Update to jdk-21.0.3+7 (EA)

- Update release notes to 21.0.3+7 - Require tzdata 2024a due to upstream inclusion of JDK-8322725 - Only require tzdata 2023d for now as 2024a is unavailable in buildroot - Drop JDK-8009550 which is now available upstream - Re-generate FIPS patch against 21.0.3+7 following backport of JDK-8325254 Resolves: RHEL-30946
2024-04-13 14:56:57 +01:00 · 2024-04-13 14:56:57 +01:00 · 4dfc5acfc8
commit 4dfc5acfc8
parent 87737cc6b9
5 changed files with 33 additions and 151 deletions
--- a/.gitignore
+++ b/.gitignore
@ -16,3 +16,4 @@
 /openjdk-21.0.2+12.tar.xz
 /openjdk-21.0.2+13.tar.xz
 /openjdk-21.0.3+1-ea.tar.xz
+/openjdk-21.0.3+7-ea.tar.xz
--- a/fips-21u-0a42e29b391.patch
+++ b/fips-21u-0a42e29b391.patch
@ -116,7 +116,7 @@ index 00000000000..f48fc7f7e80
 +  AC_SUBST(NSS_LIBDIR)
 +])
 diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
-index a1fc81564b1..ebad69d9dcf 100644
+index 51d4f724c33..feb0bcf3e75 100644
 --- a/make/autoconf/libraries.m4
 +++ b/make/autoconf/libraries.m4
@@ -35,6 +35,7 @@ m4_include([lib-std.m4])
@ -127,7 +127,7 @@ index a1fc81564b1..ebad69d9dcf 100644
 
 ################################################################################
 # Determine which libraries are needed for this configuration
-@@ -134,6 +135,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
+@@ -128,6 +129,7 @@ AC_DEFUN_ONCE([LIB_SETUP_LIBRARIES],
   LIB_SETUP_X11
 
   LIB_TESTS_SETUP_GTEST
@ -136,10 +136,10 @@ index a1fc81564b1..ebad69d9dcf 100644
   BASIC_JDKLIB_LIBS=""
   BASIC_JDKLIB_LIBS_TARGET=""
 diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
-index 0f85917814e..9419562b654 100644
+index f6def153c82..4d7abc33427 100644
 --- a/make/autoconf/spec.gmk.in
 +++ b/make/autoconf/spec.gmk.in
-@@ -867,6 +867,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@
+@@ -873,6 +873,11 @@ INSTALL_SYSCONFDIR=@sysconfdir@
 # Libraries
 #
 
@ -2959,7 +2959,7 @@ index 00000000000..f8d505ca815
 +}
 \ No newline at end of file
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
-index 6b26297b1b4..7ee5e07756c 100644
+index c3b412885a6..0e7ce73b158 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
@@ -37,6 +37,8 @@ import javax.crypto.*;
@ -2981,20 +2981,21 @@ index 6b26297b1b4..7ee5e07756c 100644
     private static final String PUBLIC = "public";
     private static final String PRIVATE = "private";
     private static final String SECRET = "secret";
-@@ -401,8 +406,10 @@ abstract class P11Key implements Key, Length {
+@@ -401,9 +406,10 @@ abstract class P11Key implements Key, Length {
                     new CK_ATTRIBUTE(CKA_EXTRACTABLE),
         });
 
-        boolean keySensitive = (attrs[0].getBoolean() ||
-                attrs[1].getBoolean() || !attrs[2].getBoolean());
+-        boolean keySensitive =
+-                (attrs[0].getBoolean() && P11Util.isNSS(session.token)) ||
+-                attrs[1].getBoolean() || !attrs[2].getBoolean();
 +        boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH");
 +        boolean keySensitive = (!exportable &&
-+            (attrs[0].getBoolean() ||
-+             attrs[1].getBoolean() || !attrs[2].getBoolean()));
+               ((attrs[0].getBoolean() && P11Util.isNSS(session.token)) ||
+                attrs[1].getBoolean() || !attrs[2].getBoolean()));
 
         return switch (algorithm) {
             case "RSA" -> P11RSAPrivateKeyInternal.of(session, keyID, algorithm,
-@@ -454,7 +461,8 @@ abstract class P11Key implements Key, Length {
+@@ -455,7 +461,8 @@ abstract class P11Key implements Key, Length {
 
