Compare commits
No commits in common. "imports/c8s/java-17-openjdk-17.0.6.0.9-0.4.ea.el8" and "c8-beta" have entirely different histories.
imports/c8
...
c8-beta
|
|
@ -2644,7 +2644,7 @@ index 00000000000..55bbba98b7a
|
|||
+attributes(*,CKO_SECRET_KEY,CKK_GENERIC_SECRET)={ CKA_SIGN=true }
|
||||
+
|
||||
diff --git a/src/java.base/share/lib/security/default.policy b/src/java.base/share/lib/security/default.policy
|
||||
index b22f26947af..02bea84e210 100644
|
||||
index b22f26947af..3ee2ce6ea88 100644
|
||||
--- a/src/java.base/share/lib/security/default.policy
|
||||
+++ b/src/java.base/share/lib/security/default.policy
|
||||
@@ -121,6 +121,7 @@ grant codeBase "jrt:/jdk.charsets" {
|
||||
|
|
@ -2663,15 +2663,6 @@ index b22f26947af..02bea84e210 100644
|
|||
permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
|
||||
permission java.lang.RuntimePermission
|
||||
"accessClassInPackage.sun.security.*";
|
||||
@@ -140,6 +142,8 @@ grant codeBase "jrt:/jdk.crypto.cryptoki" {
|
||||
permission java.util.PropertyPermission "os.name", "read";
|
||||
permission java.util.PropertyPermission "os.arch", "read";
|
||||
permission java.util.PropertyPermission "jdk.crypto.KeyAgreement.legacyKDF", "read";
|
||||
+ permission java.util.PropertyPermission "fips.nssdb.path", "read,write";
|
||||
+ permission java.util.PropertyPermission "fips.nssdb.pin", "read";
|
||||
permission java.security.SecurityPermission "putProviderProperty.*";
|
||||
permission java.security.SecurityPermission "clearProviderProperties.*";
|
||||
permission java.security.SecurityPermission "removeProviderProperty.*";
|
||||
diff --git a/src/java.base/share/native/libsystemconf/systemconf.c b/src/java.base/share/native/libsystemconf/systemconf.c
|
||||
new file mode 100644
|
||||
index 00000000000..ddf9befe5bc
|
||||
|
|
@ -4129,7 +4120,7 @@ index 262cfc062ad..72b64f72c0a 100644
|
|||
Provider p = sun;
|
||||
if (p == null) {
|
||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
index aa35e8fa668..1855e5631bd 100644
|
||||
index aa35e8fa668..f4d7c9cc201 100644
|
||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
@@ -26,6 +26,9 @@
|
||||
|
|
@ -4195,7 +4186,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
private static final long serialVersionUID = -1354835039035306505L;
|
||||
|
||||
static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||
@@ -115,6 +153,29 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -115,6 +153,18 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
return AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
|
||||
@Override
|
||||
public SunPKCS11 run() throws Exception {
|
||||
|
|
@ -4206,26 +4197,15 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
+ * fips.nssdb.path System property after expansion.
|
||||
+ * Security properties expansion is unsupported.
