software");
+ attrs.put("KeySize", "2048"); // for DSA KPG and APG only
- /*
- * Algorithm Parameter Generator engines
- */
- addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
- "sun.security.provider.DSAParameterGenerator", attrs);
- attrs.remove("KeySize");
+ String dsaKPGImplClass = "sun.security.provider.DSAKeyPairGenerator$";
+ dsaKPGImplClass += (useLegacyDSA? "Legacy" : "Current");
+ addWithAlias(p, "KeyPairGenerator", "DSA", dsaKPGImplClass, attrs);
- /*
- * Algorithm Parameter engines
- */
- addWithAlias(p, "AlgorithmParameters", "DSA",
- "sun.security.provider.DSAParameters", attrs);
+ /*
+ * Algorithm Parameter Generator engines
+ */
+ addWithAlias(p, "AlgorithmParameterGenerator", "DSA",
+ "sun.security.provider.DSAParameterGenerator", attrs);
+ attrs.remove("KeySize");
- /*
- * Key factories
- */
- addWithAlias(p, "KeyFactory", "DSA",
- "sun.security.provider.DSAKeyFactory", attrs);
+ /*
+ * Algorithm Parameter engines
+ */
+ addWithAlias(p, "AlgorithmParameters", "DSA",
+ "sun.security.provider.DSAParameters", attrs);
- /*
- * Digest engines
- */
- add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
- add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
- addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
- attrs);
+ /*
+ * Key factories
+ */
+ addWithAlias(p, "KeyFactory", "DSA",
+ "sun.security.provider.DSAKeyFactory", attrs);
- addWithAlias(p, "MessageDigest", "SHA-224",
- "sun.security.provider.SHA2$SHA224", attrs);
- addWithAlias(p, "MessageDigest", "SHA-256",
- "sun.security.provider.SHA2$SHA256", attrs);
- addWithAlias(p, "MessageDigest", "SHA-384",
- "sun.security.provider.SHA5$SHA384", attrs);
- addWithAlias(p, "MessageDigest", "SHA-512",
- "sun.security.provider.SHA5$SHA512", attrs);
- addWithAlias(p, "MessageDigest", "SHA-512/224",
- "sun.security.provider.SHA5$SHA512_224", attrs);
- addWithAlias(p, "MessageDigest", "SHA-512/256",
- "sun.security.provider.SHA5$SHA512_256", attrs);
- addWithAlias(p, "MessageDigest", "SHA3-224",
- "sun.security.provider.SHA3$SHA224", attrs);
- addWithAlias(p, "MessageDigest", "SHA3-256",
- "sun.security.provider.SHA3$SHA256", attrs);
- addWithAlias(p, "MessageDigest", "SHA3-384",
- "sun.security.provider.SHA3$SHA384", attrs);
- addWithAlias(p, "MessageDigest", "SHA3-512",
- "sun.security.provider.SHA3$SHA512", attrs);
+ /*
+ * Digest engines
+ */
+ add(p, "MessageDigest", "MD2", "sun.security.provider.MD2", attrs);
+ add(p, "MessageDigest", "MD5", "sun.security.provider.MD5", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-1", "sun.security.provider.SHA",
+ attrs);
+
+ addWithAlias(p, "MessageDigest", "SHA-224",
+ "sun.security.provider.SHA2$SHA224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-256",
+ "sun.security.provider.SHA2$SHA256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-384",
+ "sun.security.provider.SHA5$SHA384", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512",
+ "sun.security.provider.SHA5$SHA512", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512/224",
+ "sun.security.provider.SHA5$SHA512_224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA-512/256",
+ "sun.security.provider.SHA5$SHA512_256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-224",
+ "sun.security.provider.SHA3$SHA224", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-256",
+ "sun.security.provider.SHA3$SHA256", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-384",
+ "sun.security.provider.SHA3$SHA384", attrs);
+ addWithAlias(p, "MessageDigest", "SHA3-512",
+ "sun.security.provider.SHA3$SHA512", attrs);
+ }
/*
* Certificates
diff --git openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
index 8c9e4f9dbe6..883dc04758e 100644
--- openjdk.orig/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
+++ openjdk/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
@@ -38,6 +38,7 @@ import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
+import jdk.internal.access.SharedSecrets;
import sun.security.ec.ed.EdDSAAlgorithmParameters;
import sun.security.ec.ed.EdDSAKeyFactory;
import sun.security.ec.ed.EdDSAKeyPairGenerator;
@@ -56,6 +57,10 @@ public final class SunEC extends Provider {
private static final long serialVersionUID = -2279741672933606418L;
+ private static final boolean systemFipsEnabled =
+ SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
+ .isSystemFipsEnabled();
+
private static class ProviderServiceA extends ProviderService {
ProviderServiceA(Provider p, String type, String algo, String cn,
HashMap<String, String> attrs) {
@@ -249,85 +254,86 @@ public final class SunEC extends Provider {
putXDHEntries();
putEdDSAEntries();
-
- /*
- * Signature engines
- */
- putService(new ProviderService(this, "Signature",
- "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
- null, ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
- ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
- ATTRS));
-
- putService(new ProviderService(this, "Signature",
- "NONEwithECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$RawinP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA1withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA224withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA256withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA384withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA512withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
-
- putService(new ProviderService(this, "Signature",
- "SHA3-224withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA3-256withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA3-384withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
- putService(new ProviderService(this, "Signature",
- "SHA3-512withECDSAinP1363Format",
- "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
-
- /*
- * Key Pair Generator engine
- */
- putService(new ProviderService(this, "KeyPairGenerator",
- "EC", "sun.security.ec.ECKeyPairGenerator",
- List.of("EllipticCurve"), ATTRS));
-
- /*
- * Key Agreement engine
- */
- putService(new ProviderService(this, "KeyAgreement",
