From 4dfc5acfc8807c90357a1fa819ced424e9e48e9e Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Sat, 13 Apr 2024 14:56:57 +0100 Subject: [PATCH] Update to jdk-21.0.3+7 (EA) - Update release notes to 21.0.3+7 - Require tzdata 2024a due to upstream inclusion of JDK-8322725 - Only require tzdata 2023d for now as 2024a is unavailable in buildroot - Drop JDK-8009550 which is now available upstream - Re-generate FIPS patch against 21.0.3+7 following backport of JDK-8325254 Resolves: RHEL-30946 --- .gitignore | 1 + ...c48eda.patch => fips-21u-0a42e29b391.patch | 27 ++-- java-21-openjdk.spec | 29 ++-- ...0-rh910107-fail_to_load_pcsc_library.patch | 125 ------------------ sources | 2 +- 5 files changed, 33 insertions(+), 151 deletions(-) rename fips-21u-75ffdc48eda.patch => fips-21u-0a42e29b391.patch (99%) delete mode 100644 jdk8009550-rh910107-fail_to_load_pcsc_library.patch diff --git a/.gitignore b/.gitignore index 55fdc20..99c817e 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,4 @@ /openjdk-21.0.2+12.tar.xz /openjdk-21.0.2+13.tar.xz /openjdk-21.0.3+1-ea.tar.xz +/openjdk-21.0.3+7-ea.tar.xz diff --git a/fips-21u-75ffdc48eda.patch b/fips-21u-0a42e29b391.patch similarity index 99% rename from fips-21u-75ffdc48eda.patch rename to fips-21u-0a42e29b391.patch index 8413fe1..54e8da0 100644 --- a/fips-21u-75ffdc48eda.patch +++ b/fips-21u-0a42e29b391.patch @@ -116,7 +116,7 @@ index 00000000000..f48fc7f7e80 + AC_SUBST(NSS_LIBDIR) +]) diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4 -index a1fc81564b1..ebad69d9dcf 100644 +index 51d4f724c33..feb0bcf3e75 100644 --- a/make/autoconf/libraries.m4 +++ b/make/autoconf/libraries.m4 @@ -35,6 +35,7 @@ m4_include([lib-std.m4]) @@ -127,7 +127,7 @@ index a1fc81564b1..ebad69d9dcf 100644 ################################################################################ # Determine which libraries are needed for this configuration -@@ -134,6 +135,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], +@@ -128,6 +129,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES], LIB_SETUP_X11 LIB_TESTS_SETUP_GTEST @@ -136,10 +136,10 @@ index a1fc81564b1..ebad69d9dcf 100644 BASIC_JDKLIB_LIBS="" BASIC_JDKLIB_LIBS_TARGET="" diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in -index 0f85917814e..9419562b654 100644 +index f6def153c82..4d7abc33427 100644 --- a/make/autoconf/spec.gmk.in +++ b/make/autoconf/spec.gmk.in -@@ -867,6 +867,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ +@@ -873,6 +873,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@ # Libraries # @@ -2959,7 +2959,7 @@ index 00000000000..f8d505ca815 +} \ No newline at end of file diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java -index 6b26297b1b4..7ee5e07756c 100644 +index c3b412885a6..0e7ce73b158 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java @@ -37,6 +37,8 @@ import javax.crypto.*; @@ -2981,20 +2981,21 @@ index 6b26297b1b4..7ee5e07756c 100644 private static final String PUBLIC = "public"; private static final String PRIVATE = "private"; private static final String SECRET = "secret"; -@@ -401,8 +406,10 @@ abstract class P11Key implements Key, Length { +@@ -401,9 +406,10 @@ abstract class P11Key implements Key, Length { new CK_ATTRIBUTE(CKA_EXTRACTABLE), }); -- boolean keySensitive = (attrs[0].getBoolean() || -- attrs[1].getBoolean() || !attrs[2].getBoolean()); +- boolean keySensitive = +- (attrs[0].getBoolean() && P11Util.isNSS(session.token)) || +- attrs[1].getBoolean() || !attrs[2].getBoolean(); + boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH"); + boolean keySensitive = (!exportable && -+ (attrs[0].getBoolean() || -+ attrs[1].getBoolean() || !attrs[2].getBoolean())); ++ ((attrs[0].getBoolean() && P11Util.isNSS(session.token)) || ++ attrs[1].getBoolean() || !attrs[2].getBoolean())); return switch (algorithm) { case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm, -@@ -454,7 +461,8 @@ abstract class P11Key implements Key, Length { +@@ -455,7 +461,8 @@ abstract class P11Key implements Key, Length { public String getFormat() { token.ensureValid(); @@ -3004,7 +3005,7 @@ index 6b26297b1b4..7ee5e07756c 100644 return null; } else { return "RAW"; -@@ -1624,4 +1632,3 @@ final class SessionKeyRef extends PhantomReference { +@@ -1625,4 +1632,3 @@ final class SessionKeyRef extends PhantomReference { this.clear(); } } @@ -3204,7 +3205,7 @@ index 5cd6828d293..bae49c4e8a9 100644 debug.println("logout succeeded"); } diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java -index 3378409ca1c..7602a92a252 100644 +index a6f5f0a8764..9a07c96ca4e 100644 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java @@ -33,6 +33,7 @@ import java.lang.ref.