|
||||
+ */
|
||||
+ String nssdbPath =
|
||||
+ System.setProperty(
|
||||
+ FIPS_NSSDB_PATH_PROP,
|
||||
+ SecurityProperties.privilegedGetOverridable(
|
||||
+ FIPS_NSSDB_PATH_PROP);
|
||||
+ if (System.getSecurityManager() != null) {
|
||||
+ AccessController.doPrivileged(
|
||||
+ (PrivilegedAction<Void>) () -> {
|
||||
+ System.setProperty(
|
||||
+ FIPS_NSSDB_PATH_PROP,
|
||||
+ nssdbPath);
|
||||
+ return null;
|
||||
+ });
|
||||
+ } else {
|
||||
+ System.setProperty(
|
||||
+ FIPS_NSSDB_PATH_PROP, nssdbPath);
|
||||
+ }
|
||||
+ FIPS_NSSDB_PATH_PROP));
|
||||
+ }
|
||||
return new SunPKCS11(new Config(newConfigName));
|
||||
}
|
||||
});
|
||||
@@ -320,10 +381,19 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -320,10 +370,19 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
// request multithreaded access first
|
||||
initArgs.flags = CKF_OS_LOCKING_OK;
|
||||
PKCS11 tmpPKCS11;
|
||||
|
|
@ -4246,7 +4226,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
} catch (PKCS11Exception e) {
|
||||
if (debug != null) {
|
||||
debug.println("Multi-threaded initialization failed: " + e);
|
||||
@@ -339,11 +409,12 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -339,11 +398,12 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
initArgs.flags = 0;
|
||||
}
|
||||
tmpPKCS11 = PKCS11.getInstance(library,
|
||||
|
|
@ -4261,7 +4241,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
if (p11Info.cryptokiVersion.major < 2) {
|
||||
throw new ProviderException("Only PKCS#11 v2.0 and later "
|
||||
+ "supported, library version is v" + p11Info.cryptokiVersion);
|
||||
@@ -417,14 +488,19 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -417,14 +477,19 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
final String className;
|
||||
final List<String> aliases;
|
||||
final int[] mechanisms;
|
||||
|
|
@ -4282,7 +4262,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
}
|
||||
private P11Service service(Token token, int mechanism) {
|
||||
return new P11Service
|
||||
@@ -458,18 +534,29 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -458,18 +523,29 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
|
||||
private static void d(String type, String algorithm, String className,
|
||||
int[] m) {
|
||||
|
|
@ -4315,7 +4295,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
}
|
||||
|
||||
private static void register(Descriptor d) {
|
||||
@@ -525,6 +612,7 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -525,6 +601,7 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
String P11Cipher = "sun.security.pkcs11.P11Cipher";
|
||||
String P11RSACipher = "sun.security.pkcs11.P11RSACipher";
|
||||
String P11AEADCipher = "sun.security.pkcs11.P11AEADCipher";
|
||||
|
|
@ -4323,7 +4303,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
String P11Signature = "sun.security.pkcs11.P11Signature";
|
||||
String P11PSSSignature = "sun.security.pkcs11.P11PSSSignature";
|
||||
|
||||
@@ -587,6 +675,30 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -587,6 +664,30 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
d(MAC, "SslMacSHA1", P11Mac,
|
||||
m(CKM_SSL3_SHA1_MAC));
|
||||
|
||||
|
|
@ -4354,7 +4334,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
d(KPG, "RSA", P11KeyPairGenerator,
|
||||
getAliases("PKCS1"),
|
||||
m(CKM_RSA_PKCS_KEY_PAIR_GEN));
|
||||
@@ -685,6 +797,66 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -685,6 +786,66 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
d(SKF, "ChaCha20", P11SecretKeyFactory,
|
||||
m(CKM_CHACHA20_POLY1305));
|
||||
|
||||
|
|
@ -4421,7 +4401,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
// XXX attributes for Ciphers (supported modes, padding)
|
||||
dA(CIP, "ARCFOUR", P11Cipher,
|
||||
m(CKM_RC4));
|
||||
@@ -754,6 +926,46 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -754,6 +915,46 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
d(CIP, "RSA/ECB/NoPadding", P11RSACipher,
|
||||
m(CKM_RSA_X_509));
|
||||
|
||||
|
|
@ -4468,7 +4448,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
d(SIG, "RawDSA", P11Signature,
|
||||
List.of("NONEwithDSA"),
|
||||
m(CKM_DSA));
|
||||
@@ -1144,9 +1356,21 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -1144,9 +1345,21 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
if (ds == null) {
|
||||
continue;
|
||||
}
|
||||
|
|
@ -4490,13 +4470,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
supportedAlgs.put(d, integerMech);
|
||||
continue;
|
||||
}
|
||||
@@ -1220,11 +1444,52 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
}
|
||||
|
||||
@Override
|
||||
+ @SuppressWarnings("removal")
|
||||
public Object newInstance(Object param)
|
||||
throws NoSuchAlgorithmException {
|
||||
@@ -1225,6 +1438,27 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
if (token.isValid() == false) {
|
||||
throw new NoSuchAlgorithmException("Token has been removed");
|
||||
}
|
||||
|
|
@ -4514,26 +4488,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
+ * property.