- "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
+ if (!systemFipsEnabled) {
+ /*
+ * Signature engines
+ */
+ putService(new ProviderService(this, "Signature",
+ "NONEwithECDSA", "sun.security.ec.ECDSASignature$Raw",
+ null, ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA1withECDSA", "sun.security.ec.ECDSASignature$SHA1",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA224withECDSA", "sun.security.ec.ECDSASignature$SHA224",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA256withECDSA", "sun.security.ec.ECDSASignature$SHA256",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA384withECDSA", "sun.security.ec.ECDSASignature$SHA384",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA512withECDSA", "sun.security.ec.ECDSASignature$SHA512",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA3-224withECDSA", "sun.security.ec.ECDSASignature$SHA3_224",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA3-256withECDSA", "sun.security.ec.ECDSASignature$SHA3_256",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA3-384withECDSA", "sun.security.ec.ECDSASignature$SHA3_384",
+ ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "SHA3-512withECDSA", "sun.security.ec.ECDSASignature$SHA3_512",
+ ATTRS));
+
+ putService(new ProviderService(this, "Signature",
+ "NONEwithECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$RawinP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA1withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA1inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA224withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA224inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA256withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA256inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA384withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA384inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA512withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA512inP1363Format"));
+
+ putService(new ProviderService(this, "Signature",
+ "SHA3-224withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA3_224inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA3-256withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA3_256inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA3-384withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA3_384inP1363Format"));
+ putService(new ProviderService(this, "Signature",
+ "SHA3-512withECDSAinP1363Format",
+ "sun.security.ec.ECDSASignature$SHA3_512inP1363Format"));
+
+ /*
+ * Key Pair Generator engine
+ */
+ putService(new ProviderService(this, "KeyPairGenerator",
+ "EC", "sun.security.ec.ECKeyPairGenerator",
+ List.of("EllipticCurve"), ATTRS));
+
+ /*
+ * Key Agreement engine
+ */
+ putService(new ProviderService(this, "KeyAgreement",
+ "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
+ }
}
private void putXDHEntries() {
@@ -344,23 +350,25 @@ public final class SunEC extends Provider {
"X448", "sun.security.ec.XDHKeyFactory.X448",
ATTRS));
- putService(new ProviderService(this, "KeyPairGenerator",
- "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
- putService(new ProviderServiceA(this, "KeyPairGenerator",
- "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
- ATTRS));
- putService(new ProviderServiceA(this, "KeyPairGenerator",
- "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
- ATTRS));
-
- putService(new ProviderService(this, "KeyAgreement",
- "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
- putService(new ProviderServiceA(this, "KeyAgreement",
- "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
- ATTRS));
- putService(new ProviderServiceA(this, "KeyAgreement",
- "X448", "sun.security.ec.XDHKeyAgreement.X448",
- ATTRS));
+ if (!systemFipsEnabled) {
+ putService(new ProviderService(this, "KeyPairGenerator",
+ "XDH", "sun.security.ec.XDHKeyPairGenerator", null, ATTRS));
+ putService(new ProviderServiceA(this, "KeyPairGenerator",
+ "X25519", "sun.security.ec.XDHKeyPairGenerator.X25519",
+ ATTRS));
+ putService(new ProviderServiceA(this, "KeyPairGenerator",
+ "X448", "sun.security.ec.XDHKeyPairGenerator.X448",
+ ATTRS));
+
+ putService(new ProviderService(this, "KeyAgreement",
+ "XDH", "sun.security.ec.XDHKeyAgreement", null, ATTRS));
+ putService(new ProviderServiceA(this, "KeyAgreement",
+ "X25519", "sun.security.ec.XDHKeyAgreement.X25519",
+ ATTRS));
+ putService(new ProviderServiceA(this, "KeyAgreement",
+ "X448", "sun.security.ec.XDHKeyAgreement.X448",
+ ATTRS));
+ }
}
private void putEdDSAEntries() {
@@ -375,21 +383,23 @@ public final class SunEC extends Provider {
putService(new ProviderServiceA(this, "KeyFactory",
"Ed448", "sun.security.ec.ed.EdDSAKeyFactory.Ed448", ATTRS));
- putService(new ProviderService(this, "KeyPairGenerator",
- "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
- putService(new ProviderServiceA(this, "KeyPairGenerator",
- "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
- ATTRS));
- putService(new ProviderServiceA(this, "KeyPairGenerator",
- "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
- ATTRS));
-
- putService(new ProviderService(this, "Signature",
- "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
- putService(new ProviderServiceA(this, "Signature",
- "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
+ if (!systemFipsEnabled) {
+ putService(new ProviderService(this, "KeyPairGenerator",
+ "EdDSA", "sun.security.ec.ed.EdDSAKeyPairGenerator", null, ATTRS));
+ putService(new ProviderServiceA(this, "KeyPairGenerator",
+ "Ed25519", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed25519",
+ ATTRS));
+ putService(new ProviderServiceA(this, "KeyPairGenerator",
+ "Ed448", "sun.security.ec.ed.EdDSAKeyPairGenerator.Ed448",
+ ATTRS));
+
+ putService(new ProviderService(this, "Signature",
+ "EdDSA", "sun.security.ec.ed.EdDSASignature", null, ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "Ed25519", "sun.security.ec.ed.EdDSASignature.Ed25519", ATTRS));
+ putService(new ProviderServiceA(this, "Signature",
+ "Ed448", "sun.security.ec.ed.EdDSASignature.Ed448", ATTRS));
+ }
}
}