         public String getFormat() {
             token.ensureValid();
@ -3004,7 +3005,7 @@ index 6b26297b1b4..7ee5e07756c 100644
                 return null;
             } else {
                 return "RAW";
-@@ -1624,4 +1632,3 @@ final class SessionKeyRef extends PhantomReference<P11Key> {
+@@ -1625,4 +1632,3 @@ final class SessionKeyRef extends PhantomReference<P11Key> {
         this.clear();
     }
 }
@ -3204,7 +3205,7 @@ index 5cd6828d293..bae49c4e8a9 100644
                 debug.println("logout succeeded");
             }
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
-index 3378409ca1c..7602a92a252 100644
+index a6f5f0a8764..9a07c96ca4e 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
@@ -33,6 +33,7 @@ import java.lang.ref.*;
--- a/java-21-openjdk.spec
+++ b/java-21-openjdk.spec
@ -343,7 +343,7 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver 75ffdc48eda
+%global fipsver 0a42e29b391
 # Define JDK versions
 %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
 %global javaver         %{featurever}
@ -357,8 +357,8 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        1
-%global rpmrelease      2
+%global buildver        7
+%global rpmrelease      1
 # Settings used by the portable build
 %global portablerelease 1
 %global portablesuffix %{?pkgos:el7_9}%{!?pkgos:el9}
@ -1147,7 +1147,8 @@ Requires: ca-certificates
 # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
 Requires: javapackages-filesystem
 # Require zone-info data provided by tzdata-java sub-package
-# 2023d required as of JDK-8322725
+# 2024a required as of JDK-8325150
+# Use 2023d until 2024a is in the buildroot
 Requires: tzdata-java >= 2023d
 # for support of kernel stream control
 # libsctp.so.1 is being `dlopen`ed on demand
@ -1407,10 +1408,6 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch
 #
 #############################################

-# JDK-8009550, RH910107: Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
-# PR: https://github.com/openjdk/jdk/pull/15409
-Patch6: jdk8009550-rh910107-fail_to_load_pcsc_library.patch
-
 # Currently empty

 #############################################
@ -1472,7 +1469,8 @@ BuildRequires: %{pkgnameroot}-misc = %{epoch}:%{version}-%{prelease}.%{portables
 %ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
-# 2023d required as of JDK-8322725
+# 2024a required as of JDK-8325150
+# Use 2023d until 2024a is in the buildroot
 BuildRequires: tzdata-java >= 2023d
 # Earlier versions have a bug in tree vectorization on PPC
 BuildRequires: gcc >= 4.8.3-8
@ -1878,8 +1876,6 @@ sh %{SOURCE12} %{top_level_dir_name}
 pushd %{top_level_dir_name}
 # Add crypto policy and FIPS support
 %patch -P1001 -p1
-# Patches in need of upstreaming
-%patch -P6 -p1
 popd # openjdk


@ -2503,6 +2499,15 @@ cjc.mainProgram(args)
 %endif

 %changelog
+* Sun Apr 14 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.3.0.7-0.1.ea
+- Update to jdk-21.0.3+7 (EA)
+- Update release notes to 21.0.3+7
+- Require tzdata 2024a due to upstream inclusion of JDK-8322725
+- Only require tzdata 2023d for now as 2024a is unavailable in buildroot
+- Drop JDK-8009550 which is now available upstream
+- Re-generate FIPS patch against 21.0.3+7 following backport of JDK-8325254
+- Resolves: RHEL-30946
+
 * Sun Apr 14 2024 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:21.0.3.0.1-0.2.ea
 - Invoke xz in multi-threaded mode
 - generate_source_tarball.sh: Add WITH_TEMP environment variable
@ -2562,7 +2567,7 @@ cjc.mainProgram(args)
 - Update to jdk-21.0.3+1 (EA)
 - Update release notes to 21.0.3+1
 - Switch to EA mode
- Require tzdata 2023d due to local inclusion of JDK-8322725
+- Require tzdata 2023d due to upstream inclusion of JDK-8322725
 - Bump FreeType version to 2.13.2 following JDK-8316028
 - Related: RHEL-30946