|
||||
+ */
|
||||
+ try {
|
||||
+ if (System.getSecurityManager() != null) {
|
||||
+ try {
|
||||
+ AccessController.doPrivileged(
|
||||
+ (PrivilegedExceptionAction<Void>) () -> {
|
||||
+ token.ensureLoggedIn(null);
|
||||
+ return null;
|
||||
+ });
|
||||
+ } catch (PrivilegedActionException pae) {
|
||||
+ Exception e = pae.getException();
|
||||
+ if (e instanceof LoginException le) {
|
||||
+ throw le;
|
||||
+ } else if (e instanceof PKCS11Exception p11e) {
|
||||
+ throw p11e;
|
||||
+ } else {
|
||||
+ throw new RuntimeException(e);
|
||||
+ }
|
||||
+ }
|
||||
+ } else {
|
||||
+ token.ensureLoggedIn(null);
|
||||
+ }
|
||||
+ token.ensureLoggedIn(null);
|
||||
+ } catch (PKCS11Exception | LoginException e) {
|
||||
+ throw new ProviderException("FIPS: error during the Token" +
|
||||
+ " login required for the " + getType() +
|
||||
|
|
@ -4543,7 +4498,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
try {
|
||||
return newInstance0(param);
|
||||
} catch (PKCS11Exception e) {
|
||||
@@ -1244,6 +1509,8 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -1244,6 +1478,8 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
} else if (algorithm.endsWith("GCM/NoPadding") ||
|
||||
algorithm.startsWith("ChaCha20-Poly1305")) {
|
||||
return new P11AEADCipher(token, algorithm, mechanism);
|
||||
|
|
@ -4552,7 +4507,7 @@ index aa35e8fa668..1855e5631bd 100644
|
|||
} else {
|
||||
return new P11Cipher(token, algorithm, mechanism);
|
||||
}
|
||||
@@ -1579,6 +1846,9 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
@@ -1579,6 +1815,9 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
try {
|
||||
session = token.getOpSession();
|
||||
p11.C_Logout(session.id());
|
||||
|
|
@ -361,7 +361,7 @@
|
|||
# Define IcedTea version used for SystemTap tapsets and desktop file
|
||||
%global icedteaver 6.0.0pre00-c848b93a8598
|
||||
# Define current Git revision for the FIPS support patches
|
||||
%global fipsver 257d544b594
|
||||
%global fipsver 72d08e3226f
|
||||
|
||||
# Standard JPackage naming and versioning defines
|
||||
%global origin openjdk
|
||||
|
|
@ -369,7 +369,7 @@
|
|||
%global top_level_dir_name %{origin}
|
||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||
%global buildver 9
|
||||
%global rpmrelease 4
|
||||
%global rpmrelease 3
|
||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||
%if %is_system_jdk
|
||||
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
|
||||
|
|
@ -1365,7 +1365,6 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
|
|||
# Add nss.fips.cfg support to OpenJDK tree
|
||||
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
|
||||
# Remove forgotten dead code from RH2020290 and RH2104724
|
||||
# OJ1357: Fix issue on FIPS with a SecurityManager in place
|
||||
Patch1001: fips-17u-%{fipsver}.patch
|
||||
|
||||
#############################################
|
||||
|
|
@ -2162,14 +2161,10 @@ nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
|
|||
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
|
||||
%endif
|
||||
|
||||
%if ! 0%{?flatpak}
|
||||
# Check translations are available for new timezones (during flatpak builds, the
|
||||
# tzdb.dat used by this test is not where the test expects it, so this is
|
||||
# disabled for flatpak builds)
|
||||
# Check translations are available for new timezones
|
||||
$JAVA_HOME/bin/javac -d . %{SOURCE18}
|
||||
$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE
|
||||
$JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
|
||||
%endif
|
||||
|
||||
%if %{include_staticlibs}
|
||||
# Check debug symbols in static libraries (smoke test)
|
||||
|
|
@ -2626,15 +2621,6 @@ require "copy_jdk_configs.lua"
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Jan 13 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.9-0.4.ea
|
||||
- Update FIPS support to bring in latest changes
|
||||
- * OJ1357: Fix issue on FIPS with a SecurityManager in place
|
||||
- Related: rhbz#2117972
|
||||
|
||||
* Fri Jan 13 2023 Stephan Bergmann <sbergman@redhat.com> - 1:17.0.6.0.9-0.4.ea
|
||||
- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat
|
||||
- Related: rhbz#2150195
|
||||
|
||||
* Wed Jan 04 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.6.0.9-0.3.ea
|
||||
- Update to jdk-17.0.6+9
|
||||
- Update release notes to 17.0.6+9
|
||||
|
|
|
|||
Loading…
Reference in New Issue