18
SOURCES/rh1996182-extend_security_policy.patch
View File

@ -1,18 +0,0 @@
commit bfd7c5dae9c15266799cb885b8c60199217b65b9
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Aug 30 16:14:14 2021 +0100
RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
index 8356e56367b..23925f048be 100644
--- openjdk.orig/src/java.base/share/lib/security/default.policy
+++ openjdk/src/java.base/share/lib/security/default.policy
@@ -128,6 +128,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
grant codeBase "jrt:/jdk.crypto.cryptoki" {
permission java.lang.RuntimePermission
"accessClassInPackage.com.sun.crypto.provider";
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.access";
permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.*";

65
SOURCES/rh1996182-login_to_nss_software_token.patch
View File

@ -1,65 +0,0 @@
commit 93c9f6330bf2b4405c789bf893a5256c3f4a4923
Author: Martin Balao <mbalao@redhat.com>
Date: Sat Aug 28 00:35:44 2021 +0100
RH1996182: Login to the NSS Software Token in FIPS Mode
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 238735c0c8c..dbbf11bbb22 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java
+++ openjdk/src/java.base/share/classes/module-info.java
@@ -152,6 +152,7 @@ module java.base {
java.naming,
java.rmi,
jdk.charsets,
+ jdk.crypto.cryptoki,
jdk.crypto.ec,
jdk.jartool,
jdk.jlink,
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 112b639aa96..5d3963ea893 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -42,6 +42,7 @@ import javax.security.auth.callback.PasswordCallback;
import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
+import jdk.internal.access.SharedSecrets;
import jdk.internal.misc.InnocuousThread;
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
@@ -62,6 +63,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Exception.*;
*/
public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -379,6 +383,24 @@ public final class SunPKCS11 extends AuthProvider {
if (nssModule != null) {
nssModule.setProvider(this);
}
+ if (systemFipsEnabled) {
+ // The NSS Software Token in FIPS 140-2 mode requires a user
+ // login for most operations. See sftk_fipsCheck. The NSS DB
+ // (/etc/pki/nssdb) PIN is empty.
+ Session session = null;
+ try {
+ session = token.getOpSession();
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
+ } catch (PKCS11Exception p11e) {
+ if (debug != null) {
+ debug.println("Error during token login: " +
+ p11e.getMessage());
+ }
+ throw p11e;
+ } finally {
+ token.releaseSession(session);
+ }
+ }
} catch (Exception e) {
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
throw new UnsupportedOperationException

28
SOURCES/rh2021263-fips_ensure_security_initialised.patch
View File

@ -1,28 +0,0 @@
commit 4ac1a03b3ec73358988553fe9e200130847ea3b4
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Jan 10 20:19:40 2022 +0000
RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
index 5a2c9eb0c46..a1ee182d913 100644
--- openjdk.orig/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
+++ openjdk/src/java.base/share/classes/jdk/internal/access/SharedSecrets.java
@@ -39,6 +39,7 @@ import java.io.FilePermission;
import java.io.ObjectInputStream;
import java.io.RandomAccessFile;
import java.security.ProtectionDomain;
+import java.security.Security;
import java.security.Signature;
/** A repository of "shared secrets", which are a mechanism for
@@ -449,6 +450,9 @@ public class SharedSecrets {
}
public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
+ if (javaSecuritySystemConfiguratorAccess == null) {
+ ensureClassInitialized(Security.class);
+ }
return javaSecuritySystemConfiguratorAccess;
}
}

24
SOURCES/rh2021263-fips_missing_native_returns.patch
View File

@ -1,24 +0,0 @@
commit 8f6e35dc9e9289aed290b36e260beeda76986bb5
Author: Fridrich Strba <fstrba@suse.com>
Date: Mon Jan 10 19:32:01 2022 +0000
RH2021263: Return in C code after having generated Java exception
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 38919d6bb0f..caf678a7dd6 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -151,11 +151,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
fips_enabled = fgetc(fe);
fclose(fe);
if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
}
msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
" read character is '%c'", fips_enabled);

99
SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
View File

@ -1,99 +0,0 @@
commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:09:27 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index 28ab1846173..f9726741afd 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -61,10 +61,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -206,22 +202,36 @@ public final class Security {
}
}
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties " +
+ "-- using defaults");
+ }
+ }
+
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
"true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
}
}
- if (!loadedProps) {
- initializeStatic();
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
if (sdebug != null) {
- sdebug.println("unable to load security properties " +
- "-- using defaults");
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
}
}
-
}
/*
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 874c6221ebe..b7ed41acf0f 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {

1182
SOURCES/rh2052070-enable_algorithmparameters_in_fips_mode.patch
View File

File diff suppressed because it is too large Load Diff

213
SOURCES/rh2052829-fips_runtime_nss_detection.patch
View File

@ -1,213 +0,0 @@
commit 090ea0389db5c2e0c8ee13652bccd544b17872c2
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Feb 7 15:33:27 2022 +0000
RH2051605: Detect NSS at Runtime for FIPS detection
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index caf678a7dd6..8dcb7d9073f 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -23,26 +23,37 @@
* questions.
*/
-#include <dlfcn.h>
#include <jni.h>
#include <jni_util.h>
+#include "jvm_md.h"
#include <stdio.h>
#ifdef SYSCONF_NSS
#include <nss3/pk11pub.h>
+#else
+#include <dlfcn.h>
#endif //SYSCONF_NSS
#include "java_security_SystemConfigurator.h"
-#define MSG_MAX_SIZE 96
+#define MSG_MAX_SIZE 256
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read
-#ifndef SYSCONF_NSS
-
-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
static void throwIOException(JNIEnv *env, const char *msg)
{
@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg)
(*env)->ThrowNew(env, cls, msg);
}
-#endif
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
+{
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "systemconf: cannot render message");
+ }
+}
-static void dbgPrint(JNIEnv *env, const char* msg)
+// Only used when NSS is not linked at build time
+#ifndef SYSCONF_NSS
+
+static void *nss_handle;
+
+static jboolean loadNSS(JNIEnv *env)
{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
- }
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
+ if (nss_handle == NULL) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ dlerror(); /* Clear errors */
+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
+ if ((errmsg = dlerror()) != NULL) {
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+static void closeNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ if (dlclose(nss_handle) != 0) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ }
}
+#endif
+
/*
* Class: java_security_SystemConfigurator
* Method: JNI_OnLoad
@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
debugObj = (*env)->NewGlobalRef(env, debugObj);
}
+#ifdef SYSCONF_NSS
+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
+#else
+ if (loadNSS(env) == JNI_FALSE) {
+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
+ }
+#endif
+
return (*env)->GetVersion(env);
}
@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
return; /* Should not happen */
}
+#ifndef SYSCONF_NSS
+ closeNSS(env);
+#endif
(*env)->DeleteGlobalRef(env, debugObj);
}
}
@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
char msg[MSG_MAX_SIZE];
int msg_bytes;
-#ifdef SYSCONF_NSS
-
- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
- fips_enabled = SECMOD_GetSystemFIPSEnabled();
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
+ if (getSystemFIPSEnabled != NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = (*getSystemFIPSEnabled)();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
} else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " SECMOD_GetSystemFIPSEnabled return value");
- }
- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+ FILE *fe;
-#else // SYSCONF_NSS
-
- FILE *fe;
-
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
return JNI_FALSE;
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
}
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
- } else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " read character");
- }
- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-
-#endif // SYSCONF_NSS
}