--- a/jdk8009550-rh910107-fail_to_load_pcsc_library.patch
+++ b/jdk8009550-rh910107-fail_to_load_pcsc_library.patch
@ -1,125 +0,0 @@
-commit d0523302416bc6507696f20d1068f16427bcf6b8
-Author: Andrew Hughes <gnu.andrew@redhat.com>
-Date:   Thu Aug 24 01:23:49 2023 +0100
-
-    8009550: PlatformPCSC should load versioned so
-
-diff --git a/src/java.base/share/classes/sun/security/util/Debug.java b/src/java.base/share/classes/sun/security/util/Debug.java
-index bff273c6548..e5a6b288ff8 100644
--- a/src/java.base/share/classes/sun/security/util/Debug.java
-+++ b/src/java.base/share/classes/sun/security/util/Debug.java
-@@ -81,6 +81,7 @@ public static void Help()
-         System.err.println("logincontext  login context results");
-         System.err.println("jca           JCA engine class debugging");
-         System.err.println("keystore      KeyStore debugging");
-+        System.err.println("pcsc          Smartcard library debugging");
-         System.err.println("policy        loading and granting");
-         System.err.println("provider      security provider debugging");
-         System.err.println("pkcs11        PKCS11 session manager debugging");
-diff --git a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
-index bacff32efbc..d9f605ada1e 100644
--- a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
-+++ b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
-@@ -1,5 +1,6 @@
- /*
-  * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2023, Red Hat Inc. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -46,8 +47,13 @@ class PlatformPCSC {
- 
-     private static final String PROP_NAME = "sun.security.smartcardio.library";
- 
-    private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so";
-    private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
-+    private static final String[] LIB_TEMPLATES = { "/usr/$LIBISA/libpcsclite.so",
-+                                                    "/usr/local/$LIBISA/libpcsclite.so",
-+                                                    "/usr/lib/$ARCH-linux-gnu/libpcsclite.so",
-+                                                    "/usr/lib/arm-linux-gnueabi/libpcsclite.so",
-+                                                    "/usr/lib/arm-linux-gnueabihf/libpcsclite.so",
-+                                                    "/usr/lib/$ARCH-kfreebsd-gnu/libpcsclite.so" };
-+    private static final String[] LIB_SUFFIXES = { ".1", ".0", "" };
-     private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
- 
-     PlatformPCSC() {
-@@ -73,23 +79,38 @@ public Throwable run() {
-     });
- 
-     // expand $LIBISA to the system specific directory name for libraries
-+    // expand $ARCH to the Debian system architecture in use
-     private static String expand(String lib) {
-         int k = lib.indexOf("$LIBISA");
-        if (k == -1) {
-            return lib;
-+        if (k != -1) {
-+            String libDir;
-+            if ("64".equals(System.getProperty("sun.arch.data.model"))) {
-+                // assume Linux convention
-+                libDir = "lib64";
-+            } else {
-+                // must be 32-bit
-+                libDir = "lib";
-+            }
-+            lib = lib.replace("$LIBISA", libDir);
-         }
-        String s1 = lib.substring(0, k);
-        String s2 = lib.substring(k + 7);
-        String libDir;
-        if ("64".equals(System.getProperty("sun.arch.data.model"))) {
-            // assume Linux convention
-            libDir = "lib64";
-        } else {
-            // must be 32-bit
-            libDir = "lib";
-+
-+        k = lib.indexOf("$ARCH");
-+        if (k != -1) {
-+            String arch = System.getProperty("os.arch");
-+            lib = lib.replace("$ARCH", getDebianArchitecture(arch));
-         }
-        String s = s1 + libDir + s2;
-        return s;
-+
-+        return lib;
-+    }
-+
-+    private static String getDebianArchitecture(String jdkArch) {
-+        return switch (jdkArch) {
-+            case "amd64" -> "x86_64";
-+            case "ppc" -> "powerpc";
-+            case "ppc64" -> "powerpc64";
-+            case "ppc64le" -> "powerpc64le";
-+            default -> jdkArch;
-+        };
-     }
- 
-     private static String getLibraryName() throws IOException {
-@@ -98,15 +119,18 @@ private static String getLibraryName() throws IOException {
-         if (lib.length() != 0) {
-             return lib;
-         }
-        lib = expand(LIB1);
-        if (new File(lib).isFile()) {
-            // if LIB1 exists, use that
-            return lib;
-        }
-        lib = expand(LIB2);
-        if (new File(lib).isFile()) {
-            // if LIB2 exists, use that
-            return lib;
-+
-+        for (String template : LIB_TEMPLATES) {
-+            for (String suffix : LIB_SUFFIXES) {
-+                lib = expand(template) + suffix;
-+                if (debug != null) {
-+                    debug.println("Looking for " + lib);
-+                }
-+                if (new File(lib).isFile()) {
-+                    // if library exists, use that
-+                    return lib;
-+                }
-+            }
-         }
- 
-         // As of macos 11, framework libraries have been removed from the file
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-21.0.3+1-ea.tar.xz) = 5b1eb2fc253787a22857c4a5b644f2eeec4774d860c9d90d76f8daf4a40299941fd2865baee4811a16e7c80b4d7dadd1413514fb68d218431f94445a89ea1b75
+SHA512 (openjdk-21.0.3+7-ea.tar.xz) = 086e753c6f5139c2123a34ca25b09983b7068d94a47206499d9b03dbb6c6de23609ab15de66d93e9b7ed7282293831885e2be222f6b7f47966d5f8e683386e12