*; diff --git a/java-21-openjdk.spec b/java-21-openjdk.spec index cb22ea8..a64f8af 100644 --- a/java-21-openjdk.spec +++ b/java-21-openjdk.spec @@ -343,7 +343,7 @@ # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches -%global fipsver 75ffdc48eda +%global fipsver 0a42e29b391 # Define JDK versions %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} %global javaver %{featurever} @@ -357,8 +357,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 1 -%global rpmrelease 2 +%global buildver 7 +%global rpmrelease 1 # Settings used by the portable build %global portablerelease 1 %global portablesuffix %{?pkgos:el7_9}%{!?pkgos:el9} @@ -1147,7 +1147,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -# 2023d required as of JDK-8322725 +# 2024a required as of JDK-8325150 +# Use 2023d until 2024a is in the buildroot Requires: tzdata-java >= 2023d # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand @@ -1407,10 +1408,6 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch # ############################################# -# JDK-8009550, RH910107: Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo -# PR: https://github.com/openjdk/jdk/pull/15409 -Patch6: jdk8009550-rh910107-fail_to_load_pcsc_library.patch - # Currently empty ############################################# @@ -1472,7 +1469,8 @@ BuildRequires: %{pkgnameroot}-misc = %{epoch}:%{version}-%{prelease}.%{portables %ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2023d required as of JDK-8322725 +# 2024a required as of JDK-8325150 +# Use 2023d until 2024a is in the buildroot BuildRequires: tzdata-java >= 2023d # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1878,8 +1876,6 @@ sh %{SOURCE12} %{top_level_dir_name} pushd %{top_level_dir_name} # Add crypto policy and FIPS support %patch -P1001 -p1 -# Patches in need of upstreaming -%patch -P6 -p1 popd # openjdk @@ -2503,6 +2499,15 @@ cjc.mainProgram(args) %endif %changelog +* Sun Apr 14 2024 Andrew Hughes - 1:21.0.3.0.7-0.1.ea +- Update to jdk-21.0.3+7 (EA) +- Update release notes to 21.0.3+7 +- Require tzdata 2024a due to upstream inclusion of JDK-8322725 +- Only require tzdata 2023d for now as 2024a is unavailable in buildroot +- Drop JDK-8009550 which is now available upstream +- Re-generate FIPS patch against 21.0.3+7 following backport of JDK-8325254 +- Resolves: RHEL-30946 + * Sun Apr 14 2024 Thomas Fitzsimmons - 1:21.0.3.0.1-0.2.ea - Invoke xz in multi-threaded mode - generate_source_tarball.sh: Add WITH_TEMP environment variable @@ -2562,7 +2567,7 @@ cjc.mainProgram(args) - Update to jdk-21.0.3+1 (EA) - Update release notes to 21.0.3+1 - Switch to EA mode -- Require tzdata 2023d due to local inclusion of JDK-8322725 +- Require tzdata 2023d due to upstream inclusion of JDK-8322725 - Bump FreeType version to 2.13.2 following JDK-8316028 - Related: RHEL-30946 diff --git a/jdk8009550-rh910107-fail_to_load_pcsc_library.patch b/jdk8009550-rh910107-fail_to_load_pcsc_library.patch deleted file mode 100644 index 9213937..0000000 --- a/jdk8009550-rh910107-fail_to_load_pcsc_library.patch +++ /dev/null @@ -1,125 +0,0 @@ -commit d0523302416bc6507696f20d1068f16427bcf6b8 -Author: Andrew Hughes -Date: Thu Aug 24 01:23:49 2023 +0100 - - 8009550: PlatformPCSC should load versioned so - -diff --git a/src/java.base/share/classes/sun/security/util/Debug.java b/src/java.base/share/classes/sun/security/util/Debug.java -index bff273c6548..e5a6b288ff8 100644 ---- a/src/java.base/share/classes/sun/security/util/Debug.java -+++ b/src/java.base/share/classes/sun/security/util/Debug.java -@@ -81,6 +81,7 @@ public static void Help() - System.err.println("logincontext login context results"); - System.err.println("jca JCA engine class debugging"); - System.err.println("keystore KeyStore debugging"); -+ System.err.println("pcsc Smartcard library debugging"); - System.err.println("policy loading and granting"); - System.err.println("provider security provider debugging"); - System.err.println("pkcs11 PKCS11 session manager debugging"); -diff --git a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java -index bacff32efbc..d9f605ada1e 100644 ---- a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java -+++ b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java -@@ -1,5 +1,6 @@ - /* - * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2023, Red Hat Inc. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -46,8 +47,13 @@ class PlatformPCSC { - - private static final String PROP_NAME = "sun.security.smartcardio.library"; - -- private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so"; -- private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so"; -+ private static final String[] LIB_TEMPLATES = { "/usr/$LIBISA/libpcsclite.so", -+ "/usr/local/$LIBISA/libpcsclite.so", -+ "/usr/lib/$ARCH-linux-gnu/libpcsclite.so", -+ "/usr/lib/arm-linux-gnueabi/libpcsclite.so", -+ "/usr/lib/arm-linux-gnueabihf/libpcsclite.so", -+ "/usr/lib/$ARCH-kfreebsd-gnu/libpcsclite.so" }; -+ private static final String[] LIB_SUFFIXES = { ".1", ".0", "" }; - private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC"; - - PlatformPCSC() { -@@ -73,23 +79,38 @@ public Throwable run() { - }); - - // expand $LIBISA to the system specific directory name for libraries -+ // expand $ARCH to the Debian system architecture in use - private static String expand(String lib) { - int k = lib.indexOf("$LIBISA"); -- if (k == -1) { -- return lib; -+ if (k != -1) { -+ String libDir; -+ if ("64".equals(System.getProperty("sun.arch.data.model"))) { -+ // assume Linux convention -+ libDir = "lib64"; -+ } else { -+ // must be 32-bit -+ libDir = "lib"; -+ } -+ lib = lib.replace("$LIBISA", libDir); - } -- String s1 = lib.substring(0, k); -- String s2 = lib.substring(k + 7); -- String libDir; -- if ("64".equals(System.getProperty("sun.arch.data.model"))) { -- // assume Linux convention -- libDir = "lib64"; -- } else { -- // must be 32-bit -- libDir = "lib"; -+ -+ k = lib.indexOf("$ARCH"); -+ if (k != -1) { -+ String arch = System.getProperty("os.arch"); -+ lib = lib.replace("$ARCH", getDebianArchitecture(arch)); - } -- String s = s1 + libDir + s2; -- return s; -+ -+ return lib; -+ } -+ -+ private static String getDebianArchitecture(String jdkArch) { -+ return switch (jdkArch) { -+ case "amd64" -> "x86_64"; -+ case "ppc" -> "powerpc"; -+ case "ppc64" -> "powerpc64"; -+ case "ppc64le" -> "powerpc64le"; -+ default -> jdkArch; -+ }; - } - - private static String getLibraryName() throws IOException { -@@ -98,15 +119,18 @@ private static String getLibraryName() throws IOException { - if (lib.length() != 0) { - return lib; - } -- lib = expand(LIB1); -- if (new File(lib).isFile()) { -- // if LIB1 exists, use that -- return lib; -- } -- lib = expand(LIB2); -- if (new File(lib).isFile()) { -- // if LIB2 exists, use that -- return lib; -+ -+ for (String template : LIB_TEMPLATES) { -+ for (String suffix : LIB_SUFFIXES) { -+ lib = expand(template) + suffix; -+ if (debug != null) { -+ debug.println("Looking for " + lib); -+ } -+ if (new File(lib).isFile()) { -+ // if library exists, use that -+ return lib; -+ } -+ } - } - - // As of macos 11, framework libraries have been removed from the file diff --git a/sources b/sources index 1d840be..27e6e06 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30 -SHA512 (openjdk-21.0.3+1-ea.tar.xz) = 5b1eb2fc253787a22857c4a5b644f2eeec4774d860c9d90d76f8daf4a40299941fd2865baee4811a16e7c80b4d7dadd1413514fb68d218431f94445a89ea1b75 +SHA512 (openjdk-21.0.3+7-ea.tar.xz) = 086e753c6f5139c2123a34ca25b09983b7068d94a47206499d9b03dbb6c6de23609ab15de66d93e9b7ed7282293831885e2be222f6b7f47966d5f8e683386e12