518
SPECS/java-17-openjdk.spec
View File

@ -23,6 +23,8 @@
%bcond_without staticlibs
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
# Build with system libraries
%bcond_with system_libs
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@ -39,6 +41,16 @@
%global build_hotspot_first 0
%endif
%if %{with system_libs}
%global system_libs 1
%global link_type system
%global freetype_lib %{nil}
%else
%global system_libs 0
%global link_type bundled
%global freetype_lib |libfreetype[.]so.*
%endif
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@ -190,11 +202,15 @@
%global staticlibs_loop %{nil}
%endif
%if 0%{?flatpak}
%global bootstrap_build false
%else
%ifarch %{bootstrap_arches}
%global bootstrap_build true
%else
%global bootstrap_build false
%endif
%endif
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
@ -305,12 +321,8 @@
# New Version-String scheme-style defines
%global featurever 17
%global interimver 0
%global updatever 3
%global updatever 6
%global patchver 0
# If you bump featurever, you must also bump vendor_version_string
# Used via new version scheme. JDK 17 was
# GA'ed in September 2021 => 21.9
%global vendor_version_string 21.9
# buildjdkver is usually same as %%{featurever},
# but in time of bootstrap of next jdk, it is featurever-1,
# and this it is better to change it here, on single place
@ -325,16 +337,39 @@
%global lts_designator_zip ""
%endif
# Define vendor information used by OpenJDK
%global oj_vendor Red Hat, Inc.
%global oj_vendor_url https://www.redhat.com/
# Define what url should JVM offer in case of a crash report
# order may be important, epel may have rhel declared
%if 0%{?epel}
%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
%else
%if 0%{?fedora}
# Does not work for rawhide, keeps the version field empty
%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
%else
%if 0%{?rhel}
%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
%else
%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi
%endif
%endif
%endif
%global oj_vendor_version (Red_Hat-%{version}-%{release})
# Define IcedTea version used for SystemTap tapsets and desktop file
%global icedteaver 6.0.0pre00-c848b93a8598
# Define current Git revision for the FIPS support patches
%global fipsver 72d08e3226f
# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 5
%global rpmrelease 1
%global buildver 9
%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -353,6 +388,9 @@
# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
# The tag used to create the OpenJDK tarball
%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}
# Define milestone (EA for pre-releases, GA for releases)
# Release will be (where N is usually a number starting at 1):
# - 0.N%%{?extraver}%%{?dist} for EA releases,
@ -360,35 +398,18 @@
%global is_ga 0
%if %{is_ga}
%global build_type GA
%global expected_ea_designator ""
%global ea_designator ""
%global ea_designator_zip ""
%global extraver %{nil}
%global eaprefix %{nil}
%else
%global build_type EA
%global expected_ea_designator ea
%global ea_designator_zip -%{expected_ea_designator}
%global extraver .%{expected_ea_designator}
%global ea_designator ea
%global ea_designator_zip -%{ea_designator}
%global extraver .%{ea_designator}
%global eaprefix 0.
%endif
# Define what url should JVM offer in case of a crash report
# order may be important, epel may have rhel declared
%if 0%{?epel}
%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
%else
%if 0%{?fedora}
# Does not work for rawhide, keeps the version field empty
%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
%else
%if 0%{?rhel}
%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
%else
%global bugs https://bugzilla.redhat.com/enter_bug.cgi
%endif
%endif
%endif
# parametrized macros are order-sensitive
%global compatiblename java-%{featurever}-%{origin}
%global fullversion %{compatiblename}-%{version}-%{release}
@ -406,7 +427,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib}
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$
@ -810,6 +831,9 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
%if ! %{system_libs}
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
@ -928,7 +952,7 @@ exit 0
%ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1*
%endif
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
@ -967,11 +991,11 @@ exit 0
%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1*
%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1*
%if %{with_systemtap}
%dir %{tapsetroot}
@ -1094,7 +1118,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
Requires: tzdata-java >= 2015d
# 2022g required as of JDK-8297804
Requires: tzdata-java >= 2022g
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@ -1107,6 +1132,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
# for system security properties
Requires: crypto-policies
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
@ -1252,9 +1279,8 @@ License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv
URL: http://openjdk.java.net/
# to regenerate source0 (jdk) run update_package.sh
# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
# The source tarball, generated using generate_source_tarball.sh
Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@ -1282,8 +1308,11 @@ Source14: TestECDSA.java
# Verify system crypto (policy) can be disabled via a property
Source15: TestSecurityProperties.java
# nss fips configuration file
Source17: nss.fips.cfg.in
# Ensure vendor settings are correct
Source16: CheckVendor.java
# Ensure translations are available for new timezones
Source18: TestTranslations.java
############################################
#
@ -1302,55 +1331,57 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
# Restrict access to java-atk-wrapper classes
Patch2: rh1648644-java_access_bridge_privileged_security.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# Follow system wide crypto policy RHBZ#1249083
Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
# PR3695: Allow use of system crypto policy to be disabled by the user
Patch5: pr3695-toggle_system_crypto_policy.patch
# Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
# FIPS support patches
# Crypto policy and FIPS support patches
# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
# as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch
# Diff is limited to src and make subdirectories to exclude .github changes
# Fixes currently included:
# PR3183, RH1340845: Follow system wide crypto policy
# PR3695: Allow use of system crypto policy to be disabled by the user
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
Patch1001: rh1655466-global_crypto_and_fips.patch
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
Patch1002: rh1818909-fips_default_keystore_type.patch
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
Patch1007: rh1915071-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
Patch1008: rh1929465-improve_system_FIPS_detection.patch
Patch1011: rh1929465-dont_define_unused_throwioexception.patch
# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
Patch1009: rh1995150-disable_non-fips_crypto.patch
# RH1996182: Login to the NSS software token in FIPS mode
Patch1010: rh1996182-login_to_nss_software_token.patch
Patch1012: rh1996182-extend_security_policy.patch
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
Patch1013: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues
Patch1014: rh2021263-fips_ensure_security_initialised.patch
Patch1015: rh2021263-fips_missing_native_returns.patch
# RH2052819: Fix FIPS reliance on crypto policies
Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
# RH2052829: Detect NSS at Runtime for FIPS detection
Patch1017: rh2052829-fips_runtime_nss_detection.patch
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch
# RH2023467: Enable FIPS keys export
# RH2094027: SunEC runtime permission for FIPS
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
# RH2090378: Revert to disabling system security properties and FIPS mode support together
# RH2104724: Avoid import/export of DH private keys
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
# Build the systemconf library on all platforms
# RH2048582: Support PKCS#12 keystores
# RH2020290: Support TLS 1.3 in FIPS mode
# Add nss.fips.cfg support to OpenJDK tree
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
# Remove forgotten dead code from RH2020290 and RH2104724
Patch1001: fips-17u-%{fipsver}.patch
#############################################
#
# OpenJDK patches in need of upstreaming
#
#############################################
# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
Patch2000: jdk8275535-rh2053256-ldap_auth.patch
# JDK-8283911: DEFAULT_PROMOTED_VERSION_PRE not reset to 'ea' for jdk-17.0.4
Patch2001: jdk8283911-default_promoted_version_pre.patch
#############################################
#
# OpenJDK patches appearing in 17.0.1
# OpenJDK patches appearing in 17.0.5
#
#############################################
#############################################
#
# OpenJDK patches targetted for 17.0.6
#
#############################################
@ -1363,14 +1394,8 @@ BuildRequires: desktop-file-utils
# elfutils only are OK for build without AOT
BuildRequires: elfutils-devel
BuildRequires: fontconfig-devel
BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: gcc-c++
BuildRequires: gdb
BuildRequires: harfbuzz-devel
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
BuildRequires: libxslt
BuildRequires: libX11-devel
BuildRequires: libXi-devel
@ -1381,6 +1406,8 @@ BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
# Requirement for system security property test
BuildRequires: crypto-policies
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@ -1390,7 +1417,8 @@ BuildRequires: java-17-openjdk-devel
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
BuildRequires: tzdata-java >= 2015d
# 2022g required as of JDK-8297804
BuildRequires: tzdata-java >= 2022g
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@ -1399,6 +1427,30 @@ BuildRequires: systemtap-sdt-devel
%endif
BuildRequires: make
%if %{system_libs}
BuildRequires: freetype-devel
BuildRequires: giflib-devel
BuildRequires: harfbuzz-devel
BuildRequires: lcms2-devel
BuildRequires: libjpeg-devel
BuildRequires: libpng-devel
%else
# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h
Provides: bundled(freetype) = 2.12.1
# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
Provides: bundled(giflib) = 5.2.1
# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
Provides: bundled(harfbuzz) = 4.4.1
# Version in src/java.desktop/share/native/liblcms/lcms2.h
Provides: bundled(lcms2) = 2.12.0
# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
Provides: bundled(libjpeg) = 6b
# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
Provides: bundled(libpng) = 1.6.37
# We link statically against libstdc++ to increase portability
BuildRequires: libstdc++-static
%endif
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
%{java_rpo %{nil}}
@ -1708,6 +1760,8 @@ The %{origin_nice} %{featurever} API documentation compressed in a single archiv
%prep
echo "Preparing %{oj_vendor_version}"
# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
%if 0%{?stapinstall:1}
echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
@ -1746,39 +1800,45 @@ if [ $prioritylength -ne 8 ] ; then
fi
# OpenJDK patches
%if %{system_libs}
# Remove libraries that are linked by both static and dynamic builds
sh %{SOURCE12} %{top_level_dir_name}
%endif
# Patch the JDK
pushd %{top_level_dir_name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security
%patch1000 -p1
popd # openjdk
%patch1000
%patch600
%patch1001
%patch1002
%patch1004
%patch1007
%patch1008
%patch1009
%patch1010
%patch1011
%patch1012
%patch1013
%patch1014
%patch1015
%patch1016
%patch1017
%patch1018
%patch2000
%patch2001
# The OpenJDK version file includes the current
# upstream version information. For some reason,
# configure does not automatically use the
# default pre-version supplied there (despite
# what the file claims), so we pass it manually
# to configure
VERSION_FILE=$(pwd)/%{top_level_dir_name}/make/conf/version-numbers.conf
if [ -f ${VERSION_FILE} ] ; then
UPSTREAM_EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
else
echo "Could not find OpenJDK version file.";
exit 16
fi
if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
echo "WARNING: Designator mismatch";
echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
exit 17
fi
# Extract systemtap tapsets
%if %{with_systemtap}
@ -1829,9 +1889,6 @@ done
# Setup nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
# Setup nss.fips.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build
# How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
@ -1875,22 +1932,12 @@ function buildjdk() {
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
# The OpenJDK version file includes the current
# upstream version information. For some reason,
# configure does not automatically use the
# default pre-version supplied there (despite
# what the file claims), so we pass it manually
# to configure
VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf
if [ -f ${VERSION_FILE} ] ; then
EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2)
# This must be set using the global, so that the
# static libraries still use a dynamic stdc++lib
if [ "x%{link_type}" = "xbundled" ] ; then
libc_link_opt="static";
else
echo "Could not find OpenJDK version file.";
exit 16
fi
if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then
echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}";
exit 17
libc_link_opt="dynamic";
fi
echo "Using output directory: ${outputdir}";
@ -1899,11 +1946,15 @@ function buildjdk() {
echo "Using make targets: ${maketargets}"
echo "Using debuglevel: ${debuglevel}"
echo "Using link_opt: ${link_opt}"
echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}"
echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
mkdir -p ${outputdir}
pushd ${outputdir}
# Note: zlib and freetype use %{link_type}
# rather than ${link_opt} as the system versions
# are always used in a system_libs build, even
# for the static library build
bash ${top_dir_abs_src_path}/configure \
%ifarch %{zero_arches}
--with-jvm-variants=zero \
@ -1912,25 +1963,26 @@ function buildjdk() {
--with-jobs=1 \
%endif
--with-version-build=%{buildver} \
--with-version-pre="${EA_DESIGNATOR}" \
--with-version-pre="%{ea_designator}" \
--with-version-opt=%{lts_designator} \
--with-vendor-version-string="%{vendor_version_string}" \
--with-vendor-name="Red Hat, Inc." \
--with-vendor-url="https://www.redhat.com/" \
--with-vendor-bug-url="%{bugs}" \
--with-vendor-vm-bug-url="%{bugs}" \
--with-vendor-version-string="%{oj_vendor_version}" \
--with-vendor-name="%{oj_vendor}" \
--with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
--with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \
--disable-sysconf-nss \
--enable-unlimited-crypto \
--with-zlib=system \
--with-zlib=%{link_type} \
--with-freetype=%{link_type} \
--with-libjpeg=${link_opt} \
--with-giflib=${link_opt} \
--with-libpng=${link_opt} \
--with-lcms=${link_opt} \
--with-harfbuzz=${link_opt} \
--with-stdc++lib=dynamic \
--with-stdc++lib=${libc_link_opt} \
--with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
--with-extra-cflags="$EXTRA_CFLAGS" \
--with-extra-ldflags="%{ourldflags}" \
@ -1970,8 +2022,9 @@ function installjdk() {
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg ${imagepath}/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Turn on system security properties
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
${imagepath}/conf/security/java.security
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
@ -2012,12 +2065,13 @@ for suffix in %{build_loop} ; do
bootbuilddir=boot${builddir}
if test "x${loop}" = "x%{main_suffix}" ; then
link_opt="%{link_type}"
%if %{system_libs}
# Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full
# Use system libraries
link_opt="system"
%endif
# Debug builds don't need same targets as release for
# build speed-up. We also avoid bootstrapping these
# slower builds.
@ -2035,9 +2089,11 @@ for suffix in %{build_loop} ; do
else
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
fi
%if %{system_libs}
# Restore original source tree we modified by removing full in-tree sources
rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name}
%endif
else
# Use bundled libraries for building statically
link_opt="bundled"
@ -2053,6 +2109,9 @@ for suffix in %{build_loop} ; do
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
# Print release information
cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release
# build cycles
done # end of release / debug cycle loop
@ -2068,6 +2127,8 @@ top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticli
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Pre-test setup
#check Shenandoah is enabled
%if %{use_shenandoah_hotspot}
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
@ -2081,9 +2142,14 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev
$JAVA_HOME/bin/javac -d . %{SOURCE14}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
# Check system crypto (policy) can be disabled
# Check system crypto (policy) is active and can be disabled
# Test takes a single argument - true or false - to state whether system
# security properties are enabled or not.
$JAVA_HOME/bin/javac -d . %{SOURCE15}
$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||")
export SEC_DEBUG="-Djava.security.debug=properties"
$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} true
$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false
# Check java launcher has no SSB mitigation
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
@ -2095,6 +2161,11 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
%endif
# Check translations are available for new timezones
$JAVA_HOME/bin/javac -d . %{SOURCE18}
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
%if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
@ -2111,14 +2182,6 @@ do
# All these tests rely on RPM failing the build if the exit code of any set
# of piped commands is non-zero.
# If this is the empty library, libsyslookup.so, of the foreign function and memory
# API incubation module (JEP 412), skip the debuginfo check as this seems unreliable
# on s390x. It's not very useful for other arches either, so skip unconditionally.
if [ "`basename $lib`" = "libsyslookup.so" ]; then
echo "Skipping debuginfo check for empty library 'libsyslookup.so'"
continue
fi
# Test for .debug_* sections in the shared object. This is the main test
# Stripped objects will not contain these
eu-readelf -S "$lib" | grep "] .debug_"
@ -2133,7 +2196,7 @@ do
do
# We expect to see .cpp files, except for architectures like aarch64 and
# s390 where we expect .o and .oS files
echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$"
done
IFS="$old_IFS"
@ -2558,6 +2621,189 @@ require "copy_jdk_configs.lua"
%endif
%changelog
* Wed Jan 04 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.9-0.3.ea
- Update to jdk-17.0.6+9
- Update release notes to 17.0.6+9
- Drop local copy of JDK-8293834 now this is upstream
- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
- Update TestTranslations.java to test the new America/Ciudad_Juarez zone
- Resolves: rhbz#2150195
* Sat Dec 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.1-0.3.ea
- Update to jdk-17.0.6+1
- Update release notes to 17.0.6+1
- Switch to EA mode for 17.0.6 pre-release builds.
- Re-enable EA upstream status check now it is being actively maintained.
- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
- Drop JDK-8275535 local patch now this has been accepted and backported upstream
- Bump tzdata requirement to 2022e now the package is available in RHEL
- Related: rhbz#2150195
* Wed Nov 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-5
- Update FIPS support to bring in latest changes
- * Add nss.fips.cfg support to OpenJDK tree
- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
- * Remove forgotten dead code from RH2020290 and RH2104724
- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build
- Resolves: rhbz#2117972
* Wed Oct 26 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.8-2
- Update to jdk-17.0.5+8 (GA)
- Update release notes to 17.0.5+8 (GA)
- Switch to GA mode for final release.
- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
- Update CLDR data with Europe/Kyiv (JDK-8293834)
- Drop JDK-8292223 patch which we found to be unnecessary
- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
- Remove freetype sources along with zlib sources
- Resolves: rhbz#2133695
* Tue Oct 04 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.7-0.2.ea
- Update to jdk-17.0.5+7
- Update release notes to 17.0.5+7
- Drop JDK-8288985 patch that is now upstream
- Resolves: rhbz#2130617
* Mon Oct 03 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.5.0.1-0.2.ea
- Update to jdk-17.0.5+1
- Update release notes to 17.0.5+1
- Switch to EA mode for 17.0.5 pre-release builds.
- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
- Bump FreeType bundled version to 2.12.1 following JDK-8290334
- Related: rhbz#2130617
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-6
- Backport JDK-8288985 to enable use of ChaCha20-Poly1305 with the PKCS11 provider
- Upstream backport in progress: https://github.com/openjdk/jdk17u-dev/pull/650
- Resolves: rhbz#2006351
* Tue Aug 30 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-5
- Switch to static builds, reducing system dependencies and making build more portable
- Resolves: rhbz#2121263
* Mon Aug 29 2022 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.4.1.1-4
- Fix flatpak builds (catering for their uncompressed manual pages)
- Fix flatpak builds by exempting them from bootstrap
- Resolves: rhbz#2102734
* Mon Aug 29 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-3
- Update FIPS support to bring in latest changes
- * RH2104724: Avoid import/export of DH private keys
- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
- * Build the systemconf library on all platforms
- * RH2048582: Support PKCS#12 keystores
- * RH2020290: Support TLS 1.3 in FIPS mode
- Resolves: rhbz#2104724
- Resolves: rhbz#2092507
- Resolves: rhbz#2048582
- Resolves: rhbz#2020290
* Sun Aug 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.1.1-2
- Update to jdk-17.0.4.1+1
- Update release notes to 17.0.4.1+1
- Add patch to provide translations for Europe/Kyiv added in tzdata2022b
- Add test to ensure timezones can be translated
- Resolves: rhbz#2119531
* Fri Jul 22 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.8-3
- Update to jdk-17.0.4.0+8
- Update release notes to 17.0.4.0+8
- Switch to GA mode for release
- Resolves: rhbz#2106522
* Wed Jul 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.2.ea
- Revert the following changes until copy-java-configs has adapted to relative symlinks:
- * Move cacerts replacement to install section and retain original of this and tzdb.dat
- * Run tests on the installed image, rather than the build image
- * Introduce variables to refer to the static library installation directories
- * Use relative symlinks so they work within the image
- * Run debug symbols check during build stage, before the install strips them
- The move of turning on system security properties is retained so we don't ship with them off
- Related: rhbz#2100674
* Wed Jul 20 2022 Jiri Vanek <jvanek@redhat.com> - 1:17.0.4.0.7-0.2.ea
- retutrned absolute symlinks
- relative symlinks are breaking cjc, and deeper investigations are necessary
-- why cjc intentionally skips relative symllinks
- images have to be workarounded differently
- Related: rhbz#2100674
* Sat Jul 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.4.0.7-0.1.ea
- Update to jdk-17.0.4.0+7
- Update release notes to 17.0.4.0+7
- Switch to EA mode for 17.0.4 pre-release builds.
- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
- Print release file during build, which should now include a correct SOURCE value from .src-rev
- Update tarball script with IcedTea GitHub URL and .src-rev generation
- Include script to generate bug list for release notes
- Update tzdata requirement to 2022a to match JDK-8283350
- Move EA designator check to prep so failures can be caught earlier
- Make EA designator check non-fatal while upstream is not maintaining it
- Explicitly require crypto-policies during build and runtime for system security properties
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information.
- Resolves: rhbz#2083316
* Thu Jul 14 2022 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:17.0.4.0.1-0.2.ea
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
- Add proper quoting so '&' is not treated as a special character by the shell.
- Related: rhbz#2083316
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
- Fix whitespace in spec file
- Related: rhbz#2100674
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
- Sequence spec file sections as they are run by rpmbuild (build, install then test)
- Related: rhbz#2100674
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-6
- Turn on system security properties as part of the build's install section
- Move cacerts replacement to install section and retain original of this and tzdb.dat
- Run tests on the installed image, rather than the build image
- Introduce variables to refer to the static library installation directories
- Use relative symlinks so they work within the image
- Run debug symbols check during build stage, before the install strips them
- Related: rhbz#2100674
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-5
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
- Resolves: rhbz#2007331
* Tue Jun 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-4
- Update FIPS support to bring in latest changes
- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
- * RH2090378: Revert to disabling system security properties and FIPS mode support together
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on
- Resolves: rhbz#2099840
- Resolves: rhbz#2100674
* Tue Jun 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-3
- Add rpminspect.yaml to turn off Java bytecode inspections
- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode
- Resolves: rhbz#2101524
* Sun Jun 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-2
- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- RH2023467: Enable FIPS keys export
- RH2094027: SunEC runtime permission for FIPS
- Resolves: rhbz#2023467
- Resolves: rhbz#2094027
* Wed Apr 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-1
- April 2022 security update to jdk 17.0.3+7
- Update to jdk-17.0.3.0+7 release tarball
- Update release notes to 17.0.3.0+6
- Add missing README.md and generate_source_tarball.sh
- Switch to GA mode for release
- JDK-8283911 patch no longer needed now we're GA...
- Resolves: rhbz#2073577
* Wed Apr 06 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.5-0.1.ea
- Update to jdk-17.0.3.0+5
- Update release notes to 17.0.3.0+5